diff options
Diffstat (limited to 'src/charon/config')
29 files changed, 3116 insertions, 3041 deletions
diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c new file mode 100644 index 000000000..6df68c700 --- /dev/null +++ b/src/charon/config/backend_manager.c @@ -0,0 +1,229 @@ +/** + * @file backend_manager.c + * + * @brief Implementation of backend_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "backend_manager.h" + +#include <sys/types.h> +#include <dirent.h> +#include <sys/stat.h> +#include <dlfcn.h> + +#include <daemon.h> +#include <utils/linked_list.h> +#include <config/backends/writeable_backend.h> + + +typedef struct private_backend_manager_t private_backend_manager_t; + +/** + * Private data of an backend_manager_t object. + */ +struct private_backend_manager_t { + + /** + * Public part of backend_manager_t object. + */ + backend_manager_t public; + + /** + * list of registered backends + */ + linked_list_t *backends; + + /** + * Additional list of writable backends. + */ + linked_list_t *writeable; + + /** + * List of dlopen() handles we used to open backends + */ + linked_list_t *handles; +}; + +/** + * implements backend_manager_t.get_ike_cfg. + */ +static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, + host_t *my_host, host_t *other_host) +{ + backend_t *backend; + ike_cfg_t *config = NULL; + iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE); + while (config == NULL && iterator->iterate(iterator, (void**)&backend)) + { + config = backend->get_ike_cfg(backend, my_host, other_host); + } + iterator->destroy(iterator); + return config; +} + +/** + * implements backend_manager_t.get_peer_cfg. + */ +static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info) +{ + backend_t *backend; + peer_cfg_t *config = NULL; + iterator_t *iterator = this->backends->create_iterator(this->backends, TRUE); + while (config == NULL && iterator->iterate(iterator, (void**)&backend)) + { + config = backend->get_peer_cfg(backend, my_id, other_id, other_ca_info); + } + iterator->destroy(iterator); + return config; +} + +/** + * implements backend_manager_t.add_peer_cfg. + */ +static void add_peer_cfg(private_backend_manager_t *this, peer_cfg_t *config) +{ + writeable_backend_t *backend; + + if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS) + { + backend->add_cfg(backend, config); + } +} + +/** + * implements backend_manager_t.create_iterator. + */ +static iterator_t* create_iterator(private_backend_manager_t *this) +{ + writeable_backend_t *backend; + + if (this->writeable->get_first(this->writeable, (void**)&backend) == SUCCESS) + { + return backend->create_iterator(backend); + } + /* give out an empty iterator if we have no writable backend*/ + return this->writeable->create_iterator(this->writeable, TRUE); +} + +/** + * load the configuration backend modules + */ +static void load_backends(private_backend_manager_t *this) +{ + struct dirent* entry; + DIR* dir; + + dir = opendir(IPSEC_BACKENDDIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening backend modules directory "IPSEC_BACKENDDIR); + return; + } + + DBG1(DBG_CFG, "loading backend modules from '"IPSEC_BACKENDDIR"'"); + + while ((entry = readdir(dir)) != NULL) + { + char file[256]; + backend_t *backend; + backend_constructor_t constructor; + void *handle; + char *ending; + + snprintf(file, sizeof(file), IPSEC_BACKENDDIR"/%s", entry->d_name); + + ending = entry->d_name + strlen(entry->d_name) - 3; + if (ending <= entry->d_name || !streq(ending, ".so")) + { + /* skip anything which does not look like a library */ + DBG2(DBG_CFG, " skipping %s, doesn't look like a library", + entry->d_name); + continue; + } + /* try to load the library */ + handle = dlopen(file, RTLD_LAZY); + if (handle == NULL) + { + DBG1(DBG_CFG, " opening backend module %s failed: %s", + entry->d_name, dlerror()); + continue; + } + constructor = dlsym(handle, "backend_create"); + if (constructor == NULL) + { + DBG1(DBG_CFG, " backend module %s has no backend_create() " + "function, skipped", entry->d_name); + dlclose(handle); + continue; + } + + backend = constructor(); + if (backend == NULL) + { + DBG1(DBG_CFG, " unable to create instance of backend " + "module %s, skipped", entry->d_name); + dlclose(handle); + continue; + } + DBG1(DBG_CFG, " loaded backend module successfully from %s", entry->d_name); + this->backends->insert_last(this->backends, backend); + if (backend->is_writeable(backend)) + { + this->writeable->insert_last(this->writeable, backend); + } + this->handles->insert_last(this->handles, handle); + } + closedir(dir); +} + +/** + * Implementation of backend_manager_t.destroy. + */ +static void destroy(private_backend_manager_t *this) +{ + this->backends->destroy_offset(this->backends, offsetof(backend_t, destroy)); + this->writeable->destroy(this->writeable); + this->handles->destroy_function(this->handles, (void*)dlclose); + free(this); +} + +/* + * Described in header-file + */ +backend_manager_t *backend_manager_create() +{ + private_backend_manager_t *this = malloc_thing(private_backend_manager_t); + + this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; + this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg; + this->public.add_peer_cfg = (void (*)(backend_manager_t*,peer_cfg_t*))add_peer_cfg; + this->public.create_iterator = (iterator_t* (*)(backend_manager_t*))create_iterator; + this->public.destroy = (void (*)(backend_manager_t*))destroy; + + this->backends = linked_list_create(); + this->writeable = linked_list_create(); + this->handles = linked_list_create(); + + load_backends(this); + + return &this->public; +} + diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h new file mode 100644 index 000000000..22a19a218 --- /dev/null +++ b/src/charon/config/backend_manager.h @@ -0,0 +1,124 @@ +/** + * @file backend_manager.h + * + * @brief Interface backend_manager_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef BACKEND_MANAGER_H_ +#define BACKEND_MANAGER_H_ + +typedef struct backend_manager_t backend_manager_t; + +#include <library.h> +#include <utils/host.h> +#include <utils/identification.h> +#include <config/ike_cfg.h> +#include <config/peer_cfg.h> +#include <config/backends/backend.h> + + +/** + * @brief A loader and multiplexer to use multiple backends. + * + * Charon allows the use of multiple configuration backends simultaneously. To + * access all this backends by a single call, this class wraps multiple + * backends behind a single object. It is also responsible for loading + * the backend modules and cleaning them up. + * A backend may be writeable or not. All backends implement the backend_t + * interface, those who are writeable additionally implement the + * writeable_backend_t interface. Adding configs to the backend_manager will + * be redirected to the first writeable backend. + * @verbatim + + +---------+ +-----------+ +--------------+ | + | | | | +--------------+ | | + | daemon |----->| backend_- | +--------------+ |-+ <==|==> IPC + | core | | manager |---->| backends |-+ | + | |----->| | +--------------+ | + | | | | | + +---------+ +-----------+ | + + @endverbatim + * + * @b Constructors: + * - backend_manager_create() + * + * @ingroup config + */ +struct backend_manager_t { + + /** + * @brief Get an ike_config identified by two hosts. + * + * @param this calling object + * @param my_host address of own host + * @param other_host address of remote host + * @return matching ike_config, or NULL if none found + */ + ike_cfg_t* (*get_ike_cfg)(backend_manager_t *this, + host_t *my_host, host_t *other_host); + + /** + * @brief Get a peer_config identified by two IDs and the peer's certificate issuer + * + * @param this calling object + * @param my_id own ID + * @param other_id peer ID + * @param other_ca_info info record on issuer of peer certificate + * @return matching peer_config, or NULL if none found + */ + peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info); + + /** + * @brief Add a peer_config to the first found writable backend. + * + * @param this calling object + * @param config peer_config to add to the backend + */ + void (*add_peer_cfg)(backend_manager_t *this, peer_cfg_t *config); + + /** + * @brief Create an iterator over all peer configs of the writable backend. + * + * @param this calling object + * @return iterator over peer configs + */ + iterator_t* (*create_iterator)(backend_manager_t *this); + + /** + * @brief Destroys a backend_manager_t object. + * + * @param this calling object + */ + void (*destroy) (backend_manager_t *this); +}; + +/** + * @brief Creates a new instance of the manager and loads all backends. + * + * @return backend_manager instance + * + * @ingroup config + */ +backend_manager_t* backend_manager_create(void); + +#endif /*BACKEND_MANAGER_H_*/ + diff --git a/src/charon/config/backends/backend.h b/src/charon/config/backends/backend.h new file mode 100644 index 000000000..acab660b6 --- /dev/null +++ b/src/charon/config/backends/backend.h @@ -0,0 +1,96 @@ +/** + * @file backend.h + * + * @brief Interface backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef BACKEND_H_ +#define BACKEND_H_ + +typedef struct backend_t backend_t; + +#include <library.h> +#include <config/ike_cfg.h> +#include <config/peer_cfg.h> +#include <utils/linked_list.h> + +/** + * @brief The interface for a configuration backend. + * + * A configuration backend is loaded by the backend_manager. It does the actual + * configuration lookup for the method it implements. See backend_manager_t for + * more information. + * + * @b Constructors: + * - implementations constructors + * + * @ingroup backends + */ +struct backend_t { + + /** + * @brief Get an ike_cfg identified by two hosts. + * + * @param this calling object + * @param my_host address of own host + * @param other_host address of remote host + * @return matching ike_config, or NULL if none found + */ + ike_cfg_t *(*get_ike_cfg)(backend_t *this, + host_t *my_host, host_t *other_host); + + /** + * @brief Get a peer_cfg identified by two IDs. + * + * Select a config based on the two IDs and the other's certificate issuer + * + * @param this calling object + * @param my_id own ID + * @param other_id peer ID + * @param other_ca_info info record on issuer of peer certificate + * @return matching peer_config, or NULL if none found + */ + peer_cfg_t *(*get_peer_cfg)(backend_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info); + + /** + * @brief Check if a backend is writable and implements writable_backend_t. + * + * @param this calling object + * @return TRUE if backend implements writable_backend_t. + */ + bool (*is_writeable)(backend_t *this); + + /** + * @brief Destroy a backend. + * + * @param this calling object + */ + void (*destroy)(backend_t *this); +}; + + +/** + * Construction to create a backend. + */ +typedef backend_t*(*backend_constructor_t)(void); + +#endif /* BACKEND_H_ */ + diff --git a/src/charon/config/backends/local_backend.c b/src/charon/config/backends/local_backend.c new file mode 100644 index 000000000..2e80cc870 --- /dev/null +++ b/src/charon/config/backends/local_backend.c @@ -0,0 +1,274 @@ +/** + * @file local_backend.c + * + * @brief Implementation of local_backend_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> + +#include "local_backend.h" + +#include <daemon.h> +#include <utils/linked_list.h> +#include <crypto/ca.h> + + +typedef struct private_local_backend_t private_local_backend_t; + +/** + * Private data of an local_backend_t object + */ +struct private_local_backend_t { + + /** + * Public part + */ + local_backend_t public; + + /** + * list of configs + */ + linked_list_t *cfgs; + + /** + * Mutex to exclusivly access list + */ + pthread_mutex_t mutex; +}; + +/** + * implements backen_t.get_ike_cfg. + */ +static ike_cfg_t *get_ike_cfg(private_local_backend_t *this, + host_t *my_host, host_t *other_host) +{ + peer_cfg_t *peer; + ike_cfg_t *current, *found = NULL; + iterator_t *iterator; + host_t *my_candidate, *other_candidate; + enum { + MATCH_NONE = 0x00, + MATCH_ANY = 0x01, + MATCH_ME = 0x04, + MATCH_OTHER = 0x08, + } prio, best = MATCH_ANY; + + DBG2(DBG_CFG, "looking for a config for %H...%H", + my_host, other_host); + + iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); + while (iterator->iterate(iterator, (void**)&peer)) + { + prio = MATCH_NONE; + current = peer->get_ike_cfg(peer); + my_candidate = current->get_my_host(current); + other_candidate = current->get_other_host(current); + + if (my_candidate->ip_equals(my_candidate, my_host)) + { + prio += MATCH_ME; + } + else if (my_candidate->is_anyaddr(my_candidate)) + { + prio += MATCH_ANY; + } + + if (other_candidate->ip_equals(other_candidate, other_host)) + { + prio += MATCH_OTHER; + } + else if (other_candidate->is_anyaddr(other_candidate)) + { + prio += MATCH_ANY; + } + + DBG2(DBG_CFG, " candidate '%s': %H...%H, prio %d", + peer->get_name(peer), my_candidate, other_candidate, prio); + + /* we require at least two MATCH_ANY */ + if (prio > best) + { + best = prio; + found = current; + } + } + if (found) + { + found->get_ref(found); + } + iterator->destroy(iterator); + return found; +} + +#define PRIO_NO_MATCH_FOUND 256 + +/** + * implements backend_t.get_peer. + */ +static peer_cfg_t *get_peer_cfg(private_local_backend_t *this, + identification_t *my_id, identification_t *other_id, + ca_info_t *other_ca_info) +{ + peer_cfg_t *current, *found = NULL; + iterator_t *iterator; + identification_t *my_candidate, *other_candidate; + int best = PRIO_NO_MATCH_FOUND; + + DBG2(DBG_CFG, "looking for a config for %D...%D", my_id, other_id); + + iterator = this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); + while (iterator->iterate(iterator, (void**)¤t)) + { + int wc1, wc2; + + my_candidate = current->get_my_id(current); + other_candidate = current->get_other_id(current); + + if (my_candidate->matches(my_candidate, my_id, &wc1) + && other_id->matches(other_id, other_candidate, &wc2)) + { + int prio = (wc1 + wc2) * (MAX_CA_PATH_LEN + 1); + int pathlen = 0; + identification_t *other_candidate_ca = current->get_other_ca(current); + + /* are there any ca constraints? */ + if (other_candidate_ca->get_type(other_candidate_ca) != ID_ANY) + { + ca_info_t *ca_info = other_ca_info; + + for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) + { + if (ca_info == NULL) + { + prio = PRIO_NO_MATCH_FOUND; + break; + } + else + { + x509_t *cacert = ca_info->get_certificate(ca_info); + identification_t *other_ca = cacert->get_subject(cacert); + + if (other_candidate_ca->equals(other_candidate_ca, other_ca)) + { + /* found a ca match */ + break; + } + if (cacert->is_self_signed(cacert)) + { + /* reached the root ca without a match */ + prio = PRIO_NO_MATCH_FOUND; + break; + } + /* move a level upward in the trust path hierarchy */ + ca_info = charon->credentials->get_issuer(charon->credentials, cacert); + } + } + if (pathlen == MAX_CA_PATH_LEN) + { + DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN); + prio = PRIO_NO_MATCH_FOUND; + } + } + if (prio == PRIO_NO_MATCH_FOUND) + { + DBG2(DBG_CFG, " candidate '%s': %D...%D, no ca match", + current->get_name(current), my_candidate, other_candidate); + } + else + { + prio += pathlen; + DBG2(DBG_CFG, " candidate '%s': %D...%D, prio %d", + current->get_name(current), my_candidate, other_candidate, prio); + + if (prio < best) + { + found = current; + best = prio; + } + } + } + } + if (found) + { + DBG1(DBG_CFG, "found matching config \"%s\": %D...%D, prio %d", + found->get_name(found), + found->get_my_id(found), + found->get_other_id(found), + best); + found->get_ref(found); + } + iterator->destroy(iterator); + return found; +} + +/** + * Implementation of backend_t.is_writable. + */ +static bool is_writeable(private_local_backend_t *this) +{ + return TRUE; +} + +/** + * Implementation of writable_backend_t.create_iterator. + */ +static iterator_t* create_iterator(private_local_backend_t *this) +{ + return this->cfgs->create_iterator_locked(this->cfgs, &this->mutex); +} + +/** + * Implementation of writable_backend_t.add_peer_cfg. + */ +static void add_cfg(private_local_backend_t *this, peer_cfg_t *config) +{ + pthread_mutex_lock(&this->mutex); + this->cfgs->insert_last(this->cfgs, config); + pthread_mutex_unlock(&this->mutex); +} + +/** + * Implementation of backend_t.destroy. + */ +static void destroy(private_local_backend_t *this) +{ + this->cfgs->destroy_offset(this->cfgs, offsetof(peer_cfg_t, destroy)); + free(this); +} + +/** + * Described in header. + */ +backend_t *backend_create(void) +{ + private_local_backend_t *this = malloc_thing(private_local_backend_t); + + this->public.backend.backend.get_ike_cfg = (ike_cfg_t* (*)(backend_t*, host_t*, host_t*))get_ike_cfg; + this->public.backend.backend.get_peer_cfg = (peer_cfg_t* (*)(backend_t*,identification_t*,identification_t*,ca_info_t*))get_peer_cfg; + this->public.backend.backend.is_writeable = (bool(*) (backend_t*))is_writeable; + this->public.backend.backend.destroy = (void (*)(backend_t*))destroy; + this->public.backend.create_iterator = (iterator_t* (*)(writeable_backend_t*))create_iterator; + this->public.backend.add_cfg = (void (*)(writeable_backend_t*,peer_cfg_t*))add_cfg; + + /* private variables */ + this->cfgs = linked_list_create(); + pthread_mutex_init(&this->mutex, NULL); + + return &this->public.backend.backend; +} diff --git a/src/charon/config/backends/local_backend.h b/src/charon/config/backends/local_backend.h new file mode 100644 index 000000000..b33c6443b --- /dev/null +++ b/src/charon/config/backends/local_backend.h @@ -0,0 +1,60 @@ +/** + * @file local_backend.h + * + * @brief Interface of local_backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef LOCAL_BACKEND_H_ +#define LOCAL_BACKEND_H_ + +typedef struct local_backend_t local_backend_t; + +#include <library.h> +#include <config/backends/writeable_backend.h> + +/** + * @brief An in-memory backend to store configurations. + * + * The local_backend_t stores the configuration in a simple list. It + * implements both, backend_t and writeable_backend_t. + * + * @b Constructors: + * - local_backend_create() + * + * @ingroup backends + */ +struct local_backend_t { + + /** + * Implements writable_backend_t interface + */ + writeable_backend_t backend; +}; + +/** + * @brief Create a backend_t instance implemented as local backend. + * + * @return backend instance + * + * @ingroup backends + */ +backend_t *backend_create(void); + +#endif /* LOCAL_BACKEND_H_ */ + diff --git a/src/charon/config/backends/writeable_backend.h b/src/charon/config/backends/writeable_backend.h new file mode 100644 index 000000000..ea62f62c9 --- /dev/null +++ b/src/charon/config/backends/writeable_backend.h @@ -0,0 +1,64 @@ +/** + * @file writeable_backend.h + * + * @brief Interface of writeable_backend_t. + * + */ + +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef WRITEABLE_BACKEND_H_ +#define WRITEABLE_BACKEND_H_ + +typedef struct writeable_backend_t writeable_backend_t; + +#include <library.h> +#include <config/backends/backend.h> + +/** + * @brief A writeable backend extends backend_t by modification functions. + * + * @b Constructors: + * - writeable_backend_create() + * + * @ingroup backends + */ +struct writeable_backend_t { + + /** + * Implements backend_t interface + */ + backend_t backend; + + /** + * @brief Add a peer_config to the backend. + * + * @param this calling object + * @param config peer_config to add to the backend + */ + void (*add_cfg)(writeable_backend_t *this, peer_cfg_t *config); + + /** + * @brief Create an iterator over all peer configs. + * + * @param this calling object + * @return iterator over peer configs + */ + iterator_t* (*create_iterator)(writeable_backend_t *this); +}; + +#endif /* WRITEABLE_BACKEND_H_ */ + diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c new file mode 100644 index 000000000..e9f0e5249 --- /dev/null +++ b/src/charon/config/child_cfg.c @@ -0,0 +1,449 @@ +/** + * @file child_cfg.c + * + * @brief Implementation of child_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + + +#include "child_cfg.h" + +#include <daemon.h> + +ENUM(mode_names, MODE_TRANSPORT, MODE_BEET, + "TRANSPORT", + "TUNNEL", + "2", + "3", + "BEET", +); + +typedef struct private_child_cfg_t private_child_cfg_t; + +/** + * Private data of an child_cfg_t object + */ +struct private_child_cfg_t { + + /** + * Public part + */ + child_cfg_t public; + + /** + * Number of references hold by others to this child_cfg + */ + refcount_t refcount; + + /** + * Name of the child_cfg, used to query it + */ + char *name; + + /** + * list for all proposals + */ + linked_list_t *proposals; + + /** + * list for traffic selectors for my site + */ + linked_list_t *my_ts; + + /** + * list for traffic selectors for others site + */ + linked_list_t *other_ts; + + /** + * updown script + */ + char *updown; + + /** + * allow host access + */ + bool hostaccess; + + /** + * Mode to propose for a initiated CHILD: tunnel/transport + */ + mode_t mode; + + /** + * Time before an SA gets invalid + */ + u_int32_t lifetime; + + /** + * Time before an SA gets rekeyed + */ + u_int32_t rekeytime; + + /** + * Time, which specifies the range of a random value + * substracted from rekeytime. + */ + u_int32_t jitter; +}; + +/** + * Implementation of child_cfg_t.get_name + */ +static char *get_name(private_child_cfg_t *this) +{ + return this->name; +} + +/** + * Implementation of child_cfg_t.add_proposal + */ +static void add_proposal(private_child_cfg_t *this, proposal_t *proposal) +{ + this->proposals->insert_last(this->proposals, proposal); +} + +/** + * strip out DH groups from a proposal + */ +static void strip_dh_from_proposal(proposal_t *proposal) +{ + iterator_t *iterator; + algorithm_t *algo; + + iterator = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); + while (iterator->iterate(iterator, (void**)&algo)) + { + iterator->remove(iterator); + free(algo); + } + iterator->destroy(iterator); +} + +/** + * Implementation of child_cfg_t.get_proposals + */ +static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) +{ + iterator_t *iterator; + proposal_t *current; + linked_list_t *proposals = linked_list_create(); + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + current = current->clone(current); + if (strip_dh) + { + strip_dh_from_proposal(current); + } + proposals->insert_last(proposals, current); + } + iterator->destroy(iterator); + + return proposals; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static proposal_t* select_proposal(private_child_cfg_t*this, + linked_list_t *proposals, bool strip_dh) +{ + iterator_t *stored_iter, *supplied_iter; + proposal_t *stored, *supplied, *selected = NULL; + + stored_iter = this->proposals->create_iterator(this->proposals, TRUE); + supplied_iter = proposals->create_iterator(proposals, TRUE); + + /* compare all stored proposals with all supplied. Stored ones are preferred. */ + while (stored_iter->iterate(stored_iter, (void**)&stored)) + { + stored = stored->clone(stored); + supplied_iter->reset(supplied_iter); + while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) + { + if (strip_dh) + { + strip_dh_from_proposal(stored); + } + selected = stored->select(stored, supplied); + if (selected) + { + break; + } + } + stored->destroy(stored); + if (selected) + { + break; + } + } + stored_iter->destroy(stored_iter); + supplied_iter->destroy(supplied_iter); + return selected; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static void add_traffic_selector(private_child_cfg_t *this, bool local, + traffic_selector_t *ts) +{ + if (local) + { + this->my_ts->insert_last(this->my_ts, ts); + } + else + { + this->other_ts->insert_last(this->other_ts, ts); + } +} + +/** + * Implementation of child_cfg_t.get_name + */ +static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local, + linked_list_t *supplied, + host_t *host) +{ + iterator_t *i1, *i2; + traffic_selector_t *ts1, *ts2, *selected; + linked_list_t *result = linked_list_create(); + + if (local) + { + i1 = this->my_ts->create_iterator(this->my_ts, TRUE); + } + else + { + i1 = this->other_ts->create_iterator(this->other_ts, FALSE); + } + + /* no list supplied, just fetch the stored traffic selectors */ + if (supplied == NULL) + { + while (i1->iterate(i1, (void**)&ts1)) + { + /* we make a copy of the TS, this allows us to update dynamic TS' */ + ts1 = ts1->clone(ts1); + if (host) + { + ts1->set_address(ts1, host); + } + result->insert_last(result, ts1); + } + i1->destroy(i1); + } + else + { + DBG2(DBG_CFG, "selecting traffic selectors"); + i2 = supplied->create_iterator(supplied, TRUE); + /* iterate over all stored selectors */ + while (i1->iterate(i1, (void**)&ts1)) + { + /* we make a copy of the TS, as we have to update dynamic TS' */ + ts1 = ts1->clone(ts1); + if (host) + { + ts1->set_address(ts1, host); + } + + i2->reset(i2); + /* iterate over all supplied traffic selectors */ + while (i2->iterate(i2, (void**)&ts2)) + { + DBG2(DBG_CFG, "stored %R <=> %R received", ts1, ts2); + selected = ts1->get_subset(ts1, ts2); + if (selected) + { + result->insert_last(result, selected); + DBG2(DBG_CFG, "found traffic selector for %s: %R", + local ? "us" : "other", selected); + } + } + ts1->destroy(ts1); + } + i1->destroy(i1); + i2->destroy(i2); + } + + /* remove any redundant traffic selectors in the list */ + i1 = result->create_iterator(result, TRUE); + i2 = result->create_iterator(result, TRUE); + while (i1->iterate(i1, (void**)&ts1)) + { + while (i2->iterate(i2, (void**)&ts2)) + { + if (ts1 != ts2) + { + if (ts2->is_contained_in(ts2, ts1)) + { + i2->remove(i2); + ts2->destroy(ts2); + i1->reset(i1); + break; + } + if (ts1->is_contained_in(ts1, ts2)) + { + i1->remove(i1); + ts1->destroy(ts1); + i2->reset(i2); + break; + } + } + } + } + i1->destroy(i1); + i2->destroy(i2); + + return result; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static char* get_updown(private_child_cfg_t *this) +{ + return this->updown; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static bool get_hostaccess(private_child_cfg_t *this) +{ + return this->hostaccess; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey) +{ + if (rekey) + { + if (this->jitter == 0) + { + return this->rekeytime; + } + return this->rekeytime - (random() % this->jitter); + } + return this->lifetime; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static mode_t get_mode(private_child_cfg_t *this) +{ + return this->mode; +} + +/** + * Implementation of child_cfg_t.get_dh_group. + */ +static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) +{ + iterator_t *iterator; + proposal_t *proposal; + algorithm_t *algo; + diffie_hellman_group_t dh_group = MODP_NONE; + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)&proposal)) + { + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo)) + { + dh_group = algo->algorithm; + break; + } + } + iterator->destroy(iterator); + return dh_group; +} + +/** + * Implementation of child_cfg_t.get_name + */ +static void get_ref(private_child_cfg_t *this) +{ + ref_get(&this->refcount); +} + +/** + * Implements child_cfg_t.destroy. + */ +static void destroy(private_child_cfg_t *this) +{ + if (ref_put(&this->refcount)) + { + this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); + this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy)); + this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy)); + if (this->updown) + { + free(this->updown); + } + free(this->name); + free(this); + } +} + +/* + * Described in header-file + */ +child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + char *updown, bool hostaccess, mode_t mode) +{ + private_child_cfg_t *this = malloc_thing(private_child_cfg_t); + + /* public functions */ + this->public.get_name = (char* (*) (child_cfg_t*))get_name; + this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; + this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; + this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; + this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; + this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool))select_proposal; + this->public.get_updown = (char* (*) (child_cfg_t*))get_updown; + this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; + this->public.get_mode = (mode_t (*) (child_cfg_t *))get_mode; + this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime; + this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; + this->public.get_ref = (void (*) (child_cfg_t*))get_ref; + this->public.destroy = (void (*) (child_cfg_t*))destroy; + + /* apply init values */ + this->name = strdup(name); + this->lifetime = lifetime; + this->rekeytime = rekeytime; + this->jitter = jitter; + this->updown = updown ? strdup(updown) : NULL; + this->hostaccess = hostaccess; + this->mode = mode; + + /* initialize private members*/ + this->refcount = 1; + this->proposals = linked_list_create(); + this->my_ts = linked_list_create(); + this->other_ts = linked_list_create(); + + return &this->public; +} diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h new file mode 100644 index 000000000..e1a6553b4 --- /dev/null +++ b/src/charon/config/child_cfg.h @@ -0,0 +1,251 @@ +/** + * @file child_cfg.h + * + * @brief Interface of child_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef CHILD_CFG_H_ +#define CHILD_CFG_H_ + +typedef enum mode_t mode_t; +typedef struct child_cfg_t child_cfg_t; + +#include <library.h> +#include <config/proposal.h> +#include <config/traffic_selector.h> + +/** + * @brief Mode of an CHILD_SA. + * + * These are equal to those defined in XFRM, so don't change. + * + * @ingroup config + */ +enum mode_t { + /** transport mode, no inner address */ + MODE_TRANSPORT = 0, + /** tunnel mode, inner and outer addresses */ + MODE_TUNNEL = 1, + /** BEET mode, tunnel mode but fixed, bound inner addresses */ + MODE_BEET = 4, +}; + +/** + * enum names for mode_t. + */ +extern enum_name_t *mode_names; + +/** + * @brief A child_cfg_t defines the config template for a CHILD_SA. + * + * After creation, proposals and traffic selectors may be added to the config. + * A child_cfg object is referenced multiple times, and is not thread save. + * Reading from the object is save, adding things is not allowed while other + * threads may access the object. + * A reference counter handles the number of references hold to this config. + * + * @see peer_cfg_t to get an overview over the configurations. + * + * @b Constructors: + * - child_cfg_create() + * + * @ingroup config + */ +struct child_cfg_t { + + /** + * @brief Get the name of the child_cfg. + * + * @param this calling object + * @return child_cfg's name + */ + char *(*get_name) (child_cfg_t *this); + + /** + * @brief Add a proposal to the list. + * + * The proposals are stored by priority, first added + * is the most prefered. + * After add, proposal is owned by child_cfg. + * + * @param this calling object + * @param proposal proposal to add + */ + void (*add_proposal) (child_cfg_t *this, proposal_t *proposal); + + /** + * @brief Get the list of proposals for the CHILD_SA. + * + * Resulting list and all of its proposals must be freed after use. + * + * @param this calling object + * @param strip_dh TRUE strip out diffie hellman groups + * @return list of proposals + */ + linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh); + + /** + * @brief Select a proposal from a supplied list. + * + * Returned propsal is newly created and must be destroyed after usage. + * + * @param this calling object + * @param proposals list from from wich proposals are selected + * @param strip_dh TRUE strip out diffie hellman groups + * @return selected proposal, or NULL if nothing matches + */ + proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals, + bool strip_dh); + + /** + * @brief Add a traffic selector to the config. + * + * Use the "local" parameter to add it for the local or the remote side. + * After add, traffic selector is owned by child_cfg. + * + * @param this calling object + * @param local TRUE for local side, FALSE for remote + * @param ts traffic_selector to add + */ + void (*add_traffic_selector)(child_cfg_t *this, bool local, + traffic_selector_t *ts); + + /** + * @brief Get a list of traffic selectors to use for the CHILD_SA. + * + * The config contains two set of traffic selectors, one for the local + * side, one for the remote side. + * If a list with traffic selectors is supplied, these are used to narrow + * down the traffic selector list to the greatest common divisor. + * Some traffic selector may be "dymamic", meaning they are narrowed down + * to a specific address (host-to-host or virtual-IP setups). Use + * the "host" parameter to narrow such traffic selectors to that address. + * Resulted list and its traffic selectors must be destroyed after use. + * + * @param this calling object + * @param local TRUE for TS on local side, FALSE for remote + * @param supplied list with TS to select from, or NULL + * @param host address to use for narrowing "dynamic" TS', or NULL + * @return list containing the traffic selectors + */ + linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, + linked_list_t *supplied, + host_t *host); + + /** + * @brief Get the updown script to run for the CHILD_SA. + * + * @param this calling object + * @return path to updown script + */ + char* (*get_updown)(child_cfg_t *this); + + /** + * @brief Should we allow access to the local host (gateway)? + * + * @param this calling object + * @return value of hostaccess flag + */ + bool (*get_hostaccess) (child_cfg_t *this); + + /** + * @brief Get the lifetime of a CHILD_SA. + * + * If "rekey" is set to TRUE, a lifetime is returned before the first + * rekeying should be started. If it is FALSE, the actual lifetime is + * returned when the CHILD_SA must be deleted. + * The rekey time automatically contains a jitter to avoid simlutaneous + * rekeying. + * + * @param this child_cfg + * @param rekey TRUE to get rekey time + * @return lifetime in seconds + */ + u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey); + + /** + * @brief Get the mode to use for the CHILD_SA. + * + * The mode is either tunnel, transport or BEET. The peer must agree + * on the method, fallback is tunnel mode. + * + * @param this child_cfg + * @return lifetime in seconds + */ + mode_t (*get_mode) (child_cfg_t *this); + + /** + * @brief Get the DH group to use for CHILD_SA setup. + * + * @param this calling object + * @return dh group to use + */ + diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this); + + /** + * @brief Get a new reference. + * + * Get a new reference to this child_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (child_cfg_t *this); + + /** + * @brief Destroys the child_cfg object. + * + * Decrements the internal reference counter and + * destroys the child_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (child_cfg_t *this); +}; + +/** + * @brief Create a configuration template for CHILD_SA setup. + * + * The "name" string gets cloned. + * Lifetimes are in seconds. To prevent to peers to start rekeying at the + * same time, a jitter may be specified. Rekeying of an SA starts at + * (rekeytime - random(0, jitter)). You should specify + * lifetime > rekeytime > jitter. + * After a call to create, a reference is obtained (refcount = 1). + * + * @param name name of the child_cfg + * @param lifetime lifetime after CHILD_SA expires and gets deleted + * @param rekeytime time when rekeying should be initiated + * @param jitter range of randomization time to remove from rekeytime + * @param updown updown script to execute on up/down event + * @param hostaccess TRUE to allow access to the local host + * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET + * @return child_cfg_t object + * + * @ingroup config + */ +child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, + u_int32_t rekeytime, u_int32_t jitter, + char *updown, bool hostaccess, mode_t mode); + +#endif /* CHILD_CFG_H_ */ diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c deleted file mode 100755 index 488ba9a5e..000000000 --- a/src/charon/config/configuration.c +++ /dev/null @@ -1,162 +0,0 @@ -/** - * @file configuration.c - * - * @brief Implementation of configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <math.h> - -#include "configuration.h" - -#include <library.h> - -/** - * Timeout in milliseconds after that a half open IKE_SA gets deleted. - */ -#define HALF_OPEN_IKE_SA_TIMEOUT 30000 - -/** - * Retransmission uses a backoff algorithm. The timeout is calculated using - * TIMEOUT * (BASE ** try). - * When try reaches TRIES, retransmission is given up. - * - * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us: - * - * | relative | absolute - * --------------------------------------------------------- - * 4s * (1.8 ** (0 % 5)) = 4s 4s - * 4s * (1.8 ** (1 % 5)) = 7s 11s - * 4s * (1.8 ** (2 % 5)) = 13s 24s - * 4s * (1.8 ** (3 % 5)) = 23s 47s - * 4s * (1.8 ** (4 % 5)) = 42s 89s - * 4s * (1.8 ** (5 % 5)) = 76s 165s - * - * The peer is considered dead after 2min 45s when no reply comes in. - */ - -/** - * First retransmit timeout in milliseconds. - * Timeout value is increasing in each retransmit round. - */ -#define RETRANSMIT_TIMEOUT 4000 - -/** - * Base which is raised to the power of the retransmission count. - */ -#define RETRANSMIT_BASE 1.8 - -/** - * Number of retransmits done in a retransmit sequence - */ -#define RETRANSMIT_TRIES 5 - -/** - * Keepalive interval in seconds. - */ -#define KEEPALIVE_INTERVAL 20 - -/** - * retry interval in seconds. - */ -#define RETRY_INTERVAL 30 - -/** - * jitter to user for retrying - */ -#define RETRY_JITTER 20 - - -typedef struct private_configuration_t private_configuration_t; - -/** - * Private data of an configuration_t object. - */ -struct private_configuration_t { - - /** - * Public part of configuration_t object. - */ - configuration_t public; - -}; - -/** - * Implementation of configuration_t.get_retransmit_timeout. - */ -static u_int32_t get_retransmit_timeout (private_configuration_t *this, - u_int32_t retransmit_count) -{ - if (retransmit_count > RETRANSMIT_TRIES) - { - /* give up */ - return 0; - } - return (u_int32_t) - (RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count)); -} - -/** - * Implementation of configuration_t.get_half_open_ike_sa_timeout. - */ -static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this) -{ - return HALF_OPEN_IKE_SA_TIMEOUT; -} - -/** - * Implementation of configuration_t.get_keepalive_interval. - */ -static u_int32_t get_keepalive_interval (private_configuration_t *this) -{ - return KEEPALIVE_INTERVAL; -} - -/** - * Implementation of configuration_t.get_retry_interval. - */ -static u_int32_t get_retry_interval (private_configuration_t *this) -{ - return RETRY_INTERVAL - (random() % RETRY_JITTER); -} - -/** - * Implementation of configuration_t.destroy. - */ -static void destroy(private_configuration_t *this) -{ - free(this); -} - -/* - * Described in header-file - */ -configuration_t *configuration_create() -{ - private_configuration_t *this = malloc_thing(private_configuration_t); - - /* public functions */ - this->public.destroy = (void(*)(configuration_t*))destroy; - this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t))get_retransmit_timeout; - this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout; - this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval; - this->public.get_retry_interval = (u_int32_t (*) (configuration_t*)) get_retry_interval; - - return (&this->public); -} diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h deleted file mode 100755 index c1207171d..000000000 --- a/src/charon/config/configuration.h +++ /dev/null @@ -1,102 +0,0 @@ -/** - * @file configuration.h - * - * @brief Interface configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONFIGURATION_H_ -#define CONFIGURATION_H_ - -typedef struct configuration_t configuration_t; - -#include <library.h> - -/** - * @brief The interface for various daemon related configs. - * - * @b Constructors: - * - configuration_create() - * - * @ingroup config - */ -struct configuration_t { - - /** - * @brief Returns the retransmit timeout. - * - * A return value of zero means the request should not be - * retransmitted again. - * - * @param this calling object - * @param retransmitted number of times a message was retransmitted so far - * @return time in milliseconds, when to do next retransmit - */ - u_int32_t (*get_retransmit_timeout) (configuration_t *this, - u_int32_t retransmitted); - - /** - * @brief Returns the timeout for an half open IKE_SA in ms. - * - * Half open means that the IKE_SA is still on a not established state - * - * @param this calling object - * @return timeout in milliseconds (ms) - */ - u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this); - - /** - * @brief Returns the keepalive interval in s. - * - * The keepalive interval defines the idle time after which a - * NAT keepalive packet should be sent. - * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_keepalive_interval) (configuration_t *this); - - /** - * @brief Returns the interval to retry a failed action