projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
child-cfg: Fix removal of redundant traffic selectors
[strongswan.git] / src / libcharon / config / child_cfg.c
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "child_cfg.h"
19
20 #include <stdint.h>
21
22 #include <daemon.h>
23
24 ENUM(action_names, ACTION_NONE, ACTION_RESTART,
25 "clear",
26 "hold",
27 "restart",
28 );
29
30 typedef struct private_child_cfg_t private_child_cfg_t;
31
32 /**
33 * Private data of an child_cfg_t object
34 */
35 struct private_child_cfg_t {
36
37 /**
38 * Public part
39 */
40 child_cfg_t public;
41
42 /**
43 * Number of references hold by others to this child_cfg
44 */
45 refcount_t refcount;
46
47 /**
48 * Name of the child_cfg, used to query it
49 */
50 char *name;
51
52 /**
53 * list for all proposals
54 */
55 linked_list_t *proposals;
56
57 /**
58 * list for traffic selectors for my site
59 */
60 linked_list_t *my_ts;
61
62 /**
63 * list for traffic selectors for others site
64 */
65 linked_list_t *other_ts;
66
67 /**
68 * updown script
69 */
70 char *updown;
71
72 /**
73 * allow host access
74 */
75 bool hostaccess;
76
77 /**
78 * Mode to propose for a initiated CHILD: tunnel/transport
79 */
80 ipsec_mode_t mode;
81
82 /**
83 * action to take to start CHILD_SA
84 */
85 action_t start_action;
86
87 /**
88 * action to take on DPD
89 */
90 action_t dpd_action;
91
92 /**
93 * action to take on CHILD_SA close
94 */
95 action_t close_action;
96
97 /**
98 * CHILD_SA lifetime config
99 */
100 lifetime_cfg_t lifetime;
101
102 /**
103 * enable IPComp
104 */
105 bool use_ipcomp;
106
107 /**
108 * Inactivity timeout
109 */
110 u_int32_t inactivity;
111
112 /**
113 * Reqid to install CHILD_SA with
114 */
115 u_int32_t reqid;
116
117 /**
118 * Optional mark to install inbound CHILD_SA with
119 */
120 mark_t mark_in;
121
122 /**
123 * Optional mark to install outbound CHILD_SA with
124 */
125 mark_t mark_out;
126
127 /**
128 * Traffic Flow Confidentiality padding, if enabled
129 */
130 u_int32_t tfc;
131
132 /**
133 * set up IPsec transport SA in MIPv6 proxy mode
134 */
135 bool proxy_mode;
136
137 /**
138 * enable installation and removal of kernel IPsec policies
139 */
140 bool install_policy;
141 };
142
143 METHOD(child_cfg_t, get_name, char*,
144 private_child_cfg_t *this)
145 {
146 return this->name;
147 }
148
149 METHOD(child_cfg_t, add_proposal, void,
150 private_child_cfg_t *this, proposal_t *proposal)
151 {
152 this->proposals->insert_last(this->proposals, proposal);
153 }
154
155 METHOD(child_cfg_t, get_proposals, linked_list_t*,
156 private_child_cfg_t *this, bool strip_dh)
157 {
158 enumerator_t *enumerator;
159 proposal_t *current;
160 linked_list_t *proposals = linked_list_create();
161
162 enumerator = this->proposals->create_enumerator(this->proposals);
163 while (enumerator->enumerate(enumerator, &current))
164 {
165 current = current->clone(current);
166 if (strip_dh)
167 {
168 current->strip_dh(current, MODP_NONE);
169 }
170 proposals->insert_last(proposals, current);
171 }
172 enumerator->destroy(enumerator);
173
174 DBG2(DBG_CFG, "configured proposals: %#P", proposals);
175
176 return proposals;
177 }
178
179 METHOD(child_cfg_t, select_proposal, proposal_t*,
180 private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh,
181 bool private)
182 {
183 enumerator_t *stored_enum, *supplied_enum;
184 proposal_t *stored, *supplied, *selected = NULL;
185
186 stored_enum = this->proposals->create_enumerator(this->proposals);
