projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Remove policies in kernel interfaces based on their priority.
[strongswan.git] / src / libcharon / sa / child_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #define _GNU_SOURCE
20 #include "child_sa.h"
21
22 #include <stdio.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <hydra.h>
27 #include <daemon.h>
28
29 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
30 "CREATED",
31 "ROUTED",
32 "INSTALLING",
33 "INSTALLED",
34 "UPDATING",
35 "REKEYING",
36 "DELETING",
37 "DESTROYING",
38 );
39
40 typedef struct private_child_sa_t private_child_sa_t;
41
42 /**
43 * Private data of a child_sa_t object.
44 */
45 struct private_child_sa_t {
46 /**
47 * Public interface of child_sa_t.
48 */
49 child_sa_t public;
50
51 /**
52 * address of us
53 */
54 host_t *my_addr;
55
56 /**
57 * address of remote
58 */
59 host_t *other_addr;
60
61 /**
62 * our actually used SPI, 0 if unused
63 */
64 u_int32_t my_spi;
65
66 /**
67 * others used SPI, 0 if unused
68 */
69 u_int32_t other_spi;
70
71 /**
72 * our Compression Parameter Index (CPI) used, 0 if unused
73 */
74 u_int16_t my_cpi;
75
76 /**
77 * others Compression Parameter Index (CPI) used, 0 if unused
78 */
79 u_int16_t other_cpi;
80
81 /**
82 * List for local traffic selectors
83 */
84 linked_list_t *my_ts;
85
86 /**
87 * List for remote traffic selectors
88 */
89 linked_list_t *other_ts;
90
91 /**
92 * Protocol used to protect this SA, ESP|AH
93 */
94 protocol_id_t protocol;
95
96 /**
97 * reqid used for this child_sa
98 */
99 u_int32_t reqid;
100
101 /**
102 * inbound mark used for this child_sa
103 */
104 mark_t mark_in;
105
106 /**
107 * outbound mark used for this child_sa
108 */
109 mark_t mark_out;
110
111 /**
112 * absolute time when rekeying is scheduled
113 */
114 time_t rekey_time;
115
116 /**
117 * absolute time when the SA expires
118 */
119 time_t expire_time;
120
121 /**
122 * state of the CHILD_SA
123 */
124 child_sa_state_t state;
125
126 /**
127 * Specifies if UDP encapsulation is enabled (NAT traversal)
128 */
129 bool encap;
130
131 /**
132 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
133 */
134 ipcomp_transform_t ipcomp;
135
136 /**
137 * mode this SA uses, tunnel/transport
138 */
139 ipsec_mode_t mode;
140
141 /**
142 * Action to enforce if peer closes the CHILD_SA
143 */
144 action_t close_action;
145
146 /**
147 * Action to enforce if peer is considered dead
148 */
149 action_t dpd_action;
150
151 /**
152 * selected proposal
153 */
154 proposal_t *proposal;
155
156 /**
157 * config used to create this child
158 */
159 child_cfg_t *config;
160
161 /**
162 * time of last use in seconds (inbound)
163 */
164 u_int32_t my_usetime;
165
166 /**
167 * time of last use in seconds (outbound)
168 */
169 u_int32_t other_usetime;
170
171 /**
172 * last number of inbound bytes
173 */
174 u_int64_t my_usebytes;
175
176 /**
177 * last number of outbound bytes
178 */
179 u_int64_t other_usebytes;
180 };
181
182 /**
183 * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
184 */
185 static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
186 {
187 switch (protocol)
188 {
189 case PROTO_ESP:
190 return IPPROTO_ESP;
191 case PROTO_AH:
192 return IPPROTO_AH;
193 default:
194 return protocol;
195 }
196 }
197
198 METHOD(child_sa_t, get_name, char*,
199 private_child_sa_t *this)
200 {
201 return this->config->get_name(this->config);
202 }
203
204 METHOD(child_sa_t, get_reqid, u_int32_t,
205 private_child_sa_t *this)
206 {
207 return this->reqid;
208 }
209
210 METHOD(child_sa_t, get_config, child_cfg_t*,
211 private_child_sa_t *this)
212 {
