diff options
| -rw-r--r-- | src/charon/Makefile.am | 2 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.c | 145 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_manager.h | 82 | ||||
| -rw-r--r-- | src/charon/config/attributes/attribute_provider.h | 60 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.c | 60 | ||||
| -rw-r--r-- | src/charon/config/peer_cfg.h | 21 | ||||
| -rw-r--r-- | src/charon/daemon.c | 5 | ||||
| -rw-r--r-- | src/charon/daemon.h | 9 | ||||
| -rw-r--r-- | src/charon/plugins/stroke/stroke_config.c | 38 | ||||
| -rw-r--r-- | src/charon/sa/ike_sa.c | 11 | ||||
| -rw-r--r-- | src/charon/sa/tasks/child_create.c | 3 | ||||
| -rw-r--r-- | src/charon/sa/tasks/ike_config.c | 35 | ||||
| -rw-r--r-- | src/starter/cmp.c | 4 | ||||
| -rw-r--r-- | src/starter/confread.c | 28 | ||||
| -rw-r--r-- | src/starter/confread.h | 3 | ||||
| -rw-r--r-- | src/starter/starterstroke.c | 48 | ||||
| -rw-r--r-- | src/starter/starterwhack.c | 20 | ||||
| -rw-r--r-- | src/stroke/stroke.c | 35 | ||||
| -rw-r--r-- | src/stroke/stroke_msg.h | 2 |
19 files changed, 466 insertions, 145 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index b0404ea3b..7a1c2e52f 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -10,6 +10,8 @@ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ config/proposal.c config/proposal.h \ config/traffic_selector.c config/traffic_selector.h \ +config/attributes/attribute_provider.h \ +config/attributes/attribute_manager.c config/attributes/attribute_manager.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ diff --git a/src/charon/config/attributes/attribute_manager.c b/src/charon/config/attributes/attribute_manager.c new file mode 100644 index 000000000..0ec84c7be --- /dev/null +++ b/src/charon/config/attributes/attribute_manager.c @@ -0,0 +1,145 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +#include "attribute_manager.h" + +#include <utils/linked_list.h> +#include <utils/mutex.h> + +typedef struct private_attribute_manager_t private_attribute_manager_t; + +/** + * private data of attribute_manager + */ +struct private_attribute_manager_t { + + /** + * public functions + */ + attribute_manager_t public; + + /** + * list of registered providers + */ + linked_list_t *providers; + + /** + * mutex to lock provider list + */ + mutex_t *mutex; +}; + +/** + * Implementation of attribute_manager_t.acquire_address. + */ +static host_t* acquire_address(private_attribute_manager_t *this, + char *pool, identification_t *id, + auth_info_t *auth, host_t *requested) +{ + enumerator_t *enumerator; + attribute_provider_t *current; + host_t *host = NULL; + + this->mutex->lock(this->mutex); + enumerator = this->providers->create_enumerator(this->providers); + while (enumerator->enumerate(enumerator, ¤t)) + { + host = current->acquire_address(current, pool, id, auth, requested); + if (host) + { + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + return host; +} + +/** + * Implementation of attribute_manager_t.release_address. + */ +static void release_address(private_attribute_manager_t *this, + char *pool, host_t *address) +{ + enumerator_t *enumerator; + attribute_provider_t *current; + + this->mutex->lock(this->mutex); + enumerator = this->providers->create_enumerator(this->providers); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current->release_address(current, pool, address)) + { + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of attribute_manager_t.add_provider. + */ +static void add_provider(private_attribute_manager_t *this, + attribute_provider_t *provider) +{ + this->mutex->lock(this->mutex); + this->providers->insert_last(this->providers, provider); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of attribute_manager_t.remove_provider. + */ +static void remove_provider(private_attribute_manager_t *this, + attribute_provider_t *provider) +{ + this->mutex->lock(this->mutex); + this->providers->remove(this->providers, provider, NULL); + this->mutex->unlock(this->mutex); +} + +/** + * Implementation