Fixed deadlock if checkin_and_destroy is called during shutdown.
[strongswan.git] / src / libcharon / sa / ike_sa_manager.c
1 /*
2 * Copyright (C) 2005-2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 * Copyright (C) 2008-2012 Tobias Brunner
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20
21 #include "ike_sa_manager.h"
22
23 #include <daemon.h>
24 #include <sa/ike_sa_id.h>
25 #include <bus/bus.h>
26 #include <threading/condvar.h>
27 #include <threading/mutex.h>
28 #include <threading/rwlock.h>
29 #include <utils/linked_list.h>
30 #include <crypto/hashers/hasher.h>
31
32 /* the default size of the hash table (MUST be a power of 2) */
33 #define DEFAULT_HASHTABLE_SIZE 1
34
35 /* the maximum size of the hash table (MUST be a power of 2) */
36 #define MAX_HASHTABLE_SIZE (1 << 30)
37
38 /* the default number of segments (MUST be a power of 2) */
39 #define DEFAULT_SEGMENT_COUNT 1
40
41 typedef struct entry_t entry_t;
42
43 /**
44 * An entry in the linked list, contains IKE_SA, locking and lookup data.
45 */
46 struct entry_t {
47
48 /**
49 * Number of threads waiting for this ike_sa_t object.
50 */
51 int waiting_threads;
52
53 /**
54 * Condvar where threads can wait until ike_sa_t object is free for use again.
55 */
56 condvar_t *condvar;
57
58 /**
59 * Is this ike_sa currently checked out?
60 */
61 bool checked_out;
62
63 /**
64 * Does this SA drives out new threads?
65 */
66 bool driveout_new_threads;
67
68 /**
69 * Does this SA drives out waiting threads?
70 */
71 bool driveout_waiting_threads;
72
73 /**
74 * Identification of an IKE_SA (SPIs).
75 */
76 ike_sa_id_t *ike_sa_id;
77
78 /**
79 * The contained ike_sa_t object.
80 */
81 ike_sa_t *ike_sa;
82
83 /**
84 * hash of the IKE_SA_INIT message, used to detect retransmissions
85 */
86 chunk_t init_hash;
87
88 /**
89 * remote host address, required for DoS detection and duplicate
90 * checking (host with same my_id and other_id is *not* considered
91 * a duplicate if the address family differs)
92 */
93 host_t *other;
94
95 /**
96 * As responder: Is this SA half-open?
97 */
98 bool half_open;
99
100 /**
101 * own identity, required for duplicate checking
102 */
103 identification_t *my_id;
104
105 /**
106 * remote identity, required for duplicate checking
107 */
108 identification_t *other_id;
109
110 /**
111 * message ID currently processing, if any
112 */
113 u_int32_t message_id;
114 };
115
116 /**
117 * Implementation of entry_t.destroy.
118 */
119 static status_t entry_destroy(entry_t *this)
120 {
121 /* also destroy IKE SA */
122 this->ike_sa->destroy(this->ike_sa);
123 this->ike_sa_id->destroy(this->ike_sa_id);
124 chunk_free(&this->init_hash);
125 DESTROY_IF(this->other);
126 DESTROY_IF(this->my_id);
127 DESTROY_IF(this->other_id);
128 this->condvar->destroy(this->condvar);
129 free(this);
130 return SUCCESS;
131 }
132
133 /**
134 * Creates a new entry for the ike_sa_t list.
135 */
136 static entry_t *entry_create()
137 {
138 entry_t *this = malloc_thing(entry_t);
139
140 this->waiting_threads = 0;
141 this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
142
143 /* we set checkout flag when we really give it out */
144 this->checked_out = FALSE;
145 this->driveout_new_threads = FALSE;
146 this->driveout_waiting_threads = FALSE;
147 this->message_id = -1;
148 this->init_hash = chunk_empty;
149 this->other = NULL;
150 this->half_open = FALSE;
151 this->my_id = NULL;
152 this->other_id = NULL;
153 this->ike_sa_id = NULL;
154 this->ike_sa = NULL;
155
156 return this;
157 }
158
159 /**
160 * Function that matches entry_t objects by ike_sa_id_t.
161 */
162 static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
163 {
164 if (id->equals(id, entry->ike_sa_id))
165 {
166 return TRUE;
167 }
168 if ((id->get_responder_spi(id) == 0 ||
169 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
170 id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
171 {
172 /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
173 return TRUE;
174 }
175 return FALSE;
176 }
177
178 /**
179 * Function that matches entry_t objects by ike_sa_t pointers.
180 */
181 static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
182 {
183 return entry->ike_sa == ike_sa;
184 }
185
186 /**
187 * Hash function for ike_sa_id_t objects.
188 */
189 static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
190 {
191 /* IKEv2 does not mandate random SPIs (RFC 5996, 2.6), they just have to be
192 * locally unique, so we use our randomly allocated SPI whether we are
193 * initiator or responder to ensure a good distribution. The latter is not
194 * possible for IKEv1 as we don't know whether we are original initiator or
195 * not (based on the IKE header). But as RFC 2408, section 2.5.3 proposes
196 * SPIs (Cookies) to be allocated near random (we allocate them randomly
197 * anyway) it seems safe to always use the initiator SPI. */
198 if (ike_sa_id->get_ike_version(ike_sa_id) == IKEV1_MAJOR_VERSION ||
199 ike_sa_id->is_initiator(ike_sa_id))
200 {
201 return ike_sa_id->get_initiator_spi(ike_sa_id);
202 }
203 return ike_sa_id->get_responder_spi(ike_sa_id);
204 }
205
206 typedef struct half_open_t half_open_t;
207
208 /**
209 * Struct to manage half-open IKE_SAs per peer.
210 */
211 struct half_open_t {
212 /** chunk of remote host address */
213 chunk_t other;
214
215 /** the number of half-open IKE_SAs with that host */
216 u_int count;
217 };
218
219 /**
220 * Destroys a half_open_t object.
221 */
222 static void half_open_destroy(half_open_t *this)
223 {
224 chunk_free(&this->other);
225 free(this);
226 }
227
228 /**
229 * Function that matches half_open_t objects by the given IP address chunk.
230 */
231 static bool half_open_match(half_open_t *half_open, chunk_t *addr)
232 {
233 return chunk_equals(*addr, half_open->other);
234 }
235
236 typedef struct connected_peers_t connected_peers_t;
237
238 struct connected_peers_t {
239 /** own identity */
240 identification_t *my_id;
241
242 /** remote identity */
243 identification_t *other_id;
244
245 /** ip address family of peer */
246 int family;
247
248 /** list of ike_sa_id_t objects of IKE_SAs between the two identities */
249 linked_list_t *sas;
250 };
251
252 static void connected_peers_destroy(connected_peers_t *this)
253 {
254 this->my_id->destroy(this->my_id);
255 this->other_id->destroy(this->other_id);
256 this->sas->destroy(this->sas);
257 free(this);
258 }
259
260 /**
261 * Function that matches connected_peers_t objects by the given ids.
262 */
263 static bool connected_peers_match(connected_peers_t *connected_peers,
264 identification_t *my_id, identification_t *other_id,
265 uintptr_t family)
266 {
267 return my_id->equals(my_id, connected_peers->my_id) &&
268 other_id->equals(other_id, connected_peers->other_id) &&
269 (!family || family == connected_peers->family);
270 }
271
272 typedef struct segment_t segment_t;
273
274 /**
275 * Struct to manage segments of the hash table.
