Merge branch 'make-before-break'
[strongswan.git] / src / libcharon / sa / ike_sa_manager.c
1 /*
2 * Copyright (C) 2005-2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 * Copyright (C) 2008-2012 Tobias Brunner
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20
21 #include "ike_sa_manager.h"
22
23 #include <daemon.h>
24 #include <sa/ike_sa_id.h>
25 #include <bus/bus.h>
26 #include <threading/condvar.h>
27 #include <threading/mutex.h>
28 #include <threading/rwlock.h>
29 #include <collections/linked_list.h>
30 #include <crypto/hashers/hasher.h>
31 #include <processing/jobs/delete_ike_sa_job.h>
32
33 /* the default size of the hash table (MUST be a power of 2) */
34 #define DEFAULT_HASHTABLE_SIZE 1
35
36 /* the maximum size of the hash table (MUST be a power of 2) */
37 #define MAX_HASHTABLE_SIZE (1 << 30)
38
39 /* the default number of segments (MUST be a power of 2) */
40 #define DEFAULT_SEGMENT_COUNT 1
41
42 typedef struct entry_t entry_t;
43
44 /**
45 * An entry in the linked list, contains IKE_SA, locking and lookup data.
46 */
47 struct entry_t {
48
49 /**
50 * Number of threads waiting for this ike_sa_t object.
51 */
52 int waiting_threads;
53
54 /**
55 * Condvar where threads can wait until ike_sa_t object is free for use again.
56 */
57 condvar_t *condvar;
58
59 /**
60 * Is this ike_sa currently checked out?
61 */
62 bool checked_out;
63
64 /**
65 * Does this SA drives out new threads?
66 */
67 bool driveout_new_threads;
68
69 /**
70 * Does this SA drives out waiting threads?
71 */
72 bool driveout_waiting_threads;
73
74 /**
75 * Identification of an IKE_SA (SPIs).
76 */
77 ike_sa_id_t *ike_sa_id;
78
79 /**
80 * The contained ike_sa_t object.
81 */
82 ike_sa_t *ike_sa;
83
84 /**
85 * hash of the IKE_SA_INIT message, used to detect retransmissions
86 */
87 chunk_t init_hash;
88
89 /**
90 * remote host address, required for DoS detection and duplicate
91 * checking (host with same my_id and other_id is *not* considered
92 * a duplicate if the address family differs)
93 */
94 host_t *other;
95
96 /**
97 * As responder: Is this SA half-open?
98 */
99 bool half_open;
100
101 /**
102 * own identity, required for duplicate checking
103 */
104 identification_t *my_id;
105
106 /**
107 * remote identity, required for duplicate checking
108 */
109 identification_t *other_id;
110
111 /**
112 * message ID or hash of currently processing message, -1 if none
113 */
114 u_int32_t processing;
115 };
116
117 /**
118 * Implementation of entry_t.destroy.
119 */
120 static status_t entry_destroy(entry_t *this)
121 {
122 /* also destroy IKE SA */
123 this->ike_sa->destroy(this->ike_sa);
124 this->ike_sa_id->destroy(this->ike_sa_id);
125 chunk_free(&this->init_hash);
126 DESTROY_IF(this->other);
127 DESTROY_IF(this->my_id);
128 DESTROY_IF(this->other_id);
129 this->condvar->destroy(this->condvar);
130 free(this);
131 return SUCCESS;
132 }
133
134 /**
135 * Creates a new entry for the ike_sa_t list.
136 */
137 static entry_t *entry_create()
138 {
139 entry_t *this;
140
141 INIT(this,
142 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
143 .processing = -1,
144 );
145
146 return this;
147 }
148
149 /**
150 * Function that matches entry_t objects by ike_sa_id_t.
151 */
152 static bool entry_match_by_id(entry_t *entry, ike_sa_id_t *id)
153 {
154 if (id->equals(id, entry->ike_sa_id))
155 {
156 return TRUE;
157 }
158 if ((id->get_responder_spi(id) == 0 ||
159 entry->ike_sa_id->get_responder_spi(entry->ike_sa_id) == 0) &&
160 id->get_initiator_spi(id) == entry->ike_sa_id->get_initiator_spi(entry->ike_sa_id))
161 {
162 /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
163 return TRUE;
164 }
165 return FALSE;
166 }
167
168 /**
169 * Function that matches entry_t objects by ike_sa_t pointers.
170 */
171 static bool entry_match_by_sa(entry_t *entry, ike_sa_t *ike_sa)
172 {
173 return entry->ike_sa == ike_sa;
174 }
175
176 /**
177 * Hash function for ike_sa_id_t objects.
178 */
179 static u_int ike_sa_id_hash(ike_sa_id_t *ike_sa_id)
180 {
181 /* IKEv2 does not mandate random SPIs (RFC 5996, 2.6), they just have to be
182 * locally unique, so we use our randomly allocated SPI whether we are
183 * initiator or responder to ensure a good distribution. The latter is not
184 * possible for IKEv1 as we don't know whether we are original initiator or
185 * not (based on the IKE header). But as RFC 2408, section 2.5.3 proposes
186 * SPIs (Cookies) to be allocated near random (we allocate them randomly
187 * anyway) it seems safe to always use the initiator SPI. */
188 if (ike_sa_id->get_ike_version(ike_sa_id) == IKEV1_MAJOR_VERSION ||
189 ike_sa_id->is_initiator(ike_sa_id))
190 {
191 return ike_sa_id->get_initiator_spi(ike_sa_id);
192 }
193 return ike_sa_id->get_responder_spi(ike_sa_id);
194 }
195
196 typedef struct half_open_t half_open_t;
197
198 /**
199 * Struct to manage half-open IKE_SAs per peer.
200 */
201 struct half_open_t {
202 /** chunk of remote host address */
203 chunk_t other;
204
205 /** the number of half-open IKE_SAs with that host */
206 u_int count;
207 };
208
209 /**
210 * Destroys a half_open_t object.
211 */
212 static void half_open_destroy(half_open_t *this)
213 {
214 chunk_free(&this->other);
215 free(this);
216 }
217
218 typedef struct connected_peers_t connected_peers_t;
219
220 struct connected_peers_t {
221 /** own identity */
222 identification_t *my_id;
223
224 /** remote identity */
225 identification_t *other_id;
226
227 /** ip address family of peer */
228 int family;
229
230 /** list of ike_sa_id_t objects of IKE_SAs between the two identities */
231 linked_list_t *sas;
232 };
233
234 static void connected_peers_destroy(connected_peers_t *this)
235 {
236 this->my_id->destroy(this->my_id);
237 this->other_id->destroy(this->other_id);
238 this->sas->destroy(this->sas);
239 free(this);
240 }
241
242 /**
243 * Function that matches connected_peers_t objects by the given ids.
244 */
245 static inline bool connected_peers_match(connected_peers_t *connected_peers,
246 identification_t *my_id, identification_t *other_id,
247 int family)
248 {
249 return my_id->equals(my_id, connected_peers->my_id) &&
250 other_id->equals(other_id, connected_peers->other_id) &&
251 (!family || family == connected_peers->family);
252 }
253
254 typedef struct init_hash_t init_hash_t;
255
256 struct init_hash_t {
257 /** hash of IKE_SA_INIT or initial phase1 message (data is not cloned) */
258 chunk_t hash;
259
260 /** our SPI allocated for the IKE_SA based on this message */
261 u_int64_t our_spi;
262 };
263
264 typedef struct segment_t segment_t;
265
266 /**
267 * Struct to manage segments of the hash table.
268 */
269 struct segment_t {
270 /** mutex to access a segment exclusively */
271 mutex_t *mutex;
272
273 /** the number of entries in this segment */
274 u_int count;
275 };
276
277 typedef struct shareable_segment_t shareable_segment_t;
278
279 /**
280 * Struct to manage segments of the "half-open" and "connected peers" hash tables.
281 */
282 struct shareable_segment_t {
283 /** rwlock to access a segment non-/exclusively */
284 rwlock_t *lock;
285
286 /** the number of entries in this segment - in case of the "half-open table"
287 * it's the sum of all half_open_t.count in a segment. */
288 u_int count;
289 };
290
291 typedef struct table_item_t table_item_t;
292
293 /**
294 * Instead of using linked_list_t for each bucket we store the data in our own
295 * list to save memory.
