]> git.ipfire.org Git - people/ms/strongswan.git/blob - Source/charon/sa/child_sa.c
projects / people / ms / strongswan.git / blob
? search:


faadf27ceeea26de98cd9210528dbf9579c604c8
[people/ms/strongswan.git] / Source / charon / sa / child_sa.c
1 /**
2 * @file child_sa.c
3 *
4 * @brief Implementation of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "child_sa.h"
24
25
26 #include <utils/allocator.h>
27 #include <daemon.h>
28
29
30 typedef struct policy_t policy_t;
31
32 /**
33 * Struct used to store information for a policy. This
34 * is needed since we must provide all this information
35 * for deleting a policy...
36 */
37 struct policy_t {
38
39 /**
40 * Network on local side
41 */
42 host_t *my_net;
43
44 /**
45 * Network on remote side
46 */
47 host_t *other_net;
48
49 /**
50 * Number of bits for local network (subnet size)
51 */
52 u_int8_t my_net_mask;
53
54 /**
55 * Number of bits for remote network (subnet size)
56 */
57 u_int8_t other_net_mask;
58
59 /**
60 * Protocol for this policy, such as TCP/UDP/ICMP...
61 */
62 int upper_proto;
63 };
64
65 typedef struct private_child_sa_t private_child_sa_t;
66
67 /**
68 * Private data of a child_sa_t object.
69 */
70 struct private_child_sa_t {
71 /**
72 * Public interface of child_sa_t.
73 */
74 child_sa_t public;
75
76 /**
77 * IP of this peer
78 */
79 host_t *me;
80
81 /**
82 * IP of other peer
83 */
84 host_t *other;
85
86 /**
87 * Local security parameter index for AH protocol, 0 if not used
88 */
89 u_int32_t my_ah_spi;
90
91 /**
92 * Local security parameter index for ESP protocol, 0 if not used
93 */
94 u_int32_t my_esp_spi;
95
96 /**
97 * Remote security parameter index for AH protocol, 0 if not used
98 */
99 u_int32_t other_ah_spi;
100
101 /**
102 * Remote security parameter index for ESP protocol, 0 if not used
103 */
104 u_int32_t other_esp_spi;
105
106 /**
107 * List containing policy_id_t objects
108 */
109 linked_list_t *policies;
110
111 /**
112 * reqid used for this child_sa
113 */
114 u_int32_t reqid;
115
116 /**
117 * CHILD_SAs own logger
118 */
119 logger_t *logger;
120 };
121
122 /**
123 * Implements child_sa_t.alloc
124 */
125 static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
126 {
127 protocol_id_t protocols[2];
128 iterator_t *iterator;
129 proposal_t *proposal;
130 status_t status;
131 u_int i;
132
133 /* iterator through proposals */
134 iterator = proposals->create_iterator(proposals, TRUE);
135 while(iterator->has_next(iterator))
136 {
137 iterator->current(iterator, (void**)&proposal);
138 proposal->get_protocols(proposal, protocols);
139
140 /* check all protocols */
141 for (i = 0; i<2; i++)
142 {
143 switch (protocols[i])
144 {
145 case AH:
146 /* do we already have an spi for AH?*/
147 if (this->my_ah_spi == 0)
148 {
149 /* nope, get one */
150 status = charon->kernel_interface->get_spi(
151 charon->kernel_interface,
152 this->me, this->other,
153 AH, FALSE,
154 &(this->my_ah_spi));
155 }
156 /* update proposal */
157 proposal->set_spi(proposal, AH, (u_int64_t)this->my_ah_spi);
158 break;
159 case ESP:
160 /* do we already have an spi for ESP?*/
161 if (this->my_esp_spi == 0)
162 {
163 /* nope, get one */
164 status = charon->kernel_interface->get_spi(
165 charon->kernel_interface,
166 this->me, this->other,
167 ESP, FALSE,
168 &(this->my_esp_spi));
169 }
170 /* update proposal */
171 proposal->set_spi(proposal, ESP, (u_int64_t)this->my_esp_spi);
172 break;
173 default:
174 break;
175 }
176 if (status != SUCCESS)
177 {
178 iterator->destroy(iterator);
179 return FAILED;
180 }
181 }
182 }
183 iterator->destroy(iterator);
184 return SUCCESS;
185 }
186
187 static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
188 {
189 protocol_id_t protocols[2];
