END_TEST
START_TEST(test_get_esa_id_nonexistent)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 0,
"Got esa id for nonexistent SAD entry");
sad->destroy(sad);
addr->destroy(addr);
}
END_TEST
START_TEST(test_create_from_string_any_v6)
{
host_t *host;
host = host_create_from_string("%any6", 500);
verify_any(host, AF_INET6, 500);
host->destroy(host);
host = host_create_from_string("::", 500);
verify_any(host, AF_INET6, 500);
host->destroy(host);
host = host_create_from_string("fec1::1", 500);
verify_address(host, addr_v6, AF_INET6, 500);
host->destroy(host);
host = host_create_from_string("fec1::1.500", 500);
ck_assert(host == NULL);
host = host_create_from_string("f::e::c::1::1", 500);
ck_assert(host == NULL);
host = host_create_from_string("foo::bar", 500);
ck_assert(host == NULL);
}
static bool add_address(u_int pool_id, char *address_str, int *family)
{
host_t *address;
int user_id = 0;
char *pos_eq = strchr(address_str, '=');
if (pos_eq != NULL)
{
identification_t *id = identification_create_from_string(pos_eq + 1);
user_id = get_identity(id);
id->destroy(id);
if (user_id == 0)
{
return FALSE;
}
*pos_eq = '\0';
}
address = host_create_from_string(address_str, 0);
if (address == NULL)
{
fprintf(stderr, "invalid address '%s'.\n", address_str);
return FALSE;
}
if (family && *family != AF_UNSPEC &&
*family != address->get_family(address))
{
fprintf(stderr, "invalid address family '%s'.\n", address_str);
address->destroy(address);
return FALSE;
}
if (db->execute(db, NULL,
"INSERT INTO addresses "
"(pool, address, identity, acquired, released) "
"VALUES (?, ?, ?, ?, ?)",
DB_UINT, pool_id, DB_BLOB, address->get_address(address),
DB_UINT, user_id, DB_UINT, 0, DB_UINT, 1) != 1)
{
fprintf(stderr, "inserting address '%s' failed.\n", address_str);
address->destroy(address);
return FALSE;
}
if (family)
{
*family = address->get_family(address);
}
address->destroy(address);
return TRUE;
}
/**
* Run client to perform echo test
*/
static void run_echo_client(echo_server_config_t *config)
{
tls_socket_t *tls;
ssize_t len, rd, wr;
int fd;
host_t *host;
identification_t *server, *client = NULL;
char buf[128];
host = host_create_from_string(config->addr, config->port);
server = identification_create_from_string(config->addr);
if (config->cauth)
{
client = server;
}
fd = socket(AF_INET, SOCK_STREAM, 0);
ck_assert(fd != -1);
ck_assert(connect(fd, host->get_sockaddr(host),
*host->get_sockaddr_len(host)) != -1);
tls = tls_socket_create(FALSE, server, client, fd, NULL,
config->version, TRUE);
ck_assert(tls != NULL);
wr = rd = 0;
while (rd < config->data.len)
{
len = tls->write(tls, config->data.ptr + wr, config->data.len - wr);
ck_assert(len >= 0);
wr += len;
len = tls->read(tls, buf, sizeof(buf), FALSE);
if (len == -1 && errno == EWOULDBLOCK)
{
continue;
}
if (len == 0)
{
ck_assert_int_eq(rd, config->data.len);
break;
}
ck_assert(len > 0);
ck_assert(rd + len <= config->data.len);
ck_assert(memeq(buf, config->data.ptr + rd, len));
rd += len;
}
tls->destroy(tls);
close(fd);
host->destroy(host);
server->destroy(server);
}
END_TEST
START_TEST(test_get_esa_id)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
fail_unless(sad->insert(sad, 23, addr, addr, 42, 50),
"Error inserting SAD entry");
fail_unless(sad->get_esa_id(sad, addr, addr, 42, 50) == 23,
"Error getting esa id");
sad->destroy(sad);
addr->destroy(addr);
}
END_TEST
START_TEST(test_insert)
{
host_t *addr = host_create_from_string("127.0.0.1", 1024);
tkm_kernel_sad_t *sad = tkm_kernel_sad_create();
fail_unless(sad->insert(sad, 1, addr, addr, 42, 50),
"Error inserting SAD entry");
sad->destroy(sad);
addr->destroy(addr);
}
/**
* PF_ROUTE for some reason does not send an event for the first address
* installed after a fresh boot. Fix this by installing a fake tun address
* just to remove it afterwards.
