summaryrefslogtreecommitdiff
path: root/src/starter/starterstroke.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/starter/starterstroke.c')
-rw-r--r--src/starter/starterstroke.c308
1 files changed, 164 insertions, 144 deletions
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c
index 6e1f1605d..79a92cdad 100644
--- a/src/starter/starterstroke.c
+++ b/src/starter/starterstroke.c
@@ -1,4 +1,5 @@
/*
+ * Copyright (C) 2007-2015 Tobias Brunner
* Copyright (C) 2006 Martin Willi
* Hochschule fuer Technik Rapperswil
*
@@ -31,37 +32,57 @@
#define IPV4_LEN 4
#define IPV6_LEN 16
-static char* push_string(stroke_msg_t *msg, char *string)
+static stroke_msg_t *create_stroke_msg(int type)
{
- unsigned long string_start = msg->length;
+ stroke_msg_t *msg;
- if (string == NULL)
+ INIT(msg,
+ .type = type,
+ .length = offsetof(stroke_msg_t, buffer),
+ );
+ return msg;
+}
+
+#define push_string(msg, field, str) \
+ push_string_impl(msg, offsetof(stroke_msg_t, field), str)
+#define push_string_end(msg, offset, field, str) \
+ push_string_impl(msg, offset + offsetof(stroke_end_t, field), str)
+
+static void push_string_impl(stroke_msg_t **msg, size_t offset, char *string)
+{
+ size_t cur_len = (*msg)->length, str_len;
+
+ if (!string)
{
- return NULL;
+ return;
}
- else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t))
+ str_len = strlen(string) + 1;
+ if (cur_len + str_len >= UINT16_MAX)
{
- /* set invalid length to fail during message send */
- msg->length = ~0;
- return NULL;
+ (*msg)->length = UINT16_MAX;
+ return;
}
- else
+ while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen)
{
- msg->length += strlen(string) + 1;
- strcpy((char*)msg + string_start, string);
- return (char*)string_start;
+ *msg = realloc(*msg, sizeof(stroke_msg_t) + (*msg)->buflen +
+ STROKE_BUF_LEN_INC);
+ (*msg)->buflen += STROKE_BUF_LEN_INC;
}
+ (*msg)->length += str_len;
+ strcpy((char*)*msg + cur_len, string);
+ *(char**)((char*)*msg + offset) = (char*)cur_len;
}
-static int send_stroke_msg (stroke_msg_t *msg)
+static int send_stroke_msg(stroke_msg_t *msg)
{
stream_t *stream;
char *uri, buffer[64];
int count;
- if (msg->length > sizeof(stroke_msg_t))
+ if (msg->length == UINT16_MAX)
{
- DBG1(DBG_APP, "stroke message exceeds buffer size");
+ DBG1(DBG_APP, "stroke message exceeds maximum buffer size");
+ free(msg);
return -1;
}
@@ -74,6 +95,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
if (!stream)
{
DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri);
+ free(msg);
return -1;
}
@@ -81,6 +103,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
{
DBG1(DBG_APP, "sending stroke message failed");
stream->destroy(stream);
+ free(msg);
return -1;
}
while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0)
@@ -93,6 +116,7 @@ static int send_stroke_msg (stroke_msg_t *msg)
DBG1(DBG_APP, "reading stroke response failed");
}
stream->destroy(stream);
+ free(msg);
return 0;
}
@@ -109,33 +133,38 @@ static char* connection_name(starter_conn_t *conn)
return conn->name;
}
-static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end)
+static void add_end(stroke_msg_t **msg, size_t offset, starter_end_t *conn_end)
{
- msg_end->auth = push_string(msg, conn_end->auth);
- msg_end->auth2 = push_string(msg, conn_end->auth2);
- msg_end->id = push_string(msg, conn_end->id);
- msg_end->id2 = push_string(msg, conn_end->id2);
- msg_end->rsakey = push_string(msg, conn_end->rsakey);
- msg_end->cert = push_string(msg, conn_end->cert);
- msg_end->cert2 = push_string(msg, conn_end->cert2);
- msg_end->cert_policy = push_string(msg, conn_end->cert_policy);
- msg_end->ca = push_string(msg, conn_end->ca);
- msg_end->ca2 = push_string(msg, conn_end->ca2);
- msg_end->groups = push_string(msg, conn_end->groups);
- msg_end->groups2 = push_string(msg, conn_end->groups2);
- msg_end->updown = push_string(msg, conn_end->updown);
+ stroke_end_t *msg_end;
+
+ push_string_end(msg, offset, auth, conn_end->auth);
+ push_string_end(msg, offset, auth2, conn_end->auth2);
+ push_string_end(msg, offset, id, conn_end->id);
