Diffstat (limited to 'src/pluto/connections.h')
-rw-r--r-- | src/pluto/connections.h | 190 |
1 files changed, 92 insertions, 98 deletions
diff --git a/src/pluto/connections.h b/src/pluto/connections.h index 16cbbfd72..ee2e00da6 100644 --- a/src/pluto/connections.h +++ b/src/pluto/connections.h @@ -1,5 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2001 D. Hugh Redelmeier + * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -17,9 +18,11 @@ #include <sys/queue.h> -#include "id.h" +#include <utils/linked_list.h> +#include <utils/identification.h> +#include <credentials/ietf_attributes/ietf_attributes.h> + #include "certs.h" -#include "ac.h" #include "smartcard.h" #include "whack.h" @@ -127,7 +130,7 @@ extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]); struct virtual_t; struct end { - struct id id; + identification_t *id; ip_address host_addr, host_nexthop, @@ -144,13 +147,14 @@ struct end { u_int16_t host_port; /* host order */ u_int16_t port; /* host order */ u_int8_t protocol; - cert_t cert; /* end certificate */ - chunk_t ca; /* CA distinguished name */ - struct ietfAttrList *groups;/* access control groups */ + cert_t *cert; /* end certificate */ + identification_t *ca; /* CA distinguished name */ + ietf_attributes_t *groups; /* access control groups */ smartcard_t *sc; /* smartcard reader and key info */ struct virtual_t *virt; bool modecfg; /* this end: request local address from server */ /* that end: give local addresses to clients */ + char *pool; /* name of an associated virtual IP address pool */ bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */ /* rules if client behind host is a subnet */ bool allow_any; /* IP address is subject to change */ @@ -166,6 +170,8 @@ struct spd_route { uint32_t reqid; }; +typedef struct connection connection_t; + struct connection { char *name; bool ikev1; 
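Review bot: `struct end` now carries `identification_t *id` as a bare pointer, and the following hunk does the same for `cert_t *cert`, `identification_t *ca`, `ietf_attributes_t *groups` and `char *pool`, with no statement of ownership where the replaced `struct id`/`cert_t`/`chunk_t` members were owned by value. From the header alone a reader cannot tell whether these are owned references destroyed together with the end or borrowed from another object, which is exactly what is needed to avoid a leak or a use-after-free when an end is copied, instantiated or freed; the actual policy lives in connections.c and is not visible here. Suggest a short ownership comment on each pointer member, e.g. `identification_t *id; /* owned: destroyed with the end */` or `/* borrowed: not freed here */`, whichever matches the implementation. The `struct end` definition starts and ends outside these hunks.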
@@ -182,10 +188,10 @@ struct connection { time_t dpd_timeout; dpd_action_t dpd_action; - char *log_file_name; /* name of log file */ - FILE *log_file; /* possibly open FILE */ + char *log_file_name; /* name of log file */ + FILE *log_file; /* possibly open FILE */ TAILQ_ENTRY(connection) log_link; /* linked list of open conns */ - bool log_file_err; /* only bitch once */ + bool log_file_err; /* only bitch once */ struct spd_route spd; 
@@ -210,119 +216,110 @@ struct connection { sa_family_t addr_family; /* between gateways */ sa_family_t tunnel_addr_family; /* between clients */ - struct connection *policy_next; /* if multiple policies, + connection_t *policy_next; /* if multiple policies, next one to apply */ - struct gw_info *gw_info; struct alg_info_esp *alg_info_esp; struct alg_info_ike *alg_info_ike; - struct host_pair *host_pair; - struct connection *hp_next; /* host pair list link */ - - struct connection *ac_next; /* all connections list link */ - - generalName_t *requested_ca; /* collected certificate requests */ + connection_t *hp_next; /* host pair list link */ + connection_t *ac_next; /* all connections list link */ + linked_list_t *requested_ca; /* collected certificate requests */ bool got_certrequest; }; #define oriented(c) ((c).interface != NULL) -extern bool orient(struct connection *c); +extern bool orient(connection_t *c); -extern bool same_peer_ids(const struct connection *c - , const struct connection *d, const struct id *his_id); +extern bool same_peer_ids(const connection_t *c, const connection_t *d, + identification_t *his_id); /* Format the topology of a connection end, leaving out defaults. 
* Largest left end looks like: client === host : port [ host_id ] --- hop * Note: if that==NULL, skip nexthop */ #define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10) -extern size_t format_end(char *buf, size_t buf_len - , const struct end *this, const struct end *that - , bool is_left, lset_t policy); +extern size_t format_end(char *buf, size_t buf_len, const struct end *this, + const struct end *that, bool is_left, lset_t policy); extern void add_connection(const whack_message_t *wm); extern void initiate_connection(const char *name, int whackfd); -extern void initiate_opportunistic(const ip_address *our_client - , const ip_address *peer_client, int transport_proto, bool held, int whackfd); +extern void initiate_opportunistic(const ip_address *our_client, + const ip_address *peer_client, + int transport_proto, bool held, int whackfd); extern void terminate_connection(const char *nm); -extern void release_connection(struct connection *c, bool relations); -extern void delete_connection(struct connection *c, bool relations); +extern void release_connection(connection_t *c, bool relations); +extern void delete_connection(connection_t *c, bool relations); extern void delete_connections_by_name(const char *name, bool strict); extern void delete_every_connection(void); -extern char *add_group_instance(struct connection *group, const ip_subnet *target); -extern void remove_group_instance(const struct connection *group, const char *name); +extern char *add_group_instance(connection_t *group, const ip_subnet *target); +extern void remove_group_instance(const connection_t *group, const char *name); extern void release_dead_interfaces(void); extern void check_orientations(void); -extern struct connection *route_owner(struct connection *c - , struct spd_route **srp - , struct connection **erop - , struct spd_route **esrp); -extern struct connection *shunt_owner(const ip_subnet *ours - , const ip_subnet *his); +extern connection_t 
*route_owner(connection_t *c, struct spd_route **srp, + connection_t **erop, struct spd_route **esrp); +extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his); extern bool uniqueIDs; /* --uniqueids? */ -extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial); +extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial); -#define his_id_was_instantiated(c) ((c)->kind == CK_INSTANCE \ - && (id_is_ipaddr(&(c)->spd.that.id)? \ - sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr) : TRUE)) +#define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \ + (id)->get_type(id) == ID_IPV6_ADDR) +extern bool his_id_was_instantiated(const connection_t *c); struct state; /* forward declaration of tag (defined in state.h) */ -extern struct connection - *con_by_name(const char *nm, bool strict), - *find_host_connection(const ip_address *me, u_int16_t my_port - , const ip_address *him, u_int16_t his_port, lset_t policy), - *refine_host_connection(const struct state *st, const struct id *id - , chunk_t peer_ca), - *find_client_connection(struct connection *c - , const ip_subnet *our_net - , const ip_subnet *peer_net - , const u_int8_t our_protocol - , const u_int16_t out_port - , const u_int8_t peer_protocol - , const u_int16_t peer_port), - *find_connection_by_reqid(uint32_t reqid); - -extern struct connection * -find_connection_for_clients(struct spd_route **srp - , const ip_address *our_client - , const ip_address *peer_client - , int transport_proto); - -extern chunk_t get_peer_ca_and_groups(struct connection *c - , const ietfAttrList_t **peer_list); - + +extern connection_t* con_by_name(const char *nm, bool strict); +extern connection_t* find_host_connection(const ip_address *me, + u_int16_t my_port, + const ip_address *him, + u_int16_t his_port, lset_t policy); +extern connection_t* refine_host_connection(const struct state *st, + identification_t *id, + identification_t *peer_ca); +extern connection_t* 
find_client_connection(connection_t *c, + const ip_subnet *our_net, + const ip_subnet *peer_net, + const u_int8_t our_protocol, + const u_int16_t out_port, + const u_int8_t peer_protocol, + const u_int16_t peer_port); +extern connection_t* find_connection_by_reqid(uint32_t reqid); +extern connection_t* find_connection_for_clients(struct spd_route **srp, + const ip_address *our_client, + const ip_address *peer_client, + int transport_proto); +extern void get_peer_ca_and_groups(connection_t *c, + identification_t **peer_ca, + ietf_attributes_t **peer_attributes); + /* instantiating routines * Note: connection_discard() is in state.h because all its work * is looking through state objects. */ struct gw_info; /* forward declaration of tag (defined in dnskey.h) */ struct alg_info; /* forward declaration of tag (defined in alg_info.h) */ -extern struct connection *rw_instantiate(struct connection *c - , const ip_address *him - , u_int16_t his_port - , const ip_subnet *his_net - , const struct id *his_id); - -extern struct connection *oppo_instantiate(struct connection *c - , const ip_address *him - , const struct id *his_id - , struct gw_info *gw - , const ip_address *our_client - , const ip_address *peer_client); - -extern struct connection - *build_outgoing_opportunistic_connection(struct gw_info *gw - , const ip_address *our_client - , const ip_address *peer_client); - -/* worst case: "[" serial "] " myclient "=== ..." 
peer "===" hisclient '\0' */ -#define CONN_INST_BUF \ - (2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1) - -extern void fmt_conn_instance(const struct connection *c - , char buf[CONN_INST_BUF]); +extern connection_t *rw_instantiate(connection_t *c, + const ip_address *him, + u_int16_t his_port, + const ip_subnet *his_net, + identification_t *his_id); + +extern connection_t *oppo_instantiate(connection_t *c, + const ip_address *him, + identification_t *his_id, + struct gw_info *gw, + const ip_address *our_client, + const ip_address *peer_client); + +extern connection_t + *build_outgoing_opportunistic_connection(struct gw_info *gw, + const ip_address *our_client, + const ip_address *peer_client); + +#define CONN_INST_BUF BUF_LEN + +extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]); /* operations on "pending", the structure representing Quick Mode * negotiations delayed until a Keying Channel has been negotiated. @@ -330,12 +327,9 @@ extern void fmt_conn_instance(const struct connection *c struct pending; /* forward declaration (opaque outside connections.c) */ -extern void add_pending(int whack_sock - , struct state *isakmp_sa - , struct connection *c - , lset_t policy - , unsigned long try - , so_serial_t replacing); +extern void add_pending(int whack_sock, struct state *isakmp_sa, + connection_t *c, lset_t policy, unsigned long try, + so_serial_t replacing); extern void release_pending_whacks(struct state *st, err_t story); extern void unpend(struct state *st); @@ -343,7 +337,7 @@ extern void update_pending(struct state *os, struct state *ns); extern void flush_pending_by_state(struct state *st); extern void show_pending_phase2(const struct host_pair *hp, const struct state *st); -extern void connection_discard(struct connection *c); +extern void connection_discard(connection_t *c); /* A template connection's eroute can be eclipsed by * either a %hold or an eroute for an instance iff 
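Review bot: `#define CONN_INST_BUF BUF_LEN` replaces a size derived from the worst-case instance string (`2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1`) with an unrelated constant, and nothing in the hunk shows that `BUF_LEN` is at least that large; if it is smaller, callers passing `char buf[CONN_INST_BUF]` to `fmt_conn_instance()` get either a truncated instance name or, depending on how connections.c writes the buffer, an overflow. Suggest keeping the derivation as a comment and pinning the relationship, e.g. `/* CONN_INST_BUF must hold "[" serial "] " myclient "===" peer "===" hisclient '\0' */`, or documenting why `BUF_LEN` is known to suffice. Separately, the new `id_is_ipaddr(id)` macro evaluates its argument twice, so a call with a side-effecting expression would invoke it twice; a `static inline bool id_is_ipaddr(identification_t *id)` avoids that and is type-checked. The enclosing hunk also drops `const` from `his_id` in `same_peer_ids()` and `refine_host_connection()`; if that is forced by the `identification_t` method table, a one-line comment saying so would stop future readers from re-adding it.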
@@ -351,15 +345,15 @@ extern void connection_discard(struct connection *c); */ #define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client)) extern long eclipse_count; -extern struct connection *eclipsed(struct connection *c, struct spd_route **); +extern connection_t *eclipsed(connection_t *c, struct spd_route **); /* print connection status */ extern void show_connections_status(bool all, const char *name); -extern int connection_compare(const struct connection *ca - , const struct connection *cb); -extern void update_host_pair(const char *why, struct connection *c +extern int connection_compare(const connection_t *ca + , const connection_t *cb); +extern void update_host_pair(const char *why, connection_t *c , const ip_address *myaddr, u_int16_t myport , const ip_address *hisaddr, u_int16_t hisport); |
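Review bot: The new `connection_compare()` and `update_host_pair()` prototypes keep the old leading-comma continuation style (`, const connection_t *cb`) while every other prototype touched by this commit was reflowed to trailing commas with aligned parameters, and the preceding hunk mixes `connection_t* con_by_name` with `connection_t *rw_instantiate`. Since the commit is already reformatting the header, it would be cleaner to finish the job: `extern int connection_compare(const connection_t *ca, const connection_t *cb);` and one spacing convention for the pointer declarator throughout.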