static void log_child_sa(FILE *out, child_sa_t *child_sa, bool all)
{
u_int32_t rekey, now = time(NULL);
- u_int32_t use_in, use_out, use_fwd;
+ u_int32_t use_in, use_out;
encryption_algorithm_t encr_alg;
integrity_algorithm_t int_alg;
chunk_t encr_key, int_key;
- ipsec_mode_t mode;
-
- child_sa->get_stats(child_sa, &mode,
- &encr_alg, &encr_key, NULL, &int_alg, &int_key, NULL,
- &rekey, &use_in, &use_out, &use_fwd);
fprintf(out, "%12s{%d}: %N, %N",
child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
child_sa_state_names, child_sa->get_state(child_sa),
- ipsec_mode_names, mode);
+ ipsec_mode_names, child_sa->get_mode(child_sa));
if (child_sa->get_state(child_sa) == CHILD_INSTALLED)
{
if (child_sa->get_protocol(child_sa) == PROTO_ESP)
{
+ encr_alg = child_sa->get_encryption(child_sa, TRUE, &encr_key);
+
switch (encr_alg)
{
/* Algorithms with variable key size.
break;
}
}
+ int_alg = child_sa->get_integrity(child_sa, TRUE, &int_key);
switch (int_alg)
{
case AUTH_UNDEFINED:
}
fprintf(out, ", rekeying ");
+ rekey = child_sa->get_lifetime(child_sa, FALSE);
if (rekey)
{
fprintf(out, "in %#V", &now, &rekey);
}
fprintf(out, ", last use: ");
- use_in = max(use_in, use_fwd);
+ use_in = child_sa->get_usetime(child_sa, TRUE);
if (use_in)
{
fprintf(out, "%ds_i ", now - use_in);
{
fprintf(out, "no_i ");
}
+ use_out = child_sa->get_usetime(child_sa, FALSE);
if (use_out)
{
fprintf(out, "%ds_o ", now - use_out);
chunk_t int_key[2];
/**
- * time, on which SA was installed
+ * absolute time when rekeying is scheduled
*/
- time_t install_time;
+ time_t rekey_time;
/**
- * absolute time when rekeying is scheduled
+ * absolute time when the SA expires
*/
- time_t rekey_time;
+ time_t expire_time;
/**
* state of the CHILD_SA
}
/**
- * Implementation of child_sa_t.get_stats.
+ * Implementation of child_sa_t.get_usetime
*/
-static void get_stats(private_child_sa_t *this, ipsec_mode_t *mode,
- encryption_algorithm_t *encr_algo,
- chunk_t *encr_key_in, chunk_t *encr_key_out,
- integrity_algorithm_t *int_algo,
- chunk_t *int_key_in, chunk_t *int_key_out,
- u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
- u_int32_t *use_fwd)
+static u_int32_t get_usetime(private_child_sa_t *this, bool inbound)
{
- traffic_selector_t *my_ts, *other_ts;
enumerator_t *enumerator;
- u_int32_t in = 0, out = 0, fwd = 0, time;
-
+ traffic_selector_t *my_ts, *other_ts;
+ u_int32_t last_use = 0;
+
enumerator = create_policy_enumerator(this);
while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
{
-
- if (charon->kernel_interface->query_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_IN, &time) == SUCCESS)
- {
- in = max(in, time);
- }
- if (charon->kernel_interface->query_policy(charon->kernel_interface,
- my_ts, other_ts, POLICY_OUT, &time) == SUCCESS)
+ u_int32_t in, out, fwd;
+
+ if (inbound)
{
- out = max(out, time);
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ other_ts, my_ts, POLICY_IN, &in) == SUCCESS)
+ {
+ last_use = max(last_use, in);
+ }
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS)
+ {
+ last_use = max(last_use, fwd);
+ }
}
- if (charon->kernel_interface->query_policy(charon->kernel_interface,