213 return this->config;
214 }
215
216 METHOD(child_sa_t, set_state, void,
217 private_child_sa_t *this, child_sa_state_t state)
218 {
219 charon->bus->child_state_change(charon->bus, &this->public, state);
220 this->state = state;
221 }
222
223 METHOD(child_sa_t, get_state, child_sa_state_t,
224 private_child_sa_t *this)
225 {
226 return this->state;
227 }
228
229 METHOD(child_sa_t, get_spi, u_int32_t,
230 private_child_sa_t *this, bool inbound)
231 {
232 return inbound ? this->my_spi : this->other_spi;
233 }
234
235 METHOD(child_sa_t, get_cpi, u_int16_t,
236 private_child_sa_t *this, bool inbound)
237 {
238 return inbound ? this->my_cpi : this->other_cpi;
239 }
240
241 METHOD(child_sa_t, get_protocol, protocol_id_t,
242 private_child_sa_t *this)
243 {
244 return this->protocol;
245 }
246
247 METHOD(child_sa_t, set_protocol, void,
248 private_child_sa_t *this, protocol_id_t protocol)
249 {
250 this->protocol = protocol;
251 }
252
253 METHOD(child_sa_t, get_mode, ipsec_mode_t,
254 private_child_sa_t *this)
255 {
256 return this->mode;
257 }
258
259 METHOD(child_sa_t, set_mode, void,
260 private_child_sa_t *this, ipsec_mode_t mode)
261 {
262 this->mode = mode;
263 }
264
265 METHOD(child_sa_t, has_encap, bool,
266 private_child_sa_t *this)
267 {
268 return this->encap;
269 }
270
271 METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
272 private_child_sa_t *this)
273 {
274 return this->ipcomp;
275 }
276
277 METHOD(child_sa_t, set_ipcomp, void,
278 private_child_sa_t *this, ipcomp_transform_t ipcomp)
279 {
280 this->ipcomp = ipcomp;
281 }
282
283 METHOD(child_sa_t, set_close_action, void,
284 private_child_sa_t *this, action_t action)
285 {
286 this->close_action = action;
287 }
288
289 METHOD(child_sa_t, get_close_action, action_t,
290 private_child_sa_t *this)
291 {
292 return this->close_action;
293 }
294
295 METHOD(child_sa_t, set_dpd_action, void,
296 private_child_sa_t *this, action_t action)
297 {
298 this->dpd_action = action;
299 }
300
301 METHOD(child_sa_t, get_dpd_action, action_t,
302 private_child_sa_t *this)
303 {
304 return this->dpd_action;
305 }
306
307 METHOD(child_sa_t, get_proposal, proposal_t*,
308 private_child_sa_t *this)
309 {
310 return this->proposal;
311 }
312
313 METHOD(child_sa_t, set_proposal, void,
314 private_child_sa_t *this, proposal_t *proposal)
315 {
316 this->proposal = proposal->clone(proposal);
317 }
318
319 METHOD(child_sa_t, get_traffic_selectors, linked_list_t*,
320 private_child_sa_t *this, bool local)
321 {
322 return local ? this->my_ts : this->other_ts;
323 }
324
325 typedef struct policy_enumerator_t policy_enumerator_t;
326
327 /**
328 * Private policy enumerator
329 */
330 struct policy_enumerator_t {
331 /** implements enumerator_t */
332 enumerator_t public;
333 /** enumerator over own TS */
334 enumerator_t *mine;
335 /** enumerator over others TS */
336 enumerator_t *other;
337 /** list of others TS, to recreate enumerator */
338 linked_list_t *list;
339 /** currently enumerating TS for "me" side */
340 traffic_selector_t *ts;
341 };
342
343 METHOD(enumerator_t, policy_enumerate, bool,
344 policy_enumerator_t *this, traffic_selector_t **my_out,
345 traffic_selector_t **other_out)
346 {
347 traffic_selector_t *other_ts;
348
349 while (this->ts || this->mine->enumerate(this->mine, &this->ts))
350 {
351 if (!this->other->enumerate(this->other, &other_ts))
352 { /* end of others list, restart with new of mine */
353 this->other->destroy(this->other);
354 this->other = this->list->create_enumerator(this->list);
355 this->ts = NULL;
356 continue;
357 }
358 if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
359 { /* family mismatch */
