1acfc9d628f679487cbafb3ea51da27b4daa4094
[strongswan.git] / src / libcharon / sa / ike_sa_manager.c
1 /*
2 * Copyright (C) 2005-2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 * Copyright (C) 2008-2012 Tobias Brunner
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20
21 #include "ike_sa_manager.h"
22
23 #include <daemon.h>
24 #include <sa/ike_sa_id.h>
25 #include <bus/bus.h>
26 #include <threading/condvar.h>
27 #include <threading/mutex.h>
28 #include <threading/rwlock.h>
29 #include <utils/linked_list.h>
30 #include <crypto/hashers/hasher.h>
31
32 /* the default size of the hash table (MUST be a power of 2) */
33 #define DEFAULT_HASHTABLE_SIZE 1
34
35 /* the maximum size of the hash table (MUST be a power of 2) */
36 #define MAX_HASHTABLE_SIZE (1 << 30)
37
38 /* the default number of segments (MUST be a power of 2) */
39 #define DEFAULT_SEGMENT_COUNT 1
40
41 typedef struct entry_t entry_t;
42
43 /**
44 * An entry in the linked list, contains IKE_SA, locking and lookup data.
45 */
46 struct entry_t {
47
48 /**
49 * Number of threads waiting for this ike_sa_t object.
50 */
51 int waiting_threads;
52
53 /**
54 * Condvar where threads can wait until ike_sa_t object is free for use again.
55 */
56 condvar_t *condvar;
57
58 /**
59 * Is this ike_sa currently checked out?
60 */
61 bool checked_out;
62
63 /**
64 * Does this SA drives out new threads?
65 */
66 bool driveout_new_threads;
67
68 /**
69 * Does this SA drives out waiting threads?
70 */
71 bool driveout_waiting_threads;
72
73 /**
74 * Identification of an IKE_SA (SPIs).
75 */
76 ike_sa_id_t *ike_sa_id;
77
78 /**
79 * The contained ike_sa_t object.
80 */
81 ike_sa_t *ike_sa;
82
83 /**
84 * hash of the IKE_SA_INIT message, used to detect retransmissions
85 */
86 chunk_t init_hash;
87
88 /**
89 * remote host address, required for DoS detection and duplicate
90 * checking (host with same my_id and other_id is *not* considered
91 * a duplicate if the address family differs)
92 */
93 host_t *other;
94
95 /**
96 * As responder: Is this SA half-open?
97 */
98 bool half_open;
99
100 /**
101 * own identity, required for duplicate checking
102 */
103 identification_t *my_id;
104
105 /**
106 * remote identity, required for duplicate checking
107 */
108 identification_t *other_id;
109
110 /**
111 * message ID currently processing, if any
112 */
113 u_int32_t message_id;
114 };
115
116 /**
117 * Implementation of entry_t.destroy.
118 */
119 static status_t entry_destroy(entry_t *this)
120 {
121 /* also destroy IKE SA */
122 this->ike_sa->destroy(this->ike_sa);
123 this->ike_sa_id->destroy(this->ike_sa_id);
124 chunk_free(&this->init_hash);
125 DESTROY_IF(this->other);
126 DESTROY_IF(this->my_id);
127 DESTROY_IF(this->other_id);
128 this->condvar->destroy(this->condvar);
129 free(this);
130 return SUCCESS;
131 }
132
133 /**
134 * Creates a new entry for the ike_sa_t list.
135 */
136 static entry_t *entry_create()
137 {
138 entry_t *this = malloc_thing(entry_t);
139
140 this->waiting_threads = 0;
141 this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
142
143 /* we set checkout flag when we really give it out */
144 this->checked_out = FALSE;
145 this->driveout_new_threads = FALSE;
146 this->driveout_waiting_threads = FALSE;
147 this->message_id = -1;
148 this->init_hash = chunk_empty;
149 this->other = NULL;
150 this->half_open = FALSE;
151 this->my_id = NULL;
152 this->other_id = NULL;
153 this->ike_sa_id = NULL;
154 this->ike_sa = NULL;
155
156 return this;
157 }
158
159 /**
160 * Function that matches entry_t objects by ike_sa_id_t.
161 */
162 static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
163 {
164 if (id->equals(id, entry->ike_sa_id))
165 {
166 return TRUE;
167 }
168 if ((id->get_responder_spi(id) == 0 ||
169 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
170 id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
171 {
172 /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
173 return TRUE;
174 }
175 return FALSE;
176 }
177
178 /**
179 * Function that matches entry_t objects by ike_sa_t pointers.
180 */
181 static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
182 {
183 return entry->ike_sa == ike_sa;
184 }
185
186 /**
187 * Hash function for ike_sa_id_t objects.
188 */
189 static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
190 {
191 /* IKEv2 does not mandate random SPIs (RFC 5996, 2.6), they just have to be
192 * locally unique, so we use our randomly allocated SPI whether we are
193 * initiator or responder to ensure a good distribution. The latter is not
194 * possible for IKEv1 as we don't know whether we are original initiator or
195 * not (based on the IKE header). But as RFC 2408, section 2.5.3 proposes
196 * SPIs (Cookies) to be allocated near random (we allocate them randomly
197 * anyway) it seems safe to always use the initiator SPI. */
198 if (ike_sa_id->get_ike_version(ike_sa_id) == IKEV1_MAJOR_VERSION ||
199 ike_sa_id->is_initiator(ike_sa_id))
200 {
201 return ike_sa_id->get_initiator_spi(ike_sa_id);
202 }
203 return ike_sa_id->get_responder_spi(ike_sa_id);
204 }
205
206 typedef struct half_open_t half_open_t;
207
208 /**
209 * Struct to manage half-open IKE_SAs per peer.
210 */
211 struct half_open_t {
212 /** chunk of remote host address */
213 chunk_t other;
214
215 /** the number of half-open IKE_SAs with that host */
216 u_int count;
217 };
218
219 /**
220 * Destroys a half_open_t object.
221 */
222 static void half_open_destroy(half_open_t *this)
223 {
224 chunk_free(&this->other);
225 free(this);
226 }
227
228 typedef struct connected_peers_t connected_peers_t;
229
230 struct connected_peers_t {
231 /** own identity */
232 identification_t *my_id;
233
234 /** remote identity */
235 identification_t *other_id;
236
237 /** ip address family of peer */
238 int family;
239
240 /** list of ike_sa_id_t objects of IKE_SAs between the two identities */
241 linked_list_t *sas;
242 };
243
244 static void connected_peers_destroy(connected_peers_t *this)
245 {
246 this->my_id->destroy(this->my_id);
247 this->other_id->destroy(this->other_id);
248 this->sas->destroy(this->sas);
249 free(this);
250 }
251
252 /**
253 * Function that matches connected_peers_t objects by the given ids.
254 */
255 static inline bool connected_peers_match(connected_peers_t *connected_peers,
256 identification_t *my_id, identification_t *other_id,
257 int family)
258 {
259 return my_id->equals(my_id, connected_peers->my_id) &&
260 other_id->equals(other_id, connected_peers->other_id) &&
261 (!family || family == connected_peers->family);
262 }
263
264 typedef struct segment_t segment_t;
265
266 /**
267 * Struct to manage segments of the hash table.
