- reimplemented proper IKE SA deletion using a seperate state,
authorMartin Willi <martin@strongswan.org>
Tue, 23 May 2006 08:01:49 +0000 (08:01 -0000)
committerMartin Willi <martin@strongswan.org>
Tue, 23 May 2006 08:01:49 +0000 (08:01 -0000)
  should conform now to IKEv2

23 files changed:
src/charon/Makefile.am
src/charon/encoding/message.c
src/charon/encoding/payloads/encryption_payload.c
src/charon/sa/ike_sa.c
src/charon/sa/ike_sa.h
src/charon/sa/ike_sa_manager.c
src/charon/sa/ike_sa_manager.h
src/charon/sa/states/delete_requested.c [new file with mode: 0644]
src/charon/sa/states/delete_requested.h [new file with mode: 0644]
src/charon/sa/states/ike_auth_requested.c
src/charon/sa/states/ike_sa_established.c
src/charon/sa/states/ike_sa_init_requested.c
src/charon/sa/states/ike_sa_init_responded.c
src/charon/sa/states/initiator_init.c
src/charon/sa/states/initiator_init.h
src/charon/sa/states/responder_init.c
src/charon/sa/states/state.c
src/charon/sa/states/state.h
src/charon/threads/thread_pool.c
src/libstrongswan/types.c
src/libstrongswan/types.h
src/starter/starter.c
src/starter/starterstroke.c

index fa8b322..3db6ae4 100644 (file)
@@ -11,6 +11,7 @@ sa/states/state.c sa/states/state.h sa/states/ike_sa_init_requested.c sa/states/
 sa/states/ike_sa_init_responded.c sa/states/ike_sa_established.c sa/states/ike_sa_established.h \
 sa/states/responder_init.c sa/states/responder_init.h sa/states/initiator_init.c sa/states/initiator_init.h \
 sa/states/ike_sa_init_responded.h sa/states/ike_auth_requested.c sa/states/ike_auth_requested.h \
+sa/states/delete_requested.h sa/states/delete_requested.c \
 sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \
 sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \
 encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \
index a573152..9875a3d 100644 (file)
@@ -941,7 +941,7 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                                iterator->destroy(iterator);
                                return FAILED;
                        }
-                       /* decrypt */                   
+                       /* decrypt */
                        encryption_payload->set_transforms(encryption_payload, crypter, signer);
                        this->logger->log(this->logger, CONTROL | LEVEL1, "Verify signature of encryption payload");
                        status = encryption_payload->verify_signature(encryption_payload, this->packet->get_data(this->packet));
@@ -955,8 +955,9 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                        status = encryption_payload->decrypt(encryption_payload);
                        if (status != SUCCESS)
                        {
-                               this->logger->log(this->logger, ERROR | LEVEL1, "Encrypted payload could not be decrypted and parsed: %s", 
-                                                               mapping_find(status_m, status));
+                               this->logger->log(this->logger, ERROR | LEVEL1, 
+                                                                 "Encrypted payload could not be decrypted and parsed: %s", 
+                                                                 mapping_find(status_m, status));
                                iterator->destroy(iterator);
                                return status;
                        }
@@ -997,8 +998,9 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                        while (encryption_payload->get_payload_count(encryption_payload) > 0)
                        {
                                encryption_payload->remove_first_payload(encryption_payload, &current_encrypted_payload);
-                               this->logger->log(this->logger, CONTROL | LEVEL1, "Insert unencrypted payload of type %s at end of list.",
-                                                                       mapping_find(payload_type_m,current_encrypted_payload->get_type(current_encrypted_payload)));
+                               this->logger->log(this->logger, CONTROL | LEVEL1, 
+                                                                 "Insert unencrypted payload of type %s at end of list.",
+                                                                  mapping_find(payload_type_m, current_encrypted_payload->get_type(current_encrypted_payload)));
                                this->payloads->insert_last(this->payloads,current_encrypted_payload);
                        }
                        
@@ -1007,14 +1009,15 @@ static status_t decrypt_payloads(private_message_t *this,crypter_t *crypter, sig
                }
 
                /* we allow unknown payloads of any type and don't bother if it was encrypted. Not our problem. */
-               if (current_payload_type != UNKNOWN_PAYLOAD)
+               if (current_payload_type != UNKNOWN_PAYLOAD && current_payload_type != NO_PAYLOAD)
                {
                        /* get the ruleset for found payload */
                        status = this->get_payload_rule(this, current_payload_type, &payload_rule);
                        if (status != SUCCESS)
                        {
                                /* payload is not allowed */
-                               this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s not allowed",mapping_find(payload_type_m,current_payload_type));
+                               this->logger->log(this->logger, ERROR | LEVEL1, "Payload type %s not allowed",
+                                                                 mapping_find(payload_type_m,current_payload_type));
                                iterator->destroy(iterator);
                                return status;
                        }
index e0ca74f..358f371 100644 (file)
@@ -556,13 +556,6 @@ static status_t parse(private_encryption_payload_t *this)
        status_t status;
        payload_type_t current_payload_type;
        
-       /* check if there is decrypted data */
-       if (this->decrypted.ptr == NULL)
-       {
-               this->logger->log(this->logger, ERROR, "unable to parse, no input!");
-               return INVALID_STATE;
-       }
-       
        /* build a parser on the decrypted data */
        parser = parser_create(this->decrypted);
        
index 5290bde..c012ce8 100644 (file)
@@ -42,6 +42,7 @@
 #include <sa/states/responder_init.h>
 #include <queues/jobs/retransmit_request_job.h>
 #include <queues/jobs/delete_established_ike_sa_job.h>
+#include <queues/jobs/delete_half_open_ike_sa_job.h>
 
 
 
@@ -186,43 +187,45 @@ struct private_ike_sa_t {
         * A logger for this IKE_SA.
         */
        logger_t *logger;
-
-       /**
-        * Resends the last sent reply.
-        * 
-        * @param this                          calling object
-        */
-       status_t (*resend_last_reply) (private_ike_sa_t *this);
 };
 
 /**
  * Implementation of ike_sa_t.process_message.
  */
-static status_t process_message (private_ike_sa_t *this, message_t *message)
+static status_t process_message(private_ike_sa_t *this, message_t *message)
 {
        u_int32_t message_id;
        exchange_type_t exchange_type;
        bool is_request;
-       
        /* We must process each request or response from remote host */
-
+       
        /* Find out type of message (request or response) */
        is_request = message->get_request(message);
        exchange_type = message->get_exchange_type(message);
-
+       
        this->logger->log(this->logger, CONTROL|LEVEL1, "Process %s of exchange type %s",
                                          (is_request) ? "request" : "response",mapping_find(exchange_type_m,exchange_type));
-
+       
        message_id = message->get_message_id(message);
-
+       
        /* 
         * It has to be checked, if the message has to be resent cause of lost packets!
         */
        if (is_request && (message_id == (this->message_id_in - 1)))
        {
-               /* Message can be resent ! */
-               this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
-               return (this->resend_last_reply(this));
+               /* resend last message, if any */
+               if (this->last_responded_message)
+               {
+                       packet_t *packet = this->last_responded_message->get_packet(this->last_responded_message);
+                       this->logger->log(this->logger, CONTROL|LEVEL1, "Resent request detected. Send stored reply.");
+                       charon->send_queue->add(charon->send_queue, packet);
+                       return SUCCESS;
+               }
+               else
+               {
+                       /* somebody does something nasty here... */
+                       return FAILED;
+               }
        }
        
        /* Now, the message id is checked for request AND reply */
@@ -253,7 +256,7 @@ static status_t process_message (private_ike_sa_t *this, message_t *message)
         * The specific state object is responsible to check if a message can be received in 
         * the state it represents.
         * The current state is also responsible to change the state object to the next state 
-        * by calling protected_ike_sa_t.set_new_state*/
+       * by calling protected_ike_sa_t.set_new_state*/
        return this->current_state->process_message(this->current_state,message);
 }
 
@@ -269,7 +272,7 @@ static void build_message(private_ike_sa_t *this, exchange_type_t type, bool req
        other = this->connection->get_other_host(this->connection);
 
        this->logger->log(this->logger, CONTROL|LEVEL2, "Build empty message");
-       new_message = message_create(); 
+       new_message = message_create();
        new_message->set_source(new_message, me->clone(me));
        new_message->set_destination(new_message, other->clone(other));
        new_message->set_exchange_type(new_message, type);
@@ -301,55 +304,6 @@ static status_t initiate_connection(private_ike_sa_t *this, connection_t *connec
 }
 
 /**
- * Implementation of ike_sa_t.send_delete_ike_sa_request.
- */
-static void send_delete_ike_sa_request (private_ike_sa_t *this)
-{
-       message_t *informational_request;
-       delete_payload_t *delete_payload;
-       crypter_t *crypter;
-       signer_t *signer;
-       packet_t *packet;
-       status_t status;
-       
-       if (this->current_state->get_state(this->current_state) != IKE_SA_ESTABLISHED)
-       {
-               return;
-       }
-       
-       /* build empty INFORMATIONAL message */
-       this->protected.build_message(&(this->protected), INFORMATIONAL, TRUE, &informational_request);
-       
-       delete_payload = delete_payload_create();
-       delete_payload->set_protocol_id(delete_payload, PROTO_IKE);
-               
-       informational_request->add_payload(informational_request,(payload_t *)delete_payload);
-       
-       if (this->ike_sa_id->is_initiator(this->ike_sa_id))
-       {
-               crypter = this->crypter_initiator;
-               signer = this->signer_initiator;
-       }
-       else
-       {
-               crypter = this->crypter_responder;
-               signer = this->signer_responder;
-       }
-       
-       status = informational_request->generate(informational_request,
-                                                                                        crypter,
-                                                                                        signer, &packet);
-       informational_request->destroy(informational_request);
-       if (status != SUCCESS)
-       {
-               this->logger->log(this->logger, ERROR, "Could not generate packet from message");
-               return ;
-       }
-       
-       charon->send_queue->add(charon->send_queue,packet);
-}
-
-/**
  * Implementation of ike_sa_t.get_id.
  */
 static ike_sa_id_t* get_id(private_ike_sa_t *this)
@@ -390,20 +344,6 @@ static identification_t* get_other_id(private_ike_sa_t *this)
 }
 
 /**
- * Implementation of private_ike_sa_t.resend_last_reply.
- */
-static status_t resend_last_reply(private_ike_sa_t *this)
-{
-       packet_t *packet;
-       
-       this->logger->log(this->logger, CONTROL | LEVEL1, "Going to retransmit last reply");
-       packet = this->last_responded_message->get_packet(this->last_responded_message);
-       charon->send_queue->add(charon->send_queue, packet);
-
-       return SUCCESS;
-}
-
-/**
  * Implementation of ike_sa_t.retransmit_request.
  */
 status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
@@ -431,22 +371,30 @@ status_t retransmit_request (private_ike_sa_t *this, u_int32_t message_id)
        
        return SUCCESS;
 }
+
+/**
+ * Implementation of ike_sa_t.get_state.
+ */
+static ike_sa_state_t get_state(private_ike_sa_t *this)
+{
+       return this->current_state->get_state(this->current_state);
+}
        
 /**
  * Implementation of protected_ike_sa_t.set_new_state.
  */
-static void set_new_state (private_ike_sa_t *this, state_t *state)
+static void set_new_state(private_ike_sa_t *this, state_t *state)
 {
        this->logger->log(this->logger, CONTROL, "statechange: %s => %s",
-                                         mapping_find(ike_sa_state_m,this->current_state->get_state(this->current_state)),
-                                         mapping_find(ike_sa_state_m,state->get_state(state)));
+                                         mapping_find(ike_sa_state_m, get_state(this)),
+                                         mapping_find(ike_sa_state_m, state->get_state(state)));
        this->current_state = state;
 }
 
 /**
  * Implementation of protected_ike_sa_t.get_connection.
  */
-static connection_t *get_connection (private_ike_sa_t *this)
+static connection_t *get_connection(private_ike_sa_t *this)
 {
        return this->connection;
 }
@@ -454,7 +402,7 @@ static connection_t *get_connection (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.set_connection.
  */
-static void set_connection (private_ike_sa_t *this,connection_t * connection)
+static void set_connection(private_ike_sa_t *this,connection_t * connection)
 {
        this->connection = connection;
 }
@@ -462,7 +410,7 @@ static void set_connection (private_ike_sa_t *this,connection_t * connection)
 /**
  * Implementation of protected_ike_sa_t.get_policy.
  */
-static policy_t *get_policy (private_ike_sa_t *this)
+static policy_t *get_policy(private_ike_sa_t *this)
 {
        return this->policy;
 }
@@ -470,7 +418,7 @@ static policy_t *get_policy (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.set_policy.
  */
-static void set_policy (private_ike_sa_t *this,policy_t * policy)
+static void set_policy(private_ike_sa_t *this,policy_t * policy)
 {
        this->policy = policy;
 }
@@ -478,7 +426,7 @@ static void set_policy (private_ike_sa_t *this,policy_t * policy)
 /**
  * Implementation of protected_ike_sa_t.get_prf.
  */
-static prf_t *get_prf (private_ike_sa_t *this)
+static prf_t *get_prf(private_ike_sa_t *this)
 {
        return this->prf;
 }
@@ -486,7 +434,7 @@ static prf_t *get_prf (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_prf.
  */
-static prf_t *get_child_prf (private_ike_sa_t *this)
+static prf_t *get_child_prf(private_ike_sa_t *this)
 {
        return this->child_prf;
 }
@@ -494,7 +442,7 @@ static prf_t *get_child_prf (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_prf_auth_i.
  */
-static prf_t *get_prf_auth_i (private_ike_sa_t *this)
+static prf_t *get_prf_auth_i(private_ike_sa_t *this)
 {
        return this->prf_auth_i;
 }
@@ -502,7 +450,7 @@ static prf_t *get_prf_auth_i (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_prf_auth_r.
  */
-static prf_t *get_prf_auth_r (private_ike_sa_t *this)
+static prf_t *get_prf_auth_r(private_ike_sa_t *this)
 {
        return this->prf_auth_r;
 }
@@ -701,7 +649,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, d
 /**
  * Implementation of protected_ike_sa_t.get_randomizer.
  */
-static randomizer_t *get_randomizer (private_ike_sa_t *this)
+static randomizer_t *get_randomizer(private_ike_sa_t *this)
 {
        return this->randomizer;
 }
@@ -709,7 +657,7 @@ static randomizer_t *get_randomizer (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_crypter_initiator.
  */
-static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
+static crypter_t *get_crypter_initiator(private_ike_sa_t *this)
 {
        return this->crypter_initiator;
 }
@@ -717,7 +665,7 @@ static crypter_t *get_crypter_initiator (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_signer_initiator.
  */
-static signer_t *get_signer_initiator (private_ike_sa_t *this)
+static signer_t *get_signer_initiator(private_ike_sa_t *this)
 {
        return this->signer_initiator;
 }
@@ -733,7 +681,7 @@ static crypter_t *get_crypter_responder(private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_signer_responder.
  */
-static signer_t *get_signer_responder (private_ike_sa_t *this)
+static signer_t *get_signer_responder(private_ike_sa_t *this)
 {
        return this->signer_responder;
 }
@@ -741,7 +689,7 @@ static signer_t *get_signer_responder (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.send_request.
  */
-static status_t send_request (private_ike_sa_t *this,message_t * message)
+static status_t send_request(private_ike_sa_t *this, message_t *message)
 {
        retransmit_request_job_t *retransmit_job;
        u_int32_t timeout;
@@ -783,29 +731,25 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
                                                this->message_id_out);
        charon->send_queue->add(charon->send_queue, packet);
        
