/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
action_t close_action;
/**
- * Time before an SA gets invalid
+ * CHILD_SA lifetime config
*/
- u_int32_t lifetime;
-
- /**
- * Time before an SA gets rekeyed
- */
- u_int32_t rekeytime;
-
- /**
- * Time, which specifies the range of a random value
- * substracted from rekeytime.
- */
- u_int32_t jitter;
+ lifetime_cfg_t *lifetime;
/**
* enable IPComp
}
/**
- * Implementation of child_cfg_t.get_lifetime.
+ * Applies jitter to the rekey value. Returns the new rekey value.
+ * Note: The distribution of random values is not perfect, but it
+ * should get the job done.
*/
-static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
+static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
{
- if (rekey)
+ if (jitter == 0)
{
- if (this->jitter == 0)
- {
- return this->rekeytime;
- }
- return this->rekeytime - (random() % this->jitter);
+ return rekey;
}
- return this->lifetime;
+ jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
+ return rekey - jitter * (random() / (RAND_MAX + 1.0));
+}
+#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
+
+/**
+ * Implementation of child_cfg_t.get_lifetime.
+ */
+static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+{
+ lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
+ memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
+ APPLY_JITTER(lft, time);
+ APPLY_JITTER(lft, bytes);
+ APPLY_JITTER(lft, packets);
+ return lft;
}
/**
{
free(this->updown);
}
+ free(this->lifetime);
free(this->name);
free(this);
}
/*
* Described in header-file
*/
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, ipsec_mode_t mode,
- action_t dpd_action, action_t close_action, bool ipcomp)
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+ char *updown, bool hostaccess,
+ ipsec_mode_t mode, action_t dpd_action,
+ action_t close_action, bool ipcomp)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
- this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
+ this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
this->name = strdup(name);
this->lifetime = lifetime;
- this->rekeytime = rekeytime;
- this->jitter = jitter;
this->updown = updown ? strdup(updown) : NULL;
this->hostaccess = hostaccess;
this->mode = mode;
bool (*get_hostaccess) (child_cfg_t *this);
/**
- * Get the lifetime of a CHILD_SA.
+ * Get the lifetime configuration of a CHILD_SA.
*
- * If "rekey" is set to TRUE, a lifetime is returned before the first
- * rekeying should be started. If it is FALSE, the actual lifetime is
- * returned when the CHILD_SA must be deleted.
- * The rekey time automatically contains a jitter to avoid simlutaneous
- * rekeying.
- *
- * @param rekey TRUE to get rekey time
- * @return lifetime in seconds
+ * The rekey limits automatically contain a jitter to avoid simultaneous
+ * rekeying. These values will change with each call to this function.
+ *
+ * @return lifetime_cfg_t (has to be freed)
*/
- u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
+ lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
/**
* Get the mode to use for the CHILD_SA.
* Create a configuration template for CHILD_SA setup.
*
* The "name" string gets cloned.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeytime - random(0, jitter)). You should specify
- * lifetime > rekeytime > jitter.
+ *
+ * The lifetime_cfg_t object gets adopted by this config.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
+ *
* After a call to create, a reference is obtained (refcount = 1).
*
* @param name name of the child_cfg
- * @param lifetime lifetime after CHILD_SA expires and gets deleted
- * @param rekeytime time when rekeying should be initiated
- * @param jitter range of randomization time to remove from rekeytime
+ * @param lifetime lifetime_cfg_t for this child_cfg
* @param updown updown script to execute on up/down event
* @param hostaccess TRUE to allow access to the local host
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
* @param ipcomp use IPComp, if peer supports it
* @return child_cfg_t object
*/
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, ipsec_mode_t mode,
- action_t dpd_action, action_t close_action, bool ipcomp);
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+ char *updown, bool hostaccess,
+ ipsec_mode_t mode, action_t dpd_action,
+ action_t close_action, bool ipcomp);
#endif /** CHILD_CFG_H_ @}*/
projects / strongswan.git / commitdiff