*/
static void fixup_pf_route()
{
tun_device_t *tun;
host_t *host;
tun = tun_device_create(NULL);
if (tun)
{
if (tun->up(tun))
{
host = host_create_from_string("127.0.0.99", 0);
tun->set_address(tun, host, 32);
host->destroy(host);
}
tun->destroy(tun);
}
}
/**
* Start a echo server using config
*/
static void start_echo_server(echo_server_config_t *config)
{
host_t *host;
int on = 1;
host = host_create_from_string(config->addr, config->port);
config->fd = socket(AF_INET, SOCK_STREAM, 0);
ck_assert(config->fd != -1);
ck_assert(setsockopt(config->fd, SOL_SOCKET, SO_REUSEADDR,
(void*)&on, sizeof(on)) != -1);
ck_assert_msg(bind(config->fd, host->get_sockaddr(host),
*host->get_sockaddr_len(host)) != -1, "%s", strerror(errno));
host->destroy(host);
ck_assert(listen(config->fd, 1) != -1);
lib->processor->set_threads(lib->processor, 8);
lib->processor->queue_job(lib->processor, (job_t*)
callback_job_create((void*)serve_echo, config, NULL, NULL));
}
/**
* Determine the type of the attribute and its value
*/
static bool parse_attributes(char *name, char *value, value_type_t *value_type,
configuration_attribute_type_t *type,
configuration_attribute_type_t *type_ip6,
chunk_t *blob)
{
host_t *addr = NULL, *mask = NULL;
chunk_t addr_chunk, mask_chunk, blob_next;
char *text = "", *pos_addr, *pos_mask, *pos_next, *endptr;
int i;
switch (*value_type)
{
case VALUE_STRING:
*blob = chunk_create(value, strlen(value));
*blob = chunk_clone(*blob);
break;
case VALUE_HEX:
*blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL);
break;
case VALUE_ADDR:
addr = host_create_from_string(value, 0);
if (addr == NULL)
{
fprintf(stderr, "invalid IP address: '%s'.\n", value);
return FALSE;
}
addr_chunk = addr->get_address(addr);
*blob = chunk_clone(addr_chunk);
break;
case VALUE_SUBNET:
*blob = chunk_empty;
pos_next = value;
do
{
pos_addr = pos_next;
pos_next = strchr(pos_next, ',');
if (pos_next)
{
*pos_next = '\0';
pos_next += 1;
}
pos_mask = strchr(pos_addr, '/');
if (pos_mask == NULL)
{
fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", pos_addr);
free(blob->ptr);
return FALSE;
}
*pos_mask = '\0';
pos_mask += 1;
addr = host_create_from_string(pos_addr, 0);
mask = host_create_from_string(pos_mask, 0);
if (addr == NULL || addr->get_family(addr) != AF_INET ||
mask == NULL || mask->get_family(addr) != AF_INET)
{
fprintf(stderr, "invalid IPv4 subnet: '%s/%s'.\n",
pos_addr, pos_mask);
DESTROY_IF(addr);
DESTROY_IF(mask);
free(blob->ptr);
return FALSE;
}
addr_chunk = addr->get_address(addr);
mask_chunk = mask->get_address(mask);
blob_next = chunk_alloc(blob->len + UNITY_NETWORK_LEN);
memcpy(blob_next.ptr, blob->ptr, blob->len);
pos_addr = blob_next.ptr + blob->len;
memset(pos_addr, 0x00, UNITY_NETWORK_LEN);
memcpy(pos_addr, addr_chunk.ptr, 4);
memcpy(pos_addr + 4, mask_chunk.ptr, 4);
addr->destroy(addr);
addr = NULL;
mask->destroy(mask);
chunk_free(blob);
*blob = blob_next;
}
while (pos_next);
break;
case VALUE_NONE:
*blob = chunk_empty;
break;
}
/* init the attribute type */
*type = 0;
*type_ip6 = 0;
for (i = 0; i < countof(attr_info); i++)
{
if (strcaseeq(name, attr_info[i].keyword))
{
*type = attr_info[i].type;
*type_ip6 = attr_info[i].type_ip6;
if (*value_type == VALUE_NONE)
{
*value_type = attr_info[i].value_type;
return TRUE;
}
if (*value_type != attr_info[i].value_type &&
*value_type != VALUE_HEX)
{
switch (attr_info[i].value_type)
{
case VALUE_STRING:
text = "a string";
break;
case VALUE_HEX:
text = "a hex";
break;
case VALUE_ADDR:
text = "an IP address";
break;
case VALUE_SUBNET:
text = "a subnet";
break;
case VALUE_NONE:
text = "no";
break;
}
fprintf(stderr, "the %s attribute requires %s value.\n",
name, text);
DESTROY_IF(addr);
free(blob->ptr);
return FALSE;
}
if (*value_type == VALUE_ADDR)
{
*type = (addr->get_family(addr) == AF_INET) ?
