ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

add priority management for kernel policy 

let ROUTED policies installed, until manuall removed
introduced new naming scheme to allow proper shutdown of IKE/CHILD_SAs
ike_sa_manager cleanups
This commit is contained in:
Martin Willi 2006-09-08 13:10:52 +00:00
parent 1239c6f40b
commit a095243f60
12 changed files with 256 additions and 221 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/charon/config/policies/policy.h
View File

@ -52,7 +52,7 @@ enum dpd_action_t {
/**
* String mappings for dpd_action_t
*/
mapping_t dpd_action_m[];
extern mapping_t dpd_action_m[];
typedef struct policy_t policy_t;

1
src/charon/config/traffic_selector.c
View File

@ -24,6 +24,7 @@
#include <arpa/inet.h>
#include <string.h>
#include <netdb.h>
#include <stdio.h>
#include "traffic_selector.h"

4
src/charon/queues/jobs/incoming_packet_job.c
View File

@ -152,7 +152,9 @@ static status_t execute(private_incoming_packet_job_t *this)
ike_sa_id->get_responder_spi(ike_sa_id));
if (message->get_request(message))
{
send_notify_response(this, message, INVALID_IKE_SPI);
/* TODO: send notify if we have NULL crypters,
* see todo in send_notify_response
send_notify_response(this, message, INVALID_IKE_SPI); */
}
ike_sa_id->destroy(ike_sa_id);
message->destroy(message);

26
src/charon/sa/child_sa.c
View File

@ -24,6 +24,7 @@
#include "child_sa.h"
#include <stdio.h>
#include <string.h>
#include <daemon.h>
@ -182,8 +183,14 @@ static char *get_name(private_child_sa_t *this)
*/
static void set_name(private_child_sa_t *this, char* name)
{
free(this->name);
this->name = strdup(name);
char buffer[64];
if (snprintf(buffer, sizeof(buffer), "%s[%d]",
name, this->reqid - REQID_START) > 0)
{
free(this->name);
this->name = strdup(buffer);
}
}
/**
@ -468,6 +475,8 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
{
iterator_t *my_iter, *other_iter;
traffic_selector_t *my_ts, *other_ts;
/* use low prio for ROUTED policies */
bool high_prio = (this->state != CHILD_CREATED);
/* iterate over both lists */
my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
@ -503,15 +512,15 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
/* install 3 policies: out, in and forward */
status = charon->kernel_interface->add_policy(charon->kernel_interface,
this->me.addr, this->other.addr, my_ts, other_ts,
POLICY_OUT, this->protocol, this->reqid, FALSE);
POLICY_OUT, this->protocol, this->reqid, high_prio, FALSE);
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
this->other.addr, this->me.addr, other_ts, my_ts,
POLICY_IN, this->protocol, this->reqid, FALSE);
POLICY_IN, this->protocol, this->reqid, high_prio, FALSE);
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
this->other.addr, this->me.addr, other_ts, my_ts,
POLICY_FWD, this->protocol, this->reqid, FALSE);
POLICY_FWD, this->protocol, this->reqid, high_prio, FALSE);
if (status != SUCCESS)
{
@ -805,6 +814,7 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
iterator_t *iterator;
sa_policy_t *policy;
status_t status;
/* we always use high priorities, as hosts getting updated are INSTALLED */
iterator = this->policies->create_iterator(this->policies, TRUE);
while (iterator->iterate(iterator, (void**)&policy))
@ -813,19 +823,19 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
charon->kernel_interface,
new_me, new_other,
policy->my_ts, policy->other_ts,
POLICY_OUT, this->protocol, this->reqid, TRUE);
POLICY_OUT, this->protocol, this->reqid, TRUE, TRUE);
status |= charon->kernel_interface->add_policy(
charon->kernel_interface,
new_other, new_me,
policy->other_ts, policy->my_ts,
POLICY_IN, this->protocol, this->reqid, TRUE);
POLICY_IN, this->protocol, this->reqid, TRUE, TRUE);
status |= charon->kernel_interface->add_policy(
charon->kernel_interface,
new_other, new_me,
policy->other_ts, policy->my_ts,
POLICY_FWD, this->protocol, this->reqid, TRUE);
POLICY_FWD, this->protocol, this->reqid, TRUE, TRUE);
if (status != SUCCESS)
{