276 */
277 struct segment_t {
278 /** mutex to access a segment exclusively */
279 mutex_t *mutex;
280
281 /** the number of entries in this segment */
282 u_int count;
283 };
284
285 typedef struct shareable_segment_t shareable_segment_t;
286
287 /**
288 * Struct to manage segments of the "half-open" and "connected peers" hash tables.
289 */
290 struct shareable_segment_t {
291 /** rwlock to access a segment non-/exclusively */
292 rwlock_t *lock;
293
294 /** the number of entries in this segment - in case of the "half-open table"
295 * it's the sum of all half_open_t.count in a segment. */
296 u_int count;
297 };
298
299 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
300
301 /**
302 * Additional private members of ike_sa_manager_t.
303 */
304 struct private_ike_sa_manager_t {
305 /**
306 * Public interface of ike_sa_manager_t.
307 */
308 ike_sa_manager_t public;
309
310 /**
311 * Hash table with entries for the ike_sa_t objects.
312 */
313 linked_list_t **ike_sa_table;
314
315 /**
316 * The size of the hash table.
317 */
318 u_int table_size;
319
320 /**
321 * Mask to map the hashes to table rows.
322 */
323 u_int table_mask;
324
325 /**
326 * Segments of the hash table.
327 */
328 segment_t *segments;
329
330 /**
331 * The number of segments.
332 */
333 u_int segment_count;
334
335 /**
336 * Mask to map a table row to a segment.
337 */
338 u_int segment_mask;
339
340 /**
341 * Hash table with half_open_t objects.
342 */
343 linked_list_t **half_open_table;
344
345 /**
346 * Segments of the "half-open" hash table.
347 */
348 shareable_segment_t *half_open_segments;
349
350 /**
351 * Hash table with connected_peers_t objects.
352 */
353 linked_list_t **connected_peers_table;
354
355 /**
356 * Segments of the "connected peers" hash table.
357 */
358 shareable_segment_t *connected_peers_segments;
359
360 /**
361 * Hash table with chunk_t objects.
362 */
363 linked_list_t **init_hashes_table;
364
365 /**
366 * Segments of the "hashes" hash table.
367 */
368 segment_t *init_hashes_segments;
369
370 /**
371 * RNG to get random SPIs for our side
372 */
373 rng_t *rng;
374
375 /**
376 * SHA1 hasher for IKE_SA_INIT retransmit detection
377 */
378 hasher_t *hasher;
379
380 /**
381 * reuse existing IKE_SAs in checkout_by_config
382 */
383 bool reuse_ikesa;
384 };
385
386 /**
387 * Acquire a lock to access the segment of the table row with the given index.
388 * It also works with the segment index directly.
389 */
390 static void lock_single_segment(private_ike_sa_manager_t *this, u_int index)
391 {
392 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
393
394 lock->lock(lock);
395 }
396
397 /**
398 * Release the lock required to access the segment of the table row with the given index.
399 * It also works with the segment index directly.
400 */
401 static void unlock_single_segment(private_ike_sa_manager_t *this, u_int index)
402 {
403 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
404
405 lock->unlock(lock);
406 }
407
408 /**
409 * Lock all segments
410 */
411 static void lock_all_segments(private_ike_sa_manager_t *this)
412 {
413 u_int i;
414
415 for (i = 0; i < this->segment_count; i++)
416 {
417 this->segments[i].mutex->lock(this->segments[i].mutex);
418 }
419 }
420
421 /**
422 * Unlock all segments
423 */
424 static void unlock_all_segments(private_ike_sa_manager_t *this)
425 {
426 u_int i;
427
428 for (i = 0; i < this->segment_count; i++)
429 {
430 this->segments[i].mutex->unlock(this->segments[i].mutex);
431 }
432 }
433
434 typedef struct private_enumerator_t private_enumerator_t;
435
436 /**
437 * hash table enumerator implementation
438 */
439 struct private_enumerator_t {
440
441 /**
442 * implements enumerator interface
443 */
444 enumerator_t enumerator;
445
446 /**
447 * associated ike_sa_manager_t
448 */
449 private_ike_sa_manager_t *manager;
450
451 /**
452 * current segment index
453 */
454 u_int segment;
455
456 /**
457 * currently enumerating entry
458 */
459 entry_t *entry;
460
461 /**
462 * current table row index
463 */
464 u_int row;
465
466 /**
467 * enumerator for the current table row
468 */
469 enumerator_t *current;
470 };
471
472 METHOD(enumerator_t, enumerate, bool,
473 private_enumerator_t *this, entry_t **entry, u_int *segment)
474 {
475 if (this->entry)
476 {
477 this->entry->condvar->signal(this->entry->condvar);
478 this->entry = NULL;
479 }
480 while (this->segment < this->manager->segment_count)
481 {
482 while (this->row < this->manager->table_size)
483 {
484 if (this->current)
485 {
486 entry_t *item;
487
488 if (this->current->enumerate(this->current, &item))
489 {
490 *entry = this->entry = item;
491 *segment = this->segment;
492 return TRUE;
493 }
494 this->current->destroy(this->current);
495 this->current = NULL;
496 unlock_single_segment(this->manager, this->segment);
497 }
498 else
499 {
500 linked_list_t *list;
501
502 lock_single_segment(this->manager, this->segment);
503 if ((list = this->manager->ike_sa_table[this->row]) != NULL &&
504 list->get_count(list))
505 {
506 this->current = list->create_enumerator(list);
507 continue;
508 }
509 unlock_single_segment(this->manager, this->segment);
510 }
511 this->row += this->manager->segment_count;
512 }
513 this->segment++;
514 this->row = this->segment;
515 }
516 return FALSE;
517 }
518
519 METHOD(enumerator_t, enumerator_destroy, void,
520 private_enumerator_t *this)
521 {
522 if (this->entry)
523 {
524 this->entry->condvar->signal(this->entry->condvar);
525 }
526 if (this->current)
527 {
528 this->current->destroy(this->current);
529 unlock_single_segment(this->manager, this->segment);
530 }
531 free(this);
532 }
533
534 /**
535 * Creates an enumerator to enumerate the entries in the hash table.
536 */
537 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
538 {
539 private_enumerator_t *enumerator;
540
541 INIT(enumerator,
542 .enumerator = {
543 .enumerate = (void*)_enumerate,
544 .destroy = _enumerator_destroy,
545 },
546 .manager = this,
547 );
548 return &enumerator->enumerator;
549 }
550
551 /**
552 * Put an entry into the hash table.
553 * Note: The caller has to unlock the returned segment.
554 */
555 static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
556 {
557 linked_list_t *list;
558 u_int row, segment;
559
560 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
561 segment = row & this->segment_mask;
562
563 lock_single_segment(this, segment);
564 list = this->ike_sa_table[row];
565 if (!list)
566 {
567 list = this->ike_sa_table[row] = linked_list_create();
568 }
569 list->insert_last(list, entry);
570 this->segments[segment].count++;
571 return segment;
572 }
573
574 /**
575 * Remove an entry from the hash table.
