summaryrefslogtreecommitdiff
path: root/src/libcharon/plugins/stroke/stroke_socket.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/plugins/stroke/stroke_socket.c')
-rw-r--r--src/libcharon/plugins/stroke/stroke_socket.c671
1 files changed, 671 insertions, 0 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c
new file mode 100644
index 000000000..56c18da38
--- /dev/null
+++ b/src/libcharon/plugins/stroke/stroke_socket.c
@@ -0,0 +1,671 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "stroke_socket.h"
+
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+
+#include <processing/jobs/callback_job.h>
+#include <hydra.h>
+#include <daemon.h>
+#include <threading/thread.h>
+
+#include "stroke_config.h"
+#include "stroke_control.h"
+#include "stroke_cred.h"
+#include "stroke_ca.h"
+#include "stroke_attribute.h"
+#include "stroke_list.h"
+
+typedef struct stroke_job_context_t stroke_job_context_t;
+typedef struct private_stroke_socket_t private_stroke_socket_t;
+
+/**
+ * private data of stroke_socket
+ */
+struct private_stroke_socket_t {
+
+ /**
+ * public functions
+ */
+ stroke_socket_t public;
+
+ /**
+ * Unix socket to listen for strokes
+ */
+ int socket;
+
+ /**
+ * job accepting stroke messages
+ */
+ callback_job_t *job;
+
+ /**
+ * configuration backend
+ */
+ stroke_config_t *config;
+
+ /**
+ * attribute provider
+ */
+ stroke_attribute_t *attribute;
+
+ /**
+ * controller to control daemon
+ */
+ stroke_control_t *control;
+
+ /**
+ * credential set
+ */
+ stroke_cred_t *cred;
+
+ /**
+ * CA sections
+ */
+ stroke_ca_t *ca;
+
+ /**
+ * Status information logging
+ */
+ stroke_list_t *list;
+};
+
+/**
+ * job context to pass to processing thread
+ */
+struct stroke_job_context_t {
+
+ /**
+ * file descriptor to read from
+ */
+ int fd;
+
+ /**
+ * global stroke interface
+ */
+ private_stroke_socket_t *this;
+};
+
+/**
+ * Helper function which corrects the string pointers
+ * in a stroke_msg_t. Strings in a stroke_msg sent over "wire"
+ * contains RELATIVE addresses (relative to the beginning of the
+ * stroke_msg). They must be corrected if they reach our address
+ * space...
+ */
+static void pop_string(stroke_msg_t *msg, char **string)
+{
+ if (*string == NULL)
+ {
+ return;
+ }
+
+ /* check for sanity of string pointer and string */
+ if (string < (char**)msg ||
+ string > (char**)msg + sizeof(stroke_msg_t) ||
+ (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) ||
+ (unsigned long)*string > msg->length)
+ {
+ *string = "(invalid pointer in stroke msg)";
+ }
+ else
+ {
+ *string = (char*)msg + (unsigned long)*string;
+ }
+}
+
+/**
+ * Pop the strings of a stroke_end_t struct and log them for debugging purposes
+ */
+static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end)
+{
+ pop_string(msg, &end->address);
+ pop_string(msg, &end->subnets);
+ pop_string(msg, &end->sourceip);
+ pop_string(msg, &end->auth);
+ pop_string(msg, &end->auth2);
+ pop_string(msg, &end->id);
+ pop_string(msg, &end->id2);
+ pop_string(msg, &end->cert);
+ pop_string(msg, &end->cert2);
+ pop_string(msg, &end->ca);
+ pop_string(msg, &end->ca2);
+ pop_string(msg, &end->groups);
+ pop_string(msg, &end->updown);
+
+ DBG2(DBG_CFG, " %s=%s", label, end->address);
+ DBG2(DBG_CFG, " %ssubnet=%s", label, end->subnets);
+ DBG2(DBG_CFG, " %ssourceip=%s", label, end->sourceip);
+ DBG2(DBG_CFG, " %sauth=%s", label, end->auth);