+       /* replace last message for retransmit with current */
        if (this->last_requested_message != NULL)
        {
-               /* destroy message */
                this->last_requested_message->destroy(this->last_requested_message);
-       }       
-
+       }
        this->logger->log(this->logger, CONTROL|LEVEL3, "Replace last requested message with new one");
        this->last_requested_message = message;
        
-       retransmit_job = retransmit_request_job_create(this->message_id_out,this->ike_sa_id);
-       
-       status = charon->configuration->get_retransmit_timeout (charon->configuration,
-                                                                                               retransmit_job->get_retransmit_count(retransmit_job),&timeout);
-       
+       /* schedule a job for retransmission */
+       status = charon->configuration->get_retransmit_timeout(charon->configuration, 0, &timeout);
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, CONTROL|LEVEL2, "No retransmit job for message created!");
-               retransmit_job->destroy(retransmit_job);
        }
        else
        {
-               this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.",timeout);
-               charon->event_queue->add_relative(charon->event_queue,(job_t *) retransmit_job,timeout);
+               this->logger->log(this->logger, CONTROL|LEVEL2, "Request will be retransmitted in %d ms.", timeout);
+               retransmit_job = retransmit_request_job_create(this->message_id_out, this->ike_sa_id);
+               charon->event_queue->add_relative(charon->event_queue, (job_t *)retransmit_job, timeout);
        }
        
        /* message counter can now be increased */
@@ -819,7 +763,7 @@ static status_t send_request (private_ike_sa_t *this,message_t * message)
 /**
  * Implementation of protected_ike_sa_t.send_response.
  */
-static status_t send_response (private_ike_sa_t *this,message_t * message)
+static status_t send_response(private_ike_sa_t *this, message_t *message)
 {
        crypter_t *crypter;
        signer_t *signer;
@@ -832,7 +776,6 @@ static status_t send_response (private_ike_sa_t *this,message_t * message)
                return FAILED;  
        }
        
-
        if (this->ike_sa_id->is_initiator(this->ike_sa_id))
        {
                crypter = this->crypter_initiator;
@@ -922,7 +865,7 @@ static void set_last_replied_message_id (private_ike_sa_t *this,u_int32_t messag
 /**
  * Implementation of protected_ike_sa_t.get_last_responded_message.
  */
-static message_t * get_last_responded_message (private_ike_sa_t *this)
+static message_t *get_last_responded_message (private_ike_sa_t *this)
 {
        return this->last_responded_message;
 }
@@ -930,23 +873,15 @@ static message_t * get_last_responded_message (private_ike_sa_t *this)
 /**
  * Implementation of protected_ike_sa_t.get_last_requested_message.
  */
-static message_t * get_last_requested_message (private_ike_sa_t *this)
+static message_t *get_last_requested_message(private_ike_sa_t *this)
 {
        return this->last_requested_message;
 }
 
 /**
- * Implementation of ike_sa_t.get_state.
- */
-static ike_sa_state_t get_state (private_ike_sa_t *this)
-{
-       return this->current_state->get_state(this->current_state);
-}
-
-/**
  * Implementation of protected_ike_sa_t.add_child_sa.
  */
-static void add_child_sa (private_ike_sa_t *this, child_sa_t *child_sa)
+static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
 {
        this->child_sas->insert_last(this->child_sas, child_sa);
 }
@@ -954,7 +889,7 @@ static void add_child_sa (private_ike_sa_t *this, child_sa_t *child_sa)
 /**
  * Implementation of protected_ike_sa_t.reset_message_buffers.
  */
-static void reset_message_buffers (private_ike_sa_t *this)
+static void reset_message_buffers(private_ike_sa_t *this)
 {
        this->logger->log(this->logger, CONTROL|LEVEL2, "Reset message counters and destroy stored messages");
        /* destroy stored requested message */
@@ -983,6 +918,8 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
 {
        iterator_t *iterator;
        child_sa_t *child_sa;
+       host_t *my_host, *other_host;
+       identification_t *my_id, *other_id;
        
        /* only log if name == NULL or name == connection_name */
        if (name)
@@ -997,11 +934,11 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
                name = this->connection->get_name(this->connection);
        }
        
-       host_t *my_host    = this->connection->get_my_host(this->connection);
-       host_t *other_host = this->connection->get_other_host(this->connection);
+       my_host = this->connection->get_my_host(this->connection);
+       other_host = this->connection->get_other_host(this->connection);
 
-       identification_t *my_id    = this->connection->get_my_id(this->connection);
-       identification_t *other_id = this->connection->get_other_id(this->connection);
+       my_id = this->connection->get_my_id(this->connection);
+       other_id = this->connection->get_other_id(this->connection);
        
        if (logger == NULL)
        {
@@ -1029,9 +966,52 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
 }
 
 /**
+ * Implementation of public_ike_sa_t.delete.
+ */
+static status_t delete_(private_ike_sa_t *this)
+{
+       message_t *informational_request;
+       delete_payload_t *delete_payload;
+       u_int32_t timeout;
+       delete_half_open_ike_sa_job_t *job;
+       
+       if (get_state(this) != IKE_SA_ESTABLISHED)
+       {
+               this->logger->log(this->logger, ERROR, "Closing a not established IKE SA not allowed, aborting!");
+               return INVALID_STATE;
+       }
+       
+       build_message(this, INFORMATIONAL, TRUE, &informational_request);
+       /* delete for the full IKE_SA, this deletes all child_sa's implicit */  
+       delete_payload = delete_payload_create();
+       delete_payload->set_protocol_id(delete_payload, PROTO_IKE);
+       
+       informational_request->add_payload(informational_request, (payload_t*)delete_payload);
+       
+       if (send_request(this, informational_request) != SUCCESS)
+       {
+               /* send failed, but we ignore this, SA will get deleted anyway later */
+               informational_request->destroy(informational_request);
+       }
+       
+       /* transit to state delete_requested */
+       this->current_state->destroy(this->current_state);
+       set_new_state(this, (state_t*)delete_requested_create(this));
+       
+       /* there is no guarantee that the other peer will acknowledge the delete,
+        * so we have to set a timeout where we destroy the SA... This is done with
+        * the delete_half_open_ike_sa_job as used in IKE SA setup.
+        */
+       timeout = charon->configuration->get_half_open_ike_sa_timeout(charon->configuration);
+       job = delete_half_open_ike_sa_job_create(this->ike_sa_id);
+       charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
+       return SUCCESS;
+}
+
+/**
  * Implementation of protected_ike_sa_t.destroy.
  */
-static void destroy (private_ike_sa_t *this)
+static void destroy(private_ike_sa_t *this)
 {
        child_sa_t *child_sa;
        
@@ -1039,9 +1019,12 @@ static void destroy (private_ike_sa_t *this)
                                          this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
                                          this->ike_sa_id->get_responder_spi(this->ike_sa_id),
                                          this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
+       
+       if (get_state(this) == IKE_SA_ESTABLISHED)
+       {
+               this->logger->log(this->logger, ERROR, "Destroying an established IKE SA without knowledge from remote peer!");
+       }
 
-       /* inform other peer of delete */
-       send_delete_ike_sa_request(this);
        while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
        {
                child_sa->destroy(child_sa);
@@ -1127,8 +1110,8 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        this->protected.public.get_connection = (connection_t*(*)(ike_sa_t*)) get_connection;
        this->protected.public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
        this->protected.public.get_state = (ike_sa_state_t (*) (ike_sa_t *this)) get_state;
-       this->protected.public.send_delete_ike_sa_request = (void (*)(ike_sa_t*)) send_delete_ike_sa_request;
        this->protected.public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
+       this->protected.public.delete = (status_t(*)(ike_sa_t*))delete_;
        this->protected.public.destroy = (void(*)(ike_sa_t*))destroy;
        
        /* protected functions */
@@ -1158,9 +1141,6 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
        
        this->protected.set_last_replied_message_id = (void (*) (protected_ike_sa_t *,u_int32_t)) set_last_replied_message_id;
        
-       /* private functions */
-       this->resend_last_reply = resend_last_reply;
-
        /* initialize private fields */
        this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
        
index a4ab82c..31a5ba8 100644 (file)
@@ -73,7 +73,7 @@ struct ike_sa_t {
         * @return                              
         *                                              - SUCCESS
         *                                              - FAILED
-        *                                              - DELETE_ME if this IKE_SA MUST be deleted
+        *                                              - DESTROY_ME if this IKE_SA MUST be deleted
         */
        status_t (*process_message) (ike_sa_t *this,message_t *message);
 
@@ -88,7 +88,7 @@ struct ike_sa_t {
         * @return                              
         *                                              - SUCCESS if initialization started
         *                                              - FAILED if in wrong state
-        *                                              - DELETE_ME if initialization failed and IKE_SA MUST be deleted
+        *                                              - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
         */
        status_t (*initiate_connection) (ike_sa_t *this, connection_t *connection);
        
@@ -102,15 +102,6 @@ struct ike_sa_t {
         *                                              - NOT_FOUND if request doesn't have to be retransmited
         */
        status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id);
-       
-       /**
-        * @brief Sends a request to delete IKE_SA.
-        * 
-        * Only supported in state IKE_SA_ESTABLISHED
-        * 
-        * @param this                  calling object
-        */
-       void (*send_delete_ike_sa_request) (ike_sa_t *this);
 
        /**
         * @brief Get the id of the SA.
@@ -188,6 +179,22 @@ struct ike_sa_t {
         * @param name          name of the connection
         */     
        void (*log_status) (ike_sa_t *this, logger_t *logger, char *name);
+       
+       /**
+        * @brief Initiates the deletion of an IKE_SA.
+        * 
+        * Sends a delete message to the remote peer and waits for
+        * its response. If the response comes in, or a timeout occur,
+        * the IKE SA gets deleted.
+        * 
+        * @param this                  calling object
+        * @return
+        *                                              - SUCCESS if deletion is initialized
+        *                                              - INVALID_STATE, if the IKE_SA is not in 
+        *                                                an established state and can not be
+        *                                                delete (but destroyed).
+        */
+       status_t (*delete) (ike_sa_t *this);
 
        /**
         * @brief Destroys a ike_sa_t object.
index e6c8e49..475898e 100644 (file)
@@ -137,7 +137,7 @@ struct private_ike_sa_manager_t {
        /**
         * @brief Get next spi.
         *
-        * We give out SPIs incremental starting at 1.
+        * We give out SPIs from a pseudo random source
         * 
         * @param this                  the ike_sa_manager
         * @return                              the next spi
@@ -232,7 +232,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
                        if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
                                && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
                        {
-                               this->logger->log(this->logger,CONTROL | LEVEL2,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
+                               this->logger->log(this->logger, CONTROL|LEVEL2, "Found entry by initiator spi %d",
+                                                                 ike_sa_id->get_initiator_spi(ike_sa_id));
                                *entry = current;
                                status = SUCCESS;
                                break;
@@ -243,7 +244,8 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
                        if ((current->ike_sa_id->get_initiator_spi(current->ike_sa_id) == ike_sa_id->get_initiator_spi(ike_sa_id))
                                && (ike_sa_id->is_initiator(ike_sa_id) == current->ike_sa_id->is_initiator(current->ike_sa_id)))
                        {
-                               this->logger->log(this->logger,CONTROL | LEVEL2,"Found entry by initiator spi %d",ike_sa_id->get_initiator_spi(ike_sa_id));
+                               this->logger->log(this->logger, CONTROL|LEVEL2, "Found entry by initiator spi %d",
+                                                                 ike_sa_id->get_initiator_spi(ike_sa_id));
                                *entry = current;
                                status = SUCCESS;
                                break;
@@ -251,7 +253,7 @@ static status_t get_entry_by_id(private_ike_sa_manager_t *this, ike_sa_id_t *ike
                }
                if (current->ike_sa_id->equals(current->ike_sa_id, ike_sa_id))
                {
-                       this->logger->log(this->logger,CONTROL | LEVEL2,"Found entry by full ID");
+                       this->logger->log(this->logger, CONTROL|LEVEL2, "Found entry by full ID");
                        *entry = current;
                        status = SUCCESS;
                        break;
@@ -283,7 +285,7 @@ static status_t get_entry_by_sa(private_ike_sa_manager_t *this, ike_sa_t *ike_sa
                /* only pointers are compared */
                if (current->ike_sa == ike_sa)
                {
-                       this->logger->log(this->logger,CONTROL | LEVEL2,"Found entry by pointer");
+                       this->logger->log(this->logger, CONTROL|LEVEL2, "Found entry by pointer");
                        *entry = current;
                        status = SUCCESS;
                        break;
@@ -305,7 +307,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
        
        iterator = list->create_iterator(list, TRUE);
 
-       status = NOT_FOUND;     
+       status = NOT_FOUND;
        
        while (iterator->has_next(iterator))
        {
@@ -313,7 +315,7 @@ static status_t delete_entry(private_ike_sa_manager_t *this, ike_sa_entry_t *ent
                iterator->current(iterator, (void**)&current);
                if (current == entry) 
                {
-                       this->logger->log(this->logger,CONTROL | LEVEL2,"Found entry by pointer. Going to delete it.");
+                       this->logger->log(this->logger, CONTROL|LEVEL2, "Found entry by pointer. Going to delete it.");
                        iterator->remove(iterator);
                        entry->destroy(entry);
                        status = SUCCESS;
@@ -360,7 +362,7 @@ static void create_and_checkout(private_ike_sa_manager_t *this,ike_sa_t **ike_sa
        this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
 
        /* check ike_sa out */
-       this->logger->log(this->logger,CONTROL | LEVEL1 ,"New IKE_SA created and added to list of known IKE_SA's");
+       this->logger->log(this->logger, CONTROL|LEVEL1, "New IKE_SA created and added to list of known IKE_SA's");
        new_ike_sa_entry->checked_out = TRUE;
        *ike_sa = new_ike_sa_entry->ike_sa;
 
@@ -397,7 +399,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
                        /* can we give this ike_sa out to new requesters?*/
                        if (entry->driveout_new_threads)
                        {
-                               this->logger->log(this->logger,CONTROL|LEVEL1,"Drive out new thread for existing IKE_SA");
+                               this->logger->log(this->logger, CONTROL|LEVEL1, "Drive out new thread for existing IKE_SA");
                                /* no we can't */
                                retval = NOT_FOUND;
                        }
@@ -420,12 +422,12 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
                                {
                                        /* we must signal here, others are interested that we leave */
                                        pthread_cond_signal(&(entry->condvar));
-                                       this->logger->log(this->logger,CONTROL|LEVEL1,"Drive out waiting thread for existing IKE_SA");
+                                       this->logger->log(this->logger, CONTROL|LEVEL1, "Drive out waiting thread for existing IKE_SA");
                                        retval = NOT_FOUND;
                                }
                                else
                                {
-                                       this->logger->log(this->logger,CONTROL|LEVEL2,"IKE SA successfully checked out");
+                                       this->logger->log(this->logger, CONTROL|LEVEL2, "IKE SA successfully checked out");
                                        /* ok, this IKE_SA is finally ours */
                                        entry->checked_out = TRUE;
                                        *ike_sa = entry->ike_sa;
@@ -436,7 +438,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
                }
                else
                {
-                       this->logger->log(this->logger,ERROR | LEVEL1,"IKE SA not stored in known IKE_SA list");
+                       this->logger->log(this->logger, ERROR|LEVEL1, "IKE SA not stored in known IKE_SA list");
                        /* looks like there is no such IKE_SA, better luck next time... */
                        /* DON'T use return, we must unlock the mutex! */
                        retval = NOT_FOUND;
@@ -467,7 +469,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
                this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry);
                
