diff options
Diffstat (limited to 'src/charon/config')
| -rw-r--r-- | src/charon/config/attributes/attribute_handler.h | 58 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.c | 120 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.h | 74 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_provider.h | 16 | ||||
| -rw-r--r-- | src/charon/config/auth_cfg.c | 768 | ||||
| -rw-r--r-- | src/charon/config/auth_cfg.h | 201 | ||||
| -rw-r--r-- | src/charon/config/backend.h | 18 | ||||
| -rw-r--r-- | src/charon/config/backend_manager.c | 314 | ||||
| -rw-r--r-- | src/charon/config/backend_manager.h | 32 | ||||
| -rw-r--r-- | src/charon/config/child_cfg.c | 2 | ||||
| -rw-r--r-- | src/charon/config/child_cfg.h | 2 | ||||
| -rw-r--r-- | src/charon/config/ike_cfg.c | 2 | ||||
| -rw-r--r-- | src/charon/config/ike_cfg.h | 2 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.c | 194 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.h | 78 | ||||
| -rw-r--r-- | src/charon/config/proposal.c | 251 | ||||
| -rw-r--r-- | src/charon/config/proposal.h | 23 | ||||
| -rw-r--r-- | src/charon/config/traffic_selector.c | 2 | ||||
| -rw-r--r-- | src/charon/config/traffic_selector.h | 2 |
19 files changed, 1656 insertions, 503 deletions
diff --git a/src/charon/config/attributes/attribute_handler.h b/src/charon/config/attributes/attribute_handler.h new file mode 100644 index 000000000..de1c4414d --- /dev/null +++ b/src/charon/config/attributes/attribute_handler.h @@ -0,0 +1,58 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup attribute_handler attribute_handler + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_HANDLER_H_ +#define ATTRIBUTE_HANDLER_H_ + +#include <sa/ike_sa.h> +#include <encoding/payloads/configuration_attribute.h> + +typedef struct attribute_handler_t attribute_handler_t; + +/** + * Interface to handle configuration payload attributes. + */ +struct attribute_handler_t { + + /** + * Handle a configuration attribute. + * + * After receiving a configuration attriubte, it is passed to each + * attribute handler until it is handled. + * + * @param type type of configuration attribute to handle + * @param data associated attribute data + * @return TRUE if attribute handled + */ + bool (*handle)(attribute_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data); + + /** + * Release an attribute handled during handle(). + * + * A handler that handle()d an attribute gets a call to release() when the + * IKE_SA gets closed. Depending on the implementation, this is required + * to remove the attribute. + */ + void (*release)(attribute_handler_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data); +}; + +#endif /* ATTRIBUTE_HANDLER_ @}*/ diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c index a069c954a..83e431c43 100644 --- a/src/charon/config/attributes/attribute_manager.c +++ b/src/charon/config/attributes/attribute_manager.c @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id$ */ #include "attribute_manager.h" @@ -39,6 +37,11 @@ struct private_attribute_manager_t { linked_list_t *providers; /** + * list of registered handlers + */ + linked_list_t *handlers; + + /** * rwlock provider list */ rwlock_t *lock; @@ -49,7 +52,7 @@ struct private_attribute_manager_t { */ static host_t* acquire_address(private_attribute_manager_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested) + host_t *requested) { enumerator_t *enumerator; attribute_provider_t *current; @@ -59,7 +62,7 @@ static host_t* acquire_address(private_attribute_manager_t *this, enumerator = this->providers->create_enumerator(this->providers); while (enumerator->enumerate(enumerator, ¤t)) { - host = current->acquire_address(current, pool, id, auth, requested); + host = current->acquire_address(current, pool, id, requested); if (host) { break; @@ -105,6 +108,29 @@ static void release_address(private_attribute_manager_t *this, } /** + * inner enumerator constructor for attributes + */ +static enumerator_t *attrib_enum_create(attribute_provider_t *provider, + identification_t *id) +{ + return provider->create_attribute_enumerator(provider, id); +} + +/** + * Implementation of attribute_manager_t.create_attribute_enumerator + */ +static enumerator_t* create_attribute_enumerator( + private_attribute_manager_t *this, identification_t *id) +{ + this->lock->read_lock(this->lock); + return enumerator_create_cleaner( + enumerator_create_nested( + this->providers->create_enumerator(this->providers), + (void*)attrib_enum_create, id, NULL), + (void*)this->lock->unlock, this->lock); +} + +/** * Implementation of attribute_manager_t.add_provider. */ static void add_provider(private_attribute_manager_t *this, @@ -127,11 +153,89 @@ static void remove_provider(private_attribute_manager_t *this, } /** + * Implementation of attribute_manager_t.handle + */ +static attribute_handler_t* handle(private_attribute_manager_t *this, + ike_sa_t *ike_sa, configuration_attribute_type_t type, + chunk_t data) +{ + enumerator_t *enumerator; + attribute_handler_t *current, *handled = NULL; + + this->lock->read_lock(this->lock); + enumerator = this->handlers->create_enumerator(this->handlers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current->handle(current, ike_sa, type, data)) + { + handled = current; + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + + if (!handled) + { + DBG1(DBG_CFG, "handling %N attribute failed", + configuration_attribute_type_names, type); + } + return handled; +} + +/** + * Implementation of attribute_manager_t.release + */ +static void release(private_attribute_manager_t *this, + attribute_handler_t *handler, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data) +{ + enumerator_t *enumerator; + attribute_handler_t *current; + + this->lock->read_lock(this->lock); + enumerator = this->handlers->create_enumerator(this->handlers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == handler) + { + current->release(current, ike_sa, type, data); + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); +} + +/** + * Implementation of attribute_manager_t.add_handler + */ +static void add_handler(private_attribute_manager_t *this, + attribute_handler_t *handler) +{ + this->lock->write_lock(this->lock); + this->handlers->insert_last(this->handlers, handler); + this->lock->unlock(this->lock); +} + +/** + * Implementation of attribute_manager_t.remove_handler + */ +static void remove_handler(private_attribute_manager_t *this, + attribute_handler_t *handler) +{ + this->lock->write_lock(this->lock); + this->handlers->remove(this->handlers, handler, NULL); + this->lock->unlock(this->lock); +} + +/** * Implementation of attribute_manager_t.destroy */ static void destroy(private_attribute_manager_t *this) { this->providers->destroy(this->providers); + this->handlers->destroy(this->handlers); this->lock->destroy(this->lock); free(this); } @@ -143,13 +247,19 @@ attribute_manager_t *attribute_manager_create() { private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t); - this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address; + this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address; this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address; + this->public.create_attribute_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t *id))create_attribute_enumerator; this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider; this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider; + this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))handle; + this->public.release = (void(*)(attribute_manager_t*, attribute_handler_t *handler, ike_sa_t *ike_sa, configuration_attribute_type_t type, chunk_t data))release; + this->public.add_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))add_handler; + this->public.remove_handler = (void(*)(attribute_manager_t*, attribute_handler_t *handler))remove_handler; this->public.destroy = (void(*)(attribute_manager_t*))destroy; this->providers = linked_list_create(); + this->handlers = linked_list_create(); this->lock = rwlock_create(RWLOCK_DEFAULT); return &this->public; diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h index aef6e7b6e..ceea06581 100644 --- a/src/charon/config/attributes/attribute_manager.h +++ b/src/charon/config/attributes/attribute_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Martin Willi + * Copyright (C) 2008-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id$ */ /** @@ -24,26 +22,31 @@ #define ATTRIBUTE_MANAGER_H_ #include <config/attributes/attribute_provider.h> +#include <config/attributes/attribute_handler.h> typedef struct attribute_manager_t attribute_manager_t; /** - * Provide configuration attributes to include