+ DBG2(DBG_CFG, " %sauth2=%s", label, end->auth2);
+ DBG2(DBG_CFG, " %sid=%s", label, end->id);
+ DBG2(DBG_CFG, " %sid2=%s", label, end->id2);
+ DBG2(DBG_CFG, " %scert=%s", label, end->cert);
+ DBG2(DBG_CFG, " %scert2=%s", label, end->cert2);
+ DBG2(DBG_CFG, " %sca=%s", label, end->ca);
+ DBG2(DBG_CFG, " %sca2=%s", label, end->ca2);
+ DBG2(DBG_CFG, " %sgroups=%s", label, end->groups);
+ DBG2(DBG_CFG, " %supdown=%s", label, end->updown);
+}
+
+/**
+ * Add a connection to the configuration list
+ */
+static void stroke_add_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
+{
+ pop_string(msg, &msg->add_conn.name);
+ DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name);
+
+ DBG2(DBG_CFG, "conn %s", msg->add_conn.name);
+ pop_end(msg, "left", &msg->add_conn.me);
+ pop_end(msg, "right", &msg->add_conn.other);
+ pop_string(msg, &msg->add_conn.eap_identity);
+ pop_string(msg, &msg->add_conn.algorithms.ike);
+ pop_string(msg, &msg->add_conn.algorithms.esp);
+ pop_string(msg, &msg->add_conn.ikeme.mediated_by);
+ pop_string(msg, &msg->add_conn.ikeme.peerid);
+ DBG2(DBG_CFG, " eap_identity=%s", msg->add_conn.eap_identity);
+ DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike);
+ DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp);
+ DBG2(DBG_CFG, " mediation=%s", msg->add_conn.ikeme.mediation ? "yes" : "no");
+ DBG2(DBG_CFG, " mediated_by=%s", msg->add_conn.ikeme.mediated_by);
+ DBG2(DBG_CFG, " me_peerid=%s", msg->add_conn.ikeme.peerid);
+
+ this->config->add(this->config, msg);
+ this->attribute->add_pool(this->attribute, msg);
+}
+
+/**
+ * Delete a connection from the list
+ */
+static void stroke_del_conn(private_stroke_socket_t *this, stroke_msg_t *msg)
+{
+ pop_string(msg, &msg->del_conn.name);
+ DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name);
+
+ this->config->del(this->config, msg);
+ this->attribute->del_pool(this->attribute, msg);
+}
+
+/**
+ * initiate a connection by name
+ */
+static void stroke_initiate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->initiate.name);
+ DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name);
+
+ this->control->initiate(this->control, msg, out);
+}
+
+/**
+ * terminate a connection by name
+ */
+static void stroke_terminate(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->terminate.name);
+ DBG1(DBG_CFG, "received stroke: terminate '%s'", msg->terminate.name);
+
+ this->control->terminate(this->control, msg, out);
+}
+
+/**
+ * terminate a connection by peers virtual IP
+ */
+static void stroke_terminate_srcip(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->terminate_srcip.start);
+ pop_string(msg, &msg->terminate_srcip.end);
+ DBG1(DBG_CFG, "received stroke: terminate-srcip %s-%s",
+ msg->terminate_srcip.start, msg->terminate_srcip.end);
+
+ this->control->terminate_srcip(this->control, msg, out);
+}
+
+/**
+ * route a policy (install SPD entries)
+ */
+static void stroke_route(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->route.name);
+ DBG1(DBG_CFG, "received stroke: route '%s'", msg->route.name);
+
+ this->control->route(this->control, msg, out);
+}
+
+/**
+ * unroute a policy
+ */
+static void stroke_unroute(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->terminate.name);
+ DBG1(DBG_CFG, "received stroke: unroute '%s'", msg->route.name);
+
+ this->control->unroute(this->control, msg, out);
+}
+