360 continue;
361 }
362 if (this->ts->get_protocol(this->ts) &&
363 other_ts->get_protocol(other_ts) &&
364 this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
365 { /* protocol mismatch */
366 continue;
367 }
368 *my_out = this->ts;
369 *other_out = other_ts;
370 return TRUE;
371 }
372 return FALSE;
373 }
374
375 METHOD(enumerator_t, policy_destroy, void,
376 policy_enumerator_t *this)
377 {
378 this->mine->destroy(this->mine);
379 this->other->destroy(this->other);
380 free(this);
381 }
382
383 METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
384 private_child_sa_t *this)
385 {
386 policy_enumerator_t *e;
387
388 INIT(e,
389 .public = {
390 .enumerate = (void*)_policy_enumerate,
391 .destroy = _policy_destroy,
392 },
393 .mine = this->my_ts->create_enumerator(this->my_ts),
394 .other = this->other_ts->create_enumerator(this->other_ts),
395 .list = this->other_ts,
396 .ts = NULL,
397 );
398
399 return &e->public;
400 }
401
402 /**
403 * update the cached usebytes
404 * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
405 * are available, and NOT_SUPPORTED if the kernel interface does not support
406 * querying the usebytes.
407 */
408 static status_t update_usebytes(private_child_sa_t *this, bool inbound)
409 {
410 status_t status = FAILED;
411 u_int64_t bytes;
412
413 if (inbound)
414 {
415 if (this->my_spi)
416 {
417 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
418 this->other_addr, this->my_addr, this->my_spi,
419 proto_ike2ip(this->protocol), this->mark_in,
420 &bytes);
421 if (status == SUCCESS)
422 {
423 if (bytes > this->my_usebytes)
424 {
425 this->my_usebytes = bytes;
426 return SUCCESS;
427 }
428 return FAILED;
429 }
430 }
431 }
432 else
433 {
434 if (this->other_spi)
435 {
436 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
437 this->my_addr, this->other_addr, this->other_spi,
438 proto_ike2ip(this->protocol), this->mark_out,
439 &bytes);
440 if (status == SUCCESS)
441 {
442 if (bytes > this->other_usebytes)
443 {
444 this->other_usebytes = bytes;
445 return SUCCESS;
446 }
447 return FAILED;
448 }
449 }
450 }
451 return status;
452 }
453
454 /**
455 * updates the cached usetime
456 */
457 static void update_usetime(private_child_sa_t *this, bool inbound)
458 {
459 enumerator_t *enumerator;
460 traffic_selector_t *my_ts, *other_ts;
461 u_int32_t last_use = 0;
462
463 enumerator = create_policy_enumerator(this);
464 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
465 {
466 u_int32_t in, out, fwd;
467
468 if (inbound)
469 {
470 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
471 other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
472 {
473 last_use = max(last_use, in);
474 }
475 if (this->mode != MODE_TRANSPORT)
476 {
477 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
478 other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
479 {
480 last_use = max(last_use, fwd);
481 }
482 }
483 }
484 else
485 {
486 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
487 my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
488 {
489 last_use = max(last_use, out);
490 }
491 }
492 }
493 enumerator->destroy(enumerator);
494
495 if (last_use == 0)
496 {
497 return;
498 }
499 if (inbound)
500 {
501 this->my_usetime = last_use;
502 }
503 else
504 {
505 this->other_usetime = last_use;
506 }
507 }
508
509 METHOD(child_sa_t, get_usestats, void,
510 private_child_sa_t *this, bool inbound, time_t *time, u_int64_t *bytes)
511 {
512 if (update_usebytes(this, inbound) != FAILED)
513 {
514 /* there was traffic since last update or the kernel interface
515 * does not support querying the number of usebytes.