in CFG Payloads. + * The attribute manager hands out attributes or handles them. + * + * The attribute manager manages both, attribute providers and attribute + * handlers. Attribute providers are responsible to hand out attributes if + * a connecting peer requests them. Handlers handle such attributes if they + * are received on the requesting peer. */ struct attribute_manager_t { - + /** * Acquire a virtual IP address to assign to a peer. * * @param pool pool name to acquire address from - * @param id peer identity to get address for - * @param auth authorization infos of peer + * @param id peer identity to get address forua * @param requested IP in configuration request * @return allocated address, NULL to serve none */ host_t* (*acquire_address)(attribute_manager_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested); + host_t *requested); /** * Release a previously acquired address. @@ -56,6 +59,15 @@ struct attribute_manager_t { char *pool, host_t *address, identification_t *id); /** + * Create an enumerator over attributes to hand out to a peer. + * + * @param id peer identity to hand out attributes to + * @return enumerator (configuration_attribute_type_t, chunk_t) + */ + enumerator_t* (*create_attribute_enumerator)(attribute_manager_t *this, + identification_t *id); + + /** * Register an attribute provider to the manager. * * @param provider attribute provider to register @@ -69,10 +81,50 @@ struct attribute_manager_t { */ void (*remove_provider)(attribute_manager_t *this, attribute_provider_t *provider); + + /** + * Handle a configuration attribute by passing them to the handlers. + * + * @param ike_sa IKE_SA where attribute was received + * @param type type of configuration attribute + * @param data associated attribute data + * @return handler which handled this attribute, NULL if none + */ + attribute_handler_t* (*handle)(attribute_manager_t *this, ike_sa_t *ike_sa, + configuration_attribute_type_t type, chunk_t data); + /** - * Destroy a attribute_manager instance. - */ - void (*destroy)(attribute_manager_t *this); + * Release an attribute previously handle()d by a handler. + * + * @param handler handler returned by handle() for this attribute + * @param ike_sa IKE_SA owning the attribute + * @param type type of attribute to release + * @param data associated attribute data + */ + void (*release)(attribute_manager_t *this, attribute_handler_t *handler, + ike_sa_t *ike_sa, configuration_attribute_type_t type, + chunk_t data); + + /** + * Register an attribute handler to the manager. + * + * @param handler attribute handler to register + */ + void (*add_handler)(attribute_manager_t *this, + attribute_handler_t *handler); + + /** + * Unregister an attribute handler from the manager. + * + * @param handler attribute handler to unregister + */ + void (*remove_handler)(attribute_manager_t *this, + attribute_handler_t *handler); + + /** + * Destroy a attribute_manager instance. + */ + void (*destroy)(attribute_manager_t *this); }; /** diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h index 5d563e86b..0f1057af4 100644 --- a/src/charon/config/attributes/attribute_provider.h +++ b/src/charon/config/attributes/attribute_provider.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id$ */ /** @@ -25,7 +23,7 @@ #include <library.h> #include <utils/host.h> -#include <credentials/auth_info.h> +#include <utils/identification.h> typedef struct attribute_provider_t attribute_provider_t; @@ -39,13 +37,12 @@ struct attribute_provider_t { * * @param pool name of the pool to acquire address from * @param id peer ID - * @param auth authorization infos * @param requested IP in configuration request * @return allocated address, NULL to serve none */ host_t* (*acquire_address)(attribute_provider_t *this, char *pool, identification_t *id, - auth_info_t *auth, host_t *requested); + host_t *requested); /** * Release a previously acquired address. * @@ -56,6 +53,15 @@ struct attribute_provider_t { */ bool (*release_address)(attribute_provider_t *this, char *pool, host_t *address, identification_t *id); + + /** + * Create an enumerator over attributes to hand out to a peer. + * + * @param id peer ID + * @return enumerator (configuration_attribute_type_t, chunk_t) + */ + enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this, + identification_t *id); }; #endif /** ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/charon/config/auth_cfg.c b/src/charon/config/auth_cfg.c new file mode 100644 index 000000000..e4501bc93 --- /dev/null +++ b/src/charon/config/auth_cfg.c @@ -0,0 +1,768 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "auth_cfg.h" + +#include <daemon.h> +#include <utils/linked_list.h> +#include <utils/identification.h> +#include <credentials/certificates/certificate.h> + +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, + "RULE_IDENTITY", + "RULE_AUTH_CLASS", + "RULE_EAP_IDENTITY", + "RULE_EAP_TYPE", + "RULE_EAP_VENDOR", + "RULE_CA_CERT", + "RULE_IM_CERT", + "RULE_SUBJECT_CERT", + "RULE_CRL_VALIDATION", + "RULE_OCSP_VALIDATION", + "RULE_AC_GROUP", + "HELPER_IM_CERT", + "HELPER_SUBJECT_CERT", + "HELPER_IM_HASH_URL", + "HELPER_SUBJECT_HASH_URL", +); + +typedef struct private_auth_cfg_t private_auth_cfg_t; + +/** + * private data of item_set + */ +struct private_auth_cfg_t { + + /** + * public functions + */ + auth_cfg_t public; + + /** + * list of entry_t + */ + linked_list_t *entries; +}; + +typedef struct entry_t entry_t; + +struct entry_t { + /** rule type */ + auth_rule_t type; + /** associated value */ + void *value; +}; + +/** + * enumerator for auth_cfg_t.create_enumerator() + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner enumerator from linked_list_t */ + enumerator_t *inner; + /** current entry */ + entry_t *current; +} entry_enumerator_t; + +/** + * enumerate function for item_enumerator_t + */ +static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value) +{ + entry_t *entry; + + if (this->inner->enumerate(this->inner, &entry)) + { + this->current = entry; + *type = entry->type; + *value = entry->value; + return TRUE; + } + return FALSE; +} + +/** + * destroy function for item_enumerator_t + */ +static void entry_enumerator_destroy(entry_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +/** + * Implementation of auth_cfg_t.create_enumerator. + */ +static enumerator_t* create_enumerator(private_auth_cfg_t *this) +{ + entry_enumerator_t *enumerator; + + enumerator = malloc_thing(entry_enumerator_t); + enumerator->inner = this->entries->create_enumerator(this->entries); + enumerator->public.enumerate = (void*)enumerate; + enumerator->public.destroy = (void*)entry_enumerator_destroy; + enumerator->current = NULL; + return &enumerator->public; +} + +/** + * Destroy the value associated with an entry + */ +static void destroy_entry_value(entry_t *entry) +{ + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)entry->value; + id->destroy(id); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + cert->destroy(cert); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + free(entry->value); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + break; + } +} + +/** + * Implementation of auth_cfg_t.replace. + */ +static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, + auth_rule_t type, ...) +{ + if (enumerator->current) + { + va_list args; + + va_start(args, type); + + destroy_entry_value(enumerator->current); + enumerator->current->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + enumerator->current->value = va_arg(args, void*); + break; + } + va_end(args); + } +} + +/** + * Implementation of auth_cfg_t.get. + */ +static void* get(private_auth_cfg_t *this, auth_rule_t type) +{ + enumerator_t *enumerator; + void *current_value, *best_value = NULL; + auth_rule_t current_type; + bool found = FALSE; + + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, ¤t_type, ¤t_value)) + { + if (type == current_type) + { + if (type == AUTH_RULE_CRL_VALIDATION || + type == AUTH_RULE_OCSP_VALIDATION) + { /* for CRL/OCSP validation, always get() the highest value */ + if (!found || current_value > best_value) + { + best_value = current_value; + } + found = TRUE; + continue; + } + best_value = current_value; + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + if (found) + { + return best_value; + } + switch (type) + { + /* use some sane defaults if we don't find an entry */ + case AUTH_RULE_AUTH_CLASS: + return (void*)AUTH_CLASS_ANY; + case AUTH_RULE_EAP_TYPE: + return (void*)EAP_NAK; + case AUTH_RULE_EAP_VENDOR: + return (void*)0; + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + return (void*)VALIDATION_FAILED; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + default: + return NULL; + } +} + +/** + * Implementation of auth_cfg_t.add. + */ +static void add(private_auth_cfg_t *this, auth_rule_t type, ...) +{ + entry_t *entry = malloc_thing(entry_t); + va_list args; + + va_start(args, type); + entry->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + entry->value = (void*)(uintptr_t)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + entry->value = va_arg(args, void*); + break; + } + va_end(args); + this->entries->insert_last(this->entries, entry); +} + +/** + * Implementation of auth_cfg_t.complies. + */ +static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, + bool log_error) +{ + enumerator_t *e1, *e2; + bool success = TRUE; + auth_rule_t t1, t2; + void *value; + + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + switch (t1) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &c2)) + { + if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) && + c1->equals(c1, c2)) + { + success = TRUE; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated by CA '%Y'.", c1->get_subject(c1)); + } + break; + } + case AUTH_RULE_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + c2 = get(this, AUTH_RULE_SUBJECT_CERT); + if (!c2 || !c1->equals(c1, c2)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated with peer cert '%Y'.", + c1->get_subject(c1)); + } + } + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + cert_validation_t validated, required; + + required = (uintptr_t)value; + validated = (uintptr_t)get(this, t1); + switch (required) + { + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %N is %N, " + "but requires at least %N", auth_rule_names, + t1, cert_validation_names, validated, + cert_validation_names, required); + } + break; + } + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + { + identification_t *id1, *id2; + + id1 = (identification_t*)value; + id2 = get(this, t1); + if (!id2 || !id2->matches(id2, id1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'" + " required ", t1 == AUTH_RULE_IDENTITY ? "" : + "EAP ", id1); + } + } + break; + } + case AUTH_RULE_AUTH_CLASS: + { + if ((uintptr_t)value != AUTH_CLASS_ANY && + (uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N authentication, " + "but %N was used", auth_class_names, (uintptr_t)value, + auth_class_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_TYPE: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N, " + "but %N was used", eap_type_names, (uintptr_t)value, + eap_type_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_VENDOR: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires EAP vendor %d, " + "but %d was used", (uintptr_t)value, + (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_AC_GROUP: + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check %N not implemented!", + auth_rule_names, t1); + } + break; + } + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* skip helpers */ + continue; + } + if (!success) + { + break; + } + } + e1->destroy(e1); + return success; +} + +/** + * Implementation of auth_cfg_t.merge. + */ +static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy) +{ + if (!other) + { /* nothing to merge */ + return; + } + if (copy) + { + enumerator_t *enumerator; + auth_rule_t type; + void *value; + + enumerator = create_enumerator(other); + while (enumerator->enumerate(enumerator, &type, &value)) + { + switch (type) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)value; + + add(this, type, cert->get_ref(cert)); + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + { + add(this, type, (uintptr_t)value); + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)value; + + add(this, type, id->clone(id)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + add(this, type, strdup((char*)value)); + break; + } + } + } + enumerator->destroy(enumerator); + } + else + { + entry_t *entry; + + while (other->entries->remove_first(other->entries, + (void**)&entry) == SUCCESS) + { + this->entries->insert_last(this->entries, entry); + } + } +} + +/** + * Implementation of auth_cfg_t.equals. + */ +static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) +{ + enumerator_t *e1, *e2; + entry_t *i1, *i2; + bool equal = TRUE, found; + + if (this->entries->get_count(this->entries) != + other->entries->get_count(other->entries)) + { + return FALSE; + } + e1 = this->entries->create_enumerator(this->entries); + while (e1->enumerate(e1, &i1)) + { + found = FALSE; + e2 = other->entries->create_enumerator(other->entries); + while (e2->enumerate(e2, &i2)) + { + if (i1->type == i2->type) + { + switch (i1->type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + if (i1->value == i2->value) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)i1->value; + c2 = (certificate_t*)i2->value; + + if (c1->equals(c1, c2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id1, *id2; + + id1 = (identification_t*)i1->value; + id2 = (identification_t*)i2->value; + + if (id1->equals(id1, id2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + if (streq(i1->value, i2->value)) + { + found = TRUE; + break; + } + continue; + } + } + break; + } + } + e2->destroy(e2); + if (!found) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + return equal; +} + +/** + * Implementation of auth_cfg_t.purge + */ +static void purge(private_auth_cfg_t *this, bool keep_ca) +{ + entry_t *entry; + linked_list_t *cas; + + cas = linked_list_create(); + while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS) + { + if (keep_ca && entry->type == AUTH_RULE_CA_CERT) + { + cas->insert_first(cas, entry); + } + else + { + destroy_entry_value(entry); + free(entry); + } + } + while (cas->remove_last(cas, (void**)&entry) == SUCCESS) + { + this->entries->insert_first(this->entries, entry); + } + cas->destroy(cas); +} + +/** + * Implementation of auth_cfg_t.clone + */ +static auth_cfg_t* clone_(private_auth_cfg_t *this) +{ + enumerator_t *enumerator; + auth_cfg_t *clone; + entry_t *entry; + + clone = auth_cfg_create(); + enumerator = this->entries->create_enumerator(this->entries); + while (enumerator->enumerate(enumerator, &entry)) + { + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_AC_GROUP: + { + identification_t *id = (identification_t*)entry->value; + clone->add(clone, entry->type, id->clone(id)); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + clone->add(clone, entry->type, cert->get_ref(cert)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + clone->add(clone, entry->type, strdup(entry->value)); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + clone->add(clone, entry->type, (uintptr_t)entry->value); + break; + } + } + enumerator->destroy(enumerator); + return clone; +} + +/** + * Implementation of auth_cfg_t.destroy + */ +static void destroy(private_auth_cfg_t *this) +{ + purge(this, FALSE); + this->entries->destroy(this->entries); + free(this); +} + +/* + * see header file + */ +auth_cfg_t *auth_cfg_create() +{ + private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t); + + this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add; + this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get; + this->public.create_enumerator = (enumerator_t*(*)(auth_cfg_t*))create_enumerator; + this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace; + this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies; + this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge; + this->public.purge = (void(*)(auth_cfg_t*,bool))purge; + this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals; + this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_; + this->public.destroy = (void(*)(auth_cfg_t*))destroy; + + this->entries = linked_list_create(); + + return &this->public; +} + diff --git a/src/charon/config/auth_cfg.h b/src/charon/config/auth_cfg.h new file mode 100644 index 000000000..c6bc1959b --- /dev/null +++ b/src/charon/config/auth_cfg.h @@ -0,0 +1,201 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup auth_cfg auth_cfg + * @{ @ingroup config + */ + +#ifndef AUTH_CFG_H_ +#define AUTH_CFG_H_ + +#include <utils/enumerator.h> + +typedef struct auth_cfg_t auth_cfg_t; +typedef enum auth_rule_t auth_rule_t; + +/** + * Authentication config to use during authentication process. + * + * Each authentication config contains a set of rules. These rule-sets are used + * in two ways: + * - For configs specifying local authentication behavior, the rules define + * which authentication method in which way. + * - For configs specifying remote peer authentication, the rules define + * constraints the peer has to fullfill. + * + * Additionally to the rules, there is a set of helper items. These are used + * to transport credentials during the