                /* check ike_sa out */
-               this->logger->log(this->logger,CONTROL | LEVEL1 ,"IKE_SA added to list of known IKE_SA's");
+               this->logger->log(this->logger, CONTROL|LEVEL1 ,"IKE_SA added to list of known IKE_SA's");
                new_ike_sa_entry->checked_out = TRUE;
                *ike_sa = new_ike_sa_entry->ike_sa;
                
@@ -476,7 +478,7 @@ static status_t checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id,
        else
        {
                /* responder set, initiator not: here is something seriously wrong! */
-               this->logger->log(this->logger,ERROR | LEVEL1, "Invalid IKE_SA SPI's");
+               this->logger->log(this->logger, ERROR|LEVEL1, "Invalid IKE_SA SPI's");
                /* DON'T use return, we must unlock the mutex! */
                retval = INVALID_ARG;
        }
@@ -644,13 +646,13 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
                entry->ike_sa_id->replace_values(entry->ike_sa_id, ike_sa->get_id(ike_sa));
                /* signal waiting threads */
                entry->checked_out = FALSE;
-               this->logger->log(this->logger,CONTROL | LEVEL1,"Checkin of IKE_SA successful.");
+               this->logger->log(this->logger, CONTROL|LEVEL1, "Checkin of IKE_SA successful.");
                pthread_cond_signal(&(entry->condvar));
                retval = SUCCESS;
        }
        else
        {
-               this->logger->log(this->logger,ERROR,"Fatal Error: Tried to checkin nonexisting IKE_SA");
+               this->logger->log(this->logger, ERROR, "Tried to checkin nonexisting IKE_SA");
                /* this SA is no more, this REALLY should not happen */
                retval = NOT_FOUND;
        }
@@ -660,9 +662,9 @@ static status_t checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 
 
 /**
- * Implementation of ike_sa_manager_t.checkin_and_delete.
+ * Implementation of ike_sa_manager_t.checkin_and_destroy.
  */
-static status_t checkin_and_delete(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
+static status_t checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
        /* deletion is a bit complex, we must garant that no thread is waiting for
         * this SA.
@@ -682,21 +684,21 @@ static status_t checkin_and_delete(private_ike_sa_manager_t *this, ike_sa_t *ike
                entry->driveout_waiting_threads = TRUE;
 
                /* wait until all workers have done their work */
-               while (entry->waiting_threads > 0)
+               while (entry->waiting_threads)
                {
-                       /* let the other threads do some work*/
-                       pthread_cond_signal(&(entry->condvar));
+                       /* let the other threads leave the manager */
+                       pthread_cond_broadcast(&(entry->condvar));
                        /* and the nice thing, they will wake us again when their work is done */
                        pthread_cond_wait(&(entry->condvar), &(this->mutex));
                }
                /* ok, we are alone now, no threads waiting in the entry's condvar */
                this->delete_entry(this, entry);
-               this->logger->log(this->logger,CONTROL | LEVEL1,"Checkin and delete of IKE_SA successful");
+               this->logger->log(this->logger, CONTROL|LEVEL1, "Checkin and destroy of IKE_SA successful");
                retval = SUCCESS;
        }
        else
        {
-               this->logger->log(this->logger,ERROR,"Fatal Error: Tried to checkin and delete nonexisting IKE_SA");
+               this->logger->log(this->logger,ERROR, "Tried to checkin and delete nonexisting IKE_SA");
                retval = NOT_FOUND;
        }
        
@@ -707,7 +709,7 @@ static status_t checkin_and_delete(private_ike_sa_manager_t *this, ike_sa_t *ike
 /**
  * Implementation of ike_sa_manager_t.delete.
  */
-static status_t delete(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
+static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
 {
        /* deletion is a bit complex, we must garant that no thread is waiting for
         * this SA.
@@ -721,25 +723,38 @@ static status_t delete(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id)
 
        if (this->get_entry_by_id(this, ike_sa_id, &entry) == SUCCESS)
        {
-               /* mark it, so now new threads can acquire this SA */
-               entry->driveout_new_threads = TRUE;
-
-               /* wait until all workers have done their work */
-               while (entry->waiting_threads)
+               /* we try a delete. If it succeeds, our job is done here. The
+                * other peer will reply, and the IKE SA gets the finally deleted...
+                */
+               if (entry->ike_sa->delete(entry->ike_sa) == SUCCESS)
                {
-                       /* wake up all */
-                       pthread_cond_signal(&(entry->condvar));
-                       /* and the nice thing, they will wake us again when their work is done */
-                       pthread_cond_wait(&(entry->condvar), &(this->mutex));
+                       this->logger->log(this->logger, CONTROL|LEVEL1, "Initiated delete for IKE_SA");
+               }
+               /* but if the IKE SA is not in a state where the deletion is negotiated with
+                * the other peer, we can destroy the IKE SA on our own. For this, we must
+                * be sure that really NO other threads are waiting for this SA...
+                */
+               else
+               {
+                       /* mark it, so now new threads can acquire this SA */
+                       entry->driveout_new_threads = TRUE;
+                       /* wait until all workers have done their work */
+                       while (entry->waiting_threads)
+                       {
+                               /* wake up all */
+                               pthread_cond_broadcast(&(entry->condvar));
+                               /* and the nice thing, they will wake us again when their work is done */
+                               pthread_cond_wait(&(entry->condvar), &(this->mutex));
+                       }
+                       /* ok, we are alone now, no threads waiting in the entry's condvar */
+                       this->delete_entry(this, entry);
+                       this->logger->log(this->logger, CONTROL|LEVEL1, "Destroyed IKE_SA");
                }
-               /* ok, we are alone now, no threads waiting in the entry's condvar */
-               this->delete_entry(this, entry);
-               this->logger->log(this->logger,CONTROL | LEVEL1,"Delete of IKE_SA successful");
                retval = SUCCESS;
        }
        else
        {
-               this->logger->log(this->logger,ERROR,"Fatal Error: Tried to delete nonexisting IKE_SA");
+               this->logger->log(this->logger,ERROR, "Tried to delete nonexisting IKE_SA");
                retval = NOT_FOUND;
        }
 
@@ -782,9 +797,9 @@ static void destroy(private_ike_sa_manager_t *this)
                while (entry->waiting_threads)
                {
                        /* wake up all */
-                       pthread_cond_signal(&(entry->condvar));
+                       pthread_cond_broadcast(&(entry->condvar));
                        /* go sleeping until they are gone */
-                       pthread_cond_wait(&(entry->condvar), &(this->mutex));           
+                       pthread_cond_wait(&(entry->condvar), &(this->mutex));
                }
        }
        this->logger->log(this->logger,CONTROL | LEVEL2,"Delete all IKE_SA's");
@@ -821,8 +836,8 @@ ike_sa_manager_t *ike_sa_manager_create()
        this->public.get_ike_sa_list_by_name = (linked_list_t*(*)(ike_sa_manager_t*,const char*))get_ike_sa_list_by_name;
        this->public.log_status = (void(*)(ike_sa_manager_t*,logger_t*,char*))log_status;
        this->public.checkin = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin;
-       this->public.delete = (status_t(*)(ike_sa_manager_t*,ike_sa_id_t*))delete;
-       this->public.checkin_and_delete = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_delete;
+       this->public.delete = (status_t(*)(ike_sa_manager_t*,ike_sa_id_t*))delete_;
+       this->public.checkin_and_destroy = (status_t(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy;
 
        /* initialize private functions */
        this->get_next_spi = get_next_spi;
index d4cd749..a608052 100644 (file)
@@ -149,10 +149,14 @@ struct ike_sa_manager_t {
        
        /**
         * @brief Delete a SA, which was not checked out.
-        * 
+        *
+        * If the state allows it, the IKE SA is destroyed immediately. If it is
+        * in the state ike_sa_established or further, a delete message
+        * is sent to the remote peer, which has to be acknowledged.
+        *
         * @warning do not use this when the SA is already checked out, this will
         * deadlock!
-        *  
+        *
         * @param this                          the manager object
         * @param ike_sa_id[in/out]     the SA identifier
         * @returns                             
@@ -162,7 +166,14 @@ struct ike_sa_manager_t {
        status_t (*delete) (ike_sa_manager_t* this, ike_sa_id_t *ike_sa_id);
        
        /**
-        * @brief Delete a checked out SA.
+        * @brief Destroy a checked out SA.
+        *
+        * The IKE SA is destroyed without notification of the remote peer.
+        * Use this only if the other peer doesn't respond or behaves not
+        * as predicted.
+        * Checking in and destruction is an atomic operation (for the IKE_SA),
+        * so this can be called if the SA is in a "unclean" state, without the
+        * risk that another thread can get the SA.
         *
         * @param this                          the manager object
         * @param ike_sa                        SA to delete
@@ -170,7 +181,7 @@ struct ike_sa_manager_t {
         *                                                      - SUCCESS if found
         *                                                      - NOT_FOUND when no such SA is available
         */
-       status_t (*checkin_and_delete) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
+       status_t (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
        
        /**
         * @brief Destroys the manager with all associated SAs.
diff --git a/src/charon/sa/states/delete_requested.c b/src/charon/sa/states/delete_requested.c
new file mode 100644 (file)
index 0000000..ff6ec1d
--- /dev/null
@@ -0,0 +1,163 @@
+/**
+ * @file delete_requested.c
+ *
+ * @brief Implementation of delete_requested_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "delete_requested.h"
+
+#include <daemon.h>
+
+
+typedef struct private_delete_requested_t private_delete_requested_t;
+
+/**
+ * Private data of a delete_requested_t object.
+ */
+struct private_delete_requested_t {
+       
+       /**
+        * methods of the state_t interface
+        */
+       delete_requested_t public;
+       
+       /** 
+        * Assigned IKE_SA.
+        */
+       protected_ike_sa_t *ike_sa;
+       
+       /** 
+        * Assigned logger. Use logger of IKE_SA.
+        */
+       logger_t *logger;
+};
+
+/**
+ * Implements state_t.get_state
+ */
+static status_t process_message(private_delete_requested_t *this, message_t *message)
+{
+       ike_sa_id_t *ike_sa_id;
+       crypter_t *crypter;
+       signer_t *signer;
+       status_t status;
+       
+       /* Notation as follows:
+        * Mx{D} means: Message, with message ID "x", containing a Delete payload
+        *
+        * The clarifcation Document says in 5.8, that a IKE_SA delete should not
+        * be acknowledged with the same delete. This only makes sense for CHILD_SAs,
+        * as they are paired. IKE_SAs are not, there is only one for both ends.
+        *
+        * Normal case:
+        * ----------------
+        * Mx{D}  -->
+        *       <--      Mx{}
+        * Delete request is sent, and we wait for the acknowledge.
+        *
+        * Special case 1:
+        * ---------------
+        * Mx{D}  -->
+        *       <--      My{D}
+        * My{}   -->
+        *       <--      Mx{}
+        * Both initate a delete at the same time. We ack the delete, but wait for
+        * our delete to be acknowledged.
+        */
+       
+       if (message->get_exchange_type(message) != INFORMATIONAL)
+       {
+               /* anything other than information is ignored. We can an will not handle
+                * messages such as CREATE_CHILD_SA */
+               this->logger->log(this->logger, ERROR | LEVEL1, 
+                                                 "%s messages not supported in state delete_requested. Ignored",
+                                                 mapping_find(exchange_type_m, message->get_exchange_type(message)));
+               return FAILED;
+       }
+       
+       if (message->get_request(message))
+       {
+               /* if it is a request, not a reply to our delete request, we 
+                * just acknowledge this. We stay in our state, as the other peer
+                * has to ACK our request.
+                */
+               message_t *acknowledge;
+               this->ike_sa->build_message(this->ike_sa, INFORMATIONAL, FALSE, &acknowledge);
+               return this->ike_sa->send_response(this->ike_sa, acknowledge);
+       }
+       
+       /* get signer for verification and crypter for decryption */
+       ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
+       if (!ike_sa_id->is_initiator(ike_sa_id))
+       {
+               crypter = this->ike_sa->get_crypter_initiator(this->ike_sa);
+               signer = this->ike_sa->get_signer_initiator(this->ike_sa);
+       }
+       else
+       {
+               crypter = this->ike_sa->get_crypter_responder(this->ike_sa);
+               signer = this->ike_sa->get_signer_responder(this->ike_sa);
+       }
+       
+       /* parse incoming message, check if it's proper signed */
+       status = message->parse_body(message, crypter, signer);
+       if (status != SUCCESS)
+       {
+               this->logger->log(this->logger, AUDIT, "INFORMATIONAL message decryption failed. Ignoring message");
+               return status;
+       }
+       
+       /* ok, he knows about the deletion, destroy this IKE SA */
+       return DESTROY_ME;
+}
+
+/**
+ * Implementation of state_t.get_state.
+ */
+static ike_sa_state_t get_state(private_delete_requested_t *this)
+{
+       return DELETE_REQUESTED;
+}
+
+/**
+ * Implementation of state_t.get_state
+ */
+static void destroy(private_delete_requested_t *this)
+{
+       free(this);
+}
+
+/* 
+ * Described in header.
+ */
+delete_requested_t *delete_requested_create(protected_ike_sa_t *ike_sa)
+{
+       private_delete_requested_t *this = malloc_thing(private_delete_requested_t);
+
+       /* interface functions */
+       this->public.state_interface.process_message = (status_t (*) (state_t *,message_t *)) process_message;
+       this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
+       this->public.state_interface.destroy  = (void (*) (state_t *)) destroy;
+       
+       /* private data */
+       this->ike_sa = ike_sa;
+       this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
+       
+       return &(this->public);
+}
diff --git a/src/charon/sa/states/delete_requested.h b/src/charon/sa/states/delete_requested.h
new file mode 100644 (file)
index 0000000..a4c6dab
--- /dev/null
@@ -0,0 +1,57 @@
+/**
+ * @file delete_requested.h
+ * 
+ * @brief Interface of delete_requested_t.
+ * 
+ */
+
+/*
+ * Copyright (C) 2006 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef DELETE_REQUESTED_H_
+#define DELETE_REQUESTED_H_
+
+#include <sa/states/state.h>
+#include <sa/ike_sa.h>
+
+typedef struct delete_requested_t delete_requested_t;
+
+/**
+ * @brief This class represents an the state of a half closed IKE_SA.
+ * 
+ * @b Constructors:
+ * - delete_requested_create()
+ * 
+ * @ingroup states
+ */
+struct delete_requested_t {
+       /**
+        * methods of the state_t interface
+        */
+       state_t state_interface;
+
+};
+
+/**
+ * @brief Constructor of class delete_requested_t
+ * 
+ * @param ike_sa       assigned ike_sa
+ * @return                     created delete_requested_t object
+ * 
+ * @ingroup states
+ */
+delete_requested_t *delete_requested_create(protected_ike_sa_t *ike_sa);
+
+#endif /*DELETE_REQUESTED_H_*/
index 3d49f44..069f165 100644 (file)
@@ -107,7 +107,7 @@ struct private_ike_auth_requested_t {
         * @param idr_payload   ID payload of responder
         * @return                              
         *                                              - SUCCESS
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         */
        status_t (*process_idr_payload) (private_ike_auth_requested_t *this, id_payload_t *idr_payload);
        
@@ -118,7 +118,7 @@ struct private_ike_auth_requested_t {
         * @param sa_payload    SA payload of responder
         *
         *                                              - SUCCESS
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         */
        status_t (*process_sa_payload) (private_ike_auth_requested_t *this, sa_payload_t *sa_payload);
        
@@ -130,7 +130,7 @@ struct private_ike_auth_requested_t {
         * @param other_id_payload      ID payload of responder
         *
         *                                              - SUCCESS
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         */
        status_t (*process_auth_payload) (private_ike_auth_requested_t *this, auth_payload_t *auth_payload, id_payload_t *other_id_payload);
        
