ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.

This commit is contained in:
Tobias Brunner 2009-08-27 11:27:10 +02:00
parent 86e4728550
commit caf87c7dcb
2 changed files with 48 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
src/charon/config/child_cfg.c
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2008 Tobias Brunner * Copyright (C) 2008-2009 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter * Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil * Hochschule fuer Technik Rapperswil
@ -97,20 +97,9 @@ struct private_child_cfg_t {
action_t close_action; action_t close_action;
/** /**
* Time before an SA gets invalid * CHILD_SA lifetime config
*/ */
u_int32_t lifetime; lifetime_cfg_t *lifetime;
/**
* Time before an SA gets rekeyed
*/
u_int32_t rekeytime;
/**
* Time, which specifies the range of a random value
* substracted from rekeytime.
*/
u_int32_t jitter;
/** /**
* enable IPComp * enable IPComp
@ -360,20 +349,33 @@ static bool get_hostaccess(private_child_cfg_t *this)
return this->hostaccess; return this->hostaccess;
} }
/**
* Applies jitter to the rekey value. Returns the new rekey value.
* Note: The distribution of random values is not perfect, but it
* should get the job done.
*/
static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
{
if (jitter == 0)
{
return rekey;
}
jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
return rekey - jitter * (random() / (RAND_MAX + 1.0));
}
#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
/** /**
* Implementation of child_cfg_t.get_lifetime. * Implementation of child_cfg_t.get_lifetime.
*/ */
static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey) static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
{ {
if (rekey) lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
{ memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
if (this->jitter == 0) APPLY_JITTER(lft, time);
{ APPLY_JITTER(lft, bytes);
return this->rekeytime; APPLY_JITTER(lft, packets);
} return lft;
return this->rekeytime - (random() % this->jitter);
}
return this->lifetime;
} }
/** /**
@ -478,6 +480,7 @@ static void destroy(private_child_cfg_t *this)
{ {
free(this->updown); free(this->updown);
} }
free(this->lifetime);
free(this->name); free(this->name);
free(this); free(this);
} }
@ -486,10 +489,10 @@ static void destroy(private_child_cfg_t *this)
/* /*
* Described in header-file * Described in header-file
*/ */
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
u_int32_t rekeytime, u_int32_t jitter, char *updown, bool hostaccess,
char *updown, bool hostaccess, ipsec_mode_t mode, ipsec_mode_t mode, action_t dpd_action,
action_t dpd_action, action_t close_action, bool ipcomp) action_t close_action, bool ipcomp)
{ {
private_child_cfg_t *this = malloc_thing(private_child_cfg_t); private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@ -504,7 +507,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime; this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
@ -515,8 +518,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->name = strdup(name); this->name = strdup(name);
this->lifetime = lifetime; this->lifetime = lifetime;
this->rekeytime = rekeytime;
this->jitter = jitter;
this->updown = updown ? strdup(updown) : NULL; this->updown = updown ? strdup(updown) : NULL;
this->hostaccess = hostaccess; this->hostaccess = hostaccess;
this->mode = mode; this->mode = mode;

37
src/charon/config/child_cfg.h
View File

@ -214,18 +214,14 @@ struct child_cfg_t {
bool (*get_hostaccess) (child_cfg_t *this); bool (*get_hostaccess) (child_cfg_t *this);
/** /**
* Get the lifetime of a CHILD_SA. * Get the lifetime configuration of a CHILD_SA.
* *
* If "rekey" is set to TRUE, a lifetime is returned before the first * The rekey limits automatically contain a jitter to avoid simultaneous
* rekeying should be started. If it is FALSE, the actual lifetime is * rekeying. These values will change with each call to this function.
* returned when the CHILD_SA must be deleted. *
* The rekey time automatically contains a jitter to avoid simlutaneous * @return lifetime_cfg_t (has to be freed)
* rekeying.
*
* @param rekey TRUE to get rekey time
* @return lifetime in seconds
*/ */
u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey); lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
/** /**
* Get the mode to use for the CHILD_SA. * Get the mode to use for the CHILD_SA.
@ -311,16 +307,15 @@ struct child_cfg_t {
* Create a configuration template for CHILD_SA setup. * Create a configuration template for CHILD_SA setup.
* *
* The "name" string gets cloned. * The "name" string gets cloned.
* Lifetimes are in seconds. To prevent to peers to start rekeying at the *
* same time, a jitter may be specified. Rekeying of an SA starts at * The lifetime_cfg_t object gets adopted by this config.
* (rekeytime - random(0, jitter)). You should specify * To prevent two peers to start rekeying at the same time, a jitter may be
* lifetime > rekeytime > jitter. * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
*
* After a call to create, a reference is obtained (refcount = 1). * After a call to create, a reference is obtained (refcount = 1).
* *
* @param name name of the child_cfg * @param name name of the child_cfg
* @param lifetime lifetime after CHILD_SA expires and gets deleted * @param lifetime lifetime_cfg_t for this child_cfg
* @param rekeytime time when rekeying should be initiated
* @param jitter range of randomization time to remove from rekeytime
* @param updown updown script to execute on up/down event * @param updown updown script to execute on up/down event
* @param hostaccess TRUE to allow access to the local host * @param hostaccess TRUE to allow access to the local host
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
@ -329,9 +324,9 @@ struct child_cfg_t {
* @param ipcomp use IPComp, if peer supports it * @param ipcomp use IPComp, if peer supports it
* @return child_cfg_t object * @return child_cfg_t object
*/ */
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
u_int32_t rekeytime, u_int32_t jitter, char *updown, bool hostaccess,
char *updown, bool hostaccess, ipsec_mode_t mode, ipsec_mode_t mode, action_t dpd_action,
action_t dpd_action, action_t close_action, bool ipcomp); action_t close_action, bool ipcomp);
#endif /** CHILD_CFG_H_ @}*/ #endif /** CHILD_CFG_H_ @}*/