268 */
269 struct segment_t {
270 /** mutex to access a segment exclusively */
271 mutex_t *mutex;
272
273 /** the number of entries in this segment */
274 u_int count;
275 };
276
277 typedef struct shareable_segment_t shareable_segment_t;
278
279 /**
280 * Struct to manage segments of the "half-open" and "connected peers" hash tables.
281 */
282 struct shareable_segment_t {
283 /** rwlock to access a segment non-/exclusively */
284 rwlock_t *lock;
285
286 /** the number of entries in this segment - in case of the "half-open table"
287 * it's the sum of all half_open_t.count in a segment. */
288 u_int count;
289 };
290
291 typedef struct table_item_t table_item_t;
292
293 /**
294 * Instead of using linked_list_t for each bucket we store the data in our own
295 * list to save memory.
296 */
297 struct table_item_t {
298 /** data of this item */
299 void *value;
300
301 /** next item in the overflow list */
302 table_item_t *next;
303 };
304
305 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
306
307 /**
308 * Additional private members of ike_sa_manager_t.
309 */
310 struct private_ike_sa_manager_t {
311 /**
312 * Public interface of ike_sa_manager_t.
313 */
314 ike_sa_manager_t public;
315
316 /**
317 * Hash table with entries for the ike_sa_t objects.
318 */
319 table_item_t **ike_sa_table;
320
321 /**
322 * The size of the hash table.
323 */
324 u_int table_size;
325
326 /**
327 * Mask to map the hashes to table rows.
328 */
329 u_int table_mask;
330
331 /**
332 * Segments of the hash table.
333 */
334 segment_t *segments;
335
336 /**
337 * The number of segments.
338 */
339 u_int segment_count;
340
341 /**
342 * Mask to map a table row to a segment.
343 */
344 u_int segment_mask;
345
346 /**
347 * Hash table with half_open_t objects.
348 */
349 table_item_t **half_open_table;
350
351 /**
352 * Segments of the "half-open" hash table.
353 */
354 shareable_segment_t *half_open_segments;
355
356 /**
357 * Hash table with connected_peers_t objects.
358 */
359 table_item_t **connected_peers_table;
360
361 /**
362 * Segments of the "connected peers" hash table.
363 */
364 shareable_segment_t *connected_peers_segments;
365
366 /**
367 * Hash table with chunk_t objects.
368 */
369 table_item_t **init_hashes_table;
370
371 /**
372 * Segments of the "hashes" hash table.
373 */
374 segment_t *init_hashes_segments;
375
376 /**
377 * RNG to get random SPIs for our side
378 */
379 rng_t *rng;
380
381 /**
382 * SHA1 hasher for IKE_SA_INIT retransmit detection
383 */
384 hasher_t *hasher;
385
386 /**
387 * reuse existing IKE_SAs in checkout_by_config
388 */
389 bool reuse_ikesa;
390 };
391
392 /**
393 * Acquire a lock to access the segment of the table row with the given index.
394 * It also works with the segment index directly.
395 */
396 static inline void lock_single_segment(private_ike_sa_manager_t *this,
397 u_int index)
398 {
399 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
400 lock->lock(lock);
401 }
402
403 /**
404 * Release the lock required to access the segment of the table row with the given index.
405 * It also works with the segment index directly.
406 */
407 static inline void unlock_single_segment(private_ike_sa_manager_t *this,
408 u_int index)
409 {
410 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
411 lock->unlock(lock);
412 }
413
414 /**
415 * Lock all segments
416 */
417 static void lock_all_segments(private_ike_sa_manager_t *this)
418 {
419 u_int i;
420
421 for (i = 0; i < this->segment_count; i++)
422 {
423 this->segments[i].mutex->lock(this->segments[i].mutex);
424 }
425 }
426
427 /**
428 * Unlock all segments
429 */
430 static void unlock_all_segments(private_ike_sa_manager_t *this)
431 {
432 u_int i;
433
434 for (i = 0; i < this->segment_count; i++)
435 {
436 this->segments[i].mutex->unlock(this->segments[i].mutex);
437 }
438 }
439
440 typedef struct private_enumerator_t private_enumerator_t;
441
442 /**
443 * hash table enumerator implementation
444 */
445 struct private_enumerator_t {
446
447 /**
448 * implements enumerator interface
449 */
450 enumerator_t enumerator;
451
452 /**
453 * associated ike_sa_manager_t
454 */
455 private_ike_sa_manager_t *manager;
456
457 /**
458 * current segment index
459 */
460 u_int segment;
461
462 /**
463 * currently enumerating entry
464 */
465 entry_t *entry;
466
467 /**
468 * current table row index
469 */
470 u_int row;
471
472 /**
473 * current table item
474 */
475 table_item_t *current;
476
477 /**
478 * previous table item
479 */
480 table_item_t *prev;
481 };
482
483 METHOD(enumerator_t, enumerate, bool,
484 private_enumerator_t *this, entry_t **entry, u_int *segment)
485 {
486 if (this->entry)
487 {
488 this->entry->condvar->signal(this->entry->condvar);
489 this->entry = NULL;
490 }
491 while (this->segment < this->manager->segment_count)
492 {
493 while (this->row < this->manager->table_size)
494 {
495 this->prev = this->current;
496 if (this->current)
497 {
498 this->current = this->current->next;
499 }
500 else
501 {
502 lock_single_segment(this->manager, this->segment);
503 this->current = this->manager->ike_sa_table[this->row];
504 }
505 if (this->current)
506 {
507 *entry = this->entry = this->current->value;
508 *segment = this->segment;
509 return TRUE;
510 }
511 unlock_single_segment(this->manager, this->segment);
512 this->row += this->manager->segment_count;
513 }
514 this->segment++;
515 this->row = this->segment;
516 }
517 return FALSE;
518 }
519
520 METHOD(enumerator_t, enumerator_destroy, void,
521 private_enumerator_t *this)
522 {
523 if (this->entry)
524 {
525 this->entry->condvar->signal(this->entry->condvar);
526 }
527 if (this->current)
528 {
529 unlock_single_segment(this->manager, this->segment);
530 }
531 free(this);
532 }
533
534 /**
535 * Creates an enumerator to enumerate the entries in the hash table.
536 */
537 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
538 {
539 private_enumerator_t *enumerator;
540
541 INIT(enumerator,
542 .enumerator = {
543 .enumerate = (void*)_enumerate,
544 .destroy = _enumerator_destroy,
545 },
546 .manager = this,
547 );
548 return &enumerator->enumerator;
549 }
550
551 /**
552 * Put an entry into the hash table.
553 * Note: The caller has to unlock the returned segment.
554 */
555 static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
556 {
557 table_item_t *current, *item;
558 u_int row, segment;
559
560 INIT(item,
561 .value = entry,
562 );
563
564 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
565 segment = row & this->segment_mask;
566
567 lock_single_segment(this, segment);
568 current = this->ike_sa_table[row];
569 if (current)
570 { /* insert at the front of current bucket */
571 item->next = current;
572 }
573 this->ike_sa_table[row] = item;
574 this->segments[segment].count++;
575 return segment;
576 }
577
578 /**
579 * Remove an entry from the hash table.