296 */
297 struct table_item_t {
298 /** data of this item */
299 void *value;
300
301 /** next item in the overflow list */
302 table_item_t *next;
303 };
304
305 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t;
306
307 /**
308 * Additional private members of ike_sa_manager_t.
309 */
310 struct private_ike_sa_manager_t {
311 /**
312 * Public interface of ike_sa_manager_t.
313 */
314 ike_sa_manager_t public;
315
316 /**
317 * Hash table with entries for the ike_sa_t objects.
318 */
319 table_item_t **ike_sa_table;
320
321 /**
322 * The size of the hash table.
323 */
324 u_int table_size;
325
326 /**
327 * Mask to map the hashes to table rows.
328 */
329 u_int table_mask;
330
331 /**
332 * Segments of the hash table.
333 */
334 segment_t *segments;
335
336 /**
337 * The number of segments.
338 */
339 u_int segment_count;
340
341 /**
342 * Mask to map a table row to a segment.
343 */
344 u_int segment_mask;
345
346 /**
347 * Hash table with half_open_t objects.
348 */
349 table_item_t **half_open_table;
350
351 /**
352 * Segments of the "half-open" hash table.
353 */
354 shareable_segment_t *half_open_segments;
355
356 /**
357 * Total number of half-open IKE_SAs.
358 */
359 refcount_t half_open_count;
360
361 /**
362 * Hash table with connected_peers_t objects.
363 */
364 table_item_t **connected_peers_table;
365
366 /**
367 * Segments of the "connected peers" hash table.
368 */
369 shareable_segment_t *connected_peers_segments;
370
371 /**
372 * Hash table with init_hash_t objects.
373 */
374 table_item_t **init_hashes_table;
375
376 /**
377 * Segments of the "hashes" hash table.
378 */
379 segment_t *init_hashes_segments;
380
381 /**
382 * RNG to get random SPIs for our side
383 */
384 rng_t *rng;
385
386 /**
387 * reuse existing IKE_SAs in checkout_by_config
388 */
389 bool reuse_ikesa;
390
391 /**
392 * Configured IKE_SA limit, if any
393 */
394 u_int ikesa_limit;
395 };
396
397 /**
398 * Acquire a lock to access the segment of the table row with the given index.
399 * It also works with the segment index directly.
400 */
401 static inline void lock_single_segment(private_ike_sa_manager_t *this,
402 u_int index)
403 {
404 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
405 lock->lock(lock);
406 }
407
408 /**
409 * Release the lock required to access the segment of the table row with the given index.
410 * It also works with the segment index directly.
411 */
412 static inline void unlock_single_segment(private_ike_sa_manager_t *this,
413 u_int index)
414 {
415 mutex_t *lock = this->segments[index & this->segment_mask].mutex;
416 lock->unlock(lock);
417 }
418
419 /**
420 * Lock all segments
421 */
422 static void lock_all_segments(private_ike_sa_manager_t *this)
423 {
424 u_int i;
425
426 for (i = 0; i < this->segment_count; i++)
427 {
428 this->segments[i].mutex->lock(this->segments[i].mutex);
429 }
430 }
431
432 /**
433 * Unlock all segments
434 */
435 static void unlock_all_segments(private_ike_sa_manager_t *this)
436 {
437 u_int i;
438
439 for (i = 0; i < this->segment_count; i++)
440 {
441 this->segments[i].mutex->unlock(this->segments[i].mutex);
442 }
443 }
444
445 typedef struct private_enumerator_t private_enumerator_t;
446
447 /**
448 * hash table enumerator implementation
449 */
450 struct private_enumerator_t {
451
452 /**
453 * implements enumerator interface
454 */
455 enumerator_t enumerator;
456
457 /**
458 * associated ike_sa_manager_t
459 */
460 private_ike_sa_manager_t *manager;
461
462 /**
463 * current segment index
464 */
465 u_int segment;
466
467 /**
468 * currently enumerating entry
469 */
470 entry_t *entry;
471
472 /**
473 * current table row index
474 */
475 u_int row;
476
477 /**
478 * current table item
479 */
480 table_item_t *current;
481
482 /**
483 * previous table item
484 */
485 table_item_t *prev;
486 };
487
488 METHOD(enumerator_t, enumerate, bool,
489 private_enumerator_t *this, entry_t **entry, u_int *segment)
490 {
491 if (this->entry)
492 {
493 this->entry->condvar->signal(this->entry->condvar);
494 this->entry = NULL;
495 }
496 while (this->segment < this->manager->segment_count)
497 {
498 while (this->row < this->manager->table_size)
499 {
500 this->prev = this->current;
501 if (this->current)
502 {
503 this->current = this->current->next;
504 }
505 else
506 {
507 lock_single_segment(this->manager, this->segment);
508 this->current = this->manager->ike_sa_table[this->row];
509 }
510 if (this->current)
511 {
512 *entry = this->entry = this->current->value;
513 *segment = this->segment;
514 return TRUE;
515 }
516 unlock_single_segment(this->manager, this->segment);
517 this->row += this->manager->segment_count;
518 }
519 this->segment++;
520 this->row = this->segment;
521 }
522 return FALSE;
523 }
524
525 METHOD(enumerator_t, enumerator_destroy, void,
526 private_enumerator_t *this)
527 {
528 if (this->entry)
529 {
530 this->entry->condvar->signal(this->entry->condvar);
531 }
532 if (this->current)
533 {
534 unlock_single_segment(this->manager, this->segment);
535 }
536 free(this);
537 }
538
539 /**
540 * Creates an enumerator to enumerate the entries in the hash table.
541 */
542 static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this)
543 {
544 private_enumerator_t *enumerator;
545
546 INIT(enumerator,
547 .enumerator = {
548 .enumerate = (void*)_enumerate,
549 .destroy = _enumerator_destroy,
550 },
551 .manager = this,
552 );
553 return &enumerator->enumerator;
554 }
555
556 /**
557 * Put an entry into the hash table.
558 * Note: The caller has to unlock the returned segment.
559 */
560 static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry)
561 {
562 table_item_t *current, *item;
563 u_int row, segment;
564
565 INIT(item,
566 .value = entry,
567 );
568
569 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
570 segment = row & this->segment_mask;
571
572 lock_single_segment(this, segment);
573 current = this->ike_sa_table[row];
574 if (current)
575 { /* insert at the front of current bucket */
576 item->next = current;
577 }
578 this->ike_sa_table[row] = item;
579 this->segments[segment].count++;
580 return segment;
581 }
582
583 /**
584 * Remove an entry from the hash table.
585 * Note: The caller MUST have a lock on the segment of this entry.
586 */
587 static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry)
588 {
589 table_item_t *item, *prev = NULL;
590 u_int row, segment;
591
592 row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask;
593 segment = row & this->segment_mask;
594 item = this->ike_sa_table[row];
595 while (item)
596 {
597 if (item->value == entry)
598 {
599 if (prev)
600 {
601 prev->next = item->next;
602 }
603 else
604 {
605 this->ike_sa_table[row] = item->next;
606 }
607 this->segments[segment].count--;
608 free(item);
609 break;
610 }
611 prev = item;
612 item = item->next;
613 }
614 }
615
616 /**
617 * Remove the entry at the current enumerator position.
618 */
619 static void remove_entry_at(private_enumerator_t *this)
620 {
621 this->entry = NULL;
622 if (this->current)
623 {
624 table_item_t *current = this->current;
625
626 this->manager->segments[this->segment].count--;
627 this->current = this->prev;
628
629 if (this->prev)
630 {
631 this->prev->next = current->next;
632 }
633 else
634 {
635 this->manager->ike_sa_table[this->row] = current->next;
636 unlock_single_segment(this->manager, this->segment);
637 }
638 free(current);
639 }
640 }
641
642 /**
643 * Find an entry using the provided match function to compare the entries for
644 * equality.
645 */
646 static status_t get_entry_by_match_function(private_ike_sa_manager_t *this,
647 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment,
648 linked_list_match_t match, void *param)
649 {
650 table_item_t *item;
651 u_int row, seg;
652
653 row = ike_sa_id_hash(ike_sa_id) & this->table_mask;
654 seg = row & this->segment_mask;
655
656 lock_single_segment(this, seg);
657 item = this->ike_sa_table[row];
658 while (item)
659 {
660 if (match(item->value, param))
661 {
662 *entry = item->value;
663 *segment = seg;
664 /* the locked segment has to be unlocked by the caller */
665 return SUCCESS;
666 }
667 item = item->next;
668 }
669 unlock_single_segment(this, seg);
670 return NOT_FOUND;
671 }
672
673 /**
674 * Find an entry by ike_sa_id_t.