39
src/charon/sa/ike_sa.c
View File

@ -920,8 +920,6 @@ static status_t initiate(private_ike_sa_t *this,
this->logger->log(this->logger, CONTROL,
"initiating IKE_SA");
set_name(this, connection->get_name(connection));
DESTROY_IF(this->my_host);
this->my_host = connection->get_my_host(connection);
this->my_host = this->my_host->clone(this->my_host);
@ -1130,27 +1128,30 @@ static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
while (iterator->iterate(iterator, (void**)&child_sa))
{
linked_list_t *my_ts_conf, *other_ts_conf;
my_ts = child_sa->get_my_traffic_selectors(child_sa);
other_ts = child_sa->get_other_traffic_selectors(child_sa);
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
if (ts_list_equals(my_ts, my_ts_conf) &&
ts_list_equals(other_ts, other_ts_conf))
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
{
linked_list_t *my_ts_conf, *other_ts_conf;
my_ts = child_sa->get_my_traffic_selectors(child_sa);
other_ts = child_sa->get_other_traffic_selectors(child_sa);
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
if (ts_list_equals(my_ts, my_ts_conf) &&
ts_list_equals(other_ts, other_ts_conf))
{
ts_list_destroy(my_ts_conf);
ts_list_destroy(other_ts_conf);
iterator->destroy(iterator);
this->logger->log(this->logger, CONTROL,
"a CHILD_SA with such a policy already routed");
return FAILED;
}
ts_list_destroy(my_ts_conf);
ts_list_destroy(other_ts_conf);
iterator->destroy(iterator);
this->logger->log(this->logger, CONTROL,
"a CHILD_SA with such a policy already routed");
return FAILED;
}
ts_list_destroy(my_ts_conf);
ts_list_destroy(other_ts_conf);
}
iterator->destroy(iterator);

