ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

added policy cache to kernel interface 

allows refcounting of multiple installed policies
	finally brings us stable simultaneous rekeying
This commit is contained in:
Martin Willi 2006-07-12 11:42:36 +00:00
parent 269f7f448b
commit aeeb4f4f97
7 changed files with 564 additions and 579 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/charon/encoding/message.c
View File

@ -204,7 +204,7 @@ static payload_rule_t create_child_sa_i_payload_rules[] = {
* Message rule for CREATE_CHILD_SA from responder.
*/
static payload_rule_t create_child_sa_r_payload_rules[] = {
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,FALSE},
{NOTIFY,0,MAX_NOTIFY_PAYLOADS,TRUE,TRUE},
{SECURITY_ASSOCIATION,1,1,TRUE,FALSE},
{NONCE,1,1,TRUE,FALSE},
{KEY_EXCHANGE,0,1,TRUE,FALSE},

159
src/charon/sa/child_sa.c
View File

@ -113,11 +113,6 @@ struct private_child_sa_t {
* transaction which is rekeying this CHILD_SA
*/
void *rekeying_transaction;
/**
* has this child SA been rekeyed/is rekeying?
*/
bool is_rekeying;
/**
* Specifies if NAT traversal is used
@ -446,21 +441,21 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
policy->me.net, policy->other.net,
policy->me.net_mask, policy->other.net_mask,
XFRM_POLICY_OUT, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, FALSE);
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_IN, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, FALSE);
status |= charon->kernel_interface->add_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_FWD, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, FALSE);
if (status != SUCCESS)
{
@ -487,7 +482,6 @@ static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list
static void set_rekeying_transaction(private_child_sa_t *this, void *transaction)
{
this->rekeying_transaction = transaction;
this->is_rekeying = TRUE;
}
/**
@ -498,100 +492,28 @@ static void* get_rekeying_transaction(private_child_sa_t *this)
return this->rekeying_transaction;
}
/**
* Implementation of child_sa_t.is_rekeying.
*/
static bool is_rekeying(private_child_sa_t *this)
{
return this->is_rekeying;
}
/**
* Implementation of child_sa_t.get_use_time
*/
static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use_time)
{
iterator_t *iterator;
sa_policy_t *policy;
struct protoent *proto;
char proto_buf[8] = "";
char *proto_name = proto_buf;
status_t status;
*use_time = UNDEFINED_TIME;
iterator = this->policies->create_iterator(this->policies, TRUE);
while (iterator->iterate(iterator, (void**)&policy))
if (inbound)
{
time_t ut;
if (policy->upper_proto)
{
proto = getprotobynumber(policy->upper_proto);
if (proto)
{
proto_name = proto->p_name;
}
else
{
snprintf(proto_buf, sizeof(proto_buf), "<%d>", policy->upper_proto);
}
}
this->logger->log(this->logger, CONTROL|LEVEL1,
"querying policy: %s/%d==%s==%s/%d",
policy->me.net->get_address(policy->me.net), policy->me.net_mask,
proto_name,
policy->other.net->get_address(policy->other.net), policy->other.net_mask);
if (inbound)
{
status = charon->kernel_interface->query_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_IN, policy->upper_proto,
&ut);
/* also check forward policy in tunnel mode */
if (status == SUCCESS /*&& mode == TUNNEL XXX */)
{
time_t fwd;
status = charon->kernel_interface->query_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_FWD, policy->upper_proto,
&fwd);
if (status == SUCCESS)
{
ut = max(ut, fwd);
}
}
}
else
{
status = charon->kernel_interface->query_policy(charon->kernel_interface,
this->me.addr, this->other.addr,
policy->me.net, policy->other.net,
policy->me.net_mask, policy->other.net_mask,
XFRM_POLICY_OUT, policy->upper_proto,
&ut);
}
if (status != SUCCESS)
{
iterator->destroy(iterator);
return FAILED;
}
*use_time = max(*use_time, ut);
