aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/charon/plugins/uci/uci_config.c166
-rw-r--r--src/charon/plugins/uci/uci_creds.c32
2 files changed, 158 insertions, 40 deletions
diff --git a/src/charon/plugins/uci/uci_config.c b/src/charon/plugins/uci/uci_config.c
index 8f35ccc19..0ba94cdcf 100644
--- a/src/charon/plugins/uci/uci_config.c
+++ b/src/charon/plugins/uci/uci_config.c
@@ -17,6 +17,9 @@
* $Id$
*/
+#define _GNU_SOURCE
+#include <string.h>
+
#include "uci_config.h"
#include "uci_parser.h"
@@ -53,43 +56,140 @@ typedef struct {
} peer_enumerator_t;
/**
+ * create a proposal from a string, with fallback to default
+ */
+static proposal_t *create_proposal(char *string, protocol_id_t proto)
+{
+ proposal_t *proposal = NULL;
+
+ if (string)
+ {
+ proposal = proposal_create_from_string(proto, string);
+ }
+ if (!proposal)
+ {
+ proposal = proposal_create_default(proto);
+ }
+ return proposal;
+}
+
+/**
+ * create an identity, with fallback to %any
+ */
+static identification_t *create_id(char *string)
+{
+ identification_t *id = NULL;
+
+ if (string)
+ {
+ id = identification_create_from_string(string);
+ }
+ if (!id)
+ {
+ id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ }
+ return id;
+}
+
+/**
+ * create an traffic selector, fallback to dynamic
+ */
+static traffic_selector_t *create_ts(char *string)
+{
+ if (string)
+ {
+ int netbits = 32;
+ host_t *net;
+ char *pos;
+
+ string = strdupa(string);
+ pos = strchr(string, '/');
+ if (pos)
+ {
+ *pos++ = '\0';
+ netbits = atoi(pos);
+ }
+ else
+ {
+ if (strchr(string, ':'))
+ {
+ netbits = 128;
+ }
+ }
+ net = host_create_from_string(string, 0);
+ if (net)
+ {
+ return traffic_selector_create_from_subnet(net, netbits, 0, 0);
+ }
+ }
+ return traffic_selector_create_dynamic(0, 0, 65535);
+}
+
+/**
+ * create a rekey time from a string with hours, with fallback
+ */
+static u_int create_rekey(char *string)
+{
+ u_int rekey = 0;
+
+ if (string)
+ {
+ rekey = atoi(string);
+ if (rekey)
+ {
+ return rekey * 3600;
+ }
+ }
+ /* every 12 hours */
+ return 12 * 3600;
+}
+
+/**
* Implementation of peer_enumerator_t.public.enumerate
*/
static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
{
- char *name, *local_id, *remote_ip;
+ char *name, *ike_proposal, *esp_proposal, *ike_rekey, *esp_rekey;
+ char *local_id, *local_addr, *local_net;
+ char *remote_id, *remote_addr, *remote_net;
child_cfg_t *child_cfg;
ike_cfg_t *ike_cfg;
/* defaults */
name = "unnamed";
- local_id = "%any";
- remote_ip = "0.0.0.0";
+ local_id = NULL;
+ remote_id = NULL;
+ local_addr = "0.0.0.0";
+ remote_addr = "0.0.0.0";
+ local_net = NULL;
+ remote_net = NULL;
+ ike_proposal = NULL;
+ esp_proposal = NULL;
+ ike_rekey = NULL;
+ esp_rekey = NULL;
- if (this->inner->enumerate(this->inner, &name, &local_id, &remote_ip))
+ if (this->inner->enumerate(this->inner, &name, &local_id, &remote_id,
+ &local_addr, &remote_addr, &local_net, &remote_net,
+ &ike_proposal, &esp_proposal, &ike_rekey, &esp_rekey))
{
DESTROY_IF(this->peer_cfg);
- ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", remote_ip);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+ ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
+ ike_cfg->add_proposal(ike_cfg, create_proposal(ike_proposal, PROTO_IKE));
this->peer_cfg = peer_cfg_create(
- name, 2, ike_cfg,
- identification_create_from_string(local_id),
- identification_create_from_encoding(ID_ANY, chunk_empty),
+ name, 2, ike_cfg, create_id(local_id), create_id(remote_id),
CERT_SEND_IF_ASKED, UNIQUE_NO, CONF_AUTH_PSK,
- 0, 0, /* EAP method, vendor */
- 1, 3600*12, 0, /* keytries, rekey, reauth */
- 3600, 1800, /* jitter, overtime */
- TRUE, 60, /* mobike, dpddelay */
- NULL, NULL, /* vip, pool */
- FALSE, NULL, NULL); /* mediation, med by, peer id */
- child_cfg = child_cfg_create(
- name, 3600*4, 3600*3, 360, NULL, TRUE,
- MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
- child_cfg->add_traffic_selector(child_cfg, TRUE,
- traffic_selector_create_dynamic(0, 0, 65535));
- child_cfg->add_traffic_selector(child_cfg, FALSE,
- traffic_selector_create_dynamic(0, 0, 65535));
+ 0, 0, /* EAP method, vendor */