273
src/charon/sa/ike_sa_manager.c
View File

@ -134,58 +134,7 @@ struct private_ike_sa_manager_t {
* Public interface of ike_sa_manager_t.
*/
ike_sa_manager_t public;
/**
* @brief Get next spi.
*
* We give out SPIs from a pseudo random source
*
* @param this the ike_sa_manager
* @return the next spi
*/
u_int64_t (*get_next_spi) (private_ike_sa_manager_t *this);
/**
* @brief Find the ike_sa_entry_t object in the list by SPIs.
*
* This function simply iterates over the linked list. A hash-table
* would be more efficient when storing a lot of IKE_SAs...
*
* @param this calling object
* @param ike_sa_id id of the ike_sa, containing SPIs
* @param[out] entry pointer to set to the found entry
* @return
* - SUCCESS when found,
* - NOT_FOUND when no such ike_sa_id in list
*/
status_t (*get_entry_by_id) (private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id, ike_sa_entry_t **entry);
/**
* @brief Find the ike_sa_entry_t in the list by pointer to SA.
*
* This function simply iterates over the linked list. A hash-table
* would be more efficient when storing a lot of IKE_SAs...
*
* @param this calling object
* @param ike_sa pointer to the ike_sa
* @param[out] entry pointer to set to the found entry
* @return
* - SUCCESS when found,
* - NOT_FOUND when no such ike_sa_id in list
*/
status_t (*get_entry_by_sa) (private_ike_sa_manager_t *this, ike_sa_t *ike_sa, ike_sa_entry_t **entry);
/**
* @brief Delete an entry from the linked list.
*
* @param this calling object
* @param entry entry to delete
* @return
* - SUCCESS when found,
* - NOT_FOUND when no such ike_sa_id in list
*/
status_t (*delete_entry) (private_ike_sa_manager_t *this, ike_sa_entry_t *entry);
/**
* Lock for exclusivly accessing the manager.
*/
@ -321,6 +270,17 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
iterator->current(iterator, (void**)&current);
if (current == entry)
{
/* mark it, so now new threads can get this entry */
entry->driveout_new_threads = TRUE;
/* wait until all workers have done their work */
while (entry->waiting_threads)
{
/* wake up all */
pthread_cond_broadcast(&(entry->condvar));
/* they will wake us again when their work is done */
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
this->logger->log(this->logger, CONTROL|LEVEL2,
"found entry by pointer. Going to delete it");
iterator->remove(iterator);
@ -440,7 +400,7 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this,
ike_sa_entry_t *new_ike_sa_entry;
ike_sa_id_t *new_ike_sa_id;
initiator_spi = this->get_next_spi(this);
initiator_spi = get_next_spi(this);
new_ike_sa_id = ike_sa_id_create(0, 0, TRUE);
new_ike_sa_id->set_initiator_spi(new_ike_sa_id, initiator_spi);
@ -501,7 +461,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
*/
ike_sa_entry_t *entry;
/* look for the entry */
if (this->get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
{
if (wait_for_entry(this, entry))
{
@ -537,7 +497,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
ike_sa_entry_t *new_ike_sa_entry;
/* set SPIs, we are the responder */
responder_spi = this->get_next_spi(this);
responder_spi = get_next_spi(this);
/* we also set arguments spi, so its still valid */
ike_sa_id->set_responder_spi(ike_sa_id, responder_spi);
@ -558,7 +518,7 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id
/* checkout of a new and unused IKE_SA, used for rekeying */
ike_sa_entry_t *new_ike_sa_entry;
ike_sa_id->set_initiator_spi(ike_sa_id, this->get_next_spi(this));
ike_sa_id->set_initiator_spi(ike_sa_id, get_next_spi(this));
/* create entry */
new_ike_sa_entry = ike_sa_entry_create(ike_sa_id);
this->logger->log(this->logger, CONTROL|LEVEL2,
@ -621,7 +581,7 @@ static ike_sa_t* checkout_by_child(private_ike_sa_manager_t *this,
/**
* Implementation of ike_sa_manager_t.get_ike_sa_list.
*/
linked_list_t *get_ike_sa_list(private_ike_sa_manager_t* this)
static linked_list_t *get_ike_sa_list(private_ike_sa_manager_t* this)
{
linked_list_t *list;
iterator_t *iterator;
@ -642,32 +602,6 @@ linked_list_t *get_ike_sa_list(private_ike_sa_manager_t* this)
return list;
}
/**
* Implementation of ike_sa_manager_t.get_ike_sa_list_by_name.
*/
linked_list_t *get_ike_sa_list_by_name(private_ike_sa_manager_t* this, const char *name)
{
linked_list_t *list;
iterator_t *iterator;
ike_sa_entry_t *entry;
pthread_mutex_lock(&(this->mutex));
list = linked_list_create();
iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
while (iterator->iterate(iterator, (void**)&entry))
{
if (strcmp(name, entry->ike_sa->get_name(entry->ike_sa)) == 0)
{
list->insert_last(list, (void*)entry->ike_sa_id->clone(entry->ike_sa_id));
}
}
iterator->destroy(iterator);
pthread_mutex_unlock(&(this->mutex));
return list;
}
/**
* Implementation of ike_sa_manager_t.log_status.
*/
@ -724,7 +658,7 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
pthread_mutex_lock(&(this->mutex));
/* look for the entry */
if (this->get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
{
/* ike_sa_id must be updated */
entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
@ -772,23 +706,13 @@ static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ik
pthread_mutex_lock(&(this->mutex));
if (this->get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
if (get_entry_by_sa(this, ike_sa, &entry) == SUCCESS)
{
/* mark it, so now new threads can acquire this SA */
entry->driveout_new_threads = TRUE;
/* additionaly, drive out waiting threads */
/* drive out waiting threads, as we are in hurry */
entry->driveout_waiting_threads = TRUE;
/* wait until all workers have done their work */
while (entry->waiting_threads)
{
/* let the other threads leave the manager */
pthread_cond_broadcast(&(entry->condvar));
/* and the nice thing, they will wake us again when their work is done */
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
/* ok, we are alone now, no threads waiting in the entry's condvar */