attr_info[i].type : attr_info[i].type_ip6;
addr->destroy(addr);
}
else if (*value_type == VALUE_HEX)
{
*value_type = attr_info[i].value_type;
if (*value_type == VALUE_ADDR)
{
if (blob->len == 16)
{
*type = attr_info[i].type_ip6;
}
else if (blob->len != 4)
{
fprintf(stderr, "the %s attribute requires "
"a valid IP address.\n", name);
free(blob->ptr);
return FALSE;
}
}
}
return TRUE;
}
}
/* clean up */
DESTROY_IF(addr);
/* is the attribute type numeric? */
*type = strtol(name, &endptr, 10);
if (*endptr != '\0')
{
fprintf(stderr, "the %s attribute is not recognized.\n", name);
free(blob->ptr);
return FALSE;
}
if (*type < 1 || *type > 32767)
{
fprintf(stderr, "the attribute type must lie in the range 1..32767.\n");
free(blob->ptr);
return FALSE;
}
if (*value_type == VALUE_NONE)
{
*value_type = VALUE_HEX;
}
return TRUE;
}
static void do_args(int argc, char *argv[])
{
char *name = "", *value = "", *filter = "";
char *pool = NULL, *identity = NULL, *addresses = NULL;
value_type_t value_type = VALUE_NONE;
int timeout = 0;
bool utc = FALSE, hexout = FALSE;
enum {
OP_UNDEF,
OP_USAGE,
OP_STATUS,
OP_STATUS_ATTR,
OP_ADD,
OP_ADD_ATTR,
OP_DEL,
OP_DEL_ATTR,
OP_SHOW_ATTR,
OP_RESIZE,
OP_LEASES,
OP_PURGE,
OP_BATCH
} operation = OP_UNDEF;
/* reinit getopt state */
optind = 0;
while (TRUE)
{
int c;
struct option long_opts[] = {
{ "help", no_argument, NULL, 'h' },
{ "utc", no_argument, NULL, 'u' },
{ "status", no_argument, NULL, 'w' },
{ "add", required_argument, NULL, 'a' },
{ "replace", required_argument, NULL, 'c' },
{ "del", required_argument, NULL, 'd' },
{ "resize", required_argument, NULL, 'r' },
{ "leases", no_argument, NULL, 'l' },
{ "purge", required_argument, NULL, 'p' },
{ "statusattr", no_argument, NULL, '1' },
{ "addattr", required_argument, NULL, '2' },
{ "delattr", required_argument, NULL, '3' },
{ "showattr", no_argument, NULL, '4' },
{ "batch", required_argument, NULL, 'b' },
{ "start", required_argument, NULL, 's' },
{ "end", required_argument, NULL, 'e' },
{ "addresses", required_argument, NULL, 'y' },
{ "timeout", required_argument, NULL, 't' },
{ "filter", required_argument, NULL, 'f' },
{ "addr", required_argument, NULL, 'v' },
{ "mask", required_argument, NULL, 'v' },
{ "server", required_argument, NULL, 'v' },
{ "subnet", required_argument, NULL, 'n' },
{ "string", required_argument, NULL, 'g' },
{ "hex", required_argument, NULL, 'x' },
{ "hexout", no_argument, NULL, '5' },
{ "pool", required_argument, NULL, '6' },
{ "identity", required_argument, NULL, '7' },
{ 0,0,0,0 }
};
c = getopt_long(argc, argv, "", long_opts, NULL);
switch (c)
{
case EOF:
break;
case 'h':
operation = OP_USAGE;
break;
case 'w':
operation = OP_STATUS;
break;
case '1':
operation = OP_STATUS_ATTR;
break;
case 'u':
utc = TRUE;
continue;
case 'c':
replace_pool = TRUE;
/* fallthrough */
case 'a':
name = optarg;
operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
if (replace_pool && operation == OP_ADD_ATTR)
{
fprintf(stderr, "invalid pool name: "
"reserved for '%s' attribute.\n", optarg);
usage();
exit(EXIT_FAILURE);
}
continue;
case '2':
name = optarg;
operation = OP_ADD_ATTR;
continue;
case 'd':
name = optarg;
operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
continue;
case '3':
name = optarg;