576 * Note: The caller MUST have a lock on the segment of this entry.
577 */
578 static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
579 {
580 linked_list_t *list;
581 u_int row, segment;
582
583 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
584 segment = row & this->segment_mask;
585 list = this->ike_sa_table[row];
586 if (list)
587 {
588 entry_t *current;
589 enumerator_t *enumerator;
590
591 enumerator = list->create_enumerator(list);
592 while (enumerator->enumerate(enumerator, &current))
593 {
594 if (current == entry)
595 {
596 list->remove_at(list, enumerator);
597 this->segments[segment].count--;
598 break;
599 }
600 }
601 enumerator->destroy(enumerator);
602 }
603 }
604
605 /**
606 * Remove the entry at the current enumerator position.
607 */
608 static void remove_entry_at(private_enumerator_t *this)
609 {
610 this->entry = NULL;
611 if (this->current)
612 {
613 linked_list_t *list = this->manager->ike_sa_table[this->row];
614 list->remove_at(list, this->current);
615 this->manager->segments[this->segment].count--;
616 }
617 }
618
619 /**
620 * Find an entry using the provided match function to compare the entries for
621 * equality.
622 */
623 static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
624 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
625 linked_list_match_t match, void *p1, void *p2)
626 {
627 entry_t *current;
628 linked_list_t *list;
629 u_int row, seg;
630
631 row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
632 seg = row & this->segment_mask;
633
634 lock_single_segment(this, seg);
635 list = this->ike_sa_table[row];
636 if (list)
637 {
638 if (list->find_first(list, match, (void**)&current, p1, p2) == SUCCESS)
639 {
640 *entry = current;
641 *segment = seg;
642 /* the locked segment has to be unlocked by the caller */
643 return SUCCESS;
644 }
645 }
646 unlock_single_segment(this, seg);
647 return NOT_FOUND;
648 }
649
650 /**
651 * Find an entry by ike_sa_id_t.
652 * Note: On SUCCESS, the caller has to unlock the segment.
653 */
654 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
655 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
656 {
657 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
658 (linked_list_match_t)entry_match_by_id, ike_sa_id, NULL);
659 }
660
661 /**
662 * Find an entry by IKE_SA pointer.
663 * Note: On SUCCESS, the caller has to unlock the segment.
664 */
665 static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
666 ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
667 {
668 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
669 (linked_list_match_t)entry_match_by_sa, ike_sa, NULL);
670 }
671
672 /**
673 * Wait until no other thread is using an IKE_SA, return FALSE if entry not
674 * acquirable.
675 */
676 static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
677 u_int segment)
678 {
679 if (entry->driveout_new_threads)
680 {
681 /* we are not allowed to get this */
682 return FALSE;
683 }
684 while (entry->checked_out && !entry->driveout_waiting_threads)
685 {
686 /* so wait until we can get it for us.
687 * we register us as waiting. */
688 entry->waiting_threads++;
689 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
690 entry->waiting_threads--;
691 }
692 /* hm, a deletion request forbids us to get this SA, get next one */
693 if (entry->driveout_waiting_threads)
694 {
695 /* we must signal here, others may be waiting on it, too */
696 entry->condvar->signal(entry->condvar);
697 return FALSE;
698 }
699 return TRUE;
700 }
701
702 /**
703 * Put a half-open SA into the hash table.
704 */
705 static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
706 {
707 half_open_t *half_open = NULL;
708 linked_list_t *list;
709 chunk_t addr;
710 u_int row, segment;
711 rwlock_t *lock;
712
713 addr = entry->other->get_address(entry->other);
714 row = chunk_hash(addr) & this->table_mask;
715 segment = row & this->segment_mask;
716 lock = this->half_open_segments[segment].lock;
717 lock->write_lock(lock);
718 list = this->half_open_table[row];
719 if (list)
720 {
721 half_open_t *current;
722
723 if (list->find_first(list, (linked_list_match_t)half_open_match,
724 (void**)&current, &addr) == SUCCESS)
725 {
726 half_open = current;
727 half_open->count++;
728 this->half_open_segments[segment].count++;
729 }
730 }
731 else
732 {
733 list = this->half_open_table[row] = linked_list_create();
734 }
735
736 if (!half_open)
737 {
738 INIT(half_open,
739 .other = chunk_clone(addr),
740 .count = 1,
741 );
742 list->insert_last(list, half_open);
743 this->half_open_segments[segment].count++;
744 }
745 lock->unlock(lock);
746 }
747
748 /**
749 * Remove a half-open SA from the hash table.
750 */
751 static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
752 {
753 linked_list_t *list;
754 chunk_t addr;
755 u_int row, segment;
756 rwlock_t *lock;
757
758 addr = entry->other->get_address(entry->other);
759 row = chunk_hash(addr) & this->table_mask;
760 segment = row & this->segment_mask;
761 lock = this->half_open_segments[segment].lock;
762 lock->write_lock(lock);
763 list = this->half_open_table[row];
764 if (list)
765 {
766 half_open_t *current;
767 enumerator_t *enumerator;
768
769 enumerator = list->create_enumerator(list);
770 while (enumerator->enumerate(enumerator, &current))
771 {
772 if (half_open_match(current, &addr))
773 {
774 if (--current->count == 0)
775 {
776 list->remove_at(list, enumerator);
777 half_open_destroy(current);
778 }
779 this->half_open_segments[segment].count--;
780 break;
781 }
782 }
783 enumerator->destroy(enumerator);
784 }
785 lock->unlock(lock);
786 }
787
788 /**
789 * Put an SA between two peers into the hash table.
790 */
791 static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
792 {
793 connected_peers_t *connected_peers = NULL;
794 chunk_t my_id, other_id;
795 linked_list_t *list;
796 u_int row, segment;
797 rwlock_t *lock;
798
799 my_id = entry->my_id->get_encoding(entry->my_id);
800 other_id = entry->other_id->get_encoding(entry->other_id);
801 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
802 segment = row & this->segment_mask;
803 lock = this->connected_peers_segments[segment].lock;
804 lock->write_lock(lock);
805 list = this->connected_peers_table[row];
806 if (list)
807 {
808 connected_peers_t *current;
809
810 if (list->find_first(list, (linked_list_match_t)connected_peers_match,
811 (void**)&current, entry->my_id, entry->other_id,
812 (uintptr_t)entry->other->get_family(entry->other)) == SUCCESS)
813 {
814 connected_peers = current;
815 if (connected_peers->sas->find_first(connected_peers->sas,
816 (linked_list_match_t)entry->ike_sa_id->equals,
817 NULL, entry->ike_sa_id) == SUCCESS)
818 {
819 lock->unlock(lock);
820 return;
821 }
822 }
823 }
824 else
825 {
826 list = this->connected_peers_table[row] = linked_list_create();
827 }
828
829 if (!connected_peers)
830 {
831 INIT(connected_peers,
832 .my_id = entry->my_id->clone(entry->my_id),
833 .other_id = entry->other_id->clone(entry->other_id),
834 .family = entry->other->get_family(entry->other),
835 .sas = linked_list_create(),
836 );
837 list->insert_last(list, connected_peers);
838 }
839 connected_peers->sas->insert_last(connected_peers->sas,
840 entry->ike_sa_id->clone(entry->ike_sa_id));
841 this->connected_peers_segments[segment].count++;
842 lock->unlock(lock);
843 }
844
845 /**
846 * Remove an SA between two peers from the hash table.