of attribute_manager_t.destroy + */ +static void destroy(private_attribute_manager_t *this) +{ + this->providers->destroy(this->providers); + this->mutex->destroy(this->mutex); + free(this); +} + +/* + * see header file + */ +attribute_manager_t *attribute_manager_create() +{ + private_attribute_manager_t *this = malloc_thing(private_attribute_manager_t); + + this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,auth_info_t*,host_t*))acquire_address; + this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*))release_address; + this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider; + this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider; + this->public.destroy = (void(*)(attribute_manager_t*))destroy; + + this->providers = linked_list_create(); + this->mutex = mutex_create(MUTEX_DEFAULT); + + return &this->public; +} + diff --git a/src/charon/config/attributes/attribute_manager.h b/src/charon/config/attributes/attribute_manager.h new file mode 100644 index 000000000..540e054fd --- /dev/null +++ b/src/charon/config/attributes/attribute_manager.h @@ -0,0 +1,82 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup attribute_manager attribute_manager + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_MANAGER_H_ +#define ATTRIBUTE_MANAGER_H_ + +#include <config/attributes/attribute_provider.h> + +typedef struct attribute_manager_t attribute_manager_t; + +/** + * Provide configuration attributes to include in CFG Payloads. + */ +struct attribute_manager_t { + + /** + * Acquire a virtual IP address to assign to a peer. + * + * @param pool pool name to acquire address from + * @param id peer identity to get address for + * @param auth authorization infos of peer + * @param requested IP in configuration request + * @return allocated address, NULL to serve none + */ + host_t* (*acquire_address)(attribute_manager_t *this, + char *pool, identification_t *id, + auth_info_t *auth, host_t *requested); + + /** + * Release a previously acquired address. + * + * @param pool pool name from which the address was acquired + * @param address address to release + */ + void (*release_address)(attribute_manager_t *this, + char *pool, host_t *address); + + /** + * Register an attribute provider to the manager. + * + * @param provider attribute provider to register + */ + void (*add_provider)(attribute_manager_t *this, + attribute_provider_t *provider); + /** + * Unregister an attribute provider from the manager. + * + * @param provider attribute provider to unregister + */ + void (*remove_provider)(attribute_manager_t *this, + attribute_provider_t *provider); + /** + * Destroy a attribute_manager instance. + */ + void (*destroy)(attribute_manager_t *this); +}; + +/** + * Create a attribute_manager instance. + */ +attribute_manager_t *attribute_manager_create(); + +#endif /* ATTRIBUTE_MANAGER_H_ @}*/ diff --git a/src/charon/config/attributes/attribute_provider.h b/src/charon/config/attributes/attribute_provider.h new file mode 100644 index 000000000..1712bd188 --- /dev/null +++ b/src/charon/config/attributes/attribute_provider.h @@ -0,0 +1,60 @@ +/* + * Copyright (C) 2008 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * $Id$ + */ + +/** + * @defgroup attribute_provider attribute_provider + * @{ @ingroup attributes + */ + +#ifndef ATTRIBUTE_PROVIDER_H_ +#define ATTRIBUTE_PROVIDER_H_ + +#include <library.h> +#include <utils/host.h> +#include <credentials/auth_info.h> + +typedef struct attribute_provider_t attribute_provider_t; + +/** + * Interface to provide attributes to peers through attribute manager. + */ +struct attribute_provider_t { + + /** + * Acquire a virtual IP address to assign to a peer. + * + * @param pool name of the pool to acquire address from + * @param id peer ID + * @param auth authorization infos + * @param requested IP in configuration request + * @return allocated address, NULL to serve none + */ + host_t* (*acquire_address)(attribute_provider_t *this, + char *pool, identification_t *id, + auth_info_t *auth, host_t *requested); + /** + * Release a previously acquired address. + * + * @param pool name of the pool this address was acquired from + * @param address address to release + * @return TRUE if the address has been released by the provider + */ + bool (*release_address)(attribute_provider_t *this, + char *pool, host_t *address); +}; + +#endif /* ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/charon/config/peer_cfg.c b/src/charon/config/peer_cfg.c index d85935c60..f0804d93f 100644 --- a/src/charon/config/peer_cfg.c +++ b/src/charon/config/peer_cfg.c @@ -153,12 +153,12 @@ struct private_peer_cfg_t { /** * virtual IP to use locally */ - host_t *my_virtual_ip; + host_t *virtual_ip; /** - * virtual IP to use remotly + * pool to acquire configuration attributes from */ - host_t *other_virtual_ip; + char *pool; /** * required authorization constraints @@ -396,35 +396,19 @@ static dpd_action_t get_dpd_action(private_peer_cfg_t *this) } /** - * Implementation of peer_cfg_t.get_my_virtual_ip. + * Implementation of peer_cfg_t.get_virtual_ip. */ -static host_t* get_my_virtual_ip(private_peer_cfg_t *this) +static host_t* get_virtual_ip(private_peer_cfg_t *this) { - if (this->my_virtual_ip == NULL) - { - return NULL; - } - return this->my_virtual_ip->clone(this->my_virtual_ip); + return this->virtual_ip; } - + /** - * Implementation of peer_cfg_t.get_other_virtual_ip. + * Implementation of peer_cfg_t.get_pool. */ -static host_t* get_other_virtual_ip(private_peer_cfg_t *this, host_t *suggestion) +static char* get_pool(private_peer_cfg_t *this) { - if (this->other_virtual_ip == NULL) - { /* disallow */ - return NULL; - } - if (!this->other_virtual_ip->is_anyaddr(this->other_virtual_ip)) - { /* force own configuration */ - return this->other_virtual_ip->clone(this->other_virtual_ip); - } - if (suggestion == NULL || suggestion->is_anyaddr(suggestion)) - { - return NULL; - } - return suggestion->clone(suggestion); + return this->pool; } /** @@ -491,12 +475,10 @@ static bool equals(private_peer_cfg_t *this, private_peer_cfg_t *other) this->over_time == other->over_time && this->dpd_delay == other->dpd_delay && this->dpd_action == other->dpd_action && - (this->my_virtual_ip == other->my_virtual_ip || - (this->my_virtual_ip && other->my_virtual_ip && - this->my_virtual_ip->equals(this->my_virtual_ip, other->my_virtual_ip))) && - (this->other_virtual_ip == other->other_virtual_ip || - (this->other_virtual_ip && other->other_virtual_ip && - this->other_virtual_ip->equals(this->other_virtual_ip, other->other_virtual_ip))) && + (this->virtual_ip == other->virtual_ip || + (this->virtual_ip && other->virtual_ip && + this->virtual_ip->equals(this->virtual_ip, other->virtual_ip))) && + (this->pool == other->pool || streq(this->pool, other->pool)) && this->auth->equals(this->auth, other->auth) #ifdef ME && this->mediation == other->mediation && @@ -527,14 +509,14 @@ static void destroy(private_peer_cfg_t *this) this->child_cfgs->destroy_offset(this->child_cfgs, offsetof(child_cfg_t, destroy)); this->my_id->destroy(this->my_id); this->other_id->destroy(this->other_id); - DESTROY_IF(this->my_virtual_ip); - DESTROY_IF(this->other_virtual_ip); + DESTROY_IF(this->virtual_ip); this->auth->destroy(this->auth); #ifdef ME DESTROY_IF(this->mediated_by); DESTROY_IF(this->peer_id); #endif /* ME */ free(this->name); + free(this->pool); free(this); } } @@ -551,7 +533,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, u_int32_t reauth_time, u_int32_t jitter_time, u_int32_t over_time, bool mobike, u_int32_t dpd_delay, dpd_action_t dpd_action, - host_t *my_virtual_ip, host_t *other_virtual_ip, + host_t *virtual_ip, char *pool, bool mediation, peer_cfg_t *mediated_by, identification_t *peer_id) { @@ -577,8 +559,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->public.use_mobike = (bool (*) (peer_cfg_t *))use_mobike; this->public.get_dpd_delay = (u_int32_t (*) (peer_cfg_t *))get_dpd_delay; this->public.get_dpd_action = (dpd_action_t (*) (peer_cfg_t *))get_dpd_action; - this->public.get_my_virtual_ip = (host_t* (*) (peer_cfg_t *))get_my_virtual_ip; - this->public.get_other_virtual_ip = (host_t* (*) (peer_cfg_t *, host_t *))get_other_virtual_ip; + this->public.get_virtual_ip = (host_t* (*) (peer_cfg_t *))get_virtual_ip; + this->public.get_pool = (char*(*)(peer_cfg_t*))get_pool; this->public.get_auth = (auth_info_t*(*)(peer_cfg_t*))get_auth; this->public.equals = (bool(*)(peer_cfg_t*, peer_cfg_t *other))equals; this->public.get_ref = (void(*)(peer_cfg_t *))get_ref; @@ -617,8 +599,8 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->use_mobike = mobike; this->dpd_delay = dpd_delay; this->dpd_action = dpd_action; - this->my_virtual_ip = my_virtual_ip; - this->other_virtual_ip = other_virtual_ip; + this->virtual_ip = virtual_ip; + this->pool = pool ? strdup(pool) : NULL; this->auth = auth_info_create(); this->refcount = 1; #ifdef ME diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index 43bcb8ef6..dedabf07d 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -276,21 +276,16 @@ struct peer_cfg_t { * used for a request and may be changed by the server. * * @param suggestion NULL, %any or specific - * @return clone of an IP, %any or NULL + * @return virtual IP, %any or NULL */ - host_t* (*get_my_virtual_ip) (peer_cfg_t *this); + host_t* (*get_virtual_ip) (peer_cfg_t *this); /** - * Get a virtual IP for the remote peer. + * Get the name of the pool to acquire configuration attributes from. * - * An IP may be supplied, if one was requested by the initiator. However, - * the suggestion is not more as it says, any address may be returned, even - * NULL to not use virtual IPs. - * - * @param suggestion NULL, %any or specific - * @return clone of an IP to use + * @return pool name, NULL if none defined */ - host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion); + char* (*get_pool)(peer_cfg_t *this); #ifdef ME /** @@ -378,8 +373,8 @@ struct peer_cfg_t { * @param mobike use MOBIKE (RFC4555) if peer supports it * @param dpd_delay after how many seconds of inactivity to check DPD * @param dpd_action what to do with CHILD_SAs when detected a dead peer - * @param my_virtual_ip virtual IP for local host, or NULL - * @param other_virtual_ip virtual IP for remote host, or NULL + * @param virtual_ip virtual IP for local host, or NULL + * @param pool pool name to get configuration attributes from, or NULL * @param mediation TRUE if this is a mediation connection * @param mediated_by peer_cfg_t of the mediation connection to mediate through * @param peer_id ID that identifies our peer at the mediation server @@ -394,7 +389,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg, u_int32_t reauth_time, u_int32_t jitter_time, u_int32_t over_time, bool mobike, u_int32_t dpd_delay, dpd_action_t dpd_action, - host_t *my_virtual_ip, host_t *other_virtual_ip, + host_t *virtual_ip, char *pool, bool mediation, peer_cfg_t *mediated_by, identification_t *peer_id); diff --git a/src/charon/daemon.c b/src/charon/daemon.c index 689bad9fe..e1e9a71e7 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -35,8 +35,6 @@ #include "daemon.h" #include <library.h> -#include <credentials/credential_manager.h> -#include <config/backend_manager.h> #include <config/traffic_selector.h> /* on some distros, a capset definition is missing */ @@ -185,6 +183,7 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->public.mediation_manager); #endif /* ME */ DESTROY_IF(this->public.backends); + DESTROY_IF(this->public.attributes); DESTROY_IF(this->public.credentials); DESTROY_IF(this->public.sender); DESTROY_IF(this->public.receiver); @@ -338,6 +337,7 @@ static bool initialize(private_daemon_t *this, bool syslog, level_t levels[]) this->public.controller = controller_create(); this->public.eap = eap_manager_create(); this->public.backends = backend_manager_create(); + this->public.attributes = attribute_manager_create(); this->public.plugins = plugin_loader_create(); this->public.kernel_interface = kernel_interface_create(); this->public.socket = socket_create(); @@ -408,6 +408,7 @@ private_daemon_t *daemon_create(void) this->public.ike_sa_manager = NULL; this->public.credentials = NULL; this->public.backends = NULL; + this->public.attributes = NULL; this->public.sender= NULL; this->public.receiver = NULL; this->public.scheduler = NULL; diff --git a/src/charon/daemon.h b/src/charon/daemon.h index 9da7953f0..5d590754b 100644 --- a/src/charon/daemon.h +++ b/src/charon/daemon.h @@ -30,6 +30,9 @@ * @defgroup config config * @ingroup charon * + * @defgroup attributes attributes + * @ingroup config + * * @defgroup control control * @ingroup charon * @@ -157,6 +160,7 @@ typedef struct daemon_t daemon_t; #include <bus/listeners/sys_logger.h> #include <sa/ike_sa_manager.h> #include <config/backend_manager.h> +#include <config/attributes/attribute_manager.h> #include <credentials/credential_manager.h> #include <sa/authenticators/eap/eap_manager.h> #include <plugins/plugin_loader.h> @@ -213,6 +217,11 @@ struct daemon_t { backend_manager_t *backends; /** + * Manager IKEv2 cfg payload attributes + */ + attribute_manager_t *attributes; + + /** * Manager for the credential backends */ credential_manager_t *credentials; diff --git a/src/charon/plugins/stroke/stroke_config.c b/src/charon/plugins/stroke/stroke_config.c index ef8ceed91..f4f3dbc99 100644 --- a/src/charon/plugins/stroke/stroke_config.c +++ b/src/charon/plugins/stroke/stroke_config.c @@ -354,7 +354,7 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, { identification_t *me, *other, *peer_id = NULL; peer_cfg_t *mediated_by = NULL; - host_t *my_vip = NULL, *other_vip = NULL; + host_t *vip = NULL; certificate_t *cert; u_int32_t rekey = 0, reauth = 0, over, jitter; @@ -457,21 +457,43 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this, { rekey = msg->add_conn.rekey.ike_lifetime - over; } - if (msg->add_conn.me.virtual_ip && msg->add_conn.me.sourceip) + if (msg->add_conn.me.sourceip_size) { - my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0); - } - if (msg->add_conn.other.virtual_ip && msg->add_conn.other.sourceip) - { - other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); + if (msg->add_conn.me.sourceip) + { + vip = host_create_from_string(msg->add_conn.me.sourceip, 0); + } + if (!vip) + { /* if it is set to something like %poolname, request an address */ + if (msg->add_conn.me.subnet) + { /* use the same addreass as in subnet, if any */ + if (strchr(msg->add_conn.me.subnet, '.')) + { + vip = host_create_any(AF_INET); + } + else + { + vip = host_create_any(AF_INET6); + } + } + else + { + host_t* my_host = ike_cfg->get_my_host(ike_cfg); + vip = host_create_any(my_host->get_family(my_host)); + } + } } + /* other.sourceip is managed in stroke_attributes. If it is set, we define + * the pool name as the connection name, which the attribute provider + * uses to serve pool addresses. */ return peer_cfg_create(msg->add_conn.name, msg->add_conn.ikev2 ? 2 : 1, ike_cfg, me, other, msg->add_conn.me.sendcert, msg->add_conn.auth_method, msg->add_conn.eap_type, msg->add_conn.eap_vendor, msg->add_conn.rekey.tries, rekey, reauth, jitter, over, msg->add_conn.mobike, msg->add_conn.dpd.delay, msg->add_conn.dpd.action, - my_vip, other_vip, msg->add_conn.ikeme.mediation, mediated_by, peer_id); + vip, msg->add_conn.other.sourceip ? msg->add_conn.name : NULL, + msg->add_conn.ikeme.mediation, mediated_by, peer_id); } /** diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index 14200793f..20bbd06af 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -2315,7 +2315,16 @@ static void destroy(private_ike_sa_t *this) this->my_virtual_ip); this->my_virtual_ip->destroy(this->my_virtual_ip); } - DESTROY_IF(this->other_virtual_ip); + if (this->other_virtual_ip) + { + if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg)) + { + charon->attributes->release_address(charon->attributes, + this->peer_cfg->get_pool(this->peer_cfg), + this->other_virtual_ip); + } + this->other_virtual_ip->destroy(this->other_virtual_ip); + } remove_dns_servers(this); this->dns_servers->destroy_offset(this->dns_servers, diff --git a/src/charon/sa/tasks/child_create.c b/src/charon/sa/tasks/child_create.c index 8b711e8f3..f4f814308 100644 --- a/src/charon/sa/tasks/child_create.c +++ b/src/charon/sa/tasks/child_create.c @@ -535,11 +535,10 @@ static status_t build_i(private_child_create_t *this, message_t *message) if (!this->reqid) { peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - vip = peer_cfg->get_my_virtual_ip(peer_cfg); + vip = peer_cfg->get_virtual_ip(peer_cfg); if (vip) { propose_all = TRUE; - vip->destroy(vip); } } diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c index 2af0aed96..7bd214f01 100644 --- a/src/charon/sa/tasks/ike_config.c +++ b/src/charon/sa/tasks/ike_config.c @@ -261,14 +261,14 @@ static status_t build_i(private_ike_config_t *this, message_t *message) /* reuse virtual IP if we already have one */ vip = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE); - if (vip) + if (!vip) { - this->virtual_ip = vip->clone(vip); + config = this->ike_sa->get_peer_cfg(this->ike_sa); + vip = config->get_virtual_ip(config); } - else + if (vip) { - config = this->ike_sa->get_peer_cfg(this->ike_sa); - this->virtual_ip = config->get_my_virtual_ip(config); + this->virtual_ip = vip->clone(vip); } build_payloads(this, message, CFG_REQUEST); @@ -305,11 +305,14 @@ static status_t build_r(private_ike_config_t *this, message_t *message) host_t *ip; DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip); - ip = config->get_other_virtual_ip(config, this->virtual_ip); - if (ip == NULL || ip->is_anyaddr(ip)) + ip = charon->attributes->acquire_address(charon->attributes, + config->get_pool(config), + this->ike_sa->get_other_id(this->ike_sa), + this->ike_sa->get_other_auth(this->ike_sa), + this->virtual_ip); + if (ip == NULL) { DBG1(DBG_IKE, "not assigning a virtual IP to peer"); - DESTROY_IF(ip); return SUCCESS; } DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip); @@ -318,16 +321,6 @@ static status_t build_r(private_ike_config_t *this, message_t *message) this->virtual_ip->destroy(this->virtual_ip); this->virtual_ip = ip; - /* DNS testing values - if (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS) - { - ip->destroy(ip); - ip = host_create_from_string("10.3.0.1", 0); - this->dns->insert_last(this->dns, ip); - ip = host_create_from_string("10.3.0.2", 0); - this->dns->insert_last(this->dns, ip); - } */ - build_payloads(this, message, CFG_REPLY); } return SUCCESS; @@ -354,7 +347,11 @@ static status_t process_i(private_ike_config_t *this, message_t *message) if (this->virtual_ip == NULL) { /* force a configured virtual IP, even server didn't return one */ config = this->ike_sa->get_peer_cfg(this->ike_sa); - this->virtual_ip = config->get_my_virtual_ip(config); + this->virtual_ip = config->get_virtual_ip(config); + if (this->virtual_ip) + { + this->virtual_ip = this->virtual_ip->clone(this->virtual_ip); + } } if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip)) diff --git a/src/starter/cmp.c b/src/starter/cmp.c index 03d98cbd7..610b08960 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -29,6 +29,7 @@ #define VARCMP(obj) if (c1->obj != c2->obj) return FALSE #define ADDCMP(obj) if (!sameaddr(&c1->obj,&c2->obj)) return FALSE #define SUBCMP(obj) if (!samesubnet(&c1->obj,&c2->obj)) return FALSE +#define STRCMP(obj) if (strcmp(c1->obj,c2->obj)) return FALSE static bool starter_cmp_end(starter_end_t *c1, starter_end_t *c2) @@ -45,12 +46,11 @@ starter_cmp_end(starter_end_t *c1, starter_end_t *c2) ADDCMP(addr); } ADDCMP(nexthop); - ADDCMP(srcip); + STRCMP(srcip); SUBCMP(subnet); VARCMP(has_client); VARCMP(has_client_wildcard); VARCMP(has_port_wildcard); - VARCMP(has_srcip); VARCMP(modecfg); VARCMP(port); VARCMP(protocol); diff --git a/src/starter/confread.c b/src/starter/confread.c index 0c188ee2c..bae343719 