580 * Note: The caller MUST have a lock on the segment of this entry.
581 */
582 static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
583 {
584 table_item_t *item, *prev = NULL;
585 u_int row, segment;
586
587 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
588 segment = row & this->segment_mask;
589 item = this->ike_sa_table[row];
590 while (item)
591 {
592 if (item->value == entry)
593 {
594 if (prev)
595 {
596 prev->next = item->next;
597 }
598 else
599 {
600 this->ike_sa_table[row] = item->next;
601 }
602 this->segments[segment].count--;
603 free(item);
604 break;
605 }
606 prev = item;
607 item = item->next;
608 }
609 }
610
611 /**
612 * Remove the entry at the current enumerator position.
613 */
614 static void remove_entry_at(private_enumerator_t *this)
615 {
616 this->entry = NULL;
617 if (this->current)
618 {
619 table_item_t *current = this->current;
620
621 this->manager->segments[this->segment].count--;
622 this->current = this->prev;
623
624 if (this->prev)
625 {
626 this->prev->next = current->next;
627 }
628 else
629 {
630 this->manager->ike_sa_table[this->row] = current->next;
631 unlock_single_segment(this->manager, this->segment);
632 }
633 free(current);
634 }
635 }
636
637 /**
638 * Find an entry using the provided match function to compare the entries for
639 * equality.
640 */
641 static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
642 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
643 linked_list_match_t match, void *p1, void *p2)
644 {
645 table_item_t *item;
646 u_int row, seg;
647
648 row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
649 seg = row & this->segment_mask;
650
651 lock_single_segment(this, seg);
652 item = this->ike_sa_table[row];
653 while (item)
654 {
655 if (match(item->value, p1, p2))
656 {
657 *entry = item->value;
658 *segment = seg;
659 /* the locked segment has to be unlocked by the caller */
660 return SUCCESS;
661 }
662 item = item->next;
663 }
664 unlock_single_segment(this, seg);
665 return NOT_FOUND;
666 }
667
668 /**
669 * Find an entry by ike_sa_id_t.
670 * Note: On SUCCESS, the caller has to unlock the segment.
671 */
672 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
673 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
674 {
675 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
676 (linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
677 }
678
679 /**
680 * Find an entry by IKE_SA pointer.
681 * Note: On SUCCESS, the caller has to unlock the segment.
682 */
683 static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
684 ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
685 {
686 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
687 (linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
688 }
689
690 /**
691 * Wait until no other thread is using an IKE_SA, return FALSE if entry not
692 * acquirable.
693 */
694 static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
695 u_int segment)
696 {
697 if (entry->driveout_new_threads)
698 {
699 /* we are not allowed to get this */
700 return FALSE;
701 }
702 while (entry->checked_out && !entry->driveout_waiting_threads)
703 {
704 /* so wait until we can get it for us.
705 * we register us as waiting. */
706 entry->waiting_threads++;
707 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
708 entry->waiting_threads--;
709 }
710 /* hm, a deletion request forbids us to get this SA, get next one */
711 if (entry->driveout_waiting_threads)
712 {
713 /* we must signal here, others may be waiting on it, too */
714 entry->condvar->signal(entry->condvar);
715 return FALSE;
716 }
717 return TRUE;
718 }
719
720 /**
721 * Put a half-open SA into the hash table.
722 */
723 static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
724 {
725 table_item_t *item;
726 u_int row, segment;
727 rwlock_t *lock;
728 half_open_t *half_open;
729 chunk_t addr;
730
731 addr = entry->other->get_address(entry->other);
732 row = chunk_hash(addr) & this->table_mask;
733 segment = row & this->segment_mask;
734 lock = this->half_open_segments[segment].lock;
735 lock->write_lock(lock);
736 item = this->half_open_table[row];
737 while (item)
738 {
739 half_open = item->value;
740
741 if (chunk_equals(addr, half_open->other))
742 {
743 half_open->count++;
744 break;
745 }
746 item = item->next;
747 }
748
749 if (!item)
750 {
751 INIT(half_open,
752 .other = chunk_clone(addr),
753 .count = 1,
754 );
755 INIT(item,
756 .value = half_open,
757 .next = this->half_open_table[row],
758 );
759 this->half_open_table[row] = item;
760 }
761 this->half_open_segments[segment].count++;
762 lock->unlock(lock);
763 }
764
765 /**
766 * Remove a half-open SA from the hash table.
767 */
768 static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
769 {
770 table_item_t *item, *prev = NULL;
771 u_int row, segment;
772 rwlock_t *lock;
773 chunk_t addr;
774
775 addr = entry->other->get_address(entry->other);
776 row = chunk_hash(addr) & this->table_mask;
777 segment = row & this->segment_mask;
778 lock = this->half_open_segments[segment].lock;
779 lock->write_lock(lock);
780 item = this->half_open_table[row];
781 while (item)
782 {
783 half_open_t *half_open = item->value;
784
785 if (chunk_equals(addr, half_open->other))
786 {
787 if (--half_open->count == 0)
788 {
789 if (prev)
790 {
791 prev->next = item->next;
792 }
793 else
794 {
795 this->half_open_table[row] = item->next;
796 }
797 half_open_destroy(half_open);
798 free(item);
799 }
800 this->half_open_segments[segment].count--;
801 break;
802 }
803 prev = item;
804 item = item->next;
805 }
806 lock->unlock(lock);
807 }
808
809 /**
810 * Put an SA between two peers into the hash table.
811 */
812 static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
813 {
814 table_item_t *item;
815 u_int row, segment;
816 rwlock_t *lock;
817 connected_peers_t *connected_peers;
818 chunk_t my_id, other_id;
819 int family;
820
821 my_id = entry->my_id->get_encoding(entry->my_id);
822 other_id = entry->other_id->get_encoding(entry->other_id);
823 family = entry->other->get_family(entry->other);
824 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
825 segment = row & this->segment_mask;
826 lock = this->connected_peers_segments[segment].lock;
827 lock->write_lock(lock);
828 item = this->connected_peers_table[row];
829 while (item)
830 {
831 connected_peers = item->value;
832
833 if (connected_peers_match(connected_peers, entry->my_id,
834 entry->other_id, family))
835 {
836 if (connected_peers->sas->find_first(connected_peers->sas,
837 (linked_list_match_t)entry->ike_sa_id->equals,
838 NULL, entry->ike_sa_id) == SUCCESS)
839 {
840 lock->unlock(lock);
841 return;
842 }
843 break;
844 }
845 item = item->next;
846 }
847
848 if (!item)
849 {
850 INIT(connected_peers,
851 .my_id = entry->my_id->clone(entry->my_id),
852 .other_id = entry->other_id->clone(entry->other_id),
853 .family = family,
854 .sas = linked_list_create(),
855 );
856 INIT(item,
857 .value = connected_peers,
858 .next = this->connected_peers_table[row],
859 );
860 this->connected_peers_table[row] = item;
861 }
862 connected_peers->sas->insert_last(connected_peers->sas,
863 entry->ike_sa_id->clone(entry->ike_sa_id));
864 this->connected_peers_segments[segment].count++;
865 lock->unlock(lock);
866 }
867
868 /**
869 * Remove an SA between two peers from the hash table.