+/**
+ * Add a ca information record to the cainfo list
+ */
+static void stroke_add_ca(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->add_ca.name);
+ DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name);
+
+ pop_string(msg, &msg->add_ca.cacert);
+ pop_string(msg, &msg->add_ca.crluri);
+ pop_string(msg, &msg->add_ca.crluri2);
+ pop_string(msg, &msg->add_ca.ocspuri);
+ pop_string(msg, &msg->add_ca.ocspuri2);
+ pop_string(msg, &msg->add_ca.certuribase);
+ DBG2(DBG_CFG, "ca %s", msg->add_ca.name);
+ DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert);
+ DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri);
+ DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2);
+ DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri);
+ DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2);
+ DBG2(DBG_CFG, " certuribase=%s", msg->add_ca.certuribase);
+
+ this->ca->add(this->ca, msg);
+}
+
+/**
+ * Delete a ca information record from the cainfo list
+ */
+static void stroke_del_ca(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->del_ca.name);
+ DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name);
+
+ this->ca->del(this->ca, msg);
+}
+
+
+/**
+ * show status of daemon
+ */
+static void stroke_status(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out, bool all)
+{
+ pop_string(msg, &(msg->status.name));
+
+ this->list->status(this->list, msg, out, all);
+}
+
+/**
+ * list various information
+ */
+static void stroke_list(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out)
+{
+ if (msg->list.flags & LIST_CAINFOS)
+ {
+ this->ca->list(this->ca, msg, out);
+ }
+ this->list->list(this->list, msg, out);
+}
+
+/**
+ * reread various information
+ */
+static void stroke_reread(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ this->cred->reread(this->cred, msg, out);
+}
+
+/**
+ * purge various information
+ */
+static void stroke_purge(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ if (msg->purge.flags & PURGE_OCSP)
+ {
+ charon->credentials->flush_cache(charon->credentials,
+ CERT_X509_OCSP_RESPONSE);
+ }
+ if (msg->purge.flags & PURGE_IKE)
+ {
+ this->control->purge_ike(this->control, msg, out);
+ }
+}
+
+/**
+ * list pool leases
+ */
+static void stroke_leases(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ pop_string(msg, &msg->leases.pool);
+ pop_string(msg, &msg->leases.address);
+
+ this->list->leases(this->list, msg, out);
+}
+
+debug_t get_group_from_name(char *type)
+{
+ if (strcaseeq(type, "any")) return DBG_ANY;
+ else if (strcaseeq(type, "mgr")) return DBG_MGR;
+ else if (strcaseeq(type, "ike")) return DBG_IKE;
+ else if (strcaseeq(type, "chd")) return DBG_CHD;
+ else if (strcaseeq(type, "job")) return DBG_JOB;
+ else if (strcaseeq(type, "cfg")) return DBG_CFG;
+ else if (strcaseeq(type, "knl")) return DBG_KNL;
+ else if (strcaseeq(type, "net")) return DBG_NET;
+ else if (strcaseeq(type, "enc")) return DBG_ENC;
+ else if (strcaseeq(type, "lib")) return DBG_LIB;
+ else return -1;
+}
+
+/**
+ * set the verbosity debug output
+ */
+static void stroke_loglevel(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ enumerator_t *enumerator;
+ sys_logger_t *sys_logger;
+ file_logger_t *file_logger;
+ debug_t group;
+
+ pop_string(msg, &(msg->loglevel.type));
+ DBG1(DBG_CFG, "received stroke: loglevel %d for %s",
+ msg->loglevel.level, msg->loglevel.type);
+