675 * Note: On SUCCESS, the caller has to unlock the segment.
676 */
677 static status_t get_entry_by_id(private_ike_sa_manager_t *this,
678 ike_sa_id_t *ike_sa_id, entry_t **entry, u_int *segment)
679 {
680 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
681 (linked_list_match_t)entry_match_by_id, ike_sa_id);
682 }
683
684 /**
685 * Find an entry by IKE_SA pointer.
686 * Note: On SUCCESS, the caller has to unlock the segment.
687 */
688 static status_t get_entry_by_sa(private_ike_sa_manager_t *this,
689 ike_sa_id_t *ike_sa_id, ike_sa_t *ike_sa, entry_t **entry, u_int *segment)
690 {
691 return get_entry_by_match_function(this, ike_sa_id, entry, segment,
692 (linked_list_match_t)entry_match_by_sa, ike_sa);
693 }
694
695 /**
696 * Wait until no other thread is using an IKE_SA, return FALSE if entry not
697 * acquirable.
698 */
699 static bool wait_for_entry(private_ike_sa_manager_t *this, entry_t *entry,
700 u_int segment)
701 {
702 if (entry->driveout_new_threads)
703 {
704 /* we are not allowed to get this */
705 return FALSE;
706 }
707 while (entry->checked_out && !entry->driveout_waiting_threads)
708 {
709 /* so wait until we can get it for us.
710 * we register us as waiting. */
711 entry->waiting_threads++;
712 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
713 entry->waiting_threads--;
714 }
715 /* hm, a deletion request forbids us to get this SA, get next one */
716 if (entry->driveout_waiting_threads)
717 {
718 /* we must signal here, others may be waiting on it, too */
719 entry->condvar->signal(entry->condvar);
720 return FALSE;
721 }
722 return TRUE;
723 }
724
725 /**
726 * Put a half-open SA into the hash table.
727 */
728 static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry)
729 {
730 table_item_t *item;
731 u_int row, segment;
732 rwlock_t *lock;
733 half_open_t *half_open;
734 chunk_t addr;
735
736 addr = entry->other->get_address(entry->other);
737 row = chunk_hash(addr) & this->table_mask;
738 segment = row & this->segment_mask;
739 lock = this->half_open_segments[segment].lock;
740 lock->write_lock(lock);
741 item = this->half_open_table[row];
742 while (item)
743 {
744 half_open = item->value;
745
746 if (chunk_equals(addr, half_open->other))
747 {
748 half_open->count++;
749 break;
750 }
751 item = item->next;
752 }
753
754 if (!item)
755 {
756 INIT(half_open,
757 .other = chunk_clone(addr),
758 .count = 1,
759 );
760 INIT(item,
761 .value = half_open,
762 .next = this->half_open_table[row],
763 );
764 this->half_open_table[row] = item;
765 }
766 this->half_open_segments[segment].count++;
767 ref_get(&this->half_open_count);
768 lock->unlock(lock);
769 }
770
771 /**
772 * Remove a half-open SA from the hash table.
773 */
774 static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry)
775 {
776 table_item_t *item, *prev = NULL;
777 u_int row, segment;
778 rwlock_t *lock;
779 chunk_t addr;
780
781 addr = entry->other->get_address(entry->other);
782 row = chunk_hash(addr) & this->table_mask;
783 segment = row & this->segment_mask;
784 lock = this->half_open_segments[segment].lock;
785 lock->write_lock(lock);
786 item = this->half_open_table[row];
787 while (item)
788 {
789 half_open_t *half_open = item->value;
790
791 if (chunk_equals(addr, half_open->other))
792 {
793 if (--half_open->count == 0)
794 {
795 if (prev)
796 {
797 prev->next = item->next;
798 }
799 else
800 {
801 this->half_open_table[row] = item->next;
802 }
803 half_open_destroy(half_open);
804 free(item);
805 }
806 this->half_open_segments[segment].count--;
807 ignore_result(ref_put(&this->half_open_count));
808 break;
809 }
810 prev = item;
811 item = item->next;
812 }
813 lock->unlock(lock);
814 }
815
816 /**
817 * Put an SA between two peers into the hash table.
818 */
819 static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
820 {
821 table_item_t *item;
822 u_int row, segment;
823 rwlock_t *lock;
824 connected_peers_t *connected_peers;
825 chunk_t my_id, other_id;
826 int family;
827
828 my_id = entry->my_id->get_encoding(entry->my_id);
829 other_id = entry->other_id->get_encoding(entry->other_id);
830 family = entry->other->get_family(entry->other);
831 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
832 segment = row & this->segment_mask;
833 lock = this->connected_peers_segments[segment].lock;
834 lock->write_lock(lock);
835 item = this->connected_peers_table[row];
836 while (item)
837 {
838 connected_peers = item->value;
839
840 if (connected_peers_match(connected_peers, entry->my_id,
841 entry->other_id, family))
842 {
843 if (connected_peers->sas->find_first(connected_peers->sas,
844 (linked_list_match_t)entry->ike_sa_id->equals,
845 NULL, entry->ike_sa_id) == SUCCESS)
846 {
847 lock->unlock(lock);
848 return;
849 }
850 break;
851 }
852 item = item->next;
853 }
854
855 if (!item)
856 {
857 INIT(connected_peers,
858 .my_id = entry->my_id->clone(entry->my_id),
859 .other_id = entry->other_id->clone(entry->other_id),
860 .family = family,
861 .sas = linked_list_create(),
862 );
863 INIT(item,
864 .value = connected_peers,
865 .next = this->connected_peers_table[row],
866 );
867 this->connected_peers_table[row] = item;
868 }
869 connected_peers->sas->insert_last(connected_peers->sas,
870 entry->ike_sa_id->clone(entry->ike_sa_id));
871 this->connected_peers_segments[segment].count++;
872 lock->unlock(lock);
873 }
874
875 /**
876 * Remove an SA between two peers from the hash table.
877 */
878 static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry)
879 {
880 table_item_t *item, *prev = NULL;
881 u_int row, segment;
882 rwlock_t *lock;
883 chunk_t my_id, other_id;
884 int family;
885
886 my_id = entry->my_id->get_encoding(entry->my_id);
887 other_id = entry->other_id->get_encoding(entry->other_id);
888 family = entry->other->get_family(entry->other);
889
890 row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask;
891 segment = row & this->segment_mask;
892
893 lock = this->connected_peers_segments[segment].lock;
894 lock->write_lock(lock);
895 item = this->connected_peers_table[row];
896 while (item)
897 {
898 connected_peers_t *current = item->value;
899
900 if (connected_peers_match(current, entry->my_id, entry->other_id,
901 family))
902 {
903 enumerator_t *enumerator;
904 ike_sa_id_t *ike_sa_id;
905
906 enumerator = current->sas->create_enumerator(current->sas);
907 while (enumerator->enumerate(enumerator, &ike_sa_id))
908 {
909 if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id))
910 {
911 current->sas->remove_at(current->sas, enumerator);
912 ike_sa_id->destroy(ike_sa_id);
913 this->connected_peers_segments[segment].count--;
914 break;
915 }
916 }
917 enumerator->destroy(enumerator);
918 if (current->sas->get_count(current->sas) == 0)
919 {
920 if (prev)
921 {
922 prev->next = item->next;
923 }
924 else
925 {
926 this->connected_peers_table[row] = item->next;
927 }
928 connected_peers_destroy(current);
929 free(item);
930 }
931 break;
932 }
933 prev = item;
934 item = item->next;
935 }
936 lock->unlock(lock);
937 }
938
939 /**
940 * Get a random SPI for new IKE_SAs
941 */
942 static u_int64_t get_spi(private_ike_sa_manager_t *this)
943 {
944 u_int64_t spi;
945
946 if (this->rng &&
947 this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi))
948 {
949 return spi;
950 }
951 return 0;
952 }
953
954 /**
955 * Calculate the hash of the initial IKE message. Memory for the hash is
956 * allocated on success.