+ 1, create_rekey(ike_rekey), 0, /* keytries, rekey, reauth */
+ 1800, 900, /* jitter, overtime */
+ TRUE, 60, /* mobike, dpddelay */
+ NULL, NULL, /* vip, pool */
+ FALSE, NULL, NULL); /* mediation, med by, peer id */
+ child_cfg = child_cfg_create(name,
+ create_rekey(esp_rekey) + 300, create_rekey(ike_rekey), 300,
+ NULL, TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE);
+ child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_IKE));
+ child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net));
+ child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net));
this->peer_cfg->add_child_cfg(this->peer_cfg, child_cfg);
*cfg = this->peer_cfg;
return TRUE;
@@ -120,7 +220,9 @@ static enumerator_t* create_peer_cfg_enumerator(private_uci_config_t *this,
e->public.destroy = (void*)peer_enumerator_destroy;
e->peer_cfg = NULL;
e->inner = this->parser->create_section_enumerator(this->parser,
- "local_id", "remote_ip", NULL);
+ "local_id", "remote_id", "local_addr", "remote_addr",
+ "local_net", "remote_net", "ike_proposal", "esp_proposal",
+ "ike_rekey", "esp_rekey", NULL);
if (!e->inner)
{
free(e);
@@ -146,18 +248,20 @@ typedef struct {
*/
static bool ike_enumerator_enumerate(ike_enumerator_t *this, ike_cfg_t **cfg)
{
- char *name, *remote_ip;
+ char *local_addr, *remote_addr, *ike_proposal;
/* defaults */
- name = "unnamed";
- remote_ip = "0.0.0.0";
+ local_addr = "0.0.0.0";
+ remote_addr = "0.0.0.0";
+ ike_proposal = NULL;
- if (this->inner->enumerate(this->inner, &name, &remote_ip))
+ if (this->inner->enumerate(this->inner, NULL,
+ &local_addr, &remote_addr, &ike_proposal))
{
DESTROY_IF(this->ike_cfg);
- this->ike_cfg = ike_cfg_create(FALSE, FALSE, "0.0.0.0", remote_ip);
+ this->ike_cfg = ike_cfg_create(FALSE, FALSE, local_addr, remote_addr);
this->ike_cfg->add_proposal(this->ike_cfg,
- proposal_create_default(PROTO_IKE));
+ create_proposal(ike_proposal, PROTO_IKE));
*cfg = this->ike_cfg;
return TRUE;
@@ -187,7 +291,7 @@ static enumerator_t* create_ike_cfg_enumerator(private_uci_config_t *this,
e->public.destroy = (void*)ike_enumerator_destroy;
e->ike_cfg = NULL;
e->inner = this->parser->create_section_enumerator(this->parser,
- "remote_ip", NULL);
+ "local_addr", "remote_addr", "ike_proposal", NULL);
if (!e->inner)
{
free(e);
diff --git a/src/charon/plugins/uci/uci_creds.c b/src/charon/plugins/uci/uci_creds.c
index f55980cfa..60f6fc934 100644
--- a/src/charon/plugins/uci/uci_creds.c
+++ b/src/charon/plugins/uci/uci_creds.c
@@ -59,16 +59,18 @@ typedef struct {
static bool shared_enumerator_enumerate(shared_enumerator_t *this,
shared_key_t **key, id_match_t *me, id_match_t *other)
{
- char *local_id, *psk;
- identification_t *local;
+ char *local_id, *remote_id, *psk;
+ identification_t *local, *remote;
while (TRUE)
{
/* defaults */
local_id = "%any";
+ remote_id = "%any";
psk = NULL;
- if (!this->inner->enumerate(this->inner, NULL, &local_id, &psk))
+ if (!this->inner->enumerate(this->inner, NULL,
+ &local_id, &remote_id, &psk))
{
return FALSE;
}
@@ -83,23 +85,35 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this,
{
continue;
}
- *me = this->me ? this->me->matches(this->me, local) : ID_MATCH_ANY;
+ *me = this->me ? this->me->matches(this->me, local)
+ : ID_MATCH_ANY;
local->destroy(local);
if (!*me)
{
continue;
}
}
+ if (other)
+ {
+ remote = identification_create_from_string(remote_id);
+ if (!remote)
+ {
+ continue;
+ }
+ *other = this->other ? this->other->matches(this->other, remote)
+ : ID_MATCH_ANY;
+ remote->destroy(remote);
+ if (!*other)
+ {
+ continue;
+ }
+ }
break;
}
DESTROY_IF(this->current);
this->current = shared_key_create(SHARED_IKE,
chunk_clone(chunk_create(psk, strlen(psk))));
*key = this->current;
- if (other)
- {
- *other = ID_MATCH_ANY;
- }
return TRUE;
}
@@ -135,7 +149,7 @@ static enumerator_t* create_shared_enumerator(private_uci_creds_t *this,
e->me = me;
e->other = other;
e->inner = this->parser->create_section_enumerator(this->parser,
- "local_id", "psk", NULL);
+ "local_id", "remote_id", "psk", NULL);
if (!e->inner)
{
free(e);
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-14 21:18:57 +0000