@@ -142,7 +142,7 @@ struct private_ike_auth_requested_t {
         * @param ts_payload    TS payload of responder
         *
         *                                              - SUCCESS
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         */
        status_t (*process_ts_payload) (private_ike_auth_requested_t *this, bool ts_initiator, ts_payload_t *ts_payload);
        
@@ -154,7 +154,7 @@ struct private_ike_auth_requested_t {
         *
         *                                              - SUCCESS
         *                                              - FAILED
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         */
        status_t (*process_notify_payload) (private_ike_auth_requested_t *this, notify_payload_t *notify_payload);
        
@@ -281,7 +281,7 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
        if (!(idr_payload && sa_payload && auth_payload && tsi_payload && tsr_payload))
        {
                this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
 
        /* process all payloads */
@@ -341,13 +341,13 @@ static status_t process_message(private_ike_auth_requested_t *this, message_t *i
                if (status != SUCCESS)
                {
                        this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
-                       return DELETE_ME;
+                       return DESTROY_ME;
                }
                status = this->child_sa->add_policies(this->child_sa, this->my_ts, this->other_ts);
                if (status != SUCCESS)
                {
                        this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA");
-                       return DELETE_ME;
+                       return DESTROY_ME;
                }
                this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
        }
@@ -386,7 +386,7 @@ static status_t process_idr_payload(private_ike_auth_requested_t *this, id_paylo
        {
                other_id->destroy(other_id);
                this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not acceptable ID. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        connection = this->ike_sa->get_connection(this->ike_sa);
@@ -424,7 +424,7 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
                        proposal->destroy(proposal);
                }
                proposal_list->destroy(proposal_list);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* we have to re-check here if other's selection is valid */
@@ -439,7 +439,7 @@ static status_t process_sa_payload(private_ike_auth_requested_t *this, sa_payloa
        if (proposal == NULL)
        {
                this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a not offered proposal. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* apply proposal */
@@ -462,7 +462,7 @@ static status_t process_auth_payload(private_ike_auth_requested_t *this, auth_pa
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Verification of IKE_AUTH reply failed. Deleting IKE_SA");
-               return DELETE_ME;       
+               return DESTROY_ME;      
        }
 
        this->logger->log(this->logger, CONTROL|LEVEL1, "AUTH data verified successfully");
@@ -521,19 +521,19 @@ static status_t process_notify_payload(private_ike_auth_requested_t *this, notif
                case INVALID_SYNTAX:
                {
                        this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an INVALID_SYNTAX notify. Deleting IKE_SA");
-                       return DELETE_ME;       
+                       return DESTROY_ME;      
                        
                }
                case AUTHENTICATION_FAILED:
                {
                        this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an AUTHENTICATION_FAILED notify. Deleting IKE_SA");
-                       return DELETE_ME;       
+                       return DESTROY_ME;      
                        
                }
                case SINGLE_PAIR_REQUIRED:
                {
                        this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained a SINGLE_PAIR_REQUIRED notify. Deleting IKE_SA");
-                       return DELETE_ME;               
+                       return DESTROY_ME;              
                }
                default:
                {
@@ -546,7 +546,7 @@ static status_t process_notify_payload(private_ike_auth_requested_t *this, notif
                        {
                                this->logger->log(this->logger, AUDIT, "IKE_AUTH reply contained an unknown notify error (%d). Deleting IKE_SA",
                                                                  notify_message_type);
-                               return DELETE_ME;       
+                               return DESTROY_ME;      
 
                        }
                        else
index e91409f..782b608 100644 (file)
@@ -46,22 +46,59 @@ struct private_ike_sa_established_t {
         * Assigned logger. Use logger of IKE_SA.
         */
        logger_t *logger;
-       
-       /**
-        * Process a notify payload
-        * 
-        * @param this                          calling object
-        * @param notify_payload        notify payload
-        * @param response                      response message of type INFORMATIONAL
-        *
-        *                                              - SUCCESS
-        *                                              - FAILED
-        *                                              - DELETE_ME
-        */
-       status_t (*process_notify_payload) (private_ike_sa_established_t *this, notify_payload_t *notify_payload,message_t *response);
 };
 
 /**
+ * Process an informational request
+ */
+static status_t process_informational(private_ike_sa_established_t *this, message_t *request, message_t *response)
+{
+       delete_payload_t *delete_request = NULL;
+       iterator_t *payloads = request->get_payload_iterator(request);
+       
+       while (payloads->has_next(payloads))
+       {
+               payload_t *payload;
+               payloads->current(payloads, (void**)&payload);
+               
+               switch (payload->get_type(payload))
+               {
+                       case DELETE:
+                       {
+                               delete_request = (delete_payload_t *) payload;
+                               break;
+                       }
+                       default:
+                       {
+                               this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", 
+                                                                 mapping_find(payload_type_m, payload->get_type(payload)), 
+                                                                 payload->get_type(payload));
+                               break;
+                       }
+               }
+       }
+       /* iterator can be destroyed */
+       payloads->destroy(payloads);
+       
+       if (delete_request)
+       {
+               if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
+               {
+                       this->logger->log(this->logger, CONTROL, "DELETE request for IKE_SA received");
+                       /* we reply with an empty informational message */
+                       return DESTROY_ME;
+               }
+               else
+               {
+                       this->logger->log(this->logger, CONTROL, "DELETE request for CHILD_SA received. Ignored");
+                       response->destroy(response);
+                       return SUCCESS;
+               }
+       }
+       return SUCCESS;
+}
+
+/**
  * Implements state_t.get_state
  */
 static status_t process_message(private_ike_sa_established_t *this, message_t *message)
@@ -74,22 +111,16 @@ static status_t process_message(private_ike_sa_established_t *this, message_t *m
        signer_t *signer;
        status_t status;
        
-       if (message->get_exchange_type(message) != INFORMATIONAL)
-       {
-               this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state ike_sa_established",
-                                                       mapping_find(exchange_type_m,message->get_exchange_type(message)));
-               return FAILED;
-       }
-       
+       /* only requests are allowed, responses are handled in sub-states */
        if (!message->get_request(message))
        {
-               this->logger->log(this->logger, ERROR | LEVEL1, "INFORMATIONAL responses not handled in state ike_sa_established");
+               this->logger->log(this->logger, ERROR | LEVEL1, 
+                                                 "INFORMATIONAL responses not handled in state ike_sa_established");
                return FAILED;
        }
        
-       ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
-       
        /* get signer for verification and crypter for decryption */
+       ike_sa_id = this->ike_sa->public.get_id(&(this->ike_sa->public));
        if (!ike_sa_id->is_initiator(ike_sa_id))
        {
                crypter = this->ike_sa->get_crypter_initiator(this->ike_sa);
@@ -105,99 +136,50 @@ static status_t process_message(private_ike_sa_established_t *this, message_t *m
        status = message->parse_body(message, crypter, signer);
        if (status != SUCCESS)
        {
-               this->logger->log(this->logger, AUDIT, "INFORMATIONAL request decryption failed. Ignoring message");
+               this->logger->log(this->logger, AUDIT, "%s request decryption failed. Ignoring message",
+                                                 mapping_find(exchange_type_m, message->get_exchange_type(message)));
                return status;
        }
        
-       /* build empty INFORMATIONAL message */
-       this->ike_sa->build_message(this->ike_sa, INFORMATIONAL, FALSE, &response);
-       
-       payloads = message->get_payload_iterator(message);
+       /* prepare a reply of the same type */
+       this->ike_sa->build_message(this->ike_sa, message->get_exchange_type(message), FALSE, &response);
        
-       while (payloads->has_next(payloads))
+       /* handle the different message types in their functions */
+       switch (message->get_exchange_type(message))
        {
-               payload_t *payload;
-               payloads->current(payloads, (void**)&payload);
-               
-               switch (payload->get_type(payload))
-               {
-                       case NOTIFY:
-                       {
-                               notify_payload_t *notify_payload = (notify_payload_t *) payload;
-                               /* handle the notify directly, abort if no further processing required */
-                               status = this->process_notify_payload(this, notify_payload,response);
-                               if (status != SUCCESS)
-                               {
-                                       payloads->destroy(payloads);
-                                       response->destroy(response);
-                                       return status;
-                               }
-                       }
-                       case DELETE:
-                       {
-                               delete_request = (delete_payload_t *) payload;
-                               break;
-                       }
-                       default:
-                       {
-                               this->logger->log(this->logger, ERROR|LEVEL1, "Ignoring Payload %s (%d)", 
-                                                                       mapping_find(payload_type_m, payload->get_type(payload)), payload->get_type(payload));
-                               break;
-                       }
-               }
+               case INFORMATIONAL:
+                       status = process_informational(this, message, response);
+                       break;
+               default:
+                       this->logger->log(this->logger, ERROR | LEVEL1, 
+                                                         "Message of type %s currently not supported in state ike_sa_established",
+                                                         mapping_find(exchange_type_m, message->get_exchange_type(message)));
+                       status = NOT_SUPPORTED;
        }
-       /* iterator can be destroyed */
-       payloads->destroy(payloads);
        
-       if (delete_request)
-       {       
-               if (delete_request->get_protocol_id(delete_request) == PROTO_IKE)
+       /* if we get a DESTROY_ME, we respond to follow strict request/reply scheme */
+       if (status == SUCCESS || status == DESTROY_ME)
+       {
+               if (this->ike_sa->send_response(this->ike_sa, response) != SUCCESS)
                {
-                       this->logger->log(this->logger, AUDIT, "DELETE request for IKE_SA received");
+                       /* something is seriously wrong, kill connection */
+                       this->logger->log(this->logger, AUDIT, "Unable to send reply. Deleting IKE_SA");
                        response->destroy(response);
-                       return DELETE_ME;
+                       status = DESTROY_ME;
                }
-               else
+               else if (status == DESTROY_ME)
                {
-                       this->logger->log(this->logger, AUDIT, "DELETE request for CHILD_SA received. Ignored");
-                       response->destroy(response);
-                       return SUCCESS;
+                       /* switch to delete_requested. This is not absolutly correct, but we
+                       * allow the clean destruction of an SA only in this state. */
+                       this->ike_sa->set_new_state(this->ike_sa, (state_t*)delete_requested_create(this));
+                       this->public.state_interface.destroy(&(this->public.state_interface));
                }
        }
-       
-       status = this->ike_sa->send_response(this->ike_sa, response);
-       /* message can now be sent (must not be destroyed) */
-       if (status != SUCCESS)
+       else
        {
-               this->logger->log(this->logger, AUDIT, "Unable to send INFORMATIONAL reply");
                response->destroy(response);
-               return FAILED;
        }
-       
-       return SUCCESS;
-}
-
-/**
- * Implementation of private_ike_sa_established_t.process_notify_payload;
- */
-static status_t process_notify_payload (private_ike_sa_established_t *this, notify_payload_t *notify_payload, message_t *response)
-{
-       notify_message_type_t notify_message_type = notify_payload->get_notify_message_type(notify_payload);
-       
-       this->logger->log(this->logger, CONTROL|LEVEL1, "Process notify type %s for protocol %s",
-                                         mapping_find(notify_message_type_m, notify_message_type),
-                                         mapping_find(protocol_id_m, notify_payload->get_protocol_id(notify_payload)));
-                                         
-       switch (notify_message_type)
-       {
-               default:
-               {
-                       this->logger->log(this->logger, AUDIT, "INFORMATIONAL request contained an unknown notify (%d), ignored.", notify_message_type);
-               }
-       }
-
-
-       return SUCCESS; 
+       return status;
 }
 
 /**
@@ -228,9 +210,6 @@ ike_sa_established_t *ike_sa_established_create(protected_ike_sa_t *ike_sa)
        this->public.state_interface.get_state = (ike_sa_state_t (*) (state_t *)) get_state;
        this->public.state_interface.destroy  = (void (*) (state_t *)) destroy;
        
-       /* private functions */
-       this->process_notify_payload = process_notify_payload;
-       
        /* private data */
        this->ike_sa = ike_sa;
        this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
index 04fef3d..6befa96 100644 (file)
@@ -325,7 +325,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        if (!(nonce_payload && sa_payload && ke_payload))
        {
                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply did not contain all required payloads. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        status = this->process_nonce_payload (this,nonce_payload);
@@ -351,7 +351,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* apply the address on wich we really received the packet */
@@ -407,7 +407,7 @@ static status_t process_message(private_ike_sa_init_requested_t *this, message_t
        {
                this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH request. Deleting IKE_SA");
                request->destroy(request);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        this->ike_sa->set_last_replied_message_id(this->ike_sa,ike_sa_init_reply->get_message_id(ike_sa_init_reply));
@@ -456,7 +456,7 @@ status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t
                        proposal->destroy(proposal);
                }
                proposal_list->destroy(proposal_list);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* we have to re-check if the others selection is valid */
@@ -470,7 +470,7 @@ status_t process_sa_payload (private_ike_sa_init_requested_t *this, sa_payload_t
        if (this->proposal == NULL)
        {
                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained selected proposal we did not offer. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        return SUCCESS;
@@ -544,7 +544,7 @@ static status_t build_auth_payload (private_ike_sa_init_requested_t *this, id_pa
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Could not generate AUTH data for IKE_AUTH request. Deleting IKE_SA");
-               return DELETE_ME;               
+               return DESTROY_ME;              
        }
        
        this->logger->log(this->logger, CONTROL|LEVEL2, "Add AUTH payload to message");
@@ -573,7 +573,7 @@ static status_t build_sa_payload (private_ike_sa_init_requested_t *this, message
        if (this->child_sa->alloc(this->child_sa, proposal_list) != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        sa_payload = sa_payload_create_from_proposal_list(proposal_list);
@@ -637,12 +637,12 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
                case NO_PROPOSAL_CHOSEN:
                {
                        this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a NO_PROPOSAL_CHOSEN notify. Deleting IKE_SA");
-                       return DELETE_ME;
+                       return DESTROY_ME;
                }
                case INVALID_MAJOR_VERSION:
                {
                        this->logger->log(this->logger, AUDIT, "IKE_SA_INIT response contained a INVALID_MAJOR_VERSION notify. Deleting IKE_SA");
-                       return DELETE_ME;                                               
+                       return DESTROY_ME;                                              
                }
                case INVALID_KE_PAYLOAD:
                {
@@ -671,7 +671,7 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
                                this->logger->log(this->logger, AUDIT, 
                                                                  "Peer does only accept DH group %s, which we do not accept! Aborting",
                                                                  mapping_find(diffie_hellman_group_m, dh_group));
-                               return DELETE_ME;
+                               return DESTROY_ME;
                        }
                        
                        /* Going to change state back to initiator_init_t */
@@ -691,7 +691,7 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
                        this->public.state_interface.destroy(&(this->public.state_interface));
                        if (initiator_init_state->retry_initiate_connection (initiator_init_state, dh_group) != SUCCESS)
                        {
-                               return DELETE_ME;
+                               return DESTROY_ME;
                        }
                        return FAILED;
                }
@@ -705,7 +705,7 @@ static status_t process_notify_payload(private_ike_sa_init_requested_t *this, no
                        {
                                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT reply contained an unknown notify error (%d). Deleting IKE_SA",
                                                                  notify_message_type);
-                               return DELETE_ME;       
+                               return DESTROY_ME;      
                        }
                        else
                        {
index 84187f0..3a37924 100644 (file)
@@ -152,7 +152,7 @@ struct private_ike_sa_init_responded_t {
         * @param this          calling object
         * @param notify_payload payload to process
         * @return
-        *                                      - DELETE_ME if IKE_SA should be deleted
+        *                                      - DESTROY_ME if IKE_SA should be deleted
         *                                      - SUCCSS if processed successfull
         */
        status_t (*process_notify_payload) (private_ike_sa_init_responded_t *this, notify_payload_t* notify_payload);
@@ -210,7 +210,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                        this->logger->log(this->logger, ERROR | LEVEL1, "IKE_AUTH request contains unsupported payload with critical flag set. "
                                                                                                                        "Deleting IKE_SA");
                        this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, UNSUPPORTED_CRITICAL_PAYLOAD, CHUNK_INITIALIZER);
-                       return DELETE_ME;
+                       return DESTROY_ME;
                }
                else
                {
@@ -291,7 +291,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
        if (!(idi_request && sa_request && auth_request && tsi_request && tsr_request))
        {
                this->logger->log(this->logger, AUDIT, "IKE_AUTH reply did not contain all required payloads. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
                