- other_ts, my_ts, POLICY_FWD, &time) == SUCCESS)
+ else
{
- fwd = max(fwd, time);
+ if (charon->kernel_interface->query_policy(charon->kernel_interface,
+ my_ts, other_ts, POLICY_OUT, &out) == SUCCESS)
+ {
+ last_use = max(last_use, out);
+ }
}
}
enumerator->destroy(enumerator);
+ return last_use;
+}
+
+/**
+ * Implementation of child_sa_t.get_lifetime
+ */
+static u_int32_t get_lifetime(private_child_sa_t *this, bool hard)
+{
+ if (hard)
+ {
+ return this->expire_time;
+ }
+ return this->rekey_time;
+}
-#define SET_PTR_IF(x, y) if (x) { *x = y; }
- SET_PTR_IF(mode, this->mode);
- SET_PTR_IF(encr_algo, this->enc_alg);
- SET_PTR_IF(encr_key_in, this->enc_key[0]);
- SET_PTR_IF(encr_key_out, this->enc_key[1]);
- SET_PTR_IF(int_algo, this->int_alg);
- SET_PTR_IF(int_key_in, this->int_key[0]);
- SET_PTR_IF(int_key_out, this->int_key[1]);
- SET_PTR_IF(rekey, this->rekey_time);
- SET_PTR_IF(use_in, in);
- SET_PTR_IF(use_out, out);
- SET_PTR_IF(use_fwd, fwd);
+/**
+ * Implementation of child_sa_t.get_integrity
+ */
+static integrity_algorithm_t get_integrity(private_child_sa_t *this,
+ bool inbound, chunk_t *key)
+{
+ *key = this->int_key[!!inbound];
+ return this->int_alg;
+}
+
+/**
+ * Implementation of child_sa_t.get_encryption
+ */
+static encryption_algorithm_t get_encryption(private_child_sa_t *this,
+ bool inbound, chunk_t *key)
+{
+ *key = this->enc_key[!!inbound];
+ return this->enc_alg;
+}
+
+/**
+ * Implementation of child_sa_t.get_mode
+ */
+static ipsec_mode_t get_mode(private_child_sa_t *this)
+{
+ return this->mode;
}
/**
static status_t install(private_child_sa_t *this, proposal_t *proposal,
ipsec_mode_t mode, prf_plus_t *prf_plus, bool mine)
{
- u_int32_t spi, cpi, soft, hard;
+ u_int32_t spi, cpi, soft, hard, now;
host_t *src, *dst;
status_t status;
int add_keymat;
this->int_alg, this->int_key[!!mine],
mode, IPCOMP_NONE, this->encap, mine);
- this->install_time = time(NULL);
- this->rekey_time = this->install_time + soft;
+ now = time(NULL);
+ this->rekey_time = now + soft;
+ this->expire_time = now + hard;
return status;
}
}
/**
- * Implementation of child_sa_t.get_use_time
- */
-static status_t get_use_time(private_child_sa_t *this,
- bool inbound, time_t *use_time)
-{
- enumerator_t *enumerator;
- traffic_selector_t *my_ts, *other_ts;
- status_t status = FAILED;
-
- *use_time = UNDEFINED_TIME;
-
- enumerator = create_policy_enumerator(this);
- while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
- {
- if (inbound)
- {
- time_t in = UNDEFINED_TIME, fwd = UNDEFINED_TIME;
-
- status = charon->kernel_interface->query_policy(
- charon->kernel_interface, other_ts, my_ts,
- POLICY_IN, (u_int32_t*)&in);
- status |= charon->kernel_interface->query_policy(
- charon->kernel_interface, other_ts, my_ts,
- POLICY_FWD, (u_int32_t*)&fwd);
- *use_time = max(in, fwd);
- }
- else
- {
- status = charon->kernel_interface->query_policy(
- charon->kernel_interface, my_ts, other_ts,
- POLICY_OUT, (u_int32_t*)use_time);
- }
- }
- enumerator->destroy(enumerator);
- return status;
-}
-
-/**
* Implementation of child_sa_t.update_hosts.
