projects / strongswan.git / blob
? search:


1f5d5a3b3db760122c6959a835539e7ae43f5541
[strongswan.git] / src / libipsec / ipsec_sa_mgr.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "ipsec.h"
19 #include "ipsec_sa_mgr.h"
20
21 #include <utils/debug.h>
22 #include <library.h>
23 #include <processing/jobs/callback_job.h>
24 #include <threading/condvar.h>
25 #include <threading/mutex.h>
26 #include <collections/hashtable.h>
27 #include <collections/linked_list.h>
28
29 typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t;
30
31 /**
32 * Private additions to ipsec_sa_mgr_t.
33 */
34 struct private_ipsec_sa_mgr_t {
35
36 /**
37 * Public members of ipsec_sa_mgr_t.
38 */
39 ipsec_sa_mgr_t public;
40
41 /**
42 * Installed SAs
43 */
44 linked_list_t *sas;
45
46 /**
47 * SPIs allocated using get_spi()
48 */
49 hashtable_t *allocated_spis;
50
51 /**
52 * Mutex used to synchronize access to the SA manager
53 */
54 mutex_t *mutex;
55
56 /**
57 * RNG used to generate SPIs
58 */
59 rng_t *rng;
60 };
61
62 /**
63 * Struct to keep track of locked IPsec SAs
64 */
65 typedef struct {
66
67 /**
68 * IPsec SA
69 */
70 ipsec_sa_t *sa;
71
72 /**
73 * Set if this SA is currently in use by a thread
74 */
75 bool locked;
76
77 /**
78 * Condvar used by threads to wait for this entry
79 */
80 condvar_t *condvar;
81
82 /**
83 * Number of threads waiting for this entry
84 */
85 u_int waiting_threads;
86
87 /**
88 * Set if this entry is awaiting deletion
89 */
90 bool awaits_deletion;
91
92 } ipsec_sa_entry_t;
93
94 /**
95 * Helper struct for expiration events
96 */
97 typedef struct {
98
99 /**
100 * IPsec SA manager
101 */
102 private_ipsec_sa_mgr_t *manager;
103
104 /**
105 * Entry that expired
106 */
107 ipsec_sa_entry_t *entry;
108
109 /**
110 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
111 */
112 u_int32_t hard_offset;
113
114 } ipsec_sa_expired_t;
115
116 /*
117 * Used for the hash table of allocated SPIs
118 */
119 static bool spi_equals(u_int32_t *spi, u_int32_t *other_spi)
120 {
121 return *spi == *other_spi;
122 }
123
124 static u_int spi_hash(u_int32_t *spi)
125 {
126 return chunk_hash(chunk_from_thing(*spi));
127 }
128
129 /**
130 * Create an SA entry
131 */
132 static ipsec_sa_entry_t *create_entry(ipsec_sa_t *sa)
133 {
134 ipsec_sa_entry_t *this;
135
136 INIT(this,
137 .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
138 .sa = sa,
139 );
140 return this;
141 }
142
143 /**
144 * Destroy an SA entry
145 */
146 static void destroy_entry(ipsec_sa_entry_t *entry)
147 {
148 entry->condvar->destroy(entry->condvar);
149 entry->sa->destroy(entry->sa);
150 free(entry);
151 }
152
153 /**
154 * Makes sure an entry is safe to remove
155 * Must be called with this->mutex held.
156 *
157 * @return TRUE if entry can be removed, FALSE if entry is already
158 * being removed by another thread
159 */
160 static bool wait_remove_entry(private_ipsec_sa_mgr_t *this,
161 ipsec_sa_entry_t *entry)
162 {
163 if (entry->awaits_deletion)
164 {
165 /* this will be deleted by another thread already */
166 return FALSE;
167 }
168 entry->awaits_deletion = TRUE;
169 while (entry->locked)
170 {
171 entry->condvar->wait(entry->condvar, this->mutex);
172 }
173 while (entry->waiting_threads > 0)
174 {
175 entry->condvar->broadcast(entry->condvar);
176 entry->condvar->wait(entry->condvar, this->mutex);
177 }
178 return TRUE;
179 }
180
181 /**
182 * Waits until an is available and then locks it.
