more CHILD_SA refactorings

This commit is contained in:
Martin Willi 2008-10-24 08:02:35 +00:00
parent f2a5aa4a9d
commit 6e10aeadab
4 changed files with 136 additions and 132 deletions

View File

@ -123,20 +123,15 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
u_int32_t rekey, now = time(NULL);
u_int32_t use_in, use_out, use_fwd;
u_int32_t use_in, use_out;
encryption_algorithm_t encr_alg;
integrity_algorithm_t int_alg;
chunk_t encr_key, int_key;
ipsec_mode_t mode;
child_sa->get_stats(child_sa, &mode,
&encr_alg, &encr_key, NULL, &int_alg, &int_key, NULL,
&rekey, &use_in, &use_out, &use_fwd);
fprintf(out, "%12s{%d}: %N, %N",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
ipsec_mode_names, mode);
ipsec_mode_names, child_sa->get_mode(child_sa));
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
@ -162,6 +157,8 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
if (child_sa->get_protocol(child_sa) == PROTO_ESP)
{
encr_alg = child_sa->get_encryption(child_sa, TRUE, &encr_key);
switch (encr_alg)
{
/* Algorithms with variable key size.
@ -185,6 +182,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
break;
}
}
int_alg = child_sa->get_integrity(child_sa, TRUE, &int_key);
switch (int_alg)
{
case AUTH_UNDEFINED:
@ -195,6 +193,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
fprintf(out, ", rekeying ");
rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
fprintf(out, "in %#V", &now, &rekey);
@ -205,7 +204,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
}
fprintf(out, ", last use: ");
use_in = max(use_in, use_fwd);
use_in = child_sa->get_usetime(child_sa, TRUE);
if (use_in)
{
fprintf(out, "%ds_i ", now - use_in);
@ -214,6 +213,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
fprintf(out, "no_i ");
}
use_out = child_sa->get_usetime(child_sa, FALSE);
if (use_out)
{
fprintf(out, "%ds_o ", now - use_out);

View File

@ -106,16 +106,16 @@ struct private_child_sa_t {
*/
chunk_t int_key[2];
/**
* time, on which SA was installed
*/
time_t install_time;
/**
* absolute time when rekeying is scheduled
*/
time_t rekey_time;
/**
* absolute time when the SA expires
*/
time_t expire_time;
/**
* state of the CHILD_SA
*/
@ -343,54 +343,83 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
}
/**
* Implementation of child_sa_t.get_stats.
* Implementation of child_sa_t.get_usetime
*/
static void get_stats(private_child_sa_t *this, ipsec_mode_t *mode,
encryption_algorithm_t *encr_algo,
chunk_t *encr_key_in, chunk_t *encr_key_out,
integrity_algorithm_t *int_algo,
chunk_t *int_key_in, chunk_t *int_key_out,
u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
u_int32_t *use_fwd)
static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
{
traffic_selector_t *my_ts, *other_ts;
enumerator_t *enumerator;
u_int32_t in = 0, out = 0, fwd = 0, time;
traffic_selector_t *my_ts, *other_ts;
u_int32_t last_use = 0;
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
if (charon->kernel_interface->query_policy(charon->kernel_interface,
other_ts, my_ts, POLICY_IN, &time) == SUCCESS)
u_int32_t in, out, fwd;
if (inbound)
{
in = max(in, time);
if (charon->kernel_interface->query_policy(charon->kernel_interface,
other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
{
last_use = max(last_use, in);
}
if (charon->kernel_interface->query_policy(charon->kernel_interface,
other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
{
last_use = max(last_use, fwd);
}
}
if (charon->kernel_interface->query_policy(charon->kernel_interface,
my_ts, other_ts, POLICY_OUT, &time) == SUCCESS)
else
{
out = max(out, time);
}
if (charon->kernel_interface->query_policy(charon->kernel_interface,
other_ts, my_ts, POLICY_FWD, &time) == SUCCESS)
{
fwd = max(fwd, time);
if (charon->kernel_interface->query_policy(charon->kernel_interface,
my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
{
last_use = max(last_use, out);
}
}
}
enumerator->destroy(enumerator);
return last_use;
}
#define SET_PTR_IF(x, y) if (x) { *x = y; }
SET_PTR_IF(mode, this->mode);
SET_PTR_IF(encr_algo, this->enc_alg);
SET_PTR_IF(encr_key_in, this->enc_key[0]);
SET_PTR_IF(encr_key_out, this->enc_key[1]);
SET_PTR_IF(int_algo, this->int_alg);
SET_PTR_IF(int_key_in, this->int_key[0]);
SET_PTR_IF(int_key_out, this->int_key[1]);
SET_PTR_IF(rekey, this->rekey_time);
SET_PTR_IF(use_in, in);
SET_PTR_IF(use_out, out);
SET_PTR_IF(use_fwd, fwd);
/**
* Implementation of child_sa_t.get_lifetime
*/
static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
{
if (hard)
{
return this->expire_time;
}
return this->rekey_time;
}
/**
* Implementation of child_sa_t.get_integrity
*/
static integrity_algorithm_t get_integrity(private_child_sa_t *this,
bool inbound, chunk_t *key)
{
*key = this->int_key[!!inbound];
return this->int_alg;
}
/**
* Implementation of child_sa_t.get_encryption
*/
static encryption_algorithm_t get_encryption(private_child_sa_t *this,
bool inbound, chunk_t *key)
{
*key = this->enc_key[!!inbound];
return this->enc_alg;
}
/**
* Implementation of child_sa_t.get_mode
*/
static ipsec_mode_t get_mode(private_child_sa_t *this)
{
return this->mode;
}
/**
@ -470,7 +499,7 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
static status_t install(private_child_sa_t *this, proposal_t *proposal,
ipsec_mode_t mode, prf_plus_t *prf_plus, bool mine)
{
u_int32_t spi, cpi, soft, hard;
u_int32_t spi, cpi, soft, hard, now;
host_t *src, *dst;
status_t status;
int add_keymat;
@ -600,8 +629,9 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
this->int_alg, this->int_key[!!mine],
mode, IPCOMP_NONE, this->encap, mine);
this->install_time = time(NULL);
this->rekey_time = this->install_time + soft;
now = time(NULL);
this->rekey_time = now + soft;
this->expire_time = now + hard;
return status;
}
@ -743,44 +773,6 @@ static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local
return this->other_ts;
}
/**
* Implementation of child_sa_t.get_use_time
*/
static status_t get_use_time(private_child_sa_t *this,
bool inbound, time_t *use_time)
{
enumerator_t *enumerator;
traffic_selector_t *my_ts, *other_ts;
status_t status = FAILED;
*use_time = UNDEFINED_TIME;
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
if (inbound)
{
time_t in = UNDEFINED_TIME, fwd = UNDEFINED_TIME;
status = charon->kernel_interface->query_policy(
charon->kernel_interface, other_ts, my_ts,
POLICY_IN, (u_int32_t*)&in);
status |= charon->kernel_interface->query_policy(
charon->kernel_interface, other_ts, my_ts,
POLICY_FWD, (u_int32_t*)&fwd);
*use_time = max(in, fwd);
}
else
{
status = charon->kernel_interface->query_policy(
charon->kernel_interface, my_ts, other_ts,
POLICY_OUT, (u_int32_t*)use_time);
}
}
enumerator->destroy(enumerator);
return status;
}
/**
* Implementation of child_sa_t.update_hosts.
*/
@ -996,7 +988,11 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
this->public.get_stats = (void(*)(child_sa_t*, ipsec_mode_t*,encryption_algorithm_t*,chunk_t*,chunk_t*,integrity_algorithm_t*,chunk_t*,chunk_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
this->public.get_encryption = (encryption_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_encryption;
this->public.get_integrity = (integrity_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_integrity;
this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))add;
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))update;
@ -1004,7 +1000,6 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;