957 *
958 * @returns TRUE on success
959 */
960 static bool get_init_hash(hasher_t *hasher, message_t *message, chunk_t *hash)
961 {
962 host_t *src;
963
964 if (message->get_first_payload_type(message) == PLV1_FRAGMENT)
965 { /* only hash the source IP, port and SPI for fragmented init messages */
966 u_int16_t port;
967 u_int64_t spi;
968
969 src = message->get_source(message);
970 if (!hasher->allocate_hash(hasher, src->get_address(src), NULL))
971 {
972 return FALSE;
973 }
974 port = src->get_port(src);
975 if (!hasher->allocate_hash(hasher, chunk_from_thing(port), NULL))
976 {
977 return FALSE;
978 }
979 spi = message->get_initiator_spi(message);
980 return hasher->allocate_hash(hasher, chunk_from_thing(spi), hash);
981 }
982 if (message->get_exchange_type(message) == ID_PROT)
983 { /* include the source for Main Mode as the hash will be the same if
984 * SPIs are reused by two initiators that use the same proposal */
985 src = message->get_source(message);
986
987 if (!hasher->allocate_hash(hasher, src->get_address(src), NULL))
988 {
989 return FALSE;
990 }
991 }
992 return hasher->allocate_hash(hasher, message->get_packet_data(message), hash);
993 }
994
995 /**
996 * Check if we already have created an IKE_SA based on the initial IKE message
997 * with the given hash.
998 * If not the hash is stored, the hash data is not(!) cloned.
999 *
1000 * Also, the local SPI is returned. In case of a retransmit this is already
1001 * stored together with the hash, otherwise it is newly allocated and should
1002 * be used to create the IKE_SA.
1003 *
1004 * @returns ALREADY_DONE if the message with the given hash has been seen before
1005 * NOT_FOUND if the message hash was not found
1006 * FAILED if the SPI allocation failed
1007 */
1008 static status_t check_and_put_init_hash(private_ike_sa_manager_t *this,
1009 chunk_t init_hash, u_int64_t *our_spi)
1010 {
1011 table_item_t *item;
1012 u_int row, segment;
1013 mutex_t *mutex;
1014 init_hash_t *init;
1015 u_int64_t spi;
1016
1017 row = chunk_hash(init_hash) & this->table_mask;
1018 segment = row & this->segment_mask;
1019 mutex = this->init_hashes_segments[segment].mutex;
1020 mutex->lock(mutex);
1021 item = this->init_hashes_table[row];
1022 while (item)
1023 {
1024 init_hash_t *current = item->value;
1025
1026 if (chunk_equals(init_hash, current->hash))
1027 {
1028 *our_spi = current->our_spi;
1029 mutex->unlock(mutex);
1030 return ALREADY_DONE;
1031 }
1032 item = item->next;
1033 }
1034
1035 spi = get_spi(this);
1036 if (!spi)
1037 {
1038 return FAILED;
1039 }
1040
1041 INIT(init,
1042 .hash = {
1043 .len = init_hash.len,
1044 .ptr = init_hash.ptr,
1045 },
1046 .our_spi = spi,
1047 );
1048 INIT(item,
1049 .value = init,
1050 .next = this->init_hashes_table[row],
1051 );
1052 this->init_hashes_table[row] = item;
1053 *our_spi = init->our_spi;
1054 mutex->unlock(mutex);
1055 return NOT_FOUND;
1056 }
1057
1058 /**
1059 * Remove the hash of an initial IKE message from the cache.
1060 */
1061 static void remove_init_hash(private_ike_sa_manager_t *this, chunk_t init_hash)
1062 {
1063 table_item_t *item, *prev = NULL;
1064 u_int row, segment;
1065 mutex_t *mutex;
1066
1067 row = chunk_hash(init_hash) & this->table_mask;
1068 segment = row & this->segment_mask;
1069 mutex = this->init_hashes_segments[segment].mutex;
1070 mutex->lock(mutex);
1071 item = this->init_hashes_table[row];
1072 while (item)
1073 {
1074 init_hash_t *current = item->value;
1075
1076 if (chunk_equals(init_hash, current->hash))
1077 {
1078 if (prev)
1079 {
1080 prev->next = item->next;
1081 }
1082 else
1083 {
1084 this->init_hashes_table[row] = item->next;
1085 }
1086 free(current);
1087 free(item);
1088 break;
1089 }
1090 prev = item;
1091 item = item->next;
1092 }
1093 mutex->unlock(mutex);
1094 }
1095
1096 METHOD(ike_sa_manager_t, checkout, ike_sa_t*,
1097 private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
1098 {
1099 ike_sa_t *ike_sa = NULL;
1100 entry_t *entry;
1101 u_int segment;
1102
1103 DBG2(DBG_MGR, "checkout IKE_SA");
1104
1105 if (get_entry_by_id(this, ike_sa_id, &entry, &segment) == SUCCESS)
1106 {
1107 if (wait_for_entry(this, entry, segment))
1108 {
1109 entry->checked_out = TRUE;
1110 ike_sa = entry->ike_sa;
1111 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1112 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1113 }
1114 unlock_single_segment(this, segment);
1115 }
1116 charon->bus->set_sa(charon->bus, ike_sa);
1117 return ike_sa;
1118 }
1119
1120 METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*,
1121 private_ike_sa_manager_t* this, ike_version_t version, bool initiator)
1122 {
1123 ike_sa_id_t *ike_sa_id;
1124 ike_sa_t *ike_sa;
1125 u_int8_t ike_version;
1126 u_int64_t spi;
1127
1128 ike_version = version == IKEV1 ? IKEV1_MAJOR_VERSION : IKEV2_MAJOR_VERSION;
1129
1130 spi = get_spi(this);
1131 if (!spi)
1132 {
1133 DBG1(DBG_MGR, "failed to allocate SPI for new IKE_SA");
1134 return NULL;
1135 }
1136
1137 if (initiator)
1138 {
1139 ike_sa_id = ike_sa_id_create(ike_version, spi, 0, TRUE);
1140 }
1141 else
1142 {
1143 ike_sa_id = ike_sa_id_create(ike_version, 0, spi, FALSE);
1144 }
1145 ike_sa = ike_sa_create(ike_sa_id, initiator, version);
1146 ike_sa_id->destroy(ike_sa_id);
1147
1148 if (ike_sa)
1149 {
1150 DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1151 ike_sa->get_unique_id(ike_sa));
1152 }
1153 return ike_sa;
1154 }
1155
1156 /**
1157 * Get the message ID or message hash to detect early retransmissions
1158 */
1159 static u_int32_t get_message_id_or_hash(message_t *message)
1160 {
1161 /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */
1162 if (message->get_major_version(message) == IKEV1_MAJOR_VERSION &&
1163 message->get_message_id(message) == 0)
1164 {
1165 return chunk_hash(message->get_packet_data(message));
1166 }
1167 return message->get_message_id(message);
1168 }
1169
1170 METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*,
1171 private_ike_sa_manager_t* this, message_t *message)
1172 {
1173 u_int segment;
1174 entry_t *entry;
1175 ike_sa_t *ike_sa = NULL;
1176 ike_sa_id_t *id;
1177 ike_version_t ike_version;
1178 bool is_init = FALSE;
1179
1180 id = message->get_ike_sa_id(message);
1181 /* clone the IKE_SA ID so we can modify the initiator flag */
1182 id = id->clone(id);
1183 id->switch_initiator(id);
1184
1185 DBG2(DBG_MGR, "checkout IKE_SA by message");
1186
1187 if (id->get_responder_spi(id) == 0)
1188 {
1189 if (message->get_major_version(message) == IKEV2_MAJOR_VERSION)
1190 {
1191 if (message->get_exchange_type(message) == IKE_SA_INIT &&
1192 message->get_request(message))
1193 {
1194 ike_version = IKEV2;
1195 is_init = TRUE;
1196 }
1197 }
1198 else
1199 {
1200 if (message->get_exchange_type(message) == ID_PROT ||
1201 message->get_exchange_type(message) == AGGRESSIVE)
1202 {
1203 ike_version = IKEV1;
1204 is_init = TRUE;
1205 if (id->is_initiator(id))
1206 { /* not set in IKEv1, switch back before applying to new SA */
1207 id->switch_initiator(id);
1208 }
1209 }
1210 }
1211 }
1212
1213 if (is_init)
1214 {
1215 hasher_t *hasher;
1216 u_int64_t our_spi;
1217 chunk_t hash;
1218
1219 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
1220 if (!hasher || !get_init_hash(hasher, message, &hash))
1221 {
1222 DBG1(DBG_MGR, "ignoring message, failed to hash message");
1223 DESTROY_IF(hasher);
1224 id->destroy(id);
1225 return NULL;
1226 }
1227 hasher->destroy(hasher);
1228
1229 /* ensure this is not a retransmit of an already handled init message */
1230 switch (check_and_put_init_hash(this, hash, &our_spi))
1231 {
1232 case NOT_FOUND:
1233 { /* we've not seen this packet yet, create a new IKE_SA */
1234 if (!this->ikesa_limit ||
1235 this->public.get_count(&this->public) < this->ikesa_limit)
1236 {
1237 id->set_responder_spi(id, our_spi);
1238 ike_sa = ike_sa_create(id, FALSE, ike_version);
1239 if (ike_sa)
1240 {
1241 entry = entry_create();
1242 entry->ike_sa = ike_sa;