+ group = get_group_from_name(msg->loglevel.type);
+ if (group < 0)
+ {
+ fprintf(out, "invalid type (%s)!\n", msg->loglevel.type);
+ return;
+ }
+ /* we set the loglevel on ALL sys- and file-loggers */
+ enumerator = charon->sys_loggers->create_enumerator(charon->sys_loggers);
+ while (enumerator->enumerate(enumerator, &sys_logger))
+ {
+ sys_logger->set_level(sys_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
+ enumerator = charon->file_loggers->create_enumerator(charon->file_loggers);
+ while (enumerator->enumerate(enumerator, &file_logger))
+ {
+ file_logger->set_level(file_logger, group, msg->loglevel.level);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * set various config options
+ */
+static void stroke_config(private_stroke_socket_t *this,
+ stroke_msg_t *msg, FILE *out)
+{
+ this->cred->cachecrl(this->cred, msg->config.cachecrl);
+}
+
+/**
+ * destroy a job context
+ */
+static void stroke_job_context_destroy(stroke_job_context_t *this)
+{
+ if (this->fd)
+ {
+ close(this->fd);
+ }
+ free(this);
+}
+
+/**
+ * process a stroke request from the socket pointed by "fd"
+ */
+static job_requeue_t process(stroke_job_context_t *ctx)
+{
+ stroke_msg_t *msg;
+ u_int16_t msg_length;
+ ssize_t bytes_read;
+ FILE *out;
+ private_stroke_socket_t *this = ctx->this;
+ int strokefd = ctx->fd;
+
+ /* peek the length */
+ bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK);
+ if (bytes_read != sizeof(msg_length))
+ {
+ DBG1(DBG_CFG, "reading length of stroke message failed: %s",
+ strerror(errno));
+ return JOB_REQUEUE_NONE;
+ }
+
+ /* read message */
+ msg = alloca(msg_length);
+ bytes_read = recv(strokefd, msg, msg_length, 0);
+ if (bytes_read != msg_length)
+ {
+ DBG1(DBG_CFG, "reading stroke message failed: %s", strerror(errno));
+ return JOB_REQUEUE_NONE;
+ }
+
+ out = fdopen(strokefd, "w+");
+ if (out == NULL)
+ {
+ DBG1(DBG_CFG, "opening stroke output channel failed: %s", strerror(errno));
+ return JOB_REQUEUE_NONE;
+ }
+
+ DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length);
+
+ switch (msg->type)
+ {
+ case STR_INITIATE:
+ stroke_initiate(this, msg, out);
+ break;
+ case STR_ROUTE:
+ stroke_route(this, msg, out);
+ break;
+ case STR_UNROUTE:
+ stroke_unroute(this, msg, out);
+ break;
+ case STR_TERMINATE:
+ stroke_terminate(this, msg, out);
+ break;
+ case STR_TERMINATE_SRCIP:
+ stroke_terminate_srcip(this, msg, out);
+ break;
+ case STR_STATUS:
+ stroke_status(this, msg, out, FALSE);
+ break;
+ case STR_STATUS_ALL:
+ stroke_status(this, msg, out, TRUE);
+ break;
+ case STR_ADD_CONN:
+ stroke_add_conn(this, msg);
+ break;
+ case STR_DEL_CONN:
+ stroke_del_conn(this, msg);
+ break;
+ case STR_ADD_CA:
+ stroke_add_ca(this, msg, out);
+ break;
+ case STR_DEL_CA:
+ stroke_del_ca(this, msg, out);
+ break;
+ case STR_LOGLEVEL:
+ stroke_loglevel(this, msg, out);
+ break;
+ case STR_CONFIG:
+ stroke_config(this, msg, out);
+ break;
+ case STR_LIST:
+ stroke_list(this, msg, out);
+ break;
+ case STR_REREAD:
+ stroke_reread(this, msg, out);
+ break;
+ case STR_PURGE:
+ stroke_purge(this, msg, out);
+ break;
+ case STR_LEASES:
+ stroke_leases(this, msg, out);
+ break;
+ default:
+ DBG1(DBG_CFG, "received unknown stroke");
+ break;
+ }
+ fclose(out);
+ /* fclose() closes underlying FD */
+ ctx->fd = 0;
+ return JOB_REQUEUE_NONE;
+}
+
+/**
+ * Implementation of private_stroke_socket_t.stroke_receive.
