Derive a dynamic TS to multiple virtual IPs
authorMartin Willi <martin@revosec.ch>
Tue, 18 Sep 2012 10:46:36 +0000 (12:46 +0200)
committerMartin Willi <martin@revosec.ch>
Tue, 18 Sep 2012 15:11:03 +0000 (17:11 +0200)
src/libcharon/config/child_cfg.c
src/libcharon/config/child_cfg.h
src/libcharon/config/peer_cfg.c
src/libcharon/config/peer_cfg.h
src/libcharon/sa/child_sa.c
src/libcharon/sa/ikev1/tasks/quick_mode.c
src/libcharon/sa/ikev2/tasks/child_create.c
src/libcharon/sa/trap_manager.c

index b037158..e65f320 100644 (file)
@@ -237,12 +237,16 @@ METHOD(child_cfg_t, add_traffic_selector, void,
 }
 
 METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
-       private_child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host)
+       private_child_cfg_t *this, bool local, linked_list_t *supplied,
+       linked_list_t *hosts)
 {
        enumerator_t *e1, *e2;
        traffic_selector_t *ts1, *ts2, *selected;
-       linked_list_t *result = linked_list_create();
+       linked_list_t *result, *derived;
+       host_t *host;
 
+       result = linked_list_create();
+       derived = linked_list_create();
        if (local)
        {
                e1 = this->my_ts->create_enumerator(this->my_ts);
@@ -251,42 +255,48 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
        {
                e1 = this->other_ts->create_enumerator(this->other_ts);
        }
-
-       /* no list supplied, just fetch the stored traffic selectors */
-       if (supplied == NULL)
+       /* In a first step, replace "dynamic" TS with the host list */
+       while (e1->enumerate(e1, &ts1))
        {
-               DBG2(DBG_CFG, "proposing traffic selectors for %s:",
-                        local ? "us" : "other");
-               while (e1->enumerate(e1, &ts1))
+               if (ts1->is_dynamic(ts1))
                {
-                       /* we make a copy of the TS, this allows us to update dynamic TS' */
-                       selected = ts1->clone(ts1);
-                       if (host && selected->is_dynamic(selected))
+                       if (hosts)
                        {
-                               selected->set_address(selected, host);
+                               e2 = hosts->create_enumerator(hosts);
+                               while (e2->enumerate(e2, &host))
+                               {
+                                       ts2 = ts1->clone(ts1);
+                                       ts2->set_address(ts2, host);
+                                       result->insert_last(derived, ts2);
+                               }
+                               e2->destroy(e2);
                        }
-                       DBG2(DBG_CFG, " %R (derived from %R)", selected, ts1);
-                       result->insert_last(result, selected);
                }
-               e1->destroy(e1);
+               else
+               {
+                       derived->insert_last(derived, ts1->clone(ts1));
+               }
+       }
+       e1->destroy(e1);
+
+       DBG2(DBG_CFG, "%s traffic selectors for %s:",
+                supplied ? "selecting" : "proposing", local ? "us" : "other");
+       if (supplied == NULL)
+       {
+               while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
+               {
+                       DBG2(DBG_CFG, " %R", ts1);
+                       result->insert_last(result, ts1);
+               }
        }
        else
        {
-               DBG2(DBG_CFG, "selecting traffic selectors for %s:",
-                        local ? "us" : "other");
-               e2 = supplied->create_enumerator(supplied);
-               /* iterate over all stored selectors */
-               while (e1->enumerate(e1, &ts1))
+               e1 = supplied->create_enumerator(supplied);
+               /* enumerate all configured/derived selectors */
+               while (derived->remove_first(derived, (void**)&ts1) == SUCCESS)
                {
-                       /* we make a copy of the TS, as we have to update dynamic TS' */
-                       ts1 = ts1->clone(ts1);
-                       if (host && ts1->is_dynamic(ts1))
-                       {
-                               ts1->set_address(ts1, host);
-                       }
-
-                       /* iterate over all supplied traffic selectors */
-                       while (e2->enumerate(e2, &ts2))
+                       /* enumerate all supplied traffic selectors */
+                       while (e1->enumerate(e1, &ts2))
                        {
                                selected = ts1->get_subset(ts1, ts2);
                                if (selected)
@@ -301,13 +311,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
                                                 ts1, ts2);
                                }
                        }
-                       e2->destroy(e2);
-                       e2 = supplied->create_enumerator(supplied);
+                       supplied->reset_enumerator(supplied, e1);
                        ts1->destroy(ts1);
                }
                e1->destroy(e1);
-               e2->destroy(e2);
        }
+       derived->destroy(derived);
 
