more CHILD_SA refactorings
This commit is contained in:
parent
f2a5aa4a9d
commit
6e10aeadab
|
@ -123,20 +123,15 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all)
|
|||
static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
||||
{
|
||||
u_int32_t rekey, now = time(NULL);
|
||||
u_int32_t use_in, use_out, use_fwd;
|
||||
u_int32_t use_in, use_out;
|
||||
encryption_algorithm_t encr_alg;
|
||||
integrity_algorithm_t int_alg;
|
||||
chunk_t encr_key, int_key;
|
||||
ipsec_mode_t mode;
|
||||
|
||||
child_sa->get_stats(child_sa, &mode,
|
||||
&encr_alg, &encr_key, NULL, &int_alg, &int_key, NULL,
|
||||
&rekey, &use_in, &use_out, &use_fwd);
|
||||
|
||||
fprintf(out, "%12s{%d}: %N, %N",
|
||||
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
|
||||
child_sa_state_names, child_sa->get_state(child_sa),
|
||||
ipsec_mode_names, mode);
|
||||
ipsec_mode_names, child_sa->get_mode(child_sa));
|
||||
|
||||
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
|
||||
{
|
||||
|
@ -162,6 +157,8 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
|||
|
||||
if (child_sa->get_protocol(child_sa) == PROTO_ESP)
|
||||
{
|
||||
encr_alg = child_sa->get_encryption(child_sa, TRUE, &encr_key);
|
||||
|
||||
switch (encr_alg)
|
||||
{
|
||||
/* Algorithms with variable key size.
|
||||
|
@ -185,6 +182,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
|||
break;
|
||||
}
|
||||
}
|
||||
int_alg = child_sa->get_integrity(child_sa, TRUE, &int_key);
|
||||
switch (int_alg)
|
||||
{
|
||||
case AUTH_UNDEFINED:
|
||||
|
@ -195,6 +193,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
|||
}
|
||||
fprintf(out, ", rekeying ");
|
||||
|
||||
rekey = child_sa->get_lifetime(child_sa, FALSE);
|
||||
if (rekey)
|
||||
{
|
||||
fprintf(out, "in %#V", &now, &rekey);
|
||||
|
@ -205,7 +204,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
|||
}
|
||||
|
||||
fprintf(out, ", last use: ");
|
||||
use_in = max(use_in, use_fwd);
|
||||
use_in = child_sa->get_usetime(child_sa, TRUE);
|
||||
if (use_in)
|
||||
{
|
||||
fprintf(out, "%ds_i ", now - use_in);
|
||||
|
@ -214,6 +213,7 @@ static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
|
|||
{
|
||||
fprintf(out, "no_i ");
|
||||
}
|
||||
use_out = child_sa->get_usetime(child_sa, FALSE);
|
||||
if (use_out)
|
||||
{
|
||||
fprintf(out, "%ds_o ", now - use_out);
|
||||
|
|
|
@ -106,16 +106,16 @@ struct private_child_sa_t {
|
|||
*/
|
||||
chunk_t int_key[2];
|
||||
|
||||
/**
|
||||
* time, on which SA was installed
|
||||
*/
|
||||
time_t install_time;
|
||||
|
||||
/**
|
||||
* absolute time when rekeying is scheduled
|
||||
*/
|
||||
time_t rekey_time;
|
||||
|
||||
/**
|
||||
* absolute time when the SA expires
|
||||
*/
|
||||
time_t expire_time;
|
||||
|
||||
/**
|
||||
* state of the CHILD_SA
|
||||
*/
|
||||
|
@ -343,54 +343,83 @@ static enumerator_t* create_policy_enumerator(private_child_sa_t *this)
|
|||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_stats.