this->delete_entry(this, entry);
delete_entry(this, entry);
this->logger->log(this->logger, CONTROL|LEVEL1,
"check-in and destroy of IKE_SA successful");
retval = SUCCESS;
@ -825,7 +749,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
pthread_mutex_lock(&(this->mutex));
if (this->get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
if (get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
{
/* we try a delete. If it succeeds, our job is done here. The
* other peer will reply, and the IKE SA gets the finally deleted...
@ -837,25 +761,10 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
}
/* but if the IKE SA is not in a state where the deletion is
* negotiated with the other peer, we can destroy the IKE SA on our own.
* For this, we must be sure that really NO other threads are
* waiting for this SA...
*/
else
{
/* mark it, so now new threads can acquire this SA */
entry->driveout_new_threads = TRUE;
/* wait until all workers have done their work */
while (entry->waiting_threads)
{
/* wake up all */
pthread_cond_broadcast(&(entry->condvar));
/* and the nice thing, they will wake us again when their work
* is done */
pthread_cond_wait(&(entry->condvar), &(this->mutex));
}
/* ok, we are alone now, no threads waiting in the entry's condvar */
this->delete_entry(this, entry);
this->logger->log(this->logger, CONTROL|LEVEL1, "destroyed IKE_SA");
}
retval = SUCCESS;
}
@ -870,6 +779,125 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
return retval;
}
/**
* Implementation of ike_sa_manager_t.delete_by_name.
*/
static status_t delete_by_name(private_ike_sa_manager_t *this, char *name)
{
iterator_t *iterator;
iterator_t *child_iter;
ike_sa_entry_t *entry;
size_t name_len = strlen(name);
pthread_mutex_lock(&(this->mutex));
iterator = this->ike_sa_list->create_iterator(this->ike_sa_list, TRUE);
while (iterator->iterate(iterator, (void**)&entry))
{
if (wait_for_entry(this, entry))
{
/* delete ike_sa if:
* name{x} matches completely
* name{} matches by name
* name matches by name
*/
bool del = FALSE;
char *ike_name;
char *child_name;
child_sa_t *child_sa;
ike_name = entry->ike_sa->get_name(entry->ike_sa);
/* check if "name{x}" matches completely */
if (strcmp(name, ike_name) == 0)
{
del = TRUE;
}
/* check if name is in form of "name{}" and matches to ike_name */
else if (name_len > 1 &&
name[name_len - 2] == '{' && name[name_len - 1] == '}' &&
strlen(ike_name) > name_len &&
ike_name[name_len - 2] == '{' &&
strncmp(name, ike_name, name_len - 2) == 0)
{
del = TRUE;
}
/* finally, check if name is "name" and matches ike_name */
else if (name_len == strchr(ike_name, '{') - ike_name &&
strncmp(name, ike_name, name_len) == 0)
{
del = TRUE;
}
if (del)
{
if (entry->ike_sa->delete(entry->ike_sa) == DESTROY_ME)
{
delete_entry(this, entry);
iterator->reset(iterator);
}
/* no need to check children, as we delete all */
continue;
}
/* and now the same game for all children. delete child_sa if:
* name[x] matches completely
* name[] matches by name
* name matches by name
*/
child_iter = entry->ike_sa->create_child_sa_iterator(entry->ike_sa);
while (child_iter->iterate(child_iter, (void**)&child_sa))
{
/* skip ROUTED children, they have their "unroute" command */
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
{
continue;
}
child_name = child_sa->get_name(child_sa);
del = FALSE;
/* check if "name[x]" matches completely */
if (strcmp(name, child_name) == 0)
{
del = TRUE;
}
/* check if name is in form of "name[]" and matches to child_name */
else if (name_len > 1 &&
name[name_len - 2] == '[' && name[name_len - 1] == ']' &&
strlen(child_name) > name_len &&
child_name[name_len - 2] == '[' &&
strncmp(name, child_name, name_len - 2) == 0)
{
del = TRUE;
}
/* finally, check if name is "name" and matches child_name */
else if (name_len == strchr(child_name, '[') - child_name &&
strncmp(name, child_name, name_len) == 0)
{
del = TRUE;
}
if (del)
{
if (entry->ike_sa->delete_child_sa(entry->ike_sa,
child_sa->get_protocol(child_sa),
child_sa->get_spi(child_sa, TRUE)) == DESTROY_ME)
{
/* when a fatal error occurs, we are responsible to
* remove the IKE_SA */
delete_entry(this, entry);
iterator->reset(iterator);
break;
}
}
}
child_iter->destroy(child_iter);
}
}
iterator->destroy(iterator);
pthread_mutex_unlock(&(this->mutex));
return SUCCESS;
}
/**
* Implementation of ike_sa_manager_t.destroy.
*/
@ -921,10 +949,9 @@ static void destroy(private_ike_sa_manager_t *this)
this->logger->log(this->logger, CONTROL|LEVEL2, "destroy all entries");
/* Step 4: destroy all entries */
while (list->get_count(list) > 0)
while (list->remove_last(list, (void**)&entry) == SUCCESS)
{
list->get_first(list, (void**)&entry);
this->delete_entry(this, entry);
entry->destroy(entry);
}
list->destroy(list);
pthread_mutex_unlock(&(this->mutex));
@ -947,18 +974,12 @@ ike_sa_manager_t *ike_sa_manager_create()
this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout;
this->public.checkout_by_child = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t))checkout_by_child;
this->public.get_ike_sa_list = (linked_list_t*(*)(ike_sa_manager_t*))get_ike_sa_list;
this->public.get_ike_sa_list_by_name = (linked_list_t*(*)(ike_sa_manager_t*,const char*))get_ike_sa_list_by_name;
this->public.log_status = (void(*)(ike_sa_manager_t*,logger_t*,char*))log_status;
this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
this->public.delete = (status_t(*)(ike_sa_manager_t*,ike_sa_id_t*))delete_;
this->public.delete_by_name = (status_t(*)(ike_sa_manager_t*,char*))delete_by_name;
this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
/* initialize private functions */
this->get_next_spi = get_next_spi;
this->get_entry_by_sa = get_entry_by_sa;
this->get_entry_by_id = get_entry_by_id;
this->delete_entry = delete_entry;
/* initialize private variables */
this->logger = logger_manager->get_logger(logger_manager, IKE_SA_MANAGER);