870 */
871 static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
872 {
873 table_item_t *item, *prev = NULL;
874 u_int row, segment;
875 rwlock_t *lock;
876 chunk_t my_id, other_id;
877 int family;
878
879 my_id = entry->my_id->get_encoding(entry->my_id);
880 other_id = entry->other_id->get_encoding(entry->other_id);
881 family = entry->other->get_family(entry->other);
882
883 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
884 segment = row & this->segment_mask;
885
886 lock = this->connected_peers_segments[segment].lock;
887 lock->write_lock(lock);
888 item = this->connected_peers_table[row];
889 while (item)
890 {
891 connected_peers_t *current = item->value;
892
893 if (connected_peers_match(current, entry->my_id, entry->other_id,
894 family))
895 {
896 enumerator_t *enumerator;
897 ike_sa_id_t *ike_sa_id;
898
899 enumerator = current->sas->create_enumerator(current->sas);
900 while (enumerator->enumerate(enumerator, &ike_sa_id))
901 {
902 if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
903 {
904 current->sas->remove_at(current->sas, enumerator);
905 ike_sa_id->destroy(ike_sa_id);
906 this->connected_peers_segments[segment].count--;
907 break;
908 }
909 }
910 enumerator->destroy(enumerator);
911 if (current->sas->get_count(current->sas) == 0)
912 {
913 if (prev)
914 {
915 prev->next = item->next;
916 }
917 else
918 {
919 this->connected_peers_table[row] = item->next;
920 }
921 connected_peers_destroy(current);
922 free(item);
923 }
924 break;
925 }
926 prev = item;
927 item = item->next;
928 }
929 lock->unlock(lock);
930 }
931
932 /**
933 * Check if we already have created an IKE_SA based on the initial IKE message
934 * with the given hash.
935 * If not the hash is stored, the hash data is not(!) cloned.
936 *
937 * @returns TRUE if the message with the given hash was seen before
938 */
939 static bool check_and_put_init_hash(private_ike_sa_manager_t *this,
940 chunk_t init_hash)
941 {
942 table_item_t *item;
943 u_int row, segment;
944 mutex_t *mutex;
945 chunk_t *chunk;
946
947 row = chunk_hash(init_hash) & this->table_mask;
948 segment = row & this->segment_mask;
949 mutex = this->init_hashes_segments[segment].mutex;
950 mutex->lock(mutex);
951 item = this->init_hashes_table[row];
952 while (item)
953 {
954 chunk_t *current = item->value;
955
956 if (chunk_equals(init_hash, *current))
957 {
958 mutex->unlock(mutex);
959 return TRUE;
960 }
961 item = item->next;
962 }
963
964 INIT(chunk,
965 .len = init_hash.len,
966 .ptr = init_hash.ptr,
967 );
968 INIT(item,
969 .value = chunk,
970 .next = this->init_hashes_table[row],
971 );
972 this->init_hashes_table[row] = item;
973 mutex->unlock(mutex);
974 return FALSE;
975 }
976
977 /**
978 * Remove the hash of an initial IKE message from the cache.
979 */
980 static void remove_init_hash(private_ike_sa_manager_t *this, chunk_t init_hash)
981 {
982 table_item_t *item, *prev = NULL;
983 u_int row, segment;
984 mutex_t *mutex;
985
986 row = chunk_hash(init_hash) & this->table_mask;
987 segment = row & this->segment_mask;
988 mutex = this->init_hashes_segments[segment].mutex;
989 mutex->lock(mutex);
990 item = this->init_hashes_table[row];
991 while (item)
992 {
993 chunk_t *current = item->value;
994
995 if (chunk_equals(init_hash, *current))
996 {
997 if (prev)
998 {
999 prev->next = item->next;
1000 }
1001 else
1002 {
1003 this->init_hashes_table[row] = item->next;
1004 }
1005 free(current);
1006 free(item);
1007 break;
1008 }
1009 prev = item;
1010 item = item->next;
1011 }
1012 mutex->unlock(mutex);
1013 }
1014
1015 /**
1016 * Get a random SPI for new IKE_SAs
1017 */
1018 static u_int64_t get_spi(private_ike_sa_manager_t *this)
1019 {
1020 u_int64_t spi = 0;
1021
1022 if (this->rng)
1023 {
1024 this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
1025 }
1026 return spi;
1027 }
1028
1029 METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
1030 private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
1031 {
1032 ike_sa_t *ike_sa = NULL;
1033 entry_t *entry;
1034 u_int segment;
1035
1036 DBG2(DBG_MGR, "checkout IKE_SA");
1037
1038 if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
1039 {
1040 if (wait_for_entry(this, entry, segment))
1041 {
1042 entry->checked_out = TRUE;
1043 ike_sa = entry->ike_sa;
1044 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1045 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1046 }
1047 unlock_single_segment(this, segment);
1048 }
1049 charon->bus->set_sa(charon->bus, ike_sa);
1050 return ike_sa;
1051 }
1052
1053 METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
1054 private_ike_sa_manager_t* this, ike_version_t version, bool initiator)
1055 {
1056 ike_sa_id_t *ike_sa_id;
1057 ike_sa_t *ike_sa;
1058 u_int8_t ike_version;
1059
1060 ike_version = version == IKEV1 ? IKEV1_MAJOR_VERSION : IKEV2_MAJOR_VERSION;
1061
1062 if (initiator)
1063 {
1064 ike_sa_id = ike_sa_id_create(ike_version, get_spi(this), 0, TRUE);
1065 }
1066 else
1067 {
1068 ike_sa_id = ike_sa_id_create(ike_version, 0, get_spi(this), FALSE);
1069 }
1070 ike_sa = ike_sa_create(ike_sa_id, initiator, version);
1071 ike_sa_id->destroy(ike_sa_id);
1072
1073 if (ike_sa)
1074 {
1075 DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1076 ike_sa->get_unique_id(ike_sa));
1077 }
1078 return ike_sa;
1079 }
1080
1081 METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
1082 private_ike_sa_manager_t* this, message_t *message)
1083 {
1084 u_int segment;
1085 entry_t *entry;
1086 ike_sa_t *ike_sa = NULL;
1087 ike_sa_id_t *id;
1088 ike_version_t ike_version;
1089 bool is_init = FALSE;
1090
1091 id = message->get_ike_sa_id(message);
1092 /* clone the IKE_SA ID so we can modify the initiator flag */
1093 id = id->clone(id);
1094 id->switch_initiator(id);
1095
1096 DBG2(DBG_MGR, "checkout IKE_SA by message");
1097
1098 if (id->get_responder_spi(id) == 0)
1099 {
1100 if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
1101 {
1102 if (message->get_exchange_type(message) == IKE_SA_INIT &&
1103 message->get_request(message))
1104 {
1105 ike_version = IKEV2;
1106 is_init = TRUE;
1107 }
1108 }
1109 else
1110 {
1111 if (message->get_exchange_type(message) == ID_PROT ||
1112 message->get_exchange_type(message) == AGGRESSIVE)
1113 {
1114 ike_version = IKEV1;
1115 is_init = TRUE;
1116 if (id->is_initiator(id))
1117 { /* not set in IKEv1, switch back before applying to new SA */
1118 id->switch_initiator(id);
1119 }
1120 }
1121 }
1122 }
1123
1124 if (is_init && this->hasher)
1125 { /* initial request. checking for the hasher prevents crashes once
1126 * flush() has been called */
1127 chunk_t hash;
1128
1129 this->hasher->allocate_hash(this->hasher,
1130 message->get_packet_data(message), &hash);
1131
1132 /* ensure this is not a retransmit of an already handled init message */
1133 if (check_and_put_init_hash(this, hash))
1134 {
1135 chunk_free(&hash);
1136 id->destroy(id);
1137 DBG1(DBG_MGR, "ignoring %s, already processing",
1138 ike_version == IKEV2 ? "IKE_SA_INIT" : "initial IKE message");
1139 return NULL;
1140 }
1141
1142 /* no IKE_SA yet, create a new one */
1143 id->set_responder_spi(id, get_spi(this));
1144 ike_sa = ike_sa_create(id, FALSE, ike_version);
1145 if (ike_sa)
1146 {
1147 entry = entry_create();
1148 entry->ike_sa = ike_sa;
1149 entry->ike_sa_id = id->clone(id);
1150
1151 segment = put_entry(this, entry);
1152 entry->checked_out = TRUE;