|
||||
* Implementation of child_sa_t.get_usetime
|
||||
*/
|
||||
static void get_stats(private_child_sa_t *this, ipsec_mode_t *mode,
|
||||
encryption_algorithm_t *encr_algo,
|
||||
chunk_t *encr_key_in, chunk_t *encr_key_out,
|
||||
integrity_algorithm_t *int_algo,
|
||||
chunk_t *int_key_in, chunk_t *int_key_out,
|
||||
u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
|
||||
u_int32_t *use_fwd)
|
||||
static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
|
||||
{
|
||||
traffic_selector_t *my_ts, *other_ts;
|
||||
enumerator_t *enumerator;
|
||||
u_int32_t in = 0, out = 0, fwd = 0, time;
|
||||
|
||||
traffic_selector_t *my_ts, *other_ts;
|
||||
u_int32_t last_use = 0;
|
||||
|
||||
enumerator = create_policy_enumerator(this);
|
||||
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
|
||||
{
|
||||
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
other_ts, my_ts, POLICY_IN, &time) == SUCCESS)
|
||||
u_int32_t in, out, fwd;
|
||||
|
||||
if (inbound)
|
||||
{
|
||||
in = max(in, time);
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
|
||||
{
|
||||
last_use = max(last_use, in);
|
||||
}
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
|
||||
{
|
||||
last_use = max(last_use, fwd);
|
||||
}
|
||||
}
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
my_ts, other_ts, POLICY_OUT, &time) == SUCCESS)
|
||||
else
|
||||
{
|
||||
out = max(out, time);
|
||||
}
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
other_ts, my_ts, POLICY_FWD, &time) == SUCCESS)
|
||||
{
|
||||
fwd = max(fwd, time);
|
||||
if (charon->kernel_interface->query_policy(charon->kernel_interface,
|
||||
my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
|
||||
{
|
||||
last_use = max(last_use, out);
|
||||
}
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
return last_use;
|
||||
}
|
||||
|
||||
#define SET_PTR_IF(x, y) if (x) { *x = y; }
|
||||
SET_PTR_IF(mode, this->mode);
|
||||
SET_PTR_IF(encr_algo, this->enc_alg);
|
||||
SET_PTR_IF(encr_key_in, this->enc_key[0]);
|
||||
SET_PTR_IF(encr_key_out, this->enc_key[1]);
|
||||
SET_PTR_IF(int_algo, this->int_alg);
|
||||
SET_PTR_IF(int_key_in, this->int_key[0]);
|
||||
SET_PTR_IF(int_key_out, this->int_key[1]);
|
||||
SET_PTR_IF(rekey, this->rekey_time);
|
||||
SET_PTR_IF(use_in, in);
|
||||
SET_PTR_IF(use_out, out);
|
||||
SET_PTR_IF(use_fwd, fwd);
|
||||
/**
|
||||
* Implementation of child_sa_t.get_lifetime
|
||||
*/
|
||||
static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
|
||||
{
|
||||
if (hard)
|
||||
{
|
||||
return this->expire_time;
|
||||
}
|
||||
return this->rekey_time;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_integrity
|
||||
*/
|
||||
static integrity_algorithm_t get_integrity(private_child_sa_t *this,
|
||||
bool inbound, chunk_t *key)
|
||||
{
|
||||
*key = this->int_key[!!inbound];
|
||||
return this->int_alg;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_encryption
|
||||
*/
|
||||
static encryption_algorithm_t get_encryption(private_child_sa_t *this,
|
||||
bool inbound, chunk_t *key)
|
||||
{
|
||||
*key = this->enc_key[!!inbound];
|
||||
return this->enc_alg;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_mode
|
||||
*/
|
||||
static ipsec_mode_t get_mode(private_child_sa_t *this)
|
||||
{
|
||||
return this->mode;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -470,7 +499,7 @@ static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
|
|||
static status_t install(private_child_sa_t *this, proposal_t *proposal,
|
||||
ipsec_mode_t mode, prf_plus_t *prf_plus, bool mine)
|
||||
{
|
||||
u_int32_t spi, cpi, soft, hard;
|
||||
u_int32_t spi, cpi, soft, hard, now;
|
||||
host_t *src, *dst;
|
||||
status_t status;
|
||||
int add_keymat;
|
||||
|
@ -600,8 +629,9 @@ static status_t install(private_child_sa_t *this, proposal_t *proposal,
|
|||
this->int_alg, this->int_key[!!mine],
|
||||
mode, IPCOMP_NONE, this->encap, mine);
|
||||
|
||||
this->install_time = time(NULL);
|
||||
this->rekey_time = this->install_time + soft;
|
||||
now = time(NULL);
|
||||
this->rekey_time = now + soft;
|
||||
this->expire_time = now + hard;
|
||||
return status;
|
||||
}
|
||||
|
||||
|