        /* build response */
@@ -335,7 +335,7 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
        {
                this->logger->log(this->logger, AUDIT, "Unable to send IKE_AUTH reply. Deleting IKE_SA");
                response->destroy(response);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* install child SA policies */
@@ -355,12 +355,12 @@ static status_t process_message(private_ike_sa_init_responded_t *this, message_t
                if (status != SUCCESS)
                {
                        this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA policy! Deleting IKE_SA");
-                       return DELETE_ME;
+                       return DESTROY_ME;
                }
                this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
        }
        
-       /* create new state */                                          
+       /* create new state */
        this->ike_sa->set_new_state(this->ike_sa, (state_t*)ike_sa_established_create(this->ike_sa));
        this->destroy_after_state_change(this);
        
@@ -403,7 +403,7 @@ static status_t build_idr_payload(private_ike_sa_init_responded_t *this, id_payl
        {
                this->logger->log(this->logger, AUDIT, "We don't have a policy for IDs %s - %s. Deleting IKE_SA", 
                                                  my_id->get_string(my_id), other_id->get_string(other_id));
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* get my id from policy, which must contain a fully qualified valid id */
@@ -462,7 +462,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
        {
                this->logger->log(this->logger, AUDIT, "IKE_AUTH request did not contain any proposals we accept. Deleting IKE_SA");
                this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
-               return DELETE_ME;       
+               return DESTROY_ME;      
        }
        
        /* set up child sa */
@@ -481,7 +481,7 @@ static status_t build_sa_payload(private_ike_sa_init_responded_t *this, sa_paylo
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Could not install CHILD_SA! Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* create payload with selected propsal */
@@ -508,7 +508,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
                this->logger->log(this->logger, AUDIT, "IKE_AUTH request verification failed. Deleting IKE_SA");
                this->ike_sa->send_notify(this->ike_sa, IKE_AUTH, AUTHENTICATION_FAILED, CHUNK_INITIALIZER);
                authenticator->destroy(authenticator);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
                
        status = authenticator->compute_auth_data(authenticator,&auth_reply, this->ike_sa_init_response_data,this->received_nonce,my_id_payload,FALSE);
@@ -516,8 +516,7 @@ static status_t build_auth_payload(private_ike_sa_init_responded_t *this, auth_p
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Unable to build authentication data for IKE_AUTH reply. Deleting IKE_SA");
-               return DELETE_ME;
-               
+               return DESTROY_ME;
        }
        
        response->add_payload(response, (payload_t *)auth_reply);
index 35d1523..9636d8f 100644 (file)
@@ -131,7 +131,7 @@ static status_t initiate_connection (private_initiator_init_t *this, connection_
        {
                this->logger->log(this->logger, ERROR | LEVEL1, "Could not get a policy for '%s - %s', aborting",
                                                  my_id->get_string(my_id), other_id->get_string(other_id));
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        this->ike_sa->set_policy(this->ike_sa,policy);
        
@@ -157,7 +157,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
        if (dh_group == MODP_UNDEFINED)
        {
                this->logger->log(this->logger, AUDIT, "No DH group acceptable for initialization, Aborting");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        connection = this->ike_sa->get_connection(this->ike_sa);
@@ -181,7 +181,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
        {
                this->logger->log(this->logger, ERROR, "Building nonce payload failed. Aborting");
                message->destroy(message);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* message can now be sent (must not be destroyed) */
@@ -190,7 +190,7 @@ status_t retry_initiate_connection (private_initiator_init_t *this, diffie_hellm
        {
                this->logger->log(this->logger, AUDIT, "Unable to initiate connection, could not send message. Aborting");
                message->destroy(message);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        message = this->ike_sa->get_last_requested_message(this->ike_sa);
index 6b4940a..903c580 100644 (file)
@@ -52,7 +52,7 @@ struct initiator_init_t {
         * @param connection    connection to initiate
         * @return                              
         *                                              - SUCCESS
-        *                                              - DELETE_ME if something failed
+        *                                              - DESTROY_ME if something failed
         */
        status_t (*initiate_connection) (initiator_init_t *this, connection_t *connection);
        
@@ -65,7 +65,7 @@ struct initiator_init_t {
         * @param dh_group_priority     dh group priority to try with
         * @return                              
         *                                                      - SUCCESS
-        *                                                      - DELETE_ME if something failed (see log for error)
+        *                                                      - DESTROY_ME if something failed (see log for error)
         */
        status_t (*retry_initiate_connection) (initiator_init_t *this, int dh_group_priority);
 };
index 10acf64..8ee7726 100644 (file)
@@ -97,7 +97,7 @@ struct private_responder_init_t {
         * @param sa_request    The received SA payload
         * @param response              the SA payload is added to this response message_t object.
         * @return
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         *                                              - SUCCESS
         */
        status_t (*build_sa_payload) (private_responder_init_t *this,sa_payload_t *sa_request, message_t *response);
@@ -108,7 +108,7 @@ struct private_responder_init_t {
         * @param this          calling object
         * @param ke_request    The received KE payload
         * @param response              the KE payload is added to this response message_t object.
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         *                                              - SUCCESS
         */
        status_t (*build_ke_payload) (private_responder_init_t *this,ke_payload_t *ke_request, message_t *response);
@@ -119,7 +119,7 @@ struct private_responder_init_t {
         * @param this                  calling object
         * @param nonce_request The received NONCE payload
         * @param response              the NONCE payload is added to this response message_t object.
-        *                                              - DELETE_ME
+        *                                              - DESTROY_ME
         *                                              - SUCCESS
         */
        status_t (*build_nonce_payload) (private_responder_init_t *this,nonce_payload_t *nonce_request, message_t *response);   
@@ -164,12 +164,12 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        if (message->get_exchange_type(message) != IKE_SA_INIT)
        {
                this->logger->log(this->logger, ERROR | LEVEL1, "Message of type %s not supported in state responder_init",mapping_find(exchange_type_m,message->get_exchange_type(message)));
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        if (!message->get_request(message))
        {
                this->logger->log(this->logger, ERROR | LEVEL1, "IKE_SA_INIT responses not allowed state ike_sa_init_responded");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* this is the first message to process, so get host infos */
@@ -182,7 +182,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                /* no configuration matches given hosts */
                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request does not match any available connection. Deleting IKE_SA");
                /* TODO: inform requestor */
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        this->ike_sa->set_connection(this->ike_sa,connection);
        
@@ -200,7 +200,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
                {
                        this->logger->log(this->logger, AUDIT, "Unable to parse IKE_SA_INIT request. Deleting IKE_SA");
                }
-               return DELETE_ME;
+               return DESTROY_ME;
        }
 
        payloads = message->get_payload_iterator(message);      
@@ -251,7 +251,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        if (!(sa_request && ke_request && nonce_request))
        {
                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request did not contain all required payloads. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        this->ike_sa->build_message(this->ike_sa, IKE_SA_INIT, FALSE, &response);
@@ -282,7 +282,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        if (status != SUCCESS)
        {
                this->logger->log(this->logger, AUDIT, "Transform objects could not be created from selected proposal. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        /* message can now be sent (must not be destroyed) */
@@ -291,7 +291,7 @@ static status_t process_message(private_responder_init_t *this, message_t *messa
        {
                this->logger->log(this->logger, AUDIT, "Unable to send IKE_SA_INIT response. Deleting IKE_SA");
                response->destroy(response);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
 
        /* state can now be changed */
@@ -340,7 +340,7 @@ static status_t build_sa_payload(private_responder_init_t *this,sa_payload_t *sa
        {
                this->logger->log(this->logger, AUDIT, "IKE_SA_INIT request did not contain any acceptable proposals. Deleting IKE_SA");
                this->ike_sa->send_notify(this->ike_sa, IKE_SA_INIT, NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        /* get selected DH group to force policy, this is very restrictive!? */
        this->proposal->get_algorithm(this->proposal, PROTO_IKE, DIFFIE_HELLMAN_GROUP, &algo);
@@ -372,7 +372,7 @@ static status_t build_ke_payload(private_responder_init_t *this,ke_payload_t *ke
        if (group == MODP_UNDEFINED)
        {
                this->logger->log(this->logger, AUDIT, "No diffie hellman group to select. Deleting IKE_SA");
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        
        if (this->dh_group_number != group)
@@ -387,7 +387,7 @@ static status_t build_ke_payload(private_responder_init_t *this,ke_payload_t *ke
                accepted_group_chunk.ptr = (u_int8_t*) &(accepted_group);
                accepted_group_chunk.len = 2;
                this->ike_sa->send_notify(this->ike_sa,IKE_SA_INIT,INVALID_KE_PAYLOAD,accepted_group_chunk);
-               return DELETE_ME;
+               return DESTROY_ME;
        }
                        
        /* create diffie hellman object to handle DH exchange */
@@ -396,7 +396,7 @@ static status_t build_ke_payload(private_responder_init_t *this,ke_payload_t *ke
        {
                this->logger->log(this->logger, AUDIT, "Could not generate DH object with group %d. Deleting IKE_SA",
                                                        mapping_find(diffie_hellman_group_m,group) );
-               return DELETE_ME;
+               return DESTROY_ME;
        }
        this->logger->log(this->logger, CONTROL | LEVEL2, "Set other DH public value");
        
index 595f5ab..eda2987 100644 (file)
@@ -33,5 +33,6 @@ mapping_t ike_sa_state_m[] = {
        {IKE_SA_INIT_RESPONDED, "IKE_SA_INIT_RESPONDED"},
        {IKE_AUTH_REQUESTED, "IKE_AUTH_REQUESTED"},
        {IKE_SA_ESTABLISHED, "IKE_SA_ESTABLISHED"},
+       {DELETE_REQUESTED, "DELETE_REQUESTED"},
        {MAPPING_END, NULL}
 };
index c93068d..0f39aec 100644 (file)
@@ -90,9 +90,20 @@ enum ike_sa_state_t {
         * 
         * In this state, all the informations for an IKE_SA and one CHILD_SA are known.
         * 
-        * Implemented in class ike_sa_established_t.
+        * Implemented in class ike_sa_established_t.
         */
-       IKE_SA_ESTABLISHED = 6
+       IKE_SA_ESTABLISHED = 6,
+
+       /**
+        * @brief An IKE SA has sent a DELETE IKE_SA to the other peer.
+        * 
+        * After a call to ike_sa.close(), the IKE_SA sends a delete message 
+        * to the remote peer and switches to this state. It waits until the
+        * message is aknowledged, or a certain timout occurs.
+        * 
+        * Implemented in class delete_requested.
+        */
+       DELETE_REQUESTED = 7
 };
 
 
@@ -122,6 +133,7 @@ typedef struct state_t state_t;
  * - IKE_SA_INIT_RESPONDED: implemented in ike_sa_init_responded_t
  * - IKE_AUTH_REQUESTED: implemented in ike_auth_requested_t
  * - IKE_SA_ESTABLISHED: implemented in ike_sa_established_t
+ * - DELETE_REQUESTED: implemented in delete_requested_t
  * 
  * @b Constructors:
  *  - initiator_init_create()
@@ -130,6 +142,7 @@ typedef struct state_t state_t;
  *  - ike_sa_init_responded_create()
  *  - ike_auth_requested_create()
  *  - ike_sa_established_create()
+ *  - delete_requested_create()
  * 
  * @ingroup states
  */
@@ -143,7 +156,7 @@ struct state_t {
         * @return                              
         *                                              - SUCCESSFUL
         *                                              - FAILED
-        *                                              - DELETE_ME if belonging IKE_SA should be deleted
+        *                                              - DESTROY_ME if belonging IKE_SA should be deleted
         */
        status_t (*process_message) (state_t *this,message_t *message);
 
index 57b2539..51d29c2 100644 (file)
@@ -146,8 +146,8 @@ static void process_jobs(private_thread_pool_t *this)
        
        this->worker_logger->log(this->worker_logger, CONTROL, "worker thread running,    thread_ID: %06d", (int)pthread_self());
 
-       for (;;) {
-               
+       for (;;)
+       {
                job = charon->job_queue->get(charon->job_queue);
                job_type = job->get_type(job);
                this->worker_logger->log(this->worker_logger, CONTROL|LEVEL2, "Process job of type %s", 
@@ -207,47 +207,43 @@ static void process_jobs(private_thread_pool_t *this)
  */
 static void process_incoming_packet_job(private_thread_pool_t *this, incoming_packet_job_t *job)
 {
-       packet_t        *packet;
-       message_t       *message;
-       ike_sa_t        *ike_sa;
+       packet_t *packet;
+       message_t *message;
+       ike_sa_t *ike_sa;
        ike_sa_id_t *ike_sa_id;
-       status_t        status;
-       
+       status_t status;
        
        packet = job->get_packet(job);
-                               
+       
        message = message_create_from_packet(packet);
-
        status = message->parse_header(message);
        if (status != SUCCESS)
        {
                this->worker_logger->log(this->worker_logger, ERROR, "Message header could not be verified!");                          
                message->destroy(message);
-               return;                                                                         
+               return;
        }
-                               
+       
        this->worker_logger->log(this->worker_logger, CONTROL|LEVEL2, "Message is a %s %s", 
                                                         mapping_find(exchange_type_m, message->get_exchange_type(message)),
                                                         message->get_request(message) ? "request" : "reply");
-                               
-       if ((message->get_major_version(message) != IKE_MAJOR_VERSION) || 
-                       (message->get_minor_version(message) != IKE_MINOR_VERSION))
+       
+       if ((message->get_major_version(message) != IKE_MAJOR_VERSION) ||
+               (message->get_minor_version(message) != IKE_MINOR_VERSION))
        {
-               this->worker_logger->log(this->worker_logger, ERROR | LEVEL2, "IKE version %d.%d not supported", 
-                                                                       message->get_major_version(message),
-                                                                       message->get_minor_version(message));   
-               /*
-                * This check is not handled in state_t object of IKE_SA to increase speed.
-                */
+               this->worker_logger->log(this->worker_logger, ERROR | LEVEL2,
+                                                                "IKE version %d.%d not supported",
+                                                                message->get_major_version(message),
+                                                                message->get_minor_version(message));
                if ((message->get_exchange_type(message) == IKE_SA_INIT) && (message->get_request(message)))
-                       {
+               {
                        message_t *response;
                        message->get_ike_sa_id(message, &ike_sa_id);
                        ike_sa_id->switch_initiator(ike_sa_id);
                        response = message_create_notify_reply(message->get_destination(message),
-                                                                                                       message->get_source(message),
-                                                                                                       IKE_SA_INIT,
-                                                                                                       FALSE,ike_sa_id,INVALID_MAJOR_VERSION);
+                                                                                                  message->get_source(message),
+                                                                                                  IKE_SA_INIT, FALSE, ike_sa_id,
+                                                                                                  INVALID_MAJOR_VERSION);
                        message->destroy(message);
                        ike_sa_id->destroy(ike_sa_id);
                        status = response->generate(response, NULL, NULL, &packet);
@@ -265,27 +261,24 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa
                message->destroy(message);
                return;
        }
-                               
+       
        message->get_ike_sa_id(message, &ike_sa_id);
-                       
+       
        ike_sa_id->switch_initiator(ike_sa_id);
-                               
+       
        this->worker_logger->log(this->worker_logger, CONTROL|LEVEL3, "Checking out IKE SA %lld:%lld, role %s", 
                                                         ike_sa_id->get_initiator_spi(ike_sa_id),
                                                         ike_sa_id->get_responder_spi(ike_sa_id),
                                                         ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
-                               
+       
        status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
        if ((status != SUCCESS) && (status != CREATED))
        {
                this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out");
                ike_sa_id->destroy(ike_sa_id);  
                message->destroy(message);
-
-               /*
-                * TODO send notify reply of type INVALID_IKE_SPI if SPI could not be found ?
-                */
-
+               
+               /* TODO: send notify reply of type INVALID_IKE_SPI if SPI could not be found ? */
                return;
        }
 