1153 unlock_single_segment(this, segment);
1154
1155 entry->message_id = message->get_message_id(message);
1156 entry->init_hash = hash;
1157
1158 DBG2(DBG_MGR, "created IKE_SA %s[%u]",
1159 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1160 }
1161 else
1162 {
1163 remove_init_hash(this, hash);
1164 chunk_free(&hash);
1165 DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
1166 }
1167 id->destroy(id);
1168 charon->bus->set_sa(charon->bus, ike_sa);
1169 return ike_sa;
1170 }
1171
1172 if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
1173 {
1174 /* only check out in IKEv2 if we are not already processing it */
1175 if (message->get_request(message) &&
1176 message->get_message_id(message) == entry->message_id)
1177 {
1178 DBG1(DBG_MGR, "ignoring request with ID %u, already processing",
1179 entry->message_id);
1180 }
1181 else if (wait_for_entry(this, entry, segment))
1182 {
1183 ike_sa_id_t *ike_id;
1184
1185 ike_id = entry->ike_sa->get_id(entry->ike_sa);
1186 entry->checked_out = TRUE;
1187 entry->message_id = message->get_message_id(message);
1188 if (ike_id->get_responder_spi(ike_id) == 0)
1189 {
1190 ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
1191 }
1192 ike_sa = entry->ike_sa;
1193 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1194 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1195 }
1196 unlock_single_segment(this, segment);
1197 }
1198 id->destroy(id);
1199 charon->bus->set_sa(charon->bus, ike_sa);
1200 return ike_sa;
1201 }
1202
1203 METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
1204 private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
1205 {
1206 enumerator_t *enumerator;
1207 entry_t *entry;
1208 ike_sa_t *ike_sa = NULL;
1209 peer_cfg_t *current_peer;
1210 ike_cfg_t *current_ike;
1211 u_int segment;
1212
1213 DBG2(DBG_MGR, "checkout IKE_SA by config");
1214
1215 if (!this->reuse_ikesa)
1216 { /* IKE_SA reuse disable by config */
1217 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1218 charon->bus->set_sa(charon->bus, ike_sa);
1219 return ike_sa;
1220 }
1221
1222 enumerator = create_table_enumerator(this);
1223 while (enumerator->enumerate(enumerator, &entry, &segment))
1224 {
1225 if (!wait_for_entry(this, entry, segment))
1226 {
1227 continue;
1228 }
1229 if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
1230 { /* skip IKE_SAs which are not usable */
1231 continue;
1232 }
1233
1234 current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
1235 if (current_peer && current_peer->equals(current_peer, peer_cfg))
1236 {
1237 current_ike = current_peer->get_ike_cfg(current_peer);
1238 if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1239 {
1240 entry->checked_out = TRUE;
1241 ike_sa = entry->ike_sa;
1242 DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
1243 ike_sa->get_unique_id(ike_sa),
1244 current_peer->get_name(current_peer));
1245 break;
1246 }
1247 }
1248 }
1249 enumerator->destroy(enumerator);
1250
1251 if (!ike_sa)
1252 { /* no IKE_SA using such a config, hand out a new */
1253 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1254 }
1255 charon->bus->set_sa(charon->bus, ike_sa);
1256 return ike_sa;
1257 }
1258
1259 METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
1260 private_ike_sa_manager_t *this, u_int32_t id, bool child)
1261 {
1262 enumerator_t *enumerator, *children;
1263 entry_t *entry;
1264 ike_sa_t *ike_sa = NULL;
1265 child_sa_t *child_sa;
1266 u_int segment;
1267
1268 DBG2(DBG_MGR, "checkout IKE_SA by ID");
1269
1270 enumerator = create_table_enumerator(this);
1271 while (enumerator->enumerate(enumerator, &entry, &segment))
1272 {
1273 if (wait_for_entry(this, entry, segment))
1274 {
1275 /* look for a child with such a reqid ... */
1276 if (child)
1277 {
1278 children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
1279 while (children->enumerate(children, (void**)&child_sa))
1280 {
1281 if (child_sa->get_reqid(child_sa) == id)
1282 {
1283 ike_sa = entry->ike_sa;
1284 break;
1285 }
1286 }
1287 children->destroy(children);
1288 }
1289 else /* ... or for a IKE_SA with such a unique id */
1290 {
1291 if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
1292 {
1293 ike_sa = entry->ike_sa;
1294 }
1295 }
1296 /* got one, return */
1297 if (ike_sa)
1298 {
1299 entry->checked_out = TRUE;
1300 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1301 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1302 break;
1303 }
1304 }
1305 }
1306 enumerator->destroy(enumerator);
1307
1308 charon->bus->set_sa(charon->bus, ike_sa);
1309 return ike_sa;
1310 }
1311
1312 METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
1313 private_ike_sa_manager_t *this, char *name, bool child)
1314 {
1315 enumerator_t *enumerator, *children;
1316 entry_t *entry;
1317 ike_sa_t *ike_sa = NULL;
1318 child_sa_t *child_sa;
1319 u_int segment;
1320
1321 enumerator = create_table_enumerator(this);
1322 while (enumerator->enumerate(enumerator, &entry, &segment))
1323 {
1324 if (wait_for_entry(this, entry, segment))
1325 {
1326 /* look for a child with such a policy name ... */
1327 if (child)
1328 {
1329 children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
1330 while (children->enumerate(children, (void**)&child_sa))
1331 {
1332 if (streq(child_sa->get_name(child_sa), name))
1333 {
1334 ike_sa = entry->ike_sa;
1335 break;
1336 }
1337 }
1338 children->destroy(children);
1339 }
1340 else /* ... or for a IKE_SA with such a connection name */
1341 {
1342 if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
1343 {
1344 ike_sa = entry->ike_sa;
1345 }
1346 }
1347 /* got one, return */
1348 if (ike_sa)
1349 {
1350 entry->checked_out = TRUE;
1351 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1352 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1353 break;
1354 }
1355 }
1356 }
1357 enumerator->destroy(enumerator);
1358
1359 charon->bus->set_sa(charon->bus, ike_sa);
1360 return ike_sa;
1361 }
1362
1363 /**
1364 * enumerator filter function, waiting variant
1365 */
1366 static bool enumerator_filter_wait(private_ike_sa_manager_t *this,
1367 entry_t **in, ike_sa_t **out, u_int *segment)
1368 {
1369 if (wait_for_entry(this, *in, *segment))
1370 {
1371 *out = (*in)->ike_sa;
1372 charon->bus->set_sa(charon->bus, *out);
1373 return TRUE;
1374 }
1375 return FALSE;
1376 }
1377
1378 /**
1379 * enumerator filter function, skipping variant
1380 */
1381 static bool enumerator_filter_skip(private_ike_sa_manager_t *this,
1382 entry_t **in, ike_sa_t **out, u_int *segment)
1383 {
1384 if (!(*in)->driveout_new_threads &&
1385 !(*in)->driveout_waiting_threads &&
1386 !(*in)->checked_out)
1387 {
1388 *out = (*in)->ike_sa;
1389 charon->bus->set_sa(charon->bus, *out);
1390 return TRUE;
1391 }
1392 return FALSE;
1393 }
1394
1395 /**
1396 * Reset threads SA after enumeration
1397 */
1398 static void reset_sa(void *data)
1399 {
1400 charon->bus->set_sa(charon->bus, NULL);
1401 }
1402
1403 METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*,
1404 private_ike_sa_manager_t* this, bool wait)
1405 {
1406 return enumerator_create_filter(create_table_enumerator(this),
1407 wait ? (void*)enumerator_filter_wait : (void*)enumerator_filter_skip,
1408 this, reset_sa);
1409 }
1410
1411 METHOD(ike_sa_manager_t, checkin, void,
1412 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1413 {
1414 /* to check the SA back in, we look for the pointer of the ike_sa
1415 * in all entries.