operation = OP_DEL_ATTR;
continue;
case '4':
operation = OP_SHOW_ATTR;
continue;
case 'r':
name = optarg;
operation = OP_RESIZE;
continue;
case 'l':
operation = OP_LEASES;
continue;
case 'p':
name = optarg;
operation = OP_PURGE;
continue;
case 'b':
name = optarg;
if (operation == OP_BATCH)
{
fprintf(stderr, "--batch commands can not be nested\n");
exit(EXIT_FAILURE);
}
operation = OP_BATCH;
continue;
case 's':
DESTROY_IF(start);
start = host_create_from_string(optarg, 0);
if (start == NULL)
{
fprintf(stderr, "invalid start address: '%s'.\n", optarg);
usage();
exit(EXIT_FAILURE);
}
continue;
case 'e':
DESTROY_IF(end);
end = host_create_from_string(optarg, 0);
if (end == NULL)
{
fprintf(stderr, "invalid end address: '%s'.\n", optarg);
usage();
exit(EXIT_FAILURE);
}
continue;
case 't':
timeout = atoi(optarg);
if (timeout == 0 && strcmp(optarg, "0") != 0)
{
fprintf(stderr, "invalid timeout '%s'.\n", optarg);
usage();
exit(EXIT_FAILURE);
}
continue;
case 'f':
filter = optarg;
continue;
case 'y':
addresses = optarg;
continue;
case 'g':
value_type = VALUE_STRING;
value = optarg;
continue;
case 'n':
value_type = VALUE_SUBNET;
value = optarg;
continue;
case 'v':
value_type = VALUE_ADDR;
value = optarg;
continue;
case 'x':
value_type = VALUE_HEX;
value = optarg;
continue;
case '5':
hexout = TRUE;
continue;
case '6':
pool = optarg;
continue;
case '7':
identity = optarg;
continue;
default:
usage();
exit(EXIT_FAILURE);
break;
}
break;
}
switch (operation)
{
case OP_USAGE:
usage();
break;
case OP_STATUS:
status();
break;
case OP_STATUS_ATTR:
status_attr(hexout);
break;
case OP_ADD:
if (addresses != NULL)
{
add_addresses(name, addresses, timeout);
}
else if (start != NULL && end != NULL)
{
add(name, start, end, timeout);
}
else
{
fprintf(stderr, "missing arguments.\n");
usage();
exit(EXIT_FAILURE);
}
break;
case OP_ADD_ATTR:
if (value_type == VALUE_NONE)
{
fprintf(stderr, "missing arguments.\n");
usage();
exit(EXIT_FAILURE);
}
if (identity && !pool)
{
fprintf(stderr, "--identity option can't be used without --pool.\n");
usage();
exit(EXIT_FAILURE);
}
add_attr(name, pool, identity, value, value_type);
break;
case OP_DEL:
del(name);
break;
case OP_DEL_ATTR:
if (identity && !pool)
{
fprintf(stderr, "--identity option can't be used without --pool.\n");
usage();
exit(EXIT_FAILURE);
}
del_attr(name, pool, identity, value, value_type);
break;
case OP_SHOW_ATTR:
show_attr();
break;
case OP_RESIZE:
if (end == NULL)
{
fprintf(stderr, "missing arguments.\n");
usage();
exit(EXIT_FAILURE);
}
resize(name, end);
break;
case OP_LEASES:
leases(filter, utc);
break;
case OP_PURGE:
purge(name);
break;
case OP_BATCH:
if (name == NULL)
{
fprintf(stderr, "missing arguments.\n");
usage();
exit(EXIT_FAILURE);
}
batch(argv[0], name);
break;
default:
usage();
exit(EXIT_FAILURE);
}
}
/**
* create the lease query using the filter string
*/
static enumerator_t *create_lease_query(char *filter, array_t **to_free)
{
enumerator_t *query;
chunk_t id_chunk = chunk_empty, addr_chunk = chunk_empty;
id_type_t id_type = 0;
u_int tstamp = 0;
bool online = FALSE, valid = FALSE, expired = FALSE;
char *value, *pos, *pool = NULL;
enum {
FIL_POOL = 0,
FIL_ID,
FIL_ADDR,
FIL_TSTAMP,
FIL_STATE,
};
char *const token[] = {
[FIL_POOL] = "pool",
