diff options
Diffstat (limited to 'src/charon/sa')
| -rw-r--r-- | src/charon/sa/ike_sa.c | 221 | ||||
| -rw-r--r-- | src/charon/sa/ike_sa.h | 17 | ||||
| -rw-r--r-- | src/charon/sa/tasks/ike_config.c | 277 |
3 files changed, 141 insertions, 374 deletions
diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index fd70e9941..4a14da580 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -57,10 +57,6 @@ #include <processing/jobs/initiate_mediation_job.h> #endif -#ifndef RESOLV_CONF -#define RESOLV_CONF "/etc/resolv.conf" -#endif - ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, "CREATED", "CONNECTING", @@ -72,17 +68,18 @@ ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, ); typedef struct private_ike_sa_t private_ike_sa_t; +typedef struct attribute_entry_t attribute_entry_t; /** * Private data of an ike_sa_t object. */ struct private_ike_sa_t { - + /** * Public members */ ike_sa_t public; - + /** * Identifier for the current IKE_SA. */ @@ -96,7 +93,7 @@ struct private_ike_sa_t { /** * Current state of the IKE_SA */ - ike_sa_state_t state; + ike_sa_state_t state; /** * IKE configuration used to set up this IKE_SA @@ -179,7 +176,7 @@ struct private_ike_sa_t { * set of condition flags currently enabled for this IKE_SA */ ike_condition_t conditions; - + /** * Linked List containing the child sa's of the current IKE_SA. */ @@ -201,9 +198,9 @@ struct private_ike_sa_t { host_t *other_virtual_ip; /** - * List of DNS servers installed by us + * List of configuration attributes (attribute_entry_t) */ - linked_list_t *dns_servers; + linked_list_t *attributes; /** * list of peers additional addresses, transmitted via MOBIKE @@ -219,7 +216,7 @@ struct private_ike_sa_t { * number pending UPDATE_SA_ADDRESS (MOBIKE) */ u_int32_t pending_updates; - + /** * NAT keep alive interval */ @@ -234,12 +231,12 @@ struct private_ike_sa_t { * how many times we have retried so far (keyingtries) */ u_int32_t keyingtry; - + /** * local host address to be used for IKE, set via MIGRATE kernel message */ host_t *local_host; - + /** * remote host address to be used for IKE, set via MIGRATE kernel message */ @@ -247,6 +244,18 @@ struct private_ike_sa_t { }; /** + * Entry to maintain install configuration attributes during IKE_SA lifetime + */ +struct attribute_entry_t { + /** handler used to install this attribute */ + attribute_handler_t *handler; + /** attribute type */ + configuration_attribute_type_t type; + /** attribute data */ + chunk_t data; +}; + +/** * get the time of the latest traffic processed by the kernel */ static time_t get_use_time(private_ike_sa_t* this, bool inbound) @@ -1996,12 +2005,34 @@ static status_t roam(private_ike_sa_t *this, bool address) } /** + * Implementation of ike_sa_t.add_configuration_attribute + */ +static void add_configuration_attribute(private_ike_sa_t *this, + configuration_attribute_type_t type, chunk_t data) +{ + attribute_entry_t *entry; + attribute_handler_t *handler; + + handler = charon->attributes->handle(charon->attributes, + &this->public, type, data); + if (handler) + { + entry = malloc_thing(attribute_entry_t); + entry->handler = handler; + entry->type = type; + entry->data = chunk_clone(data); + + this->attributes->insert_last(this->attributes, entry); + } +} + +/** * Implementation of ike_sa_t.inherit. */ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) { child_sa_t *child_sa; - host_t *ip; + attribute_entry_t *entry; /* apply hosts and ids */ this->my_host->destroy(this->my_host); @@ -2025,11 +2056,11 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) other->other_virtual_ip = NULL; } - /* ... and DNS servers */ - while (other->dns_servers->remove_last(other->dns_servers, - (void**)&ip) == SUCCESS) + /* ... and configuration attributes */ + while (other->attributes->remove_last(other->attributes, + (void**)&entry) == SUCCESS) { - this->dns_servers->insert_first(this->dns_servers, ip); + this->attributes->insert_first(this->attributes, entry); } /* inherit all conditions */ @@ -2082,147 +2113,27 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) } /** - * Implementation of ike_sa_t.remove_dns_server - */ -static void remove_dns_servers(private_ike_sa_t *this) -{ - FILE *file; - struct stat stats; - chunk_t contents, line, orig_line, token; - char string[INET6_ADDRSTRLEN]; - host_t *ip; - iterator_t *iterator; - - if (this->dns_servers->get_count(this->dns_servers) == 0) - { - /* don't touch anything if we have no nameservers installed */ - return; - } - - file = fopen(RESOLV_CONF, "r"); - if (file == NULL || stat(RESOLV_CONF, &stats) != 0) - { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", - RESOLV_CONF, strerror(errno)); - return; - } - - contents = chunk_alloca((size_t)stats.st_size); - - if (fread(contents.ptr, 1, contents.len, file) != contents.len) - { - DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno)); - fclose(file); - return; - } - - fclose(file); - file = fopen(RESOLV_CONF, "w"); - if (file == NULL) - { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", - RESOLV_CONF, strerror(errno)); - return; - } - - iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE); - while (fetchline(&contents, &line)) - { - bool found = FALSE; - orig_line = line; - if (extract_token(&token, ' ', &line) && - strncasecmp(token.ptr, "nameserver", token.len) == 0) - { - if (!extract_token(&token, ' ', &line)) - { - token = line; - } - iterator->reset(iterator); - while (iterator->iterate(iterator, (void**)&ip)) - { - snprintf(string, sizeof(string), "%H", ip); - if (strlen(string) == token.len && - strncmp(token.ptr, string, token.len) == 0) - { - iterator->remove(iterator); - ip->destroy(ip); - found = TRUE; - break; - } - } - } - - if (!found) - { - /* write line untouched back to file */ - ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file)); - fprintf(file, "\n"); - } - } - iterator->destroy(iterator); - fclose(file); -} - -/** - * Implementation of ike_sa_t.add_dns_server - */ -static void add_dns_server(private_ike_sa_t *this, host_t *dns) -{ - FILE *file; - struct stat stats; - chunk_t contents; - - DBG1(DBG_IKE, "installing DNS server %H", dns); - - file = fopen(RESOLV_CONF, "a+"); - if (file == NULL || stat(RESOLV_CONF, &stats) != 0) - { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", - RESOLV_CONF, strerror(errno)); - return; - } - - contents = chunk_alloca(stats.st_size); - - if (fread(contents.ptr, 1, contents.len, file) != contents.len) - { - DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno)); - fclose(file); - return; - } - - fclose(file); - file = fopen(RESOLV_CONF, "w"); - if (file == NULL) - { - DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s", - RESOLV_CONF, strerror(errno)); - return; - } - - if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n", - dns, this->other_id) < 0) - { - DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno)); - } - else - { - this->dns_servers->insert_last(this->dns_servers, dns->clone(dns)); - } - ignore_result(fwrite(contents.ptr, contents.len, 1, file)); - - fclose(file); -} - -/** * Implementation of ike_sa_t.destroy. */ static void destroy(private_ike_sa_t *this) { + attribute_entry_t *entry; + charon->bus->set_sa(charon->bus, &this->public); set_state(this, IKE_DESTROYING); + /* remove attributes first, as we pass the IKE_SA to the handler */ + while (this->attributes->remove_last(this->attributes, + (void**)&entry) == SUCCESS) + { + charon->attributes->release(charon->attributes, entry->handler, + &this->public, entry->type, entry->data); + free(entry->data.ptr); + free(entry); + } + this->attributes->destroy(this->attributes); + this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy)); /* unset SA after here to avoid usage by the listeners */ @@ -2247,10 +2158,6 @@ static void destroy(private_ike_sa_t *this) } this->other_virtual_ip->destroy(this->other_virtual_ip); } - - remove_dns_servers(this); - this->dns_servers->destroy_offset(this->dns_servers, - offsetof(host_t, destroy)); this->additional_addresses->destroy_offset(this->additional_addresses, offsetof(host_t, destroy)); #ifdef ME @@ -2351,7 +2258,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id; this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip; this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip; - this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server; + this->public.add_configuration_attribute = (void(*)(ike_sa_t*, configuration_attribute_type_t type, chunk_t data))add_configuration_attribute; this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress; #ifdef ME this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server; @@ -2391,8 +2298,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->unique_id = ++unique_id; this->my_virtual_ip = NULL; this->other_virtual_ip = NULL; - this->dns_servers = linked_list_create(); this->additional_addresses = linked_list_create(); + this->attributes = linked_list_create(); this->nat_detection_dest = chunk_empty; this->pending_updates = 0; this->keyingtry = 0; diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index c9d3b97f3..e17175bf1 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -35,6 +35,7 @@ typedef struct ike_sa_t ike_sa_t; #include <library.h> #include <encoding/message.h> #include <encoding/payloads/proposal_substructure.h> +#include <encoding/payloads/configuration_attribute.h> #include <sa/ike_sa_id.h> #include <sa/child_sa.h> #include <sa/tasks/task.h> @@ -868,14 +869,18 @@ struct ike_sa_t { host_t* (*get_virtual_ip) (ike_sa_t *this, bool local); /** - * Add a DNS server to the system. + * Register a configuration attribute to the IKE_SA. * - * An IRAS may send a DNS server. To use it, it is installed on the - * system. The DNS entry has a lifetime until the IKE_SA gets closed. + * If an IRAS sends a configuration attribute it is installed and + * registered at the IKE_SA. Attributes are inherit()ed and get released + * when the IKE_SA is closed. * - * @param dns DNS server to install on the system + * @param handler handler installed the attribute, use for release() + * @param type configuration attribute type + * @param data associated attribute data */ - void (*add_dns_server) (ike_sa_t *this, host_t *dns); + void (*add_configuration_attribute)(ike_sa_t *this, + configuration_attribute_type_t type, chunk_t data); /** * Set local and remote host addresses to be used for IKE. @@ -887,7 +892,7 @@ struct ike_sa_t { * @param remote remote kmaddress */ void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote); - + /** * Inherit all attributes of other to this after rekeying. * diff --git a/src/charon/sa/tasks/ike_config.c b/src/charon/sa/tasks/ike_config.c index cb769f9b4..2e2696722 100644 --- a/src/charon/sa/tasks/ike_config.c +++ b/src/charon/sa/tasks/ike_config.c @@ -50,54 +50,34 @@ struct private_ike_config_t { * virtual ip */ host_t *virtual_ip; - - /** - * list of DNS servers - */ - linked_list_t *dns; - - /** - * list of WINS servers - */ - linked_list_t *nbns; }; /** - * build configuration payloads and attributes + * build INTERNAL_IPV4/6_ADDRESS from virtual ip */ -static void build_payloads(private_ike_config_t *this, message_t *message, - config_type_t type) +static void build_vip(private_ike_config_t *this, host_t *vip, cp_payload_t *cp) { - cp_payload_t *cp; configuration_attribute_t *ca; chunk_t chunk, prefix; - if (!this->virtual_ip) - { - return; - } - - cp = cp_payload_create(); - cp->set_config_type(cp, type); - ca = configuration_attribute_create(); - if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET) + if (vip->get_family(vip) == AF_INET) { ca->set_type(ca, INTERNAL_IP4_ADDRESS); - if (this->virtual_ip->is_anyaddr(this->virtual_ip)) + if (vip->is_anyaddr(vip)) { chunk = chunk_empty; } else { - chunk = this->virtual_ip->get_address(this->virtual_ip); + chunk = vip->get_address(vip); } } else { ca->set_type(ca, INTERNAL_IP6_ADDRESS); - if (this->virtual_ip->is_anyaddr(this->virtual_ip)) + if (vip->is_anyaddr(vip)) { chunk = chunk_empty; } @@ -105,71 +85,12 @@ static void build_payloads(private_ike_config_t *this, message_t *message, { prefix = chunk_alloca(1); *prefix.ptr = 64; - chunk = this->virtual_ip->get_address(this->virtual_ip); + chunk = vip->get_address(vip); chunk = chunk_cata("cc", chunk, prefix); } } ca->set_value(ca, chunk); cp->add_configuration_attribute(cp, ca); - - /* we currently always add a DNS request if we request an IP */ - if (this->initiator) - { - ca = configuration_attribute_create(); - if (this->virtual_ip->get_family(this->virtual_ip) == AF_INET) - { - ca->set_type(ca, INTERNAL_IP4_DNS); - } - else - { - ca->set_type(ca, INTERNAL_IP6_DNS); - } - cp->add_configuration_attribute(cp, ca); - } - else - { - host_t *ip; - iterator_t *iterator; - - /* Add internal DNS servers */ - iterator = this->dns->create_iterator(this->dns, TRUE); - while (iterator->iterate(iterator, (void**)&ip)) - { - ca = configuration_attribute_create(); - if (ip->get_family(ip) == AF_INET) - { - ca->set_type(ca, INTERNAL_IP4_DNS); - } - else - { - ca->set_type(ca, INTERNAL_IP6_DNS); - } - chunk = ip->get_address(ip); - ca->set_value(ca, chunk); - cp->add_configuration_attribute(cp, ca); - } - iterator->destroy(iterator); - - /* Add internal WINS servers */ - iterator = this->nbns->create_iterator(this->nbns, TRUE); - while (iterator->iterate(iterator, (void**)&ip)) - { - ca = configuration_attribute_create(); - if (ip->get_family(ip) == AF_INET) - { - ca->set_type(ca, INTERNAL_IP4_NBNS); - } - else - { - ca->set_type(ca, INTERNAL_IP6_NBNS); - } - chunk = ip->get_address(ip); - ca->set_value(ca, chunk); - cp->add_configuration_attribute(cp, ca); - } - iterator->destroy(iterator); - } - message->add_payload(message, (payload_t*)cp); } /** @@ -203,55 +124,23 @@ static void process_attribute(private_ike_config_t *this, } ip = host_create_from_chunk(family, addr, 0); } - if (ip && !this->virtual_ip) - { - this->virtual_ip = ip; - } - break; - } - case INTERNAL_IP4_DNS: - family = AF_INET; - /* fall */ - case INTERNAL_IP6_DNS: - { - addr = ca->get_value(ca); - if (addr.len == 0) - { - ip = host_create_any(family); - } - else - { - ip = host_create_from_chunk(family, addr, 0); - } if (ip) { - this->dns->insert_last(this->dns, ip); + DESTROY_IF(this->virtual_ip); + this->virtual_ip = ip; } break; } - case INTERNAL_IP4_NBNS: - case INTERNAL_IP6_NBNS: - { - addr = ca->get_value(ca); - if (addr.len == 0) + default: + if (this->initiator) { - ip = host_create_any(family); + this->ike_sa->add_configuration_attribute(this->ike_sa, + ca->get_type(ca), ca->get_value(ca)); } else { - ip = host_create_from_chunk(family, addr, 0); + /* we do not handle attribute requests other than for VIPs */ } - if (ip) - { - this->nbns->insert_last(this->nbns, ip); - } - break; - } - default: - DBG1(DBG_IKE, "ignoring %N config attribute", - configuration_attribute_type_names, - ca->get_type(ca)); - break; } } @@ -313,12 +202,28 @@ static status_t build_i(private_ike_config_t *this, message_t *message) } if (vip) { - this->virtual_ip = vip->clone(vip); + configuration_attribute_t *ca; + cp_payload_t *cp; + + cp = cp_payload_create(); + cp->set_config_type(cp, CFG_REQUEST); + + build_vip(this, vip, cp); + + /* we currently always add a DNS request if we request an IP */ + ca = configuration_attribute_create(); + if (vip->get_family(vip) == AF_INET) + { + ca->set_type(ca, INTERNAL_IP4_DNS); + } + else + { + ca->set_type(ca, INTERNAL_IP6_DNS); + } + cp->add_configuration_attribute(cp, ca); + message->add_payload(message, (payload_t*)cp); } - - build_payloads(this, message, CFG_REQUEST); } - return NEED_MORE; } @@ -345,17 +250,22 @@ static status_t build_r(private_ike_config_t *this, message_t *message) if (config && this->virtual_ip) { - host_t *ip = NULL; + enumerator_t *enumerator; + configuration_attribute_type_t type; + configuration_attribute_t *ca; + chunk_t value; + cp_payload_t *cp; + host_t *vip = NULL; DBG1(DBG_IKE, "peer requested virtual IP %H", this->virtual_ip); if (config->get_pool(config)) { - ip = charon->attributes->acquire_address(charon->attributes, + vip = charon->attributes->acquire_address(charon->attributes, config->get_pool(config), this->ike_sa->get_other_id(this->ike_sa), this->virtual_ip); } - if (ip == NULL) + if (vip == NULL) { DBG1(DBG_IKE, "no virtual IP found, sending %N", notify_type_names, INTERNAL_ADDRESS_FAILURE); @@ -363,13 +273,27 @@ static status_t build_r(private_ike_config_t *this, message_t *message) chunk_empty); return SUCCESS; } - DBG1(DBG_IKE, "assigning virtual IP %H to peer", ip); - this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, ip); + DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip); + this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip); + + cp = cp_payload_create(); + cp->set_config_type(cp, CFG_REQUEST); - this->virtual_ip->destroy(this->virtual_ip); - this->virtual_ip = ip; + build_vip(this, vip, cp); - build_payloads(this, message, CFG_REPLY); + /* if we add an IP, we also look for other attributes */ + enumerator = charon->attributes->create_attribute_enumerator( + charon->attributes, this->ike_sa->get_other_id(this->ike_sa)); + while (enumerator->enumerate(enumerator, &type, &value)) + { + ca = configuration_attribute_create(); + ca->set_type(ca, type); + ca->set_value(ca, value); + cp->add_configuration_attribute(cp, ca); + } + enumerator->destroy(enumerator); + + message->add_payload(message, (payload_t*)cp); } return SUCCESS; } @@ -383,36 +307,12 @@ static status_t process_i(private_ike_config_t *this, message_t *message) { if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED) { /* in last IKE_AUTH exchange */ - host_t *ip; - peer_cfg_t *config; - DESTROY_IF(this->virtual_ip); - this->virtual_ip = NULL; - process_payloads(this, message); - if (this->virtual_ip == NULL) - { /* force a configured virtual IP, even if server didn't return one */ - config = this->ike_sa->get_peer_cfg(this->ike_sa); - this->virtual_ip = config->get_virtual_ip(config); - if (this->virtual_ip) - { - this->virtual_ip = this->virtual_ip->clone(this->virtual_ip); - } - } - - if (this->virtual_ip && !this->virtual_ip->is_anyaddr(this->virtual_ip)) + if (this->virtual_ip) { this->ike_sa->set_virtual_ip(this->ike_sa, TRUE, this->virtual_ip); - - while (this->dns->remove_last(this->dns, (void**)&ip) == SUCCESS) - { - if (!ip->is_anyaddr(ip)) - { - this->ike_sa->add_dns_server(this->ike_sa, ip); - } - ip->destroy(ip); - } } return SUCCESS; } @@ -433,11 +333,9 @@ static task_type_t get_type(private_ike_config_t *this) static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa) { DESTROY_IF(this->virtual_ip); - this->dns->destroy_offset(this->dns, offsetof(host_t, destroy)); this->ike_sa = ike_sa; this->virtual_ip = NULL; - this->dns = linked_list_create(); } /** @@ -446,8 +344,6 @@ static void migrate(private_ike_config_t *this, ike_sa_t *ike_sa) static void destroy(private_ike_config_t *this) { DESTROY_IF(this->virtual_ip); - this->dns->destroy_offset(this->dns, offsetof(host_t, destroy)); - this->nbns->destroy_offset(this->nbns, offsetof(host_t, destroy)); free(this); } @@ -457,7 +353,7 @@ static void destroy(private_ike_config_t *this) ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator) { private_ike_config_t *this = malloc_thing(private_ike_config_t); - + this->public.task.get_type = (task_type_t(*)(task_t*))get_type; this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; this->public.task.destroy = (void(*)(task_t*))destroy; @@ -465,9 +361,7 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator) this->initiator = initiator; this->ike_sa = ike_sa; this->virtual_ip = NULL; - this->dns = linked_list_create(); - this->nbns = linked_list_create(); - + if (initiator) { this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; @@ -475,49 +369,10 @@ ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator) } else { - int i; - - /* assign DNS servers */ - for (i = 1; i <= DNS_SERVER_MAX; i++) - { - char dns_key[16], *dns_str; - - snprintf(dns_key, sizeof(dns_key), "charon.dns%d", i); - dns_str = lib->settings->get_str(lib->settings, dns_key, NULL); - if (dns_str) - { - host_t *dns = host_create_from_string(dns_str, 0); - - if (dns) - { - DBG2(DBG_CFG, "assigning DNS server %H to peer", dns); - this->dns->insert_last(this->dns, dns); - } - } - } - - /* assign WINS servers */ - for (i = 1; i <= NBNS_SERVER_MAX; i++) - { - char nbns_key[16], *nbns_str; - - snprintf(nbns_key, sizeof(nbns_key), "charon.nbns%d", i); - nbns_str = lib->settings->get_str(lib->settings, nbns_key, NULL); - if (nbns_str) - { - host_t *nbns = host_create_from_string(nbns_str, 0); - - if (nbns) - { - DBG2(DBG_CFG, "assigning NBNS server %H to peer", nbns); - this->nbns->insert_last(this->nbns, nbns); - } - } - } - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; } - + return &this->public; } + |