Diffstat (limited to 'src/starter/starterstroke.c')
-rw-r--r--src/starter/starterstroke.c109
1 files changed, 73 insertions, 36 deletions
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index fae895ba0..ffd5d28a6 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -1,5 +1,4 @@
/* Stroke for charon is the counterpart to whack from pluto
- * Copyright (C) 2007 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -13,7 +12,7 @@
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
- * RCSID $Id: starterstroke.c 3394 2007-12-13 17:31:21Z martin $
+ * RCSID $Id: starterstroke.c 4100 2008-06-24 13:36:10Z martin $
*/
#include <sys/types.h>
@@ -32,20 +31,19 @@
#include <defs.h>
#include <log.h>
-#include <stroke.h>
+#include <stroke_msg.h>
#include "starterstroke.h"
#include "confread.h"
#include "files.h"
/**
- * Authentication mehtods, must be the same values as in charon
+ * Authentication methods, must be the same as in charons authenticator.h
*/
enum auth_method_t {
- AUTH_RSA = 1,
- AUTH_PSK = 2,
- AUTH_DSS = 3,
- AUTH_EAP = 201,
+ AUTH_PUBKEY = 1,
+ AUTH_PSK = 2,
+ AUTH_EAP = 3
};
static char* push_string(stroke_msg_t *msg, char *string)
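Review bot: The new `enum auth_method_t` is a hand-maintained copy of charon's values, as its own comment `must be the same as in charons authenticator.h` states, and this hunk shows why that is fragile: AUTH_EAP moves from 201 to 3 and AUTH_RSA/AUTH_DSS disappear, so a starter and a charon built from different revisions would agree on the wire format but disagree on which authenticator the number selects, with no error on either side. Both processes already include stroke_msg.h (the include is switched to it just above), so defining the enum once in that shared header removes the drift entirely. If the copy has to stay, the comment should at least name the file and enum it mirrors verbatim so a grep finds both, e.g. `/* mirror of auth_method_t in src/charon/sa/authenticators/authenticator.h; keep in sync */`.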
@@ -162,32 +160,62 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
msg_end->updown = push_string(msg, conn_end->updown);
ip_address2string(&conn_end->addr, buffer, sizeof(buffer));
msg_end->address = push_string(msg, buffer);
- ip_address2string(&conn_end->subnet.addr, buffer, sizeof(buffer));
- msg_end->subnet = push_string(msg, buffer);
- msg_end->subnet_mask = conn_end->subnet.maskbits;
+ msg_end->subnets = push_string(msg, conn_end->subnet);
msg_end->sendcert = conn_end->sendcert;
msg_end->hostaccess = conn_end->hostaccess;
msg_end->tohost = !conn_end->has_client;
msg_end->protocol = conn_end->protocol;
msg_end->port = conn_end->port;
- msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip;
- ip_address2string(&conn_end->srcip, buffer, sizeof(buffer));
- msg_end->sourceip = push_string(msg, buffer);
+ if (conn_end->srcip)
+ {
+ if (conn_end->srcip[0] == '%')
+ { /* %poolname, strip % */
+ msg_end->sourceip_size = 0;
+ msg_end->sourceip = push_string(msg, conn_end->srcip + 1);
+ }
+ else
+ {
+ char *pos = strchr(conn_end->srcip, '/');
+ if (pos)
+ { /* CIDR subnet definition */
+ snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);
+ msg_end->sourceip = push_string(msg, buffer);
+ msg_end->sourceip_size = atoi(pos + 1);
+ }
+ else
+ { /* a single address */
+ msg_end->sourceip = push_string(msg, conn_end->srcip);
+ if (strchr(conn_end->srcip, ':'))
+ { /* IPv6 */
+ msg_end->sourceip_size = 128;
+ }
+ else
+ { /* IPv4 */
+ msg_end->sourceip_size = 32;
+ }
+ }
+ }
+ }
+ else if (conn_end->modecfg)
+ {
+ msg_end->sourceip_size = 1;
+ }
}
-int starter_stroke_add_conn(starter_conn_t *conn)
+int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
stroke_msg_t msg;
+ memset(&msg, 0, sizeof(msg));
msg.type = STR_ADD_CONN;
msg.length = offsetof(stroke_msg_t, buffer);
msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2;
msg.add_conn.name = push_string(&msg, connection_name(conn));
- /* RSA is preferred before PSK and EAP */
- if (conn->policy & POLICY_RSASIG)
+ /* PUBKEY is preferred to PSK and EAP */
+ if (conn->policy & POLICY_RSASIG || conn->policy & POLICY_ECDSASIG)
{
- msg.add_conn.auth_method = AUTH_RSA;
+ msg.add_conn.auth_method = AUTH_PUBKEY;
}
else if (conn->policy & POLICY_PSK)
{
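Review bot: The CIDR branch calls `snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip);`, using the offset of the '/' as the size argument instead of `sizeof(buffer)`, so a sourceip prefix longer than `buffer` (declared before this hunk) overruns the stack array; the earlier calls in the same function bound by `sizeof(buffer)`. Bounding by both the buffer and the prefix takes one line: `snprintf(buffer, sizeof(buffer), "%.*s", (int)(pos - conn_end->srcip), conn_end->srcip);`. The prefix length from `atoi(pos + 1)` is stored into sourceip_size unchecked, so a malformed ipsec.conf value such as an empty or non-numeric suffix silently becomes 0 and a large one is passed on to charon; parsing with strtol and rejecting anything outside 0..32 (IPv4) or 0..128 (IPv6) would surface the configuration error in starter instead. starter_stroke_add_end starts before this hunk and starter_stroke_add_conn continues past it.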
@@ -213,15 +241,7 @@ int starter_stroke_add_conn(starter_conn_t *conn)
msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */
}
- if (conn->policy & POLICY_DONT_REKEY)
- {
- msg.add_conn.rekey.ipsec_lifetime = 0;
- msg.add_conn.rekey.ike_lifetime = 0;
- msg.add_conn.rekey.margin = 0;
- msg.add_conn.rekey.tries = 0;
- msg.add_conn.rekey.fuzz = 0;
- }
- else
+ if (!(conn->policy & POLICY_DONT_REKEY))
{
msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY;
msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
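Review bot: With the explicit zeroing branch removed, `if (!(conn->policy & POLICY_DONT_REKEY))` now leaves every rekey field at whatever value msg held on entry, which is only correct because of the `memset(&msg, 0, sizeof(msg))` this commit adds at the top of starter_stroke_add_conn in another hunk; nothing in this hunk shows that dependency. A one-line comment on the `if` protects the memset from a future "cleanup" and documents that zero is the value the removed branch used to set deliberately: `/* POLICY_DONT_REKEY: rekey fields stay at the zero values from the memset above */`. The enclosing function continues outside this hunk.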
@@ -232,13 +252,16 @@ int starter_stroke_add_conn(starter_conn_t *conn)
}
msg.add_conn.mobike = conn->policy & POLICY_MOBIKE;
msg.add_conn.force_encap = conn->policy & POLICY_FORCE_ENCAP;
+ msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;
+ msg.add_conn.crl_policy = cfg->setup.strictcrlpolicy;
+ msg.add_conn.unique = cfg->setup.uniqueids;
msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
msg.add_conn.dpd.delay = conn->dpd_delay;
msg.add_conn.dpd.action = conn->dpd_action;
- msg.add_conn.p2p.mediation = conn->p2p_mediation;
- msg.add_conn.p2p.mediated_by = push_string(&msg, conn->p2p_mediated_by);
- msg.add_conn.p2p.peerid = push_string(&msg, conn->p2p_peerid);
+ msg.add_conn.ikeme.mediation = conn->me_mediation;
+ msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
+ msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
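Review bot: `msg.add_conn.ipcomp = conn->policy & POLICY_COMPRESS;` stores the raw masked bit rather than a boolean; it mirrors the mobike and force_encap lines above it, but the field's type lives in stroke_msg.h and is not visible here, so if it is narrower than the policy word a high-order flag bit would truncate to 0 without a warning. Normalising the way the rekey.reauth line in the previous hunk already does, `msg.add_conn.ipcomp = (conn->policy & POLICY_COMPRESS) != LEMPTY;`, makes the value independent of the field width. The new `cfg->setup.strictcrlpolicy` and `cfg->setup.uniqueids` reads also introduce a hard requirement that the added `cfg` parameter is non-NULL; that contract belongs in the function's header comment, which is outside this hunk.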
@@ -282,12 +305,13 @@ int starter_stroke_add_ca(starter_ca_t *ca)
msg.type = STR_ADD_CA;
msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_ca.name = push_string(&msg, ca->name);
- msg.add_ca.cacert = push_string(&msg, ca->cacert);
- msg.add_ca.crluri = push_string(&msg, ca->crluri);
- msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
- msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
- msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
+ msg.add_ca.name = push_string(&msg, ca->name);
+ msg.add_ca.cacert = push_string(&msg, ca->cacert);
+ msg.add_ca.crluri = push_string(&msg, ca->crluri);
+ msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
+ msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
+ msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
+ msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
return send_stroke_msg(&msg);
}
@@ -301,4 +325,17 @@ int starter_stroke_del_ca(starter_ca_t *ca)
return send_stroke_msg(&msg);
}
+int starter_stroke_configure(starter_config_t *cfg)
+{
+ stroke_msg_t msg;
+
+ if (cfg->setup.cachecrls)
+ {
+ msg.type = STR_CONFIG;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.config.cachecrl = 1;
+ return send_stroke_msg(&msg);
+ }
+ return 0;
+}
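Review bot: `stroke_msg_t msg;` in starter_stroke_configure is never cleared, unlike the `memset(&msg, 0, sizeof(msg))` this same commit adds to starter_stroke_add_conn; only type, length and config.cachecrl are assigned, so the remaining bytes up to msg.length — the other members of the message union — hold whatever the stack contained. If send_stroke_msg writes msg.length bytes to the charon socket (its body is not in this diff), that is uninitialized stack memory leaving the process, and charon's handling of the config message would depend on garbage for any field this function does not set. Adding `memset(&msg, 0, sizeof(msg));` right after the declaration fixes both and keeps the two message builders consistent.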