diff options
Diffstat (limited to 'src/starter/starterstroke.c')
-rw-r--r-- | src/starter/starterstroke.c | 308 |
1 files changed, 164 insertions, 144 deletions
diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 6e1f1605d..79a92cdad 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2007-2015 Tobias Brunner * Copyright (C) 2006 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -31,37 +32,57 @@ #define IPV4_LEN 4 #define IPV6_LEN 16 -static char* push_string(stroke_msg_t *msg, char *string) +static stroke_msg_t *create_stroke_msg(int type) { - unsigned long string_start = msg->length; + stroke_msg_t *msg; - if (string == NULL) + INIT(msg, + .type = type, + .length = offsetof(stroke_msg_t, buffer), + ); + return msg; +} + +#define push_string(msg, field, str) \ + push_string_impl(msg, offsetof(stroke_msg_t, field), str) +#define push_string_end(msg, offset, field, str) \ + push_string_impl(msg, offset + offsetof(stroke_end_t, field), str) + +static void push_string_impl(stroke_msg_t **msg, size_t offset, char *string) +{ + size_t cur_len = (*msg)->length, str_len; + + if (!string) { - return NULL; + return; } - else if ((size_t)msg->length + strlen(string) >= sizeof(stroke_msg_t)) + str_len = strlen(string) + 1; + if (cur_len + str_len >= UINT16_MAX) { - /* set invalid length to fail during message send */ - msg->length = ~0; - return NULL; + (*msg)->length = UINT16_MAX; + return; } - else + while (cur_len + str_len > sizeof(stroke_msg_t) + (*msg)->buflen) { - msg->length += strlen(string) + 1; - strcpy((char*)msg + string_start, string); - return (char*)string_start; + *msg = realloc(*msg, sizeof(stroke_msg_t) + (*msg)->buflen + + STROKE_BUF_LEN_INC); + (*msg)->buflen += STROKE_BUF_LEN_INC; } + (*msg)->length += str_len; + strcpy((char*)*msg + cur_len, string); + *(char**)((char*)*msg + offset) = (char*)cur_len; } -static int send_stroke_msg (stroke_msg_t *msg) +static int send_stroke_msg(stroke_msg_t *msg) { stream_t *stream; char *uri, buffer[64]; int count; - if (msg->length > sizeof(stroke_msg_t)) + if (msg->length == UINT16_MAX) { - DBG1(DBG_APP, "stroke message exceeds buffer size"); + DBG1(DBG_APP, "stroke message exceeds maximum buffer size"); + free(msg); return -1; } @@ -74,6 +95,7 @@ static int send_stroke_msg (stroke_msg_t *msg) if (!stream) { DBG1(DBG_APP, "failed to connect to stroke socket '%s'", uri); + free(msg); return -1; } @@ -81,6 +103,7 @@ static int send_stroke_msg (stroke_msg_t *msg) { DBG1(DBG_APP, "sending stroke message failed"); stream->destroy(stream); + free(msg); return -1; } while ((count = stream->read(stream, buffer, sizeof(buffer)-1, TRUE)) > 0) @@ -93,6 +116,7 @@ static int send_stroke_msg (stroke_msg_t *msg) DBG1(DBG_APP, "reading stroke response failed"); } stream->destroy(stream); + free(msg); return 0; } @@ -109,33 +133,38 @@ static char* connection_name(starter_conn_t *conn) return conn->name; } -static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, starter_end_t *conn_end) +static void add_end(stroke_msg_t **msg, size_t offset, starter_end_t *conn_end) { - msg_end->auth = push_string(msg, conn_end->auth); - msg_end->auth2 = push_string(msg, conn_end->auth2); - msg_end->id = push_string(msg, conn_end->id); - msg_end->id2 = push_string(msg, conn_end->id2); - msg_end->rsakey = push_string(msg, conn_end->rsakey); - msg_end->cert = push_string(msg, conn_end->cert); - msg_end->cert2 = push_string(msg, conn_end->cert2); - msg_end->cert_policy = push_string(msg, conn_end->cert_policy); - msg_end->ca = push_string(msg, conn_end->ca); - msg_end->ca2 = push_string(msg, conn_end->ca2); - msg_end->groups = push_string(msg, conn_end->groups); - msg_end->groups2 = push_string(msg, conn_end->groups2); - msg_end->updown = push_string(msg, conn_end->updown); + stroke_end_t *msg_end; + + push_string_end(msg, offset, auth, conn_end->auth); + push_string_end(msg, offset, auth2, conn_end->auth2); + push_string_end(msg, offset, id, conn_end->id); + push_string_end(msg, offset, id2, conn_end->id2); + push_string_end(msg, offset, rsakey, conn_end->rsakey); + push_string_end(msg, offset, cert, conn_end->cert); + push_string_end(msg, offset, cert2, conn_end->cert2); + push_string_end(msg, offset, cert_policy, conn_end->cert_policy); + push_string_end(msg, offset, ca, conn_end->ca); + push_string_end(msg, offset, ca2, conn_end->ca2); + push_string_end(msg, offset, groups, conn_end->groups); + push_string_end(msg, offset, groups2, conn_end->groups2); + push_string_end(msg, offset, updown, conn_end->updown); if (conn_end->host) { - msg_end->address = push_string(msg, conn_end->host); + push_string_end(msg, offset, address, conn_end->host); } else { - msg_end->address = push_string(msg, "%any"); + push_string_end(msg, offset, address, "%any"); } + push_string_end(msg, offset, subnets, conn_end->subnet); + push_string_end(msg, offset, sourceip, conn_end->sourceip); + push_string_end(msg, offset, dns, conn_end->dns); + + /* we can't assign it earlier as msg might change */ + msg_end = (stroke_end_t*)((char*)(*msg) + offset); msg_end->ikeport = conn_end->ikeport; - msg_end->subnets = push_string(msg, conn_end->subnet); - msg_end->sourceip = push_string(msg, conn_end->sourceip); - msg_end->dns = push_string(msg, conn_end->dns); msg_end->sendcert = conn_end->sendcert; msg_end->hostaccess = conn_end->hostaccess; msg_end->tohost = !conn_end->subnet; @@ -147,187 +176,178 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - memset(&msg, 0, sizeof(msg)); - msg.type = STR_ADD_CONN; - msg.length = offsetof(stroke_msg_t, buffer); - msg.add_conn.version = conn->keyexchange; - msg.add_conn.name = push_string(&msg, connection_name(conn)); - msg.add_conn.eap_identity = push_string(&msg, conn->eap_identity); - msg.add_conn.aaa_identity = push_string(&msg, conn->aaa_identity); - msg.add_conn.xauth_identity = push_string(&msg, conn->xauth_identity); + msg = create_stroke_msg(STR_ADD_CONN); + msg->add_conn.version = conn->keyexchange; + push_string(&msg, add_conn.name, connection_name(conn)); + push_string(&msg, add_conn.eap_identity, conn->eap_identity); + push_string(&msg, add_conn.aaa_identity, conn->aaa_identity); + push_string(&msg, add_conn.xauth_identity, conn->xauth_identity); - msg.add_conn.mode = conn->mode; - msg.add_conn.proxy_mode = conn->proxy_mode; + msg->add_conn.mode = conn->mode; + msg->add_conn.proxy_mode = conn->proxy_mode; if (!(conn->options & SA_OPTION_DONT_REKEY)) { - msg.add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH); - msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; - msg.add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds; - msg.add_conn.rekey.margin = conn->sa_rekey_margin; - msg.add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes; - msg.add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes; - msg.add_conn.rekey.life_packets = conn->sa_ipsec_life_packets; - msg.add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets; - msg.add_conn.rekey.fuzz = conn->sa_rekey_fuzz; + msg->add_conn.rekey.reauth = !(conn->options & SA_OPTION_DONT_REAUTH); + msg->add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; + msg->add_conn.rekey.ike_lifetime = conn->sa_ike_life_seconds; + msg->add_conn.rekey.margin = conn->sa_rekey_margin; + msg->add_conn.rekey.life_bytes = conn->sa_ipsec_life_bytes; + msg->add_conn.rekey.margin_bytes = conn->sa_ipsec_margin_bytes; + msg->add_conn.rekey.life_packets = conn->sa_ipsec_life_packets; + msg->add_conn.rekey.margin_packets = conn->sa_ipsec_margin_packets; + msg->add_conn.rekey.fuzz = conn->sa_rekey_fuzz; } - msg.add_conn.rekey.tries = conn->sa_keying_tries; - - msg.add_conn.mobike = conn->options & SA_OPTION_MOBIKE; - msg.add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP; - msg.add_conn.fragmentation = conn->fragmentation; - msg.add_conn.ikedscp = conn->ikedscp; - msg.add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS; - msg.add_conn.install_policy = conn->install_policy; - msg.add_conn.aggressive = conn->aggressive; - msg.add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH; - msg.add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy; - msg.add_conn.unique = cfg->setup.uniqueids; - msg.add_conn.algorithms.ike = push_string(&msg, conn->ike); - msg.add_conn.algorithms.esp = push_string(&msg, conn->esp); - msg.add_conn.algorithms.ah = push_string(&msg, conn->ah); - msg.add_conn.dpd.delay = conn->dpd_delay; - msg.add_conn.dpd.timeout = conn->dpd_timeout; - msg.add_conn.dpd.action = conn->dpd_action; - msg.add_conn.close_action = conn->close_action; - msg.add_conn.inactivity = conn->inactivity; - msg.add_conn.ikeme.mediation = conn->me_mediation; - msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); - msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid); - msg.add_conn.reqid = conn->reqid; - msg.add_conn.replay_window = conn->replay_window; - msg.add_conn.mark_in.value = conn->mark_in.value; - msg.add_conn.mark_in.mask = conn->mark_in.mask; - msg.add_conn.mark_out.value = conn->mark_out.value; - msg.add_conn.mark_out.mask = conn->mark_out.mask; - msg.add_conn.tfc = conn->tfc; - - starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); - starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); - - if (!msg.add_conn.me.auth && !msg.add_conn.other.auth && + msg->add_conn.rekey.tries = conn->sa_keying_tries; + + msg->add_conn.mobike = conn->options & SA_OPTION_MOBIKE; + msg->add_conn.force_encap = conn->options & SA_OPTION_FORCE_ENCAP; + msg->add_conn.fragmentation = conn->fragmentation; + msg->add_conn.ikedscp = conn->ikedscp; + msg->add_conn.ipcomp = conn->options & SA_OPTION_COMPRESS; + msg->add_conn.install_policy = conn->install_policy; + msg->add_conn.aggressive = conn->aggressive; + msg->add_conn.pushmode = conn->options & SA_OPTION_MODECFG_PUSH; + msg->add_conn.crl_policy = (crl_policy_t)cfg->setup.strictcrlpolicy; + msg->add_conn.unique = cfg->setup.uniqueids; + push_string(&msg, add_conn.algorithms.ike, conn->ike); + push_string(&msg, add_conn.algorithms.esp, conn->esp); + push_string(&msg, add_conn.algorithms.ah, conn->ah); + msg->add_conn.dpd.delay = conn->dpd_delay; + msg->add_conn.dpd.timeout = conn->dpd_timeout; + msg->add_conn.dpd.action = conn->dpd_action; + msg->add_conn.close_action = conn->close_action; + msg->add_conn.inactivity = conn->inactivity; + msg->add_conn.ikeme.mediation = conn->me_mediation; + push_string(&msg, add_conn.ikeme.mediated_by, conn->me_mediated_by); + push_string(&msg, add_conn.ikeme.peerid, conn->me_peerid); + msg->add_conn.reqid = conn->reqid; + msg->add_conn.replay_window = conn->replay_window; + msg->add_conn.mark_in.value = conn->mark_in.value; + msg->add_conn.mark_in.mask = conn->mark_in.mask; + msg->add_conn.mark_out.value = conn->mark_out.value; + msg->add_conn.mark_out.mask = conn->mark_out.mask; + msg->add_conn.tfc = conn->tfc; + + add_end(&msg, offsetof(stroke_msg_t, add_conn.me), &conn->left); + add_end(&msg, offsetof(stroke_msg_t, add_conn.other), &conn->right); + + if (!msg->add_conn.me.auth && !msg->add_conn.other.auth && conn->authby) { /* leftauth/rightauth not set, use legacy options */ if (streq(conn->authby, "rsa") || streq(conn->authby, "rsasig") || streq(conn->authby, "ecdsa") || streq(conn->authby, "ecdsasig") || streq(conn->authby, "pubkey")) { - msg.add_conn.me.auth = push_string(&msg, "pubkey"); - msg.add_conn.other.auth = push_string(&msg, "pubkey"); + push_string(&msg, add_conn.me.auth, "pubkey"); + push_string(&msg, add_conn.other.auth, "pubkey"); } else if (streq(conn->authby, "secret") || streq(conn->authby, "psk")) { - msg.add_conn.me.auth = push_string(&msg, "psk"); - msg.add_conn.other.auth = push_string(&msg, "psk"); + push_string(&msg, add_conn.me.auth, "psk"); + push_string(&msg, add_conn.other.auth, "psk"); } else if (streq(conn->authby, "xauthrsasig")) { - msg.add_conn.me.auth = push_string(&msg, "pubkey"); - msg.add_conn.other.auth = push_string(&msg, "pubkey"); + push_string(&msg, add_conn.me.auth, "pubkey"); + push_string(&msg, add_conn.other.auth, "pubkey"); if (conn->options & SA_OPTION_XAUTH_SERVER) { - msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.other.auth2, "xauth"); } else { - msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.me.auth2, "xauth"); } } else if (streq(conn->authby, "xauthpsk")) { - msg.add_conn.me.auth = push_string(&msg, "psk"); - msg.add_conn.other.auth = push_string(&msg, "psk"); + push_string(&msg, add_conn.me.auth, "psk"); + push_string(&msg, add_conn.other.auth, "psk"); if (conn->options & SA_OPTION_XAUTH_SERVER) { - msg.add_conn.other.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.other.auth2, "xauth"); } else { - msg.add_conn.me.auth2 = push_string(&msg, "xauth"); + push_string(&msg, add_conn.me.auth2, "xauth"); } } } - return send_stroke_msg(&msg); + return send_stroke_msg(msg); } int starter_stroke_del_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_DEL_CONN; - msg.length = offsetof(stroke_msg_t, buffer); - msg.del_conn.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_DEL_CONN); + push_string(&msg, del_conn.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_route_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_ROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.route.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_ROUTE); + push_string(&msg, route.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_unroute_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_UNROUTE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.route.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_UNROUTE); + push_string(&msg, route.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_initiate_conn(starter_conn_t *conn) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_INITIATE; - msg.length = offsetof(stroke_msg_t, buffer); - msg.initiate.name = push_string(&msg, connection_name(conn)); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_INITIATE); + push_string(&msg, initiate.name, connection_name(conn)); + return send_stroke_msg(msg); } int starter_stroke_add_ca(starter_ca_t *ca) { - stroke_msg_t msg; - - msg.type = STR_ADD_CA; - msg.length = offsetof(stroke_msg_t, buffer); - msg.add_ca.name = push_string(&msg, ca->name); - msg.add_ca.cacert = push_string(&msg, ca->cacert); - msg.add_ca.crluri = push_string(&msg, ca->crluri); - msg.add_ca.crluri2 = push_string(&msg, ca->crluri2); - msg.add_ca.ocspuri = push_string(&msg, ca->ocspuri); - msg.add_ca.ocspuri2 = push_string(&msg, ca->ocspuri2); - msg.add_ca.certuribase = push_string(&msg, ca->certuribase); - return send_stroke_msg(&msg); + stroke_msg_t *msg; + + msg = create_stroke_msg(STR_ADD_CA); + push_string(&msg, add_ca.name, ca->name); + push_string(&msg, add_ca.cacert, ca->cacert); + push_string(&msg, add_ca.crluri, ca->crluri); + push_string(&msg, add_ca.crluri2, ca->crluri2); + push_string(&msg, add_ca.ocspuri, ca->ocspuri); + push_string(&msg, add_ca.ocspuri2, ca->ocspuri2); + push_string(&msg, add_ca.certuribase, ca->certuribase); + return send_stroke_msg(msg); } int starter_stroke_del_ca(starter_ca_t *ca) { - stroke_msg_t msg; + stroke_msg_t *msg; - msg.type = STR_DEL_CA; - msg.length = offsetof(stroke_msg_t, buffer); - msg.del_ca.name = push_string(&msg, ca->name); - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_DEL_CA); + push_string(&msg, del_ca.name, ca->name); + return send_stroke_msg(msg); } int starter_stroke_configure(starter_config_t *cfg) { - stroke_msg_t msg; + stroke_msg_t *msg; if (cfg->setup.cachecrls) { - msg.type = STR_CONFIG; - msg.length = offsetof(stroke_msg_t, buffer); - msg.config.cachecrl = 1; - return send_stroke_msg(&msg); + msg = create_stroke_msg(STR_CONFIG); + msg->config.cachecrl = 1; + return send_stroke_msg(msg); } return 0; } |