+ push_string_end(msg, offset, id2, conn_end->id2);
+ push_string_end(msg, offset, rsakey, conn_end->rsakey);
+ push_string_end(msg, offset, cert, conn_end->cert);
+ push_string_end(msg, offset, cert2, conn_end->cert2);
+ push_string_end(msg, offset, cert_policy, conn_end->cert_policy);
+ push_string_end(msg, offset, ca, conn_end->ca);
+ push_string_end(msg, offset, ca2, conn_end->ca2);
+ push_string_end(msg, offset, groups, conn_end->groups);
+ push_string_end(msg, offset, groups2, conn_end->groups2);
+ push_string_end(msg, offset, updown, conn_end->updown);
if (conn_end->host)
{
- msg_end->address = push_string(msg, conn_end->host);
+ push_string_end(msg, offset, address, conn_end->host);
}
else
{
- msg_end->address = push_string(msg, "%any");
+ push_string_end(msg, offset, address, "%any");
}
+ push_string_end(msg, offset, subnets, conn_end->subnet);
+ push_string_end(msg, offset, sourceip, conn_end->sourceip);
+ push_string_end(msg, offset, dns, conn_end->dns);
+
+ /* we can't assign it earlier as msg might change */
+ msg_end = (stroke_end_t*)((char*)(*msg) + offset);
msg_end->ikeport = conn_end->ikeport;
- msg_end->subnets = push_string(msg, conn_end->subnet);
- msg_end->sourceip = push_string(msg, conn_end->sourceip);
- msg_end->dns = push_string(msg, conn_end->dns);
msg_end->sendcert = conn_end->sendcert;
msg_end->hostaccess = conn_end->hostaccess;
msg_end->tohost = !conn_end->subnet;
@@ -147,187 +176,178 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta
int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- memset(&msg, 0, sizeof(msg));
- msg.type = STR_ADD_CONN;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_conn.version = conn->keyexchange;
- msg.add_conn.name = push_string(&msg, connection_name(conn));
- msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity);
- msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity);
- msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity);
+ msg = create_stroke_msg(STR_ADD_CONN);
+ msg->add_conn.version = conn->keyexchange;
+ push_string(&msg, add_conn.name, connection_name(conn));
+ push_string(&msg, add_conn.eap_identity, conn->eap_identity);
+ push_string(&msg, add_conn.aaa_identity, conn->aaa_identity);
+ push_string(&msg, add_conn.xauth_identity, conn->xauth_identity);
- msg.add_conn.mode = conn->mode;
- msg.add_conn.proxy_mode = conn->proxy_mode;
+ msg->add_conn.mode = conn->mode;
+ msg->add_conn.proxy_mode = conn->proxy_mode;
if (!(conn->options & SA_OPTION_DONT_REKEY))
{
- msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
- msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
- msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
- msg.add_conn.rekey.margin = conn->sa_rekey_margin;
- msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
- msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
- msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
- msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
- msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
+ msg->add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH);
+ msg->add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds;
+ msg->add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds;
+ msg->add_conn.rekey.margin = conn->sa_rekey_margin;
+ msg->add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes;
+ msg->add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes;
+ msg->add_conn.rekey.life_packets = conn->sa_ipsec_life_packets;
+ msg->add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets;
+ msg->add_conn.rekey.fuzz = conn->sa_rekey_fuzz;
}
- msg.add_conn.rekey.tries = conn->sa_keying_tries;
-
- msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
- msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
- msg.add_conn.fragmentation = conn->fragmentation;
- msg.add_conn.ikedscp = conn->ikedscp;
- msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
- msg.add_conn.install_policy = conn->install_policy;
- msg.add_conn.aggressive = conn->aggressive;
- msg.add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
- msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
- msg.add_conn.unique = cfg->setup.uniqueids;
- msg.add_conn.algorithms.ike = push_string(&msg, conn->ike);
- msg.add_conn.algorithms.esp = push_string(&msg, conn->esp);
- msg.add_conn.algorithms.ah = push_string(&msg, conn->ah);
- msg.add_conn.dpd.delay = conn->dpd_delay;
- msg.add_conn.dpd.timeout = conn->dpd_timeout;
- msg.add_conn.dpd.action = conn->dpd_action;
- msg.add_conn.close_action = conn->close_action;
- msg.add_conn.inactivity = conn->inactivity;
- msg.add_conn.ikeme.mediation = conn->me_mediation;
- msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by);
- msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid);
- msg.add_conn.reqid = conn->reqid;
- msg.add_conn.replay_window = conn->replay_window;
- msg.add_conn.mark_in.value = conn->mark_in.value;
- msg.add_conn.mark_in.mask = conn->mark_in.mask;
- msg.add_conn.mark_out.value = conn->mark_out.value;
- msg.add_conn.mark_out.mask = conn->mark_out.mask;
- msg.add_conn.tfc = conn->tfc;
-
- starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left);
- starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right);
-
- if (!msg.add_conn.me.auth && !msg.add_conn.other.auth &&
+ msg->add_conn.rekey.tries = conn->sa_keying_tries;
+
+ msg->add_conn.mobike = conn->options & SA_OPTION_MOBIKE;
+ msg->add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP;
+ msg->add_conn.fragmentation = conn->fragmentation;
+ msg->add_conn.ikedscp = conn->ikedscp;
+ msg->add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS;
+ msg->add_conn.install_policy = conn->install_policy;
+ msg->add_conn.aggressive = conn->aggressive;
+ msg->add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH;
+ msg->add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy;
+ msg->add_conn.unique = cfg->setup.uniqueids;
+ push_string(&msg, add_conn.algorithms.ike, conn->ike);
+ push_string(&msg, add_conn.algorithms.esp, conn->esp);
+ push_string(&msg, add_conn.algorithms.ah, conn->ah);
+ msg->add_conn.dpd.delay = conn->dpd_delay;
+ msg->add_conn.dpd.timeout = conn->dpd_timeout;
+ msg->add_conn.dpd.action = conn->dpd_action;
+ msg->add_conn.close_action = conn->close_action;
+ msg->add_conn.inactivity = conn->inactivity;
+ msg->add_conn.ikeme.mediation = conn->me_mediation;
+ push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by);
+ push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid);
+ msg->add_conn.reqid = conn->reqid;
+ msg->add_conn.replay_window = conn->replay_window;
+ msg->add_conn.mark_in.value = conn->mark_in.value;
+ msg->add_conn.mark_in.mask = conn->mark_in.mask;
+ msg->add_conn.mark_out.value = conn->mark_out.value;
+ msg->add_conn.mark_out.mask = conn->mark_out.mask;
+ msg->add_conn.tfc = conn->tfc;
+
+ add_end(&msg, offsetof(stroke_msg_t, add_conn.me), &conn->left);
+ add_end(&msg, offsetof(stroke_msg_t, add_conn.other), &conn->right);
+
+ if (!msg->add_conn.me.auth && !msg->add_conn.other.auth &&
conn->authby)
{ /* leftauth/rightauth not set, use legacy options */
if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") ||
streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") ||
streq(conn->authby, "pubkey"))
{
- msg.add_conn.me.auth = push_string(&msg, "pubkey");
- msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ push_string(&msg, add_conn.me.auth, "pubkey");
+ push_string(&msg, add_conn.other.auth, "pubkey");
}
else if (streq(conn->authby, "secret") || streq(conn->authby, "psk"))
{
- msg.add_conn.me.auth = push_string(&msg, "psk");
- msg.add_conn.other.auth = push_string(&msg, "psk");
+ push_string(&msg, add_conn.me.auth, "psk");
+ push_string(&msg, add_conn.other.auth, "psk");
}
else if (streq(conn->authby, "xauthrsasig"))
{
- msg.add_conn.me.auth = push_string(&msg, "pubkey");
- msg.add_conn.other.auth = push_string(&msg, "pubkey");
+ push_string(&msg, add_conn.me.auth, "pubkey");
+ push_string(&msg, add_conn.other.auth, "pubkey");
if (conn->options & SA_OPTION_XAUTH_SERVER)
{
- msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ push_string(&msg, add_conn.other.auth2, "xauth");
