From 5ae3221075f65dead61374e67193468bb7437209 Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 11 Feb 2014 09:19:45 +0100 Subject: [PATCH 1/4] ike: Store unhandled attributes on IKE_SA as well --- src/libcharon/sa/ike_sa.c | 7 +++++-- src/libcharon/sa/ike_sa.h | 3 +++ src/libcharon/sa/ikev1/tasks/mode_config.c | 7 ++----- src/libcharon/sa/ikev2/tasks/ike_config.c | 7 ++----- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 7b38e0268..3ef9801e0 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -2150,8 +2150,11 @@ METHOD(ike_sa_t, destroy, void, /* remove attributes first, as we pass the IKE_SA to the handler */ while (array_remove(this->attributes, ARRAY_TAIL, &entry)) { - hydra->attributes->release(hydra->attributes, entry.handler, - this->other_id, entry.type, entry.data); + if (entry.handler) + { + hydra->attributes->release(hydra->attributes, entry.handler, + this->other_id, entry.type, entry.data); + } free(entry.data.ptr); } /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index d162539db..5dc7326a4 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -978,6 +978,9 @@ struct ike_sa_t { * registered at the IKE_SA. Attributes are inherit()ed and get released * when the IKE_SA is closed. * + * Unhandled attributes are passed as well, but with a NULL handler. They + * do not get released. + * * @param handler handler installed the attribute, use for release() * @param type configuration attribute type * @param data associated attribute data diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 55fb390ce..d678f1942 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -139,11 +139,8 @@ static void handle_attribute(private_mode_config_t *this, handler = hydra->attributes->handle(hydra->attributes, this->ike_sa->get_other_id(this->ike_sa), handler, ca->get_type(ca), ca->get_chunk(ca)); - if (handler) - { - this->ike_sa->add_configuration_attribute(this->ike_sa, - handler, ca->get_type(ca), ca->get_chunk(ca)); - } + this->ike_sa->add_configuration_attribute(this->ike_sa, + handler, ca->get_type(ca), ca->get_chunk(ca)); } /** diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index 1a4c21b54..89b15ea5f 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -130,11 +130,8 @@ static void handle_attribute(private_ike_config_t *this, handler = hydra->attributes->handle(hydra->attributes, this->ike_sa->get_other_id(this->ike_sa), handler, ca->get_type(ca), ca->get_chunk(ca)); - if (handler) - { - this->ike_sa->add_configuration_attribute(this->ike_sa, - handler, ca->get_type(ca), ca->get_chunk(ca)); - } + this->ike_sa->add_configuration_attribute(this->ike_sa, + handler, ca->get_type(ca), ca->get_chunk(ca)); } /** From 9d257034d86c6ed47dbd0d6d0e0c6f618dd0a6af Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 11 Feb 2014 10:12:24 +0100 Subject: [PATCH 2/4] ike: Create an enumerator for (un-)handled configuration attributes on IKE_SA --- src/libcharon/sa/ike_sa.c | 21 +++++++++++++++++++++ src/libcharon/sa/ike_sa.h | 11 +++++++++++ 2 files changed, 32 insertions(+) diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 3ef9801e0..8c7817520 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -2001,6 +2001,26 @@ METHOD(ike_sa_t, add_configuration_attribute, void, array_insert(this->attributes, ARRAY_TAIL, &entry); } +/** + * Enumerator filter for attributes + */ +static bool filter_attribute(void *null, attribute_entry_t **in, + configuration_attribute_type_t *type, void *in2, + chunk_t *data, void *in3, bool *handled) +{ + *type = (*in)->type; + *data = (*in)->data; + *handled = (*in)->handler != NULL; + return TRUE; +} + +METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*, + private_ike_sa_t *this) +{ + return enumerator_create_filter(array_create_enumerator(this->attributes), + (void*)filter_attribute, NULL, NULL); +} + METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, private_ike_sa_t *this, task_queue_t queue) { @@ -2317,6 +2337,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, .clear_virtual_ips = _clear_virtual_ips, .create_virtual_ip_enumerator = _create_virtual_ip_enumerator, .add_configuration_attribute = _add_configuration_attribute, + .create_attribute_enumerator = _create_attribute_enumerator, .set_kmaddress = _set_kmaddress, .create_task_enumerator = _create_task_enumerator, .flush_queue = _flush_queue, diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index 5dc7326a4..15fb47484 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -989,6 +989,17 @@ struct ike_sa_t { attribute_handler_t *handler, configuration_attribute_type_t type, chunk_t data); + /** + * Create an enumerator over received configuration attributes. + * + * The resulting enumerator is over the configuration_attribute_type_t type, + * a value chunk_t followed by a bool flag. The boolean flag indicates if + * the attribute has been handled by an attribute handler. + * + * @return enumerator over type, value and the "handled" flag. + */ + enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this); + /** * Set local and remote host addresses to be used for IKE. * From 7fc98a840b0f6fe0abace9b28db85234ca84b5ec Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 11 Feb 2014 09:49:44 +0100 Subject: [PATCH 3/4] ikev1: Invoke the assign_vips() bus hook for IKEv1 as well --- src/libcharon/bus/listeners/listener.h | 6 +++--- src/libcharon/sa/ikev1/tasks/mode_config.c | 4 ++++ 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 57445df01..9eee72264 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -192,10 +192,10 @@ struct listener_t { narrow_hook_t type, linked_list_t *local, linked_list_t *remote); /** - * Virtual IP address assignment hook + * Virtual IP address assignment hook. * - * This hook gets invoked