516 */
517 update_usetime(this, inbound);
518 }
519 if (time)
520 {
521 *time = inbound ? this->my_usetime : this->other_usetime;
522 }
523 if (bytes)
524 {
525 *bytes = inbound ? this->my_usebytes : this->other_usebytes;
526 }
527 }
528
529 METHOD(child_sa_t, get_lifetime, time_t,
530 private_child_sa_t *this, bool hard)
531 {
532 return hard ? this->expire_time : this->rekey_time;
533 }
534
535 METHOD(child_sa_t, alloc_spi, u_int32_t,
536 private_child_sa_t *this, protocol_id_t protocol)
537 {
538 if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
539 this->other_addr, this->my_addr,
540 proto_ike2ip(protocol), this->reqid,
541 &this->my_spi) == SUCCESS)
542 {
543 return this->my_spi;
544 }
545 return 0;
546 }
547
548 METHOD(child_sa_t, alloc_cpi, u_int16_t,
549 private_child_sa_t *this)
550 {
551 if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
552 this->other_addr, this->my_addr,
553 this->reqid, &this->my_cpi) == SUCCESS)
554 {
555 return this->my_cpi;
556 }
557 return 0;
558 }
559
560 METHOD(child_sa_t, install, status_t,
561 private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
562 u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts,
563 linked_list_t *other_ts)
564 {
565 u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
566 u_int16_t esn = NO_EXT_SEQ_NUMBERS;
567 traffic_selector_t *src_ts = NULL, *dst_ts = NULL;
568 time_t now;
569 lifetime_cfg_t *lifetime;
570 u_int32_t tfc = 0;
571 host_t *src, *dst;
572 status_t status;
573 bool update = FALSE;
574
575 /* now we have to decide which spi to use. Use self allocated, if "in",
576 * or the one in the proposal, if not "in" (others). Additionally,
577 * source and dest host switch depending on the role */
578 if (inbound)
579 {
580 dst = this->my_addr;
581 src = this->other_addr;
582 if (this->my_spi == spi)
583 { /* alloc_spi has been called, do an SA update */
584 update = TRUE;
585 }
586 this->my_spi = spi;
587 this->my_cpi = cpi;
588 }
589 else
590 {
591 src = this->my_addr;
592 dst = this->other_addr;
593 this->other_spi = spi;
594 this->other_cpi = cpi;
595
596 if (tfcv3)
597 {
598 tfc = this->config->get_tfc(this->config);
599 }
600 }
601
602 DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
603 protocol_id_names, this->protocol);
604
605 /* send SA down to the kernel */
606 DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
607
608 this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
609 &enc_alg, &size);
610 this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
611 &int_alg, &size);
612 this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
613 &esn, NULL);
614
615 lifetime = this->config->get_lifetime(this->config);
616
617 now = time_monotonic(NULL);
618 if (lifetime->time.rekey)
619 {
620 this->rekey_time = now + lifetime->time.rekey;
621 }
622 if (lifetime->time.life)
623 {
624 this->expire_time = now + lifetime->time.life;
625 }
626
627 if (!lifetime->time.jitter && !inbound)
628 { /* avoid triggering multiple rekey events */
629 lifetime->time.rekey = 0;
630 }
631
632 if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT)
633 {
634 /* BEET requires the bound address from the traffic selectors.