authentication process. + */ +enum auth_rule_t { + + /** identity to use for IKEv2 authentication exchange, identification_t* */ + AUTH_RULE_IDENTITY, + /** authentication class, auth_class_t */ + AUTH_RULE_AUTH_CLASS, + /** EAP identity to use within EAP-Identity exchange, identification_t* */ + AUTH_RULE_EAP_IDENTITY, + /** EAP type to propose for peer authentication, eap_type_t */ + AUTH_RULE_EAP_TYPE, + /** EAP vendor for vendor specific type, u_int32_t */ + AUTH_RULE_EAP_VENDOR, + /** certificate authority, certificate_t* */ + AUTH_RULE_CA_CERT, + /** intermediate certificate in trustchain, certificate_t* */ + AUTH_RULE_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_RULE_SUBJECT_CERT, + /** result of a CRL validation, cert_validation_t */ + AUTH_RULE_CRL_VALIDATION, + /** result of a OCSP validation, cert_validation_t */ + AUTH_RULE_OCSP_VALIDATION, + /** subject is in attribute certificate group, identification_t* */ + AUTH_RULE_AC_GROUP, + + /** intermediate certificate, certificate_t* */ + AUTH_HELPER_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_HELPER_SUBJECT_CERT, + /** Hash and URL of a intermediate certificate, char* */ + AUTH_HELPER_IM_HASH_URL, + /** Hash and URL of a end-entity certificate, char* */ + AUTH_HELPER_SUBJECT_HASH_URL, +}; + +/** + * enum name for auth_rule_t. + */ +extern enum_name_t *auth_rule_names; + +/** + * Authentication/Authorization round. + * + * RFC4739 defines multiple authentication rounds. This class defines such + * a round from a configuration perspective, either for the local or the remote + * peer. Local config are called "rulesets", as they define how we authenticate. + * Remote peer configs are called "constraits", they define what is needed to + * complete the authentication round successfully. + * + * @verbatim + + [Repeat for each configuration] + +--------------------------------------------------+ + | | + | | + | +----------+ IKE_AUTH +--------- + | + | | config | -----------> | | | + | | ruleset | | | | + | +----------+ [ <----------- ] | | | + | [ optional EAP ] | Peer | | + | +----------+ [ -----------> ] | | | + | | config | | | | + | | constr. | <----------- | | | + | +----------+ IKE_AUTH +--------- + | + | | + | | + +--------------------------------------------------+ + + @endverbatim + * + * Values for each items are either pointers (casted to void*) or short + * integers (use uintptr_t cast). + */ +struct auth_cfg_t { + + /** + * Add an rule to the set. + * + * @param rule rule type + * @param ... associated value to rule + */ + void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); + + /** + * Get an rule value. + * + * @param rule rule type + * @return bool if item has been found + */ + void* (*get)(auth_cfg_t *this, auth_rule_t rule); + + /** + * Create an enumerator over added rules. + * + * @return enumerator over (auth_rule_t, union{void*,uintpr_t}) + */ + enumerator_t* (*create_enumerator)(auth_cfg_t *this); + + /** + * Replace an rule at enumerator position. + * + * @param pos enumerator position position + * @param rule rule type + * @param ... associated value to rule + */ + void (*replace)(auth_cfg_t *this, enumerator_t *pos, + auth_rule_t rule, ...); + + /** + * Check if a used config fulfills a set of configured constraints. + * + * @param constraints required authorization rules + * @param log_error wheter to log compliance errors + * @return TRUE if this complies with constraints + */ + bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error); + + /** + * Merge items from other into this. + * + * @param other items to read for merge + * @param copy TRUE to copy items, FALSE to move them + */ + void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy); + + /** + * Purge all rules in a config. + * + * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries + */ + void (*purge)(auth_cfg_t *this, bool keep_ca); + + /** + * Check two configs for equality. + * + * @param other other config to compaire against this + * @return TRUE if auth infos identical + */ + bool (*equals)(auth_cfg_t *this, auth_cfg_t *other); + + /** + * Clone a authentication config, including all rules. + * + * @return cloned configuration + */ + auth_cfg_t* (*clone)(auth_cfg_t *this); + + /** + * Destroy a config with all associated rules/values. + */ + void (*destroy)(auth_cfg_t *this); +}; + +/** + * Create a authentication config. + */ +auth_cfg_t *auth_cfg_create(); + +#endif /** AUTH_CFG_H_ @}*/ diff --git a/src/charon/config/backend.h b/src/charon/config/backend.h index 3a22f61ac..458abc37f 100644 --- a/src/charon/config/backend.h +++ b/src/charon/config/backend.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: backend.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -28,7 +26,6 @@ typedef struct backend_t backend_t; #include <library.h> #include <config/ike_cfg.h> #include <config/peer_cfg.h> -#include <credentials/auth_info.h> #include <utils/linked_list.h> /** @@ -45,6 +42,10 @@ struct backend_t { * * Hosts may be NULL to get all. * + * There is no requirement for the backend to filter the configurations + * using the supplied hosts; but it may do so if it increases lookup times + * (e.g. include hosts in SQL query). + * * @param me address of local host * @param other address of remote host * @return enumerator over ike_cfg_t's @@ -52,10 +53,17 @@ struct backend_t { enumerator_t* (*create_ike_cfg_enumerator)(backend_t *this, host_t *me, host_t *other); /** - * Create an enumerator over all Peer configs matching two IDs. + * Create an enumerator over all peer configs matching two identities. * * IDs may be NULL to get all. * + * As configurations are looked up in the first authentication round (when + * multiple authentication), the backend implementation should compare + * the identities to the first auth_cfgs only. + * There is no requirement for the backend to filter the configurations + * using the supplied identities; but it may do so if it increases lookup + * times (e.g. include hosts in SQL query). + * * @param me identity of ourself * @param other identity of remote host * @return enumerator over peer_cfg_t @@ -64,7 +72,7 @@ struct backend_t { identification_t *me, identification_t *other); /** - * Get a peer_cfg identified by it's name, or a name of its child. + * Get a peer_cfg identified by it's name, or a name of its children. * * @param name name of peer/child cfg * @return matching peer_config, or NULL if none found diff --git a/src/charon/config/backend_manager.c b/src/charon/config/backend_manager.c index a9fe974af..3a3a78466 100644 --- a/src/charon/config/backend_manager.c +++ b/src/charon/config/backend_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2007-2009 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: backend_manager.c 4758 2008-12-04 23:16:10Z andreas $ */ #include "backend_manager.h" @@ -68,15 +66,6 @@ typedef struct { } ike_data_t; /** - * data to pass nested peer enumerator - */ -typedef struct { - private_backend_manager_t *this; - identification_t *me; - identification_t *other; -} peer_data_t; - -/** * inner enumerator constructor for IKE cfgs */ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data) @@ -85,59 +74,58 @@ static enumerator_t *ike_enum_create(backend_t *backend, ike_data_t *data) } /** - * inner enumerator constructor for Peer cfgs - */ -static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data) -{ - return backend->create_peer_cfg_enumerator(backend, data->me, data->other); -} -/** - * inner enumerator constructor for all Peer cfgs - */ -static enumerator_t *peer_enum_create_all(backend_t *backend) -{ - return backend->create_peer_cfg_enumerator(backend, NULL, NULL); -} - -/** * get a match of a candidate ike_cfg for two hosts */ -static ike_cfg_match_t get_match(ike_cfg_t *cand, host_t *me, host_t *other) +static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other) { host_t *me_cand, *other_cand; ike_cfg_match_t match = MATCH_NONE; - me_cand = host_create_from_dns(cand->get_my_addr(cand), - me->get_family(me), 0); - if (!me_cand) + if (me) { - return MATCH_NONE; - } - if (me_cand->ip_equals(me_cand, me)) - { - match += MATCH_ME; + me_cand = host_create_from_dns(cand->get_my_addr(cand), + me->get_family(me), 0); + if (!me_cand) + { + return MATCH_NONE; + } + if (me_cand->ip_equals(me_cand, me)) + { + match += MATCH_ME; + } + else if (me_cand->is_anyaddr(me_cand)) + { + match += MATCH_ANY; + } + me_cand->destroy(me_cand); } - else if (me_cand->is_anyaddr(me_cand)) + else { match += MATCH_ANY; } - me_cand->destroy(me_cand); - other_cand = host_create_from_dns(cand->get_other_addr(cand), - other->get_family(other), 0); - if (!other_cand) + if (other) { - return MATCH_NONE; - } - if (other_cand->ip_equals(other_cand, other)) - { - match += MATCH_OTHER; + other_cand = host_create_from_dns(cand->get_other_addr(cand), + other->get_family(other), 0); + if (!other_cand) + { + return MATCH_NONE; + } + if (other_cand->ip_equals(other_cand, other)) + { + match += MATCH_OTHER; + } + else if (other_cand->is_anyaddr(other_cand)) + { + match += MATCH_ANY; + } + other_cand->destroy(other_cand); } - else if (other_cand->is_anyaddr(other_cand)) + else { match += MATCH_ANY; } - other_cand->destroy(other_cand); return match; } @@ -165,7 +153,7 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, (void*)ike_enum_create, data, (void*)free); while (enumerator->enumerate(enumerator, (void**)¤t)) { - match = get_match(current, me, other); + match = get_ike_match(current, me, other); if (match) { @@ -191,87 +179,198 @@ static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this, return found; } +/** + * Get the best ID match in one of the configs auth_cfg + */ +static id_match_t get_peer_match(identification_t *id, + peer_cfg_t *cfg, bool local) +{ + enumerator_t *enumerator; + auth_cfg_t *auth; + identification_t *candidate; + id_match_t match = ID_MATCH_NONE; + + if (!id) + { + return ID_MATCH_ANY; + } + + /* compare first auth config only */ + enumerator = cfg->create_auth_cfg_enumerator(cfg, local); + if (enumerator->enumerate(enumerator, &auth)) + { + candidate = auth->get(auth, AUTH_RULE_IDENTITY); + if (candidate) + { + match = id->matches(id, candidate); + /* match vice-versa, as the proposed IDr might be ANY */ + if (!match) + { + match = candidate->matches(candidate, id); + } + } + else + { + match = ID_MATCH_ANY; + } + } + enumerator->destroy(enumerator); + return match; +} + +/** + * data to pass nested peer enumerator + */ +typedef struct { + rwlock_t *lock; + identification_t *me; + identification_t *other; +} peer_data_t; + +/** + * list element to help sorting + */ +typedef struct { + id_match_t match_peer; + ike_cfg_match_t match_ike; + peer_cfg_t *cfg; +} match_entry_t; + +/** + * inner enumerator constructor for peer cfgs + */ +static enumerator_t *peer_enum_create(backend_t *backend, peer_data_t *data) +{ + return backend->create_peer_cfg_enumerator(backend, data->me, data->other); +} + +/** + * unlock/cleanup peer enumerator + */ +static void peer_enum_destroy(peer_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} -static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this) +/** + * convert enumerator value from match_entry to config + */ +static bool peer_enum_filter(linked_list_t *configs, + match_entry_t **in, peer_cfg_t **out) { - this->lock->read_lock(this->lock); - return enumerator_create_nested( - this->backends->create_enumerator(this->backends), - (void*)peer_enum_create_all, this->lock, - (void*)this->lock->unlock); + *out = (*in)->cfg; + return TRUE; +} + +/** + * Clean up temporary config list + */ +static void peer_enum_filter_destroy(linked_list_t *configs) +{ + match_entry_t *entry; + + while (configs->remove_last(configs, (void**)&entry) == SUCCESS) + { + entry->cfg->destroy(entry->cfg); + free(entry); + } + configs->destroy(configs); } /** - * implements backend_manager_t.get_peer_cfg. + * Insert entry into match-sorted list, using helper + */ +static void insert_sorted(match_entry_t *entry, linked_list_t *list, + linked_list_t *helper) +{ + match_entry_t *current; + + while (list->remove_first(list, (void**)¤t) == SUCCESS) + { + helper->insert_last(helper, current); + } + while (helper->remove_first(helper, (void**)¤t) == SUCCESS) + { + if (entry && ( + (entry->match_ike > current->match_ike && + entry->match_peer >= current->match_peer) || + (entry->match_ike >= current->match_ike && + entry->match_peer > current->match_peer))) + { + list->insert_last(list, entry); + entry = NULL; + } + list->insert_last(list, current); + } + if (entry) + { + list->insert_last(list, entry); + } +} + +/** + * Implements backend_manager_t.create_peer_cfg_enumerator. */ -static peer_cfg_t *get_peer_cfg(private_backend_manager_t *this, host_t *me, - host_t *other, identification_t *my_id, - identification_t *other_id, auth_info_t *auth) +static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, + host_t *me, host_t *other, identification_t *my_id, + identification_t *other_id) { - peer_cfg_t *current, *found = NULL; enumerator_t *enumerator; - id_match_t best_peer = ID_MATCH_NONE; - ike_cfg_match_t best_ike = MATCH_NONE; peer_data_t *data; - - DBG2(DBG_CFG, "looking for a peer config for %H[%D]...%H[%D]", - me, my_id, other, other_id); + peer_cfg_t *cfg; + linked_list_t *configs, *helper; data = malloc_thing(peer_data_t); - data->this = this; + data->lock = this->lock; data->me = my_id; data->other = other_id; + /* create a sorted list with all matches */ this->lock->read_lock(this->lock); enumerator = enumerator_create_nested( - this->backends->create_enumerator(this->backends), - (void*)peer_enum_create, data, (void*)free); - while (enumerator->enumerate(enumerator, ¤t)) + this->backends->create_enumerator(this->backends), + (void*)peer_enum_create, data, (void*)peer_enum_destroy); + + if (!me && !other && !my_id && !other_id) + { /* shortcut if we are doing a "listall" */ + return enumerator; + } + + DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]", + me, my_id, other, other_id); + + configs = linked_list_create(); + /* only once allocated helper list for sorting */ + helper = linked_list_create(); + while (enumerator->enumerate(enumerator, &cfg)) { - identification_t *my_cand, *other_cand; - id_match_t m1, m2, match_peer; + id_match_t match_peer_me, match_peer_other; ike_cfg_match_t match_ike; + match_entry_t *entry; - my_cand = current->get_my_id(current); - other_cand = current->get_other_id(current); - - /* own ID may have wildcards in both, config and request (missing IDr) */ - m1 = my_cand->matches(my_cand, my_id); - if (!m1) - { - m1 = my_id->matches(my_id, my_cand); - } - m2 = other_id->matches(other_id, other_cand); - - match_peer = m1 + m2; - match_ike = get_match(current->get_ike_cfg(current), me, other); + match_peer_me = get_peer_match(my_id, cfg, TRUE); + match_peer_other = get_peer_match(other_id, cfg, FALSE); + match_ike = get_ike_match(cfg->get_ike_cfg(cfg), me, other); - if (m1 && m2 && match_ike && - auth->complies(auth, current->get_auth(current))) + if (match_peer_me && match_peer_other && match_ike) { - DBG2(DBG_CFG, " candidate \"%s\": %D...%D with prio %d.%d", - current->get_name(current), my_cand, other_cand, - match_peer, match_ike); - if ((match_peer > best_peer && match_ike >= best_ike) || - (match_peer >= best_peer && match_ike > best_ike)) - { - DESTROY_IF(found); - found = current; - found->get_ref(found); - best_peer = match_peer; - best_ike = match_ike; - } + DBG2(DBG_CFG, " candidate \"%s\", match: %d/%d/%d (me/other/ike)", + cfg->get_name(cfg), match_peer_me, match_peer_other, match_ike); + + entry = malloc_thing(match_entry_t); + entry->match_peer = match_peer_me + match_peer_other; + entry->match_ike = match_ike; + entry->cfg = cfg->get_ref(cfg); + insert_sorted(entry, configs, helper); } } - if (found) - { - DBG1(DBG_CFG, "found matching peer config \"%s\": %D...%D with prio %d.%d", - found->get_name(found), found->get_my_id(found), - found->get_other_id(found), best_peer, best_ike); - } enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - return found; + helper->destroy(helper); + + return enumerator_create_filter(configs->create_enumerator(configs), + (void*)peer_enum_filter, configs, + (void*)peer_enum_filter_destroy); } /** @@ -332,9 +431,8 @@ backend_manager_t *backend_manager_create() private_backend_manager_t *this = malloc_thing(private_backend_manager_t); this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; - this->public.get_peer_cfg = (peer_cfg_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*,auth_info_t*))get_peer_cfg; this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; - this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*))create_peer_cfg_enumerator; + this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator; this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend; this->public.destroy = (void (*)(backend_manager_t*))destroy; diff --git a/src/charon/config/backend_manager.h b/src/charon/config/backend_manager.h index 657e5af94..0b7d7d0f8 100644 --- a/src/charon/config/backend_manager.h +++ b/src/charon/config/backend_manager.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: backend_manager.