847 */
848 static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
849 {
850 chunk_t my_id, other_id;
851 linked_list_t *list;
852 u_int row, segment;
853 rwlock_t *lock;
854
855 my_id = entry->my_id->get_encoding(entry->my_id);
856 other_id = entry->other_id->get_encoding(entry->other_id);
857 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
858 segment = row & this->segment_mask;
859
860 lock = this->connected_peers_segments[segment].lock;
861 lock->write_lock(lock);
862 list = this->connected_peers_table[row];
863 if (list)
864 {
865 connected_peers_t *current;
866 enumerator_t *enumerator;
867
868 enumerator = list->create_enumerator(list);
869 while (enumerator->enumerate(enumerator, &current))
870 {
871 if (connected_peers_match(current, entry->my_id, entry->other_id,
872 (uintptr_t)entry->other->get_family(entry->other)))
873 {
874 ike_sa_id_t *ike_sa_id;
875 enumerator_t *inner;
876
877 inner = current->sas->create_enumerator(current->sas);
878 while (inner->enumerate(inner, &ike_sa_id))
879 {
880 if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
881 {
882 current->sas->remove_at(current->sas, inner);
883 ike_sa_id->destroy(ike_sa_id);
884 this->connected_peers_segments[segment].count--;
885 break;
886 }
887 }
888 inner->destroy(inner);
889 if (current->sas->get_count(current->sas) == 0)
890 {
891 list->remove_at(list, enumerator);
892 connected_peers_destroy(current);
893 }
894 break;
895 }
896 }
897 enumerator->destroy(enumerator);
898 }
899 lock->unlock(lock);
900 }
901
902 /**
903 * Check if we already have created an IKE_SA based on the initial IKE message
904 * with the given hash.
905 * If not the hash is stored, the hash data is not(!) cloned.
906 *
907 * @returns TRUE if the message with the given hash was seen before
908 */
909 static bool check_and_put_init_hash(private_ike_sa_manager_t *this,
910 chunk_t init_hash)
911 {
912 chunk_t *clone;
913 linked_list_t *list;
914 u_int row, segment;
915 mutex_t *mutex;
916 chunk_t *chunk;
917
918 row = chunk_hash(init_hash) & this->table_mask;
919 segment = row & this->segment_mask;
920 mutex = this->init_hashes_segments[segment].mutex;
921 mutex->lock(mutex);
922 list = this->init_hashes_table[row];
923 if (list)
924 {
925 chunk_t *current;
926
927 if (list->find_first(list, (linked_list_match_t)chunk_equals_ptr,
928 (void**)&current, &init_hash) == SUCCESS)
929 {
930 mutex->unlock(mutex);
931 return TRUE;
932 }
933 }
934 else
935 {
936 list = this->init_hashes_table[row] = linked_list_create();
937 }
938
939 INIT(chunk,
940 .len = init_hash.len,
941 .ptr = init_hash.ptr,
942 );
943 list->insert_last(list, chunk);
944 mutex->unlock(mutex);
945 return FALSE;
946 }
947
948 /**
949 * Remove the hash of an initial IKE message from the cache.
950 */
951 static void remove_init_hash(private_ike_sa_manager_t *this, chunk_t init_hash)
952 {
953 linked_list_t *list;
954 u_int row, segment;
955 mutex_t *mutex;
956
957 row = chunk_hash(init_hash) & this->table_mask;
958 segment = row & this->segment_mask;
959 mutex = this->init_hashes_segments[segment].mutex;
960 mutex->lock(mutex);
961 list = this->init_hashes_table[row];
962 if (list)
963 {
964 enumerator_t *enumerator;
965 chunk_t *current;
966
967 enumerator = list->create_enumerator(list);
968 while (enumerator->enumerate(enumerator, &current))
969 {
970 if (chunk_equals_ptr(current, &init_hash))
971 {
972 list->remove_at(list, enumerator);
973 free(current);
974 break;
975 }
976 }
977 enumerator->destroy(enumerator);
978 }
979 mutex->unlock(mutex);
980 }
981
982 /**
983 * Get a random SPI for new IKE_SAs
984 */
985 static u_int64_t get_spi(private_ike_sa_manager_t *this)
986 {
987 u_int64_t spi = 0;
988
989 if (this->rng)
990 {
991 this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi);
992 }
993 return spi;
994 }
995
996 METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
997 private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
998 {
999 ike_sa_t *ike_sa = NULL;
1000 entry_t *entry;
1001 u_int segment;
1002
1003 DBG2(DBG_MGR, "checkout IKE_SA");
1004
1005 if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
1006 {
1007 if (wait_for_entry(this, entry, segment))
1008 {
1009 entry->checked_out = TRUE;
1010 ike_sa = entry->ike_sa;
1011 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1012 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1013 }
1014 unlock_single_segment(this, segment);
1015 }
1016 charon->bus->set_sa(charon->bus, ike_sa);
1017 return ike_sa;
1018 }
1019
1020 METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
1021 private_ike_sa_manager_t* this, ike_version_t version, bool initiator)
1022 {
1023 ike_sa_id_t *ike_sa_id;
1024 ike_sa_t *ike_sa;
1025 u_int8_t ike_version;
1026
1027 ike_version = version == IKEV1 ? IKEV1_MAJOR_VERSION : IKEV2_MAJOR_VERSION;
1028
1029 if (initiator)
1030 {
1031 ike_sa_id = ike_sa_id_create(ike_version, get_spi(this), 0, TRUE);
1032 }
1033 else
1034 {
1035 ike_sa_id = ike_sa_id_create(ike_version, 0, get_spi(this), FALSE);
1036 }
1037 ike_sa = ike_sa_create(ike_sa_id, initiator, version);
1038 ike_sa_id->destroy(ike_sa_id);
1039
1040 if (ike_sa)
1041 {
1042 DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1043 ike_sa->get_unique_id(ike_sa));
1044 }
1045 return ike_sa;
1046 }
1047
1048 METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
1049 private_ike_sa_manager_t* this, message_t *message)
1050 {
1051 u_int segment;
1052 entry_t *entry;
1053 ike_sa_t *ike_sa = NULL;
1054 ike_sa_id_t *id;
1055 ike_version_t ike_version;
1056 bool is_init = FALSE;
1057
1058 id = message->get_ike_sa_id(message);
1059 /* clone the IKE_SA ID so we can modify the initiator flag */
1060 id = id->clone(id);
1061 id->switch_initiator(id);
1062
1063 DBG2(DBG_MGR, "checkout IKE_SA by message");
1064
1065 if (id->get_responder_spi(id) == 0)
1066 {
1067 if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
1068 {
1069 if (message->get_exchange_type(message) == IKE_SA_INIT &&
1070 message->get_request(message))
1071 {
1072 ike_version = IKEV2;
1073 is_init = TRUE;
1074 }
1075 }
1076 else
1077 {
1078 if (message->get_exchange_type(message) == ID_PROT ||
1079 message->get_exchange_type(message) == AGGRESSIVE)
1080 {
1081 ike_version = IKEV1;
1082 is_init = TRUE;
1083 if (id->is_initiator(id))
1084 { /* not set in IKEv1, switch back before applying to new SA */
1085 id->switch_initiator(id);
1086 }
1087 }
1088 }
1089 }
1090
1091 if (is_init && this->hasher)
1092 { /* initial request. checking for the hasher prevents crashes once
1093 * flush() has been called */
1094 chunk_t hash;
1095
1096 this->hasher->allocate_hash(this->hasher,
1097 message->get_packet_data(message), &hash);
1098
1099 /* ensure this is not a retransmit of an already handled init message */
1100 if (check_and_put_init_hash(this, hash))
1101 {
1102 chunk_free(&hash);
1103 id->destroy(id);
1104 DBG1(DBG_MGR, "ignoring %s, already processing",
1105 ike_version == IKEV2 ? "IKE_SA_INIT" : "initial IKE message");
1106 return NULL;
1107 }
1108
1109 /* no IKE_SA yet, create a new one */
1110 id->set_responder_spi(id, get_spi(this));
1111 ike_sa = ike_sa_create(id, FALSE, ike_version);
1112 if (ike_sa)
1113 {
1114 entry = entry_create();
1115 entry->ike_sa = ike_sa;
1116 entry->ike_sa_id = id->clone(id);
1117
1118 segment = put_entry(this, entry);
1119 entry->checked_out = TRUE;