635 * TODO: We add just the first traffic selector for now, as the
636 * kernel accepts a single TS per SA only */
637 if (inbound)
638 {
639 my_ts->get_first(my_ts, (void**)&dst_ts);
640 other_ts->get_first(other_ts, (void**)&src_ts);
641 }
642 else
643 {
644 my_ts->get_first(my_ts, (void**)&src_ts);
645 other_ts->get_first(other_ts, (void**)&dst_ts);
646 }
647 }
648
649 status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
650 src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
651 inbound ? this->mark_in : this->mark_out, tfc,
652 lifetime, enc_alg, encr, int_alg, integ, this->mode,
653 this->ipcomp, cpi, this->encap, esn, update, src_ts, dst_ts);
654
655 free(lifetime);
656
657 return status;
658 }
659
660 METHOD(child_sa_t, add_policies, status_t,
661 private_child_sa_t *this, linked_list_t *my_ts_list,
662 linked_list_t *other_ts_list)
663 {
664 enumerator_t *enumerator;
665 traffic_selector_t *my_ts, *other_ts;
666 status_t status = SUCCESS;
667
668 /* apply traffic selectors */
669 enumerator = my_ts_list->create_enumerator(my_ts_list);
670 while (enumerator->enumerate(enumerator, &my_ts))
671 {
672 this->my_ts->insert_last(this->my_ts, my_ts->clone(my_ts));
673 }
674 enumerator->destroy(enumerator);
675 enumerator = other_ts_list->create_enumerator(other_ts_list);
676 while (enumerator->enumerate(enumerator, &other_ts))
677 {
678 this->other_ts->insert_last(this->other_ts, other_ts->clone(other_ts));
679 }
680 enumerator->destroy(enumerator);
681
682 if (this->config->install_policy(this->config))
683 {
684 policy_priority_t priority;
685 ipsec_sa_cfg_t my_sa = {
686 .mode = this->mode,
687 .reqid = this->reqid,
688 .ipcomp = {
689 .transform = this->ipcomp,
690 },
691 }, other_sa = my_sa;
692
693 my_sa.ipcomp.cpi = this->my_cpi;
694 other_sa.ipcomp.cpi = this->other_cpi;
695
696 if (this->protocol == PROTO_ESP)
697 {
698 my_sa.esp.use = TRUE;
699 my_sa.esp.spi = this->my_spi;
700 other_sa.esp.use = TRUE;
701 other_sa.esp.spi = this->other_spi;
702 }
703 else
704 {
705 my_sa.ah.use = TRUE;
706 my_sa.ah.spi = this->my_spi;
707 other_sa.ah.use = TRUE;
708 other_sa.ah.spi = this->other_spi;
709 }
710
711 priority = this->state == CHILD_CREATED ? POLICY_PRIORITY_ROUTED
712 : POLICY_PRIORITY_DEFAULT;
713
714 /* enumerate pairs of traffic selectors */
715 enumerator = create_policy_enumerator(this);
716 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
717 {
718 /* install 3 policies: out, in and forward */
719 status |= hydra->kernel_interface->add_policy(
720 hydra->kernel_interface,
721 this->my_addr, this->other_addr, my_ts, other_ts,
722 POLICY_OUT, POLICY_IPSEC, &other_sa,
723 this->mark_out, priority);
724
725 status |= hydra->kernel_interface->add_policy(
726 hydra->kernel_interface,
727 this->other_addr, this->my_addr, other_ts, my_ts,
728 POLICY_IN, POLICY_IPSEC, &my_sa,
729 this->mark_in, priority);
730 if (this->mode != MODE_TRANSPORT)
731 {
732 status |= hydra->kernel_interface->add_policy(
733 hydra->kernel_interface,
734 this->other_addr, this->my_addr, other_ts, my_ts,
735 POLICY_FWD, POLICY_IPSEC, &my_sa,
736 this->mark_in, priority);
737 }
738
739 if (status != SUCCESS)
740 {
741 break;
742 }
743 }
744 enumerator->destroy(enumerator);
745 }
746
747 if (status == SUCCESS && this->state == CHILD_CREATED)
748 { /* switch to routed state if no SAD entry set up */
749 set_state(this, CHILD_ROUTED);
750 }
751 return status;
752 }