}
else
{
- msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ push_string(&msg, add_conn.me.auth2, "xauth");
}
}
else if (streq(conn->authby, "xauthpsk"))
{
- msg.add_conn.me.auth = push_string(&msg, "psk");
- msg.add_conn.other.auth = push_string(&msg, "psk");
+ push_string(&msg, add_conn.me.auth, "psk");
+ push_string(&msg, add_conn.other.auth, "psk");
if (conn->options & SA_OPTION_XAUTH_SERVER)
{
- msg.add_conn.other.auth2 = push_string(&msg, "xauth");
+ push_string(&msg, add_conn.other.auth2, "xauth");
}
else
{
- msg.add_conn.me.auth2 = push_string(&msg, "xauth");
+ push_string(&msg, add_conn.me.auth2, "xauth");
}
}
}
- return send_stroke_msg(&msg);
+ return send_stroke_msg(msg);
}
int starter_stroke_del_conn(starter_conn_t *conn)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- msg.type = STR_DEL_CONN;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.del_conn.name = push_string(&msg, connection_name(conn));
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_DEL_CONN);
+ push_string(&msg, del_conn.name, connection_name(conn));
+ return send_stroke_msg(msg);
}
int starter_stroke_route_conn(starter_conn_t *conn)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- msg.type = STR_ROUTE;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.route.name = push_string(&msg, connection_name(conn));
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_ROUTE);
+ push_string(&msg, route.name, connection_name(conn));
+ return send_stroke_msg(msg);
}
int starter_stroke_unroute_conn(starter_conn_t *conn)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- msg.type = STR_UNROUTE;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.route.name = push_string(&msg, connection_name(conn));
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_UNROUTE);
+ push_string(&msg, route.name, connection_name(conn));
+ return send_stroke_msg(msg);
}
int starter_stroke_initiate_conn(starter_conn_t *conn)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- msg.type = STR_INITIATE;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.initiate.name = push_string(&msg, connection_name(conn));
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_INITIATE);
+ push_string(&msg, initiate.name, connection_name(conn));
+ return send_stroke_msg(msg);
}
int starter_stroke_add_ca(starter_ca_t *ca)
{
- stroke_msg_t msg;
-
- msg.type = STR_ADD_CA;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.add_ca.name = push_string(&msg, ca->name);
- msg.add_ca.cacert = push_string(&msg, ca->cacert);
- msg.add_ca.crluri = push_string(&msg, ca->crluri);
- msg.add_ca.crluri2 = push_string(&msg, ca->crluri2);
- msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri);
- msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2);
- msg.add_ca.certuribase = push_string(&msg, ca->certuribase);
- return send_stroke_msg(&msg);
+ stroke_msg_t *msg;
+
+ msg = create_stroke_msg(STR_ADD_CA);
+ push_string(&msg, add_ca.name, ca->name);
+ push_string(&msg, add_ca.cacert, ca->cacert);
+ push_string(&msg, add_ca.crluri, ca->crluri);
+ push_string(&msg, add_ca.crluri2, ca->crluri2);
+ push_string(&msg, add_ca.ocspuri, ca->ocspuri);
+ push_string(&msg, add_ca.ocspuri2, ca->ocspuri2);
+ push_string(&msg, add_ca.certuribase, ca->certuribase);
+ return send_stroke_msg(msg);
}
int starter_stroke_del_ca(starter_ca_t *ca)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
- msg.type = STR_DEL_CA;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.del_ca.name = push_string(&msg, ca->name);
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_DEL_CA);
+ push_string(&msg, del_ca.name, ca->name);
+ return send_stroke_msg(msg);
}
int starter_stroke_configure(starter_config_t *cfg)
{
- stroke_msg_t msg;
+ stroke_msg_t *msg;
if (cfg->setup.cachecrls)
{
- msg.type = STR_CONFIG;
- msg.length = offsetof(stroke_msg_t, buffer);
- msg.config.cachecrl = 1;
- return send_stroke_msg(&msg);
+ msg = create_stroke_msg(STR_CONFIG);
+ msg->config.cachecrl = 1;
+ return send_stroke_msg(msg);
}
return 0;
}