1120 unlock_single_segment(this, segment);
1121
1122 entry->message_id = message->get_message_id(message);
1123 entry->init_hash = hash;
1124
1125 DBG2(DBG_MGR, "created IKE_SA %s[%u]",
1126 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1127 }
1128 else
1129 {
1130 remove_init_hash(this, hash);
1131 chunk_free(&hash);
1132 DBG1(DBG_MGR, "ignoring message, no such IKE_SA");
1133 }
1134 id->destroy(id);
1135 charon->bus->set_sa(charon->bus, ike_sa);
1136 return ike_sa;
1137 }
1138
1139 if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
1140 {
1141 /* only check out in IKEv2 if we are not already processing it */
1142 if (message->get_request(message) &&
1143 message->get_message_id(message) == entry->message_id)
1144 {
1145 DBG1(DBG_MGR, "ignoring request with ID %u, already processing",
1146 entry->message_id);
1147 }
1148 else if (wait_for_entry(this, entry, segment))
1149 {
1150 ike_sa_id_t *ike_id;
1151
1152 ike_id = entry->ike_sa->get_id(entry->ike_sa);
1153 entry->checked_out = TRUE;
1154 entry->message_id = message->get_message_id(message);
1155 if (ike_id->get_responder_spi(ike_id) == 0)
1156 {
1157 ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
1158 }
1159 ike_sa = entry->ike_sa;
1160 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1161 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1162 }
1163 unlock_single_segment(this, segment);
1164 }
1165 id->destroy(id);
1166 charon->bus->set_sa(charon->bus, ike_sa);
1167 return ike_sa;
1168 }
1169
1170 METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
1171 private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
1172 {
1173 enumerator_t *enumerator;
1174 entry_t *entry;
1175 ike_sa_t *ike_sa = NULL;
1176 peer_cfg_t *current_peer;
1177 ike_cfg_t *current_ike;
1178 u_int segment;
1179
1180 DBG2(DBG_MGR, "checkout IKE_SA by config");
1181
1182 if (!this->reuse_ikesa)
1183 { /* IKE_SA reuse disable by config */
1184 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1185 charon->bus->set_sa(charon->bus, ike_sa);
1186 return ike_sa;
1187 }
1188
1189 enumerator = create_table_enumerator(this);
1190 while (enumerator->enumerate(enumerator, &entry, &segment))
1191 {
1192 if (!wait_for_entry(this, entry, segment))
1193 {
1194 continue;
1195 }
1196 if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
1197 { /* skip IKE_SAs which are not usable */
1198 continue;
1199 }
1200
1201 current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
1202 if (current_peer && current_peer->equals(current_peer, peer_cfg))
1203 {
1204 current_ike = current_peer->get_ike_cfg(current_peer);
1205 if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1206 {
1207 entry->checked_out = TRUE;
1208 ike_sa = entry->ike_sa;
1209 DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
1210 ike_sa->get_unique_id(ike_sa),
1211 current_peer->get_name(current_peer));
1212 break;
1213 }
1214 }
1215 }
1216 enumerator->destroy(enumerator);
1217
1218 if (!ike_sa)
1219 { /* no IKE_SA using such a config, hand out a new */
1220 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1221 }
1222 charon->bus->set_sa(charon->bus, ike_sa);
1223 return ike_sa;
1224 }
1225
1226 METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
1227 private_ike_sa_manager_t *this, u_int32_t id, bool child)
1228 {
1229 enumerator_t *enumerator, *children;
1230 entry_t *entry;
1231 ike_sa_t *ike_sa = NULL;
1232 child_sa_t *child_sa;
1233 u_int segment;
1234
1235 DBG2(DBG_MGR, "checkout IKE_SA by ID");
1236
1237 enumerator = create_table_enumerator(this);
1238 while (enumerator->enumerate(enumerator, &entry, &segment))
1239 {
1240 if (wait_for_entry(this, entry, segment))
1241 {
1242 /* look for a child with such a reqid ... */
1243 if (child)
1244 {
1245 children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
1246 while (children->enumerate(children, (void**)&child_sa))
1247 {
1248 if (child_sa->get_reqid(child_sa) == id)
1249 {
1250 ike_sa = entry->ike_sa;
1251 break;
1252 }
1253 }
1254 children->destroy(children);
1255 }
1256 else /* ... or for a IKE_SA with such a unique id */
1257 {
1258 if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
1259 {
1260 ike_sa = entry->ike_sa;
1261 }
1262 }
1263 /* got one, return */
1264 if (ike_sa)
1265 {
1266 entry->checked_out = TRUE;
1267 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1268 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1269 break;
1270 }
1271 }
1272 }
1273 enumerator->destroy(enumerator);
1274
1275 charon->bus->set_sa(charon->bus, ike_sa);
1276 return ike_sa;
1277 }
1278
1279 METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
1280 private_ike_sa_manager_t *this, char *name, bool child)
1281 {
1282 enumerator_t *enumerator, *children;
1283 entry_t *entry;
1284 ike_sa_t *ike_sa = NULL;
1285 child_sa_t *child_sa;
1286 u_int segment;
1287
1288 enumerator = create_table_enumerator(this);
1289 while (enumerator->enumerate(enumerator, &entry, &segment))
1290 {
1291 if (wait_for_entry(this, entry, segment))
1292 {
1293 /* look for a child with such a policy name ... */
1294 if (child)
1295 {
1296 children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
1297 while (children->enumerate(children, (void**)&child_sa))
1298 {
1299 if (streq(child_sa->get_name(child_sa), name))
1300 {
1301 ike_sa = entry->ike_sa;
1302 break;
1303 }
1304 }
1305 children->destroy(children);
1306 }
1307 else /* ... or for a IKE_SA with such a connection name */
1308 {
1309 if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
1310 {
1311 ike_sa = entry->ike_sa;
1312 }
1313 }
1314 /* got one, return */
1315 if (ike_sa)
1316 {
1317 entry->checked_out = TRUE;
1318 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1319 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1320 break;
1321 }
1322 }
1323 }
1324 enumerator->destroy(enumerator);
1325
1326 charon->bus->set_sa(charon->bus, ike_sa);
1327 return ike_sa;
1328 }
1329
1330 /**
1331 * enumerator filter function, waiting variant
1332 */
1333 static bool enumerator_filter_wait(private_ike_sa_manager_t *this,
1334 entry_t **in, ike_sa_t **out, u_int *segment)
1335 {
1336 if (wait_for_entry(this, *in, *segment))
1337 {
1338 *out = (*in)->ike_sa;
1339 charon->bus->set_sa(charon->bus, *out);
1340 return TRUE;
1341 }
1342 return FALSE;
1343 }
1344
1345 /**
1346 * enumerator filter function, skipping variant
1347 */
1348 static bool enumerator_filter_skip(private_ike_sa_manager_t *this,
1349 entry_t **in, ike_sa_t **out, u_int *segment)
1350 {
1351 if (!(*in)->driveout_new_threads &&
1352 !(*in)->driveout_waiting_threads &&
1353 !(*in)->checked_out)
1354 {
1355 *out = (*in)->ike_sa;
1356 charon->bus->set_sa(charon->bus, *out);
1357 return TRUE;
1358 }
1359 return FALSE;
1360 }
1361
1362 /**
1363 * Reset threads SA after enumeration
1364 */
1365 static void reset_sa(void *data)
1366 {
1367 charon->bus->set_sa(charon->bus, NULL);
1368 }
1369
1370 METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*,
1371 private_ike_sa_manager_t* this, bool wait)
1372 {
1373 return enumerator_create_filter(create_table_enumerator(this),
1374 wait ? (void*)enumerator_filter_wait : (void*)enumerator_filter_skip,
1375 this, reset_sa);
1376 }
1377
1378 METHOD(ike_sa_manager_t, checkin, void,
1379 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1380 {
1381 /* to check the SA back in, we look for the pointer of the ike_sa
1382 * in all entries.