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -88,10 +88,8 @@ static void default_values(starter_config_t *cfg) anyaddr(AF_INET, &cfg->conn_default.left.addr); anyaddr(AF_INET, &cfg->conn_default.left.nexthop); - anyaddr(AF_INET, &cfg->conn_default.left.srcip); anyaddr(AF_INET, &cfg->conn_default.right.addr); anyaddr(AF_INET, &cfg->conn_default.right.nexthop); - anyaddr(AF_INET, &cfg->conn_default.right.srcip); cfg->ca_default.seen = LEMPTY; } @@ -284,28 +282,41 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token } else { + ip_address addr; + ip_subnet net; + conn->tunnel_addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip); + if (strchr(value, '/')) + { /* CIDR notation, address pool */ + ugh = ttosubnet(value, 0, conn->tunnel_addr_family, &net); + } + else if (value[0] != '%') + { /* old style fixed srcip, a %poolname otherwise */ + ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); + } if (ugh != NULL) { plog("# bad addr: %s=%s [%s]", name, value, ugh); goto err; } - end->has_srcip = TRUE; + end->srcip = clone_str(value, "srcip"); } conn->policy |= POLICY_TUNNEL; break; case KW_NATIP: - if (end->has_srcip) + if (end->srcip) { plog("# natip and sourceip cannot be defined at the same time"); goto err; } if (streq(value, "%defaultroute")) { + char buf[64]; + if (cfg->defaultroute.defined) { - end->srcip = cfg->defaultroute.addr; + addrtot(&cfg->defaultroute.addr, 0, buf, sizeof(buf)); + end->srcip = clone_str(buf, "natip"); } else { @@ -315,13 +326,16 @@ kw_end(starter_conn_t *conn, starter_end_t *end, kw_token_t token } else { + ip_address addr; + conn->tunnel_addr_family = ip_version(value); - ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &end->srcip); + ugh = ttoaddr(value, 0, conn->tunnel_addr_family, &addr); if (ugh != NULL) { plog("# bad addr: %s=%s [%s]", name, value, ugh); goto err; } + end->srcip = clone_str(value, "srcip"); } end->has_natip = TRUE; conn->policy |= POLICY_TUNNEL; diff --git a/src/starter/confread.h b/src/starter/confread.h index 4ccf6284c..ae25a0843 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -67,12 +67,10 @@ struct starter_end { char *iface; ip_address addr; ip_address nexthop; - ip_address srcip; ip_subnet subnet; bool has_client; bool has_client_wildcard; bool has_port_wildcard; - bool has_srcip; bool has_natip; bool modecfg; certpolicy_t sendcert; @@ -84,6 +82,7 @@ struct starter_end { u_int16_t port; u_int8_t protocol; char *virt; + char *srcip; }; typedef struct also also_t; diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 83db1430c..025cd66f4 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -170,15 +170,47 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->tohost = !conn_end->has_client; msg_end->protocol = conn_end->protocol; msg_end->port = conn_end->port; - msg_end->virtual_ip = conn_end->modecfg || conn_end->has_srcip; - ip_address2string(&conn_end->srcip, buffer, sizeof(buffer)); - msg_end->sourceip = push_string(msg, buffer); + if (conn_end->srcip) + { + if (conn_end->srcip[0] == '%') + { /* %poolname, strip % */ + msg_end->sourceip_size = 0; + msg_end->sourceip = push_string(msg, conn_end->srcip + 1); + } + else + { + char *pos = strchr(conn_end->srcip, '/'); + if (pos) + { /* CIDR subnet definition */ + snprintf(buffer, pos - conn_end->srcip + 1, "%s", conn_end->srcip); + msg_end->sourceip = push_string(msg, buffer); + msg_end->sourceip_size = atoi(pos + 1); + } + else + { /* a sigle address */ + msg_end->sourceip = push_string(msg, conn_end->srcip); + if (strchr(conn_end->srcip, ':')) + { /* IPv6 */ + msg_end->sourceip_size = 128; + } + else + { /* IPv4 */ + msg_end->sourceip_size = 32; + } + } + } + } + else if (conn_end->modecfg) + { + msg_end->sourceip_size = 1; + } } int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) { stroke_msg_t msg; + memset(&msg, 0, sizeof(msg)); msg.type = STR_ADD_CONN; msg.length = offsetof(stroke_msg_t, buffer); msg.add_conn.ikev2 = conn->keyexchange == KEY_EXCHANGE_IKEV2; @@ -213,15 +245,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mode = 0; /* XFRM_MODE_TUNNEL */ } - if (conn->policy & POLICY_DONT_REKEY) - { - msg.add_conn.rekey.ipsec_lifetime = 0; - msg.add_conn.rekey.ike_lifetime = 0; - msg.add_conn.rekey.margin = 0; - msg.add_conn.rekey.tries = 0; - msg.add_conn.rekey.fuzz = 0; - } - else + if (!