1416 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
1417 * on reception of a IKE_SA_INIT response) the lookup will work but
1418 * updating of the SPI MAY be necessary...
1419 */
1420 entry_t *entry;
1421 ike_sa_id_t *ike_sa_id;
1422 host_t *other;
1423 identification_t *my_id, *other_id;
1424 u_int segment;
1425
1426 ike_sa_id = ike_sa->get_id(ike_sa);
1427 my_id = ike_sa->get_my_id(ike_sa);
1428 other_id = ike_sa->get_other_id(ike_sa);
1429 other = ike_sa->get_other_host(ike_sa);
1430
1431 DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1432 ike_sa->get_unique_id(ike_sa));
1433
1434 /* look for the entry */
1435 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1436 {
1437 /* ike_sa_id must be updated */
1438 entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
1439 /* signal waiting threads */
1440 entry->checked_out = FALSE;
1441 entry->message_id = -1;
1442 /* check if this SA is half-open */
1443 if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
1444 {
1445 /* not half open anymore */
1446 entry->half_open = FALSE;
1447 remove_half_open(this, entry);
1448 }
1449 else if (entry->half_open && !other->ip_equals(other, entry->other))
1450 {
1451 /* the other host's IP has changed, we must update the hash table */
1452 remove_half_open(this, entry);
1453 DESTROY_IF(entry->other);
1454 entry->other = other->clone(other);
1455 put_half_open(this, entry);
1456 }
1457 else if (!entry->half_open &&
1458 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
1459 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
1460 {
1461 /* this is a new half-open SA */
1462 entry->half_open = TRUE;
1463 entry->other = other->clone(other);
1464 put_half_open(this, entry);
1465 }
1466 DBG2(DBG_MGR, "check-in of IKE_SA successful.");
1467 entry->condvar->signal(entry->condvar);
1468 }
1469 else
1470 {
1471 entry = entry_create();
1472 entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1473 entry->ike_sa = ike_sa;
1474 segment = put_entry(this, entry);
1475 }
1476
1477 /* apply identities for duplicate test */
1478 if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
1479 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
1480 entry->my_id == NULL && entry->other_id == NULL)
1481 {
1482 if (ike_sa->get_version(ike_sa) == IKEV1)
1483 {
1484 /* If authenticated and received INITIAL_CONTACT,
1485 * delete any existing IKE_SAs with that peer. */
1486 if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN))
1487 {
1488 this->public.check_uniqueness(&this->public, ike_sa, TRUE);
1489 ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE);
1490 }
1491 }
1492
1493 entry->my_id = my_id->clone(my_id);
1494 entry->other_id = other_id->clone(other_id);
1495 if (!entry->other)
1496 {
1497 entry->other = other->clone(other);
1498 }
1499 put_connected_peers(this, entry);
1500 }
1501
1502 unlock_single_segment(this, segment);
1503
1504 charon->bus->set_sa(charon->bus, NULL);
1505 }
1506
1507 METHOD(ike_sa_manager_t, checkin_and_destroy, void,
1508 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1509 {
1510 /* deletion is a bit complex, we must ensure that no thread is waiting for
1511 * this SA.
1512 * We take this SA from the table, and start signaling while threads
1513 * are in the condvar.