1383 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
1384 * on reception of a IKE_SA_INIT response) the lookup will work but
1385 * updating of the SPI MAY be necessary...
1386 */
1387 entry_t *entry;
1388 ike_sa_id_t *ike_sa_id;
1389 host_t *other;
1390 identification_t *my_id, *other_id;
1391 u_int segment;
1392
1393 ike_sa_id = ike_sa->get_id(ike_sa);
1394 my_id = ike_sa->get_my_id(ike_sa);
1395 other_id = ike_sa->get_other_id(ike_sa);
1396 other = ike_sa->get_other_host(ike_sa);
1397
1398 DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1399 ike_sa->get_unique_id(ike_sa));
1400
1401 /* look for the entry */
1402 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1403 {
1404 /* ike_sa_id must be updated */
1405 entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
1406 /* signal waiting threads */
1407 entry->checked_out = FALSE;
1408 entry->message_id = -1;
1409 /* check if this SA is half-open */
1410 if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
1411 {
1412 /* not half open anymore */
1413 entry->half_open = FALSE;
1414 remove_half_open(this, entry);
1415 }
1416 else if (entry->half_open && !other->ip_equals(other, entry->other))
1417 {
1418 /* the other host's IP has changed, we must update the hash table */
1419 remove_half_open(this, entry);
1420 DESTROY_IF(entry->other);
1421 entry->other = other->clone(other);
1422 put_half_open(this, entry);
1423 }
1424 else if (!entry->half_open &&
1425 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
1426 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
1427 {
1428 /* this is a new half-open SA */
1429 entry->half_open = TRUE;
1430 entry->other = other->clone(other);
1431 put_half_open(this, entry);
1432 }
1433 DBG2(DBG_MGR, "check-in of IKE_SA successful.");
1434 entry->condvar->signal(entry->condvar);
1435 }
1436 else
1437 {
1438 entry = entry_create();
1439 entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1440 entry->ike_sa = ike_sa;
1441 segment = put_entry(this, entry);
1442 }
1443
1444 /* apply identities for duplicate test */
1445 if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
1446 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
1447 entry->my_id == NULL && entry->other_id == NULL)
1448 {
1449 if (ike_sa->get_version(ike_sa) == IKEV1)
1450 {
1451 /* If authenticated and received INITIAL_CONTACT,
1452 * delete any existing IKE_SAs with that peer. */
1453 if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN))
1454 {
1455 this->public.check_uniqueness(&this->public, ike_sa, TRUE);
1456 ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE);
1457 }
1458 }
1459
1460 entry->my_id = my_id->clone(my_id);
1461 entry->other_id = other_id->clone(other_id);
1462 if (!entry->other)
1463 {
1464 entry->other = other->clone(other);
1465 }
1466 put_connected_peers(this, entry);
1467 }
1468
1469 unlock_single_segment(this, segment);
1470
1471 charon->bus->set_sa(charon->bus, NULL);
1472 }
1473
1474 METHOD(ike_sa_manager_t, checkin_and_destroy, void,
1475 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1476 {
1477 /* deletion is a bit complex, we must ensure that no thread is waiting for
1478 * this SA.
1479 * We take this SA from the table, and start signaling while threads
1480 * are in the condvar.