190 u_int32_t spi;
191 encryption_algorithm_t enc_algo;
192 integrity_algorithm_t int_algo;
193 chunk_t enc_key, int_key;
194 algorithm_t *algo;
195 crypter_t *crypter;
196 signer_t *signer;
197 size_t key_size;
198 host_t *src;
199 host_t *dst;
200 status_t status;
201 u_int i;
202
203 /* we must assign the roles to correctly set up the SAs */
204 if (mine)
205 {
206 src = this->me;
207 dst = this->other;
208 }
209 else
210 {
211 dst = this->me;
212 src = this->other;
213 }
214
215 proposal->get_protocols(proposal, protocols);
216 /* derive keys in order as protocols appear */
217 for (i = 0; i<2; i++)
218 {
219 if (protocols[i] != UNDEFINED_PROTOCOL_ID)
220 {
221
222 /* now we have to decide which spi to use. Use self allocated, if "mine",
223 * or the one in the proposal, if not "mine" (others). */
224 if (mine)
225 {
226 if (protocols[i] == AH)
227 {
228 spi = this->my_ah_spi;
229 }
230 else
231 {
232 spi = this->my_esp_spi;
233 }
234 }
235 else /* use proposals spi */
236 {
237 spi = proposal->get_spi(proposal, protocols[i]);
238 if (protocols[i] == AH)
239 {
240 this->other_ah_spi = spi;
241 }
242 else
243 {
244 this->other_esp_spi = spi;
245 }
246 }
247
248 /* derive encryption key first */
249 if (proposal->get_algorithm(proposal, protocols[i], ENCRYPTION_ALGORITHM, &algo))
250 {
251 enc_algo = algo->algorithm;
252 this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
253 mapping_find(protocol_id_m, protocols[i]),
254 mine ? "me" : "other",
255 mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
256 mapping_find(encryption_algorithm_m, enc_algo));
257
258 /* we must create a (unused) crypter, since its the only way to get the size
259 * of the key. This is not so nice, since charon must support all algorithms
260 * the kernel supports...
261 * TODO: build something of a encryption algorithm lookup function
262 */
263 crypter = crypter_create(enc_algo, algo->key_size);
264 key_size = crypter->get_key_size(crypter);
265 crypter->destroy(crypter);
266 prf_plus->allocate_bytes(prf_plus, key_size, &enc_key);
267 this->logger->log_chunk(this->logger, PRIVATE, "key:", &enc_key);
268 }
269 else
270 {
271 enc_algo = ENCR_UNDEFINED;
272 }
273
274 /* derive integrity key */
275 if (proposal->get_algorithm(proposal, protocols[i], INTEGRITY_ALGORITHM, &algo))
276 {
277 int_algo = algo->algorithm;
278 this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
279 mapping_find(protocol_id_m, protocols[i]),
280 mine ? "me" : "other",
281 mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
282 mapping_find(integrity_algorithm_m, algo->algorithm));
283
284 signer = signer_create(int_algo);
285 key_size = signer->get_key_size(signer);
286 signer->destroy(signer);
287 prf_plus->allocate_bytes(prf_plus, key_size, &int_key);
288 this->logger->log_chunk(this->logger, PRIVATE, "key:", &int_key);
289 }
290 else
291 {
292 int_algo = AUTH_UNDEFINED;
293 }
294 /* send keys down to kernel */
295 this->logger->log(this->logger, CONTROL|LEVEL1,
296 "installing 0x%.8x for %s, src %s dst %s",
297 ntohl(spi), mapping_find(protocol_id_m, protocols[i]),
298 src->get_address(src), dst->get_address(dst));
299 status = charon->kernel_interface->add_sa(charon->kernel_interface,
300 src, dst,
301 spi, protocols[i],
302 this->reqid,
303 enc_algo, enc_key,
304 int_algo, int_key, mine);
305 /* clean up for next round */
306 if (enc_algo != ENCR_UNDEFINED)
307 {
308 allocator_free_chunk(&enc_key);
309 }
310 if (int_algo != AUTH_UNDEFINED)
311 {
312 allocator_free_chunk(&int_key);
313 }
314
315 if (status != SUCCESS)
316 {
317 return FAILED;
318 }
319
320
321 }
322 }
323 return SUCCESS;
324 }
325
326 static status_t add(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
327 {