183 * Must only be called with this->mutex held
184 */
185 static bool wait_for_entry(private_ipsec_sa_mgr_t *this,
186 ipsec_sa_entry_t *entry)
187 {
188 while (entry->locked && !entry->awaits_deletion)
189 {
190 entry->waiting_threads++;
191 entry->condvar->wait(entry->condvar, this->mutex);
192 entry->waiting_threads--;
193 }
194 if (entry->awaits_deletion)
195 {
196 /* others may still be waiting, */
197 entry->condvar->signal(entry->condvar);
198 return FALSE;
199 }
200 entry->locked = TRUE;
201 return TRUE;
202 }
203
204 /**
205 * Flushes all entries
206 * Must be called with this->mutex held.
207 */
208 static void flush_entries(private_ipsec_sa_mgr_t *this)
209 {
210 ipsec_sa_entry_t *current;
211 enumerator_t *enumerator;
212
213 DBG2(DBG_ESP, "flushing SAD");
214
215 enumerator = this->sas->create_enumerator(this->sas);
216 while (enumerator->enumerate(enumerator, (void**)&current))
217 {
218 if (wait_remove_entry(this, current))
219 {
220 this->sas->remove_at(this->sas, enumerator);
221 destroy_entry(current);
222 }
223 }
224 enumerator->destroy(enumerator);
225 }
226
227 /*
228 * Different match functions to find SAs in the linked list
229 */
230 static bool match_entry_by_ptr(ipsec_sa_entry_t *item, ipsec_sa_entry_t *entry)
231 {
232 return item == entry;
233 }
234
235 static bool match_entry_by_sa_ptr(ipsec_sa_entry_t *item, ipsec_sa_t *sa)
236 {
237 return item->sa == sa;
238 }
239
240 static bool match_entry_by_spi_inbound(ipsec_sa_entry_t *item, u_int32_t *spi,
241 bool *inbound)
242 {
243 return item->sa->get_spi(item->sa) == *spi &&
244 item->sa->is_inbound(item->sa) == *inbound;
245 }
246
247 static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
248 host_t *src, host_t *dst)
249 {
250 return item->sa->match_by_spi_src_dst(item->sa, *spi, src, dst);
251 }
252
253 static bool match_entry_by_reqid_inbound(ipsec_sa_entry_t *item,
254 u_int32_t *reqid, bool *inbound)
255 {
256 return item->sa->match_by_reqid(item->sa, *reqid, *inbound);
257 }
258
259 static bool match_entry_by_spi_dst(ipsec_sa_entry_t *item, u_int32_t *spi,
260 host_t *dst)
261 {
262 return item->sa->match_by_spi_dst(item->sa, *spi, dst);
263 }
264
265 /**
266 * Remove an entry
267 */
268 static bool remove_entry(private_ipsec_sa_mgr_t *this, ipsec_sa_entry_t *entry)
269 {
270 ipsec_sa_entry_t *current;
271 enumerator_t *enumerator;
272 bool removed = FALSE;
273
274 enumerator = this->sas->create_enumerator(this->sas);
275 while (enumerator->enumerate(enumerator, (void**)&current))
276 {
277 if (current == entry)
278 {
279 if (wait_remove_entry(this, current))
280 {
281 this->sas->remove_at(this->sas, enumerator);
282 removed = TRUE;
283 }
284 break;
285 }
286 }
287 enumerator->destroy(enumerator);
288 return removed;
289 }
290
291 /**
292 * Callback for expiration events
293 */
294 static job_requeue_t sa_expired(ipsec_sa_expired_t *expired)
295 {
296 private_ipsec_sa_mgr_t *this = expired->manager;
297
298 this->mutex->lock(this->mutex);
299 if (this->sas->find_first(this->sas, (void*)match_entry_by_ptr,
300 NULL, expired->entry) == SUCCESS)
301 {
302 u_int32_t hard_offset = expired->hard_offset;
303 ipsec_sa_t *sa = expired->entry->sa;
304
305 ipsec->events->expire(ipsec->events, sa->get_reqid(sa),
306 sa->get_protocol(sa), sa->get_spi(sa),
307 hard_offset == 0);
308 if (hard_offset)