187 supplied_enum = proposals->create_enumerator(proposals);
188
189 /* compare all stored proposals with all supplied. Stored ones are preferred. */
190 while (stored_enum->enumerate(stored_enum, &stored))
191 {
192 stored = stored->clone(stored);
193 while (supplied_enum->enumerate(supplied_enum, &supplied))
194 {
195 if (strip_dh)
196 {
197 stored->strip_dh(stored, MODP_NONE);
198 }
199 selected = stored->select(stored, supplied, private);
200 if (selected)
201 {
202 DBG2(DBG_CFG, "received proposals: %#P", proposals);
203 DBG2(DBG_CFG, "configured proposals: %#P", this->proposals);
204 DBG2(DBG_CFG, "selected proposal: %P", selected);
205 break;
206 }
207 }
208 stored->destroy(stored);
209 if (selected)
210 {
211 break;
212 }
213 supplied_enum->destroy(supplied_enum);
214 supplied_enum = proposals->create_enumerator(proposals);
215 }
216 stored_enum->destroy(stored_enum);
217 supplied_enum->destroy(supplied_enum);
218 if (selected == NULL)
219 {
220 DBG1(DBG_CFG, "received proposals: %#P", proposals);
221 DBG1(DBG_CFG, "configured proposals: %#P", this->proposals);
222 }
223 return selected;
224 }
225
226 METHOD(child_cfg_t, add_traffic_selector, void,
227 private_child_cfg_t *this, bool local, traffic_selector_t *ts)
228 {
229 if (local)
230 {
231 this->my_ts->insert_last(this->my_ts, ts);
232 }
233 else
234 {
235 this->other_ts->insert_last(this->other_ts, ts);
236 }
237 }
238
239 METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
240 private_child_cfg_t *this, bool local, linked_list_t *supplied,
241 linked_list_t *hosts)
242 {
243 enumerator_t *e1, *e2;
244 traffic_selector_t *ts1, *ts2, *selected;
245 linked_list_t *result, *derived;
246 host_t *host;
247
248 result = linked_list_create();
249 derived = linked_list_create();
250 if (local)
251 {
252 e1 = this->my_ts->create_enumerator(this->my_ts);
253 }
254 else
255 {
256 e1 = this->other_ts->create_enumerator(this->other_ts);
257 }
258 /* In a first step, replace "dynamic" TS with the host list */
259 while (e1->enumerate(e1, &ts1))
260 {
261 if (hosts && hosts->get_count(hosts) &&
262 ts1->is_dynamic(ts1))
263 {
264 e2 = hosts->create_enumerator(hosts);
265 while (e2->enumerate(e2, &host))
266 {
267 ts2 = ts1->clone(ts1);
268 ts2->set_address(ts2, host);
269 derived->insert_last(derived, ts2);
270 }
271 e2->destroy(e2);
272 }
273 else
274 {
275 derived->insert_last(derived, ts1->clone(ts1));
276 }
277 }
278 e1->destroy(e1);
279
280 DBG2(DBG_CFG, "%s traffic selectors for %s:",
281 supplied ? "selecting" : "proposing", local ? "us" : "other");
282 if (supplied == NULL)
283 {
284 while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
285 {
286 DBG2(DBG_CFG, " %R", ts1);
287 result->insert_last(result, ts1);
288 }
289 derived->destroy(derived);
290 }
291 else
292 {
293 e1 = derived->create_enumerator(derived);
294 e2 = supplied->create_enumerator(supplied);
295 /* enumerate all configured/derived selectors */
296 while (e1->enumerate(e1, &ts1))
297 {
298 /* enumerate all supplied traffic selectors */
299 while (e2->enumerate(e2, &ts2))
300 {
301 selected = ts1->get_subset(ts1, ts2);
302 if (selected)
303 {
304 DBG2(DBG_CFG, " config: %R, received: %R => match: %R",
305 ts1, ts2, selected);
306 result->insert_last(result, selected);
307 }
308 else
309 {
310 DBG2(DBG_CFG, " config: %R, received: %R => no match",
311 ts1, ts2);
312 }
313 }
314 supplied->reset_enumerator(supplied, e2);
315 }
316 e1->destroy(e1);
317 e2->destroy(e2);