328 linked_list_t *list;
329
330 /* install others (initiators) SAs*/
331 if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
332 {
333 return FAILED;
334 }
335
336 /* get SPIs for our SAs */
337 list = linked_list_create();
338 list->insert_last(list, proposal);
339 if (alloc(this, list) != SUCCESS)
340 {
341 list->destroy(list);
342 return FAILED;
343 }
344 list->destroy(list);
345
346 /* install our (responders) SAs */
347 if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
348 {
349 return FAILED;
350 }
351
352 return SUCCESS;
353 }
354
355 static status_t update(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
356 {
357 /* install our (initator) SAs */
358 if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
359 {
360 return FAILED;
361 }
362 /* install his (responder) SAs */
363 if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
364 {
365 return FAILED;
366 }
367
368 return SUCCESS;
369 }
370
371 static u_int8_t get_mask(chunk_t start, chunk_t end)
372 {
373 int byte, bit, mask = 0;
374
375 if (start.len != end.len)
376 {
377 return 0;
378 }
379 for (byte = 0; byte < start.len; byte++)
380 {
381 for (bit = 7; bit >= 0; bit--)
382 {
383 if ((*(start.ptr + byte) | (1<<bit)) ==
384 (*(end.ptr + byte) | (1<<bit)))
385 {
386 mask++;
387 }
388 else
389 {
390 return mask;
391 }
392 }
393 }
394 return start.len * 8;
395 }
396
397 static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list)
398 {
399 iterator_t *my_iter, *other_iter;
400 traffic_selector_t *my_ts, *other_ts;
401
402 /* iterate over both lists */
403 my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
404 other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
405 while (my_iter->has_next(my_iter))
406 {
407 my_iter->current(my_iter, (void**)&my_ts);
408 other_iter->reset(other_iter);
409 while (other_iter->has_next(other_iter))
410 {
411 /* set up policies for every entry in my_ts_list to every entry in other_ts_list */
412 int family;
413 chunk_t from_addr, to_addr;
414 u_int16_t from_port, to_port;
415 policy_t *policy;
416 status_t status;
417
418 other_iter->current(other_iter, (void**)&other_ts);
419
420 /* only set up policies if protocol matches */
421 if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts))
422 {
423 continue;
424 }
425 policy = allocator_alloc_thing(policy_t);
426 policy->upper_proto = my_ts->get_protocol(my_ts);
427
428 /* calculate net and ports for local side */
429 family = my_ts->get_type(my_ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
430 from_addr = my_ts->get_from_address(my_ts);
431 to_addr = my_ts->get_to_address(my_ts);
432 from_port = my_ts->get_from_port(my_ts);
433 to_port = my_ts->get_to_port(my_ts);
434 from_port = (from_port != to_port) ? 0 : from_port;
435 policy->my_net = host_create_from_chunk(family, from_addr, from_port);
436 policy->my_net_mask = get_mask(from_addr, to_addr);
437 allocator_free_chunk(&from_addr);
438 allocator_free_chunk(&to_addr);
439
440 /* calculate net and ports for remote side */
441 family = other_ts->get_type(other_ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
442 from_addr = other_ts->get_from_address(other_ts);
443 to_addr = other_ts->get_to_address(other_ts);
444 from_port = other_ts->get_from_port(other_ts);
445 to_port = other_ts->get_to_port(other_ts);
446 from_port = (from_port != to_port) ? 0 : from_port;
447 policy->other_net = host_create_from_chunk(family, from_addr, from_port);
448 policy->other_net_mask = get_mask(from_addr, to_addr);
449 allocator_free_chunk(&from_addr);
450 allocator_free_chunk(&to_addr);
451
452 /* install 3 policies: out, in and forward */
453 status = charon->kernel_interface->add_policy(charon->kernel_interface,
454 this->me, this->other,