        /* remove any redundant traffic selectors in the list */
        e1 = result->create_enumerator(result);
@@ -322,16 +331,14 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
                                {
                                        result->remove_at(result, e2);
                                        ts2->destroy(ts2);
-                                       e1->destroy(e1);
-                                       e1 = result->create_enumerator(result);
+                                       result->reset_enumerator(result, e1);
                                        break;
                                }
                                if (ts1->is_contained_in(ts1, ts2))
                                {
                                        result->remove_at(result, e1);
                                        ts1->destroy(ts1);
-                                       e2->destroy(e2);
-                                       e2 = result->create_enumerator(result);
+                                       result->reset_enumerator(result, e2);
                                        break;
                                }
                        }
index 370ff9d..6e8829a 100644 (file)
@@ -129,12 +129,12 @@ struct child_cfg_t {
         *
         * @param local                 TRUE for TS on local side, FALSE for remote
         * @param supplied              list with TS to select from, or NULL
-        * @param host                  address to use for narrowing "dynamic" TS', or NULL
+        * @param hosts                 addresses to use for narrowing "dynamic" TS', host_t
         * @return                              list containing the traffic selectors
         */
        linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
                                                                                        linked_list_t *supplied,
-                                                                                       host_t *host);
+                                                                                       linked_list_t *hosts);
        /**
         * Get the updown script to run for the CHILD_SA.
         *
index 59869ea..01ca026 100644 (file)
@@ -256,7 +256,7 @@ METHOD(peer_cfg_t, create_child_cfg_enumerator, enumerator_t*,
  * Check how good a list of TS matches a given child config
  */
 static int get_ts_match(child_cfg_t *cfg, bool local,
-                                               linked_list_t *sup_list, host_t *host)
+                                               linked_list_t *sup_list, linked_list_t *hosts)
 {
        linked_list_t *cfg_list;
        enumerator_t *sup_enum, *cfg_enum;
@@ -264,7 +264,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
        int match = 0, round;
 
        /* fetch configured TS list, narrowing dynamic TS */
-       cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host);
+       cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts);
 
        /* use a round counter to rate leading TS with higher priority */
        round = sup_list->get_count(sup_list);
@@ -297,7 +297,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local,
 
 METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*,
        private_peer_cfg_t *this, linked_list_t *my_ts, linked_list_t *other_ts,
-       host_t *my_host, host_t *other_host)
+       linked_list_t *my_hosts, linked_list_t *other_hosts)
 {
        child_cfg_t *current, *found = NULL;
        enumerator_t *enumerator;
@@ -309,8 +309,8 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*,
        {
                int my_prio, other_prio;
 
-               my_prio = get_ts_match(current, TRUE, my_ts, my_host);
-               other_prio = get_ts_match(current, FALSE, other_ts, other_host);
+               my_prio = get_ts_match(current, TRUE, my_ts, my_hosts);
+               other_prio = get_ts_match(current, FALSE, other_ts, other_hosts);
 
                if (my_prio && other_prio)
                {
index 418e455..97089e1 100644 (file)
@@ -183,13 +183,13 @@ struct peer_cfg_t {
         *
         * @param my_ts                 TS for local side
         * @param other_ts              TS for remote side
-        * @param my_host               host to narrow down dynamic TS for local side
-        * @param other_host    host to narrow down dynamic TS for remote side
+        * @param my_hosts              hosts to narrow down dynamic TS for local side
+        * @param other_hosts   hosts to narrow down dynamic TS for remote side
         * @return                              selected CHILD config, or NULL if no match found
         */
-       child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
-                                                                         linked_list_t *other_ts, host_t *my_host,
-                                                                         host_t *other_host);
+       child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
+                                                       linked_list_t *my_ts, linked_list_t *other_ts,
+                                                       linked_list_t *my_hosts, linked_list_t *other_hosts);
 