View File

@ -148,25 +148,45 @@ struct child_sa_t {
protocol_id_t (*get_protocol) (child_sa_t *this);
/**
* Get info and statistics about this CHILD_SA.
* Get the IPsec mode of this CHILD_SA.
*
* @param mode mode this IKE_SA uses
* @param encr_algo encryption algorithm used by this CHILD_SA.
* @param encr_key encryption key
* @param int_algo integrity algorithm used by this CHILD_SA
* @param int_key integrity key
* @param rekey time when rekeying is scheduled
* @param use_in time when last traffic was seen coming in
* @param use_out time when last traffic was seen going out
* @param use_fwd time when last traffic was getting forwarded
* @return TUNNEL | TRANSPORT | BEET
*/
void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
encryption_algorithm_t *encr,
chunk_t *encr_key_in, chunk_t *encr_key_out,
integrity_algorithm_t *int_algo,
chunk_t *int_key_in, chunk_t *int_key_out,
u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
u_int32_t *use_fwd);
ipsec_mode_t (*get_mode)(child_sa_t *this);
/**
* Get the IPsec encryption key.
*
* @param inbound TRUE for inbound, FALSE for outbound key
* @param key chunk where to write key pointer and length
* @return encryption algorithm
*/
encryption_algorithm_t (*get_encryption)(child_sa_t *this, bool inbound,
chunk_t *key);
/**
* Get the IPsec integrity.
*
* @param inbound TRUE for inbound, FALSE for outbound key
* @param key chunk where to write key pointer and length
* @return integrity algorithm
*/
integrity_algorithm_t (*get_integrity)(child_sa_t *this, bool inbound,
chunk_t *key);
/**
* Get the lifetime of the CHILD_SA.
*
* @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
* @return lifetime in seconds
*/
u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
/**
* Get last use time of the CHILD_SA.
*
* @param inbound TRUE for inbound traffic, FALSE for outbound
* @return time of last use in seconds
*/
u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
/**
* Allocate SPIs for given proposals.
@ -250,15 +270,6 @@ struct child_sa_t {
*/
enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
/**
* Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
*
* @param inbound query for in- or outbound usage
* @param use_time the time
* @return SUCCESS or FAILED
*/
status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
/**
* Get the state of the CHILD_SA.
*/
@ -285,7 +296,7 @@ struct child_sa_t {
* @param other_cpi other Compression Parameter Index
*/
void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
u_int16_t other_cpi);
u_int16_t other_cpi);
/**
* Returns the Compression Parameter Index (CPI) allocated from the kernel.

View File

@ -304,28 +304,26 @@ struct private_ike_sa_t {
*/
static time_t get_use_time(private_ike_sa_t* this, bool inbound)
{
iterator_t *iterator;
enumerator_t *enumerator;
child_sa_t *child_sa;
time_t latest = 0, use_time;
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
{
latest = max(latest, use_time);
}
}
iterator->destroy(iterator);
time_t use_time;
if (inbound)
{
return max(this->time.inbound, latest);
use_time = this->time.inbound;
}
else
{
return max(this->time.outbound, latest);
use_time = this->time.outbound;
}
enumerator = this->child_sas->create_enumerator(this->child_sas);
while (enumerator->enumerate(enumerator, &child_sa))
{
use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
}
enumerator->destroy(enumerator);
return use_time;
}
/**