when a a Virtual IP address is assigned to an - * IKE_SA (assign = TRUE) and again when it is released (assign = FALSE) + * This hook gets invoked after virtual IPs have been assigned to a peer + * for a specific IKE_SA, and again before they get released. * * @param ike_sa IKE_SA the VIPs are assigned to * @param assign TRUE if assigned to IKE_SA, FALSE if released diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index d678f1942..9a33f49f6 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -393,6 +393,8 @@ static status_t build_set(private_mode_config_t *this, message_t *message) any4->destroy(any4); any6->destroy(any6); + charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE); + /* query registered providers for additional attributes to include */ pools = linked_list_create_from_enumerator( config->create_pool_enumerator(config)); @@ -502,6 +504,8 @@ static status_t build_reply(private_mode_config_t *this, message_t *message) } enumerator->destroy(enumerator); + charon->bus->assign_vips(charon->bus, this->ike_sa, TRUE); + /* query registered providers for additional attributes to include */ enumerator = hydra->attributes->create_responder_enumerator( hydra->attributes, pools, id, vips); From eef7427b0fe9de11d6cf877aea267692426ee35b Mon Sep 17 00:00:00 2001 From: Martin Willi Date: Tue, 11 Feb 2014 10:09:08 +0100 Subject: [PATCH 4/4] bus: Add a handle_vips() hook invoked after handling configuration attributes Similar to assign_vips() used by a peer assigning virtual IPs to the other peer, the handle_vips() hook gets invoked on a peers after receiving attributes. On release of the same attributes the hook gets invoked again. This is useful to inspect handled attributes, as the ike_updown() hook is invoked after authentication, when attributes have not been handled yet. --- src/libcharon/bus/bus.c | 28 ++++++++++++++++++++++ src/libcharon/bus/bus.h | 8 +++++++ src/libcharon/bus/listeners/listener.h | 12 ++++++++++ src/libcharon/sa/ike_sa.c | 1 + src/libcharon/sa/ikev1/tasks/mode_config.c | 2 ++ src/libcharon/sa/ikev2/tasks/ike_config.c | 2 ++ 6 files changed, 53 insertions(+) diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index bc080d1c0..d467c3320 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c @@ -879,6 +879,33 @@ METHOD(bus_t, assign_vips, void, this->mutex->unlock(this->mutex); } +METHOD(bus_t, handle_vips, void, + private_bus_t *this, ike_sa_t *ike_sa, bool handle) +{ + enumerator_t *enumerator; + entry_t *entry; + bool keep; + + this->mutex->lock(this->mutex); + enumerator = this->listeners->create_enumerator(this->listeners); + while (enumerator->enumerate(enumerator, &entry)) + { + if (entry->calling || !entry->listener->handle_vips) + { + continue; + } + entry->calling++; + keep = entry->listener->handle_vips(entry->listener, ike_sa, handle); + entry->calling--; + if (!keep) + { + unregister_listener(this, entry, enumerator); + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + /** * Credential manager hook function to forward bus alerts */ @@ -955,6 +982,7 @@ bus_t *bus_create() .authorize = _authorize, .narrow = _narrow, .assign_vips = _assign_vips, + .handle_vips = _handle_vips, .destroy = _destroy, }, .listeners = linked_list_create(), diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 4a0ac68e3..1d708c5a5 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -411,6 +411,14 @@ struct bus_t { */ void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign); + /** + * Virtual IP handler hook. + * + * @param ike_sa IKE_SA the VIPs/attributes got handled on + * @param assign TRUE after installing attributes, FALSE on release + */ + void (*handle_vips)(bus_t *this, ike_sa_t *ike_sa, bool handle); + /** * Destroy the event bus. */ diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 9eee72264..abcc765e5 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h @@ -203,6 +203,18 @@ struct listener_t { */ bool (*assign_vips)(listener_t *this, ike_sa_t *ike_sa, bool assign); + /** + * Virtual IP and configuration attribute handler hook. + * + * This hook gets invoked after virtual IP and other configuration + * attributes just got installed or are about to get uninstalled on a peer + * receiving them. + * + * @param ike_sa IKE_SA the VIPs/attributes are handled on + * @param handle TRUE if handled by IKE_SA, FALSE on release + * @return TRUE to stay registered, FALSE to unregister + */ + bool (*handle_vips)(listener_t *this, ike_sa_t *ike_sa, bool handle); }; #endif /** LISTENER_H_ @}*/ diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 8c7817520..c338cdaef 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -2168,6 +2168,7 @@ METHOD(ike_sa_t, destroy, void, } /* remove attributes first, as we pass the IKE_SA to the handler */ + charon->bus->handle_vips(charon->bus, &this->public, FALSE); while (array_remove(this->attributes, ARRAY_TAIL, &entry)) { if (entry.handler) diff --git a/src/libcharon/sa/ikev1/tasks/mode_config.c b/src/libcharon/sa/ikev1/tasks/mode_config.c index 9a33f49f6..94026b9af 100644 --- a/src/libcharon/sa/ikev1/tasks/mode_config.c +++ b/src/libcharon/sa/ikev1/tasks/mode_config.c @@ -441,6 +441,8 @@ static void install_vips(private_mode_config_t *this) } } enumerator->destroy(enumerator); + + charon->bus->handle_vips(charon->bus, this->ike_sa, TRUE); } METHOD(task_t, process_r, status_t, diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c index 89b15ea5f..da06e2a36 100644 --- a/src/libcharon/sa/ikev2/tasks/ike_config.c +++ b/src/libcharon/sa/ikev2/tasks/ike_config.c @@ -446,6 +446,8 @@ METHOD(task_t, process_i, status_t, } } enumerator->destroy(enumerator); + + charon->bus->handle_vips(charon->bus, this->ike_sa, TRUE); return SUCCESS; } return NEED_MORE;