753
754 METHOD(child_sa_t, update, status_t,
755 private_child_sa_t *this, host_t *me, host_t *other, host_t *vip,
756 bool encap)
757 {
758 child_sa_state_t old;
759 bool transport_proxy_mode;
760
761 /* anything changed at all? */
762 if (me->equals(me, this->my_addr) &&
763 other->equals(other, this->other_addr) && this->encap == encap)
764 {
765 return SUCCESS;
766 }
767
768 old = this->state;
769 set_state(this, CHILD_UPDATING);
770 transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
771 this->mode == MODE_TRANSPORT;
772
773 if (!transport_proxy_mode)
774 {
775 /* update our (initator) SA */
776 if (this->my_spi)
777 {
778 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
779 this->my_spi, proto_ike2ip(this->protocol),
780 this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
781 this->other_addr, this->my_addr, other, me,
782 this->encap, encap, this->mark_in) == NOT_SUPPORTED)
783 {
784 return NOT_SUPPORTED;
785 }
786 }
787
788 /* update his (responder) SA */
789 if (this->other_spi)
790 {
791 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
792 this->other_spi, proto_ike2ip(this->protocol),
793 this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
794 this->my_addr, this->other_addr, me, other,
795 this->encap, encap, this->mark_out) == NOT_SUPPORTED)
796 {
797 return NOT_SUPPORTED;
798 }
799 }
800 }
801
802 if (this->config->install_policy(this->config))
803 {
804 ipsec_sa_cfg_t my_sa = {
805 .mode = this->mode,
806 .reqid = this->reqid,
807 .ipcomp = {
808 .transform = this->ipcomp,
809 },
810 }, other_sa = my_sa;
811
812 my_sa.ipcomp.cpi = this->my_cpi;
813 other_sa.ipcomp.cpi = this->other_cpi;
814
815 if (this->protocol == PROTO_ESP)
816 {
817 my_sa.esp.use = TRUE;
818 my_sa.esp.spi = this->my_spi;
819 other_sa.esp.use = TRUE;
820 other_sa.esp.spi = this->other_spi;
821 }
822 else
823 {
824 my_sa.ah.use = TRUE;
825 my_sa.ah.spi = this->my_spi;
826 other_sa.ah.use = TRUE;
827 other_sa.ah.spi = this->other_spi;
828 }
829
830 /* update policies */
831 if (!me->ip_equals(me, this->my_addr) ||
832 !other->ip_equals(other, this->other_addr))
833 {
834 enumerator_t *enumerator;
835 traffic_selector_t *my_ts, *other_ts;
836
837 /* always use high priorities, as hosts getting updated are INSTALLED */
838 enumerator = create_policy_enumerator(this);
839 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
840 {
841 /* remove old policies first */
842 hydra->kernel_interface->del_policy(hydra->kernel_interface,
843 my_ts, other_ts, POLICY_OUT, this->reqid,
844 this->mark_out, POLICY_PRIORITY_DEFAULT);
845 hydra->kernel_interface->del_policy(hydra->kernel_interface,
846 other_ts, my_ts, POLICY_IN, this->reqid,
847 this->mark_in, POLICY_PRIORITY_DEFAULT);
848 if (this->mode != MODE_TRANSPORT)
849 {
850 hydra->kernel_interface->del_policy(hydra->kernel_interface,
851 other_ts, my_ts, POLICY_FWD, this->reqid,
852 this->mark_in, POLICY_PRIORITY_DEFAULT);
853 }
854
855 /* check whether we have to update a "dynamic" traffic selector */
856 if (!me->ip_equals(me, this->my_addr) &&
857 my_ts->is_host(my_ts, this->my_addr))
858 {
859 my_ts->set_address(my_ts, me);
860 }
861 if (!other->ip_equals(other, this->other_addr) &&
862 other_ts->is_host(other_ts, this->other_addr))
863 {
864 other_ts->set_address(other_ts, other);
865 }
866
867 /* we reinstall the virtual IP to handle interface roaming
868 * correctly */
869 if (vip)
870 {
