child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation so that it works for values > RAND_MAX.
This commit is contained in:
parent
86e4728550
commit
caf87c7dcb
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2008 Tobias Brunner
|
* Copyright (C) 2008-2009 Tobias Brunner
|
||||||
* Copyright (C) 2005-2007 Martin Willi
|
* Copyright (C) 2005-2007 Martin Willi
|
||||||
* Copyright (C) 2005 Jan Hutter
|
* Copyright (C) 2005 Jan Hutter
|
||||||
* Hochschule fuer Technik Rapperswil
|
* Hochschule fuer Technik Rapperswil
|
||||||
|
@ -97,20 +97,9 @@ struct private_child_cfg_t {
|
||||||
action_t close_action;
|
action_t close_action;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Time before an SA gets invalid
|
* CHILD_SA lifetime config
|
||||||
*/
|
*/
|
||||||
u_int32_t lifetime;
|
lifetime_cfg_t *lifetime;
|
||||||
|
|
||||||
/**
|
|
||||||
* Time before an SA gets rekeyed
|
|
||||||
*/
|
|
||||||
u_int32_t rekeytime;
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Time, which specifies the range of a random value
|
|
||||||
* substracted from rekeytime.
|
|
||||||
*/
|
|
||||||
u_int32_t jitter;
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* enable IPComp
|
* enable IPComp
|
||||||
|
@ -360,20 +349,33 @@ static bool get_hostaccess(private_child_cfg_t *this)
|
||||||
return this->hostaccess;
|
return this->hostaccess;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Applies jitter to the rekey value. Returns the new rekey value.
|
||||||
|
* Note: The distribution of random values is not perfect, but it
|
||||||
|
* should get the job done.
|
||||||
|
*/
|
||||||
|
static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
|
||||||
|
{
|
||||||
|
if (jitter == 0)
|
||||||
|
{
|
||||||
|
return rekey;
|
||||||
|
}
|
||||||
|
jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
|
||||||
|
return rekey - jitter * (random() / (RAND_MAX + 1.0));
|
||||||
|
}
|
||||||
|
#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Implementation of child_cfg_t.get_lifetime.
|
* Implementation of child_cfg_t.get_lifetime.
|
||||||
*/
|
*/
|
||||||
static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
|
static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
|
||||||
{
|
{
|
||||||
if (rekey)
|
lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
|
||||||
{
|
memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
|
||||||
if (this->jitter == 0)
|
APPLY_JITTER(lft, time);
|
||||||
{
|
APPLY_JITTER(lft, bytes);
|
||||||
return this->rekeytime;
|
APPLY_JITTER(lft, packets);
|
||||||
}
|
return lft;
|
||||||
return this->rekeytime - (random() % this->jitter);
|
|
||||||
}
|
|
||||||
return this->lifetime;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -478,6 +480,7 @@ static void destroy(private_child_cfg_t *this)
|
||||||
{
|
{
|
||||||
free(this->updown);
|
free(this->updown);
|
||||||
}
|
}
|
||||||
|
free(this->lifetime);
|
||||||
free(this->name);
|
free(this->name);
|
||||||
free(this);
|
free(this);
|
||||||
}
|
}
|
||||||
|
@ -486,10 +489,10 @@ static void destroy(private_child_cfg_t *this)
|
||||||
/*
|
/*
|
||||||
* Described in header-file
|
* Described in header-file
|
||||||
*/
|
*/
|
||||||
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
|
child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
|
||||||
u_int32_t rekeytime, u_int32_t jitter,
|
char *updown, bool hostaccess,
|
||||||
char *updown, bool hostaccess, ipsec_mode_t mode,
|
ipsec_mode_t mode, action_t dpd_action,
|
||||||
action_t dpd_action, action_t close_action, bool ipcomp)
|
action_t close_action, bool ipcomp)
|
||||||
{
|
{
|
||||||
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
|
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
|
||||||
|
|
||||||
|
@ -504,7 +507,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
|
||||||
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
|
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
|
||||||
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
|
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
|
||||||
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
|
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
|
||||||
this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
|
this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
|
||||||
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
|
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
|
||||||
this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
|
this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
|
||||||
this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
|
this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
|
||||||
|
@ -515,8 +518,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
|
||||||
|
|
||||||
this->name = strdup(name);
|
this->name = strdup(name);
|
||||||
this->lifetime = lifetime;
|
this->lifetime = lifetime;
|
||||||
this->rekeytime = rekeytime;
|
|
||||||
this->jitter = jitter;
|
|
||||||
this->updown = updown ? strdup(updown) : NULL;
|
this->updown = updown ? strdup(updown) : NULL;
|
||||||
this->hostaccess = hostaccess;
|
this->hostaccess = hostaccess;
|
||||||
this->mode = mode;
|
this->mode = mode;
|
||||||
|
|
|
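Review bot: apply_jitter in the get_hostaccess/get_lifetime hunk has no guard for jitter exceeding rekey; `rekey - jitter * (random() / (RAND_MAX + 1.0))` then yields a negative double, and converting a negative double to u_int64_t is undefined behaviour (the replaced `this->rekeytime - (random() % this->jitter)` at least wrapped deterministically). The old header sentence advising `lifetime > rekeytime > jitter` is removed in the same commit, so nothing documents or enforces that precondition for the time, bytes and packets limits the APPLY_JITTER macro feeds through here. I would compute the offset first and clamp: `u_int64_t delta = jitter * (random() / (RAND_MAX + 1.0));` followed by `return delta > rekey ? 0 : rekey - delta;`. This also keeps the subtraction in integer arithmetic, whereas the current expression promotes rekey to double and loses precision for values above 2^53.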
@ -214,18 +214,14 @@ struct child_cfg_t {
|
||||||
bool (*get_hostaccess) (child_cfg_t *this);
|
bool (*get_hostaccess) (child_cfg_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the lifetime of a CHILD_SA.
|
* Get the lifetime configuration of a CHILD_SA.
|
||||||
*
|
*
|
||||||
* If "rekey" is set to TRUE, a lifetime is returned before the first
|
* The rekey limits automatically contain a jitter to avoid simultaneous
|
||||||
* rekeying should be started. If it is FALSE, the actual lifetime is
|
* rekeying. These values will change with each call to this function.
|
||||||
* returned when the CHILD_SA must be deleted.
|
*
|
||||||
* The rekey time automatically contains a jitter to avoid simlutaneous
|
* @return lifetime_cfg_t (has to be freed)
|
||||||
* rekeying.
|
|
||||||
*
|
|
||||||
* @param rekey TRUE to get rekey time
|
|
||||||
* @return lifetime in seconds
|
|
||||||
*/
|
*/
|
||||||
u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
|
lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the mode to use for the CHILD_SA.
|
* Get the mode to use for the CHILD_SA.
|
||||||
|
@ -311,16 +307,15 @@ struct child_cfg_t {
|
||||||
* Create a configuration template for CHILD_SA setup.
|
* Create a configuration template for CHILD_SA setup.
|
||||||
*
|
*
|
||||||
* The "name" string gets cloned.
|
* The "name" string gets cloned.
|
||||||
* Lifetimes are in seconds. To prevent to peers to start rekeying at the
|
*
|
||||||
* same time, a jitter may be specified. Rekeying of an SA starts at
|
* The lifetime_cfg_t object gets adopted by this config.
|
||||||
* (rekeytime - random(0, jitter)). You should specify
|
* To prevent two peers to start rekeying at the same time, a jitter may be
|
||||||
* lifetime > rekeytime > jitter.
|
* specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
|
||||||
|
*
|
||||||
* After a call to create, a reference is obtained (refcount = 1).
|
* After a call to create, a reference is obtained (refcount = 1).
|
||||||
*
|
*
|
||||||
* @param name name of the child_cfg
|
* @param name name of the child_cfg
|
||||||
* @param lifetime lifetime after CHILD_SA expires and gets deleted
|
* @param lifetime lifetime_cfg_t for this child_cfg
|
||||||
* @param rekeytime time when rekeying should be initiated
|
|
||||||
* @param jitter range of randomization time to remove from rekeytime
|
|
||||||
* @param updown updown script to execute on up/down event
|
* @param updown updown script to execute on up/down event
|
||||||
* @param hostaccess TRUE to allow access to the local host
|
* @param hostaccess TRUE to allow access to the local host
|
||||||
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
|
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
|
||||||
|
@ -329,9 +324,9 @@ struct child_cfg_t {
|
||||||
* @param ipcomp use IPComp, if peer supports it
|
* @param ipcomp use IPComp, if peer supports it
|
||||||
* @return child_cfg_t object
|
* @return child_cfg_t object
|
||||||
*/
|
*/
|
||||||
child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
|
child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
|
||||||
u_int32_t rekeytime, u_int32_t jitter,
|
char *updown, bool hostaccess,
|
||||||
char *updown, bool hostaccess, ipsec_mode_t mode,
|
ipsec_mode_t mode, action_t dpd_action,
|
||||||
action_t dpd_action, action_t close_action, bool ipcomp);
|
action_t close_action, bool ipcomp);
|
||||||
|
|
||||||
#endif /** CHILD_CFG_H_ @}*/
|
#endif /** CHILD_CFG_H_ @}*/
|
||||||
|
|
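Review bot: The rewritten child_cfg_create comment in the second struct child_cfg_t hunk drops the old guidance `lifetime > rekeytime > jitter` without a replacement, so the header no longer tells callers that each rekey limit must exceed its jitter (or that the hard limit must exceed the rekey limit), even though the implementation in child_cfg.c subtracts the jitter from the rekey value unchecked. I would add after the random(0, jitter_xxx) sentence: ` * You should specify jitter_xxx < rekey_xxx, and a hard limit larger than rekey_xxx.` The sentence `To prevent two peers to start rekeying at the same time` would also read better as `To prevent two peers from starting to rekey at the same time`.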