status = charon->kernel_interface->query_sa(charon->kernel_interface,
this->me.addr, this->me.spi,
this->protocol, use_time);
}
iterator->destroy(iterator);
return SUCCESS;
else
{
status = charon->kernel_interface->query_sa(charon->kernel_interface,
this->other.addr, this->other.spi,
this->protocol, use_time);
}
return status;
}
/**
@ -759,18 +681,13 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
iterator = this->policies->create_iterator(this->policies, TRUE);
while (iterator->iterate(iterator, (void**)&policy))
{
this->logger->log(this->logger, CONTROL|LEVEL1,
"updating policy: %s/%d====%s/%d",
policy->me.net->get_address(policy->me.net), policy->me.net_mask,
policy->other.net->get_address(policy->other.net), policy->other.net_mask);
status = charon->kernel_interface->add_policy(
charon->kernel_interface,
new_me, new_other,
policy->me.net, policy->other.net,
policy->me.net_mask, policy->other.net_mask,
XFRM_POLICY_OUT, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, TRUE);
status |= charon->kernel_interface->add_policy(
charon->kernel_interface,
@ -778,7 +695,7 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_IN, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, TRUE);
status |= charon->kernel_interface->add_policy(
charon->kernel_interface,
@ -786,8 +703,8 @@ static status_t update_policy_hosts(private_child_sa_t *this, host_t *new_me, ho
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_FWD, policy->upper_proto,
this->protocol, this->reqid);
this->protocol, this->reqid, TRUE);
if (status != SUCCESS)
{
iterator->destroy(iterator);
@ -879,27 +796,21 @@ static void destroy(private_child_sa_t *this)
/* delete all policies in the kernel */
while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
{
if (!this->is_rekeying)
{
/* let rekeyed policies, as they are used by another child_sa */
charon->kernel_interface->del_policy(charon->kernel_interface,
this->me.addr, this->other.addr,
policy->me.net, policy->other.net,
policy->me.net_mask, policy->other.net_mask,
XFRM_POLICY_OUT, policy->upper_proto);
charon->kernel_interface->del_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_IN, policy->upper_proto);
charon->kernel_interface->del_policy(charon->kernel_interface,
this->other.addr, this->me.addr,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_FWD, policy->upper_proto);
}
/* let rekeyed policies, as they are used by another child_sa */
charon->kernel_interface->del_policy(charon->kernel_interface,
policy->me.net, policy->other.net,
policy->me.net_mask, policy->other.net_mask,
XFRM_POLICY_OUT, policy->upper_proto);
charon->kernel_interface->del_policy(charon->kernel_interface,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_IN, policy->upper_proto);
charon->kernel_interface->del_policy(charon->kernel_interface,
policy->other.net, policy->me.net,
policy->other.net_mask, policy->me.net_mask,
XFRM_POLICY_FWD, policy->upper_proto);
policy->me.net->destroy(policy->me.net);
policy->other.net->destroy(policy->other.net);
free(policy);
@ -933,7 +844,6 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other,
this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
this->public.set_rekeying_transaction = (void (*)(child_sa_t*,void*))set_rekeying_transaction;
this->public.get_rekeying_transaction = (void* (*)(child_sa_t*))get_rekeying_transaction;
this->public.is_rekeying = (bool (*)(child_sa_t*))is_rekeying;
this->public.log_status = (void (*)(child_sa_t*, logger_t*, char*))log_status;
this->public.destroy = (void(*)(child_sa_t*))destroy;
@ -953,7 +863,6 @@ child_sa_t * child_sa_create(u_int32_t rekey, host_t *me, host_t* other,
this->policies = linked_list_create();
this->protocol = PROTO_NONE;
this->rekeying_transaction = NULL;
this->is_rekeying = FALSE;
return &this->public;
}