871 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip);
872 hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, me);
873 }
874
875 /* reinstall updated policies */
876 hydra->kernel_interface->add_policy(hydra->kernel_interface,
877 me, other, my_ts, other_ts, POLICY_OUT, POLICY_IPSEC,
878 &other_sa, this->mark_out, POLICY_PRIORITY_DEFAULT);
879 hydra->kernel_interface->add_policy(hydra->kernel_interface,
880 other, me, other_ts, my_ts, POLICY_IN, POLICY_IPSEC,
881 &my_sa, this->mark_in, POLICY_PRIORITY_DEFAULT);
882 if (this->mode != MODE_TRANSPORT)
883 {
884 hydra->kernel_interface->add_policy(hydra->kernel_interface,
885 other, me, other_ts, my_ts, POLICY_FWD, POLICY_IPSEC,
886 &my_sa, this->mark_in, POLICY_PRIORITY_DEFAULT);
887 }
888 }
889 enumerator->destroy(enumerator);
890 }
891 }
892
893 if (!transport_proxy_mode)
894 {
895 /* apply hosts */
896 if (!me->equals(me, this->my_addr))
897 {
898 this->my_addr->destroy(this->my_addr);
899 this->my_addr = me->clone(me);
900 }
901 if (!other->equals(other, this->other_addr))
902 {
903 this->other_addr->destroy(this->other_addr);
904 this->other_addr = other->clone(other);
905 }
906 }
907
908 this->encap = encap;
909 set_state(this, old);
910
911 return SUCCESS;
912 }
913
914 METHOD(child_sa_t, destroy, void,
915 private_child_sa_t *this)
916 {
917 enumerator_t *enumerator;
918 traffic_selector_t *my_ts, *other_ts;
919 policy_priority_t priority;
920
921 priority = this->state == CHILD_ROUTED ? POLICY_PRIORITY_ROUTED
922 : POLICY_PRIORITY_DEFAULT;
923
924 set_state(this, CHILD_DESTROYING);
925
926 /* delete SAs in the kernel, if they are set up */
927 if (this->my_spi)
928 {
929 /* if CHILD was not established, use PROTO_ESP used during alloc_spi().
930 * TODO: For AH support, we have to store protocol specific SPI.s */
931 if (this->protocol == PROTO_NONE)
932 {
933 this->protocol = PROTO_ESP;
934 }
935 hydra->kernel_interface->del_sa(hydra->kernel_interface,
936 this->other_addr, this->my_addr, this->my_spi,
937 proto_ike2ip(this->protocol), this->my_cpi,
938 this->mark_in);
939 }
940 if (this->other_spi)
941 {
942 hydra->kernel_interface->del_sa(hydra->kernel_interface,
943 this->my_addr, this->other_addr, this->other_spi,
944 proto_ike2ip(this->protocol), this->other_cpi,
945 this->mark_out);
946 }
947
948 if (this->config->install_policy(this->config))
949 {
950 /* delete all policies in the kernel */
951 enumerator = create_policy_enumerator(this);
952 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
953 {
954 hydra->kernel_interface->del_policy(hydra->kernel_interface,
955 my_ts, other_ts, POLICY_OUT, this->reqid,
956 this->mark_out, priority);
957 hydra->kernel_interface->del_policy(hydra->kernel_interface,
958 other_ts, my_ts, POLICY_IN, this->reqid,
959 this->mark_in, priority);
960 if (this->mode != MODE_TRANSPORT)
961 {
962 hydra->kernel_interface->del_policy(hydra->kernel_interface,
963 other_ts, my_ts, POLICY_FWD, this->reqid,
964 this->mark_in, priority);
965 }
966 }
967 enumerator->destroy(enumerator);
968 }
969
970 this->my_ts->destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
971 this->other_ts->destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
972 this->my_addr->destroy(this->my_addr);
973 this->other_addr->destroy(this->other_addr);
974 DESTROY_IF(this->proposal);
975 this->config->destroy(this->config);
976 free(this);
977 }
978
979 /**
980 * Described in header.