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -64,20 +62,6 @@ struct backend_manager_t { host_t *my_host, host_t *other_host); /** - * Get a peer_config identified by two IDs and authorization info. - * - * @param me own address - * @param other peer address - * @param my_id own ID - * @param other_id peer ID - * @param auth_info authorization info - * @return matching peer_config, or NULL if none found - */ - peer_cfg_t* (*get_peer_cfg)(backend_manager_t *this, host_t *me, - host_t *other, identification_t *my_id, - identification_t *other_id, auth_info_t *auth); - - /** * Get a peer_config identified by it's name. * * @param name name of the peer_config @@ -86,12 +70,20 @@ struct backend_manager_t { peer_cfg_t* (*get_peer_cfg_by_name)(backend_manager_t *this, char *name); /** - * Create an enumerator over all peer configs. + * Create an enumerator over all matching peer configs. * - * @return enumerator over peer configs + * Pass NULL as parameters to match any. The enumerator enumerates over + * peer_cfgs, ordered by priority (best match first). + * + * @param me local address + * @param other remote address + * @param my_id IDr in first authentication round + * @param other_id IDi in first authentication round + * @return enumerator over peer_cfg_t */ - enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this); - + enumerator_t* (*create_peer_cfg_enumerator)(backend_manager_t *this, + host_t *me, host_t *other, identification_t *my_id, + identification_t *other_id); /** * Register a backend on the manager. * diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c index 737a38e89..43e41671a 100644 --- a/src/charon/config/child_cfg.c +++ b/src/charon/config/child_cfg.c @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: child_cfg.c 4862 2009-02-11 16:41:37Z andreas $ */ #include "child_cfg.h" diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h index 6e3b0ba00..185fee3da 100644 --- a/src/charon/config/child_cfg.h +++ b/src/charon/config/child_cfg.h @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: child_cfg.h 5003 2009-03-24 17:43:01Z martin $ */ /** diff --git a/src/charon/config/ike_cfg.c b/src/charon/config/ike_cfg.c index 8beccdc29..e80ab577e 100644 --- a/src/charon/config/ike_cfg.c +++ b/src/charon/config/ike_cfg.c @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: ike_cfg.c 4062 2008-06-12 11:42:19Z martin $ */ #include "ike_cfg.h" diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h index c2f1f2867..064906423 100644 --- a/src/charon/config/ike_cfg.h +++ b/src/charon/config/ike_cfg.h @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: ike_cfg.h 5003 2009-03-24 17:43:01Z martin $ */ /** diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index 9cbca040d..da796d6a2 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: peer_cfg.c 4612 2008-11-11 06:37:37Z andreas $ */ #include <string.h> @@ -82,16 +80,6 @@ struct private_peer_cfg_t { mutex_t *mutex; /** - * id to use to identify us - */ - identification_t *my_id; - - /** - * allowed id for other - */ - identification_t *other_id; - - /** * should we send a certificate */ cert_policy_t cert_policy; @@ -147,10 +135,15 @@ struct private_peer_cfg_t { char *pool; /** - * required authorization constraints + * local authentication configs (rulesets) */ - auth_info_t *auth; - + linked_list_t *local_auth; + + /** + * remote authentication configs (constraints) + */ + linked_list_t *remote_auth; + #ifdef ME /** * Is this a mediation connection? @@ -205,13 +198,39 @@ static void add_child_cfg(private_peer_cfg_t *this, child_cfg_t *child_cfg) } /** + * child_cfg enumerator + */ +typedef struct { + enumerator_t public; + enumerator_t *wrapped; + mutex_t *mutex; +} child_cfg_enumerator_t; + +/** * Implementation of peer_cfg_t.remove_child_cfg. */ -static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator) +static void remove_child_cfg(private_peer_cfg_t *this, + child_cfg_enumerator_t *enumerator) +{ + this->child_cfgs->remove_at(this->child_cfgs, enumerator->wrapped); +} + +/** + * Implementation of child_cfg_enumerator_t.destroy + */ +static void child_cfg_enumerator_destroy(child_cfg_enumerator_t *this) { - this->mutex->lock(this->mutex); - this->child_cfgs->remove_at(this->child_cfgs, enumerator); this->mutex->unlock(this->mutex); + this->wrapped->destroy(this->wrapped); + free(this); +} + +/** + * Implementation of child_cfg_enumerator_t.enumerate + */ +static bool child_cfg_enumerate(child_cfg_enumerator_t *this, child_cfg_t **chd) +{ + return this->wrapped->enumerate(this->wrapped, chd); } /** @@ -219,12 +238,15 @@ static void remove_child_cfg(private_peer_cfg_t *this, enumerator_t *enumerator) */ static enumerator_t* create_child_cfg_enumerator(private_peer_cfg_t *this) { - enumerator_t *enumerator; - + child_cfg_enumerator_t *enumerator = malloc_thing(child_cfg_enumerator_t); + + enumerator->public.enumerate = (void*)child_cfg_enumerate; + enumerator->public.destroy = (void*)child_cfg_enumerator_destroy; + enumerator->mutex = this->mutex; + enumerator->wrapped = this->child_cfgs->create_enumerator(this->child_cfgs); + this->mutex->lock(this->mutex); - enumerator = this->child_cfgs->create_enumerator(this->child_cfgs); - return enumerator_create_cleaner(enumerator, - (void*)this->mutex->unlock, this->mutex); + return &enumerator->public; } /** @@ -287,22 +309,6 @@ static child_cfg_t* select_child_cfg(private_peer_cfg_t *this, } /** - * Implementation of peer_cfg_t.get_my_id - */ -static identification_t *get_my_id(private_peer_cfg_t *this) -{ - return this->my_id; -} - -/** - * Implementation of peer_cfg_t.get_other_id - */ -static identification_t *get_other_id(private_peer_cfg_t *this) -{ - return this->other_id; -} - -/** * Implementation of peer_cfg_t.get_cert_policy. */ static cert_policy_t get_cert_policy(private_peer_cfg_t *this) @@ -397,13 +403,34 @@ static char* get_pool(private_peer_cfg_t *this) { return this->pool; } - + +/** + * Implementation of peer_cfg_t.add_auth_cfg + */ +static void add_auth_cfg(private_peer_cfg_t *this, + auth_cfg_t *cfg, bool local) +{ + if (local) + { + this->local_auth->insert_last(this->local_auth, cfg); + } + else + { + this->remote_auth->insert_last(this->remote_auth, cfg); + } +} + /** - * Implementation of peer_cfg_t.get_auth. + * Implementation of peer_cfg_t.create_auth_cfg_enumerator */ -static auth_info_t* get_auth(private_peer_cfg_t *this) +static enumerator_t* create_auth_cfg_enumerator(private_peer_cfg_t *this, + bool local) { - return this->auth; + if (local) + { + return this->local_auth->create_enumerator(this->local_auth); + } + return this->remote_auth->create_enumerator(this->remote_auth); } #ifdef ME @@ -433,6 +460,60 @@ static identification_t* get_peer_id(private_peer_cfg_t *this) #endif /* ME */ /** + * check auth configs for equality + */ +static bool auth_cfg_equal(private_peer_cfg_t *this, private_peer_cfg_t *other) +{ + enumerator_t *e1, *e2; + auth_cfg_t *cfg1, *cfg2; + bool equal = TRUE; + + if (this->local_auth->get_count(this->local_auth) != + other->local_auth->get_count(other->local_auth)) + { + return FALSE; + } + if (this->remote_auth->get_count(this->remote_auth) != + other->remote_auth->get_count(other->remote_auth)) + { + return FALSE; + } + + e1 = this->local_auth->create_enumerator(this->local_auth); + e2 = other->local_auth->create_enumerator(other->local_auth); + while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2)) + { + if (!cfg1->equals(cfg1, cfg2)) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + e2->destroy(e2); + + if (!equal) + { + return FALSE; + } + + e1 = this->remote_auth->create_enumerator(this->remote_auth); + e2 = other->remote_auth->create_enumerator(other->remote_auth); + while (e1->enumerate(e1, &cfg1) && e2->enumerate(e2, &cfg2)) + { + if (!cfg1->equals(cfg1, cfg2)) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + e2->destroy(e2); + + return equal; +} + +/** * Implementation of peer_cfg_t.equals. */ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) @@ -448,8 +529,6 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) return ( this->ike_version == other->ike_version && - this->my_id->equals(this->my_id, other->my_id) && - this->other_id->equals(this->other_id, other->other_id) && this->cert_policy == other->cert_policy && this->unique == other->unique && this->keyingtries == other->keyingtries && @@ -464,7 +543,7 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) && (this->pool == other->pool || (this->pool && other->pool && streq(this->pool, other->pool))) && - this->auth->equals(this->auth, other->auth) + auth_cfg_equal(this, other) #ifdef ME && this->mediation == other->mediation && this->mediated_by == other->mediated_by && @@ -492,11 +571,13 @@ static void destroy(private_peer_cfg_t *this) if (ref_put(&this->refcount)) { this->ike_cfg->destroy(this->ike_cfg); - this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy)); - this->my_id->destroy(this->my_id); - this->other_id->destroy(this->other_id); + this->child_cfgs->destroy_offset(this->child_cfgs, + offsetof(child_cfg_t, destroy)); DESTROY_IF(this->virtual_ip); - this->auth->destroy(this->auth); + this->local_auth->destroy_offset(this->local_auth, + offsetof(auth_cfg_t, destroy)); + this->remote_auth->destroy_offset(this->remote_auth, + offsetof(auth_cfg_t, destroy)); #ifdef ME DESTROY_IF(this->mediated_by); DESTROY_IF(this->peer_id); @@ -512,7 +593,6 @@ static void destroy(private_peer_cfg_t *this) * Described in header-file */ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, - identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, @@ -531,8 +611,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.remove_child_cfg = (void(*)(peer_cfg_t*, enumerator_t*))remove_child_cfg; this->public.create_child_cfg_enumerator = (enumerator_t* (*) (peer_cfg_t *))create_child_cfg_enumerator; this->public.select_child_cfg = (child_cfg_t* (*) (peer_cfg_t *,linked_list_t*,linked_list_t*,host_t*,host_t*))select_child_cfg; - this->public.get_my_id = (identification_t* (*)(peer_cfg_t*))get_my_id; - this->public.get_other_id = (identification_t* (*)(peer_cfg_t *))get_other_id; this->public.get_cert_policy = (cert_policy_t (*) (peer_cfg_t *))get_cert_policy; this->public.get_unique_policy = (unique_policy_t (*) (peer_cfg_t *))get_unique_policy; this->public.get_keyingtries = (u_int32_t (*) (peer_cfg_t *))get_keyingtries; @@ -543,7 +621,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.get_dpd = (u_int32_t (*) (peer_cfg_t *))get_dpd; this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip; this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool; - this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth; + this->public.add_auth_cfg = (void(*)(peer_cfg_t*, auth_cfg_t *cfg, bool local))add_auth_cfg; + this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(peer_cfg_t*, bool local))create_auth_cfg_enumerator; this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals; this->public.get_ref = (peer_cfg_t*(*)(peer_cfg_t *))get_ref; this->public.destroy = (void(*)(peer_cfg_t *))destroy; @@ -559,8 +638,6 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->ike_cfg = ike_cfg; this->child_cfgs = linked_list_create(); this->mutex = mutex_create(MUTEX_DEFAULT); - this->my_id = my_id; - this->other_id = other_id; this->cert_policy = cert_policy; this->unique = unique; this->keyingtries = keyingtries; @@ -580,7 +657,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->dpd = dpd; this->virtual_ip = virtual_ip; this->pool = pool ? strdup(pool) : NULL; - this->auth = auth_info_create(); + this->local_auth = linked_list_create(); + this->remote_auth = linked_list_create(); this->refcount = 1; #ifdef ME this->mediation = mediation; diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index 93bc7d495..3c095eff0 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -1,6 +1,6 @@ /* * Copyright (C) 2007-2008 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: peer_cfg.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -38,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t; #include <config/child_cfg.h> #include <sa/authenticators/authenticator.h> #include <sa/authenticators/eap/eap_method.h> -#include <credentials/auth_info.h> +#include <config/auth_cfg.h> /** * Certificate sending policy. This is also used for certificate @@ -87,27 +85,33 @@ extern enum_name_t *unique_policy_names; * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. * @verbatim - - +-------------------+ +---------------+ - +---------------+ | peer_cfg | +---------------+ | - | ike_cfg | +-------------------+ | child_cfg | | - +---------------+ | - ids | +---------------+ | - | - hosts | 1 1 | - cas | 1 n | - proposals | | - | - proposals |<------| - auth info |-------->| - traffic sel | | - | - ... | | - dpd config | | - ... |-+ - +---------------+ | - ... | +---------------+ - +-------------------+ - ^ - | - +-------------------+ - | auth_info | - +-------------------+ - | auth_items | - +-------------------+ + +-------------------+ +---------------+ + +---------------+ | peer_cfg | +---------------+ | + | ike_cfg | +-------------------+ | child_cfg | | + +---------------+ | - ids | +---------------+ | + | - hosts | 1 1 | - cas | 1 n | - proposals | | + | - proposals |<-----| - auth info |----->| - traffic sel | | + | - ... | | - dpd config | | - ... |-+ + +---------------+ | - ... | +---------------+ + +-------------------+ + | 1 0 | + | | + v n n V + +-------------------+ +-------------------+ + +-------------------+ | +-------------------+ | + | auth_cfg | | | auth_cfg | | + +-------------------+ | +-------------------+ | + | - local rules |-+ | - remote constr. |-+ + +-------------------+ +-------------------+ @endverbatim - * The auth_info_t object associated to the peer_cfg holds additional - * authorization constraints. A peer who wants to use a config needs to fullfil - * the requirements defined in auth_info. + * + * Each peer_cfg has two lists of authentication config attached. Local + * authentication configs define how to authenticate ourself against the remote + * peer. Each config is enforced using the multiple authentication extension + * (RFC4739). + * The remote authentication configs are handled as constraints. The peer has + * to fullfill each of these rules (using multiple authentication, in any order) + * to gain access to the configuration. */ struct peer_cfg_t { @@ -169,25 +173,20 @@ struct peer_cfg_t { host_t *other_host); /** - * Get the authentication constraint items. + * Add an authentication config to the peer configuration. * - * @return auth_info object to manipulate requirements - */ - auth_info_t* (*get_auth)(peer_cfg_t *this); - - /** - * Get own ID. - * - * @return own id + * @param config config to add + * @param local TRUE for local rules, FALSE for remote constraints */ - identification_t* (*get_my_id)(peer_cfg_t *this); + void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local); /** - * Get peers ID. - * - * @return other id + * Create an enumerator over registered authentication configs. + * + * @param local TRUE for local rules, FALSE for remote constraints + * @return enumerator over auth_cfg_t* */ - identification_t* (*get_other_id)(peer_cfg_t *this); + enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local); /** * Should be sent a certificate for this connection? @@ -331,8 +330,6 @@ struct peer_cfg_t { * @param name name of the peer_cfg * @param ike_version which IKE version we sould use for this peer * @param ike_cfg IKE config to use when acting as initiator - * @param my_id identification_t for ourselves - * @param other_id identification_t for the remote guy * @param cert_policy should we send a certificate payload? * @param unique uniqueness of an IKE_SA * @param keyingtries how many keying tries should be done before giving up @@ -350,7 +347,6 @@ struct peer_cfg_t { * @return peer_cfg_t object */ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, - identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, diff --git a/src/charon/config/proposal.c b/src/charon/config/proposal.c index 92ef34b75..e2dfcca4f 100644 --- a/src/charon/config/proposal.c +++ b/src/charon/config/proposal.c @@ -12,8 +12,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: proposal.c 4936 2009-03-12 18:07:32Z tobias $ */ #include <string.h> @@ -24,10 +22,11 @@ #include <utils/linked_list.h> #include <utils/identification.h> #include <utils/lexparser.h> +#include <crypto/transform.h> #include <crypto/prfs/prf.h> #include <crypto/crypters/crypter.h> #include <crypto/signers/signer.h> - +#include <crypto/proposal/proposal_keywords.h> ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP, "PROTO_NONE", @@ -36,16 +35,6 @@ ENUM(protocol_id_names, PROTO_NONE, PROTO_ESP, "ESP", ); -ENUM_BEGIN(transform_type_names, UNDEFINED_TRANSFORM_TYPE, UNDEFINED_TRANSFORM_TYPE, - "UNDEFINED_TRANSFORM_TYPE"); -ENUM_NEXT(transform_type_names, ENCRYPTION_ALGORITHM, EXTENDED_SEQUENCE_NUMBERS, UNDEFINED_TRANSFORM_TYPE, - "ENCRYPTION_ALGORITHM", - "PSEUDO_RANDOM_FUNCTION", - "INTEGRITY_ALGORITHM", - "DIFFIE_HELLMAN_GROUP", - "EXTENDED_SEQUENCE_NUMBERS"); -ENUM_END(transform_type_names, EXTENDED_SEQUENCE_NUMBERS); - ENUM(extended_sequence_numbers_names, NO_EXT_SEQ_NUMBERS, EXT_SEQ_NUMBERS, "NO_EXT_SEQ", "EXT_SEQ", @@ -585,227 +574,57 @@ static void check_proposal(private_proposal_t *this) /** * add a algorithm identified by a string to the proposal. - * TODO: we could use gperf