309 { /* soft limit reached, schedule hard expire */
310 expired->hard_offset = 0;
311 this->mutex->unlock(this->mutex);
312 return JOB_RESCHEDULE(hard_offset);
313 }
314 /* hard limit reached */
315 if (remove_entry(this, expired->entry))
316 {
317 destroy_entry(expired->entry);
318 }
319 }
320 this->mutex->unlock(this->mutex);
321 return JOB_REQUEUE_NONE;
322 }
323
324 /**
325 * Schedule a job to handle IPsec SA expiration
326 */
327 static void schedule_expiration(private_ipsec_sa_mgr_t *this,
328 ipsec_sa_entry_t *entry)
329 {
330 lifetime_cfg_t *lifetime = entry->sa->get_lifetime(entry->sa);
331 ipsec_sa_expired_t *expired;
332 callback_job_t *job;
333 u_int32_t timeout;
334
335 INIT(expired,
336 .manager = this,
337 .entry = entry,
338 );
339
340 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
341 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
342 timeout = lifetime->time.rekey;
343
344 if (lifetime->time.life <= lifetime->time.rekey ||
345 lifetime->time.rekey == 0)
346 { /* no rekey, schedule hard timeout */
347 expired->hard_offset = 0;
348 timeout = lifetime->time.life;
349 }
350
351 job = callback_job_create((callback_job_cb_t)sa_expired, expired,
352 (callback_job_cleanup_t)free, NULL);
353 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, timeout);
354 }
355
356 /**
357 * Remove all allocated SPIs
358 */
359 static void flush_allocated_spis(private_ipsec_sa_mgr_t *this)
360 {
361 enumerator_t *enumerator;
362 u_int32_t *current;
363
364 DBG2(DBG_ESP, "flushing allocated SPIs");
365 enumerator = this->allocated_spis->create_enumerator(this->allocated_spis);
366 while (enumerator->enumerate(enumerator, NULL, (void**)&current))
367 {
368 this->allocated_spis->remove_at(this->allocated_spis, enumerator);
369 DBG2(DBG_ESP, " removed allocated SPI %.8x", ntohl(*current));
370 free(current);
371 }
372 enumerator->destroy(enumerator);
373 }
374
375 /**
376 * Pre-allocate an SPI for an inbound SA
377 */
378 static bool allocate_spi(private_ipsec_sa_mgr_t *this, u_int32_t spi)
379 {
380 u_int32_t *spi_alloc;
381
382 if (this->allocated_spis->get(this->allocated_spis, &spi) ||
383 this->sas->find_first(this->sas, (void*)match_entry_by_spi_inbound,
384 NULL, &spi, TRUE) == SUCCESS)
385 {
386 return FALSE;
387 }
388 spi_alloc = malloc_thing(u_int32_t);
389 *spi_alloc = spi;
390 this->allocated_spis->put(this->allocated_spis, spi_alloc, spi_alloc);
391 return TRUE;
392 }
393
394 METHOD(ipsec_sa_mgr_t, get_spi, status_t,
395 private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int8_t protocol,
396 u_int32_t reqid, u_int32_t *spi)
397 {
398 u_int32_t spi_new;
399
400 DBG2(DBG_ESP, "allocating SPI for reqid {%u}", reqid);
401
402 this->mutex->lock(this->mutex);
403 if (!this->rng)
404 {
405 this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
406 if (!this->rng)
407 {
408 this->mutex->unlock(this->mutex);
409 DBG1(DBG_ESP, "failed to create RNG for SPI generation");
410 return FAILED;
411 }
412 }
413
414 do
415 {
416 if (!this->rng->get_bytes(this->rng, sizeof(spi_new),
417 (u_int8_t*)&spi_new))
418 {
419 this->mutex->unlock(this->mutex);
420 DBG1(DBG_ESP, "failed to allocate SPI for reqid {%u}", reqid);
421 return FAILED;
422 }
423 /* make sure the SPI is valid (not in range 0-255) */
424 spi_new |= 0x00000100;
425 spi_new = htonl(spi_new);
426 }
427 while (!allocate_spi(this, spi_new));