32
src/charon/sa/ike_sa_manager.h
View File

@ -116,15 +116,6 @@ struct ike_sa_manager_t {
*/
linked_list_t *(*get_ike_sa_list) (ike_sa_manager_t* this);
/**
* @brief Get a list of all IKE_SA SAs currently set up specified
* by the connections name.
*
* @param this the manager object
* @return a list with ike_sa_id_t s
*/
linked_list_t *(*get_ike_sa_list_by_name) (ike_sa_manager_t* this, const char *name);
/**
* @brief Log the status of the IKE_SA's in the manager.
*
@ -171,6 +162,29 @@ struct ike_sa_manager_t {
*/
status_t (*delete) (ike_sa_manager_t* this, ike_sa_id_t *ike_sa_id);
/**
* @brief Delete a SA identified by its name, which was not checked out.
*
* Using delete_by_name allows the delete of IKE_SAs and CHILD_SAs.
* The supplied name may have one of the following format:
*
* name{x} => delete IKE_SA with "name" and unique id "x"
* name{} => delete all IKE_SAs with "name"
* name[x] => delete CHILD_SA with "name" and unique id "x"
* name[] => delete all CHILD_SAs with "name"
* name => delete all CHILD_SAs or IKE_SAs with "name"
*
* @warning do not use this when the SA is already checked out, this will
* deadlock!
*
* @param this the manager object
* @param name name in one of the format described above
* @returns
* - SUCCESS if found
* - NOT_FOUND when no such SA is available
*/
status_t (*delete_by_name) (ike_sa_manager_t* this, char *name);
/**
* @brief Destroy a checked out SA.
*