1481 */
1482 entry_t *entry;
1483 ike_sa_id_t *ike_sa_id;
1484 u_int segment;
1485
1486 ike_sa_id = ike_sa->get_id(ike_sa);
1487
1488 DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1489 ike_sa->get_unique_id(ike_sa));
1490
1491 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1492 {
1493 if (entry->driveout_waiting_threads && entry->driveout_new_threads)
1494 { /* it looks like flush() has been called and the SA is being deleted
1495 * anyway, just check it in */
1496 DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
1497 entry->checked_out = FALSE;
1498 entry->condvar->broadcast(entry->condvar);
1499 unlock_single_segment(this, segment);
1500 return;
1501 }
1502
1503 /* drive out waiting threads, as we are in hurry */
1504 entry->driveout_waiting_threads = TRUE;
1505 /* mark it, so no new threads can get this entry */
1506 entry->driveout_new_threads = TRUE;
1507 /* wait until all workers have done their work */
1508 while (entry->waiting_threads)
1509 {
1510 /* wake up all */
1511 entry->condvar->broadcast(entry->condvar);
1512 /* they will wake us again when their work is done */
1513 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1514 }
1515 remove_entry(this, entry);
1516 unlock_single_segment(this, segment);
1517
1518 if (entry->half_open)
1519 {
1520 remove_half_open(this, entry);
1521 }
1522 if (entry->my_id && entry->other_id)
1523 {
1524 remove_connected_peers(this, entry);
1525 }
1526 if (entry->init_hash.ptr)
1527 {
1528 remove_init_hash(this, entry->init_hash);
1529 }
1530
1531 entry_destroy(entry);
1532
1533 DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
1534 }
1535 else
1536 {
1537 DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
1538 ike_sa->destroy(ike_sa);
1539 }
1540 charon->bus->set_sa(charon->bus, NULL);
1541 }
1542
1543 /**
1544 * Cleanup function for create_id_enumerator
1545 */
1546 static void id_enumerator_cleanup(linked_list_t *ids)
1547 {
1548 ids->destroy_offset(ids, offsetof(ike_sa_id_t, destroy));
1549 }
1550
1551 METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
1552 private_ike_sa_manager_t *this, identification_t *me,
1553 identification_t *other, int family)
1554 {
1555 linked_list_t *list, *ids = NULL;
1556 connected_peers_t *current;
1557 u_int row, segment;
1558 rwlock_t *lock;
1559
1560 row = chunk_hash_inc(other->get_encoding(other),
1561 chunk_hash(me->get_encoding(me))) & this->table_mask;
1562 segment = row & this->segment_mask;
1563
1564 lock = this->connected_peers_segments[segment & this->segment_mask].lock;
1565 lock->read_lock(lock);
1566 list = this->connected_peers_table[row];
1567 if (list)
1568 {
1569 if (list->find_first(list, (linked_list_match_t)connected_peers_match,
1570 (void**)&current, me, other, (uintptr_t)family) == SUCCESS)
1571 {
1572 ids = current->sas->clone_offset(current->sas,
1573 offsetof(ike_sa_id_t, clone));
1574 }
1575 }
1576 lock->unlock(lock);
1577
1578 if (!ids)
1579 {
1580 return enumerator_create_empty();
1581 }
1582 return enumerator_create_cleaner(ids->create_enumerator(ids),
1583 (void*)id_enumerator_cleanup, ids);
1584 }
1585
1586 METHOD(ike_sa_manager_t, check_uniqueness, bool,
1587 private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
1588 {
1589 bool cancel = FALSE;
1590 peer_cfg_t *peer_cfg;
1591 unique_policy_t policy;
1592 enumerator_t *enumerator;
1593 ike_sa_id_t *id = NULL;
1594 identification_t *me, *other;
1595 host_t *other_host;
1596
1597 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
1598 policy = peer_cfg->get_unique_policy(peer_cfg);
1599 if (policy == UNIQUE_NO && !force_replace)
1600 {
1601 return FALSE;
1602 }
1603 me = ike_sa->get_my_id(ike_sa);
1604 other = ike_sa->get_other_id(ike_sa);
1605 other_host = ike_sa->get_other_host(ike_sa);
1606
1607 enumerator = create_id_enumerator(this, me, other,
1608 other_host->get_family(other_host));
1609 while (enumerator->enumerate(enumerator, &id))
1610 {
1611 status_t status = SUCCESS;
1612 ike_sa_t *duplicate;
1613
1614 duplicate = checkout(this, id);
1615 if (!duplicate)
1616 {
1617 continue;
1618 }
1619 if (force_replace)
1620 {
1621 DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
1622 "received INITIAL_CONTACT", other);
1623 checkin_and_destroy(this, duplicate);
1624 continue;
1625 }
1626 peer_cfg = duplicate->get_peer_cfg(duplicate);
1627 if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
1628 {
1629 switch (duplicate->get_state(duplicate))
1630 {
1631 case IKE_ESTABLISHED:
1632 case IKE_REKEYING:
1633 switch (policy)
1634 {
1635 case UNIQUE_REPLACE:
1636 DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer "
1637 "'%Y' due to uniqueness policy", other);
1638 status = duplicate->delete(duplicate);
1639 break;
1640 case UNIQUE_KEEP:
1641 cancel = TRUE;
1642 /* we keep the first IKE_SA and delete all
1643 * other duplicates that might exist */
1644 policy = UNIQUE_REPLACE;
1645 break;
1646 default:
1647 break;
1648 }
1649 break;
1650 default:
1651 break;
1652 }
1653 }
1654 if (status == DESTROY_ME)
1655 {
1656 checkin_and_destroy(this, duplicate);
1657 }
1658 else
1659 {
1660 checkin(this, duplicate);
1661 }
1662 }
1663 enumerator->destroy(enumerator);
1664 /* reset thread's current IKE_SA after checkin */
1665 charon->bus->set_sa(charon->bus, ike_sa);
1666 return cancel;
1667 }
1668
1669 METHOD(ike_sa_manager_t, has_contact, bool,
1670 private_ike_sa_manager_t *this, identification_t *me,
1671 identification_t *other, int family)
1672 {
1673 linked_list_t *list;
1674 u_int row, segment;
1675 rwlock_t *lock;
1676 bool found = FALSE;
1677
1678 row = chunk_hash_inc(other->get_encoding(other),
1679 chunk_hash(me->get_encoding(me))) & this->table_mask;
1680 segment = row & this->segment_mask;
1681 lock = this->connected_peers_segments[segment & this->segment_mask].lock;
1682 lock->read_lock(lock);
1683 list = this->connected_peers_table[row];
1684 if (list)
1685 {
1686 if (list->find_first(list, (linked_list_match_t)connected_peers_match,
1687 NULL, me, other, family) == SUCCESS)
1688 {
1689 found = TRUE;
1690 }
1691 }
1692 lock->unlock(lock);
1693
1694 return found;
1695 }
1696
1697 METHOD(ike_sa_manager_t, get_count, u_int,
1698 private_ike_sa_manager_t *this)
1699 {
1700 u_int segment, count = 0;
1701 mutex_t *mutex;
1702
1703 for (segment = 0; segment < this->segment_count; segment++)
1704 {
1705 mutex = this->segments[segment & this->segment_mask].mutex;
1706 mutex->lock(mutex);
1707 count += this->segments[segment].count;
1708 mutex->unlock(mutex);
1709 }
1710 return count;
1711 }
1712
1713 METHOD(ike_sa_manager_t, get_half_open_count, u_int,
1714 private_ike_sa_manager_t *this, host_t *ip)
1715 {
1716 linked_list_t *list;
1717 u_int segment, row;
1718 rwlock_t *lock;
1719 chunk_t addr;
1720 u_int count = 0;
1721
1722 if (ip)
1723 {
1724 addr = ip->get_address(ip);
1725 row = chunk_hash(addr) & this->table_mask;
1726 segment = row & this->segment_mask;
1727 lock = this->half_open_segments[segment & this->segment_mask].lock;
1728 lock->read_lock(lock);
1729 if ((list = this->half_open_table[row]) != NULL)
1730 {
1731 half_open_t *current;
1732
1733 if (list->find_first(list, (linked_list_match_t)half_open_match,
1734 (void**)&current, &addr) == SUCCESS)
1735 {
1736 count = current->count;
1737 }
1738 }
1739 lock->unlock(lock);
1740 }
1741 else
1742 {
1743 for (segment = 0; segment < this->segment_count; segment++)
1744 {
1745 lock = this->half_open_segments[segment & this->segment_mask].lock;
1746 lock->read_lock(lock);
1747 count += this->half_open_segments[segment].count;
1748 lock->unlock(lock);
1749 }
1750 }
1751 return count;
1752 }
1753
1754 METHOD(ike_sa_manager_t, flush, void,
1755 private_ike_sa_manager_t *this)
1756 {