[FIL_ID] = "id",
[FIL_ADDR] = "addr",
[FIL_TSTAMP] = "tstamp",
[FIL_STATE] = "status",
NULL
};
/* if the filter string contains a distinguished name as a ID, we replace
* ", " by "/ " in order to not confuse the getsubopt parser */
pos = filter;
while ((pos = strchr(pos, ',')))
{
if (pos[1] == ' ')
{
pos[0] = '/';
}
pos++;
}
while (filter && *filter != '\0')
{
switch (getsubopt(&filter, token, &value))
{
case FIL_POOL:
if (value)
{
pool = value;
}
break;
case FIL_ID:
if (value)
{
identification_t *id;
id = identification_create_from_string(value);
id_type = id->get_type(id);
id_chunk = chunk_clone(id->get_encoding(id));
array_insert_create(to_free, ARRAY_TAIL, id_chunk.ptr);
id->destroy(id);
}
break;
case FIL_ADDR:
if (value)
{
host_t *addr;
addr = host_create_from_string(value, 0);
if (!addr)
{
fprintf(stderr, "invalid 'addr' in filter string.\n");
exit(EXIT_FAILURE);
}
addr_chunk = chunk_clone(addr->get_address(addr));
array_insert_create(to_free, ARRAY_TAIL, addr_chunk.ptr);
addr->destroy(addr);
}
break;
case FIL_TSTAMP:
if (value)
{
tstamp = atoi(value);
}
if (tstamp == 0)
{
online = TRUE;
}
break;
case FIL_STATE:
if (value)
{
if (streq(value, "online"))
{
online = TRUE;
}
else if (streq(value, "valid"))
{
valid = TRUE;
}
else if (streq(value, "expired"))
{
expired = TRUE;
}
else
{
fprintf(stderr, "invalid 'state' in filter string.\n");
exit(EXIT_FAILURE);
}
}
break;
default:
fprintf(stderr, "invalid filter string.\n");
exit(EXIT_FAILURE);
break;
}
}
query = db->query(db,
"SELECT name, addresses.address, identities.type, "
"identities.data, leases.acquired, leases.released, timeout "
"FROM leases JOIN addresses ON leases.address = addresses.id "
"JOIN pools ON addresses.pool = pools.id "
"JOIN identities ON leases.identity = identities.id "
"WHERE (? OR name = ?) "
"AND (? OR (identities.type = ? AND identities.data = ?)) "
"AND (? OR addresses.address = ?) "
"AND (? OR (? >= leases.acquired AND (? <= leases.released))) "
"AND (? OR leases.released > ? - timeout) "
"AND (? OR leases.released < ? - timeout) "
"AND ? "
"UNION "
"SELECT name, address, identities.type, identities.data, "
"acquired, released, timeout FROM addresses "
"JOIN pools ON addresses.pool = pools.id "
"JOIN identities ON addresses.identity = identities.id "
"WHERE ? AND released = 0 "
"AND (? OR name = ?) "
"AND (? OR (identities.type = ? AND identities.data = ?)) "
"AND (? OR address = ?)",
DB_INT, pool == NULL, DB_TEXT, pool,
DB_INT, !id_chunk.ptr,
DB_INT, id_type,
DB_BLOB, id_chunk,
DB_INT, !addr_chunk.ptr,
DB_BLOB, addr_chunk,
DB_INT, tstamp == 0, DB_UINT, tstamp, DB_UINT, tstamp,
DB_INT, !valid, DB_INT, time(NULL),
DB_INT, !expired, DB_INT, time(NULL),
DB_INT, !online,
/* union */
DB_INT, !(valid || expired),
DB_INT, pool == NULL, DB_TEXT, pool,
DB_INT, !id_chunk.ptr,
DB_INT, id_type,
DB_BLOB, id_chunk,
DB_INT, !addr_chunk.ptr,
DB_BLOB, addr_chunk,
/* res */
DB_TEXT, DB_BLOB, DB_INT, DB_BLOB, DB_UINT, DB_UINT, DB_UINT);
return query;
}
static void add_addresses(char *pool, char *path, int timeout)
{
u_int pool_id, count = 0;
int family = AF_UNSPEC;
char address_str[512];
host_t *addr;
FILE *file;
db->transaction(db, FALSE);
addr = host_create_from_string("%any", 0);