1514 */
1515 entry_t *entry;
1516 ike_sa_id_t *ike_sa_id;
1517 u_int segment;
1518
1519 ike_sa_id = ike_sa->get_id(ike_sa);
1520
1521 DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1522 ike_sa->get_unique_id(ike_sa));
1523
1524 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1525 {
1526 if (entry->driveout_waiting_threads && entry->driveout_new_threads)
1527 { /* it looks like flush() has been called and the SA is being deleted
1528 * anyway, just check it in */
1529 DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
1530 entry->checked_out = FALSE;
1531 entry->condvar->broadcast(entry->condvar);
1532 unlock_single_segment(this, segment);
1533 return;
1534 }
1535
1536 /* drive out waiting threads, as we are in hurry */
1537 entry->driveout_waiting_threads = TRUE;
1538 /* mark it, so no new threads can get this entry */
1539 entry->driveout_new_threads = TRUE;
1540 /* wait until all workers have done their work */
1541 while (entry->waiting_threads)
1542 {
1543 /* wake up all */
1544 entry->condvar->broadcast(entry->condvar);
1545 /* they will wake us again when their work is done */
1546 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1547 }
1548 remove_entry(this, entry);
1549 unlock_single_segment(this, segment);
1550
1551 if (entry->half_open)
1552 {
1553 remove_half_open(this, entry);
1554 }
1555 if (entry->my_id && entry->other_id)
1556 {
1557 remove_connected_peers(this, entry);
1558 }
1559 if (entry->init_hash.ptr)
1560 {
1561 remove_init_hash(this, entry->init_hash);
1562 }
1563
1564 entry_destroy(entry);
1565
1566 DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
1567 }
1568 else
1569 {
1570 DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
1571 ike_sa->destroy(ike_sa);
1572 }
1573 charon->bus->set_sa(charon->bus, NULL);
1574 }
1575
1576 /**
1577 * Cleanup function for create_id_enumerator
1578 */
1579 static void id_enumerator_cleanup(linked_list_t *ids)
1580 {
1581 ids->destroy_offset(ids, offsetof(ike_sa_id_t, destroy));
1582 }
1583
1584 METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
1585 private_ike_sa_manager_t *this, identification_t *me,
1586 identification_t *other, int family)
1587 {
1588 table_item_t *item;
1589 u_int row, segment;
1590 rwlock_t *lock;
1591 linked_list_t *ids = NULL;
1592
1593 row = chunk_hash_inc(other->get_encoding(other),
1594 chunk_hash(me->get_encoding(me))) & this->table_mask;
1595 segment = row & this->segment_mask;
1596
1597 lock = this->connected_peers_segments[segment].lock;
1598 lock->read_lock(lock);
1599 item = this->connected_peers_table[row];
1600 while (item)
1601 {
1602 connected_peers_t *current = item->value;
1603
1604 if (connected_peers_match(current, me, other, family))
1605 {
1606 ids = current->sas->clone_offset(current->sas,
1607 offsetof(ike_sa_id_t, clone));
1608 break;
1609 }
1610 item = item->next;
1611 }
1612 lock->unlock(lock);
1613
1614 if (!ids)
1615 {
1616 return enumerator_create_empty();
1617 }
1618 return enumerator_create_cleaner(ids->create_enumerator(ids),
1619 (void*)id_enumerator_cleanup, ids);
1620 }
1621
1622 METHOD(ike_sa_manager_t, check_uniqueness, bool,
1623 private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
1624 {
1625 bool cancel = FALSE;
1626 peer_cfg_t *peer_cfg;
1627 unique_policy_t policy;
1628 enumerator_t *enumerator;
1629 ike_sa_id_t *id = NULL;
1630 identification_t *me, *other;
1631 host_t *other_host;
1632
1633 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
1634 policy = peer_cfg->get_unique_policy(peer_cfg);
1635 if (policy == UNIQUE_NO && !force_replace)
1636 {
1637 return FALSE;
1638 }
1639 me = ike_sa->get_my_id(ike_sa);
1640 other = ike_sa->get_other_id(ike_sa);
1641 other_host = ike_sa->get_other_host(ike_sa);
1642
1643 enumerator = create_id_enumerator(this, me, other,
1644 other_host->get_family(other_host));
1645 while (enumerator->enumerate(enumerator, &id))
1646 {
1647 status_t status = SUCCESS;
1648 ike_sa_t *duplicate;
1649
1650 duplicate = checkout(this, id);
1651 if (!duplicate)
1652 {
1653 continue;
1654 }
1655 if (force_replace)
1656 {
1657 DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
1658 "received INITIAL_CONTACT", other);
1659 checkin_and_destroy(this, duplicate);
1660 continue;
1661 }
1662 peer_cfg = duplicate->get_peer_cfg(duplicate);
1663 if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
1664 {
1665 switch (duplicate->get_state(duplicate))
1666 {
1667 case IKE_ESTABLISHED:
1668 case IKE_REKEYING:
1669 switch (policy)
1670 {
1671 case UNIQUE_REPLACE:
1672 DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
1673 "'%Y' due to uniqueness policy", other);
1674 status = duplicate->delete(duplicate);
1675 break;
1676 case UNIQUE_KEEP:
1677 cancel = TRUE;
1678 /* we keep the first IKE_SA and delete all
1679 * other duplicates that might exist */
1680 policy = UNIQUE_REPLACE;
1681 break;
1682 default:
1683 break;
1684 }
1685 break;
1686 default:
1687 break;
1688 }
1689 }
1690 if (status == DESTROY_ME)
1691 {
1692 checkin_and_destroy(this, duplicate);
1693 }
1694 else
1695 {
1696 checkin(this, duplicate);
1697 }
1698 }
1699 enumerator->destroy(enumerator);
1700 /* reset thread's current IKE_SA after checkin */
1701 charon->bus->set_sa(charon->bus, ike_sa);
1702 return cancel;
1703 }
1704
1705 METHOD(ike_sa_manager_t, has_contact, bool,
1706 private_ike_sa_manager_t *this, identification_t *me,
1707 identification_t *other, int family)
1708 {
1709 table_item_t *item;
1710 u_int row, segment;
1711 rwlock_t *lock;
1712 bool found = FALSE;
1713
1714 row = chunk_hash_inc(other->get_encoding(other),
1715 chunk_hash(me->get_encoding(me))) & this->table_mask;
1716 segment = row & this->segment_mask;
1717 lock = this->connected_peers_segments[segment].lock;
1718 lock->read_lock(lock);
1719 item = this->connected_peers_table[row];
1720 while (item)
1721 {
1722 if (connected_peers_match(item->value, me, other, family))
1723 {
1724 found = TRUE;
1725 break;
1726 }
1727 item = item->next;
1728 }
1729 lock->unlock(lock);
1730
1731 return found;
1732 }
1733
1734 METHOD(ike_sa_manager_t, get_count, u_int,
1735 private_ike_sa_manager_t *this)
1736 {
1737 u_int segment, count = 0;
1738 mutex_t *mutex;
1739
1740 for (segment = 0; segment < this->segment_count; segment++)
1741 {
1742 mutex = this->segments[segment & this->segment_mask].mutex;
1743 mutex->lock(mutex);
1744 count += this->segments[segment].count;
1745 mutex->unlock(mutex);
1746 }
1747 return count;
1748 }
1749
1750 METHOD(ike_sa_manager_t, get_half_open_count, u_int,
1751 private_ike_sa_manager_t *this, host_t *ip)
1752 {
1753 table_item_t *item;
1754 u_int row, segment;
1755 rwlock_t *lock;
1756 chunk_t addr;
1757 u_int count = 0;
1758
1759 if (ip)
1760 {
1761 addr = ip->get_address(ip);
1762 row = chunk_hash(addr) & this->table_mask;
1763 segment = row & this->segment_mask;
1764 lock = this->half_open_segments[segment].lock;
1765 lock->read_lock(lock);
1766 item = this->half_open_table[row];
1767 while (item)
1768 {
1769 half_open_t *half_open = item->value;
1770
1771 if (chunk_equals(addr, half_open->other))
1772 {
1773 count = half_open->count;
1774 break;
1775 }
1776 }
1777 lock->unlock(lock);
1778 }
1779 else
1780 {
1781 for (segment = 0; segment < this->segment_count; segment++)
1782 {
1783 lock = this->half_open_segments[segment].lock;
1784 lock->read_lock(lock);
1785 count += this->half_open_segments[segment].count;
1786 lock->unlock(lock);
1787 }
1788 }
1789 return count;
1790 }
1791
1792 METHOD(ike_sa_manager_t, flush, void,
1793 private_ike_sa_manager_t *this)