@@ -296,25 +289,25 @@ static void process_incoming_packet_job(private_thread_pool_t *this, incoming_pa
                this->create_delete_half_open_ike_sa_job(this,ike_sa_id, 
                                charon->configuration->get_half_open_ike_sa_timeout(charon->configuration));
        }
-
+       
        status = ike_sa->process_message(ike_sa, message);
-                               
+       
        this->worker_logger->log(this->worker_logger, CONTROL|LEVEL3, "%s IKE SA %lld:%lld, role %s", 
-                                                        (status == DELETE_ME) ? "Checkin and delete" : "Checkin",
+                                                        (status == DESTROY_ME) ? "Checkin and delete" : "Checkin",
                                                         ike_sa_id->get_initiator_spi(ike_sa_id),
                                                         ike_sa_id->get_responder_spi(ike_sa_id),
                                                         ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder");
        ike_sa_id->destroy(ike_sa_id);
-               
-       if (status == DELETE_ME)
+       
+       if (status == DESTROY_ME)
        {
-               status = charon->ike_sa_manager->checkin_and_delete(charon->ike_sa_manager, ike_sa);
+               status = charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
        }
        else
        {
                status = charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
        }
-                                       
+       
        if (status != SUCCESS)
        {
                this->worker_logger->log(this->worker_logger, ERROR, "Checkin of IKE SA failed!");
@@ -345,7 +338,7 @@ static void process_initiate_ike_sa_job(private_thread_pool_t *this, initiate_ik
        {
                this->worker_logger->log(this->worker_logger, ERROR, "Initiation returned %s, going to delete IKE_SA.", 
                                                                 mapping_find(status_m, status));
-               charon->ike_sa_manager->checkin_and_delete(charon->ike_sa_manager, ike_sa);
+               charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
                return;
        }
 
@@ -373,11 +366,10 @@ static void process_delete_half_open_ike_sa_job(private_thread_pool_t *this, del
        status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
        if ((status != SUCCESS) && (status != CREATED))
        {
-               this->worker_logger->log(this->worker_logger, CONTROL | LEVEL3, "IKE SA seems to be already deleted and so doesn't have to be deleted");
+               this->worker_logger->log(this->worker_logger, CONTROL | LEVEL3, "IKE SA seems to be already deleted");
                return;
        }
        
-
        switch (ike_sa->get_state(ike_sa))
        {
                case INITIATOR_INIT:
@@ -385,9 +377,10 @@ static void process_delete_half_open_ike_sa_job(private_thread_pool_t *this, del
                case IKE_SA_INIT_REQUESTED:
                case IKE_SA_INIT_RESPONDED:
                case IKE_AUTH_REQUESTED:
+               case DELETE_REQUESTED:
                {
                        /* IKE_SA is half open and gets deleted! */
-                       status = charon->ike_sa_manager->checkin_and_delete(charon->ike_sa_manager, ike_sa);
+                       status = charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, ike_sa);
                        if (status != SUCCESS)
                        {
                                this->worker_logger->log(this->worker_logger, ERROR, "Could not checkin and delete checked out IKE_SA!");
@@ -415,39 +408,14 @@ static void process_delete_established_ike_sa_job(private_thread_pool_t *this, d
        ike_sa_id_t *ike_sa_id = job->get_ike_sa_id(job);
        ike_sa_t *ike_sa;
        status_t status;        
-       status = charon->ike_sa_manager->checkout(charon->ike_sa_manager,ike_sa_id, &ike_sa);
-       if ((status != SUCCESS) && (status != CREATED))
-       {
-               this->worker_logger->log(this->worker_logger, CONTROL | LEVEL3, "IKE SA seems to be already deleted and so doesn't have to be deleted");
-               return;
-       }
-
-       switch (ike_sa->get_state(ike_sa))
-       {
-               case INITIATOR_INIT:
-               case RESPONDER_INIT:
-               case IKE_SA_INIT_REQUESTED:
-               case IKE_SA_INIT_RESPONDED:
-               case IKE_AUTH_REQUESTED:
-               {
-                       break;
-               }
-               default:
-               {
-                       this->worker_logger->log(this->worker_logger, CONTROL, "Send delete request for IKE_SA.");                      
-                       ike_sa->send_delete_ike_sa_request(ike_sa);
-                       break;
-               }
-       }
-       this->worker_logger->log(this->worker_logger, CONTROL, "Delete established IKE_SA.");   
-       status = charon->ike_sa_manager->checkin_and_delete(charon->ike_sa_manager, ike_sa);
+       status = charon->ike_sa_manager->delete(charon->ike_sa_manager, ike_sa_id);
        if (status != SUCCESS)
        {
-               this->worker_logger->log(this->worker_logger, ERROR, "Could not checkin and delete checked out IKE_SA!");
+               this->worker_logger->log(this->worker_logger, CONTROL, "IKE SA didn't exist anymore");
+               return;
        }
 }
 
-
 /**
  * Implementation of private_thread_pool_t.process_retransmit_request_job.
  */
@@ -470,7 +438,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
        if ((status != SUCCESS) && (status != CREATED))
        {
                job->destroy(job);
-               this->worker_logger->log(this->worker_logger, ERROR, "IKE SA could not be checked out. Already deleted?");
+               this->worker_logger->log(this->worker_logger, ERROR|LEVEL1, "IKE SA could not be checked out. Already deleted?");
                return;
        }
                                
@@ -478,7 +446,7 @@ static void process_retransmit_request_job(private_thread_pool_t *this, retransm
                                
        if (status != SUCCESS)
        {
-               this->worker_logger->log(this->worker_logger, CONTROL | LEVEL3, "Message doesn't have to be retransmitted");
+               this->worker_logger->log(this->worker_logger, CONTROL|LEVEL3, "Message doesn't have to be retransmitted");
                stop_retransmitting = TRUE;
        }
                                
index 3427b94..6ba2a00 100644 (file)
@@ -39,7 +39,7 @@ mapping_t status_m[] = {
        {PARSE_ERROR, "PARSE_ERROR"},
        {VERIFY_ERROR, "VERIFY_ERROR"},
        {INVALID_STATE, "INVALID_STATE"},
-       {DELETE_ME, "DELETE_ME"},
+       {DESTROY_ME, "DESTROY_ME"},
        {CREATED, "CREATED"},
        {MAPPING_END, NULL}
 };
index 0498bda..14aee2c 100644 (file)
@@ -61,10 +61,10 @@ enum status_t {
        /**
         * Out of ressources.
         */
-       
        OUT_OF_RES,
+       
        /**
-        * Already done.
+        * The suggested operation is already done
         */
        ALREADY_DONE,
        
@@ -99,9 +99,9 @@ enum status_t {
        INVALID_STATE,
        
        /**
-        * Delete object which function belongs to.
+        * Destroy object which called method belongs to.
         */
-       DELETE_ME,
+       DESTROY_ME,
        
        /**
         * An object got created.
index ee7eae3..88e190e 100644 (file)
@@ -55,534 +55,595 @@ static unsigned int _action_ = 0;
 static void
 fsig(int signal)
 {
-       switch (signal)
-       {
+    switch (signal)
+    {
        case SIGCHLD:
-               {
-                       int status;
-                       pid_t pid;
-                       char *name = NULL;
-
-                       while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
-               {
-                               if (pid == starter_pluto_pid())
-                               name = " (Pluto)";
-                               if (pid == starter_charon_pid())
-                                       name = " (Charon)";
-                               if (WIFSIGNALED(status))
-                                       DBG(DBG_CONTROL,
-                                               DBG_log("child %d%s has been killed by sig %d\n",
-                                                       pid, name?name:"", WTERMSIG(status))
-                               )
-                               else if (WIFSTOPPED(status))
-                                       DBG(DBG_CONTROL,
-                                               DBG_log("child %d%s has been stopped by sig %d\n",
-                                                       pid, name?name:"", WSTOPSIG(status))
-                               )
-                               else if (WIFEXITED(status))
-                               DBG(DBG_CONTROL,
-                                               DBG_log("child %d%s has quit (exit code %d)\n",
-                                                       pid, name?name:"", WEXITSTATUS(status))
-                                       )
-                               else
-                                       DBG(DBG_CONTROL,
-                                               DBG_log("child %d%s has quit", pid, name?name:"")
-                               )
-
-                               if (pid == starter_pluto_pid())
-                                       starter_pluto_sigchild(pid);
-                               if (pid == starter_charon_pid())
-                                       starter_charon_sigchild(pid);
-                       }
-               }
-               break;
-
-    case SIGPIPE:
-               /** ignore **/
-               break;
-
-    case SIGALRM:
-                       _action_ |= FLAG_ACTION_START_PLUTO;
-                       _action_ |= FLAG_ACTION_START_CHARON;
-               break;
-
-    case SIGHUP:
-               _action_ |= FLAG_ACTION_UPDATE;
-               break;
-
-    case SIGTERM:
-    case SIGQUIT:
-    case SIGINT:
-       _action_ |= FLAG_ACTION_QUIT;
-               break;
-
-    case SIGUSR1:
-               _action_ |= FLAG_ACTION_RELOAD;
-               _action_ |= FLAG_ACTION_UPDATE;
-               break;
-
-    default:
-               plog("fsig(): unknown signal %d -- investigate", signal);
-               break;
+       {
+           int status;
+           pid_t pid;
+           char *name = NULL;
+
+           while ((pid = waitpid(-1, &status, WNOHANG)) > 0)
+           {
+               if (pid == starter_pluto_pid())
+                   name = " (Pluto)";
+               if (pid == starter_charon_pid())
+                   name = " (Charon)";
+               if (WIFSIGNALED(status))
+                   DBG(DBG_CONTROL,
+                       DBG_log("child %d%s has been killed by sig %d\n",
+                               pid, name?name:"", WTERMSIG(status))
+                      )
+               else if (WIFSTOPPED(status))
+                   DBG(DBG_CONTROL,
+                       DBG_log("child %d%s has been stopped by sig %d\n",
+                               pid, name?name:"", WSTOPSIG(status))
+                      )
+               else if (WIFEXITED(status))
+                   DBG(DBG_CONTROL,
+                       DBG_log("child %d%s has quit (exit code %d)\n",
+                               pid, name?name:"", WEXITSTATUS(status))
+                      )
+               else
+                   DBG(DBG_CONTROL,
+                       DBG_log("child %d%s has quit", pid, name?name:"")
+                      )
+               if (pid == starter_pluto_pid())
+                   starter_pluto_sigchild(pid);
+               if (pid == starter_charon_pid())
+                   starter_charon_sigchild(pid);
+           }
+       }
+       break;
+
+       case SIGPIPE:
+           /** ignore **/
+           break;
+
+       case SIGALRM:
+           _action_ |= FLAG_ACTION_START_PLUTO;
+           _action_ |= FLAG_ACTION_START_CHARON;
+           break;
+
+       case SIGHUP:
+           _action_ |= FLAG_ACTION_UPDATE;
+           break;
+
+       case SIGTERM:
+       case SIGQUIT:
+       case SIGINT:
+           _action_ |= FLAG_ACTION_QUIT;
+           break;
+
+       case SIGUSR1:
+           _action_ |= FLAG_ACTION_RELOAD;
+           _action_ |= FLAG_ACTION_UPDATE;
+           break;
+
+       default:
+           plog("fsig(): unknown signal %d -- investigate", signal);
+           break;
     }
 }
 
 static void
 usage(char *name)
 {
-       fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
-                                       "[--debug|--debug-more|--debug-all]\n");
-       exit(1);
+    fprintf(stderr, "Usage: starter [--nofork] [--auto-update <sec>] "
+           "[--debug|--debug-more|--debug-all]\n");
+    exit(1);
 }
 
 int main (int argc, char **argv)
 {
-       starter_config_t *cfg = NULL;
-       starter_config_t *new_cfg;
-       starter_conn_t *conn, *conn2;
-       starter_ca_t *ca, *ca2;
+    starter_config_t *cfg = NULL;
+    starter_config_t *new_cfg;
+    starter_conn_t *conn, *conn2;
+    starter_ca_t *ca, *ca2;
 
-       struct stat stb;
+    struct stat stb;
 
-       char *err = NULL;
-       int i;
-       int id = 1;
-       struct timeval tv;
-       unsigned long auto_update = 0;
-       time_t last_reload;
-       bool no_fork = FALSE;
+    char *err = NULL;
+    int i;
+    int id = 1;
+    struct timeval tv;
+    unsigned long auto_update = 0;
+    time_t last_reload;
+    bool no_fork = FALSE;
 
-       /* global variables defined in log.h */
-       log_to_stderr = TRUE;
-       base_debugging = DBG_NONE;
+    /* global variables defined in log.h */
+    log_to_stderr = TRUE;
+    base_debugging = DBG_NONE;
 
     /* parse command line */
-       for (i = 1; i < argc; i++)
+    for (i = 1; i < argc; i++)
+    {
+       if (streq(argv[i], "--debug"))
        {
-               if (streq(argv[i], "--debug"))
-               {
-                       base_debugging |= DBG_CONTROL;
-               }
-               else if (streq(argv[i], "--debug-more"))
-               {
-                       base_debugging |= DBG_CONTROLMORE;
-               }
-               else if (streq(argv[i], "--debug-all"))
-               {
-                       base_debugging |= DBG_ALL;
-               }
-               else if (streq(argv[i], "--nofork"))
-               {
-                       no_fork = TRUE;
-               }
-               else if (streq(argv[i], "--auto-update") && i+1 < argc)
-               {
-                       auto_update = atoi(argv[++i]);
-                       if (!auto_update)
-                               usage(argv[0]);
-               }
-               else
-               {
-                       usage(argv[0]);
-               }
+           base_debugging |= DBG_CONTROL;
        }
-
-       /* Init */
-       init_log("ipsec_starter");
-       cur_debugging = base_debugging;
-
-       signal(SIGHUP,  fsig);
-       signal(SIGCHLD, fsig);
-       signal(SIGPIPE, fsig);
-       signal(SIGINT,  fsig);
-       signal(SIGTERM, fsig);
-       signal(SIGQUIT, fsig);
-       signal(SIGALRM, fsig);
-       signal(SIGUSR1, fsig);
-
-       plog("Starting strongSwan %s IPsec [starter]...", ipsec_version_code());
-
-       /* verify that we can start */
-       if (getuid() != 0)
+       else if (streq(argv[i], "--debug-more"))
        {
-               plog("permission denied (must be superuser)");
-               exit(1);
+           base_debugging |= DBG_CONTROLMORE;
        }
-
-       if (stat(PLUTO_PID_FILE, &stb) == 0)
+       else if (streq(argv[i], "--debug-all"))
        {
-               plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
+           base_debugging |= DBG_ALL;
        }
-       else
+       else if (streq(argv[i], "--nofork"))
        {
-               _action_ |= FLAG_ACTION_START_PLUTO;
+           no_fork = TRUE;
        }
-       if (stat(CHARON_PID_FILE, &stb) == 0)
+       else if (streq(argv[i], "--auto-update") && i+1 < argc)
        {
-               plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
+           auto_update = atoi(argv[++i]);
+           if (!auto_update)
+               usage(argv[0]);
        }
        else
        {
-               _action_ |= FLAG_ACTION_START_CHARON;
-       }
-       if (stat(DEV_RANDOM, &stb) != 0)
-       {
-               plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
-               exit(1);
+           usage(argv[0]);
        }
+    }
 