@ -743,44 +773,6 @@ static linked_list_t *get_traffic_selectors(private_child_sa_t *this, bool local
|
|||
return this->other_ts;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.get_use_time
|
||||
*/
|
||||
static status_t get_use_time(private_child_sa_t *this,
|
||||
bool inbound, time_t *use_time)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
traffic_selector_t *my_ts, *other_ts;
|
||||
status_t status = FAILED;
|
||||
|
||||
*use_time = UNDEFINED_TIME;
|
||||
|
||||
enumerator = create_policy_enumerator(this);
|
||||
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
|
||||
{
|
||||
if (inbound)
|
||||
{
|
||||
time_t in = UNDEFINED_TIME, fwd = UNDEFINED_TIME;
|
||||
|
||||
status = charon->kernel_interface->query_policy(
|
||||
charon->kernel_interface, other_ts, my_ts,
|
||||
POLICY_IN, (u_int32_t*)&in);
|
||||
status |= charon->kernel_interface->query_policy(
|
||||
charon->kernel_interface, other_ts, my_ts,
|
||||
POLICY_FWD, (u_int32_t*)&fwd);
|
||||
*use_time = max(in, fwd);
|
||||
}
|
||||
else
|
||||
{
|
||||
status = charon->kernel_interface->query_policy(
|
||||
charon->kernel_interface, my_ts, other_ts,
|
||||
POLICY_OUT, (u_int32_t*)use_time);
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
return status;
|
||||
}
|
||||
|
||||
/**
|
||||
* Implementation of child_sa_t.update_hosts.
|
||||
*/
|
||||
|
@ -996,7 +988,11 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
|
|||
this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
|
||||
this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
|
||||
this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
|
||||
this->public.get_stats = (void(*)(child_sa_t*, ipsec_mode_t*,encryption_algorithm_t*,chunk_t*,chunk_t*,integrity_algorithm_t*,chunk_t*,chunk_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
|
||||
this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
|
||||
this->public.get_encryption = (encryption_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_encryption;
|
||||
this->public.get_integrity = (integrity_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_integrity;
|
||||
this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
|
||||
this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
|
||||
this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
|
||||
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))add;
|
||||
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))update;
|
||||
|
@ -1004,7 +1000,6 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
|
|||
this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
|
||||
this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
|
||||
this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
|
||||
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
|
||||
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
|
||||
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
|
||||
this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
|
||||
|
|
|
@ -148,25 +148,45 @@ struct child_sa_t {
|
|||
protocol_id_t (*get_protocol) (child_sa_t *this);
|
||||
|
||||
/**
|
||||
* Get info and statistics about this CHILD_SA.
|
||||
* Get the IPsec mode of this CHILD_SA.
|
||||
*
|
||||
* @param mode mode this IKE_SA uses
|
||||
* @param encr_algo encryption algorithm used by this CHILD_SA.
|
||||
* @param encr_key encryption key
|
||||
* @param int_algo integrity algorithm used by this CHILD_SA
|
||||
* @param int_key integrity key
|
||||
* @param rekey time when rekeying is scheduled
|
||||
* @param use_in time when last traffic was seen coming in
|
||||
* @param use_out time when last traffic was seen going out
|
||||
* @param use_fwd time when last traffic was getting forwarded
|
||||
* @return TUNNEL | TRANSPORT | BEET
|
||||
*/
|
||||
void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
|
||||
encryption_algorithm_t *encr,
|
||||
chunk_t *encr_key_in, chunk_t *encr_key_out,
|
||||
integrity_algorithm_t *int_algo,
|
||||
chunk_t *int_key_in, chunk_t *int_key_out,
|
||||
u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
|
||||
u_int32_t *use_fwd);
|
||||
ipsec_mode_t (*get_mode)(child_sa_t *this);
|
||||
|
||||
/**
|
||||
* Get the IPsec encryption key.