1794 {
1795 /* destroy all list entries */
1796 enumerator_t *enumerator;
1797 entry_t *entry;
1798 u_int segment;
1799
1800 lock_all_segments(this);
1801 DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
1802 /* Step 1: drive out all waiting threads */
1803 DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
1804 enumerator = create_table_enumerator(this);
1805 while (enumerator->enumerate(enumerator, &entry, &segment))
1806 {
1807 /* do not accept new threads, drive out waiting threads */
1808 entry->driveout_new_threads = TRUE;
1809 entry->driveout_waiting_threads = TRUE;
1810 }
1811 enumerator->destroy(enumerator);
1812 DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
1813 /* Step 2: wait until all are gone */
1814 enumerator = create_table_enumerator(this);
1815 while (enumerator->enumerate(enumerator, &entry, &segment))
1816 {
1817 while (entry->waiting_threads || entry->checked_out)
1818 {
1819 /* wake up all */
1820 entry->condvar->broadcast(entry->condvar);
1821 /* go sleeping until they are gone */
1822 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1823 }
1824 }
1825 enumerator->destroy(enumerator);
1826 DBG2(DBG_MGR, "delete all IKE_SA's");
1827 /* Step 3: initiate deletion of all IKE_SAs */
1828 enumerator = create_table_enumerator(this);
1829 while (enumerator->enumerate(enumerator, &entry, &segment))
1830 {
1831 charon->bus->set_sa(charon->bus, entry->ike_sa);
1832 if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2)
1833 { /* as the delete never gets processed, fire down events */
1834 switch (entry->ike_sa->get_state(entry->ike_sa))
1835 {
1836 case IKE_ESTABLISHED:
1837 case IKE_REKEYING:
1838 case IKE_DELETING:
1839 charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
1840 break;
1841 default:
1842 break;
1843 }
1844 }
1845 entry->ike_sa->delete(entry->ike_sa);
1846 }
1847 enumerator->destroy(enumerator);
1848
1849 DBG2(DBG_MGR, "destroy all entries");
1850 /* Step 4: destroy all entries */
1851 enumerator = create_table_enumerator(this);
1852 while (enumerator->enumerate(enumerator, &entry, &segment))
1853 {
1854 charon->bus->set_sa(charon->bus, entry->ike_sa);
1855 if (entry->half_open)
1856 {
1857 remove_half_open(this, entry);
1858 }
1859 if (entry->my_id && entry->other_id)
1860 {
1861 remove_connected_peers(this, entry);
1862 }
1863 if (entry->init_hash.ptr)
1864 {
1865 remove_init_hash(this, entry->init_hash);
1866 }
1867 remove_entry_at((private_enumerator_t*)enumerator);
1868 entry_destroy(entry);
1869 }
1870 enumerator->destroy(enumerator);
1871 charon->bus->set_sa(charon->bus, NULL);
1872 unlock_all_segments(this);
1873
1874 this->rng->destroy(this->rng);
1875 this->rng = NULL;
1876 this->hasher->destroy(this->hasher);
1877 this->hasher = NULL;
1878 }
1879
1880 METHOD(ike_sa_manager_t, destroy, void,
1881 private_ike_sa_manager_t *this)
1882 {
1883 u_int i;
1884
1885 /* these are already cleared in flush() above */
1886 free(this->ike_sa_table);
1887 free(this->half_open_table);
1888 free(this->connected_peers_table);
1889 free(this->init_hashes_table);
1890 for (i = 0; i < this->segment_count; i++)
1891 {
1892 this->segments[i].mutex->destroy(this->segments[i].mutex);
1893 this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
1894 this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
1895 this->init_hashes_segments[i].mutex->destroy(this->init_hashes_segments[i].mutex);
1896 }
1897 free(this->segments);
1898 free(this->half_open_segments);
1899 free(this->connected_peers_segments);
1900 free(this->init_hashes_segments);
1901
1902 free(this);
1903 }
1904
1905 /**
1906 * This function returns the next-highest power of two for the given number.
1907 * The algorithm works by setting all bits on the right-hand side of the most
1908 * significant 1 to 1 and then increments the whole number so it rolls over
1909 * to the nearest power of two. Note: returns 0 for n == 0
1910 */
1911 static u_int get_nearest_powerof2(u_int n)
1912 {
1913 u_int i;
1914
1915 --n;
1916 for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
1917 {
1918 n |= n >> i;
1919 }
1920 return ++n;
1921 }
1922
1923 /*
1924 * Described in header.
1925 */
1926 ike_sa_manager_t *ike_sa_manager_create()
1927 {
1928 private_ike_sa_manager_t *this;
1929 u_int i;
1930
1931 INIT(this,
1932 .public = {
1933 .checkout = _checkout,
1934 .checkout_new = _checkout_new,
1935 .checkout_by_message = _checkout_by_message,
1936 .checkout_by_config = _checkout_by_config,
1937 .checkout_by_id = _checkout_by_id,
1938 .checkout_by_name = _checkout_by_name,
1939 .check_uniqueness = _check_uniqueness,
1940 .has_contact = _has_contact,
1941 .create_enumerator = _create_enumerator,
1942 .create_id_enumerator = _create_id_enumerator,
1943 .checkin = _checkin,
1944 .checkin_and_destroy = _checkin_and_destroy,
1945 .get_count = _get_count,
1946 .get_half_open_count = _get_half_open_count,
1947 .flush = _flush,
1948 .destroy = _destroy,
1949 },
1950 );
1951
1952 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
1953 if (this->hasher == NULL)
1954 {
1955 DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
1956 free(this);
1957 return NULL;
1958 }
1959 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1960 if (this->rng == NULL)
1961 {
1962 DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
1963 this->hasher->destroy(this->hasher);
1964 free(this);
1965 return NULL;
1966 }
1967
1968 this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
1969 "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
1970 this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
1971 this->table_mask = this->table_size - 1;
1972
1973 this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
1974 "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
1975 this->segment_count = max(1, min(this->segment_count, this->table_size));
1976 this->segment_mask = this->segment_count - 1;
1977
1978 this->ike_sa_table = calloc(this->table_size, sizeof(table_item_t*));
1979 this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
1980 for (i = 0; i < this->segment_count; i++)
1981 {
1982 this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
1983 this->segments[i].count = 0;
1984 }
1985
1986 /* we use the same table parameters for the table to track half-open SAs */
1987 this->half_open_table = calloc(this->table_size, sizeof(table_item_t*));
1988 this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
1989 for (i = 0; i < this->segment_count; i++)
1990 {
1991 this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
1992 this->half_open_segments[i].count = 0;
1993 }
1994
1995 /* also for the hash table used for duplicate tests */
1996 this->connected_peers_table = calloc(this->table_size, sizeof(table_item_t*));
1997 this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
1998 for (i = 0; i < this->segment_count; i++)
1999 {
2000 this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
2001 this->connected_peers_segments[i].count = 0;
2002 }
2003
2004 /* and again for the table of hashes of seen initial IKE messages */
2005 this->init_hashes_table = calloc(this->table_size, sizeof(table_item_t*));
2006 this->init_hashes_segments = calloc(this->segment_count, sizeof(segment_t));
2007 for (i = 0; i < this->segment_count; i++)
2008 {
2009 this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
2010 this->init_hashes_segments[i].count = 0;
2011 }
2012
2013 this->reuse_ikesa = lib->settings->get_bool(lib->settings,
2014 "charon.reuse_ikesa", TRUE);
2015 return &this->public;
2016 }