automatically establish a PSK authenticated SA between cluster nodes
[strongswan.git] / src / charon / plugins / ha_sync / ha_sync_child.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_sync_child.h"
17
18 typedef struct private_ha_sync_child_t private_ha_sync_child_t;
19
20 /**
21 * Private data of an ha_sync_child_t object.
22 */
23 struct private_ha_sync_child_t {
24
25 /**
26 * Public ha_sync_child_t interface.
27 */
28 ha_sync_child_t public;
29
30 /**
31 * socket we use for syncing
32 */
33 ha_sync_socket_t *socket;
34 };
35
36 /**
37 * Implementation of listener_t.child_keys
38 */
39 static bool child_keys(private_ha_sync_child_t *this, ike_sa_t *ike_sa,
40 child_sa_t *child_sa, diffie_hellman_t *dh,
41 chunk_t nonce_i, chunk_t nonce_r)
42 {
43 ha_sync_message_t *m;
44 chunk_t secret;
45 proposal_t *proposal;
46 u_int16_t alg, len;
47 linked_list_t *list;
48 enumerator_t *enumerator;
49 traffic_selector_t *ts;
50
51 if (this->socket->is_sync_sa(this->socket, ike_sa))
52 { /* do not sync SA between nodes */
53 return TRUE;
54 }
55
56 m = ha_sync_message_create(HA_SYNC_CHILD_ADD);
57
58 m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
59 m->add_attribute(m, HA_SYNC_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
60 m->add_attribute(m, HA_SYNC_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
61 m->add_attribute(m, HA_SYNC_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
62 m->add_attribute(m, HA_SYNC_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
63 m->add_attribute(m, HA_SYNC_IPSEC_MODE, child_sa->get_mode(child_sa));
64 m->add_attribute(m, HA_SYNC_IPCOMP, child_sa->get_ipcomp(child_sa));
65 m->add_attribute(m, HA_SYNC_CONFIG_NAME, child_sa->get_name(child_sa));
66
67 proposal = child_sa->get_proposal(child_sa);
68 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
69 {
70 m->add_attribute(m, HA_SYNC_ALG_ENCR, alg);
71 if (len)
72 {
73 m->add_attribute(m, HA_SYNC_ALG_ENCR_LEN, len);
74 }
75 }
76 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
77 {
78 m->add_attribute(m, HA_SYNC_ALG_INTEG, alg);
79 }
80 m->add_attribute(m, HA_SYNC_NONCE_I, nonce_i);
81 m->add_attribute(m, HA_SYNC_NONCE_R, nonce_r);
82 if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
83 {
84 m->add_attribute(m, HA_SYNC_SECRET, secret);
85 chunk_clear(&secret);
86 }
87
88 list = child_sa->get_traffic_selectors(child_sa, TRUE);
89 enumerator = list->create_enumerator(list);
90 while (enumerator->enumerate(enumerator, &ts))
91 {
92 m->add_attribute(m, HA_SYNC_LOCAL_TS, ts);
93 }
94 enumerator->destroy(enumerator);
95 list = child_sa->get_traffic_selectors(child_sa, FALSE);
96 enumerator = list->create_enumerator(list);
97 while (enumerator->enumerate(enumerator, &ts))
98 {
99 m->add_attribute(m, HA_SYNC_REMOTE_TS, ts);
100 }
101 enumerator->destroy(enumerator);
102
103 this->socket->push(this->socket, m);
104
105 return TRUE;
106 }
107
108 /**
109 * Implementation of listener_t.child_state_change
110 */
111 static bool child_state_change(private_ha_sync_child_t *this, ike_sa_t *ike_sa,
112 child_sa_t *child_sa, child_sa_state_t state)
113 {
114 if (!ike_sa || ike_sa->get_state(ike_sa) == IKE_PASSIVE)
115 { /* only sync active IKE_SAs */
116 return TRUE;
117 }
118 if (this->socket->is_sync_sa(this->socket, ike_sa))
119 { /* do not sync SA between nodes */
120 return TRUE;
121 }
122
123 if (state == CHILD_DESTROYING)
124 {
125 ha_sync_message_t *m;
126
127 m = ha_sync_message_create(HA_SYNC_CHILD_DELETE);
128
129 m->add_attribute(m, HA_SYNC_IKE_ID, ike_sa->get_id(ike_sa));
130 m->add_attribute(m, HA_SYNC_INBOUND_SPI,
131 child_sa->get_spi(child_sa, TRUE));
132 this->socket->push(this->socket, m);
133 }
134 return TRUE;
135 }
136
137 /**
138 * Implementation of ha_sync_child_t.destroy.
139 */
140 static void destroy(private_ha_sync_child_t *this)
141 {
142 free(this);
143 }
144
145 /**
146 * See header
147 */
148 ha_sync_child_t *ha_sync_child_create(ha_sync_socket_t *socket)
149 {
150 private_ha_sync_child_t *this = malloc_thing(private_ha_sync_child_t);
151
152 memset(&this->public.listener, 0, sizeof(listener_t));
153 this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
154 this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change;
155 this->public.destroy = (void(*)(ha_sync_child_t*))destroy;
156
157 this->socket = socket;
158
159 return &this->public;
160 }
161