1243 entry->ike_sa_id = id;
1244
1245 segment = put_entry(this, entry);
1246 entry->checked_out = TRUE;
1247 unlock_single_segment(this, segment);
1248
1249 entry->processing = get_message_id_or_hash(message);
1250 entry->init_hash = hash;
1251
1252 DBG2(DBG_MGR, "created IKE_SA %s[%u]",
1253 ike_sa->get_name(ike_sa),
1254 ike_sa->get_unique_id(ike_sa));
1255
1256 charon->bus->set_sa(charon->bus, ike_sa);
1257 return ike_sa;
1258 }
1259 else
1260 {
1261 DBG1(DBG_MGR, "creating IKE_SA failed, ignoring message");
1262 }
1263 }
1264 else
1265 {
1266 DBG1(DBG_MGR, "ignoring %N, hitting IKE_SA limit (%u)",
1267 exchange_type_names, message->get_exchange_type(message),
1268 this->ikesa_limit);
1269 }
1270 remove_init_hash(this, hash);
1271 chunk_free(&hash);
1272 id->destroy(id);
1273 return NULL;
1274 }
1275 case FAILED:
1276 { /* we failed to allocate an SPI */
1277 chunk_free(&hash);
1278 id->destroy(id);
1279 DBG1(DBG_MGR, "ignoring message, failed to allocate SPI");
1280 return NULL;
1281 }
1282 case ALREADY_DONE:
1283 default:
1284 break;
1285 }
1286 /* it looks like we already handled this init message to some degree */
1287 id->set_responder_spi(id, our_spi);
1288 chunk_free(&hash);
1289 }
1290
1291 if (get_entry_by_id(this, id, &entry, &segment) == SUCCESS)
1292 {
1293 /* only check out if we are not already processing it. */
1294 if (entry->processing == get_message_id_or_hash(message))
1295 {
1296 DBG1(DBG_MGR, "ignoring request with ID %u, already processing",
1297 entry->processing);
1298 }
1299 else if (wait_for_entry(this, entry, segment))
1300 {
1301 ike_sa_id_t *ike_id;
1302
1303 ike_id = entry->ike_sa->get_id(entry->ike_sa);
1304 entry->checked_out = TRUE;
1305 if (message->get_first_payload_type(message) != PLV1_FRAGMENT &&
1306 message->get_first_payload_type(message) != PLV2_FRAGMENT)
1307 { /* TODO-FRAG: this fails if there are unencrypted payloads */
1308 entry->processing = get_message_id_or_hash(message);
1309 }
1310 if (ike_id->get_responder_spi(ike_id) == 0)
1311 {
1312 ike_id->set_responder_spi(ike_id, id->get_responder_spi(id));
1313 }
1314 ike_sa = entry->ike_sa;
1315 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1316 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1317 }
1318 unlock_single_segment(this, segment);
1319 }
1320 else
1321 {
1322 charon->bus->alert(charon->bus, ALERT_INVALID_IKE_SPI, message);
1323 }
1324 id->destroy(id);
1325 charon->bus->set_sa(charon->bus, ike_sa);
1326 return ike_sa;
1327 }
1328
1329 METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*,
1330 private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg)
1331 {
1332 enumerator_t *enumerator;
1333 entry_t *entry;
1334 ike_sa_t *ike_sa = NULL;
1335 peer_cfg_t *current_peer;
1336 ike_cfg_t *current_ike;
1337 u_int segment;
1338
1339 DBG2(DBG_MGR, "checkout IKE_SA by config");
1340
1341 if (!this->reuse_ikesa)
1342 { /* IKE_SA reuse disable by config */
1343 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1344 charon->bus->set_sa(charon->bus, ike_sa);
1345 return ike_sa;
1346 }
1347
1348 enumerator = create_table_enumerator(this);
1349 while (enumerator->enumerate(enumerator, &entry, &segment))
1350 {
1351 if (!wait_for_entry(this, entry, segment))
1352 {
1353 continue;
1354 }
1355 if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING)
1356 { /* skip IKE_SAs which are not usable */
1357 continue;
1358 }
1359
1360 current_peer = entry->ike_sa->get_peer_cfg(entry->ike_sa);
1361 if (current_peer && current_peer->equals(current_peer, peer_cfg))
1362 {
1363 current_ike = current_peer->get_ike_cfg(current_peer);
1364 if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg)))
1365 {
1366 entry->checked_out = TRUE;
1367 ike_sa = entry->ike_sa;
1368 DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config",
1369 ike_sa->get_unique_id(ike_sa),
1370 current_peer->get_name(current_peer));
1371 break;
1372 }
1373 }
1374 }
1375 enumerator->destroy(enumerator);
1376
1377 if (!ike_sa)
1378 { /* no IKE_SA using such a config, hand out a new */
1379 ike_sa = checkout_new(this, peer_cfg->get_ike_version(peer_cfg), TRUE);
1380 }
1381 charon->bus->set_sa(charon->bus, ike_sa);
1382 return ike_sa;
1383 }
1384
1385 METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*,
1386 private_ike_sa_manager_t *this, u_int32_t id)
1387 {
1388 enumerator_t *enumerator;
1389 entry_t *entry;
1390 ike_sa_t *ike_sa = NULL;
1391 u_int segment;
1392
1393 DBG2(DBG_MGR, "checkout IKE_SA by ID %u", id);
1394
1395 enumerator = create_table_enumerator(this);
1396 while (enumerator->enumerate(enumerator, &entry, &segment))
1397 {
1398 if (wait_for_entry(this, entry, segment))
1399 {
1400 if (entry->ike_sa->get_unique_id(entry->ike_sa) == id)
1401 {
1402 ike_sa = entry->ike_sa;
1403 entry->checked_out = TRUE;
1404 break;
1405 }
1406 }
1407 }
1408 enumerator->destroy(enumerator);
1409
1410 if (ike_sa)
1411 {
1412 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1413 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1414 }
1415 charon->bus->set_sa(charon->bus, ike_sa);
1416 return ike_sa;
1417 }
1418
1419 METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*,
1420 private_ike_sa_manager_t *this, char *name, bool child)
1421 {
1422 enumerator_t *enumerator, *children;
1423 entry_t *entry;
1424 ike_sa_t *ike_sa = NULL;
1425 child_sa_t *child_sa;
1426 u_int segment;
1427
1428 enumerator = create_table_enumerator(this);
1429 while (enumerator->enumerate(enumerator, &entry, &segment))
1430 {
1431 if (wait_for_entry(this, entry, segment))
1432 {
1433 /* look for a child with such a policy name ... */
1434 if (child)
1435 {
1436 children = entry->ike_sa->create_child_sa_enumerator(entry->ike_sa);
1437 while (children->enumerate(children, (void**)&child_sa))
1438 {
1439 if (streq(child_sa->get_name(child_sa), name))
1440 {
1441 ike_sa = entry->ike_sa;
1442 break;
1443 }
1444 }
1445 children->destroy(children);
1446 }
1447 else /* ... or for a IKE_SA with such a connection name */
1448 {
1449 if (streq(entry->ike_sa->get_name(entry->ike_sa), name))
1450 {
1451 ike_sa = entry->ike_sa;
1452 }
1453 }
1454 /* got one, return */
1455 if (ike_sa)
1456 {
1457 entry->checked_out = TRUE;
1458 DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out",
1459 ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa));
1460 break;
1461 }
1462 }
1463 }
1464 enumerator->destroy(enumerator);
1465
1466 charon->bus->set_sa(charon->bus, ike_sa);
1467 return ike_sa;
1468 }
1469
1470 /**
1471 * enumerator filter function, waiting variant
1472 */
1473 static bool enumerator_filter_wait(private_ike_sa_manager_t *this,
1474 entry_t **in, ike_sa_t **out, u_int *segment)
1475 {
1476 if (wait_for_entry(this, *in, *segment))
1477 {
1478 *out = (*in)->ike_sa;
1479 charon->bus->set_sa(charon->bus, *out);
1480 return TRUE;
1481 }
1482 return FALSE;
1483 }
1484
1485 /**
1486 * enumerator filter function, skipping variant
1487 */
1488 static bool enumerator_filter_skip(private_ike_sa_manager_t *this,
1489 entry_t **in, ike_sa_t **out, u_int *segment)
1490 {
1491 if (!(*in)->driveout_new_threads &&
1492 !(*in)->driveout_waiting_threads &&
1493 !(*in)->checked_out)
1494 {
1495 *out = (*in)->ike_sa;
1496 charon->bus->set_sa(charon->bus, *out);
1497 return TRUE;
1498 }
1499 return FALSE;
1500 }
1501
1502 /**
1503 * Reset threads SA after enumeration
1504 */
1505 static void reset_sa(void *data)
1506 {
1507 charon->bus->set_sa(charon->bus, NULL);
1508 }
1509
1510 METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*,
1511 private_ike_sa_manager_t* this, bool wait)
1512 {
1513 return enumerator_create_filter(create_table_enumerator(this),
1514 wait ? (void*)enumerator_filter_wait : (void*)enumerator_filter_skip,
1515 this, reset_sa);
1516 }
1517
1518 METHOD(ike_sa_manager_t, checkin, void,
1519 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1520 {
1521 /* to check the SA back in, we look for the pointer of the ike_sa
1522 * in all entries.