        /**
         * Add an authentication config to the peer configuration.
index c3fbd8b..1245734 100644 (file)
@@ -1125,12 +1125,14 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                chunk_t addr;
                host_t *host;
                enumerator_t *enumerator;
-               linked_list_t *my_ts_list, *other_ts_list;
+               linked_list_t *my_ts_list, *other_ts_list, *list;
                traffic_selector_t *my_ts, *other_ts;
 
                this->mode = MODE_TRANSPORT;
 
-               my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me);
+               list = linked_list_create_with_items(me, NULL);
+               my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, list);
+               list->destroy(list);
                enumerator = my_ts_list->create_enumerator(my_ts_list);
                if (enumerator->enumerate(enumerator, &my_ts))
                {
@@ -1151,7 +1153,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other,
                enumerator->destroy(enumerator);
                my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy));
 
-               other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other);
+               list = linked_list_create_with_items(other, NULL);
+               other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, list);
+               list->destroy(list);
                enumerator = other_ts_list->create_enumerator(other_ts_list);
                if (enumerator->enumerate(enumerator, &other_ts))
                {
index 39fbd59..b0f9fa1 100644 (file)
@@ -198,36 +198,36 @@ static bool have_pool(ike_sa_t *ike_sa)
 }
 
 /**
- * Get host to use for dynamic traffic selectors
+ * Get hosts to use for dynamic traffic selectors
  */
-static host_t *get_dynamic_host(ike_sa_t *ike_sa, bool local)
+static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
 {
        enumerator_t *enumerator;
+       linked_list_t *list;
        host_t *host;
 
+       list = linked_list_create();
        enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
-       if (!enumerator->enumerate(enumerator, &host))
+       while (enumerator->enumerate(enumerator, &host))
        {
+               list->insert_last(list, host);
+       }
+       enumerator->destroy(enumerator);
+
+       if (list->get_count(list) == 0)
+       {       /* no virtual IPs assigned */
                if (local)
                {
                        host = ike_sa->get_my_host(ike_sa);
+                       list->insert_last(list, host);
                }
-               else
-               {
-                       if (have_pool(ike_sa))
-                       {
-                               /* we have an IP address pool, but didn't negotiate a
-                                * virtual IP. */
-                               host = NULL;
-                       }
-                       else
-                       {
-                               host = ike_sa->get_other_host(ike_sa);
-                       }
+               else if (!have_pool(ike_sa))
+               {       /* use host only if we don't have a pool configured */
+                       host = ike_sa->get_other_host(ike_sa);
+                       list->insert_last(list, host);
                }
        }
-       enumerator->destroy(enumerator);
-       return host;
+       return list;
 }
 
 /**
@@ -452,10 +452,12 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
                                                                         linked_list_t *supplied)
 {
        traffic_selector_t *ts;
-       linked_list_t *list;
+       linked_list_t *list, *hosts;
 