again. - * - * In some situations, the protocol may be in a state where processing - * is not possible and an action must be retried (e.g. rekeying). - * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_retry_interval) (configuration_t *this); - - /** - * @brief Destroys a configuration_t object. - * - * @param this calling object - */ - void (*destroy) (configuration_t *this); -}; - -/** - * @brief Creates a configuration backend. - * - * @return static_configuration_t object - * - * @ingroup config - */ -configuration_t *configuration_create(void); - -#endif /*CONFIGURATION_H_*/ diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c deleted file mode 100644 index ffe508992..000000000 --- a/src/charon/config/connections/connection.c +++ /dev/null @@ -1,404 +0,0 @@ -/** - * @file connection.c - * - * @brief Implementation of connection_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <string.h> - -#include <config/connections/connection.h> -#include <utils/linked_list.h> - -ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND, - "CERT_ALWAYS_SEND", - "CERT_SEND_IF_ASKED", - "CERT_NEVER_SEND" -); - -typedef struct private_connection_t private_connection_t; - -/** - * Private data of an connection_t object - */ -struct private_connection_t { - - /** - * Public part - */ - connection_t public; - - /** - * Number of references hold by others to this connection - */ - refcount_t refcount; - - /** - * Name of the connection - */ - char *name; - - /** - * Does charon handle this connection? Or can he ignore it? - */ - bool ikev2; - - /** - * should we send a certificate request? - */ - cert_policy_t certreq_policy; - - /** - * should we send a certificates? - */ - cert_policy_t cert_policy; - - /** - * ID of us - */ - identification_t *my_id; - - /** - * Host information of my host. - */ - host_t *my_host; - - /** - * Host information of other host. - */ - host_t *other_host; - - /** - * Interval to send DPD liveness checks on inactivity - */ - u_int32_t dpd_delay; - - /** - * Number of retransmission sequences to send bevore giving up - */ - u_int32_t keyingtries; - - /** - * Supported proposals - */ - linked_list_t *proposals; - - /** - * Time before an SA gets invalid - */ - u_int32_t soft_lifetime; - - /** - * Time before an SA gets rekeyed - */ - u_int32_t hard_lifetime; - - /** - * Use full reauthentication instead of rekeying - */ - bool reauth; - - /** - * Time, which specifies the range of a random value - * substracted from soft_lifetime. - */ - u_int32_t jitter; -}; - -/** - * Implementation of connection_t.get_name. - */ -static char *get_name (private_connection_t *this) -{ - return this->name; -} - -/** - * Implementation of connection_t.is_ikev2. - */ -static bool is_ikev2 (private_connection_t *this) -{ - return this->ikev2; -} - -/** - * Implementation of connection_t.get_certreq_policy. - */ -static cert_policy_t get_certreq_policy (private_connection_t *this) -{ - return this->certreq_policy; -} - -/** - * Implementation of connection_t.get_cert_policy. - */ -static cert_policy_t get_cert_policy (private_connection_t *this) -{ - return this->cert_policy; -} - -/** - * Implementation of connection_t.get_my_host. - */ -static host_t *get_my_host (private_connection_t *this) -{ - return this->my_host; -} - -/** - * Implementation of connection_t.get_other_host. - */ -static host_t *get_other_host (private_connection_t *this) -{ - return this->other_host; -} - -/** - * Implementation of connection_t.get_proposals. - */ -static linked_list_t* get_proposals(private_connection_t *this) -{ - iterator_t *iterator; - proposal_t *current; - linked_list_t *proposals = linked_list_create(); - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - current = current->clone(current); - proposals->insert_last(proposals, (void*)current); - } - iterator->destroy(iterator); - - return proposals; -} - -/** - * Implementation of connection_t.select_proposal. - */ -static proposal_t *select_proposal(private_connection_t *this, linked_list_t *proposals) -{ - iterator_t *stored_iter, *supplied_iter; - proposal_t *stored, *supplied, *selected; - - stored_iter = this->proposals->create_iterator(this->proposals, TRUE); - supplied_iter = proposals->create_iterator(proposals, TRUE); - - /* compare all stored proposals with all supplied. Stored ones are preferred. */ - while (stored_iter->iterate(stored_iter, (void**)&stored)) - { - supplied_iter->reset(supplied_iter); - - while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) - { - selected = stored->select(stored, supplied); - if (selected) - { - /* they match, return */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - return selected; - } - } - } - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - return NULL; -} - -/** - * Implementation of connection_t.add_proposal. - */ -static void add_proposal(private_connection_t *this, proposal_t *proposal) -{ - this->proposals->insert_last(this->proposals, proposal); -} - -/** - * Implementation of connection_t.get_dpd_delay. - */ -static u_int32_t get_dpd_delay(private_connection_t *this) -{ - return this->dpd_delay; -} - -/** - * Implementation of connection_t.get_keyingtries. - */ -static u_int32_t get_keyingtries(private_connection_t *this) -{ - return this->keyingtries; -} - -/** - * Implementation of connection_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_connection_t *this) -{ - iterator_t *iterator; - proposal_t *proposal; - algorithm_t *algo; - diffie_hellman_group_t dh_group = MODP_NONE; - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)&proposal)) - { - if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo)) - { - dh_group = algo->algorithm; - break; - } - } - iterator->destroy(iterator); - return dh_group; -} - -/** - * Implementation of connection_t.check_dh_group. - */ -static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh_group) -{ - iterator_t *prop_iter, *alg_iter; - proposal_t *proposal; - algorithm_t *algo; - - prop_iter = this->proposals->create_iterator(this->proposals, TRUE); - while (prop_iter->iterate(prop_iter, (void**)&proposal)) - { - alg_iter = proposal->create_algorithm_iterator(proposal, DIFFIE_HELLMAN_GROUP); - while (alg_iter->iterate(alg_iter, (void**)&algo)) - { - if (algo->algorithm == dh_group) - { - prop_iter->destroy(prop_iter); - alg_iter->destroy(alg_iter); - return TRUE; - } - } - alg_iter->destroy(alg_iter); - } - prop_iter->destroy(prop_iter); - return FALSE; -} -/** - * Implementation of connection_t.get_soft_lifetime - */ -static u_int32_t get_soft_lifetime(private_connection_t *this) -{ - if (this->jitter == 0) - { - return this->soft_lifetime ; - } - return this->soft_lifetime - (random() % this->jitter); -} - -/** - * Implementation of connection_t.get_hard_lifetime. - */ -static u_int32_t get_hard_lifetime(private_connection_t *this) -{ - return this->hard_lifetime; -} - -/** - * Implementation of connection_t.get_reauth. - */ -static bool get_reauth(private_connection_t *this) -{ - return this->reauth; -} - -/** - * Implementation of connection_t.get_ref. - */ -static void get_ref(private_connection_t *this) -{ - ref_get(&this->refcount); -} - -/** - * Implementation of connection_t.destroy. - */ -static void destroy(private_connection_t *this) -{ - if (ref_put(&this->refcount)) - { - this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); - this->my_host->destroy(this->my_host); - this->other_host->destroy(this->other_host); - free(this->name); - free(this); - } -} - -/** - * Described in header. - */ -connection_t * connection_create(char *name, bool ikev2, - cert_policy_t cert_policy, - cert_policy_t certreq_policy, - host_t *my_host, host_t *other_host, - u_int32_t dpd_delay, bool reauth, - u_int32_t keyingtries, - u_int32_t hard_lifetime, - u_int32_t soft_lifetime, u_int32_t jitter) -{ - private_connection_t *this = malloc_thing(private_connection_t); - - /* public functions */ - this->public.get_name = (char*(*)(connection_t*))get_name; - this->public.is_ikev2 = (bool(*)(connection_t*))is_ikev2; - this->public.get_cert_policy = (cert_policy_t(*)(connection_t*))get_cert_policy; - this->public.get_certreq_policy = (cert_policy_t(*)(connection_t*))get_certreq_policy; - this->public.get_my_host = (host_t*(*)(connection_t*))get_my_host; - this->public.get_other_host = (host_t*(*)(connection_t*))get_other_host; - this->public.get_proposals = (linked_list_t*(*)(connection_t*))get_proposals; - this->public.select_proposal = (proposal_t*(*)(connection_t*,linked_list_t*))select_proposal; - this->public.add_proposal = (void(*)(connection_t*, proposal_t*)) add_proposal; - this->public.get_dpd_delay = (u_int32_t(*)(connection_t*)) get_dpd_delay; - this->public.get_reauth = (bool(*)(connection_t*)) get_reauth; - this->public.get_keyingtries = (u_int32_t(*)(connection_t*)) get_keyingtries; - this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group; - this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group; - this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime; - this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime; - this->public.get_ref = (void(*)(connection_t*))get_ref; - this->public.destroy = (void(*)(connection_t*))destroy; - - /* private variables */ - this->refcount = 1; - this->name = strdup(name); - this->ikev2 = ikev2; - this->cert_policy = cert_policy; - this->certreq_policy = certreq_policy; - this->my_host = my_host; - this->other_host = other_host; - this->dpd_delay = dpd_delay; - this->reauth = reauth; - this->keyingtries = keyingtries; - this->hard_lifetime = hard_lifetime; - this->soft_lifetime = soft_lifetime; - this->jitter = jitter; - - this->proposals = linked_list_create(); - - return &this->public; -} diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h deleted file mode 100644 index d0788876f..000000000 --- a/src/charon/config/connections/connection.h +++ /dev/null @@ -1,292 +0,0 @@ -/** - * @file connection.h - * - * @brief Interface of connection_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONNECTION_H_ -#define CONNECTION_H_ - -typedef enum cert_policy_t cert_policy_t; -typedef struct connection_t connection_t; - -#include <library.h> -#include <utils/host.h> -#include <utils/linked_list.h> -#include <utils/identification.h> -#include <config/proposal.h> -#include <crypto/diffie_hellman.h> - - -/** - * Certificate sending policy. This is also used for certificate - * requests when using this definition for the other peer. If - * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its - * included. - * - * @ingroup config - * - * @warning These definitions must be the same as in pluto/starter, - * as they are sent over the stroke socket. - */ -enum cert_policy_t { - /** always send certificates, even when not requested */ - CERT_ALWAYS_SEND = 0, - /** send certificate upon cert request */ - CERT_SEND_IF_ASKED = 1, - /** never send a certificate, even when requested */ - CERT_NEVER_SEND = 2, -}; - -/** - * enum strings for cert_policy_t - * - * @ingroup config - */ -extern enum_name_t *cert_policy_names; - -/** - * @brief A connection_t defines the rules to set up an IKE_SA. - * - * @b Constructors: - * - connection_create() - * - * @ingroup config - */ -struct connection_t { - - /** - * @brief Get my address as host_t object. - * - * Object is NOT getting cloned. - * - * @param this calling object - * @return host information as host_t object - */ - host_t *(*get_my_host) (connection_t *this); - - /** - * @brief Get others address as host_t object. - * - * Object is NOT getting cloned. - * - * @param this calling object - * @return host information as host_t object - */ - host_t *(*get_other_host) (connection_t *this); - - /** - * @brief Returns a list of all supported proposals. - * - * Returned list and its proposals must be destroyed after usage. - * - * @param this calling object - * @return list containing all the proposals - */ - linked_list_t *(*get_proposals) (connection_t *this); - - /** - * @brief Adds a proposal to the list. - * - * The first added proposal has the highest priority, the last - * added the lowest. - * - * @param this calling object - * @param proposal proposal to add - */ - void (*add_proposal) (connection_t *this, proposal_t *proposal); - - /** - * @brief Select a proposed from suggested proposals. - * - * Returned proposal must be destroyed after usage. - * - * @param this calling object - * @param proposals list of proposals to select from - * @return selected proposal, or NULL if none matches. - */ - proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals); - - /** - * @brief Get the DPD check interval. - * - * @param this calling object - * @return dpd_delay in seconds - */ - u_int32_t (*get_dpd_delay) (connection_t *this); - - /** - * @brief Should a full reauthentication be done instead of rekeying? - * - * @param this calling object - * @return TRUE to use full reauthentication - */ - bool (*get_reauth) (connection_t *this); - - /** - * @brief Get the max number of retransmission sequences. - * - * @param this calling object - * @return max number of retransmission sequences - */ - u_int32_t (*get_keyingtries) (connection_t *this); - - /** - * @brief Get the connection name. - * - * Name must not be freed, since it points to - * internal data. - * - * @param this calling object - * @return name of the connection - */ - char* (*get_name) (connection_t *this); - - /** - * @brief Check if the connection is marked as an IKEv2 connection. - * - * Since all connections (IKEv1+2) are loaded, but charon handles - * only those marked with IKEv2, this flag can tell us if we must - * ignore a connection on initiaton. Then pluto will do it for us. - * - * @param this calling object - * @return - TRUE, if this is an IKEv2 connection - */ - bool (*is_ikev2) (connection_t *this); - - /** - * @brief Should be sent a certificate request for this connection? - * - * A certificate request contains serials of our trusted CA certificates. - * This flag says if such a request is sent on connection setup to - * the peer. It should be omitted when CERT_SEND_NEVER, sended otherwise. - * - * @param this calling object - * @return certificate request sending policy - */ - cert_policy_t (*get_certreq_policy) (connection_t *this); - - /** - * @brief Should be sent a certificate for this connection? - * - * Return the policy used to send the certificate. - * - * @param this calling object - * @return certificate sending policy - */ - cert_policy_t (*get_cert_policy) (connection_t *this); - - /** - * @brief Get the DH group to use for connection initialization. - * - * @param this calling object - * @return dh group to use for initialization - */ - diffie_hellman_group_t (*get_dh_group) (connection_t *this); - - /** - * @brief Check if a suggested dh group is acceptable. - * - * If we guess a wrong DH group for IKE_SA_INIT, the other - * peer will send us a offer. But is this acceptable for us? - * - * @param this calling object - * @return TRUE if group acceptable - */ - bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group); - - /** - * @brief Get the lifetime of a connection, before IKE_SA rekeying starts. - * - * A call to this function automatically adds a jitter to - * avoid simultanous rekeying. - * - * @param this calling object - * @return lifetime in seconds - */ - u_int32_t (*get_soft_lifetime) (connection_t *this); - - /** - * @brief Get the lifetime of a connection, before IKE_SA gets deleted. - * - * @param this calling object - * @return lifetime in seconds - */ - u_int32_t (*get_hard_lifetime) (connection_t *this); - - /** - * @brief Get a new reference to this connection. - * - * Get a new reference to this connection by increasing - * it's internal reference counter. - * Do not call get_ref or any other function until you - * already have a reference. Otherwise the object may get - * destroyed while calling get_ref(), - * - * @param this calling object - */ - void (*get_ref) (connection_t *this); - - /** - * @brief Destroys a connection_t object. - * - * Decrements the internal reference counter and - * destroys the connection when it reaches zero. - * - * @param this calling object - */ - void (*destroy) (connection_t *this); -}; - -/** - * @brief Creates a connection_t object. - * - * Supplied hosts become owned by connection, so - * do not modify or destroy them after a call to - * connection_create(). Name gets cloned internally. - * The retrasmit sequence number says how fast we give up when the peer - * does not respond. A high value may bridge-over temporary connection - * problems, a small value can detect dead peers faster. - * - * @param name connection identifier - * @param ikev2 TRUE if this is an IKEv2 connection - * @param cert_policy certificate send policy - * @param cert_req_policy certificate request send policy - * @param my_host host_t representing local address - * @param other_host host_t representing remote address - * @param dpd_delay interval of DPD liveness checks - * @param reauth use full reauthentication instead of rekeying - * @param keyingtries number of retransmit sequences to use - * @param hard_lifetime lifetime before deleting an IKE_SA - * @param soft_lifetime lifetime before rekeying an IKE_SA - * @param jitter range of randomization time - * @return connection_t object. - * - * @ingroup config - */ -connection_t * connection_create(char *name, bool ikev2, - cert_policy_t cert_pol, cert_policy_t req_pol, - host_t *my_host, host_t *other_host, - u_int32_t dpd_delay, bool reauth, - u_int32_t keyingtries, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter); - -#endif /* CONNECTION_H_ */ diff --git a/src/charon/config/connections/connection_store.h b/src/charon/config/connections/connection_store.h deleted file mode 100755 index 70f209d3b..000000000 --- a/src/charon/config/connections/connection_store.h +++ /dev/null @@ -1,118 +0,0 @@ -/** - * @file connection_store.h - * - * @brief Interface connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONNECTION_STORE_H_ -#define CONNECTION_STORE_H_ - -typedef struct connection_store_t connection_store_t; - -#include <library.h> -#include <config/connections/connection.h> -#include <utils/iterator.h> - -/** - * @brief The interface for a store of connection_t's. - * - * @b Constructors: - * - stroke_create() - * - * @ingroup config - */ -struct connection_store_t { - - /** - * @brief Returns a connection definition identified by two hosts. - * - * This call is usefull to get a connection identified by addresses. - * It may be used after kernel request for traffic protection. - * The returned connection gets created/cloned and therefore must - * be destroyed after usage. - * - * @param this calling object - * @param my_id own address of connection - * @param other_id others address of connection - * @return - * - connection_t, if found - * - NULL otherwise - */ - connection_t *(*get_connection_by_hosts)(connection_store_t *this, - host_t *my_host, host_t *other_host); - - /** - * @brief Returns a connection identified by its name. - * - * This call is usefull to get a connection identified its - * name, as on an connection setup. - * - * @param this calling object - * @param name name of the connection to get - * @return - * - connection_t, if found - * - NULL otherwise - */ - connection_t *(*get_connection_by_name) (connection_store_t *this, char *name); - - /** - * @brief Add a connection to the store. - * - * After a successful call, the connection is owned by the store and may - * not be manipulated nor destroyed. - * - * @param this calling object - * @param connection connection to add - * @return - * - SUCCESS, or - * - FAILED - */ - status_t (*add_connection) (connection_store_t *this, connection_t *connection); - - /** - * @brief Delete a connection from the store. - * - * Remove a connection from the connection store, identified - * by the connections name. - * - * @param this calling object - * @param name name of the connection to delete - * @return - * - SUCCESS, or - * - NOT_FOUND - */ - status_t (*delete_connection) (connection_store_t *this, char *name); - - /** - * @brief Get an iterator for the stored connections. - * - * @param this calling object - * @return iterator over all stored connections - */ - iterator_t* (*create_iterator) (connection_store_t *this); - - /** - * @brief Destroys a connection_store_t object. - * - * @param this calling object - */ - void (*destroy) (connection_store_t *this); -}; - -#endif /* CONNECTION_STORE_H_ */ diff --git a/src/charon/config/connections/local_connection_store.c b/src/charon/config/connections/local_connection_store.c deleted file mode 100644 index df4ec230a..000000000 --- a/src/charon/config/connections/local_connection_store.c +++ /dev/null @@ -1,237 +0,0 @@ -/** - * @file local_connection_store.c - * - * @brief Implementation of local_connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <string.h> - -#include "local_connection_store.h" - -#include <daemon.h> -#include <utils/linked_list.h> - - -typedef struct private_local_connection_store_t private_local_connection_store_t; - -/** - * Private data of an local_connection_store_t object - */ -struct private_local_connection_store_t { - - /** - * Public part - */ - local_connection_store_t public; - - /** - * stored connection - */ - linked_list_t *connections; - - /** - * Mutex to exclusivly access connection list - */ - pthread_mutex_t mutex; -}; - - -/** - * Implementation of connection_store_t.get_connection_by_hosts. - */ -static connection_t *get_connection_by_hosts(private_local_connection_store_t *this, host_t *my_host, host_t *other_host) -{ - typedef enum { - PRIO_UNDEFINED= 0x00, - PRIO_ADDR_ANY= 0x01, - PRIO_ADDR_MATCH= 0x02 - } prio_t; - - prio_t best_prio = PRIO_UNDEFINED; - - iterator_t *iterator; - connection_t *candidate; - connection_t *found = NULL; - - DBG2(DBG_CFG, "looking for connection for host pair %H...