pool_id = create_pool(pool, addr->get_address(addr),
addr->get_address(addr), timeout);
addr->destroy(addr);
file = (strcmp(path, "-") == 0 ? stdin : fopen(path, "r"));
if (file == NULL)
{
fprintf(stderr, "opening '%s' failed: %s\n", path, strerror(errno));
exit(-1);
}
printf("starting allocation... ");
fflush(stdout);
while (fgets(address_str, sizeof(address_str), file))
{
size_t addr_len = strlen(address_str);
char *last_chr = address_str + addr_len - 1;
if (*last_chr == '\n')
{
if (addr_len == 1)
{ /* end of input */
break;
}
*last_chr = '\0';
}
if (add_address(pool_id, address_str, &family) == FALSE)
{
if (file != stdin)
{
fclose(file);
}
exit(EXIT_FAILURE);
}
++count;
}
if (file != stdin)
{
fclose(file);
}
if (family == AF_INET6)
{ /* update address family if necessary */
addr = host_create_from_string("%any6", 0);
if (db->execute(db, NULL,
"UPDATE pools SET start = ?, end = ? WHERE id = ?",
DB_BLOB, addr->get_address(addr),
DB_BLOB, addr->get_address(addr), DB_UINT, pool_id) <= 0)
{
addr->destroy(addr);
fprintf(stderr, "updating pool address family failed.\n");
exit(EXIT_FAILURE);
}
addr->destroy(addr);
}
db->commit(db);
printf("%d addresses done.\n", count);
}
void ikev2_psk_configs_create(android_config_t *configs,
peer_cfg_t **peer_c,
child_cfg_t **child_c)
{
ike_cfg_t *ike_cfg;
traffic_selector_t *ts;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
auth_cfg_t *auth;
lifetime_cfg_t lifetime = {
.time = {
.life = 10800, /* 3h */
.rekey = 10200, /* 2h50min */
.jitter = 300 /* 5min */
}
};
identification_t *gateway_id = identification_create_from_string("%any");
*peer_c = NULL;
*child_c = NULL;
assert(configs->auth_method == AUTH_PSK);
ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "0.0.0.0",
charon->socket->get_port(charon->socket, FALSE),
configs->sgw, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
if (!add_ike_proposals(ike_cfg))
{
/* failed */
gateway_id->destroy(gateway_id);
return;
}
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
FALSE, FALSE, /* mobike, aggressive */
TRUE, DPD_INTERVAL, 0, /* DPD delay, timeout */
FALSE, NULL, NULL); /* mediation */
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
/* Adds local side PSK authentication */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
auth->add(auth, AUTH_RULE_IDENTITY,
configs->psk.ipsec_identifier->clone(configs->psk.ipsec_identifier));
auth->add(auth, AUTH_RULE_GROUP,
configs->psk.ipsec_identifier->clone(configs->psk.ipsec_identifier));
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
/* Add remote PSK side authentication */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
auth->add(auth, AUTH_RULE_IDENTITY, gateway_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
0, 0, NULL, NULL, 0);
if (!add_child_proposals(child_cfg))
{
/*failed*/
return;
}
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
0, "255.255.255.255", 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
/*Take extra ref, because add claims ownership. */
*child_c = child_cfg;
(*child_c)->get_ref(*child_c);
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
*peer_c = peer_cfg;
}
void ikev2_rsa_configs_create(android_config_t *configs,
peer_cfg_t **peer_c,
child_cfg_t **child_c)
{
ike_cfg_t *ike_cfg;
traffic_selector_t *ts;