-       if (stat(DEV_URANDOM, &stb)!= 0)
-       {
-               plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
-               exit(1);
-       }
+    /* Init */
+    init_log("ipsec_starter");
+    cur_debugging = base_debugging;
 
-       cfg = confread_load(CONFIG_FILE);
-       if (!cfg)
-       {
-               plog("unable to start strongSwan -- errors in config");
-               exit(1);
-       }
+    signal(SIGHUP,  fsig);
+    signal(SIGCHLD, fsig);
+    signal(SIGPIPE, fsig);
+    signal(SIGINT,  fsig);
+    signal(SIGTERM, fsig);
+    signal(SIGQUIT, fsig);
+    signal(SIGALRM, fsig);
+    signal(SIGUSR1, fsig);
 
-       /* determine if we have a native netkey IPsec stack */
-       if (!starter_netkey_init())
-       {
-               plog("nor netkey IPSec stack detected");
-               exit(1);
-       }
+    plog("Starting strongSwan %s IPsec [starter]...", ipsec_version_code());
 
-       last_reload = time(NULL);
+    /* verify that we can start */
+    if (getuid() != 0)
+    {
+       plog("permission denied (must be superuser)");
+       exit(1);
+    }
 
-       if (stat(STARTER_PID_FILE, &stb) == 0)
-       {
-               plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
-               exit(0);
-       }
+    if (stat(PLUTO_PID_FILE, &stb) == 0)
+    {
+       plog("pluto is already running (%s exists) -- skipping pluto start", PLUTO_PID_FILE);
+    }
+    else
+    {
+       _action_ |= FLAG_ACTION_START_PLUTO;
+    }
+    if (stat(CHARON_PID_FILE, &stb) == 0)
+    {
+       plog("charon is already running (%s exists) -- skipping charon start", CHARON_PID_FILE);
+    }
+    else
+    {
+       _action_ |= FLAG_ACTION_START_CHARON;
+    }
+    if (stat(DEV_RANDOM, &stb) != 0)
+    {
+       plog("unable to start strongSwan IPsec -- no %s!", DEV_RANDOM);
+       exit(1);
+    }
 
-       /* fork if we're not debugging stuff */
-       if (!no_fork)
+    if (stat(DEV_URANDOM, &stb)!= 0)
+    {
+       plog("unable to start strongSwan IPsec -- no %s!", DEV_URANDOM);
+       exit(1);
+    }
+
+    cfg = confread_load(CONFIG_FILE);
+    if (!cfg)
+    {
+       plog("unable to start strongSwan -- errors in config");
+       exit(1);
+    }
+
+    /* determine if we have a native netkey IPsec stack */
+    if (!starter_netkey_init())
+    {
+       plog("nor netkey IPSec stack detected");
+       exit(1);
+    }
+
+    last_reload = time(NULL);
+
+    if (stat(STARTER_PID_FILE, &stb) == 0)
+    {
+       plog("starter is already running (%s exists) -- no fork done", STARTER_PID_FILE);
+       exit(0);
+    }
+
+    /* fork if we're not debugging stuff */
+    if (!no_fork)
+    {
+       log_to_stderr = FALSE;
+
+       switch (fork())
        {
-               log_to_stderr = FALSE;
+           case 0:
+           {
+               int fnull = open("/dev/null", O_RDWR);
 
-               switch (fork())
+               if (fnull >= 0)
                {
-               case 0:
-                       {
-                               int fnull = open("/dev/null", O_RDWR);
-
-                               if (fnull >= 0)
-                               {
-                                       dup2(fnull, STDIN_FILENO);
-                                       dup2(fnull, STDOUT_FILENO);
-                                       dup2(fnull, STDERR_FILENO);
-                                       close(fnull);
-                               }
-                       }
-                       break;
-               case -1:
-                       plog("can't fork: %s", strerror(errno));
-                       break;
-               default:
-                       exit(0);
+                   dup2(fnull, STDIN_FILENO);
+                   dup2(fnull, STDOUT_FILENO);
+                   dup2(fnull, STDERR_FILENO);
+                   close(fnull);
                }
+           }
+           break;
+           case -1:
+               plog("can't fork: %s", strerror(errno));
+               break;
+           default:
+               exit(0);
+       }
     }
 
     /* save pid file in /var/run/starter.pid */
     {
-               FILE *fd = fopen(STARTER_PID_FILE, "w");
+       FILE *fd = fopen(STARTER_PID_FILE, "w");
 
-               if (fd)
-               {
-                       fprintf(fd, "%u\n", getpid());
-                       fclose(fd);
-               }
+       if (fd)
+       {
+           fprintf(fd, "%u\n", getpid());
+           fclose(fd);
+       }
     }
 
     for (;;)
     {
-               /*
-                * Stop pluto/charon (if started) and exit
-                */
-               if (_action_ & FLAG_ACTION_QUIT)
-               {
-                       if (starter_pluto_pid())
-                               starter_stop_pluto();
-                       if (starter_charon_pid())
-                               starter_stop_charon();
-                       starter_netkey_cleanup();
-                       confread_free(cfg);
-                       unlink(STARTER_PID_FILE);
-                       unlink(INFO_FILE);
+       /*
+        * Stop pluto/charon (if started) and exit
+        */
+       if (_action_ & FLAG_ACTION_QUIT)
+       {
+           if (starter_pluto_pid())
+               starter_stop_pluto();
+           if (starter_charon_pid())
+               starter_stop_charon();
+           starter_netkey_cleanup();
+           confread_free(cfg);
+           unlink(STARTER_PID_FILE);
+           unlink(INFO_FILE);
 #ifdef LEAK_DETECTIVE
-                       report_leaks();
+           report_leaks();
 #endif /* LEAK_DETECTIVE */
-                       close_log();
-                       plog("ipsec starter stopped");
-                       exit(0);
-               }
+           close_log();
+           plog("ipsec starter stopped");
+           exit(0);
+       }
 
-               /*
-                * Delete all connections. Will be added below
-                */
-               if (_action_ & FLAG_ACTION_RELOAD)
+       /*
+        * Delete all connections. Will be added below
+        */
+       if (_action_ & FLAG_ACTION_RELOAD)
+       {
+           if (starter_pluto_pid() || starter_charon_pid())
+           {
+               for (conn = cfg->conn_first; conn; conn = conn->next)
                {
-                       if (starter_pluto_pid() || starter_charon_pid())
+                   if (conn->state == STATE_ADDED)
+                   {
+                       if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
                        {
-                               for (conn = cfg->conn_first; conn; conn = conn->next)
-                               {
-                                       if (conn->state == STATE_ADDED)
-                                       {
-                                               if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                                       starter_stroke_del_conn(conn);
-                                               else
-                                                       starter_whack_del_conn(conn);
-                                               conn->state = STATE_TO_ADD;
-                               }
-                               }
-                               for (ca = cfg->ca_first; ca; ca = ca->next)
-                               {
-                                       if (ca->state == STATE_ADDED)
-                                       {
-                                               starter_whack_del_ca(ca);
-                                               ca->state = STATE_TO_ADD;
-                                       }
-                               }
+                           if (starter_charon_pid())
+                           {
+                               starter_stroke_del_conn(conn);
+                           }
                        }
-                       _action_ &= ~FLAG_ACTION_RELOAD;
+                       else
+                       {
+                           if (starter_pluto_pid())
+                           {
+                               starter_whack_del_conn(conn);
+                               conn->state = STATE_TO_ADD;
+                           }
+                       }
+                   }
                }
+               for (ca = cfg->ca_first; ca; ca = ca->next)
+               {
+                   if (ca->state == STATE_ADDED)
+                   {
+                       if (starter_pluto_pid())
+                       {
+                           starter_whack_del_ca(ca);
+                           ca->state = STATE_TO_ADD;
+                       }
+                   }
+               }
+           }
+           _action_ &= ~FLAG_ACTION_RELOAD;
+       }
 
-               /*
-                * Update configuration
-                */
-               if (_action_ & FLAG_ACTION_UPDATE)
+       /*
+        * Update configuration
+        */
+       if (_action_ & FLAG_ACTION_UPDATE)
+       {
+           err = NULL;
+           DBG(DBG_CONTROL,
+               DBG_log("Reloading config...")
+              );
+           new_cfg = confread_load(CONFIG_FILE);
+
+           if (new_cfg)
+           {
+               /* Switch to new config. New conn will be loaded below */
+               if (!starter_cmp_defaultroute(&new_cfg->defaultroute
+                                  , &cfg->defaultroute))
+               {
+                   _action_ |= FLAG_ACTION_LISTEN;
+               }
+
+               if (!starter_cmp_pluto(cfg, new_cfg)) 
+               {
+                   plog("Pluto has changed");
+                   if (starter_pluto_pid())
+                       starter_stop_pluto();
+                   _action_ &= ~FLAG_ACTION_LISTEN;
+                   _action_ |= FLAG_ACTION_START_PLUTO;
+               }
+               else
                {
-                       err = NULL;
-                       DBG(DBG_CONTROL,
-                               DBG_log("Reloading config...")
-                       )
-                       new_cfg = confread_load(CONFIG_FILE);
+                   /* Only reload conn and ca sections if pluto is not killed */
 
-                       if (new_cfg)
+                   /* Look for new connections that are already loaded */
+                   for (conn = cfg->conn_first; conn; conn = conn->next)
+                   {
+                       if (conn->state == STATE_ADDED)
                        {
-                               /* Switch to new config. New conn will be loaded below */
-                               if (!starter_cmp_defaultroute(&new_cfg->defaultroute
-                               , &cfg->defaultroute))
+                           for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
+                           {
+                               if (conn2->state == STATE_TO_ADD && starter_cmp_conn(conn, conn2))
                                {
-                                       _action_ |= FLAG_ACTION_LISTEN;
+                                   conn->state = STATE_REPLACED;
+                                   conn2->state = STATE_ADDED;
+                                   conn2->id = conn->id;
+                                   break;
                                }
+                           }
+                       }
+                   }
 
-                               if (!starter_cmp_pluto(cfg, new_cfg)) 
+                   /* Remove conn sections that have become unused */
+                   for (conn = cfg->conn_first; conn; conn = conn->next)
+                   {
+                       if (conn->state == STATE_ADDED)
+                       {
+                           if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+                           {
+                               if (starter_charon_pid())
                                {
-                                       plog("Pluto has changed");
-                                       if (starter_pluto_pid())
-                                               starter_stop_pluto();
-                                       _action_ &= ~FLAG_ACTION_LISTEN;
-                                       _action_ |= FLAG_ACTION_START_PLUTO;
+                                   starter_stroke_del_conn(conn);
                                }
-                               else
+                           }
+                           else
+                           {
+                               if (starter_pluto_pid())
                                {
-                                       /* Only reload conn and ca sections if pluto is not killed */
-
-                                       /* Look for new connections that are already loaded */
-                                       for (conn = cfg->conn_first; conn; conn = conn->next)
-                                       {
-                                               if (conn->state == STATE_ADDED)
-                                               {
-                                                       for (conn2 = new_cfg->conn_first; conn2; conn2 = conn2->next)
-                                                       {
-                                                               if (conn2->state == STATE_TO_ADD
-                                                               && starter_cmp_conn(conn, conn2))
-                                                               {
-                                                                       conn->state = STATE_REPLACED;
-                                                                       conn2->state = STATE_ADDED;
-                                                                       conn2->id = conn->id;
-                                                                       break;
-                                                               }
-                                                       }
-                                               }
-                                       }
-
-                                       /* Remove conn sections that have become unused */
-                                       for (conn = cfg->conn_first; conn; conn = conn->next)
-                                       {
-                                               if (conn->state == STATE_ADDED)
-                                               {
-                                                       if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                                               starter_stroke_del_conn(conn);
-                                                       else
-                                                               starter_whack_del_conn(conn);
-                                               }
-                                       }
-
-                                       /* Look for new ca sections that are already loaded */
-                                       for (ca = cfg->ca_first; ca; ca = ca->next)
-                                       {
-                                               if (ca->state == STATE_ADDED)
-                                               {
-                                                       for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
-                                                       {
-                                                               if (ca2->state == STATE_TO_ADD
-                                                               && starter_cmp_ca(ca, ca2))
-                                                               {
-                                                                       ca->state = STATE_REPLACED;
-                                                                       ca2->state = STATE_ADDED;
-                                                                       break;
-                                                               }
-                                               }
-                                               }
-                                       }
-
-                                       /* Remove ca sections that have become unused */
-                                       for (ca = cfg->ca_first; ca; ca = ca->next)
-                                       {
-                                               if (ca->state == STATE_ADDED)
-                                               starter_whack_del_ca(ca);
-                                       }
+                                   starter_whack_del_conn(conn);
                                }
-                               confread_free(cfg);
-                               cfg = new_cfg;
-                       }
-                       else
-                       {
-                               plog("can't reload config file: %s -- keeping old one");
+                           }
                        }
-                       _action_ &= ~FLAG_ACTION_UPDATE;
-                       last_reload = time(NULL);
-               }
+                   }
 
-               /*
-                * Start pluto
-                */
-               if (_action_ & FLAG_ACTION_START_PLUTO)
-               {
-                       if (cfg->setup.plutostart && !starter_pluto_pid())
+                   /* Look for new ca sections that are already loaded */
+                   for (ca = cfg->ca_first; ca; ca = ca->next)
+                   {
+                       if (ca->state == STATE_ADDED)
                        {
-                               DBG(DBG_CONTROL,
-                                       DBG_log("Attempting to start pluto...")
-                               )
-
-                               if (starter_start_pluto(cfg, no_fork) == 0)
+                           for (ca2 = new_cfg->ca_first; ca2; ca2 = ca2->next)
+                           {
+                               if (ca2->state == STATE_TO_ADD && starter_cmp_ca(ca, ca2))
                                {
-                                       starter_whack_listen();
-                               }
-                               else
-                               {
-                                       /* schedule next try */
-                                       alarm(PLUTO_RESTART_DELAY);
+                                   ca->state = STATE_REPLACED;
+                                   ca2->state = STATE_ADDED;
+                                   break;
                                }
+                           }
                        }
-                       _action_ &= ~FLAG_ACTION_START_PLUTO;
+                   }
 
-                       for (ca = cfg->ca_first; ca; ca = ca->next)
+                   /* Remove ca sections that have become unused */
+                   for (ca = cfg->ca_first; ca; ca = ca->next)
+                   {
+                       if (ca->state == STATE_ADDED)
                        {
-                               if (ca->state == STATE_ADDED)
-                               ca->state = STATE_TO_ADD;
+                           if (starter_pluto_pid())
+                           {
+                               starter_whack_del_ca(ca);
+                           }
                        }
+                   }
+               }
+               confread_free(cfg);
+               cfg = new_cfg;
+           }
+           else
+           {
+               plog("can't reload config file: %s -- keeping old one");
+           }
+           _action_ &= ~FLAG_ACTION_UPDATE;
+           last_reload = time(NULL);
+       }
 