17
src/charon/sa/child_sa.h
View File

@ -174,6 +174,9 @@ struct child_sa_t {
* such situations to handle them cleanly. A rekeying transaction
* registers itself to the CHILD_SA, and checks later if another
* transaction is in progress of a rekey.
*
* @todo Fix include problematics to allow inclusion of
* the create_child_sa_t transaction.
*
* @param this calling object
*/
@ -182,22 +185,12 @@ struct child_sa_t {
/**
* @brief Get the transaction which rekeys this CHILD_SA.
*
* See set_rekeying_transactoin
* @see set_rekeying_transactoin().
*
* @param this calling object
*/
void* (*get_rekeying_transaction) (child_sa_t *this);
/**
* @brief Is the CHILD SA rekeying/in progress of rekeying?
*
* This is a readonly parameter. It is set whenever the
* set_rekeying_transaction() method is called.
*
* @param this calling object
*/
bool (*is_rekeying) (child_sa_t *this);
/**
* @brief Log the status of a child_sa to a logger.
*
@ -223,7 +216,7 @@ struct child_sa_t {
/**
* @brief Constructor to create a new child_sa_t.
*
*
* @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
* @param me own address
* @param other remote address

23
src/charon/sa/transactions/create_child_sa.c
View File

@ -172,8 +172,8 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result)
host_t *me, *other;
/* check if we are not already rekeying */
if (this->rekeyed_sa &&
this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
if (this->rekeyed_sa &&
this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa))
{
this->logger->log(this->logger, ERROR,
"rekeying a CHILD_SA which is already rekeying, aborted");
@ -628,20 +628,11 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request
response->add_payload(response, (payload_t*)ts_response);
}
/* CHILD_SA successfully created. We set us as the rekeying transaction of
* this SA. If we already initiated rekeying of the same SA, we will detect
* the rekeyed SA. If we already initiated rekeying of the same SA, we will detect
* this later in the conclude() call. */
if (this->rekeyed_sa)
{
if (this->rekeyed_sa->is_rekeying(this->rekeyed_sa))
{
/* rekeying already in progress, register us, too */
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
}
else
{
/* no rekeying in progress. mark SA as rekeyed, but not conflicted */
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
}
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, &this->public);
}
return SUCCESS;
}
@ -779,14 +770,14 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
other = (private_create_child_sa_t*)
this->rekeyed_sa->get_rekeying_transaction(this->rekeyed_sa);
/* we are not rekeying anymore, unregister us */
/* rekeying finished, update SA status */
this->rekeyed_sa->set_rekeying_transaction(this->rekeyed_sa, NULL);
if (other != this)
{ /* simlutaneous rekeying is going on, not so good */
chunk_t this_lowest, other_lowest;
/* check if this has a lower nonce the other */
/* check if this has a lower nonce than other */
if (memcmp(this->nonce_i.ptr, this->nonce_r.ptr,
min(this->nonce_i.len, this->nonce_r.len)) < 0)
{
@ -822,7 +813,6 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
/* delete the old SA if we have won the rekeying nonce compare*/
if (!this->lost)
{
other->rekeyed_sa->set_rekeying_transaction(other->rekeyed_sa, NULL);
delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
delete_child_sa->set_child_sa(delete_child_sa, this->rekeyed_sa);
*next = (transaction_t*)delete_child_sa;
@ -832,7 +822,6 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response,
{
/* we have lost simlutaneous rekeying, delete the CHILD_SA we just have created */
delete_child_sa = delete_child_sa_create(this->ike_sa, this->message_id + 1);
new_child->set_rekeying_transaction(new_child, NULL);
delete_child_sa->set_child_sa(delete_child_sa, new_child);
*next = (transaction_t*)delete_child_sa;
}

7
src/charon/sa/transactions/delete_child_sa.c
View File

@ -192,8 +192,11 @@ static status_t process_delete(private_delete_child_sa_t *this, delete_payload_t
* this means we have lost the nonce comparison, and the rekeying
* will fail. We set a flag in the transaction for this special case.
*/
this->logger->log(this->logger, CONTROL,
"DELETE received while rekeying, rekeying cancelled");
if (!response)
{ /* only whine as initiator */
this->logger->log(this->logger, CONTROL,
"DELETE received while rekeying, rekeying cancelled");
}
rekey->cancel(rekey);
}
/* delete it, with inbound spi */