|
||||
*
|
||||
* @param inbound TRUE for inbound, FALSE for outbound key
|
||||
* @param key chunk where to write key pointer and length
|
||||
* @return encryption algorithm
|
||||
*/
|
||||
encryption_algorithm_t (*get_encryption)(child_sa_t *this, bool inbound,
|
||||
chunk_t *key);
|
||||
/**
|
||||
* Get the IPsec integrity.
|
||||
*
|
||||
* @param inbound TRUE for inbound, FALSE for outbound key
|
||||
* @param key chunk where to write key pointer and length
|
||||
* @return integrity algorithm
|
||||
*/
|
||||
integrity_algorithm_t (*get_integrity)(child_sa_t *this, bool inbound,
|
||||
chunk_t *key);
|
||||
/**
|
||||
* Get the lifetime of the CHILD_SA.
|
||||
*
|
||||
* @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
|
||||
* @return lifetime in seconds
|
||||
*/
|
||||
u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
|
||||
|
||||
/**
|
||||
* Get last use time of the CHILD_SA.
|
||||
*
|
||||
* @param inbound TRUE for inbound traffic, FALSE for outbound
|
||||
* @return time of last use in seconds
|
||||
*/
|
||||
u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
|
||||
|
||||
/**
|
||||
* Allocate SPIs for given proposals.
|
||||
|
@ -250,15 +270,6 @@ struct child_sa_t {
|
|||
*/
|
||||
enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
|
||||
|
||||
/**
|
||||
* Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
|
||||
*
|
||||
* @param inbound query for in- or outbound usage
|
||||
* @param use_time the time
|
||||
* @return SUCCESS or FAILED
|
||||
*/
|
||||
status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
|
||||
|
||||
/**
|
||||
* Get the state of the CHILD_SA.
|
||||
*/
|
||||
|
@ -285,7 +296,7 @@ struct child_sa_t {
|
|||
* @param other_cpi other Compression Parameter Index
|
||||
*/
|
||||
void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
|
||||
u_int16_t other_cpi);
|
||||
u_int16_t other_cpi);
|
||||
|
||||
/**
|
||||
* Returns the Compression Parameter Index (CPI) allocated from the kernel.
|
||||
|
|
|
@ -304,28 +304,26 @@ struct private_ike_sa_t {
|
|||
*/
|
||||
static time_t get_use_time(private_ike_sa_t* this, bool inbound)
|
||||
{
|
||||
iterator_t *iterator;
|
||||
enumerator_t *enumerator;
|
||||
child_sa_t *child_sa;
|
||||
time_t latest = 0, use_time;
|
||||
|
||||
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
||||
while (iterator->iterate(iterator, (void**)&child_sa))
|
||||
{
|
||||
if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
|
||||
{
|
||||
latest = max(latest, use_time);
|
||||
}
|
||||
}
|
||||
iterator->destroy(iterator);
|
||||
time_t use_time;
|
||||
|
||||
if (inbound)
|
||||
{
|
||||
return max(this->time.inbound, latest);
|
||||
use_time = this->time.inbound;
|
||||
}
|
||||
else
|
||||
{
|
||||
return max(this->time.outbound, latest);
|
||||
use_time = this->time.outbound;
|
||||
}
|
||||
enumerator = this->child_sas->create_enumerator(this->child_sas);
|
||||
while (enumerator->enumerate(enumerator, &child_sa))
|
||||
{
|
||||
use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
return use_time;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
Loading…
Reference in New Issue