24
src/charon/sa/transactions/ike_sa_init.c
View File

@ -110,6 +110,11 @@ struct private_ike_sa_init_t {
*/
u_int32_t reqid;
/**
* Unique ID for to enumerate all IKE_SAs in its name
*/
u_int32_t unique_id;
/**
* Randomizer to generate nonces
*/
@ -281,6 +286,7 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
message_t *request;
host_t *me, *other;
identification_t *my_id, *other_id;
char name[64];
/* check if we already have built a message (retransmission) */
if (this->message)
@ -298,6 +304,12 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result)
other_id = this->policy->get_other_id(this->policy);
this->ike_sa->set_my_id(this->ike_sa, my_id->clone(my_id));
this->ike_sa->set_other_id(this->ike_sa, other_id->clone(other_id));
if (snprintf(name, sizeof(name), "%s{%d}",
this->connection->get_name(this->connection),
this->unique_id) > 0)
{
this->ike_sa->set_name(this->ike_sa, name);
}
/* build the request */
request = message_create();
@ -516,6 +528,7 @@ static status_t get_response(private_ike_sa_init_t *this,
nonce_payload_t *nonce_request = NULL;
ike_sa_id_t *ike_sa_id;
u_int32_t timeout;
char name[64];
/* check if we already have built a response (retransmission) */
if (this->message)
@ -561,8 +574,13 @@ static status_t get_response(private_ike_sa_init_t *this,
me->get_string(me), other->get_string(other));
return DESTROY_ME;
}
this->ike_sa->set_name(this->ike_sa,
this->connection->get_name(this->connection));
if (snprintf(name, sizeof(name), "%s{%d}",
this->connection->get_name(this->connection),
this->unique_id) > 0)
{
this->ike_sa->set_name(this->ike_sa, name);
}
/* Precompute NAT-D hashes for incoming NAT notify comparison */
ike_sa_id = request->get_ike_sa_id(request);
@ -1077,6 +1095,7 @@ static void destroy(private_ike_sa_init_t *this)
*/
ike_sa_init_t *ike_sa_init_create(ike_sa_t *ike_sa)
{
static u_int unique_id = 0;
private_ike_sa_init_t *this = malloc_thing(private_ike_sa_init_t);
/* transaction interface functions */
@ -1103,6 +1122,7 @@ ike_sa_init_t *ike_sa_init_create(ike_sa_t *ike_sa)
this->connection = NULL;
this->policy = NULL;
this->proposal = NULL;
this->unique_id = ++unique_id;
this->reqid = 0;
this->randomizer = randomizer_create();
this->nat_hasher = hasher_create(HASH_SHA1);

2
src/charon/sa/transactions/rekey_ike_sa.c
View File

@ -376,7 +376,7 @@ static status_t switchto_new_sa(private_rekey_ike_sa_t* this, bool initiator)
other_id = this->ike_sa->get_other_id(this->ike_sa);
my_host = this->ike_sa->get_my_host(this->ike_sa);
other_host = this->ike_sa->get_other_host(this->ike_sa);
name = this->connection->get_name(this->connection);
name = this->ike_sa->get_name(this->ike_sa);
this->new_sa->set_my_id(this->new_sa, my_id->clone(my_id));
this->new_sa->set_other_id(this->new_sa, other_id->clone(other_id));