428 this->mutex->unlock(this->mutex);
429
430 *spi = spi_new;
431
432 DBG2(DBG_ESP, "allocated SPI %.8x for reqid {%u}", ntohl(*spi), reqid);
433 return SUCCESS;
434 }
435
436 METHOD(ipsec_sa_mgr_t, add_sa, status_t,
437 private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
438 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
439 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
440 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
441 u_int16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
442 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
443 {
444 ipsec_sa_entry_t *entry;
445 ipsec_sa_t *sa_new;
446
447 DBG2(DBG_ESP, "adding SAD entry with SPI %.8x and reqid {%u}",
448 ntohl(spi), reqid);
449 DBG2(DBG_ESP, " using encryption algorithm %N with key size %d",
450 encryption_algorithm_names, enc_alg, enc_key.len * 8);
451 DBG2(DBG_ESP, " using integrity algorithm %N with key size %d",
452 integrity_algorithm_names, int_alg, int_key.len * 8);
453
454 sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc,
455 lifetime, enc_alg, enc_key, int_alg, int_key, mode,
456 ipcomp, cpi, encap, esn, inbound, src_ts, dst_ts);
457 if (!sa_new)
458 {
459 DBG1(DBG_ESP, "failed to create SAD entry");
460 return FAILED;
461 }
462
463 this->mutex->lock(this->mutex);
464
465 if (inbound)
466 { /* remove any pre-allocated SPIs */
467 u_int32_t *spi_alloc;
468
469 spi_alloc = this->allocated_spis->remove(this->allocated_spis, &spi);
470 free(spi_alloc);
471 }
472
473 if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
474 NULL, &spi, src, dst) == SUCCESS)
475 {
476 this->mutex->unlock(this->mutex);
477 DBG1(DBG_ESP, "failed to install SAD entry: already installed");
478 sa_new->destroy(sa_new);
479 return FAILED;
480 }
481
482 entry = create_entry(sa_new);
483 schedule_expiration(this, entry);
484 this->sas->insert_last(this->sas, entry);
485
486 this->mutex->unlock(this->mutex);
487 return SUCCESS;
488 }
489
490 METHOD(ipsec_sa_mgr_t, update_sa, status_t,
491 private_ipsec_sa_mgr_t *this, u_int32_t spi, u_int8_t protocol,
492 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
493 bool encap, bool new_encap, mark_t mark)
494 {
495 ipsec_sa_entry_t *entry = NULL;
496
497 DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
498 ntohl(spi), src, dst, new_src, new_dst);
499
500 if (!new_encap)
501 {
502 DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
503 "encapsulation");
504 return NOT_SUPPORTED;
505 }
506
507 this->mutex->lock(this->mutex);
508 if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_src_dst,
509 (void**)&entry, &spi, src, dst) == SUCCESS &&
510 wait_for_entry(this, entry))
511 {
512 entry->sa->set_source(entry->sa, new_src);
513 entry->sa->set_destination(entry->sa, new_dst);
514 /* checkin the entry */
515 entry->locked = FALSE;
516 entry->condvar->signal(entry->condvar);
517 }
518 this->mutex->unlock(this->mutex);
519
520 if (!entry)
521 {
522 DBG1(DBG_ESP, "failed to update SAD entry: not found");
523 return FAILED;
524 }
525 return SUCCESS;
526 }
527
528 METHOD(ipsec_sa_mgr_t, del_sa, status_t,
529 private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, u_int32_t spi,
530 u_int8_t protocol, u_int16_t cpi, mark_t mark)
531 {
532 ipsec_sa_entry_t *current, *found = NULL;
533 enumerator_t *enumerator;
534
535 this->mutex->lock(this->mutex);