1757 /* destroy all list entries */
1758 enumerator_t *enumerator;
1759 entry_t *entry;
1760 u_int segment;
1761
1762 lock_all_segments(this);
1763 DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
1764 /* Step 1: drive out all waiting threads */
1765 DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
1766 enumerator = create_table_enumerator(this);
1767 while (enumerator->enumerate(enumerator, &entry, &segment))
1768 {
1769 /* do not accept new threads, drive out waiting threads */
1770 entry->driveout_new_threads = TRUE;
1771 entry->driveout_waiting_threads = TRUE;
1772 }
1773 enumerator->destroy(enumerator);
1774 DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
1775 /* Step 2: wait until all are gone */
1776 enumerator = create_table_enumerator(this);
1777 while (enumerator->enumerate(enumerator, &entry, &segment))
1778 {
1779 while (entry->waiting_threads || entry->checked_out)
1780 {
1781 /* wake up all */
1782 entry->condvar->broadcast(entry->condvar);
1783 /* go sleeping until they are gone */
1784 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1785 }
1786 }
1787 enumerator->destroy(enumerator);
1788 DBG2(DBG_MGR, "delete all IKE_SA's");
1789 /* Step 3: initiate deletion of all IKE_SAs */
1790 enumerator = create_table_enumerator(this);
1791 while (enumerator->enumerate(enumerator, &entry, &segment))
1792 {
1793 charon->bus->set_sa(charon->bus, entry->ike_sa);
1794 if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2)
1795 { /* as the delete never gets processed, fire down events */
1796 switch (entry->ike_sa->get_state(entry->ike_sa))
1797 {
1798 case IKE_ESTABLISHED:
1799 case IKE_REKEYING:
1800 case IKE_DELETING:
1801 charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
1802 break;
1803 default:
1804 break;
1805 }
1806 }
1807 entry->ike_sa->delete(entry->ike_sa);
1808 }
1809 enumerator->destroy(enumerator);
1810
1811 DBG2(DBG_MGR, "destroy all entries");
1812 /* Step 4: destroy all entries */
1813 enumerator = create_table_enumerator(this);
1814 while (enumerator->enumerate(enumerator, &entry, &segment))
1815 {
1816 charon->bus->set_sa(charon->bus, entry->ike_sa);
1817 if (entry->half_open)
1818 {
1819 remove_half_open(this, entry);
1820 }
1821 if (entry->my_id && entry->other_id)
1822 {
1823 remove_connected_peers(this, entry);
1824 }
1825 if (entry->init_hash.ptr)
1826 {
1827 remove_init_hash(this, entry->init_hash);
1828 }
1829 remove_entry_at((private_enumerator_t*)enumerator);
1830 entry_destroy(entry);
1831 }
1832 enumerator->destroy(enumerator);
1833 charon->bus->set_sa(charon->bus, NULL);
1834 unlock_all_segments(this);
1835
1836 this->rng->destroy(this->rng);
1837 this->rng = NULL;
1838 this->hasher->destroy(this->hasher);
1839 this->hasher = NULL;
1840 }
1841
1842 METHOD(ike_sa_manager_t, destroy, void,
1843 private_ike_sa_manager_t *this)
1844 {
1845 u_int i;
1846
1847 for (i = 0; i < this->table_size; i++)
1848 {
1849 DESTROY_IF(this->ike_sa_table[i]);
1850 DESTROY_IF(this->half_open_table[i]);
1851 DESTROY_IF(this->connected_peers_table[i]);
1852 DESTROY_IF(this->init_hashes_table[i]);
1853 }
1854 free(this->ike_sa_table);
1855 free(this->half_open_table);
1856 free(this->connected_peers_table);
1857 free(this->init_hashes_table);
1858 for (i = 0; i < this->segment_count; i++)
1859 {
1860 this->segments[i].mutex->destroy(this->segments[i].mutex);
1861 this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
1862 this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
1863 this->init_hashes_segments[i].mutex->destroy(this->init_hashes_segments[i].mutex);
1864 }
1865 free(this->segments);
1866 free(this->half_open_segments);
1867 free(this->connected_peers_segments);
1868 free(this->init_hashes_segments);
1869
1870 free(this);
1871 }
1872
1873 /**
1874 * This function returns the next-highest power of two for the given number.
1875 * The algorithm works by setting all bits on the right-hand side of the most
1876 * significant 1 to 1 and then increments the whole number so it rolls over
1877 * to the nearest power of two. Note: returns 0 for n == 0
1878 */
1879 static u_int get_nearest_powerof2(u_int n)
1880 {
1881 u_int i;
1882
1883 --n;
1884 for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
1885 {
1886 n |= n >> i;
1887 }
1888 return ++n;
1889 }
1890
1891 /*
1892 * Described in header.
1893 */
1894 ike_sa_manager_t *ike_sa_manager_create()
1895 {
1896 private_ike_sa_manager_t *this;
1897 u_int i;
1898
1899 INIT(this,
1900 .public = {
1901 .checkout = _checkout,
1902 .checkout_new = _checkout_new,
1903 .checkout_by_message = _checkout_by_message,
1904 .checkout_by_config = _checkout_by_config,
1905 .checkout_by_id = _checkout_by_id,
1906 .checkout_by_name = _checkout_by_name,
1907 .check_uniqueness = _check_uniqueness,
1908 .has_contact = _has_contact,
1909 .create_enumerator = _create_enumerator,
1910 .create_id_enumerator = _create_id_enumerator,
1911 .checkin = _checkin,
1912 .checkin_and_destroy = _checkin_and_destroy,
1913 .get_count = _get_count,
1914 .get_half_open_count = _get_half_open_count,
1915 .flush = _flush,
1916 .destroy = _destroy,
1917 },
1918 );
1919
1920 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
1921 if (this->hasher == NULL)
1922 {
1923 DBG1(DBG_MGR, "manager initialization failed, no hasher supported");
1924 free(this);
1925 return NULL;
1926 }
1927 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
1928 if (this->rng == NULL)
1929 {
1930 DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
1931 this->hasher->destroy(this->hasher);
1932 free(this);
1933 return NULL;
1934 }
1935
1936 this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings,
1937 "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE));
1938 this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
1939 this->table_mask = this->table_size - 1;
1940
1941 this->segment_count = get_nearest_powerof2(lib->settings->get_int(lib->settings,
1942 "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT));
1943 this->segment_count = max(1, min(this->segment_count, this->table_size));
1944 this->segment_mask = this->segment_count - 1;
1945
1946 this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*));
1947 this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
1948 for (i = 0; i < this->segment_count; i++)
1949 {
1950 this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
1951 this->segments[i].count = 0;
1952 }
1953
1954 /* we use the same table parameters for the table to track half-open SAs */
1955 this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*));
1956 this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
1957 for (i = 0; i < this->segment_count; i++)
1958 {
1959 this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
1960 this->half_open_segments[i].count = 0;
1961 }
1962
1963 /* also for the hash table used for duplicate tests */
1964 this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*));
1965 this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
1966 for (i = 0; i < this->segment_count; i++)
1967 {
1968 this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
1969 this->connected_peers_segments[i].count = 0;
1970 }
1971
1972 /* and again for the table of hashes of seen initial IKE messages */
1973 this->init_hashes_table = calloc(this->table_size, sizeof(linked_list_t*));
1974 this->init_hashes_segments = calloc(this->segment_count, sizeof(segment_t));
1975 for (i = 0; i < this->segment_count; i++)
1976 {
1977 this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
1978 this->init_hashes_segments[i].count = 0;
1979 }
1980
1981 this->reuse_ikesa = lib->settings->get_bool(lib->settings,
1982 "charon.reuse_ikesa", TRUE);
1983 return &this->public;
1984 }