318
319 /* check if we/peer did any narrowing, raise alert */
320 e1 = derived->create_enumerator(derived);
321 e2 = result->create_enumerator(result);
322 while (e1->enumerate(e1, &ts1))
323 {
324 if (!e2->enumerate(e2, &ts2) || !ts1->equals(ts1, ts2))
325 {
326 charon->bus->alert(charon->bus, ALERT_TS_NARROWED,
327 local, result, this);
328 break;
329 }
330 }
331 e1->destroy(e1);
332 e2->destroy(e2);
333
334 derived->destroy_offset(derived, offsetof(traffic_selector_t, destroy));
335 }
336
337 /* remove any redundant traffic selectors in the list */
338 e1 = result->create_enumerator(result);
339 e2 = result->create_enumerator(result);
340 while (e1->enumerate(e1, &ts1))
341 {
342 while (e2->enumerate(e2, &ts2))
343 {
344 if (ts1 != ts2)
345 {
346 if (ts2->is_contained_in(ts2, ts1))
347 {
348 result->remove_at(result, e2);
349 ts2->destroy(ts2);
350 result->reset_enumerator(result, e1);
351 break;
352 }
353 if (ts1->is_contained_in(ts1, ts2))
354 {
355 result->remove_at(result, e1);
356 ts1->destroy(ts1);
357 break;
358 }
359 }
360 }
361 result->reset_enumerator(result, e2);
362 }
363 e1->destroy(e1);
364 e2->destroy(e2);
365
366 return result;
367 }
368
369 METHOD(child_cfg_t, get_updown, char*,
370 private_child_cfg_t *this)
371 {
372 return this->updown;
373 }
374
375 METHOD(child_cfg_t, get_hostaccess, bool,
376 private_child_cfg_t *this)
377 {
378 return this->hostaccess;
379 }
380
381 /**
382 * Applies jitter to the rekey value. Returns the new rekey value.
383 * Note: The distribution of random values is not perfect, but it
384 * should get the job done.
385 */
386 static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
387 {
388 if (jitter == 0)
389 {
390 return rekey;
391 }
392 jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
393 return rekey - jitter * (random() / (RAND_MAX + 1.0));
394 }
395 #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter)
396
397 METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*,
398 private_child_cfg_t *this)
399 {
400 lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
401 memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t));
402 APPLY_JITTER(lft->time);
403 APPLY_JITTER(lft->bytes);
404 APPLY_JITTER(lft->packets);
405 return lft;
406 }
407
408 METHOD(child_cfg_t, get_mode, ipsec_mode_t,
409 private_child_cfg_t *this)
410 {
411 return this->mode;
412 }
413
414 METHOD(child_cfg_t, get_start_action, action_t,
415 private_child_cfg_t *this)
416 {
417 return this->start_action;
418 }
419
420 METHOD(child_cfg_t, get_dpd_action, action_t,
421 private_child_cfg_t *this)
422 {
423 return this->dpd_action;
424 }
425
426 METHOD(child_cfg_t, get_close_action, action_t,
427 private_child_cfg_t *this)
428 {
429 return this->close_action;
430 }
431
432 METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t,
433 private_child_cfg_t *this)
434 {
435 enumerator_t *enumerator;
436 proposal_t *proposal;
437 u_int16_t dh_group = MODP_NONE;
438
439 enumerator = this->proposals->create_enumerator(this->proposals);
440 while (enumerator->enumerate(enumerator, &proposal))
441 {
442 if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &dh_group, NULL))
443 {
444 break;
445 }
446 }
447 enumerator->destroy(enumerator);
448 return dh_group;
449 }
450
451 METHOD(child_cfg_t, use_ipcomp, bool,
452 private_child_cfg_t *this)
453 {
454 return this->use_ipcomp;
455 }
456
457 METHOD(child_cfg_t, get_inactivity, u_int32_t,
458 private_child_cfg_t *this)
459 {