807
src/charon/threads/kernel_interface.c
View File

File diff suppressed because it is too large Load Diff

128
src/charon/threads/kernel_interface.h
View File

@ -48,6 +48,10 @@ typedef struct kernel_interface_t kernel_interface_t;
* The kernel interface handles the communication with the kernel
* for SA and policy management. It allows setup of these, and provides
* further the handling of kernel events.
* Policy information are cached in the interface. This is necessary to do
* reference counting. The Linux kernel does not allow the same policy
* installed twice, but we need this as CHILD_SA exist multiple times
* when rekeying. Thats why we do reference counting of policies.
*
* @b Constructors:
* - kernel_interface_create()
@ -73,11 +77,8 @@ struct kernel_interface_t {
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*get_spi) (kernel_interface_t *this,
host_t *src, host_t *dst,
protocol_id_t protocol,
u_int32_t reqid,
u_int32_t *spi);
status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst,
protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
/**
* @brief Add an SA to the SAD.
@ -107,18 +108,12 @@ struct kernel_interface_t {
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*add_sa)(kernel_interface_t *this,
host_t *src, host_t *dst,
u_int32_t spi,
protocol_id_t protocol,
u_int32_t reqid,
u_int64_t expire_soft,
u_int64_t expire_hard,
algorithm_t *enc_alg,
algorithm_t *int_alg,
prf_plus_t *prf_plus,
natt_conf_t *natt,
bool replace);
status_t (*add_sa) (kernel_interface_t *this,
host_t *src, host_t *dst, u_int32_t spi,
protocol_id_t protocol, u_int32_t reqid,
u_int64_t expire_soft, u_int64_t expire_hard,
algorithm_t *enc_alg, algorithm_t *int_alg,
prf_plus_t *prf_plus, natt_conf_t *natt, bool replace);
/**
* @brief Update the hosts on an installed SA. Encapsulation ports are also updated.
@ -127,40 +122,52 @@ struct kernel_interface_t {
* the protocol AND the destination address (and family) to identify SAs. Therefore if the
* destination address changed we create a new SA and delete the old one.
*
* @param this calling object
* @param src source address for this SA
* @param dst destination address for this SA
* @param new_src new source address for this SA
* @param new_dst new destination address for this SA
* @param this calling object
* @param src source address for this SA
* @param dst destination address for this SA
* @param new_src new source address for this SA
* @param new_dst new destination address for this SA
* @param src_changes changes in src
* @param dst_changes changes in dst
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @return
* - SUCCESS
* - FAILED if kernel comm failed
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*update_sa_hosts)(kernel_interface_t *this,
host_t *src, host_t *dst,
host_t *new_src, host_t *new_dst,
int src_changes, int dst_changes,
u_int32_t spi, protocol_id_t protocol);
/**
* @brief Query the use time of an SA.
*
* @param this calling object
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @param[out] use_time the time of this SA's last use
* @return
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
protocol_id_t protocol, time_t *use_time);
/**
* @brief Delete a previusly installed SA from the SAD.
*
* @param this calling object
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @param this calling object
* @param dst destination address for this SA
* @param spi SPI allocated by us or remote peer
* @param protocol protocol for this SA (ESP/AH)
* @return
* - SUCCESS
* - FAILED if kernel comm failed
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*del_sa) (kernel_interface_t *this,
host_t *dst,
u_int32_t spi,
protocol_id_t protocol);
status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi,
protocol_id_t protocol);
/**
* @brief Add a policy to the SPD.
@ -181,47 +188,23 @@ struct kernel_interface_t {
* @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
* @param protocol protocol to use to protect traffic (AH/ESP)
* @param reqid uniqe ID of an SA to use to enforce policy
* @param update update an existing policy, if TRUE
* @return
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*add_policy) (kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
u_int8_t src_hostbits, u_int8_t dst_hostbits,
int direction, int upper_proto,
protocol_id_t protocol,
u_int32_t reqid);
/**
* @brief Query the use time of a policy
*
* @param this calling object
* @param me address of local peer
* @param other address of remote peer
* @param src src address of traffic this policy applies
* @param dst dest address of traffic this policy applies
* @param src_hostbits subnetmask to use for src address
* @param dst_hostbits subnetmask to use for dst address
* @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
* @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
* @param use_time the time of this policy's last use
* @return
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*query_policy) (kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
u_int8_t src_hostbits, u_int8_t dst_hostbits,
int direction, int upper_proto,
time_t *use_time);
host_t *me, host_t *other,
host_t *src, host_t *dst,
u_int8_t src_hostbits, u_int8_t dst_hostbits,
u_int8_t direction, u_int8_t upper_proto,
protocol_id_t protocol,
u_int32_t reqid, bool update);
/**
* @brief Remove a policy from the SPD.
*
*
* @param this calling object
* @param me address of local peer
* @param other address of remote peer
* @param src src address of traffic this policy applies
* @param dst dest address of traffic this policy applies
* @param src_hostbits subnetmask to use for src address
@ -232,11 +215,10 @@ struct kernel_interface_t {
* - SUCCESS
* - FAILED if kernel comm failed
*/
status_t (*del_policy) (kernel_interface_t *this,
host_t *me, host_t *other,
host_t *src, host_t *dst,
u_int8_t src_hostbits, u_int8_t dst_hostbits,
int direction, int upper_proto);
status_t (*del_policy) (kernel_interface_t *this,
host_t *src, host_t *dst,
u_int8_t src_hostbits, u_int8_t dst_hostbits,
u_int8_t direction, u_int8_t upper_proto);
/**
* @brief Destroys a kernel_interface object.