(conn->policy & POLICY_DONT_REKEY)) { msg.add_conn.rekey.reauth = (conn->policy & POLICY_DONT_REAUTH) == LEMPTY; msg.add_conn.rekey.ipsec_lifetime = conn->sa_ipsec_life_seconds; diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 019489eec..970c74d20 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c @@ -149,13 +149,28 @@ connection_name(starter_conn_t *conn) static void set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family) -{ +{ + if (end->srcip && end->srcip[0] != '%') + { + int len = 0; + char *pos, *v6; + + pos = strchr(end->srcip, '/'); + v6 = strchr(end->srcip, ':'); + if (pos) + { + /* use first address only for pluto */ + len = pos - end->srcip; + } + w->has_srcip = 1; + ttoaddr(end->srcip, len, v6 ? AF_INET6 : AF_INET, &w->host_srcip); + } + w->id = end->id; w->cert = end->cert; w->ca = end->ca; w->groups = end->groups; w->host_addr = end->addr; - w->host_srcip = end->srcip; w->has_client = end->has_client; if (family == AF_INET6 && isanyaddr(&end->nexthop)) @@ -171,7 +186,6 @@ set_whack_end(whack_end_t *w, starter_end_t *end, sa_family_t family) w->has_client_wildcard = end->has_client_wildcard; w->has_port_wildcard = end->has_port_wildcard; - w->has_srcip = end->has_srcip; w->has_natip = end->has_natip; w->allow_any = end->allow_any && !end->dns_failed; w->modecfg = end->modecfg; diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 3f2a661ba..77436801c 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -105,61 +105,28 @@ static int add_connection(char *name, { stroke_msg_t msg; + memset(&msg, 0, sizeof(msg)); msg.length = offsetof(stroke_msg_t, buffer); msg.type = STR_ADD_CONN; msg.add_conn.name = push_string(&msg, name); msg.add_conn.ikev2 = 1; msg.add_conn.auth_method = 2; - msg.add_conn.eap_type = 0; msg.add_conn.mode = 1; msg.add_conn.mobike = 1; - msg.add_conn.force_encap = 0; - - msg.add_conn.rekey.reauth = 0; - msg.add_conn.rekey.ipsec_lifetime = 0; - msg.add_conn.rekey.ike_lifetime = 0; - msg.add_conn.rekey.margin = 0; - msg.add_conn.rekey.tries = 0; - msg.add_conn.rekey.fuzz = 0; - - msg.add_conn.algorithms.ike = NULL; - msg.add_conn.algorithms.esp = NULL; - - msg.add_conn.dpd.delay = 0; msg.add_conn.dpd.action = 1; - msg.add_conn.ikeme.mediation = 0; - msg.add_conn.ikeme.mediated_by = NULL; - msg.add_conn.ikeme.peerid = NULL; - msg.add_conn.me.id = push_string(&msg, my_id); msg.add_conn.me.address = push_string(&msg, my_addr); msg.add_conn.me.subnet = push_string(&msg, my_net); msg.add_conn.me.subnet_mask = my_netmask; - msg.add_conn.me.sourceip = NULL; - msg.add_conn.me.virtual_ip = 0; - msg.add_conn.me.cert = NULL; - msg.add_conn.me.ca = NULL; msg.add_conn.me.sendcert = 1; - msg.add_conn.me.hostaccess = 0; - msg.add_conn.me.tohost = 0; - msg.add_conn.me.protocol = 0; - msg.add_conn.me.port = 0; msg.add_conn.other.id = push_string(&msg, other_id); msg.add_conn.other.address = push_string(&msg, other_addr); msg.add_conn.other.subnet = push_string(&msg, other_net); msg.add_conn.other.subnet_mask = other_netmask; - msg.add_conn.other.sourceip = NULL; - msg.add_conn.other.virtual_ip = 0; - msg.add_conn.other.cert = NULL; - msg.add_conn.other.ca = NULL; msg.add_conn.other.sendcert = 1; - msg.add_conn.other.hostaccess = 0; - msg.add_conn.other.tohost = 0; - msg.add_conn.other.protocol = 0; - msg.add_conn.other.port = 0; return send_stroke_msg(&msg); } diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index c48ebe812..4ba4b5da9 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -126,7 +126,7 @@ struct stroke_end_t { char *updown; char *address; char *sourceip; - u_int8_t virtual_ip; + int sourceip_size; char *subnet; int subnet_mask; int sendcert; |