460 return this->inactivity;
461 }
462
463 METHOD(child_cfg_t, get_reqid, u_int32_t,
464 private_child_cfg_t *this)
465 {
466 return this->reqid;
467 }
468
469 METHOD(child_cfg_t, get_mark, mark_t,
470 private_child_cfg_t *this, bool inbound)
471 {
472 return inbound ? this->mark_in : this->mark_out;
473 }
474
475 METHOD(child_cfg_t, get_tfc, u_int32_t,
476 private_child_cfg_t *this)
477 {
478 return this->tfc;
479 }
480
481 METHOD(child_cfg_t, set_mipv6_options, void,
482 private_child_cfg_t *this, bool proxy_mode, bool install_policy)
483 {
484 this->proxy_mode = proxy_mode;
485 this->install_policy = install_policy;
486 }
487
488 METHOD(child_cfg_t, use_proxy_mode, bool,
489 private_child_cfg_t *this)
490 {
491 return this->proxy_mode;
492 }
493
494 METHOD(child_cfg_t, install_policy, bool,
495 private_child_cfg_t *this)
496 {
497 return this->install_policy;
498 }
499
500 METHOD(child_cfg_t, get_ref, child_cfg_t*,
501 private_child_cfg_t *this)
502 {
503 ref_get(&this->refcount);
504 return &this->public;
505 }
506
507 METHOD(child_cfg_t, destroy, void,
508 private_child_cfg_t *this)
509 {
510 if (ref_put(&this->refcount))
511 {
512 this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
513 this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
514 this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
515 if (this->updown)
516 {
517 free(this->updown);
518 }
519 free(this->name);
520 free(this);
521 }
522 }
523
524 /*
525 * Described in header-file
526 */
527 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
528 char *updown, bool hostaccess,
529 ipsec_mode_t mode, action_t start_action,
530 action_t dpd_action, action_t close_action,
531 bool ipcomp, u_int32_t inactivity, u_int32_t reqid,
532 mark_t *mark_in, mark_t *mark_out, u_int32_t tfc)
533 {
534 private_child_cfg_t *this;
535
536 INIT(this,
537 .public = {
538 .get_name = _get_name,
539 .add_traffic_selector = _add_traffic_selector,
540 .get_traffic_selectors = _get_traffic_selectors,
541 .add_proposal = _add_proposal,
542 .get_proposals = _get_proposals,
543 .select_proposal = _select_proposal,
544 .get_updown = _get_updown,
545 .get_hostaccess = _get_hostaccess,
546 .get_mode = _get_mode,
547 .get_start_action = _get_start_action,
548 .get_dpd_action = _get_dpd_action,
549 .get_close_action = _get_close_action,
550 .get_lifetime = _get_lifetime,
551 .get_dh_group = _get_dh_group,
552 .set_mipv6_options = _set_mipv6_options,
553 .use_ipcomp = _use_ipcomp,
554 .get_inactivity = _get_inactivity,
555 .get_reqid = _get_reqid,
556 .get_mark = _get_mark,
557 .get_tfc = _get_tfc,
558 .use_proxy_mode = _use_proxy_mode,
559 .install_policy = _install_policy,
560 .get_ref = _get_ref,
561 .destroy = _destroy,
562 },
563 .name = strdup(name),
564 .updown = strdupnull(updown),
565 .hostaccess = hostaccess,
566 .mode = mode,
567 .start_action = start_action,
568 .dpd_action = dpd_action,
569 .close_action = close_action,
570 .use_ipcomp = ipcomp,
571 .inactivity = inactivity,
572 .reqid = reqid,
573 .proxy_mode = FALSE,
574 .install_policy = TRUE,
575 .refcount = 1,
576 .proposals = linked_list_create(),
577 .my_ts = linked_list_create(),
578 .other_ts = linked_list_create(),
579 .tfc = tfc,
580 );
581
582 if (mark_in)
583 {
584 this->mark_in = *mark_in;
585 }
586 if (mark_out)
587 {
588 this->mark_out = *mark_out;
589 }
590 memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t));
591
592 return &this->public;
593 }
strongSwan - IPsec VPN