%H", - my_host, other_host); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - /* determine closest matching connection */ - while (iterator->iterate(iterator, (void**)&candidate)) - { - host_t *candidate_my_host; - host_t *candidate_other_host; - - candidate_my_host = candidate->get_my_host(candidate); - candidate_other_host = candidate->get_other_host(candidate); - - /* my_host addresses must match*/ - if (my_host->ip_equals(my_host, candidate_my_host)) - { - prio_t prio = PRIO_UNDEFINED; - - /* exact match of peer host address or wildcard address? */ - if (other_host->ip_equals(other_host, candidate_other_host)) - { - prio |= PRIO_ADDR_MATCH; - } - else if (candidate_other_host->is_anyaddr(candidate_other_host)) - { - prio |= PRIO_ADDR_ANY; - } - - DBG2(DBG_CFG, "candidate connection \"%s\": %H...%H (prio=%d)", - candidate->get_name(candidate), - candidate_my_host, candidate_other_host, prio); - - if (prio > best_prio) - { - found = candidate; - best_prio = prio; - } - } - } - iterator->destroy(iterator); - - if (found) - { - DBG2(DBG_CFG, "found matching connection \"%s\": %H...%H (prio=%d)", - found->get_name(found), found->get_my_host(found), - found->get_other_host(found), best_prio); - - /* give out a new reference to it */ - found->get_ref(found); - } - pthread_mutex_unlock(&(this->mutex)); - return found; -} - -/** - * Implementation of connection_store_t.get_connection_by_name. - */ -static connection_t *get_connection_by_name(private_local_connection_store_t *this, char *name) -{ - iterator_t *iterator; - connection_t *current, *found = NULL; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (strcmp(name, current->get_name(current)) == 0) - { - found = current; - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - - if (found) - { - /* get a new reference for it */ - found->get_ref(found); - } - return found; -} - -/** - * Implementation of connection_store_t.delete_connection. - */ -static status_t delete_connection(private_local_connection_store_t *this, char *name) -{ - iterator_t *iterator; - connection_t *current; - bool found = FALSE; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->connections->create_iterator(this->connections, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - /* remove connection from list, and destroy it */ - iterator->remove(iterator); - current->destroy(current); - found = TRUE; - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - if (found) - { - return SUCCESS; - } - return NOT_FOUND; -} - -/** - * Implementation of connection_store_t.add_connection. - */ -static status_t add_connection(private_local_connection_store_t *this, connection_t *connection) -{ - pthread_mutex_lock(&(this->mutex)); - this->connections->insert_last(this->connections, connection); - pthread_mutex_unlock(&(this->mutex)); - return SUCCESS; -} - -/** - * Implementation of connection_store_t.create_iterator. - */ -static iterator_t* create_iterator(private_local_connection_store_t *this) -{ - return this->connections->create_iterator_locked(this->connections, - &this->mutex); -} - -/** - * Implementation of connection_store_t.destroy. - */ -static void destroy (private_local_connection_store_t *this) -{ - pthread_mutex_lock(&(this->mutex)); - this->connections->destroy_offset(this->connections, offsetof(connection_t, destroy)); - pthread_mutex_unlock(&(this->mutex)); - free(this); -} - -/** - * Described in header. - */ -local_connection_store_t * local_connection_store_create(void) -{ - private_local_connection_store_t *this = malloc_thing(private_local_connection_store_t); - - this->public.connection_store.get_connection_by_hosts = (connection_t*(*)(connection_store_t*,host_t*,host_t*))get_connection_by_hosts; - this->public.connection_store.get_connection_by_name = (connection_t*(*)(connection_store_t*,char*))get_connection_by_name; - this->public.connection_store.delete_connection = (status_t(*)(connection_store_t*,char*))delete_connection; - this->public.connection_store.add_connection = (status_t(*)(connection_store_t*,connection_t*))add_connection; - this->public.connection_store.create_iterator = (iterator_t*(*)(connection_store_t*))create_iterator; - this->public.connection_store.destroy = (void(*)(connection_store_t*))destroy; - - /* private variables */ - this->connections = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - - return (&this->public); -} diff --git a/src/charon/config/connections/local_connection_store.h b/src/charon/config/connections/local_connection_store.h deleted file mode 100644 index e78ed809a..000000000 --- a/src/charon/config/connections/local_connection_store.h +++ /dev/null @@ -1,62 +0,0 @@ -/** - * @file local_connection_store.h - * - * @brief Interface of local_connection_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef LOCAL_CONNECTION_H_ -#define LOCAL_CONNECTION_H_ - -typedef struct local_connection_store_t local_connection_store_t; - -#include <library.h> -#include <config/connections/connection_store.h> - -/** - * @brief A connection_store_t implementation using a simple connection list. - * - * The local_connection_store_t class implements the connection_store_t interface - * as simple as possible. connection_t's are stored in an in-memory list. - * - * @b Constructors: - * - local_connection_store_create() - * - * @todo Make thread-save first - * @todo Add remove_connection method - * - * @ingroup config - */ -struct local_connection_store_t { - - /** - * Implements connection_store_t interface - */ - connection_store_t connection_store; -}; - -/** - * @brief Creates a local_connection_store_t instance. - * - * @return connection store instance. - * - * @ingroup config - */ -local_connection_store_t * local_connection_store_create(void); - -#endif /* LOCAL_CONNECTION_H_ */ diff --git a/src/charon/config/credentials/local_credential_store.c b/src/charon/config/credentials/local_credential_store.c index b7b71b9e7..6964345b3 100644 --- a/src/charon/config/credentials/local_credential_store.c +++ b/src/charon/config/credentials/local_credential_store.c @@ -24,6 +24,7 @@ #include <dirent.h> #include <string.h> #include <pthread.h> +#include <errno.h> #include <library.h> #include <utils/lexparser.h> @@ -32,13 +33,13 @@ #include <crypto/certinfo.h> #include <crypto/x509.h> #include <crypto/ca.h> +#include <crypto/ac.h> #include <crypto/crl.h> #include <asn1/ttodata.h> #include "local_credential_store.h" #define PATH_BUF 256 -#define MAX_CA_PATH_LEN 7 typedef struct shared_key_t shared_key_t; @@ -103,24 +104,25 @@ static shared_key_t *shared_key_create(chunk_t secret) | | ca_info_t | | +--------------------------+ +---------------+ | char *name | -| x509_t |<--| x509_t *cacert | +----------------------+ -+---------------+ | linked_list_t *certinfos |-->| certinfo_t | -| chunk_t keyid | | linked_list_t *ocspuris | +----------------------+ -+---------------+ | crl_t *crl | | chunk_t serialNumber | +| x509_t |<--| x509_t *cacert | ++---------------+ | linked_list_t *attrcerts | +----------------------+ +| chunk_t keyid | | linked_list_t *certinfos |-->| certinfo_t | ++---------------+ | linked_list_t *ocspuris | +----------------------+ + | | crl_t *crl | | chunk_t serialNumber | | | linked_list_t *crluris | | cert_status_t status | - | | pthread_mutex_t mutex | | time_t thisUpdate | -+---------------+ +--------------------------+ | time_t nextUpdate | -| x509_t | | | bool once | -+---------------+ | +----------------------+ -| chunk_t keyid | | | -+---------------+ +------------------------- + +----------------------+ - | | ca_info_t | | certinfo_t | - | +--------------------------+ +----------------------+ -+---------------+ | char *name | | chunk_t serialNumber | -| x509_t |<--| x509_t *cacert | | cert_status_t status | -+---------------+ | linked_list_t *certinfos | | time_t thisUpdate | -| chunk_t keyid | | linked_list_t *ocspuris | | time_t nextUpdate | -+---------------+ | crl_t *crl | | bool once | ++---------------+ | pthread_mutex_t mutex | | time_t thisUpdate | +| x509_t | +--------------------------+ | time_t nextUpdate | ++---------------+ | | bool once | +| chunk_t keyid | | +----------------------+ ++---------------+ +------------------------- + | + | | ca_info_t | +----------------------+ + | +--------------------------+ | certinfo_t | ++---------------+ | char *name | +----------------------+ +| x509_t |<--| x509_t *cacert | | chunk_t serialNumber | ++---------------+ | linked_list_t *attrcerts | | cert_status_t status | +| chunk_t keyid | | linked_list_t *certinfos | | time_t thisUpdate | ++---------------+ | linked_list_t *ocspuris | | time_t nextUpdate | + | | crl_t *crl | | bool once | | | linked_list_t *crluris | +----------------------+ | | pthread_mutex_t mutex; | | | +--------------------------+ @@ -169,11 +171,6 @@ struct private_local_credential_store_t { * list of X.509 CA information records */ linked_list_t *ca_infos; - - /** - * enforce strict crl policy - */ - bool strict; }; @@ -302,39 +299,29 @@ static rsa_public_key_t *get_rsa_public_key(private_local_credential_store_t *th } /** - * Implementation of local_credential_store_t.get_trusted_public_key. + * Implementation of credential_store_t.get_issuer. */ -static rsa_public_key_t *get_trusted_public_key(private_local_credential_store_t *this, - identification_t *id) +static ca_info_t* get_issuer(private_local_credential_store_t *this, x509_t *cert) { - cert_status_t status; - err_t ugh; - - x509_t *cert = get_certificate(this, id); - - if (cert == NULL) - return NULL; + ca_info_t *found = cert->get_ca_info(cert); - ugh = cert->is_valid(cert, NULL); - if (ugh != NULL) + if (found == NULL) { - DBG1(DBG_CFG, "certificate %s", ugh); - return NULL; - } + iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE); + ca_info_t *ca_info; - status = cert->get_status(cert); - if (status == CERT_REVOKED || status == CERT_UNTRUSTED || (this->strict && status != CERT_GOOD)) - { - DBG1(DBG_CFG, "certificate status: %N", cert_status_names, status); - return NULL; - } - if (status == CERT_GOOD && cert->get_until(cert) < time(NULL)) - { - DBG1(DBG_CFG, "certificate is good but crl is stale"); - return NULL; + while (iterator->iterate(iterator, (void**)&ca_info)) + { + if (ca_info->is_cert_issuer(ca_info, cert)) + { + found = ca_info; + cert->set_ca_info(cert, found); + break; + } + } + iterator->destroy(iterator); } - - return cert->get_public_key(cert); + return found; } /** @@ -435,29 +422,6 @@ static x509_t* get_ca_certificate_by_keyid(private_local_credential_store_t *thi } /** - * Implementation of credential_store_t.get_issuer. - */ -static ca_info_t* get_issuer(private_local_credential_store_t *this, const x509_t *cert) -{ - ca_info_t *found = NULL; - ca_info_t *ca_info; - - iterator_t *iterator = this->ca_infos->create_iterator(this->ca_infos, TRUE); - - while (iterator->iterate(iterator, (void**)&ca_info)) - { - if (ca_info->is_cert_issuer(ca_info, cert)) - { - found = ca_info; - break; - } - } - iterator->destroy(iterator); - - return found; -} - -/** * Find an exact copy of a certificate in a linked list */ static x509_t* find_certificate(linked_list_t *certs, x509_t *cert) @@ -509,13 +473,13 @@ static void add_uris(ca_info_t *issuer, x509_t *cert) /** * Implementation of credential_store_t.is_trusted */ -static bool is_trusted(private_local_credential_store_t *this, x509_t *cert) +static bool is_trusted(private_local_credential_store_t *this, const char *label, x509_t *cert) { int pathlen; time_t until = UNDEFINED_TIME; x509_t *cert_to_be_trusted = cert; - DBG2(DBG_CFG, "establishing trust in certificate:"); + DBG1(DBG_CFG, "establishing trust in %s certificate:", label); for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) { @@ -525,8 +489,8 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert) rsa_public_key_t *issuer_public_key; bool valid_signature; - DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert)); - DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert)); + DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert)); + DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert)); ugh = cert->is_valid(cert, &until); if (ugh != NULL) @@ -558,18 +522,19 @@ static bool is_trusted(private_local_credential_store_t *this, x509_t *cert) /* check if cert is a self-signed root ca */ if (pathlen > 0 && cert->is_self_signed(cert)) { - DBG2(DBG_CFG, "reached self-signed root ca"); + DBG1(DBG_CFG, "reached self-signed root ca"); cert_to_be_trusted->set_until(cert_to_be_trusted, until); cert_to_be_trusted->set_status(cert_to_be_trusted, CERT_GOOD); return TRUE; } else { - /* go up one step in the trust chain */ + DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)", + pathlen + 1); cert = issuer_cert; } } - DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN); return FALSE; } @@ -584,7 +549,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f x509_t *end_cert = cert; x509_t *cert_copy = find_certificate(this->certs, end_cert); - DBG2(DBG_CFG, "verifying end entity certificate:"); + DBG1(DBG_CFG, "verifying end entity certificate up to trust anchor:"); *found = (cert_copy != NULL); if (*found) @@ -595,14 +560,16 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) { + bool valid_signature; err_t ugh = NULL; ca_info_t *issuer; x509_t *issuer_cert; rsa_public_key_t *issuer_public_key; - bool valid_signature; + chunk_t keyid = cert->get_keyid(cert); DBG1(DBG_CFG, "subject: '%D'", cert->get_subject(cert)); DBG1(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert)); + DBG1(DBG_CFG, "keyid: %#B", &keyid); ugh = cert->is_valid(cert, &until); if (ugh != NULL) @@ -647,24 +614,29 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f } else { + bool strict; time_t nextUpdate; cert_status_t status; certinfo_t *certinfo = certinfo_create(cert->get_serialNumber(cert)); - certinfo->set_nextUpdate(certinfo, until); - if (pathlen == 0) { /* add any crl and ocsp uris contained in the certificate under test */ add_uris(issuer, cert); } + strict = issuer->is_strict(issuer); + DBG1(DBG_CFG, "issuer %s a strict crl policy", + strict ? "enforces":"does not enforce"); + /* first check certificate revocation using ocsp */ status = issuer->verify_by_ocsp(issuer, certinfo, &this->public.credential_store); /* if ocsp service is not available then fall back to crl */ - if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && this->strict)) + if ((status == CERT_UNDEFINED) || (status == CERT_UNKNOWN && strict)) { + + certinfo->set_status(certinfo, CERT_UNKNOWN); status = issuer->verify_by_crl(issuer, certinfo, CRL_DIR); } @@ -674,23 +646,23 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f switch (status) { case CERT_GOOD: - /* set nextUpdate */ - cert->set_until(cert, nextUpdate); + /* with strict crl policy the public key must have the same + * lifetime as the validity of the ocsp status or crl lifetime + */ + if (strict) + { + cert->set_until(cert, nextUpdate); + until = (nextUpdate < until)? nextUpdate : until; + } /* if status information is stale */ - if (this->strict && nextUpdate < time(NULL)) + if (strict && nextUpdate < time(NULL)) { DBG2(DBG_CFG, "certificate is good but status is stale"); certinfo->destroy(certinfo); return FALSE; } DBG1(DBG_CFG, "certificate is good"); - - /* with strict crl policy the public key must have the same - * lifetime as the validity of the ocsp status or crl lifetime - */ - if (this->strict && nextUpdate < until) - until = nextUpdate; break; case CERT_REVOKED: { @@ -724,7 +696,7 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f case CERT_UNDEFINED: default: DBG1(DBG_CFG, "certificate status unknown"); - if (this->strict) + if (strict) { /* update status of end certificate in the credential store */ if (cert_copy) @@ -738,14 +710,97 @@ static bool verify(private_local_credential_store_t *this, x509_t *cert, bool *f } certinfo->destroy(certinfo); } - /* go up one step in the trust chain */ + DBG1(DBG_CFG, "going up one step in the certificate trust chain (%d)", + pathlen + 1); cert = issuer_cert; } - DBG1(DBG_CFG, "maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + DBG1(DBG_CFG, "maximum ca path length of %d levels reached", MAX_CA_PATH_LEN); return FALSE; } /** + * Implementation of local_credential_store_t.verify_signature. + */ +static status_t verify_signature(private_local_credential_store_t *this, + chunk_t hash, chunk_t sig, + identification_t *id, ca_info_t **issuer_p) +{ + iterator_t *iterator = this->certs->create_iterator(this->certs, TRUE); + status_t sig_status; + x509_t *cert; + + /* default return values in case of failure */ + sig_status = NOT_FOUND; + *issuer_p = NULL; + + while (iterator->iterate(iterator, (void**)&cert)) + { + if (id->equals(id, cert->get_subject(cert)) + || cert->equals_subjectAltName(cert, id)) + { + rsa_public_key_t *public_key = cert->get_public_key(cert); + cert_status_t cert_status = cert->get_status(cert); + + DBG2(DBG_CFG, "found candidate peer certificate"); + + if (cert_status == CERT_UNDEFINED || cert->get_until(cert) < time(NULL)) + { + bool found; + + if (!verify(this, cert, &found)) + { + sig_status = VERIFY_ERROR; + DBG1(DBG_CFG, "candidate peer certificate was not successfully verified"); + continue; + } + *issuer_p = get_issuer(this, cert); + } + else + { + ca_info_t *issuer = get_issuer(this, cert); + chunk_t keyid = public_key->get_keyid(public_key); + + DBG2(DBG_CFG, "subject: '%D'", cert->get_subject(cert)); + DBG2(DBG_CFG, "issuer: '%D'", cert->get_issuer(cert)); + DBG2(DBG_CFG, "keyid: %#B", &keyid); + + if (issuer == NULL) + { + DBG1(DBG_CFG, "candidate peer certificate has no retrievable issuer"); + sig_status = NOT_FOUND; + continue; + } + if (cert_status == CERT_REVOKED || cert_status == CERT_UNTRUSTED + || ((issuer)->is_strict(issuer) && cert_status != CERT_GOOD)) + { + DBG1(DBG_CFG, "candidate peer certificate has an inacceptable status: %N", cert_status_names, cert_status); + sig_status = VERIFY_ERROR; + continue; + } + *issuer_p = issuer; + } + sig_status = public_key->verify_emsa_pkcs1_signature(public_key, hash, sig); + if (sig_status == SUCCESS) + { + DBG2(DBG_CFG, "candidate peer certificate has a matching RSA public key"); + break; + } + else + { + DBG1(DBG_CFG, "candidate peer certificate has a non-matching RSA public key"); + *issuer_p = NULL; + } + } + } + iterator->destroy(iterator); + if (sig_status == NOT_FOUND) + { + DBG1(DBG_CFG, "no candidate peer certificate found"); + } + return sig_status; +} + +/** * Add a unique certificate to a linked list */ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert) @@ -770,7 +825,7 @@ static x509_t* add_certificate(linked_list_t *certs, x509_t *cert) /** * Add a unique ca info record to a linked list */ -static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info) +static ca_info_t* add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_info) { ca_info_t *current_ca_info; ca_info_t *found_ca_info = NULL; @@ -791,11 +846,13 @@ static void add_ca_info(private_local_credential_store_t *this, ca_info_t *ca_in { current_ca_info->add_info(current_ca_info, ca_info); ca_info->destroy(ca_info); + ca_info = found_ca_info; } else { this->ca_infos->insert_last(this->ca_infos, (void*)ca_info); } + return