1523 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
1524 * on reception of a IKE_SA_INIT response) the lookup will work but
1525 * updating of the SPI MAY be necessary...
1526 */
1527 entry_t *entry;
1528 ike_sa_id_t *ike_sa_id;
1529 host_t *other;
1530 identification_t *my_id, *other_id;
1531 u_int segment;
1532
1533 ike_sa_id = ike_sa->get_id(ike_sa);
1534 my_id = ike_sa->get_my_id(ike_sa);
1535 other_id = ike_sa->get_other_eap_id(ike_sa);
1536 other = ike_sa->get_other_host(ike_sa);
1537
1538 DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1539 ike_sa->get_unique_id(ike_sa));
1540
1541 /* look for the entry */
1542 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1543 {
1544 /* ike_sa_id must be updated */
1545 entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
1546 /* signal waiting threads */
1547 entry->checked_out = FALSE;
1548 entry->processing = -1;
1549 /* check if this SA is half-open */
1550 if (entry->half_open && ike_sa->get_state(ike_sa) != IKE_CONNECTING)
1551 {
1552 /* not half open anymore */
1553 entry->half_open = FALSE;
1554 remove_half_open(this, entry);
1555 }
1556 else if (entry->half_open && !other->ip_equals(other, entry->other))
1557 {
1558 /* the other host's IP has changed, we must update the hash table */
1559 remove_half_open(this, entry);
1560 DESTROY_IF(entry->other);
1561 entry->other = other->clone(other);
1562 put_half_open(this, entry);
1563 }
1564 else if (!entry->half_open &&
1565 !entry->ike_sa_id->is_initiator(entry->ike_sa_id) &&
1566 ike_sa->get_state(ike_sa) == IKE_CONNECTING)
1567 {
1568 /* this is a new half-open SA */
1569 entry->half_open = TRUE;
1570 entry->other = other->clone(other);
1571 put_half_open(this, entry);
1572 }
1573 DBG2(DBG_MGR, "check-in of IKE_SA successful.");
1574 entry->condvar->signal(entry->condvar);
1575 }
1576 else
1577 {
1578 entry = entry_create();
1579 entry->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1580 entry->ike_sa = ike_sa;
1581 segment = put_entry(this, entry);
1582 }
1583
1584 /* apply identities for duplicate test */
1585 if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
1586 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
1587 entry->my_id == NULL && entry->other_id == NULL)
1588 {
1589 if (ike_sa->get_version(ike_sa) == IKEV1)
1590 {
1591 /* If authenticated and received INITIAL_CONTACT,
1592 * delete any existing IKE_SAs with that peer. */
1593 if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN))
1594 {
1595 this->public.check_uniqueness(&this->public, ike_sa, TRUE);
1596 ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE);
1597 }
1598 }
1599
1600 entry->my_id = my_id->clone(my_id);
1601 entry->other_id = other_id->clone(other_id);
1602 if (!entry->other)
1603 {
1604 entry->other = other->clone(other);
1605 }
1606 put_connected_peers(this, entry);
1607 }
1608
1609 unlock_single_segment(this, segment);
1610
1611 charon->bus->set_sa(charon->bus, NULL);
1612 }
1613
1614 METHOD(ike_sa_manager_t, checkin_and_destroy, void,
1615 private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
1616 {
1617 /* deletion is a bit complex, we must ensure that no thread is waiting for
1618 * this SA.
1619 * We take this SA from the table, and start signaling while threads
1620 * are in the condvar.
1621 */
1622 entry_t *entry;
1623 ike_sa_id_t *ike_sa_id;
1624 u_int segment;
1625
1626 ike_sa_id = ike_sa->get_id(ike_sa);
1627
1628 DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa),
1629 ike_sa->get_unique_id(ike_sa));
1630
1631 if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS)
1632 {
1633 if (entry->driveout_waiting_threads && entry->driveout_new_threads)
1634 { /* it looks like flush() has been called and the SA is being deleted
1635 * anyway, just check it in */
1636 DBG2(DBG_MGR, "ignored check-in and destroy of IKE_SA during shutdown");
1637 entry->checked_out = FALSE;
1638 entry->condvar->broadcast(entry->condvar);
1639 unlock_single_segment(this, segment);
1640 return;
1641 }
1642
1643 /* drive out waiting threads, as we are in hurry */
1644 entry->driveout_waiting_threads = TRUE;
1645 /* mark it, so no new threads can get this entry */
1646 entry->driveout_new_threads = TRUE;
1647 /* wait until all workers have done their work */
1648 while (entry->waiting_threads)
1649 {
1650 /* wake up all */
1651 entry->condvar->broadcast(entry->condvar);
1652 /* they will wake us again when their work is done */
1653 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1654 }
1655 remove_entry(this, entry);
1656 unlock_single_segment(this, segment);
1657
1658 if (entry->half_open)
1659 {
1660 remove_half_open(this, entry);
1661 }
1662 if (entry->my_id && entry->other_id)
1663 {
1664 remove_connected_peers(this, entry);
1665 }
1666 if (entry->init_hash.ptr)
1667 {
1668 remove_init_hash(this, entry->init_hash);
1669 }
1670
1671 entry_destroy(entry);
1672
1673 DBG2(DBG_MGR, "check-in and destroy of IKE_SA successful");
1674 }
1675 else
1676 {
1677 DBG1(DBG_MGR, "tried to check-in and delete nonexisting IKE_SA");
1678 ike_sa->destroy(ike_sa);
1679 }
1680 charon->bus->set_sa(charon->bus, NULL);
1681 }
1682
1683 /**
1684 * Cleanup function for create_id_enumerator
1685 */
1686 static void id_enumerator_cleanup(linked_list_t *ids)
1687 {
1688 ids->destroy_offset(ids, offsetof(ike_sa_id_t, destroy));
1689 }
1690
1691 METHOD(ike_sa_manager_t, create_id_enumerator, enumerator_t*,
1692 private_ike_sa_manager_t *this, identification_t *me,
1693 identification_t *other, int family)
1694 {
1695 table_item_t *item;
1696 u_int row, segment;
1697 rwlock_t *lock;
1698 linked_list_t *ids = NULL;
1699
1700 row = chunk_hash_inc(other->get_encoding(other),
1701 chunk_hash(me->get_encoding(me))) & this->table_mask;
1702 segment = row & this->segment_mask;
1703
1704 lock = this->connected_peers_segments[segment].lock;
1705 lock->read_lock(lock);
1706 item = this->connected_peers_table[row];
1707 while (item)
1708 {
1709 connected_peers_t *current = item->value;
1710
1711 if (connected_peers_match(current, me, other, family))
1712 {
1713 ids = current->sas->clone_offset(current->sas,
1714 offsetof(ike_sa_id_t, clone));
1715 break;
1716 }
1717 item = item->next;
1718 }
1719 lock->unlock(lock);
1720
1721 if (!ids)
1722 {
1723 return enumerator_create_empty();
1724 }
1725 return enumerator_create_cleaner(ids->create_enumerator(ids),
1726 (void*)id_enumerator_cleanup, ids);
1727 }
1728
1729 /**
1730 * Move all CHILD_SAs from old to new
1731 */
1732 static void adopt_children(ike_sa_t *old, ike_sa_t *new)
1733 {
1734 enumerator_t *enumerator;
1735 child_sa_t *child_sa;
1736
1737 enumerator = old->create_child_sa_enumerator(old);