21
src/charon/threads/kernel_interface.c
View File

@ -50,7 +50,8 @@
#define KERNEL_AH 51
/** default priority of installed policies */
#define SPD_PRIORITY 1024
#define PRIO_LOW 3000
#define PRIO_HIGH 2000
#define BUFFER_SIZE 1024
@ -979,7 +980,7 @@ static status_t add_policy(private_kernel_interface_t *this,
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, protocol_id_t protocol,
u_int32_t reqid, bool update)
u_int32_t reqid, bool high_prio, bool update)
{
iterator_t *iterator;
kernel_policy_t *current, *policy;
@ -1011,6 +1012,14 @@ static status_t add_policy(private_kernel_interface_t *this,
current->refcount++;
this->logger->log(this->logger, CONTROL|LEVEL1,
"policy already exists, increasing refcount");
if (!high_prio)
{
/* if added policy is for a ROUTED child_sa, do not
* overwrite existing INSTALLED policy */
iterator->destroy(iterator);
pthread_mutex_unlock(&this->pol_mutex);
return SUCCESS;
}
}
policy = current;
found = TRUE;
@ -1035,7 +1044,11 @@ static status_t add_policy(private_kernel_interface_t *this,
policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
policy_info->sel = policy->sel;
policy_info->dir = policy->direction;
policy_info->priority = SPD_PRIORITY;
/* calculate priority based on source selector size, small size = high prio */
policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW;
policy_info->priority -= policy->sel.prefixlen_s * 10;
policy_info->priority -= policy->sel.proto ? 2 : 0;
policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
policy_info->action = XFRM_POLICY_ALLOW;
policy_info->share = XFRM_SHARE_ANY;
pthread_mutex_unlock(&this->pol_mutex);
@ -1272,7 +1285,7 @@ kernel_interface_t *kernel_interface_create()
this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa;
this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa;
this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa;
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool))add_policy;
this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,bool))add_policy;
this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy;
this->public.destroy = (void(*)(kernel_interface_t*)) destroy;

3
src/charon/threads/kernel_interface.h
View File

@ -207,6 +207,7 @@ struct kernel_interface_t {
* @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
* @param protocol protocol to use to protect traffic (AH/ESP)
* @param reqid uniqe ID of an SA to use to enforce policy
* @param high_prio if TRUE, uses a higher priority than any with FALSE
* @param update update an existing policy, if TRUE
* @return
* - SUCCESS
@ -217,7 +218,7 @@ struct kernel_interface_t {
traffic_selector_t *src_ts,
traffic_selector_t *dst_ts,
policy_dir_t direction, protocol_id_t protocol,
u_int32_t reqid, bool update);
u_int32_t reqid, bool high_prio, bool update);
/**
* @brief Query the use time of a policy.

50
src/charon/threads/stroke_interface.c
View File

@ -601,58 +601,10 @@ static void stroke_route(private_stroke_t *this, stroke_msg_t *msg, bool route)
*/
static void stroke_terminate(private_stroke_t *this, stroke_msg_t *msg)
{
linked_list_t *ike_sas;
iterator_t *iterator;
int instances = 0;
connection_t *conn;
pop_string(msg, &(msg->terminate.name));
this->logger->log(this->logger, CONTROL, "received stroke: terminate \"%s\"", msg->terminate.name);
/* we have to do tricky tricks to give the most comprehensive output to the user.
* There are different cases:
* 1. Connection is available, but IKEv1:
* => just ignore it, let pluto print it
* 2. Connection is not available, but instances of a deleted connection template:
* => terminate them, and print their termination
* 3. Connection is not available, and and no instances are there:
* => show error about bad connection name
* 4. An IKEv2 connection is available, and may contain instances:
* => terminate and print, simple
*/
conn = charon->connections->get_connection_by_name(charon->connections, msg->terminate.name);
if (conn == NULL || conn->is_ikev2(conn))
{
ike_sas = charon->ike_sa_manager->get_ike_sa_list_by_name(charon->ike_sa_manager, msg->terminate.name);
iterator = ike_sas->create_iterator(ike_sas, TRUE);
while (iterator->has_next(iterator))
{
ike_sa_id_t *ike_sa_id;
iterator->current(iterator, (void**)&ike_sa_id);
charon->ike_sa_manager->delete(charon->ike_sa_manager, ike_sa_id);
ike_sa_id->destroy(ike_sa_id);
instances++;
}
iterator->destroy(iterator);
ike_sas->destroy(ike_sas);
if (conn == NULL && instances == 0)
{
this->stroke_logger->log(this->stroke_logger, CONTROL,
"no connection named \"%s\"",
msg->terminate.name);
}
else
{
this->stroke_logger->log(this->stroke_logger, CONTROL,
"terminated %d instances of \"%s\"",
instances, msg->terminate.name);
}
}
if (conn)
{
conn->destroy(conn);
}
charon->ike_sa_manager->delete_by_name(charon->ike_sa_manager, msg->terminate.name);
}
/**