ca_info; } /** @@ -886,12 +943,12 @@ static void load_auth_certificates(private_local_credential_store_t *this, struct stat stb; DIR* dir; - DBG1(DBG_CFG, "loading %s certificates from '%s/'", label, path); + DBG1(DBG_CFG, "loading %s certificates from '%s'", label, path); dir = opendir(path); if (dir == NULL) { - DBG1(DBG_CFG, "error opening %s certs directory %s'", label, path); + DBG1(DBG_CFG, "error opening %s certs directory '%s'", label, path); return; } @@ -962,12 +1019,15 @@ static void load_ca_certificates(private_local_credential_store_t *this) while (iterator->iterate(iterator, (void **)&ca_info)) { - x509_t *cacert = ca_info->get_certificate(ca_info); - ca_info_t *issuer = get_issuer(this, cacert); - - if (issuer) + if (ca_info->is_ca(ca_info)) { - add_uris(issuer, cacert); + x509_t *cacert = ca_info->get_certificate(ca_info); + ca_info_t *issuer = get_issuer(this, cacert); + + if (issuer) + { + add_uris(issuer, cacert); + } } } iterator->destroy(iterator); @@ -975,6 +1035,74 @@ static void load_ca_certificates(private_local_credential_store_t *this) } /** + * Implements local_credential_store_t.load_aa_certificates + */ +static void load_aa_certificates(private_local_credential_store_t *this) +{ + load_auth_certificates(this, AUTH_AA, "aa", AA_CERTIFICATE_DIR); +} + +/** + * Add a unique attribute certificate to a linked list + */ +static void add_attr_certificate(private_local_credential_store_t *this, x509ac_t *cert) +{ + /* TODO add a new attribute certificate to the linked list */ +} + +/** + * Implements local_credential_store_t.load_attr_certificates + */ +static void load_attr_certificates(private_local_credential_store_t *this) +{ + struct dirent* entry; + struct stat stb; + DIR* dir; + + const char *path = ATTR_CERTIFICATE_DIR; + + DBG1(DBG_CFG, "loading attribute certificates from '%s'", path); + + dir = opendir(ATTR_CERTIFICATE_DIR); + if (dir == NULL) + { + DBG1(DBG_CFG, "error opening attribute certs directory '%s'", path); + return; + } + + while ((entry = readdir(dir)) != NULL) + { + char file[PATH_BUF]; + + snprintf(file, sizeof(file), "%s/%s", path, entry->d_name); + + if (stat(file, &stb) == -1) + { + continue; + } + /* try to parse all regular files */ + if (stb.st_mode & S_IFREG) + { + x509ac_t *cert = x509ac_create_from_file(file); + + if (cert) + { + err_t ugh = cert->is_valid(cert, NULL); + + if (ugh != NULL) + { + DBG1(DBG_CFG, "warning: attribute certificate %s", ugh); + } + add_attr_certificate(this, cert); + } + } + } + closedir(dir); + + +} + +/** * Implements local_credential_store_t.load_ocsp_certificates */ static void load_ocsp_certificates(private_local_credential_store_t *this) @@ -993,7 +1121,7 @@ static void add_crl(private_local_credential_store_t *this, crl_t *crl, const ch while (iterator->iterate(iterator, (void**)&ca_info)) { - if (ca_info->is_crl_issuer(ca_info, crl)) + if (ca_info->is_ca(ca_info) && ca_info->is_crl_issuer(ca_info, crl)) { char buffer[BUF_LEN]; chunk_t uri = { buffer, 7 + strlen(path) }; @@ -1027,12 +1155,12 @@ static void load_crls(private_local_credential_store_t *this) DIR* dir; crl_t *crl; - DBG1(DBG_CFG, "loading crls from '%s/'", CRL_DIR); + DBG1(DBG_CFG, "loading crls from '%s'", CRL_DIR); dir = opendir(CRL_DIR); if (dir == NULL) { - DBG1(DBG_CFG, "error opening crl directory %s'", CRL_DIR); + DBG1(DBG_CFG, "error opening crl directory '%s'", CRL_DIR); return; } @@ -1300,7 +1428,8 @@ error: } else { - DBG1(DBG_CFG, "could not open file '%s'", SECRETS_FILE); + DBG1(DBG_CFG, "could not open file '%s': %s", SECRETS_FILE, + strerror(errno)); } } @@ -1321,7 +1450,7 @@ static void destroy(private_local_credential_store_t *this) /** * Described in header. */ -local_credential_store_t * local_credential_store_create(bool strict) +local_credential_store_t * local_credential_store_create(void) { private_local_credential_store_t *this = malloc_thing(private_local_credential_store_t); @@ -1330,21 +1459,23 @@ local_credential_store_t * local_credential_store_create(bool strict) this->public.credential_store.get_rsa_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_rsa_public_key; this->public.credential_store.get_rsa_private_key = (rsa_private_key_t* (*) (credential_store_t*,rsa_public_key_t*))get_rsa_private_key; this->public.credential_store.has_rsa_private_key = (bool (*) (credential_store_t*,rsa_public_key_t*))has_rsa_private_key; - this->public.credential_store.get_trusted_public_key = (rsa_public_key_t*(*)(credential_store_t*,identification_t*))get_trusted_public_key; this->public.credential_store.get_certificate = (x509_t* (*) (credential_store_t*,identification_t*))get_certificate; this->public.credential_store.get_auth_certificate = (x509_t* (*) (credential_store_t*,u_int,identification_t*))get_auth_certificate; this->public.credential_store.get_ca_certificate_by_keyid = (x509_t* (*) (credential_store_t*,chunk_t))get_ca_certificate_by_keyid; - this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,const x509_t*))get_issuer; - this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,x509_t*))is_trusted; + this->public.credential_store.get_issuer = (ca_info_t* (*) (credential_store_t*,x509_t*))get_issuer; + this->public.credential_store.is_trusted = (bool (*) (credential_store_t*,const char*,x509_t*))is_trusted; + this->public.credential_store.verify_signature = (status_t (*) (credential_store_t*,chunk_t,chunk_t,identification_t*,ca_info_t**))verify_signature; this->public.credential_store.verify = (bool (*) (credential_store_t*,x509_t*,bool*))verify; this->public.credential_store.add_end_certificate = (x509_t* (*) (credential_store_t*,x509_t*))add_end_certificate; this->public.credential_store.add_auth_certificate = (x509_t* (*) (credential_store_t*,x509_t*,u_int))add_auth_certificate; - this->public.credential_store.add_ca_info = (void (*) (credential_store_t*,ca_info_t*))add_ca_info; + this->public.credential_store.add_ca_info = (ca_info_t* (*) (credential_store_t*,ca_info_t*))add_ca_info; this->public.credential_store.release_ca_info = (status_t (*) (credential_store_t*,const char*))release_ca_info; this->public.credential_store.create_cert_iterator = (iterator_t* (*) (credential_store_t*))create_cert_iterator; this->public.credential_store.create_auth_cert_iterator = (iterator_t* (*) (credential_store_t*))create_auth_cert_iterator; this->public.credential_store.create_cainfo_iterator = (iterator_t* (*) (credential_store_t*))create_cainfo_iterator; this->public.credential_store.load_ca_certificates = (void (*) (credential_store_t*))load_ca_certificates; + this->public.credential_store.load_aa_certificates = (void (*) (credential_store_t*))load_aa_certificates; + this->public.credential_store.load_attr_certificates = (void (*) (credential_store_t*))load_attr_certificates; this->public.credential_store.load_ocsp_certificates = (void (*) (credential_store_t*))load_ocsp_certificates; this->public.credential_store.load_crls = (void (*) (credential_store_t*))load_crls; this->public.credential_store.load_secrets = (void (*) (credential_store_t*))load_secrets; @@ -1357,7 +1488,6 @@ local_credential_store_t * local_credential_store_create(bool strict) this->certs = linked_list_create(); this->auth_certs = linked_list_create(); this->ca_infos = linked_list_create(); - this->strict = strict; return (&this->public); } diff --git a/src/charon/config/credentials/local_credential_store.h b/src/charon/config/credentials/local_credential_store.h index 88a94d6f9..87a12663a 100644 --- a/src/charon/config/credentials/local_credential_store.h +++ b/src/charon/config/credentials/local_credential_store.h @@ -54,11 +54,10 @@ struct local_credential_store_t { /** * @brief Creates a local_credential_store_t instance. * - * @param strict enforce a strict crl policy * @return credential store instance. * * @ingroup config */ -local_credential_store_t *local_credential_store_create(bool strict); +local_credential_store_t *local_credential_store_create(void); #endif /* LOCAL_CREDENTIAL_H_ */ diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c new file mode 100644 index 000000000..35f46a6b7 --- /dev/null +++ b/src/charon/config/ike_cfg.c @@ -0,0 +1,228 @@ +/** + * @file ike_cfg.c + * + * @brief Implementation of ike_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ike_cfg.h" + +#include <string.h> + + +typedef struct private_ike_cfg_t private_ike_cfg_t; + +/** + * Private data of an ike_cfg_t object + */ +struct private_ike_cfg_t { + + /** + * Public part + */ + ike_cfg_t public; + + /** + * Number of references hold by others to this ike_cfg + */ + refcount_t refcount; + + /** + * Address of local host + */ + host_t *my_host; + + /** + * Address of remote host + */ + host_t *other_host; + + /** + * should we send a certificate request? + */ + bool certreq; + + /** + * List of proposals to use + */ + linked_list_t *proposals; +}; + +/** + * Implementation of ike_cfg_t.certreq. + */ +static bool send_certreq(private_ike_cfg_t *this) +{ + return this->certreq; +} + +/** + * Implementation of ike_cfg_t.get_my_host. + */ +static host_t *get_my_host (private_ike_cfg_t *this) +{ + return this->my_host; +} + +/** + * Implementation of ike_cfg_t.get_other_host. + */ +static host_t *get_other_host (private_ike_cfg_t *this) +{ + return this->other_host; +} + +/** + * Implementation of ike_cfg_t.add_proposal. + */ +static void add_proposal(private_ike_cfg_t *this, proposal_t *proposal) +{ + this->proposals->insert_last(this->proposals, proposal); +} + +/** + * Implementation of ike_cfg_t.get_proposals. + */ +static linked_list_t* get_proposals(private_ike_cfg_t *this) +{ + iterator_t *iterator; + proposal_t *current; + linked_list_t *proposals = linked_list_create(); + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + current = current->clone(current); + proposals->insert_last(proposals, (void*)current); + } + iterator->destroy(iterator); + + return proposals; +} + +/** + * Implementation of ike_cfg_t.select_proposal. + */ +static proposal_t *select_proposal(private_ike_cfg_t *this, + linked_list_t *proposals) +{ + iterator_t *stored_iter, *supplied_iter; + proposal_t *stored, *supplied, *selected; + + stored_iter = this->proposals->create_iterator(this->proposals, TRUE); + supplied_iter = proposals->create_iterator(proposals, TRUE); + + /* compare all stored proposals with all supplied. Stored ones are preferred.*/ + while (stored_iter->iterate(stored_iter, (void**)&stored)) + { + supplied_iter->reset(supplied_iter); + + while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) + { + selected = stored->select(stored, supplied); + if (selected) + { + /* they match, return */ + stored_iter->destroy(stored_iter); + supplied_iter->destroy(supplied_iter); + return selected; + } + } + } + /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ + stored_iter->destroy(stored_iter); + supplied_iter->destroy(supplied_iter); + + return NULL; +} + +/** + * Implementation of ike_cfg_t.get_dh_group. + */ +static diffie_hellman_group_t get_dh_group(private_ike_cfg_t *this) +{ + iterator_t *iterator; + proposal_t *proposal; + algorithm_t *algo; + diffie_hellman_group_t dh_group = MODP_NONE; + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)&proposal)) + { + if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &algo)) + { + dh_group = algo->algorithm; + break; + } + } + iterator->destroy(iterator); + return dh_group; +} + +/** + * Implementation of ike_cfg_t.get_ref. + */ +static void get_ref(private_ike_cfg_t *this) +{ + ref_get(&this->refcount); +} + +/** + * Implementation of ike_cfg_t.destroy. + */ +static void destroy(private_ike_cfg_t *this) +{ + if (ref_put(&this->refcount)) + { + this->proposals->destroy_offset(this->proposals, + offsetof(proposal_t, destroy)); + this->my_host->destroy(this->my_host); + this->other_host->destroy(this->other_host); + free(this); + } +} + +/** + * Described in header. + */ +ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host) +{ + private_ike_cfg_t *this = malloc_thing(private_ike_cfg_t); + + /* public functions */ + this->public.send_certreq = (bool(*)(ike_cfg_t*))send_certreq; + this->public.get_my_host = (host_t*(*)(ike_cfg_t*))get_my_host; + this->public.get_other_host = (host_t*(*)(ike_cfg_t*))get_other_host; + this->public.add_proposal = (void(*)(ike_cfg_t*, proposal_t*)) add_proposal; + this->public.get_proposals = (linked_list_t*(*)(ike_cfg_t*))get_proposals; + this->public.select_proposal = (proposal_t*(*)(ike_cfg_t*,linked_list_t*))select_proposal; + this->public.get_dh_group = (diffie_hellman_group_t(*)(ike_cfg_t*)) get_dh_group; + this->public.get_ref = (void(*)(ike_cfg_t*))get_ref; + this->public.destroy = (void(*)(ike_cfg_t*))destroy; + + /* private variables */ + this->refcount = 1; + this->certreq = certreq; + this->my_host = my_host; + this->other_host = other_host; + + this->proposals = linked_list_create(); + + return &this->public; +} diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h new file mode 100644 index 000000000..bcdc90d9e --- /dev/null +++ b/src/charon/config/ike_cfg.h @@ -0,0 +1,151 @@ +/** + * @file ike_cfg.h + * + * @brief Interface of ike_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef IKE_CFG_H_ +#define IKE_CFG_H_ + +typedef struct ike_cfg_t ike_cfg_t; + +#include <library.h> +#include <utils/host.h> +#include <utils/linked_list.h> +#include <utils/identification.h> +#include <config/proposal.h> +#include <crypto/diffie_hellman.h> + +/** + * @brief An ike_cfg_t defines the rules to set up an IKE_SA. + * + * @see peer_cfg_t to get an overview over the configurations. + * + * @b Constructors: + * - ike_cfg_create() + * + * @ingroup config + */ +struct ike_cfg_t { + + /** + * @brief Get own address. + * + * @param this calling object + * @return host information as host_t object + */ + host_t* (*get_my_host) (ike_cfg_t *this); + + /** + * @brief Get peers address. + * + * @param this calling object + * @return host information as host_t object + */ + host_t* (*get_other_host) (ike_cfg_t *this); + + /** + * @brief Adds a proposal to the list. + * + * The first added proposal has the highest priority, the last + * added the lowest. + * + * @param this calling object + * @param proposal proposal to add + */ + void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal); + + /** + * @brief Returns a list of all supported proposals. + * + * Returned list and its proposals must be destroyed after use. + * + * @param this calling object + * @return list containing all the proposals + */ + linked_list_t* (*get_proposals) (ike_cfg_t *this); + + /** + * @brief Select a proposed from suggested proposals. + * + * Returned proposal must be destroyed after use. + * + * @param this calling object + * @param proposals list of proposals to select from + * @return selected proposal, or NULL if none matches. + */ + proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals); + + /** + * @brief Should we send a certificate request in IKE_SA_INIT? + * + * @param this calling object + * @return certificate request sending policy + */ + bool (*send_certreq) (ike_cfg_t *this); + + /** + * @brief Get the DH group to use for IKE_SA setup. + * + * @param this calling object + * @return dh group to use for initialization + */ + diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this); + + /** + * @brief Get a new reference to this ike_cfg. + * + * Get a new reference to this ike_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (ike_cfg_t *this); + + /** + * @brief Destroys a ike_cfg_t object. + * + * Decrements the internal reference counter and + * destroys the ike_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (ike_cfg_t *this); +}; + +/** + * @brief Creates a ike_cfg_t object. + * + * Supplied hosts become owned by ike_cfg, the name gets cloned. + * + * @param name ike_cfg identifier + * @param certreq TRUE to send a certificate request + * @param my_host host_t representing local address + * @param other_host host_t representing remote address + * @return ike_cfg_t object. + * + * @ingroup config + */ +ike_cfg_t *ike_cfg_create(bool certreq, host_t *my_host, host_t *other_host); + +#endif /* IKE_CFG_H_ */ diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c new file mode 100644 index 000000000..1d9176e0d --- /dev/null +++ b/src/charon/config/peer_cfg.c @@ -0,0 +1,479 @@ +/** + * @file peer_cfg.c + * + * @brief Implementation of peer_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <string.h> +#include <pthread.h> + +#include "peer_cfg.h" + +#include <utils/linked_list.h> +#include <utils/identification.h> + +ENUM(cert_policy_names, CERT_ALWAYS_SEND, CERT_NEVER_SEND, + "CERT_ALWAYS_SEND", + "CERT_SEND_IF_ASKED", + "CERT_NEVER_SEND" +); + +ENUM(dpd_action_names, DPD_NONE, DPD_RESTART, + "DPD_NONE", + "DPD_CLEAR", + "DPD_ROUTE", + "DPD_RESTART" +); + +typedef struct private_peer_cfg_t private_peer_cfg_t; + +/** + * Private data of an peer_cfg_t object + */ +struct private_peer_cfg_t { + + /** + * Public part + */ + peer_cfg_t public; + + /** + * Number of references hold by others to this peer_cfg + */ + refcount_t refcount; + + /** + * Name of the peer_cfg, used to query it + */ + char *name; + + /** + * IKE version to use for initiation + */ + u_int ike_version; + + /** + * IKE config associated to this peer config + */ + ike_cfg_t *ike_cfg; + + /** + * list of child configs associated to this peer config + */ + linked_list_t *child_cfgs; + + /** + * mutex to lock access to list of child_cfgs + */ + pthread_mutex_t mutex; + + /** + * id to use to identify us + */ + identification_t *my_id; + + /** + * allowed id for other + */ + identification_t *other_id; + + /** + * we have a cert issued by this CA + */ + identification_t *my_ca; + + /** + * we require the other end to have a cert issued by this CA + */ + identification_t *other_ca; + + /** + * should we send a certificate + */ + cert_policy_t cert_policy; + + /** + * Method to use for own authentication data + */ + auth_method_t auth_method; + + /** + * EAP type to use for peer authentication + */ + eap_type_t eap_type; + + /** + * number of tries after giving up if peer does not respond + */ + u_int32_t keyingtries; + + /** + * user reauthentication instead of rekeying + */ + bool use_reauth; + + /** + * Time before an SA gets invalid + */ + u_int32_t lifetime; + + /** + * Time before an SA gets rekeyed + */ + u_int32_t rekeytime; + + /** + * Time, which specifies the range of a random value + * substracted from lifetime. + */ + u_int32_t jitter; + + /** + * What to do with an SA when other peer seams to be dead? + */ + bool dpd_delay; + + /** + * What to do with CHILDren when other peer seams to be dead? + */ + bool dpd_action; + + /** + * virtual IP to use locally + */ + host_t *my_virtual_ip; + + /** + * virtual IP to use remotly + */ + host_t *other_virtual_ip; +}; + +/** + * Implementation of peer_cfg_t.get_name + */ +static char *get_name(private_peer_cfg_t *this) +{ + return this->name; +} + +/** + * Implementation of peer_cfg_t.get_ike_version + */ +static u_int get_ike_version(private_peer_cfg_t *this) +{ + return this->ike_version; +} + +/** + * Implementation of peer_cfg_t.get_ike_cfg + */ +static ike_cfg_t* get_ike_cfg(private_peer_cfg_t *this) +{ + return this->ike_cfg; +} + +/** + * Implementation of peer_cfg_t.add_child_cfg. + */ +static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg) +{ + pthread_mutex_lock(&this->mutex); + this->child_cfgs->insert_last(this->child_cfgs, child_cfg); + pthread_mutex_unlock(&this->mutex); +} + +/** + * Implementation of peer_cfg_t.create_child_cfg_iterator. + */ +static iterator_t* create_child_cfg_iterator(private_peer_cfg_t *this) +{ + return this->child_cfgs->create_iterator_locked(this->child_cfgs, + &this->mutex); +} + +/** + * Check if child_cfg contains traffic selectors + */ +static bool contains_ts(child_cfg_t *child, bool mine, linked_list_t *ts, + host_t *host) +{ + linked_list_t *selected; + bool contains = FALSE; + + selected = child->get_traffic_selectors(child, mine, ts, host); + contains = selected->get_count(selected); + selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); + return contains; +} + +/** + * Implementation of peer_cfg_t.select_child_cfg + */ +static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, + linked_list_t *my_ts, + linked_list_t *other_ts, + host_t *my_host, host_t *other_host) +{ + child_cfg_t *current, *found = NULL; + iterator_t *iterator; + + iterator = create_child_cfg_iterator(this); + while (iterator->iterate(iterator, (void**)¤t)) + { + if (contains_ts(current, TRUE, my_ts, my_host) && + contains_ts(current, FALSE, other_ts, other_host)) + { + found = current; + found->get_ref(found); + break; + } + } + iterator->destroy(iterator); + return found; +} + +/** + * Implementation of peer_cfg_t.get_my_id + */ +static identification_t *get_my_id(private_peer_cfg_t *this) +{ + return this->my_id; +} + +/** + * Implementation of peer_cfg_t.get_other_id + */ +static identification_t *get_other_id(private_peer_cfg_t *this) +{ + return this->other_id; +} + +/** + * Implementation of peer_cfg_t.get_my_ca + */ +static identification_t *get_my_ca(private_peer_cfg_t *this) +{ + return this->my_ca; +} + +static identification_t *get_other_ca(private_peer_cfg_t *this) +{ + return this->other_ca; +} + +/** + * Implementation of peer_cfg_t.get_cert_policy. + */ +static cert_policy_t get_cert_policy(private_peer_cfg_t *this) +{ + return this->cert_policy; +} + +/** + * Implementation of connection_t.auth_method_t. + */ +static auth_method_t get_auth_method(private_peer_cfg_t *this) +{ + return this->auth_method; +} + +/** + * Implementation of connection_t.get_eap_type. + */ +static eap_type_t get_eap_type(private_peer_cfg_t *this) +{ + return this->eap_type; +} + +/** + * Implementation of connection_t.get_keyingtries. + */ +static u_int32_t get_keyingtries(private_peer_cfg_t *this) +{ + return this->keyingtries; +} + +/** + * Implementation of peer_cfg_t.get_soft_lifetime + */ +static u_int32_t get_lifetime(private_peer_cfg_t *this, bool rekey) +{ + if (rekey) + { + if (this->jitter == 0) + { + return this->rekeytime; + } + return this->rekeytime - (random() % this->jitter); + } + return this->lifetime; +} + +/** + * Implementation of peer_cfg_t.use_reauth. + */ +static bool use_reauth(private_peer_cfg_t *this, bool rekey) +{ + return this->use_reauth; +} + +/** + * Implements peer_cfg_t.get_dpd_delay + */ +static u_int32_t get_dpd_delay(private_peer_cfg_t *this) +{ + return this->dpd_delay; +} + +/** + * Implements peer_cfg_t.get_dpd_action + */ +static dpd_action_t get_dpd_action(private_peer_cfg_t *this) +{ + return this->dpd_action; +} + +/** + * Implementation of peer_cfg_t.get_my_virtual_ip. + */ +static host_t* get_my_virtual_ip(private_peer_cfg_t *this) +{ + if (this->my_virtual_ip == NULL) + { + return NULL; + } + return this->my_virtual_ip->clone(this->my_virtual_ip); +} + +/** + * Implementation of peer_cfg_t.get_other_virtual_ip. + */ +static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion) +{ + if (this->other_virtual_ip == NULL) + { /* disallow */ + return NULL; + } + if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip)) + { /* force own configuration */ + return this->other_virtual_ip->clone(this->other_virtual_ip); + } + if (suggestion == NULL || suggestion->is_anyaddr(suggestion)) + { + return NULL; + } + return suggestion->clone(suggestion); +} + +/** + * Implements peer_cfg_t.get_ref. + */ +static void get_ref(private_peer_cfg_t *this) +{ + ref_get(&this->refcount); +} + +/** + * Implements peer_cfg_t.destroy. + */ +static void destroy(private_peer_cfg_t *this) +{ + if (ref_put(&this->refcount)) + { + this->ike_cfg->destroy(this->ike_cfg); + this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy)); + this->my_id->destroy(this->my_id); + this->other_id->destroy(this->other_id); + DESTROY_IF(this->my_ca); + DESTROY_IF(this->other_ca); + + DESTROY_IF(this->my_virtual_ip); + DESTROY_IF(this->other_virtual_ip); + free(this->name); + free(this); + } +} + +/* + * Described in header-file + */ +peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, + identification_t *my_id, identification_t *other_id, + identification_t *my_ca, identification_t *other_ca, + cert_policy_t cert_policy, auth_method_t auth_method, + eap_type_t eap_type, u_int32_t keyingtries, + u_int32_t lifetime, u_int32_t rekeytime, + u_int32_t jitter, bool reauth, + u_int32_t dpd_delay, dpd_action_t dpd_action, + host_t *my_virtual_ip, host_t *other_virtual_ip) +{ + private_peer_cfg_t *this = malloc_thing(private_peer_cfg_t); + + /* public functions */ + this->public.get_name = (char* (*) (peer_cfg_t *))get_name; + this->public.get_ike_version = (u_int(*) (peer_cfg_t *))get_ike_version; + this->public.get_ike_cfg = (ike_cfg_t* (*) (peer_cfg_t *))get_ike_cfg; + this->public.add_child_cfg = (void (*) (peer_cfg_t *, child_cfg_t*))add_child_cfg; + this->public.create_child_cfg_iterator = (iterator_t* (*) (peer_cfg_t *))create_child_cfg_iterator; + this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg; + this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id; + this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; + this->public.get_my_ca = (identification_t* (*)(peer_cfg_t *))get_my_ca; + this->public.get_other_ca = (identification_t* (*)(peer_cfg_t *))get_other_ca; + this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; + this->public.get_auth_method = (auth_method_t (*) (peer_cfg_t *))get_auth_method; + this->public.get_eap_type = (eap_type_t (*) (peer_cfg_t *))get_eap_type; + this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries; + this->public.get_lifetime = (u_int32_t (*) (peer_cfg_t *, bool rekey))get_lifetime; + this->public.use_reauth = (bool (*) (peer_cfg_t *))use_reauth; + this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay; + this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action; + this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip; + this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip; + this->public.get_ref = (void(*)(peer_cfg_t *))get_ref; + this->public.destroy = (void(*)(peer_cfg_t *))destroy; + + /* apply init values */ + this->name = strdup(name); + this->ike_version = ike_version; + this->ike_cfg = ike_cfg; + this->child_cfgs = linked_list_create(); + pthread_mutex_init(&this->mutex, NULL); + this->my_id = my_id; + this->other_id = other_id; + this->my_ca = my_ca; + this->other_ca = other_ca; + this->cert_policy = cert_policy; + this->auth_method = auth_method; + this->eap_type = eap_type; + this->keyingtries = keyingtries; + this->lifetime = lifetime; + this->rekeytime = rekeytime; + this->jitter = jitter; + this->use_reauth = reauth; + this->dpd_delay = dpd_delay; + this->dpd_action = dpd_action; + this->my_virtual_ip = my_virtual_ip; + this->other_virtual_ip = other_virtual_ip; + this->refcount = 1; + + return &this->public; +} diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h new file mode 100644 index 000000000..63c87674c --- /dev/null +++ b/src/charon/config/peer_cfg.h @@ -0,0 +1,368 @@ +/** + * @file peer_cfg.h + * + * @brief Interface of peer_cfg_t. + * + */ + +/* + * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005 Jan Hutter + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef PEER_CFG_H_ +#define PEER_CFG_H_ + +typedef enum dpd_action_t dpd_action_t; +typedef enum cert_policy_t cert_policy_t; +typedef struct peer_cfg_t peer_cfg_t; + +#include <library.h> +#include <utils/identification.h> +#include <config/traffic_selector.h> +#include <config/proposal.h> +#include <config/ike_cfg.h> +#include <config/child_cfg.h> +#include <sa/authenticators/authenticator.h> +#include <sa/authenticators/eap/eap_method.h> + +/** + * Certificate sending policy. This is also used for certificate + * requests when using this definition for the other peer. If + * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its + * included. + * + * @ingroup config + * + * @warning These definitions must be the same as in pluto/starter, + * as they are sent over the stroke socket. + */ +enum cert_policy_t { + /** always send certificates, even when not requested */ + CERT_ALWAYS_SEND = 0, + /** send certificate upon cert request */ + CERT_SEND_IF_ASKED = 1, + /** never send a certificate, even when requested */ + CERT_NEVER_SEND = 2, +}; + +/** + * enum strings for cert_policy_t + * + * @ingroup config + */ +extern enum_name_t *cert_policy_names; + +/** + * @brief Actions to take when a peer does not respond (dead peer detected). + * + * These values are the same as in pluto/starter, so do not modify them! + * + * @ingroup config + */ +enum dpd_action_t { + /** DPD disabled */ + DPD_NONE, + /** remove CHILD_SAs without replacement */ + DPD_CLEAR, + /** route the CHILD_SAs to resetup when needed */ + DPD_ROUTE, + /** restart CHILD_SAs in a new IKE_SA, immediately */ + DPD_RESTART, +}; + +/** + * enum names for dpd_action_t. + */ +extern enum_name_t *dpd_action_names; + +/** + * @brief Configuration of a peer, specified by IDs. + * + * The peer config defines a connection between two given IDs. It contains + * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains + * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. + * @verbatim + + +-------------------+ +---------------+ + +---------------+ | peer_cfg | +---------------+ | + | ike_cfg | +-------------------+ | child_cfg | | + +---------------+ | - ids | +---------------+ | + | - hosts | 1 1 | - cas | 1 n | - proposals | | + | - proposals |<------| - auth info |-------->| - traffic sel | | + | - ... | | - dpd config | | - ... |-+ + +---------------+ | - ... | +---------------+ + +-------------------+ + @endverbatim + * + * @b Constructors: + * - peer_cfg_create() + * + * @ingroup config + */ +struct peer_cfg_t { + + /** + * @brief Get the name of the peer_cfg. + * + * Returned object is not getting cloned. + * + * @param this calling object + * @return peer_cfg's name + */ + char* (*get_name) (peer_cfg_t *this); + + /** + * @brief Get the IKE version to use for initiating. + * + * @param this calling object + * @return IKE major version + */ + u_int (*get_ike_version)(peer_cfg_t *this); + + /** + * @brief Get the IKE config to use for initiaton. + * + * @param this calling object + * @return the IKE config to use + */ + ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this); + + /** + * @brief Attach a CHILD config. + * + * @param this calling object + * @param child_cfg CHILD config to add + */ + void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg); + + /** + * @brief Create an iterator for all attached CHILD configs. + * + * @param this calling object + * @return an iterator over all CHILD configs. + */ + iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this); + + /** + * @brief Select a CHILD config from traffic selectors. + * + * @param this calling object + * @param my_ts TS for local side + * @param other_ts TS for remote side + * @param my_host host to narrow down dynamic TS for local side + * @param other_host host to narrow down dynamic TS for remote side + * @return selected CHILD config, or NULL if no match found + */ + child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts, + linked_list_t *other_ts, host_t *my_host, + host_t *other_host); + + /** + * @brief Get own ID. + * + * @param this calling object + * @return own id + */ + identification_t* (*get_my_id)(peer_cfg_t *this); + + /** + * @brief Get peers ID. + * + * @param this calling object + * @return other id + */ + identification_t* (*get_other_id)(peer_cfg_t *this); + + /** + * @brief Get own CA. + * + * @param this calling object + * @return own ca + */ + identification_t* (*get_my_ca)(peer_cfg_t *this); + + /** + * @brief Get peers CA. + * + * @param this calling object + * @return other ca + */ + identification_t* (*get_other_ca)(peer_cfg_t *this); + + /** + * @brief Should be sent a certificate for this connection? + * + * @param this calling object + * @return certificate sending policy + */ + cert_policy_t (*get_cert_policy) (peer_cfg_t *this); + + /** + * @brief Get the authentication method to use to authenticate us. + * + * @param this calling object + * @return authentication method + */ + auth_method_t (*get_auth_method) (peer_cfg_t *this); + + /** + * @brief Get the EAP type to use for peer authentication. + * + * @param this calling object + * @return authentication method + */ + eap_type_t (*get_eap_type) (peer_cfg_t *this); + + /** + * @brief Get the max number of retries after timeout. + * + * @param this calling object + * @return max number retries + */ + u_int32_t (*get_keyingtries) (peer_cfg_t *this); + + /** + * @brief Get the lifetime of a IKE_SA. + * + * If "rekey" is set to TRUE, a lifetime is returned before the first + * rekeying should be started. If it is FALSE, the actual lifetime is + * returned when the IKE_SA must be deleted. + * The rekey time automatically contains a jitter to avoid simlutaneous + * rekeying. + * + * @param this child_config + * @param rekey TRUE to get rekey time + * @return lifetime in seconds + */ + u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey); + + /** + * @brief Should a full reauthentication be done instead of rekeying? + * + * @param this calling object + * @return TRUE to use full reauthentication + */ + bool (*use_reauth) (peer_cfg_t *this); + + /** + * @brief Get the DPD check interval. + * + * @param this calling object + * @return dpd_delay in seconds + */ + u_int32_t (*get_dpd_delay) (peer_cfg_t *this); + + /** + * @brief What should be done with a CHILD_SA, when other peer does not respond. + * + * @param this calling object + * @return dpd action + */ + dpd_action_t (*get_dpd_action) (peer_cfg_t *this); + + /** + * @brief Get a virtual IP for the local peer. + * + * If no virtual IP should be used, NULL is returned. %any means to request + * a virtual IP using configuration payloads. A specific address is also + * used for a request and may be changed by the server. + * + * @param this peer_cfg + * @param suggestion NULL, %any or specific + * @return clone of an IP, %any or NULL + */ + host_t* (*get_my_virtual_ip) (peer_cfg_t *this); + + /** + * @brief Get a virtual IP for the remote peer. + * + * An IP may be supplied, if one was requested by the initiator. However, + * the suggestion is not more as it says, any address may be returned, even + * NULL to not use virtual IPs. + * + * @param this peer_cfg + * @param suggestion NULL, %any or specific + * @return clone of an IP to use + */ + host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion); + + /** + * @brief Get a new reference. + * + * Get a new reference to this peer_cfg by increasing + * it's internal reference counter. + * Do not call get_ref or any other function until you + * already have a reference. Otherwise the object may get + * destroyed while calling get_ref(), + * + * @param this calling object + */ + void (*get_ref) (peer_cfg_t *this); + + /** + * @brief Destroys the peer_cfg object. + * + * Decrements the internal reference counter and + * destroys the peer_cfg when it reaches zero. + * + * @param this calling object + */ + void (*destroy) (peer_cfg_t *this); +}; + +/** + * @brief Create a configuration object for IKE_AUTH and later. + * + * name-string gets cloned, ID's not. + * Virtual IPs are used if they are != NULL. A %any host means the virtual + * IP should be obtained from the other peer. + * Lifetimes are in seconds. To prevent to peers to start rekeying at the + * same time, a jitter may be specified. Rekeying of an SA starts at + * (rekeylifetime - random(0, jitter)). + * + * @param name name of the peer_cfg + * @param ike_version which IKE version we sould use for this peer + * @param ike_cfg IKE config to use when acting as initiator + * @param my_id identification_t for ourselves + * @param other_id identification_t for the remote guy + * @param my_ca CA to use for us + * @param other_ca CA to use for other + * @param cert_policy should we send a certificate payload? + * @param auth_method auth method to use to authenticate us + * @param eap_type EAP type to use for peer authentication + * @param keyingtries how many keying tries should be done before giving up + * @param lifetime lifetime before deleting an SA + * @param rekeytime lifetime before rekeying an SA + * @param jitter range of random to substract from rekeytime + * @param use_reauth sould be done reauthentication instead of rekeying? + * @param dpd_delay after how many seconds of inactivity to check DPD + * @param dpd_action what to do with CHILD_SAs when detected a dead peer + * @param my_virtual_ip virtual IP for local host, or NULL + * @param other_virtual_ip virtual IP for remote host, or NULL + * @return peer_cfg_t object + * + * @ingroup config + */ +peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg, + identification_t *my_id, identification_t *other_id, + identification_t *my_ca, identification_t *other_ca, + cert_policy_t cert_policy, auth_method_t auth_method, + eap_type_t eap_type, u_int32_t keyingtries, + u_int32_t lifetime, u_int32_t rekeytime, + u_int32_t jitter, bool use_reauth, + u_int32_t dpd_delay, dpd_action_t dpd_action, + host_t *my_virtual_ip, host_t *other_virtual_ip); + +#endif /* PEER_CFG_H_ */ diff --git a/src/charon/config/policies/local_policy_store.c b/src/charon/config/policies/local_policy_store.c deleted file mode 100644 index dd22b43a0..000000000 --- a/src/charon/config/policies/local_policy_store.c +++ /dev/null @@ -1,282 +0,0 @@ -/** - * @file local_policy_store.c - * - * @brief Implementation of local_policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <string.h> - -#include "local_policy_store.h" - -#include <daemon.h> -#include <utils/linked_list.h> - - -typedef struct private_local_policy_store_t private_local_policy_store_t; - -/** - * Private data of an local_policy_store_t object - */ -struct private_local_policy_store_t { - - /** - * Public part - */ - local_policy_store_t public; - - /** - * list of policy_t's - */ - linked_list_t *policies; - - /** - * Mutex to exclusivly access list - */ - pthread_mutex_t mutex; -}; - -/** - * Implementation of policy_store_t.add_policy. - */ -static void add_policy(private_local_policy_store_t *this, policy_t *policy) -{ - pthread_mutex_lock(&(this->mutex)); - this->policies->insert_last(this->policies, (void*)policy); - pthread_mutex_unlock(&(this->mutex)); -} - -/** - * Check if a policy contains traffic selectors - */ -static bool contains_traffic_selectors(policy_t *policy, bool mine, - linked_list_t *ts, host_t *host) -{ - linked_list_t *selected; - bool contains = FALSE; - - if (mine) - { - selected = policy->select_my_traffic_selectors(policy, ts, host); - } - else - { - selected = policy->select_other_traffic_selectors(policy, ts, host); - } - if (selected->get_count(selected)) - { - contains = TRUE; - } - selected->destroy_offset(selected, offsetof(traffic_selector_t, destroy)); - return contains; -} - -/** - * Implementation of policy_store_t.get_policy. - */ -static policy_t *get_policy(private_local_policy_store_t *this, - identification_t *my_id, identification_t *other_id, - linked_list_t *my_ts, linked_list_t *other_ts, - host_t *my_host, host_t *other_host) -{ - typedef enum { - PRIO_UNDEFINED = 0x00, - PRIO_TS_MISMATCH = 0x01, - PRIO_ID_ANY = 0x02, - PRIO_ID_MATCH = PRIO_ID_ANY + MAX_WILDCARDS, - } prio_t; - - prio_t best_prio = PRIO_UNDEFINED; - - iterator_t *iterator; - policy_t *candidate; - policy_t *found = NULL; - traffic_selector_t *ts; - - DBG1(DBG_CFG, "searching policy for '%D'...'%D'", my_id, other_id); - iterator = my_ts->create_iterator(my_ts, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) - { - DBG1(DBG_CFG, " local TS: %R", ts); - } - iterator->destroy(iterator); - iterator = other_ts->create_iterator(other_ts, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) - { - DBG1(DBG_CFG, " remote TS: %R", ts); - } - iterator->destroy(iterator); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - - /* determine closest matching policy */ - while (iterator->iterate(iterator, (void**)&candidate)) - { - identification_t *candidate_my_id; - identification_t *candidate_other_id; - int wildcards; - - candidate_my_id = candidate->get_my_id(candidate); - candidate_other_id = candidate->get_other_id(candidate); - - /* my_id is either %any or if set must match exactly */ - if (candidate_my_id->matches(candidate_my_id, my_id, &wildcards)) - { - prio_t prio = PRIO_UNDEFINED; - - /* wildcard match for other_id */ - if (!other_id->matches(other_id, candidate_other_id, &wildcards)) - { - continue; - } - prio = PRIO_ID_MATCH - wildcards; - - /* only accept if traffic selectors match */ - if (!contains_traffic_selectors(candidate, TRUE, my_ts, my_host) || - !contains_traffic_selectors(candidate, FALSE, other_ts, other_host)) - { - DBG2(DBG_CFG, "candidate '%s' inacceptable due traffic " - "selector mismatch", candidate->get_name(candidate)); - prio = PRIO_TS_MISMATCH; - } - - DBG2(DBG_CFG, "candidate policy '%s': '%D'...'