-       list = this->config->get_traffic_selectors(this->config, local,
-                                                       supplied, get_dynamic_host(this->ike_sa, local));
+       hosts = get_dynamic_hosts(this->ike_sa, local);
+       list = this->config->get_traffic_selectors(this->config,
+                                                                                          local, supplied, hosts);
+       hosts->destroy(hosts);
        if (list->get_first(list, (void**)&ts) == SUCCESS)
        {
                if (this->initiator && list->get_count(list) > 1)
@@ -887,7 +889,7 @@ METHOD(task_t, process_r, status_t,
                case QM_INIT:
                {
                        sa_payload_t *sa_payload;
-                       linked_list_t *tsi, *tsr, *list = NULL;
+                       linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
                        peer_cfg_t *peer_cfg;
                        u_int16_t group;
                        bool private;
@@ -910,9 +912,12 @@ METHOD(task_t, process_r, status_t,
                        tsi = linked_list_create_with_items(this->tsi, NULL);
                        tsr = linked_list_create_with_items(this->tsr, NULL);
                        this->tsi = this->tsr = NULL;
+                       hostsi = get_dynamic_hosts(this->ike_sa, FALSE);
+                       hostsr = get_dynamic_hosts(this->ike_sa, TRUE);
                        this->config = peer_cfg->select_child_cfg(peer_cfg, tsr, tsi,
-                                                                               get_dynamic_host(this->ike_sa, TRUE),
-                                                                               get_dynamic_host(this->ike_sa, FALSE));
+                                                                                                         hostsr, hostsi);
+                       hostsi->destroy(hostsi);
+                       hostsr->destroy(hostsr);
                        if (this->config)
                        {
                                this->tsi = select_ts(this, FALSE, tsi);
index 9901187..46a1655 100644 (file)
@@ -308,36 +308,36 @@ static bool have_pool(ike_sa_t *ike_sa)
 }
 
 /**
- * Get host to use for dynamic traffic selectors
+ * Get hosts to use for dynamic traffic selectors
  */
-static host_t *get_dynamic_host(ike_sa_t *ike_sa, bool local)
+static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
 {
        enumerator_t *enumerator;
+       linked_list_t *list;
        host_t *host;
 
+       list = linked_list_create();
        enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
-       if (!enumerator->enumerate(enumerator, &host))
+       while (enumerator->enumerate(enumerator, &host))
        {
+               list->insert_last(list, host);
+       }
+       enumerator->destroy(enumerator);
+
+       if (list->get_count(list) == 0)
+       {       /* no virtual IPs assigned */
                if (local)
                {
                        host = ike_sa->get_my_host(ike_sa);
+                       list->insert_last(list, host);
                }
-               else
-               {
-                       if (have_pool(ike_sa))
-                       {
-                               /* we have an IP address pool, but didn't negotiate a
-                                * virtual IP. */
-                               host = NULL;
-                       }
-                       else
-                       {
-                               host = ike_sa->get_other_host(ike_sa);
-                       }
+               else if (!have_pool(ike_sa))
+               {       /* use host only if we don't have a pool configured */
+                       host = ike_sa->get_other_host(ike_sa);
+                       list->insert_last(list, host);
                }
        }
-       enumerator->destroy(enumerator);
-       return host;
+       return list;
 }
 
 /**
@@ -353,7 +353,7 @@ static status_t select_and_install(private_child_create_t *this,
        chunk_t nonce_i, nonce_r;
        chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
        chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
-       linked_list_t *my_ts, *other_ts;
+       linked_list_t *my_ts, *other_ts, *list;
        host_t *me, *other;
        bool private;
 
@@ -422,10 +422,14 @@ static status_t select_and_install(private_child_create_t *this,
                my_ts = this->tsr;
                other_ts = this->tsi;
        }
-       my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts,
-                                                                               get_dynamic_host(this->ike_sa, TRUE));
-       other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts,
-                                                                               get_dynamic_host(this->ike_sa, FALSE));
+       list = get_dynamic_hosts(this->ike_sa, TRUE);
+       my_ts = this->config->get_traffic_selectors(this->config,
+                                                                                               TRUE, my_ts, list);
+       list->destroy(list);
+       list = get_dynamic_hosts(this->ike_sa, FALSE);
+       other_ts = this->config->get_traffic_selectors(this->config,
+                                                                                               FALSE, other_ts, list);
+       list->destroy(list);
 
        if (this->initiator)
        {
@@ -796,6 +800,7 @@ METHOD(task_t, build_i, status_t,
        enumerator_t *enumerator;
        host_t *vip;
        peer_cfg_t *peer_cfg;
+       linked_list_t *list;
 
        switch (message->get_exchange_type(message))
        {
@@ -835,24 +840,37 @@ METHOD(task_t, build_i, status_t,
        }
 