536 enumerator = this->sas->create_enumerator(this->sas);
537 while (enumerator->enumerate(enumerator, (void**)&current))
538 {
539 if (match_entry_by_spi_src_dst(current, &spi, src, dst))
540 {
541 if (wait_remove_entry(this, current))
542 {
543 this->sas->remove_at(this->sas, enumerator);
544 found = current;
545 }
546 break;
547 }
548 }
549 enumerator->destroy(enumerator);
550 this->mutex->unlock(this->mutex);
551
552 if (found)
553 {
554 DBG2(DBG_ESP, "deleted %sbound SAD entry with SPI %.8x",
555 found->sa->is_inbound(found->sa) ? "in" : "out", ntohl(spi));
556 destroy_entry(found);
557 return SUCCESS;
558 }
559 return FAILED;
560 }
561
562 METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*,
563 private_ipsec_sa_mgr_t *this, u_int32_t reqid, bool inbound)
564 {
565 ipsec_sa_entry_t *entry;
566 ipsec_sa_t *sa = NULL;
567
568 this->mutex->lock(this->mutex);
569 if (this->sas->find_first(this->sas, (void*)match_entry_by_reqid_inbound,
570 (void**)&entry, &reqid, &inbound) == SUCCESS &&
571 wait_for_entry(this, entry))
572 {
573 sa = entry->sa;
574 }
575 this->mutex->unlock(this->mutex);
576 return sa;
577 }
578
579 METHOD(ipsec_sa_mgr_t, checkout_by_spi, ipsec_sa_t*,
580 private_ipsec_sa_mgr_t *this, u_int32_t spi, host_t *dst)
581 {
582 ipsec_sa_entry_t *entry;
583 ipsec_sa_t *sa = NULL;
584
585 this->mutex->lock(this->mutex);
586 if (this->sas->find_first(this->sas, (void*)match_entry_by_spi_dst,
587 (void**)&entry, &spi, dst) == SUCCESS &&
588 wait_for_entry(this, entry))
589 {
590 sa = entry->sa;
591 }
592 this->mutex->unlock(this->mutex);
593 return sa;
594 }
595
596 METHOD(ipsec_sa_mgr_t, checkin, void,
597 private_ipsec_sa_mgr_t *this, ipsec_sa_t *sa)
598 {
599 ipsec_sa_entry_t *entry;
600
601 this->mutex->lock(this->mutex);
602 if (this->sas->find_first(this->sas, (void*)match_entry_by_sa_ptr,
603 (void**)&entry, sa) == SUCCESS)
604 {
605 if (entry->locked)
606 {
607 entry->locked = FALSE;
608 entry->condvar->signal(entry->condvar);
609 }
610 }
611 this->mutex->unlock(this->mutex);
612 }
613
614 METHOD(ipsec_sa_mgr_t, flush_sas, status_t,
615 private_ipsec_sa_mgr_t *this)
616 {
617 this->mutex->lock(this->mutex);
618 flush_entries(this);
619 this->mutex->unlock(this->mutex);
620 return SUCCESS;
621 }
622
623 METHOD(ipsec_sa_mgr_t, destroy, void,
624 private_ipsec_sa_mgr_t *this)
625 {
626 this->mutex->lock(this->mutex);
627 flush_entries(this);
628 flush_allocated_spis(this);
629 this->mutex->unlock(this->mutex);
630
631 this->allocated_spis->destroy(this->allocated_spis);
632 this->sas->destroy(this->sas);
633
634 this->mutex->destroy(this->mutex);
635 DESTROY_IF(this->rng);
636 free(this);
637 }
638
639 /**
640 * Described in header.
641 */
642 ipsec_sa_mgr_t *ipsec_sa_mgr_create()
643 {
644 private_ipsec_sa_mgr_t *this;
645
646 INIT(this,
647 .public = {
648 .get_spi = _get_spi,
649 .add_sa = _add_sa,
650 .update_sa = _update_sa,
651 .del_sa = _del_sa,
652 .checkout_by_spi = _checkout_by_spi,
653 .checkout_by_reqid = _checkout_by_reqid,
654 .checkin = _checkin,
655 .flush_sas = _flush_sas,
656 .destroy = _destroy,
657 },
658 .sas = linked_list_create(),
659 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
660 .allocated_spis = hashtable_create((hashtable_hash_t)spi_hash,
661 (hashtable_equals_t)spi_equals, 16),
662 );
663
664 return &this->public;
665 }
strongSwan - IPsec VPN