%D' (prio=%d)", - candidate->get_name(candidate), - candidate_my_id, candidate_other_id, prio); - - if (prio > best_prio) - { - found = candidate; - best_prio = prio; - } - } - } - iterator->destroy(iterator); - - if (found) - { - DBG1(DBG_CFG, "found matching policy '%s': '%D'...'%D' (prio=%d)", - found->get_name(found), found->get_my_id(found), - found->get_other_id(found), best_prio); - /* give out a new reference to it */ - found->get_ref(found); - } - pthread_mutex_unlock(&(this->mutex)); - return found; -} - -/** - * Implementation of policy_store_t.get_policy_by_name. - */ -static policy_t *get_policy_by_name(private_local_policy_store_t *this, char *name) -{ - iterator_t *iterator; - policy_t *current, *found = NULL; - - DBG2(DBG_CFG, "looking for policy '%s'", name); - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - found = current; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - - /* give out a new reference */ - found->get_ref(found); - return found; -} - -/** - * Implementation of policy_store_t.delete_policy. - */ -static status_t delete_policy(private_local_policy_store_t *this, char *name) -{ - iterator_t *iterator; - policy_t *current; - bool found = FALSE; - - pthread_mutex_lock(&(this->mutex)); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void **)¤t)) - { - if (strcmp(current->get_name(current), name) == 0) - { - /* remove policy from list, and destroy it */ - iterator->remove(iterator); - current->destroy(current); - found = TRUE; - /* we do not break here, as there may be multipe policies */ - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&(this->mutex)); - if (found) - { - return SUCCESS; - } - return NOT_FOUND; -} - -/** - * Implementation of policy_store_t.create_iterator. - */ -static iterator_t* create_iterator(private_local_policy_store_t *this) -{ - return this->policies->create_iterator_locked(this->policies, - &this->mutex); -} - -/** - * Implementation of policy_store_t.destroy. - */ -static void destroy(private_local_policy_store_t *this) -{ - pthread_mutex_lock(&(this->mutex)); - this->policies->destroy_offset(this->policies, offsetof(policy_t, destroy)); - pthread_mutex_unlock(&(this->mutex)); - free(this); -} - -/** - * Described in header. - */ -local_policy_store_t *local_policy_store_create(void) -{ - private_local_policy_store_t *this = malloc_thing(private_local_policy_store_t); - - this->public.policy_store.add_policy = (void (*) (policy_store_t*,policy_t*))add_policy; - this->public.policy_store.get_policy = (policy_t* (*) (policy_store_t*,identification_t*,identification_t*, - linked_list_t*,linked_list_t*,host_t*,host_t*))get_policy; - this->public.policy_store.get_policy_by_name = (policy_t* (*) (policy_store_t*,char*))get_policy_by_name; - this->public.policy_store.delete_policy = (status_t (*) (policy_store_t*,char*))delete_policy; - this->public.policy_store.create_iterator = (iterator_t* (*) (policy_store_t*))create_iterator; - this->public.policy_store.destroy = (void (*) (policy_store_t*))destroy; - - /* private variables */ - this->policies = linked_list_create(); - pthread_mutex_init(&(this->mutex), NULL); - - return (&this->public); -} diff --git a/src/charon/config/policies/local_policy_store.h b/src/charon/config/policies/local_policy_store.h deleted file mode 100644 index 01d5d2d60..000000000 --- a/src/charon/config/policies/local_policy_store.h +++ /dev/null @@ -1,60 +0,0 @@ -/** - * @file local_policy_store.h - * - * @brief Interface of local_policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef LOCAL_POLICY_STORE_H_ -#define LOCAL_POLICY_STORE_H_ - -typedef struct local_policy_store_t local_policy_store_t; - -#include <library.h> -#include <config/policies/policy_store.h> - - -/** - * @brief A policy_store_t implementation using a simple policy lists. - * - * The local_policy_store_t class implements the policy_store_t interface - * as simple as possible. The policies are stored in a in-memory list. - * - * @b Constructors: - * - local_policy_store_create() - * - * @ingroup config - */ -struct local_policy_store_t { - - /** - * Implements policy_store_t interface - */ - policy_store_t policy_store; -}; - -/** - * @brief Creates a local_policy_store_t instance. - * - * @return policy store instance. - * - * @ingroup config - */ -local_policy_store_t *local_policy_store_create(void); - -#endif /* LOCAL_POLICY_STORE_H_ */ diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c deleted file mode 100644 index 363d1609f..000000000 --- a/src/charon/config/policies/policy.c +++ /dev/null @@ -1,635 +0,0 @@ -/** - * @file policy.c - * - * @brief Implementation of policy_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <time.h> -#include <string.h> -#include <unistd.h> - -#include "policy.h" - -#include <daemon.h> -#include <utils/linked_list.h> -#include <utils/identification.h> - -ENUM(dpd_action_names, DPD_NONE, DPD_RESTART, - "DPD_NONE", - "DPD_CLEAR", - "DPD_ROUTE", - "DPD_RESTART" -); - -ENUM(mode_names, MODE_TRANSPORT, MODE_BEET, - "TRANSPORT", - "TUNNEL", - "2", - "3", - "BEET" -); - -typedef struct private_policy_t private_policy_t; - -/** - * Private data of an policy_t object - */ -struct private_policy_t { - - /** - * Public part - */ - policy_t public; - - /** - * Number of references hold by others to this policy - */ - refcount_t refcount; - - /** - * Name of the policy, used to query it - */ - char *name; - - /** - * id to use to identify us - */ - identification_t *my_id; - - /** - * allowed id for other - */ - identification_t *other_id; - - /** - * virtual IP to use locally - */ - host_t *my_virtual_ip; - - /** - * virtual IP to use remotly - */ - host_t *other_virtual_ip; - - /** - * Method to use for own authentication data - */ - auth_method_t auth_method; - - /** - * EAP type to use for peer authentication - */ - eap_type_t eap_type; - - /** - * we have a cert issued by this CA - */ - identification_t *my_ca; - - /** - * we require the other end to have a cert issued by this CA - */ - identification_t *other_ca; - - /** - * updown script - */ - char *updown; - - /** - * allow host access - */ - bool hostaccess; - - /** - * list for all proposals - */ - linked_list_t *proposals; - - /** - * list for traffic selectors for my site - */ - linked_list_t *my_ts; - - /** - * list for traffic selectors for others site - */ - linked_list_t *other_ts; - - /** - * Time before an SA gets invalid - */ - u_int32_t soft_lifetime; - - /** - * Time before an SA gets rekeyed - */ - u_int32_t hard_lifetime; - - /** - * Time, which specifies the range of a random value - * substracted from soft_lifetime. - */ - u_int32_t jitter; - - /** - * What to do with an SA when other peer seams to be dead? - */ - bool dpd_action; - - /** - * Mode to propose for a initiated CHILD: tunnel/transport - */ - mode_t mode; -}; - -/** - * Implementation of policy_t.get_name - */ -static char *get_name(private_policy_t *this) -{ - return this->name; -} - -/** - * Implementation of policy_t.get_my_id - */ -static identification_t *get_my_id(private_policy_t *this) -{ - return this->my_id; -} - -/** - * Implementation of policy_t.get_other_id - */ -static identification_t *get_other_id(private_policy_t *this) -{ - return this->other_id; -} - -/** - * Implementation of policy_t.get_my_ca - */ -static identification_t *get_my_ca(private_policy_t *this) -{ - return this->my_ca; -} - -/** - * Implementation of policy_t.get_other_ca - */ -static identification_t *get_other_ca(private_policy_t *this) -{ - return this->other_ca; -} - -/** - * Implementation of connection_t.auth_method_t. - */ -static auth_method_t get_auth_method(private_policy_t *this) -{ - return this->auth_method; -} - -/** - * Implementation of connection_t.get_eap_type. - */ -static eap_type_t get_eap_type(private_policy_t *this) -{ - return this->eap_type; -} - -/** - * Get traffic selectors, with wildcard-address update - */ -static linked_list_t *get_traffic_selectors(private_policy_t *this, - linked_list_t *list, host_t *host) -{ - iterator_t *iterator; - traffic_selector_t *current; - linked_list_t *result = linked_list_create(); - - iterator = list->create_iterator(list, TRUE); - - while (iterator->iterate(iterator, (void**)¤t)) - { - /* we make a copy of the TS, this allows us to update wildcard - * addresses in it. We won't pollute the shared policy. */ - current = current->clone(current); - if (host) - { - current->set_address(current, host); - } - - result->insert_last(result, (void*)current); - } - iterator->destroy(iterator); - return result; -} - -/** - * Implementation of policy_t.get_my_traffic_selectors - */ -static linked_list_t *get_my_traffic_selectors(private_policy_t *this, host_t *me) -{ - return get_traffic_selectors(this, this->my_ts, me); -} - -/** - * Implementation of policy_t.get_other_traffic_selectors - */ -static linked_list_t *get_other_traffic_selectors(private_policy_t *this, host_t *other) -{ - return get_traffic_selectors(this, this->other_ts, other); -} - -/** - * Narrow traffic selectors, with wildcard-address update in "stored". - */ -static linked_list_t *select_traffic_selectors(private_policy_t *this, - linked_list_t *stored, - linked_list_t *supplied, - host_t *host) -{ - iterator_t *supplied_iter, *stored_iter, *i1, *i2; - traffic_selector_t *supplied_ts, *stored_ts, *selected_ts, *ts1, *ts2; - linked_list_t *selected = linked_list_create(); - - DBG2(DBG_CFG, "selecting traffic selectors"); - - stored_iter = stored->create_iterator(stored, TRUE); - supplied_iter = supplied->create_iterator(supplied, TRUE); - - /* iterate over all stored selectors */ - while (stored_iter->iterate(stored_iter, (void**)&stored_ts)) - { - /* we make a copy of the TS, this allows us to update wildcard - * addresses in it. We won't pollute the shared policy. */ - stored_ts = stored_ts->clone(stored_ts); - if (host) - { - stored_ts->set_address(stored_ts, host); - } - - supplied_iter->reset(supplied_iter); - /* iterate over all supplied traffic selectors */ - while (supplied_iter->iterate(supplied_iter, (void**)&supplied_ts)) - { - DBG2(DBG_CFG, "stored %R <=> %R received", - stored_ts, supplied_ts); - - selected_ts = stored_ts->get_subset(stored_ts, supplied_ts); - if (selected_ts) - { - /* got a match, add to list */ - selected->insert_last(selected, (void*)selected_ts); - - DBG2(DBG_CFG, "found traffic selector for %s: %R", - stored == this->my_ts ? "us" : "other", selected_ts); - } - } - stored_ts->destroy(stored_ts); - } - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - /* remove any redundant traffic selectors in the list */ - i1 = selected->create_iterator(selected, TRUE); - i2 = selected->create_iterator(selected, TRUE); - while (i1->iterate(i1, (void**)&ts1)) - { - while (i2->iterate(i2, (void**)&ts2)) - { - if (ts1 != ts2) - { - if (ts2->is_contained_in(ts2, ts1)) - { - i2->remove(i2); - ts2->destroy(ts2); - i1->reset(i1); - break; - } - if (ts1->is_contained_in(ts1, ts2)) - { - i1->remove(i1); - ts1->destroy(ts1); - i2->reset(i2); - break; - } - } - } - } - i1->destroy(i1); - i2->destroy(i2); - - return selected; -} - -/** - * Implementation of private_policy_t.select_my_traffic_selectors - */ -static linked_list_t *select_my_traffic_selectors(private_policy_t *this, - linked_list_t *supplied, - host_t *me) -{ - return select_traffic_selectors(this, this->my_ts, supplied, me); -} - -/** - * Implementation of private_policy_t.select_other_traffic_selectors - */ -static linked_list_t *select_other_traffic_selectors(private_policy_t *this, - linked_list_t *supplied, - host_t* other) -{ - return select_traffic_selectors(this, this->other_ts, supplied, other); -} - -/** - * Implementation of policy_t.get_proposal_iterator - */ -static linked_list_t *get_proposals(private_policy_t *this) -{ - iterator_t *iterator; - proposal_t *current; - linked_list_t *proposals = linked_list_create(); - - iterator = this->proposals->create_iterator(this->proposals, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - current = current->clone(current); - proposals->insert_last(proposals, (void*)current); - } - iterator->destroy(iterator); - - return proposals; -} - -/** - * Implementation of policy_t.select_proposal - */ -static proposal_t *select_proposal(private_policy_t *this, linked_list_t *proposals) -{ - iterator_t *stored_iter, *supplied_iter; - proposal_t *stored, *supplied, *selected; - - stored_iter = this->proposals->create_iterator(this->proposals, TRUE); - supplied_iter = proposals->create_iterator(proposals, TRUE); - - /* compare all stored proposals with all supplied. Stored ones are preferred. */ - while (stored_iter->iterate(stored_iter, (void**)&stored)) - { - supplied_iter->reset(supplied_iter); - while (supplied_iter->iterate(supplied_iter, (void**)&supplied)) - { - selected = stored->select(stored, supplied); - if (selected) - { - /* they match, return */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - return selected; - } - } - } - - /* no proposal match :-(, will result in a NO_PROPOSAL_CHOSEN... */ - stored_iter->destroy(stored_iter); - supplied_iter->destroy(supplied_iter); - - return NULL; -} - -/** - * Implementation of policy_t.add_authorities - */ -static void add_authorities(private_policy_t *this, identification_t *my_ca, identification_t *other_ca) -{ - this->my_ca = my_ca; - this->other_ca = other_ca; -} - -/** - * Implementation of policy_t.get_updown - */ -static char* get_updown(private_policy_t *this) -{ - return this->updown; -} - -/** - * Implementation of policy_t.get_hostaccess - */ -static bool get_hostaccess(private_policy_t *this) -{ - return this->hostaccess; -} - -/** - * Implements policy_t.get_dpd_action - */ -static dpd_action_t get_dpd_action(private_policy_t *this) -{ - return this->dpd_action; -} - -/** - * Implementation of policy_t.add_my_traffic_selector - */ -static void add_my_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector) -{ - this->my_ts->insert_last(this->my_ts, (void*)traffic_selector); -} - -/** - * Implementation of policy_t.add_other_traffic_selector - */ -static void add_other_traffic_selector(private_policy_t *this, traffic_selector_t *traffic_selector) -{ - this->other_ts->insert_last(this->other_ts, (void*)traffic_selector); -} - -/** - * Implementation of policy_t.add_proposal - */ -static void add_proposal(private_policy_t *this, proposal_t *proposal) -{ - this->proposals->insert_last(this->proposals, (void*)proposal); -} - -/** - * Implementation of policy_t.get_soft_lifetime - */ -static u_int32_t get_soft_lifetime(private_policy_t *this) -{ - if (this->jitter == 0) - { - return this->soft_lifetime ; - } - return this->soft_lifetime - (random() % this->jitter); -} - -/** - * Implementation of policy_t.get_hard_lifetime - */ -static u_int32_t get_hard_lifetime(private_policy_t *this) -{ - return this->hard_lifetime; -} - -/** - * Implementation of policy_t.get_mode. - */ -static mode_t get_mode(private_policy_t *this) -{ - return this->mode; -} - -/** - * Implementation of policy_t.get_virtual_ip. - */ -static host_t* get_virtual_ip(private_policy_t *this, host_t *suggestion) -{ - if (suggestion == NULL) - { - if (this->my_virtual_ip) - { - return this->my_virtual_ip->clone(this->my_virtual_ip); - } - return NULL; - } - if (this->other_virtual_ip) - { - return this->other_virtual_ip->clone(this->other_virtual_ip); - } - if (suggestion->is_anyaddr(suggestion)) - { - return NULL; - } - return suggestion->clone(suggestion); -} - -/** - * Implements policy_t.get_ref. - */ -static void get_ref(private_policy_t *this) -{ - ref_get(&this->refcount); -} - -/** - * Implements policy_t.destroy. - */ -static void destroy(private_policy_t *this) -{ - if (ref_put(&this->refcount)) - { - - this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy)); - this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy)); - this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy)); - - /* delete certification authorities */ - DESTROY_IF(this->my_ca); - DESTROY_IF(this->other_ca); - - /* delete updown script */ - if (this->updown) - { - free(this->updown); - } - - /* delete ids */ - this->my_id->destroy(this->my_id); - this->other_id->destroy(this->other_id); - DESTROY_IF(this->my_virtual_ip); - DESTROY_IF(this->other_virtual_ip); - - free(this->name); - free(this); - } -} - -/* - * Described in header-file - */ -policy_t *policy_create(char *name, identification_t *my_id, identification_t *other_id, - host_t *my_virtual_ip, host_t *other_virtual_ip, - auth_method_t auth_method, eap_type_t eap_type, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter, char *updown, bool hostaccess, - mode_t mode, dpd_action_t dpd_action) -{ - private_policy_t *this = malloc_thing(private_policy_t); - - /* public functions */ - this->public.get_name = (char* (*) (policy_t*))get_name; - this->public.get_my_id = (identification_t* (*) (policy_t*))get_my_id; - this->public.get_other_id = (identification_t* (*) (policy_t*))get_other_id; - this->public.get_my_ca = (identification_t* (*) (policy_t*))get_my_ca; - this->public.get_other_ca = (identification_t* (*) (policy_t*))get_other_ca; - this->public.get_auth_method = (auth_method_t (*) (policy_t*)) get_auth_method; - this->public.get_eap_type = (eap_type_t (*) (policy_t*)) get_eap_type; - this->public.get_my_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_my_traffic_selectors; - this->public.get_other_traffic_selectors = (linked_list_t* (*) (policy_t*,host_t*))get_other_traffic_selectors; - this->public.select_my_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_my_traffic_selectors; - this->public.select_other_traffic_selectors = (linked_list_t* (*) (policy_t*,linked_list_t*,host_t*))select_other_traffic_selectors; - this->public.get_proposals = (linked_list_t* (*) (policy_t*))get_proposals; - this->public.select_proposal = (proposal_t* (*) (policy_t*,linked_list_t*))select_proposal; - this->public.add_my_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_my_traffic_selector; - this->public.add_other_traffic_selector = (void (*) (policy_t*,traffic_selector_t*))add_other_traffic_selector; - this->public.add_proposal = (void (*) (policy_t*,proposal_t*))add_proposal; - this->public.add_authorities = (void (*) (policy_t*,identification_t*,identification_t*))add_authorities; - this->public.get_updown = (char* (*) (policy_t*))get_updown; - this->public.get_hostaccess = (bool (*) (policy_t*))get_hostaccess; - this->public.get_dpd_action = (dpd_action_t (*) (policy_t*))get_dpd_action; - this->public.get_soft_lifetime = (u_int32_t (*) (policy_t *))get_soft_lifetime; - this->public.get_hard_lifetime = (u_int32_t (*) (policy_t *))get_hard_lifetime; - this->public.get_mode = (mode_t (*) (policy_t *))get_mode; - this->public.get_virtual_ip = (host_t* (*)(policy_t*,host_t*))get_virtual_ip; - this->public.get_ref = (void (*) (policy_t*))get_ref; - this->public.destroy = (void (*) (policy_t*))destroy; - - /* apply init values */ - this->name = strdup(name); - this->my_id = my_id; - this->other_id = other_id; - this->my_virtual_ip = my_virtual_ip; - this->other_virtual_ip = other_virtual_ip; - this->auth_method = auth_method; - this->eap_type = eap_type; - this->hard_lifetime = hard_lifetime; - this->soft_lifetime = soft_lifetime; - this->jitter = jitter; - this->updown = (updown == NULL) ? NULL : strdup(updown); - this->hostaccess = hostaccess; - this->dpd_action = dpd_action; - this->mode = mode; - - /* initialize private members*/ - this->refcount = 1; - this->my_ca = NULL; - this->other_ca = NULL; - this->proposals = linked_list_create(); - this->my_ts = linked_list_create(); - this->other_ts = linked_list_create(); - - return &this->public; -} diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h deleted file mode 100644 index d8916b29e..000000000 --- a/src/charon/config/policies/policy.h +++ /dev/null @@ -1,413 +0,0 @@ -/** - * @file policy.h - * - * @brief Interface of policy_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef POLICY_H_ -#define POLICY_H_ - -typedef enum dpd_action_t dpd_action_t; -typedef struct policy_t policy_t; - -#include <library.h> -#include <utils/identification.h> -#include <config/traffic_selector.h> -#include <config/proposal.h> -#include <sa/authenticators/authenticator.h> -#include <sa/authenticators/eap/eap_method.h> - - -/** - * @brief Actions to take when a peer does not respond (dead peer detected). - * - * These values are the same as in pluto/starter, so do not modify them! - * - * @ingroup config - */ -enum dpd_action_t { - /** DPD disabled */ - DPD_NONE, - /** remove CHILD_SA without replacement */ - DPD_CLEAR, - /** route the CHILD_SA to resetup when needed */ - DPD_ROUTE, - /** restart CHILD_SA in a new IKE_SA, immediately */ - DPD_RESTART, -}; - -/** - * enum names for dpd_action_t. - */ -extern enum_name_t *dpd_action_names; - -/** - * @brief Mode of an IPsec SA. - * - * These are equal to those defined in XFRM, so don't change. - * - * @ingroup config - */ -enum mode_t { - /** transport mode, no inner address */ - MODE_TRANSPORT = 0, - /** tunnel mode, inner and outer addresses */ - MODE_TUNNEL = 1, - /** BEET mode, tunnel mode but fixed, bound inner addresses */ - MODE_BEET = 4, -}; - -/** - * enum names for mode_t. - */ -extern enum_name_t *mode_names; - -/** - * @brief A policy_t defines the policies to apply to CHILD_SAs. - * - * The given two IDs identify a policy. These rules define how - * child SAs may be set up and which traffic may be IPsec'ed. - * - * @b Constructors: - * - policy_create() - * - * @ingroup config - */ -struct policy_t { - - /** - * @brief Get the name of the policy. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return policy's name - */ - char *(*get_name) (policy_t *this); - - /** - * @brief Get own id. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return own id - */ - identification_t *(*get_my_id) (policy_t *this); - - /** - * @brief Get peer id. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return other id - */ - identification_t *(*get_other_id) (policy_t *this); - - /** - * @brief Get own ca. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return own ca - */ - identification_t *(*get_my_ca) (policy_t *this); - - /** - * @brief Get peer ca. - * - * Returned object is not getting cloned. - * - * @param this calling object - * @return other ca - */ - identification_t *(*get_other_ca) (policy_t *this); - - /** - * @brief Get the authentication method to use. - * - * @param this calling object - * @return authentication method - */ - auth_method_t (*get_auth_method) (policy_t *this); - - /** - * @brief Get the EAP type to use for peer authentication. - * - * @param this calling object - * @return authentication method - */ - eap_type_t (*get_eap_type) (policy_t *this); - - /** - * @brief Get configured traffic selectors for our site. - * - * Returns a list with all traffic selectors for the local - * site. List and items must be destroyed after usage. - * - * @param this calling object - * @return list with traffic selectors - */ - linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me); - - /** - * @brief Get configured traffic selectors for others site. - * - * Returns a list with all traffic selectors for the remote - * site. List and items must be destroyed after usage. - * - * @param this calling object - * @return list with traffic selectors - */ - linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other); - - /** - * @brief Select traffic selectors from a supplied list for local site. - * - * Resulted list and traffic selectors must be destroyed after usage. - * As the traffic selectors may contain a wildcard address (0.0.0.0) for - * addresses we don't know in previous, an address may be supplied to - * replace these 0.0.0.0 addresses on-the-fly. - * - * @param this calling object - * @param supplied linked list with traffic selectors - * @param me host address used by us - * @return list containing the selected traffic selectors - */ - linked_list_t *(*select_my_traffic_selectors) (policy_t *this, - linked_list_t *supplied, - host_t *me); - - /** - * @brief Select traffic selectors from a supplied list for remote site. - * - * Resulted list and traffic selectors must be destroyed after usage. - * As the traffic selectors may contain a wildcard address (0.0.0.0) for - * addresses we don't know in previous, an address may be supplied to - * replace these 0.0.0.0 addresses on-the-fly. - * - * @param this calling object - * @param supplied linked list with traffic selectors - * @return list containing the selected traffic selectors - */ - linked_list_t *(*select_other_traffic_selectors) (policy_t *this, - linked_list_t *supplied, - host_t *other); - - /** - * @brief Get the list of internally stored proposals. - * - * policy_t does store proposals for AH/ESP, IKE proposals are in - * the connection_t. - * Resulting list and all of its proposals must be freed after usage. - * - * @param this calling object - * @return lists with proposals - */ - linked_list_t *(*get_proposals) (policy_t *this); - - /** - * @brief Select a proposal from a supplied list. - * - * Returned propsal is newly created and must be destroyed after usage. - * - * @param this calling object - * @param proposals list from from wich proposals are selected - * @return selected proposal, or NULL if nothing matches - */ - proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals); - - /** - * @brief Add a traffic selector to the list for local site. - * - * After add, traffic selector is owned by policy. - * - * @param this calling object - * @param traffic_selector traffic_selector to add - */ - void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector); - - /** - * @brief Add a traffic selector to the list for remote site. - * - * After add, traffic selector is owned by policy. - * - * @param this calling object - * @param traffic_selector traffic_selector to add - */ - void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector); - - /** - * @brief Add a proposal to the list. - * - * The proposals are stored by priority, first added - * is the most prefered. - * After add, proposal is owned by policy. - * - * @param this calling object - * @param proposal proposal to add - */ - void (*add_proposal) (policy_t *this, proposal_t *proposal); - - /** - * @brief Add certification authorities. - * - * @param this calling object - * @param my_ca issuer of my certificate - * @param other_ca required issuer of the peer's certificate - */ - void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca); - - /** - * @brief Get updown script - * - * @param this calling object - * @return path to updown script - */ - char* (*get_updown) (policy_t *this); - - /** - * @brief Get hostaccess flag - * - * @param this calling object - * @return value of hostaccess flag - */ - bool (*get_hostaccess) (policy_t *this); - - /** - * @brief What should be done with a CHILD_SA, when other peer does not respond. - * - * @param this calling object - * @return dpd action - */ - dpd_action_t (*get_dpd_action) (policy_t *this); - - /** - * @brief Get the lifetime of a policy, before rekeying starts. - * - * A call to this function automatically adds a jitter to - * avoid simultanous rekeying. - * - * @param this policy - * @return lifetime in seconds - */ - u_int32_t (*get_soft_lifetime) (policy_t *this); - - /** - * @brief Get the lifetime of a policy, before SA gets deleted. - * - * @param this policy - * @return lifetime in seconds - */ - u_int32_t (*get_hard_lifetime) (policy_t *this); - - /** - * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET. - * - * @param this policy - * @return lifetime in seconds - */ - mode_t (*get_mode) (policy_t *this); - - /** - * @brief Get a virtual IP for the local or the remote host. - * - * By supplying NULL as IP, an IP for the local host is requested. It - * may be %any or specific. - * By supplying %any as host, an IP from the pool is selected to be - * served to the peer. - * If a specified host is supplied, it is checked if this address - * is acceptable to serve to the peer. If so, it is returned. Otherwise, - * an alternative IP is returned. - * In any mode, this call may return NULL indicating virtual IP should - * not be used. - * - * @param this policy - * @param suggestion NULL, %any or specific, see description - * @return clone of an IP to use, or NULL - */ - host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion); - - /** - * @brief Get a new reference. - * - * Get a new reference to this policy by increasing - * it's internal reference counter. - * Do not call get_ref or any other function until you - * already have a reference. Otherwise the object may get - * destroyed while calling get_ref(), - * - * @param this calling object - */ - void (*get_ref) (policy_t *this); - - /** - * @brief Destroys the policy object. - * - * Decrements the internal reference counter and - * destroys the policy when it reaches zero. - * - * @param this calling object - */ - void (*destroy) (policy_t *this); -}; - -/** - * @brief Create a configuration object for IKE_AUTH and later. - * - * name-string gets cloned, ID's not. - * Virtual IPs are used if they are != NULL. A %any host means the virtual - * IP should be obtained from the other peer. - * Lifetimes are in seconds. To prevent to peers to start rekeying at the - * same time, a jitter may be specified. Rekeying of an SA starts at - * (soft_lifetime - random(0, jitter)). After a successful rekeying, - * the hard_lifetime limit counter is reset. You should specify - * hard_lifetime > soft_lifetime > jitter. - * After a call to create, a reference is obtained (refcount = 1). - * - * @param name name of the policy - * @param my_id identification_t for ourselves - * @param other_id identification_t for the remote guy - * @param my_virtual_ip virtual IP for local host, or NULL - * @param other_virtual_ip virtual IP for remote host, or NULL - * @param auth_method Authentication method to use for our(!) auth data - * @param eap_type EAP type to use for peer authentication - * @param hard_lifetime lifetime before deleting an SA - * @param soft_lifetime lifetime before rekeying an SA - * @param jitter range of randomization time - * @param updown updown script to execute on up/down event - * @param hostaccess allow access to the host itself (used by the updown script) - * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET - * @param dpd_action what to to with a CHILD_SA when other peer does not respond - * @return policy_t object - * - * @ingroup config - */ -policy_t *policy_create(char *name, - identification_t *my_id, identification_t *other_id, - host_t *my_virtual_ip, host_t *other_virtual_ip, - auth_method_t auth_method, eap_type_t eap_type, - u_int32_t hard_lifetime, u_int32_t soft_lifetime, - u_int32_t jitter, char *updown, bool hostaccess, - mode_t mode, dpd_action_t dpd_action); - -#endif /* POLICY_H_ */ diff --git a/src/charon/config/policies/policy_store.h b/src/charon/config/policies/policy_store.h deleted file mode 100755 index cd8870953..000000000 --- a/src/charon/config/policies/policy_store.h +++ /dev/null @@ -1,119 +0,0 @@ -/** - * @file policy_store.h - * - * @brief Interface policy_store_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef POLICY_STORE_H_ -#define POLICY_STORE_H_ - -typedef struct policy_store_t policy_store_t; - -#include <library.h> -#include <config/policies/policy.h> -#include <utils/linked_list.h> - - -/** - * @brief The interface for a store of policy_t's. - * - * The store uses reference counting to manage their lifetime. Call - * destroy() for a policy which is returned from the store after usage. - * - * @b Constructors: - * - stroke_create() - * - * @ingroup config - */ -struct policy_store_t { - - /** - * @brief Returns a policy identified by two IDs and a set of traffic selectors. - * - * other_id must be fully qualified. my_id may be %any, as the - * other peer may not include an IDr Request. - * - * @param this calling object - * @param my_id own ID of the policy - * @param other_id others ID of the policy - * @param my_ts traffic selectors requested for local host - * @param other_ts traffic selectors requested for remote host - * @param my_host host to use for wilcards in TS compare - * @param other_host host to use for wildcards in TS compare - * @return - * - matching policy_t, if found - * - NULL otherwise - */ - policy_t *(*get_policy) (policy_store_t *this, - identification_t *my_id, identification_t *other_id, - linked_list_t *my_ts, linked_list_t *other_ts, - host_t *my_host, host_t* other_host); - - /** - * @brief Returns a policy identified by a connection name. - * - * @param this calling object - * @param name name of the policy - * @return - * - matching policy_t, if found - * - NULL otherwise - */ - policy_t *(*get_policy_by_name) (policy_store_t *this, char *name); - - /** - * @brief Add a policy to the list. - * - * The policy is owned by the store after the call. Do - * not modify nor free. - * - * @param this calling object - * @param policy policy to add - */ - void (*add_policy) (policy_store_t *this, policy_t *policy); - - /** - * @brief Delete a policy from the store. - * - * Remove a policy from the store identified by its name. - * - * @param this calling object - * @param policy policy to add - * @return - * - SUCCESS, or - * - NOT_FOUND - */ - status_t (*delete_policy) (policy_store_t *this, char *name); - - /** - * @brief Get an iterator for the stored policies. - * - * @param this calling object - * @return iterator over all stored policies - */ - iterator_t* (*create_iterator) (policy_store_t *this); - - /** - * @brief Destroys a policy_store_t object. - * - * @param this calling object - */ - void (*destroy) (policy_store_t *this); -}; - -#endif /*POLICY_STORE_H_*/ diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index dcab8cbdd..cff9859c1 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -144,39 +144,6 @@ static void add_algorithm(private_proposal_t *this, transform_type_t type, u_int } /** - * Implements proposal_t.get_algorithm. - */ -static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo) -{ - linked_list_t *list; - switch (type) - { - case ENCRYPTION_ALGORITHM: - list = this->encryption_algos; - break; - case INTEGRITY_ALGORITHM: - list = this->integrity_algos; - break; - case PSEUDO_RANDOM_FUNCTION: - list = this->prf_algos; - break; - case DIFFIE_HELLMAN_GROUP: - list = this->dh_groups; - break; - case EXTENDED_SEQUENCE_NUMBERS: - list = this->esns; - break; - default: - return FALSE; - } - if (list->get_first(list, (void**)algo) != SUCCESS) - { - return FALSE; - } - return TRUE; -} - -/** * Implements proposal_t.create_algorithm_iterator. */ static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform_type_t type) @@ -200,6 +167,50 @@ static iterator_t *create_algorithm_iterator(private_proposal_t *this, transform } /** + * Implements proposal_t.get_algorithm. + */ +static bool get_algorithm(private_proposal_t *this, transform_type_t type, algorithm_t** algo) +{ + iterator_t *iterator = create_algorithm_iterator(this, type); + if (iterator->iterate(iterator, (void**)algo)) + { + iterator->destroy(iterator); + return TRUE; + } + iterator->destroy(iterator); + return FALSE; +} + +/** + * Implements proposal_t.has_dh_group + */ +static bool has_dh_group(private_proposal_t *this, diffie_hellman_group_t group) +{ + algorithm_t *current; + iterator_t *iterator; + bool result = FALSE; + + iterator = this->dh_groups->create_iterator(this->dh_groups, TRUE); + if (iterator->get_count(iterator)) + { + while (iterator->iterate(iterator, (void**)¤t)) + { + if (current->algorithm == group) + { + result = TRUE; + break; + } + } + } + else if (group == MODP_NONE) + { + result = TRUE; + } + iterator->destroy(iterator); + return result; +} + +/** * Find a matching alg/keysize in two linked lists */ static bool select_algo(linked_list_t *first, linked_list_t *second, bool *add, u_int16_t *alg, size_t *key_size) @@ -399,6 +410,10 @@ static proposal_t *clone_(private_proposal_t *this) return &clone->public; } +/** + * add a algorithm identified by a string to the proposal. + * TODO: we could use gperf here. + */ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) { if (strncmp(alg.ptr, "null", alg.len) == 0) @@ -443,8 +458,9 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) { add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); } - } - else if (strncmp(alg.ptr, "sha256", alg.len) == 0) + } + else if (strncmp(alg.ptr, "sha256", alg.len) == 0 || + strncmp(alg.ptr, "sha2_256", alg.len) == 0) { add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); if (this->protocol == PROTO_IKE) @@ -452,7 +468,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0); } } - else if (strncmp(alg.ptr, "sha384", alg.len) == 0) + else if (strncmp(alg.ptr, "sha384", alg.len) == 0 || + strncmp(alg.ptr, "sha2_384", alg.len) == 0) { add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); if (this->protocol == PROTO_IKE) @@ -460,7 +477,8 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0); } } - else if (strncmp(alg.ptr, "sha512", alg.len) == 0) + else if (strncmp(alg.ptr, "sha512", alg.len) == 0 || + strncmp(alg.ptr, "sha2_512", alg.len) == 0) { add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); if (this->protocol == PROTO_IKE) @@ -476,6 +494,14 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); } } + else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0) + { + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); + if (this->protocol == PROTO_IKE) + { + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, AUTH_AES_XCBC_96, 0); + } + } else if (strncmp(alg.ptr, "modp768", alg.len) == 0) { add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); @@ -530,6 +556,7 @@ proposal_t *proposal_create(protocol_id_t protocol) this->public.add_algorithm = (void (*)(proposal_t*,transform_type_t,u_int16_t,size_t))add_algorithm; this->public.create_algorithm_iterator = (iterator_t* (*)(proposal_t*,transform_type_t))create_algorithm_iterator; this->public.get_algorithm = (bool (*)(proposal_t*,transform_type_t,algorithm_t**))get_algorithm; + this->public.has_dh_group = (bool (*)(proposal_t*,diffie_hellman_group_t))has_dh_group; this->public.select = (proposal_t* (*)(proposal_t*,proposal_t*))select_proposal; this->public.get_protocol = (protocol_id_t(*)(proposal_t*))get_protocol; this->public.set_spi = (void(*)(proposal_t*,u_int64_t))set_spi; @@ -586,11 +613,13 @@ proposal_t *proposal_create_default(protocol_id_t protocol) add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; case PROTO_AH: add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); + add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); add_algorithm(this, EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS, 0); break; diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h index abcb40999..379550f44 100644 --- a/src/charon/config/proposal.h +++ b/src/charon/config/proposal.h @@ -102,6 +102,8 @@ extern enum_name_t *extended_sequence_numbers_names; /** * Struct used to store different kinds of algorithms. The internal * lists of algorithms contain such structures. + * + * @ingroup config */ struct algorithm_t { /** @@ -162,7 +164,6 @@ struct proposal_t { * @brief Get the algorithm for a type to use. * * If there are multiple algorithms, only the first is returned. - * Result is still owned by proposal, do not modify! * * @param this calling object * @param type kind of algorithm @@ -170,6 +171,15 @@ struct proposal_t { * @return TRUE if algorithm of this kind available */ bool (*get_algorithm) (proposal_t *this, transform_type_t type, algorithm_t** algo); + + /** + * @brief Check if the proposal has a specific DH group. + * + * @param this calling object + * @param group group to check for + * @return TRUE if algorithm included + */ + bool (*has_dh_group) (proposal_t *this, diffie_hellman_group_t group); /** * @brief Compare two proposal, and select a matching subset. diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c index 2fb012e16..b399074d1 100644 --- a/src/charon/config/traffic_selector.c +++ b/src/charon/config/traffic_selector.c @@ -167,6 +167,8 @@ static int print(FILE *stream, const struct printf_info *info, const void *const *args) { private_traffic_selector_t *this = *((private_traffic_selector_t**)(args[0])); + linked_list_t *list = *((linked_list_t**)(args[0])); + iterator_t *iterator; char addr_str[INET6_ADDRSTRLEN] = ""; char *serv_proto = NULL; u_int8_t mask; @@ -179,6 +181,24 @@ static int print(FILE *stream, const struct printf_info *info, return fprintf(stream, "(null)"); } + if (info->alt) + { + iterator = list->create_iterator(list, TRUE); + while (iterator->iterate(iterator, (void**)&this)) + { + /* call recursivly */ + written += fprintf(stream, "%R ", this); + } + iterator->destroy(iterator); + return written; + } + + if (this->dynamic) + { + return fprintf(stream, "dynamic/%d", + this->type == TS_IPV4_ADDR_RANGE ? 32 : 128); + } + if (this->type == TS_IPV4_ADDR_RANGE) { inet_ntop(AF_INET, &this->from4, addr_str, sizeof(addr_str)); |