*/
static status_t update_hosts(private_child_sa_t *this,
this->public.get_spi = (u_int32_t(*)(child_sa_t*, bool))get_spi;
this->public.get_cpi = (u_int16_t(*)(child_sa_t*, bool))get_cpi;
this->public.get_protocol = (protocol_id_t(*)(child_sa_t*))get_protocol;
- this->public.get_stats = (void(*)(child_sa_t*, ipsec_mode_t*,encryption_algorithm_t*,chunk_t*,chunk_t*,integrity_algorithm_t*,chunk_t*,chunk_t*,u_int32_t*,u_int32_t*,u_int32_t*,u_int32_t*))get_stats;
+ this->public.get_mode = (ipsec_mode_t(*)(child_sa_t*))get_mode;
+ this->public.get_encryption = (encryption_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_encryption;
+ this->public.get_integrity = (integrity_algorithm_t(*)(child_sa_t*, bool, chunk_t*))get_integrity;
+ this->public.get_lifetime = (u_int32_t(*)(child_sa_t*, bool))get_lifetime;
+ this->public.get_usetime = (u_int32_t(*)(child_sa_t*, bool))get_usetime;
this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
this->public.add = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))add;
this->public.update = (status_t(*)(child_sa_t*,proposal_t*,ipsec_mode_t,prf_plus_t*))update;
this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*,ipsec_mode_t,protocol_id_t))add_policies;
this->public.get_traffic_selectors = (linked_list_t*(*)(child_sa_t*,bool))get_traffic_selectors;
this->public.create_policy_enumerator = (enumerator_t*(*)(child_sa_t*))create_policy_enumerator;
- this->public.get_use_time = (status_t (*)(child_sa_t*,bool,time_t*))get_use_time;
this->public.set_state = (void(*)(child_sa_t*,child_sa_state_t))set_state;
this->public.get_state = (child_sa_state_t(*)(child_sa_t*))get_state;
this->public.get_config = (child_cfg_t*(*)(child_sa_t*))get_config;
protocol_id_t (*get_protocol) (child_sa_t *this);
/**
- * Get info and statistics about this CHILD_SA.
+ * Get the IPsec mode of this CHILD_SA.
*
- * @param mode mode this IKE_SA uses
- * @param encr_algo encryption algorithm used by this CHILD_SA.
- * @param encr_key encryption key
- * @param int_algo integrity algorithm used by this CHILD_SA
- * @param int_key integrity key
- * @param rekey time when rekeying is scheduled
- * @param use_in time when last traffic was seen coming in
- * @param use_out time when last traffic was seen going out
- * @param use_fwd time when last traffic was getting forwarded
+ * @return TUNNEL | TRANSPORT | BEET
*/
- void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
- encryption_algorithm_t *encr,
- chunk_t *encr_key_in, chunk_t *encr_key_out,
- integrity_algorithm_t *int_algo,
- chunk_t *int_key_in, chunk_t *int_key_out,
- u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
- u_int32_t *use_fwd);
+ ipsec_mode_t (*get_mode)(child_sa_t *this);
+
+ /**
+ * Get the IPsec encryption key.
+ *
+ * @param inbound TRUE for inbound, FALSE for outbound key
+ * @param key chunk where to write key pointer and length
+ * @return encryption algorithm
+ */
+ encryption_algorithm_t (*get_encryption)(child_sa_t *this, bool inbound,
+ chunk_t *key);
+ /**
+ * Get the IPsec integrity.
+ *
+ * @param inbound TRUE for inbound, FALSE for outbound key
+ * @param key chunk where to write key pointer and length
+ * @return integrity algorithm
+ */
+ integrity_algorithm_t (*get_integrity)(child_sa_t *this, bool inbound,
+ chunk_t *key);
+ /**
+ * Get the lifetime of the CHILD_SA.
+ *
+ * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
+
+ /**
+ * Get last use time of the CHILD_SA.
+ *
+ * @param inbound TRUE for inbound traffic, FALSE for outbound
+ * @return time of last use in seconds
+ */
+ u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
/**
* Allocate SPIs for given proposals.
enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
/**
- * Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
- *
- * @param inbound query for in- or outbound usage
- * @param use_time the time
- * @return SUCCESS or FAILED
- */
- status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
-
- /**
* Get the state of the CHILD_SA.
*/
child_sa_state_t (*get_state) (child_sa_t *this);
* @param other_cpi other Compression Parameter Index
*/
void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
- u_int16_t other_cpi);
+ u_int16_t other_cpi);
/**
* Returns the Compression Parameter Index (CPI) allocated from the kernel.
projects / strongswan.git / commitdiff