peer_cfg_t *peer_cfg;
child_cfg_t *child_cfg;
chunk_t temp_chunk;
certificate_t *temp_cert;
identification_t *temp_id = NULL;
auth_cfg_t *auth;
lifetime_cfg_t lifetime = {
.time = {
.life = 10800, /* 3h */
.rekey = 10200, /* 2h50min */
.jitter = 300 /* 5min */
}
};
/* send cert req if we don't have the sgw cert and if we have
CA to validate the cert. */
bool send_cert_req = ( strlen(configs->rsa.server_cert) == 0 );
assert(configs->auth_method == AUTH_RSA);
*peer_c = NULL;
*child_c = NULL;
#ifdef FORCE_FRAGMENT_CONF
DBG1(DBG_CFG, "Set IKEV2 RSA FORCE fragment ON");
ike_cfg = ike_cfg_create(IKEV2, send_cert_req, FALSE, "0.0.0.0",
charon->socket->get_port(charon->socket, FALSE),
configs->sgw, IKEV2_UDP_PORT, FRAGMENTATION_FORCE, 0);
#else
ike_cfg = ike_cfg_create(IKEV2, send_cert_req, FALSE, "0.0.0.0",
charon->socket->get_port(charon->socket, FALSE),
configs->sgw, IKEV2_UDP_PORT, FRAGMENTATION_YES, 0);
#endif
if (!add_ike_proposals(ike_cfg))
{
/* failed */
return;
}
peer_cfg = peer_cfg_create("android", ike_cfg, CERT_SEND_IF_ASKED,
UNIQUE_REPLACE, 1, /* keyingtries */
36000, 0, /* rekey 10h, reauth none */
600, 600, /* jitter, over 10min */
FALSE, FALSE, /* mobike, aggressive */
TRUE, DPD_INTERVAL, 0, /* DPD delay, timeout */
FALSE, NULL, NULL); /* mediation */
peer_cfg->add_virtual_ip(peer_cfg, host_create_from_string("0.0.0.0", 0));
/* Adds local side PUBKEY authentication */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
/* client ID for the auth */
temp_chunk.ptr = configs->rsa.user_cert;
temp_chunk.len = strlen(configs->rsa.user_cert);
temp_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_PEM, temp_chunk, BUILD_END);
if (temp_cert == NULL)
{
DBG1(DBG_CFG, "Failed to create cert from user cert data");
return;
}
temp_id = temp_cert->get_subject(temp_cert);
auth->add(auth, AUTH_RULE_IDENTITY,
temp_id->clone(temp_id));
temp_id = NULL;
temp_cert->destroy(temp_cert);
temp_cert = NULL;
peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE);
/* Add remote side RSA authentication */
auth = auth_cfg_create();
auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
if (strlen(configs->rsa.server_cert) > 0)
{
temp_chunk.ptr = configs->rsa.server_cert;
temp_chunk.len = strlen(configs->rsa.server_cert);
temp_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
BUILD_BLOB_PEM, temp_chunk, BUILD_END);
if (temp_cert == NULL)
{
DBG1(DBG_CFG, "Failed to create cert from user cert data");
return;
}
temp_id = temp_cert->get_subject(temp_cert);
temp_id = temp_id->clone(temp_id);
temp_cert->destroy(temp_cert);
}
else
{
temp_id = identification_create_from_string("%any");
}
auth->add(auth, AUTH_RULE_IDENTITY, temp_id);
peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL,
ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE,
0, 0, NULL, NULL, 0);
if (!add_child_proposals(child_cfg))
{
/*failed*/
return;
}
ts = traffic_selector_create_dynamic(0, 0, 65535);
child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0",
0, "255.255.255.255", 65535);
child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
/*Take extra ref, because add claims ownership. */
*child_c = child_cfg;
(*child_c)->get_ref(*child_c);
peer_cfg->add_child_cfg(peer_cfg, child_cfg);
*peer_c = peer_cfg;
}