1738 while (enumerator->enumerate(enumerator, &child_sa))
1739 {
1740 old->remove_child_sa(old, enumerator);
1741 new->add_child_sa(new, child_sa);
1742 }
1743 enumerator->destroy(enumerator);
1744 }
1745
1746 /**
1747 * Delete an existing IKE_SA due to a unique replace policy
1748 */
1749 static status_t enforce_replace(private_ike_sa_manager_t *this,
1750 ike_sa_t *duplicate, ike_sa_t *new,
1751 identification_t *other, host_t *host)
1752 {
1753 charon->bus->alert(charon->bus, ALERT_UNIQUE_REPLACE);
1754
1755 if (host->equals(host, duplicate->get_other_host(duplicate)))
1756 {
1757 /* looks like a reauthentication attempt */
1758 if (!new->has_condition(new, COND_INIT_CONTACT_SEEN))
1759 {
1760 /* IKEv1 implicitly takes over children, IKEv2 recreates them
1761 * explicitly. */
1762 adopt_children(duplicate, new);
1763 }
1764 /* For IKEv1 we have to delay the delete for the old IKE_SA. Some
1765 * peers need to complete the new SA first, otherwise the quick modes
1766 * might get lost. For IKEv2 we do the same, as we want overlapping
1767 * CHILD_SAs to keep connectivity up. */
1768 lib->scheduler->schedule_job(lib->scheduler, (job_t*)
1769 delete_ike_sa_job_create(duplicate->get_id(duplicate), TRUE), 10);
1770 return SUCCESS;
1771 }
1772 DBG1(DBG_IKE, "deleting duplicate IKE_SA for peer '%Y' due to "
1773 "uniqueness policy", other);
1774 return duplicate->delete(duplicate);
1775 }
1776
1777 METHOD(ike_sa_manager_t, check_uniqueness, bool,
1778 private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace)
1779 {
1780 bool cancel = FALSE;
1781 peer_cfg_t *peer_cfg;
1782 unique_policy_t policy;
1783 enumerator_t *enumerator;
1784 ike_sa_id_t *id = NULL;
1785 identification_t *me, *other;
1786 host_t *other_host;
1787
1788 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
1789 policy = peer_cfg->get_unique_policy(peer_cfg);
1790 if (policy == UNIQUE_NEVER || (policy == UNIQUE_NO && !force_replace))
1791 {
1792 return FALSE;
1793 }
1794 me = ike_sa->get_my_id(ike_sa);
1795 other = ike_sa->get_other_eap_id(ike_sa);
1796 other_host = ike_sa->get_other_host(ike_sa);
1797
1798 enumerator = create_id_enumerator(this, me, other,
1799 other_host->get_family(other_host));
1800 while (enumerator->enumerate(enumerator, &id))
1801 {
1802 status_t status = SUCCESS;
1803 ike_sa_t *duplicate;
1804
1805 duplicate = checkout(this, id);
1806 if (!duplicate)
1807 {
1808 continue;
1809 }
1810 if (force_replace)
1811 {
1812 DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
1813 "received INITIAL_CONTACT", other);
1814 charon->bus->ike_updown(charon->bus, duplicate, FALSE);
1815 checkin_and_destroy(this, duplicate);
1816 continue;
1817 }
1818 peer_cfg = duplicate->get_peer_cfg(duplicate);
1819 if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
1820 {
1821 switch (duplicate->get_state(duplicate))
1822 {
1823 case IKE_ESTABLISHED:
1824 case IKE_REKEYING:
1825 switch (policy)
1826 {
1827 case UNIQUE_REPLACE:
1828 status = enforce_replace(this, duplicate, ike_sa,
1829 other, other_host);
1830 break;
1831 case UNIQUE_KEEP:
1832 /* potential reauthentication? */
1833 if (!other_host->equals(other_host,
1834 duplicate->get_other_host(duplicate)))
1835 {
1836 cancel = TRUE;
1837 /* we keep the first IKE_SA and delete all
1838 * other duplicates that might exist */
1839 policy = UNIQUE_REPLACE;
1840 }
1841 break;
1842 default:
1843 break;
1844 }
1845 break;
1846 default:
1847 break;
1848 }
1849 }
1850 if (status == DESTROY_ME)
1851 {
1852 checkin_and_destroy(this, duplicate);
1853 }
1854 else
1855 {
1856 checkin(this, duplicate);
1857 }
1858 }
1859 enumerator->destroy(enumerator);
1860 /* reset thread's current IKE_SA after checkin */
1861 charon->bus->set_sa(charon->bus, ike_sa);
1862 return cancel;
1863 }
1864
1865 METHOD(ike_sa_manager_t, has_contact, bool,
1866 private_ike_sa_manager_t *this, identification_t *me,
1867 identification_t *other, int family)
1868 {
1869 table_item_t *item;
1870 u_int row, segment;
1871 rwlock_t *lock;
1872 bool found = FALSE;
1873
1874 row = chunk_hash_inc(other->get_encoding(other),
1875 chunk_hash(me->get_encoding(me))) & this->table_mask;
1876 segment = row & this->segment_mask;
1877 lock = this->connected_peers_segments[segment].lock;
1878 lock->read_lock(lock);
1879 item = this->connected_peers_table[row];
1880 while (item)
1881 {
1882 if (connected_peers_match(item->value, me, other, family))
1883 {
1884 found = TRUE;
1885 break;
1886 }
1887 item = item->next;
1888 }
1889 lock->unlock(lock);
1890
1891 return found;
1892 }
1893
1894 METHOD(ike_sa_manager_t, get_count, u_int,
1895 private_ike_sa_manager_t *this)
1896 {
1897 u_int segment, count = 0;
1898 mutex_t *mutex;
1899
1900 for (segment = 0; segment < this->segment_count; segment++)
1901 {
1902 mutex = this->segments[segment & this->segment_mask].mutex;
1903 mutex->lock(mutex);
1904 count += this->segments[segment].count;
1905 mutex->unlock(mutex);
1906 }
1907 return count;
1908 }
1909
1910 METHOD(ike_sa_manager_t, get_half_open_count, u_int,
1911 private_ike_sa_manager_t *this, host_t *ip)
1912 {
1913 table_item_t *item;
1914 u_int row, segment;
1915 rwlock_t *lock;
1916 chunk_t addr;
1917 u_int count = 0;
1918
1919 if (ip)
1920 {
1921 addr = ip->get_address(ip);
1922 row = chunk_hash(addr) & this->table_mask;
1923 segment = row & this->segment_mask;
1924 lock = this->half_open_segments[segment].lock;
1925 lock->read_lock(lock);
1926 item = this->half_open_table[row];
1927 while (item)
1928 {
1929 half_open_t *half_open = item->value;
1930
1931 if (chunk_equals(addr, half_open->other))
1932 {
1933 count = half_open->count;
1934 break;
1935 }
1936 item = item->next;
1937 }
1938 lock->unlock(lock);
1939 }
1940 else
1941 {
1942 count = (u_int)ref_cur(&this->half_open_count);
1943 }
1944 return count;
1945 }
1946
1947 METHOD(ike_sa_manager_t, flush, void,
1948 private_ike_sa_manager_t *this)
1949 {
1950 /* destroy all list entries */
1951 enumerator_t *enumerator;
1952 entry_t *entry;
1953 u_int segment;
1954
1955 lock_all_segments(this);
1956 DBG2(DBG_MGR, "going to destroy IKE_SA manager and all managed IKE_SA's");
1957 /* Step 1: drive out all waiting threads */
1958 DBG2(DBG_MGR, "set driveout flags for all stored IKE_SA's");
1959 enumerator = create_table_enumerator(this);
1960 while (enumerator->enumerate(enumerator, &entry, &segment))
1961 {
1962 /* do not accept new threads, drive out waiting threads */
1963 entry->driveout_new_threads = TRUE;
1964 entry->driveout_waiting_threads = TRUE;
1965 }
1966 enumerator->destroy(enumerator);
1967 DBG2(DBG_MGR, "wait for all threads to leave IKE_SA's");
1968 /* Step 2: wait until all are gone */
1969 enumerator = create_table_enumerator(this);