+ */
+static job_requeue_t receive(private_stroke_socket_t *this)
+{
+ struct sockaddr_un strokeaddr;
+ int strokeaddrlen = sizeof(strokeaddr);
+ int strokefd;
+ bool oldstate;
+ callback_job_t *job;
+ stroke_job_context_t *ctx;
+
+ oldstate = thread_cancelability(TRUE);
+ strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen);
+ thread_cancelability(oldstate);
+
+ if (strokefd < 0)
+ {
+ DBG1(DBG_CFG, "accepting stroke connection failed: %s", strerror(errno));
+ return JOB_REQUEUE_FAIR;
+ }
+
+ ctx = malloc_thing(stroke_job_context_t);
+ ctx->fd = strokefd;
+ ctx->this = this;
+ job = callback_job_create((callback_job_cb_t)process,
+ ctx, (void*)stroke_job_context_destroy, this->job);
+ charon->processor->queue_job(charon->processor, (job_t*)job);
+
+ return JOB_REQUEUE_FAIR;
+}
+
+
+/**
+ * initialize and open stroke socket
+ */
+static bool open_socket(private_stroke_socket_t *this)
+{
+ struct sockaddr_un socket_addr;
+ mode_t old;
+
+ socket_addr.sun_family = AF_UNIX;
+ strcpy(socket_addr.sun_path, STROKE_SOCKET);
+
+ /* set up unix socket */
+ this->socket = socket(AF_UNIX, SOCK_STREAM, 0);
+ if (this->socket == -1)
+ {
+ DBG1(DBG_CFG, "could not create stroke socket");
+ return FALSE;
+ }
+
+ unlink(socket_addr.sun_path);
+ old = umask(~(S_IRWXU | S_IRWXG));
+ if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0)
+ {
+ DBG1(DBG_CFG, "could not bind stroke socket: %s", strerror(errno));
+ close(this->socket);
+ return FALSE;
+ }
+ umask(old);
+ if (chown(socket_addr.sun_path, charon->uid, charon->gid) != 0)
+ {
+ DBG1(DBG_CFG, "changing stroke socket permissions failed: %s",
+ strerror(errno));
+ }
+
+ if (listen(this->socket, 10) < 0)
+ {
+ DBG1(DBG_CFG, "could not listen on stroke socket: %s", strerror(errno));
+ close(this->socket);
+ unlink(socket_addr.sun_path);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Implementation of stroke_socket_t.destroy
+ */
+static void destroy(private_stroke_socket_t *this)
+{
+ this->job->cancel(this->job);
+ charon->credentials->remove_set(charon->credentials, &this->ca->set);
+ charon->credentials->remove_set(charon->credentials, &this->cred->set);
+ charon->backends->remove_backend(charon->backends, &this->config->backend);
+ hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider);
+ this->cred->destroy(this->cred);
+ this->ca->destroy(this->ca);
+ this->config->destroy(this->config);
+ this->attribute->destroy(this->attribute);
+ this->control->destroy(this->control);
+ this->list->destroy(this->list);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+stroke_socket_t *stroke_socket_create()
+{
+ private_stroke_socket_t *this = malloc_thing(private_stroke_socket_t);
+
+ this->public.destroy = (void(*)(stroke_socket_t*))destroy;
+
+ if (!open_socket(this))
+ {
+ free(this);
+ return NULL;
+ }
+
+ this->cred = stroke_cred_create();
+ this->attribute = stroke_attribute_create();
+ this->ca = stroke_ca_create(this->cred);
+ this->config = stroke_config_create(this->ca, this->cred);
+ this->control = stroke_control_create();
+ this->list = stroke_list_create(this->attribute);
+
+ charon->credentials->add_set(charon->credentials, &this->ca->set);
+ charon->credentials->add_set(charon->credentials, &this->cred->set);
+ charon->backends->add_backend(charon->backends, &this->config->backend);
+ hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider);
+
+ this->job = callback_job_create((callback_job_cb_t)receive,
+ this, NULL, NULL);
+ charon->processor->queue_job(charon->processor, (job_t*)this->job);
+
+ return &this->public;
+}
+