-                       for (conn = cfg->conn_first; conn; conn = conn->next)
-                       {
-                               if (conn->state == STATE_ADDED)
-                                       conn->state = STATE_TO_ADD;
-                       }
+       /*
+        * Start pluto
+        */
+       if (_action_ & FLAG_ACTION_START_PLUTO)
+       {
+           if (cfg->setup.plutostart && !starter_pluto_pid())
+           {
+               DBG(DBG_CONTROL,
+                   DBG_log("Attempting to start pluto...")
+                  );
+
+               if (starter_start_pluto(cfg, no_fork) == 0)
+               {
+                   starter_whack_listen();
                }
+               else
+               {
+                   /* schedule next try */
+                   alarm(PLUTO_RESTART_DELAY);
+               }
+           }
+           _action_ &= ~FLAG_ACTION_START_PLUTO;
+
+           for (ca = cfg->ca_first; ca; ca = ca->next)
+           {
+               if (ca->state == STATE_ADDED)
+                   ca->state = STATE_TO_ADD;
+           }
+
+           for (conn = cfg->conn_first; conn; conn = conn->next)
+           {
+               if (conn->state == STATE_ADDED)
+                   conn->state = STATE_TO_ADD;
+           }
+       }
        
-               /*
-                * Start charon
-                */
-               if (_action_ & FLAG_ACTION_START_CHARON)
+       /*
+        * Start charon
+        */
+       if (_action_ & FLAG_ACTION_START_CHARON)
+       {
+           if (cfg->setup.charonstart && !starter_charon_pid())
+           {
+               DBG(DBG_CONTROL,
+                   DBG_log("Attempting to start charon...")
+                  );
+               if (starter_start_charon(cfg, no_fork))
                {
-                       if (cfg->setup.charonstart && !starter_charon_pid())
-                       {
-                               DBG(DBG_CONTROL,
-                                       DBG_log("Attempting to start charon...")
-                               )
-                               if (starter_start_charon(cfg, no_fork))
-                               {
-                                       /* schedule next try */
-                                       alarm(PLUTO_RESTART_DELAY);
-                               }
-                       }
-                       _action_ &= ~FLAG_ACTION_START_CHARON;
+                   /* schedule next try */
+                   alarm(PLUTO_RESTART_DELAY);
                }
+           }
+           _action_ &= ~FLAG_ACTION_START_CHARON;
+       }
 
-               /*
-                * Tell pluto to reread its interfaces
-                */
-               if (_action_ & FLAG_ACTION_LISTEN)
+       /*
+        * Tell pluto to reread its interfaces
+        */
+       if (_action_ & FLAG_ACTION_LISTEN)
+       {
+           if (starter_pluto_pid())
+           {
+               starter_whack_listen();
+               _action_ &= ~FLAG_ACTION_LISTEN;
+           }
+       }
+
+       /*
+        * Add stale conn and ca sections
+        */
+       if (starter_pluto_pid() || starter_charon_pid())
+       {
+           for (ca = cfg->ca_first; ca; ca = ca->next)
+           {
+               if (ca->state == STATE_TO_ADD)
                {
-                       starter_whack_listen();
-                       _action_ &= ~FLAG_ACTION_LISTEN;
+                   if (starter_pluto_pid())
+                   {
+                       starter_whack_add_ca(ca);
+                       ca->state = STATE_ADDED;
+                   }
                }
+           }
 
-               /*
-                * Add stale conn and ca sections
-                */
-               if (starter_pluto_pid() || starter_charon_pid())
+           for (conn = cfg->conn_first; conn; conn = conn->next)
+           {
+               if (conn->state == STATE_TO_ADD)
                {
-                       for (ca = cfg->ca_first; ca; ca = ca->next)
+                   if (conn->id == 0)
+                   {
+                       /* affect new unique id */
+                       conn->id = id++;
+                   }
+                   if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+                   {
+                       if (starter_charon_pid())
                        {
-                               if (ca->state == STATE_TO_ADD)
-                               {
-                                       starter_whack_add_ca(ca);
-                                       ca->state = STATE_ADDED;
-                               }
+                           starter_stroke_add_conn(conn);
                        }
+                   }
+                   else
+                   {
+                       if (starter_pluto_pid())
+                       {
+                           starter_whack_add_conn(conn);
+                       }
+                   }
+                   conn->state = STATE_ADDED;
 
-                       for (conn = cfg->conn_first; conn; conn = conn->next)
+                   if (conn->startup == STARTUP_START)
+                   {
+                       if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
                        {
-                               if (conn->state == STATE_TO_ADD)
-                               {
-                                       if (conn->id == 0)
-                                       {
-                                               /* affect new unique id */
-                                               conn->id = id++;
-                               }
-                                       if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                               starter_stroke_add_conn(conn);
-                                       else
-                                               starter_whack_add_conn(conn);
-                                       conn->state = STATE_ADDED;
-
-                                       if (conn->startup == STARTUP_START)
-                                       {
-                                               if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                                       starter_stroke_initiate_conn(conn);
-                                               else
-                                                       starter_whack_initiate_conn(conn);
-                                       }
-                                       else if (conn->startup == STARTUP_ROUTE)
-                                       {
-                                               if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
-                                                       starter_stroke_route_conn(conn);
-                                               else
-                                                       starter_whack_route_conn(conn);
-                                       }
-                               }
+                           if (starter_charon_pid())
+                           {
+                               starter_stroke_initiate_conn(conn);
+                           }
+                       }
+                       else
+                       {
+                           if (starter_pluto_pid())
+                           {
+                               starter_whack_initiate_conn(conn);
+                           }
+                       }
+                   }
+                   else if (conn->startup == STARTUP_ROUTE)
+                   {
+                       if (conn->keyexchange == KEY_EXCHANGE_IKEV2)
+                       {
+                           if (starter_charon_pid())
+                           {
+                               starter_stroke_route_conn(conn);
+                           }
+                       }
+                       else
+                       {
+                           if (starter_pluto_pid())
+                           {
+                                starter_whack_route_conn(conn);
+                           }
                        }
+                   }
                }
+           }
+       }
 
-               /*
-                * If auto_update activated, when to stop select
-                */
-               if (auto_update)
-               {
-                       time_t now = time(NULL);
+       /*
+        * If auto_update activated, when to stop select
+        */
+       if (auto_update)
+       {
+           time_t now = time(NULL);
 
-                       tv.tv_sec = (now < last_reload + auto_update)
-                               ? (last_reload + auto_update-now) : 0;
-                       tv.tv_usec = 0;
-               }
+           tv.tv_sec = (now < last_reload + auto_update)
+                   ? (last_reload + auto_update-now) : 0;
+           tv.tv_usec = 0;
+       }
 
-               /*
-                * Wait for something to happen
-                */
-               if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
-               {
-                       /* timeout -> auto_update */
-                       _action_ |= FLAG_ACTION_UPDATE;
-               }
+       /*
+        * Wait for something to happen
+        */
+       if (select(0, NULL, NULL, NULL, auto_update ? &tv : NULL) == 0)
+       {
+           /* timeout -> auto_update */
+           _action_ |= FLAG_ACTION_UPDATE;
        }
+    }
 
-       return 0;
+    return 0;
 }
 
index 67a0995..6fd8384 100644 (file)
 #include "confread.h"
 #include "files.h"
 
-static char* push_string(stroke_msg_t **strm, char *string)
+static char* 
+push_string(stroke_msg_t **strm, char *string)
 {
-       stroke_msg_t *stroke_msg;
-       size_t string_length;
-
-       if (string == NULL)
-       {
-               return NULL;
-       }
-       stroke_msg = *strm;
-       string_length = strlen(string) + 1;
-       stroke_msg->length += string_length;
-
-       stroke_msg = realloc(stroke_msg, stroke_msg->length);
-       strcpy((char*)stroke_msg + stroke_msg->length - string_length, string);
-
-       *strm = stroke_msg;
-       return (char*)(u_int)stroke_msg->length - string_length;
+    stroke_msg_t *stroke_msg;
+    size_t string_length;
+
+    if (string == NULL)
+    {
+       return NULL;
+    }
+    stroke_msg = *strm;
+    string_length = strlen(string) + 1;
+    stroke_msg->length += string_length;
+
+    stroke_msg = realloc(stroke_msg, stroke_msg->length);
+    strcpy((char*)stroke_msg + stroke_msg->length - string_length, string);
+
+    *strm = stroke_msg;
+    return (char*)(u_int)stroke_msg->length - string_length;
 }
 
 static int
 send_stroke_msg (stroke_msg_t *msg)
 {
-       struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
-       int sock;
-       int byte_count;
-       char buffer[64];
-
-       sock = socket(AF_UNIX, SOCK_STREAM, 0);
-       if (sock < 0)
-       {
-               plog("socket() failed: %s", strerror(errno));
-               return -1;
-       }
-       if (connect(sock, (struct sockaddr *)&ctl_addr, 
-               offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
-       {
-               plog("connect(charon_ctl) failed: %s", strerror(errno));
-               close(sock);
-               return -1;
-       }
-
-       /* send message */
-    if (write(sock, msg, msg->length) != msg->length)
-       {
-               plog("write(charon_ctl) failed: %s", strerror(errno));
-               close(sock);
-               return -1;
-       }
-       while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
-       {
-               buffer[byte_count] = '\0';
-               plog("%s", buffer);
-       }
-       if (byte_count < 0)
-       {
-               plog("read() failed: %s", strerror(errno));
-       }
+    struct sockaddr_un ctl_addr = { AF_UNIX, CHARON_CTL_FILE };
+    int sock;
+    int byte_count;
+    char buffer[64];
+
+    sock = socket(AF_UNIX, SOCK_STREAM, 0);
+    if (sock < 0)
+    {
+       plog("socket() failed: %s", strerror(errno));
+       return -1;
+    }
+    if (connect(sock, (struct sockaddr *)&ctl_addr, 
+       offsetof(struct sockaddr_un, sun_path) + strlen(ctl_addr.sun_path)) < 0)
+    {
+       plog("connect(charon_ctl) failed: %s", strerror(errno));
+       close(sock);
+       return -1;
+    }
 
+    /* send message */
+    if (write(sock, msg, msg->length) != msg->length)
+    {
+       plog("write(charon_ctl) failed: %s", strerror(errno));
        close(sock);
-       return 0;
+       return -1;
+    }
+    while ((byte_count = read(sock, buffer, sizeof(buffer)-1)) > 0)
+    {
+       buffer[byte_count] = '\0';
+       plog("%s", buffer);
+    }
+    if (byte_count < 0)
+    {
+       plog("read() failed: %s", strerror(errno));
+    }
+
+    close(sock);
+    return 0;
 }
 
-static char *
+static char*
 connection_name(starter_conn_t *conn)
 {
-       /* if connection name is '%auto', create a new name like conn_xxxxx */
-       static char buf[32];
-
-       if (streq(conn->name, "%auto"))
-       {
-               sprintf(buf, "conn_%ld", conn->id);
-               return buf;
-       }
-       return conn->name;
+    /* if connection name is '%auto', create a new name like conn_xxxxx */
+    static char buf[32];
+
+    if (streq(conn->name, "%auto"))
+    {
+       sprintf(buf, "conn_%ld", conn->id);
+       return buf;
+    }
+    return conn->name;
 }
 
 
-int starter_stroke_add_conn(starter_conn_t *conn)
+int 
+starter_stroke_add_conn(starter_conn_t *conn)
 {
-       stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
-       int res;
+    stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
+    int res;
 
-       msg->length = sizeof(stroke_msg_t);
-       msg->type = STR_ADD_CONN;
+    msg->length = sizeof(stroke_msg_t);
+    msg->type = STR_ADD_CONN;
 
-       msg->add_conn.name = push_string(&msg, connection_name(conn));
+    msg->add_conn.name = push_string(&msg, connection_name(conn));
 
-       msg->add_conn.me.id = push_string(&msg, conn->left.id);
-       msg->add_conn.me.cert = push_string(&msg, conn->left.cert);
-       msg->add_conn.me.address = push_string(&msg, inet_ntoa(conn->left.addr.u.v4.sin_addr));
-       msg->add_conn.me.subnet = push_string(&msg, inet_ntoa(conn->left.subnet.addr.u.v4.sin_addr));
-       msg->add_conn.me.subnet_mask = conn->left.subnet.maskbits;
+    msg->add_conn.me.id = push_string(&msg, conn->left.id);
+    msg->add_conn.me.cert = push_string(&msg, conn->left.cert);
+    msg->add_conn.me.address = push_string(&msg, inet_ntoa(conn->left.addr.u.v4.sin_addr));
+    msg->add_conn.me.subnet = push_string(&msg, inet_ntoa(conn->left.subnet.addr.u.v4.sin_addr));
+    msg->add_conn.me.subnet_mask = conn->left.subnet.maskbits;
 
-       msg->add_conn.other.id = push_string(&msg, conn->right.id);
-       msg->add_conn.other.cert = push_string(&msg, conn->right.cert);
-       msg->add_conn.other.address = push_string(&msg, inet_ntoa(conn->right.addr.u.v4.sin_addr));
-       msg->add_conn.other.subnet = push_string(&msg, inet_ntoa(conn->right.subnet.addr.u.v4.sin_addr));
-       msg->add_conn.other.subnet_mask = conn->right.subnet.maskbits;
+    msg->add_conn.other.id = push_string(&msg, conn->right.id);
+    msg->add_conn.other.cert = push_string(&msg, conn->right.cert);
+    msg->add_conn.other.address = push_string(&msg, inet_ntoa(conn->right.addr.u.v4.sin_addr));
+    msg->add_conn.other.subnet = push_string(&msg, inet_ntoa(conn->right.subnet.addr.u.v4.sin_addr));
+    msg->add_conn.other.subnet_mask = conn->right.subnet.maskbits;
 
-       res = send_stroke_msg(msg);
-       free(msg);
-       return res;
+    res = send_stroke_msg(msg);
+    free(msg);
+    return res;
 }
 
-int starter_stroke_del_conn(starter_conn_t *conn)
+int 
+starter_stroke_del_conn(starter_conn_t *conn)
 {
-       return 0;
+    return 0;
 }
 
-int starter_stroke_route_conn(starter_conn_t *conn)
+int 
+starter_stroke_route_conn(starter_conn_t *conn)
 {
-       stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
-       int res;
-
-       msg->length = sizeof(stroke_msg_t);
-       msg->type = STR_INSTALL;
-       msg->install.name = push_string(&msg, connection_name(conn));
-       res = send_stroke_msg(msg);
-       free(msg);
-       return res;
+    stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
+    int res;
+
+    msg->length = sizeof(stroke_msg_t);
+    msg->type = STR_INSTALL;
+    msg->install.name = push_string(&msg, connection_name(conn));
+    res = send_stroke_msg(msg);
+    free(msg);
+    return res;
 }
 
-int starter_stroke_initiate_conn(starter_conn_t *conn)
+int 
+starter_stroke_initiate_conn(starter_conn_t *conn)
 {
-       stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
-       int res;
-
-       msg->length = sizeof(stroke_msg_t);
-       msg->type = STR_INITIATE;
-       msg->initiate.name = push_string(&msg, connection_name(conn));
-       res = send_stroke_msg(msg);
-       free(msg);
-       return res;
+    stroke_msg_t *msg = malloc(sizeof(stroke_msg_t));
+    int res;
+
+    msg->length = sizeof(stroke_msg_t);
+    msg->type = STR_INITIATE;
+    msg->initiate.name = push_string(&msg, connection_name(conn));
+    res = send_stroke_msg(msg);
+    free(msg);
+    return res;
 }