here. */ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) { - if (strncmp(alg.ptr, "null", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_NULL, 0); - } - else if (strncmp(alg.ptr, "aes128", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 128); - } - else if (strncmp(alg.ptr, "aes192", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 192); - } - else if (strncmp(alg.ptr, "aes256", alg.len) == 0) + const proposal_token_t *token = proposal_get_token(alg.ptr, alg.len); + + if (token == NULL) { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_AES_CBC, 256); + return FAILED; } - else if (strstr(alg.ptr, "ccm")) - { - u_int16_t key_size, icv_size; - if (sscanf(alg.ptr, "aes%huccm%hu", &key_size, &icv_size) == 2) - { - if (key_size == 128 || key_size == 192 || key_size == 256) - { - switch (icv_size) - { - case 8: /* octets */ - case 64: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV8, key_size); - break; - case 12: /* octets */ - case 96: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV12, key_size); - break; - case 16: /* octets */ - case 128: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_CCM_ICV16, key_size); - break; - default: - /* invalid ICV size */ - break; - } - } - } - } - else if (strstr(alg.ptr, "gcm")) - { - u_int16_t key_size, icv_size; + add_algorithm(this, token->type, token->algorithm, token->keysize); - if (sscanf(alg.ptr, "aes%hugcm%hu", &key_size, &icv_size) == 2) - { - if (key_size == 128 || key_size == 192 || key_size == 256) - { - switch (icv_size) - { - case 8: /* octets */ - case 64: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV8, key_size); - break; - case 12: /* octets */ - case 96: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV12, key_size); - break; - case 16: /* octets */ - case 128: /* bits */ - add_algorithm(this, ENCRYPTION_ALGORITHM, - ENCR_AES_GCM_ICV16, key_size); - break; - default: - /* invalid ICV size */ - break; - } - } - } - } - else if (strncmp(alg.ptr, "3des", alg.len) == 0) + if (this->protocol == PROTO_IKE && token->type == INTEGRITY_ALGORITHM) { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_3DES, 0); - } - /* blowfish only uses some predefined key sizes yet */ - else if (strncmp(alg.ptr, "blowfish128", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 128); - } - else if (strncmp(alg.ptr, "blowfish192", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 192); - } - else if (strncmp(alg.ptr, "blowfish256", alg.len) == 0) - { - add_algorithm(this, ENCRYPTION_ALGORITHM, ENCR_BLOWFISH, 256); - } - else if (strncmp(alg.ptr, "sha", alg.len) == 0 || - strncmp(alg.ptr, "sha1", alg.len) == 0) - { - /* sha means we use SHA for both, PRF and AUTH */ - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA1_96, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1, 0); - } - } - else if (strncmp(alg.ptr, "sha256", alg.len) == 0 || - strncmp(alg.ptr, "sha2_256", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_256_128, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256, 0); - } - } - else if (strncmp(alg.ptr, "sha384", alg.len) == 0 || - strncmp(alg.ptr, "sha2_384", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_384_192, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384, 0); - } - } - else if (strncmp(alg.ptr, "sha512", alg.len) == 0 || - strncmp(alg.ptr, "sha2_512", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_SHA2_512_256, 0); - if (this->protocol == PROTO_IKE) - { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512, 0); - } - } - else if (strncmp(alg.ptr, "md5", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_HMAC_MD5_96, 0); - if (this->protocol == PROTO_IKE) + pseudo_random_function_t prf; + + switch (token->algorithm) { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5, 0); + case AUTH_HMAC_SHA1_96: + prf = PRF_HMAC_SHA1; + break; + case AUTH_HMAC_SHA2_256_128: + prf = PRF_HMAC_SHA2_256; + break; + case AUTH_HMAC_SHA2_384_192: + prf = PRF_HMAC_SHA2_384; + break; + case AUTH_HMAC_SHA2_512_256: + prf = PRF_HMAC_SHA2_512; + break; + case AUTH_HMAC_MD5_96: + prf = PRF_HMAC_MD5; + break; + case AUTH_AES_XCBC_96: + prf = PRF_AES128_XCBC; + break; + default: + prf = PRF_UNDEFINED; } - } - else if (strncmp(alg.ptr, "aesxcbc", alg.len) == 0) - { - add_algorithm(this, INTEGRITY_ALGORITHM, AUTH_AES_XCBC_96, 0); - if (this->protocol == PROTO_IKE) + if (prf != PRF_UNDEFINED) { - add_algorithm(this, PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC, 0); + add_algorithm(this, PSEUDO_RANDOM_FUNCTION, prf, 0); } } - else if (strncmp(alg.ptr, "modpnull", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_NULL, 0); - } - else if (strncmp(alg.ptr, "modp768", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_768_BIT, 0); - } - else if (strncmp(alg.ptr, "modp1024", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1024_BIT, 0); - } - else if (strncmp(alg.ptr, "modp1536", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_1536_BIT, 0); - } - else if (strncmp(alg.ptr, "modp2048", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_2048_BIT, 0); - } - else if (strncmp(alg.ptr, "modp3072", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_3072_BIT, 0); - } - else if (strncmp(alg.ptr, "modp4096", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_4096_BIT, 0); - } - else if (strncmp(alg.ptr, "modp6144", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_6144_BIT, 0); - } - else if (strncmp(alg.ptr, "modp8192", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, MODP_8192_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp192", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_192_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp224", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_224_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp256", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_256_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp384", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_384_BIT, 0); - } - else if (strncmp(alg.ptr, "ecp521", alg.len) == 0) - { - add_algorithm(this, DIFFIE_HELLMAN_GROUP, ECP_521_BIT, 0); - } - else - { - return FAILED; - } return SUCCESS; } /** * print all algorithms of a kind to buffer */ -static int print_alg(private_proposal_t *this, char **dst, int *len, +static int print_alg(private_proposal_t *this, char **dst, size_t *len, u_int kind, void *names, bool *first) { enumerator_t *enumerator; @@ -826,7 +645,7 @@ static int print_alg(private_proposal_t *this, char **dst, int *len, } if (size) { - written += print_in_hook(*dst, *len, "-%d", size); + written += print_in_hook(*dst, *len, "_%u", size); } } enumerator->destroy(enumerator); diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h index 6096158e6..bc7a8c5e7 100644 --- a/src/charon/config/proposal.h +++ b/src/charon/config/proposal.h @@ -11,8 +11,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: proposal.h 5003 2009-03-24 17:43:01Z martin $ */ /** @@ -24,7 +22,6 @@ #define PROPOSAL_H_ typedef enum protocol_id_t protocol_id_t; -typedef enum transform_type_t transform_type_t; typedef enum extended_sequence_numbers_t extended_sequence_numbers_t; typedef struct proposal_t proposal_t; @@ -32,6 +29,7 @@ typedef struct proposal_t proposal_t; #include <utils/identification.h> #include <utils/linked_list.h> #include <utils/host.h> +#include <crypto/transform.h> #include <crypto/crypters/crypter.h> #include <crypto/signers/signer.h> #include <crypto/diffie_hellman.h> @@ -52,25 +50,6 @@ enum protocol_id_t { */ extern enum_name_t *protocol_id_names; - -/** - * Type of a transform, as in IKEv2 RFC 3.3.2. - */ -enum transform_type_t { - UNDEFINED_TRANSFORM_TYPE = 241, - ENCRYPTION_ALGORITHM = 1, - PSEUDO_RANDOM_FUNCTION = 2, - INTEGRITY_ALGORITHM = 3, - DIFFIE_HELLMAN_GROUP = 4, - EXTENDED_SEQUENCE_NUMBERS = 5 -}; - -/** - * enum names for transform_type_t. - */ -extern enum_name_t *transform_type_names; - - /** * Extended sequence numbers, as in IKEv2 RFC 3.3.2. */ diff --git a/src/charon/config/traffic_selector.c b/src/charon/config/traffic_selector.c index b3bab900d..a8ea10008 100644 --- a/src/charon/config/traffic_selector.c +++ b/src/charon/config/traffic_selector.c @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: traffic_selector.c 4936 2009-03-12 18:07:32Z tobias $ */ #include <arpa/inet.h> diff --git a/src/charon/config/traffic_selector.h b/src/charon/config/traffic_selector.h index 2721f8993..a57da43a8 100644 --- a/src/charon/config/traffic_selector.h +++ b/src/charon/config/traffic_selector.h @@ -13,8 +13,6 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. - * - * $Id: traffic_selector.h 5003 2009-03-24 17:43:01Z martin $ */ /** |