1970 while (enumerator->enumerate(enumerator, &entry, &segment))
1971 {
1972 while (entry->waiting_threads || entry->checked_out)
1973 {
1974 /* wake up all */
1975 entry->condvar->broadcast(entry->condvar);
1976 /* go sleeping until they are gone */
1977 entry->condvar->wait(entry->condvar, this->segments[segment].mutex);
1978 }
1979 }
1980 enumerator->destroy(enumerator);
1981 DBG2(DBG_MGR, "delete all IKE_SA's");
1982 /* Step 3: initiate deletion of all IKE_SAs */
1983 enumerator = create_table_enumerator(this);
1984 while (enumerator->enumerate(enumerator, &entry, &segment))
1985 {
1986 charon->bus->set_sa(charon->bus, entry->ike_sa);
1987 if (entry->ike_sa->get_version(entry->ike_sa) == IKEV2)
1988 { /* as the delete never gets processed, fire down events */
1989 switch (entry->ike_sa->get_state(entry->ike_sa))
1990 {
1991 case IKE_ESTABLISHED:
1992 case IKE_REKEYING:
1993 case IKE_DELETING:
1994 charon->bus->ike_updown(charon->bus, entry->ike_sa, FALSE);
1995 break;
1996 default:
1997 break;
1998 }
1999 }
2000 entry->ike_sa->delete(entry->ike_sa);
2001 }
2002 enumerator->destroy(enumerator);
2003
2004 DBG2(DBG_MGR, "destroy all entries");
2005 /* Step 4: destroy all entries */
2006 enumerator = create_table_enumerator(this);
2007 while (enumerator->enumerate(enumerator, &entry, &segment))
2008 {
2009 charon->bus->set_sa(charon->bus, entry->ike_sa);
2010 if (entry->half_open)
2011 {
2012 remove_half_open(this, entry);
2013 }
2014 if (entry->my_id && entry->other_id)
2015 {
2016 remove_connected_peers(this, entry);
2017 }
2018 if (entry->init_hash.ptr)
2019 {
2020 remove_init_hash(this, entry->init_hash);
2021 }
2022 remove_entry_at((private_enumerator_t*)enumerator);
2023 entry_destroy(entry);
2024 }
2025 enumerator->destroy(enumerator);
2026 charon->bus->set_sa(charon->bus, NULL);
2027 unlock_all_segments(this);
2028
2029 this->rng->destroy(this->rng);
2030 this->rng = NULL;
2031 }
2032
2033 METHOD(ike_sa_manager_t, destroy, void,
2034 private_ike_sa_manager_t *this)
2035 {
2036 u_int i;
2037
2038 /* these are already cleared in flush() above */
2039 free(this->ike_sa_table);
2040 free(this->half_open_table);
2041 free(this->connected_peers_table);
2042 free(this->init_hashes_table);
2043 for (i = 0; i < this->segment_count; i++)
2044 {
2045 this->segments[i].mutex->destroy(this->segments[i].mutex);
2046 this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock);
2047 this->connected_peers_segments[i].lock->destroy(this->connected_peers_segments[i].lock);
2048 this->init_hashes_segments[i].mutex->destroy(this->init_hashes_segments[i].mutex);
2049 }
2050 free(this->segments);
2051 free(this->half_open_segments);
2052 free(this->connected_peers_segments);
2053 free(this->init_hashes_segments);
2054
2055 free(this);
2056 }
2057
2058 /**
2059 * This function returns the next-highest power of two for the given number.
2060 * The algorithm works by setting all bits on the right-hand side of the most
2061 * significant 1 to 1 and then increments the whole number so it rolls over
2062 * to the nearest power of two. Note: returns 0 for n == 0
2063 */
2064 static u_int get_nearest_powerof2(u_int n)
2065 {
2066 u_int i;
2067
2068 --n;
2069 for (i = 1; i < sizeof(u_int) * 8; i <<= 1)
2070 {
2071 n |= n >> i;
2072 }
2073 return ++n;
2074 }
2075
2076 /*
2077 * Described in header.
2078 */
2079 ike_sa_manager_t *ike_sa_manager_create()
2080 {
2081 private_ike_sa_manager_t *this;
2082 u_int i;
2083
2084 INIT(this,
2085 .public = {
2086 .checkout = _checkout,
2087 .checkout_new = _checkout_new,
2088 .checkout_by_message = _checkout_by_message,
2089 .checkout_by_config = _checkout_by_config,
2090 .checkout_by_id = _checkout_by_id,
2091 .checkout_by_name = _checkout_by_name,
2092 .check_uniqueness = _check_uniqueness,
2093 .has_contact = _has_contact,
2094 .create_enumerator = _create_enumerator,
2095 .create_id_enumerator = _create_id_enumerator,
2096 .checkin = _checkin,
2097 .checkin_and_destroy = _checkin_and_destroy,
2098 .get_count = _get_count,
2099 .get_half_open_count = _get_half_open_count,
2100 .flush = _flush,
2101 .destroy = _destroy,
2102 },
2103 );
2104
2105 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
2106 if (this->rng == NULL)
2107 {
2108 DBG1(DBG_MGR, "manager initialization failed, no RNG supported");
2109 free(this);
2110 return NULL;
2111 }
2112
2113 this->ikesa_limit = lib->settings->get_int(lib->settings,
2114 "%s.ikesa_limit", 0, lib->ns);
2115
2116 this->table_size = get_nearest_powerof2(lib->settings->get_int(
2117 lib->settings, "%s.ikesa_table_size",
2118 DEFAULT_HASHTABLE_SIZE, lib->ns));
2119 this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE));
2120 this->table_mask = this->table_size - 1;
2121
2122 this->segment_count = get_nearest_powerof2(lib->settings->get_int(
2123 lib->settings, "%s.ikesa_table_segments",
2124 DEFAULT_SEGMENT_COUNT, lib->ns));
2125 this->segment_count = max(1, min(this->segment_count, this->table_size));
2126 this->segment_mask = this->segment_count - 1;
2127
2128 this->ike_sa_table = calloc(this->table_size, sizeof(table_item_t*));
2129 this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t));
2130 for (i = 0; i < this->segment_count; i++)
2131 {
2132 this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
2133 this->segments[i].count = 0;
2134 }
2135
2136 /* we use the same table parameters for the table to track half-open SAs */
2137 this->half_open_table = calloc(this->table_size, sizeof(table_item_t*));
2138 this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
2139 for (i = 0; i < this->segment_count; i++)
2140 {
2141 this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
2142 this->half_open_segments[i].count = 0;
2143 }
2144
2145 /* also for the hash table used for duplicate tests */
2146 this->connected_peers_table = calloc(this->table_size, sizeof(table_item_t*));
2147 this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t));
2148 for (i = 0; i < this->segment_count; i++)
2149 {
2150 this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
2151 this->connected_peers_segments[i].count = 0;
2152 }
2153
2154 /* and again for the table of hashes of seen initial IKE messages */
2155 this->init_hashes_table = calloc(this->table_size, sizeof(table_item_t*));
2156 this->init_hashes_segments = calloc(this->segment_count, sizeof(segment_t));
2157 for (i = 0; i < this->segment_count; i++)
2158 {
2159 this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
2160 this->init_hashes_segments[i].count = 0;
2161 }
2162
2163 this->reuse_ikesa = lib->settings->get_bool(lib->settings,
2164 "%s.reuse_ikesa", TRUE, lib->ns);
2165 return &this->public;
2166 }