        /* check if we want a virtual IP, but don't have one */
+       list = linked_list_create();
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
-       enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
-       if (!this->reqid && enumerator->enumerate(enumerator, &vip))
+       if (!this->reqid)
        {
-               /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
-               vip = host_create_any(vip->get_family(vip));
-               this->tsi = this->config->get_traffic_selectors(this->config, TRUE,
-                                                                                                               NULL, vip);
-               vip->destroy(vip);
+               enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+               while (enumerator->enumerate(enumerator, &vip))
+               {
+                       /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
+                       vip = host_create_any(vip->get_family(vip));
+                       list->insert_last(list, vip);
+               }
+               enumerator->destroy(enumerator);
        }
-       else
-       {       /* but narrow it for host2host / if we already have a vip */
-               this->tsi = this->config->get_traffic_selectors(this->config, TRUE, NULL,
-                                                                               get_dynamic_host(this->ike_sa, TRUE));
+       if (list->get_count(list))
+       {
+               this->tsi = this->config->get_traffic_selectors(this->config,
+                                                                                                               TRUE, NULL, list);
+               list->destroy_offset(list, offsetof(host_t, destroy));
        }
-       enumerator->destroy(enumerator);
-       this->tsr = this->config->get_traffic_selectors(this->config, FALSE, NULL,
-                                                                               get_dynamic_host(this->ike_sa, FALSE));
+       else
+       {       /* no virtual IPs configured */
+               list->destroy(list);
+               list = get_dynamic_hosts(this->ike_sa, TRUE);
+               this->tsi = this->config->get_traffic_selectors(this->config,
+                                                                                                               TRUE, NULL, list);
+               list->destroy(list);
+       }
+       list = get_dynamic_hosts(this->ike_sa, FALSE);
+       this->tsr = this->config->get_traffic_selectors(this->config,
+                                                                                                       FALSE, NULL, list);
+       list->destroy(list);
 
        if (this->packet_tsi)
        {
@@ -1008,10 +1026,14 @@ METHOD(task_t, build_r, status_t,
        peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
        if (!this->config && peer_cfg && this->tsi && this->tsr)
        {
+               linked_list_t *listr, *listi;
+
+               listr = get_dynamic_hosts(this->ike_sa, TRUE);
+               listi = get_dynamic_hosts(this->ike_sa, FALSE);
                this->config = peer_cfg->select_child_cfg(peer_cfg,
-                                                                               this->tsr, this->tsi,
-                                                                               get_dynamic_host(this->ike_sa, TRUE),
-                                                                               get_dynamic_host(this->ike_sa, FALSE));
+                                                                                       this->tsr, this->tsi, listr, listi);
+               listr->destroy(listr);
+               listi->destroy(listi);
        }
 
        if (this->config == NULL)
index b3d9e15..fdcfa0a 100644 (file)
@@ -98,7 +98,7 @@ METHOD(trap_manager_t, install, u_int32_t,
        ike_cfg_t *ike_cfg;
        child_sa_t *child_sa;
        host_t *me, *other;
-       linked_list_t *my_ts, *other_ts;
+       linked_list_t *my_ts, *other_ts, *list;
        enumerator_t *enumerator;
        bool found = FALSE;
        status_t status;
@@ -152,10 +152,14 @@ METHOD(trap_manager_t, install, u_int32_t,
 
        /* create and route CHILD_SA */
        child_sa = child_sa_create(me, other, child, 0, FALSE);
-       my_ts = child->get_traffic_selectors(child, TRUE, NULL, me);
-       other_ts = child->get_traffic_selectors(child, FALSE, NULL, other);
-       me->destroy(me);
-       other->destroy(other);
+
+       list = linked_list_create_with_items(me, NULL);
+       my_ts = child->get_traffic_selectors(child, TRUE, NULL, list);
+       list->destroy_offset(list, offsetof(host_t, destroy));
+
+       list = linked_list_create_with_items(other, NULL);
+       other_ts = child->get_traffic_selectors(child, FALSE, NULL, list);
+       list->destroy_offset(list, offsetof(host_t, destroy));
 
        /* while we don't know the finally negotiated protocol (ESP|AH), we
         * could iterate all proposals for a best guess (TODO). But as we