981 */
982 child_sa_t * child_sa_create(host_t *me, host_t* other,
983 child_cfg_t *config, u_int32_t rekey, bool encap)
984 {
985 static u_int32_t reqid = 0;
986 private_child_sa_t *this;
987
988 INIT(this,
989 .public = {
990 .get_name = _get_name,
991 .get_reqid = _get_reqid,
992 .get_config = _get_config,
993 .get_state = _get_state,
994 .set_state = _set_state,
995 .get_spi = _get_spi,
996 .get_cpi = _get_cpi,
997 .get_protocol = _get_protocol,
998 .set_protocol = _set_protocol,
999 .get_mode = _get_mode,
1000 .set_mode = _set_mode,
1001 .get_proposal = _get_proposal,
1002 .set_proposal = _set_proposal,
1003 .get_lifetime = _get_lifetime,
1004 .get_usestats = _get_usestats,
1005 .has_encap = _has_encap,
1006 .get_ipcomp = _get_ipcomp,
1007 .set_ipcomp = _set_ipcomp,
1008 .get_close_action = _get_close_action,
1009 .set_close_action = _set_close_action,
1010 .get_dpd_action = _get_dpd_action,
1011 .set_dpd_action = _set_dpd_action,
1012 .alloc_spi = _alloc_spi,
1013 .alloc_cpi = _alloc_cpi,
1014 .install = _install,
1015 .update = _update,
1016 .add_policies = _add_policies,
1017 .get_traffic_selectors = _get_traffic_selectors,
1018 .create_policy_enumerator = _create_policy_enumerator,
1019 .destroy = _destroy,
1020 },
1021 .my_addr = me->clone(me),
1022 .other_addr = other->clone(other),
1023 .encap = encap,
1024 .ipcomp = IPCOMP_NONE,
1025 .state = CHILD_CREATED,
1026 .my_ts = linked_list_create(),
1027 .other_ts = linked_list_create(),
1028 .protocol = PROTO_NONE,
1029 .mode = MODE_TUNNEL,
1030 .close_action = config->get_close_action(config),
1031 .dpd_action = config->get_dpd_action(config),
1032 .reqid = config->get_reqid(config),
1033 .mark_in = config->get_mark(config, TRUE),
1034 .mark_out = config->get_mark(config, FALSE),
1035 );
1036
1037 this->config = config;
1038 config->get_ref(config);
1039
1040 if (!this->reqid)
1041 {
1042 /* reuse old reqid if we are rekeying an existing CHILD_SA */
1043 this->reqid = rekey ? rekey : ++reqid;
1044 }
1045
1046 /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
1047 if (config->get_mode(config) == MODE_TRANSPORT &&
1048 config->use_proxy_mode(config))
1049 {
1050 ts_type_t type;
1051 int family;
1052 chunk_t addr;
1053 host_t *host;
1054 enumerator_t *enumerator;
1055 linked_list_t *my_ts_list, *other_ts_list;
1056 traffic_selector_t *my_ts, *other_ts;
1057
1058 this->mode = MODE_TRANSPORT;
1059
1060 my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
1061 enumerator = my_ts_list->create_enumerator(my_ts_list);
1062 if (enumerator->enumerate(enumerator, &my_ts))
1063 {
1064 if (my_ts->is_host(my_ts, NULL) &&
1065 !my_ts->is_host(my_ts, this->my_addr))
1066 {
1067 type = my_ts->get_type(my_ts);
1068 family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
1069 addr = my_ts->get_from_address(my_ts);
1070 host = host_create_from_chunk(family, addr, 0);
1071 free(addr.ptr);
1072 DBG1(DBG_CHD, "my address: %H is a transport mode proxy for %H",
1073 this->my_addr, host);
1074 this->my_addr->destroy(this->my_addr);
1075 this->my_addr = host;
1076 }
1077 }
1078 enumerator->destroy(enumerator);
1079 my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
1080
1081 other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
1082 enumerator = other_ts_list->create_enumerator(other_ts_list);
1083 if (enumerator->enumerate(enumerator, &other_ts))
1084 {
1085 if (other_ts->is_host(other_ts, NULL) &&
1086 !other_ts->is_host(other_ts, this->other_addr))
1087 {
1088 type = other_ts->get_type(other_ts);
1089 family = (type == TS_IPV4_ADDR_RANGE) ? AF_INET : AF_INET6;
1090 addr = other_ts->get_from_address(other_ts);
1091 host = host_create_from_chunk(family, addr, 0);
1092 free(addr.ptr);
1093 DBG1(DBG_CHD, "other address: %H is a transport mode proxy for %H",
1094 this->other_addr, host);
1095 this->other_addr->destroy(this->other_addr);
1096 this->other_addr = host;
1097 }
1098 }
1099 enumerator->destroy(enumerator);
1100 other_ts_list->destroy_offset(other_ts_list, offsetof(traffic_selector_t, destroy));
1101 }
1102
1103 return &this->public;
1104 }
strongSwan - IPsec VPN