455 policy->my_net, policy->other_net,
456 policy->my_net_mask, policy->other_net_mask,
457 XFRM_POLICY_OUT, policy->upper_proto,
458 this->my_ah_spi, this->my_esp_spi,
459 this->reqid);
460
461 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
462 this->other, this->me,
463 policy->other_net, policy->my_net,
464 policy->other_net_mask, policy->my_net_mask,
465 XFRM_POLICY_IN, policy->upper_proto,
466 this->my_ah_spi, this->my_esp_spi,
467 this->reqid);
468
469 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
470 this->other, this->me,
471 policy->other_net, policy->my_net,
472 policy->other_net_mask, policy->my_net_mask,
473 XFRM_POLICY_FWD, policy->upper_proto,
474 this->my_ah_spi, this->my_esp_spi,
475 this->reqid);
476
477 if (status != SUCCESS)
478 {
479 my_iter->destroy(my_iter);
480 other_iter->destroy(other_iter);
481 allocator_free(policy);
482 return status;
483 }
484
485 /* add it to the policy list, since we want to know which policies we own */
486 this->policies->insert_last(this->policies, policy);
487 }
488 }
489
490 my_iter->destroy(my_iter);
491 other_iter->destroy(other_iter);
492 return SUCCESS;
493 }
494
495 /**
496 * Implementation of child_sa_t.destroy.
497 */
498 static void destroy(private_child_sa_t *this)
499 {
500 /* delete all policys in the kernel */
501 policy_t *policy;
502 while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
503 {
504 charon->kernel_interface->del_policy(charon->kernel_interface,
505 this->me, this->other,
506 policy->my_net, policy->other_net,
507 policy->my_net_mask, policy->other_net_mask,
508 XFRM_POLICY_OUT, policy->upper_proto);
509
510 charon->kernel_interface->del_policy(charon->kernel_interface,
511 this->other, this->me,
512 policy->other_net, policy->my_net,
513 policy->other_net_mask, policy->my_net_mask,
514 XFRM_POLICY_IN, policy->upper_proto);
515
516 charon->kernel_interface->del_policy(charon->kernel_interface,
517 this->other, this->me,
518 policy->other_net, policy->my_net,
519 policy->other_net_mask, policy->my_net_mask,
520 XFRM_POLICY_FWD, policy->upper_proto);
521
522 policy->my_net->destroy(policy->my_net);
523 policy->other_net->destroy(policy->other_net);
524 allocator_free(policy);
525 }
526 this->policies->destroy(this->policies);
527
528 /* delete SAs in the kernel, if they are set up */
529 if (this->my_ah_spi)
530 {
531 charon->kernel_interface->del_sa(charon->kernel_interface,
532 this->other, this->my_ah_spi, AH);
533 charon->kernel_interface->del_sa(charon->kernel_interface,
534 this->me, this->other_ah_spi, AH);
535 }
536 if (this->my_esp_spi)
537 {
538 charon->kernel_interface->del_sa(charon->kernel_interface,
539 this->other, this->my_esp_spi, ESP);
540 charon->kernel_interface->del_sa(charon->kernel_interface,
541 this->me, this->other_esp_spi, ESP);
542 }
543
544 charon->logger_manager->destroy_logger(charon->logger_manager, this->logger);
545 allocator_free(this);
546 }
547
548 /*
549 * Described in header.
550 */
551 child_sa_t * child_sa_create(host_t *me, host_t* other)
552 {
553 static u_int32_t reqid = 1;
554 private_child_sa_t *this = allocator_alloc_thing(private_child_sa_t);
555
556 /* public functions */
557 this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
558 this->public.add = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))add;
559 this->public.update = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))update;
560 this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
561 this->public.destroy = (void(*)(child_sa_t*))destroy;
562
563 /* private data */
564 this->logger = charon->logger_manager->create_logger(charon->logger_manager, CHILD_SA, NULL);
565 this->me = me;
566 this->other = other;
567 this->my_ah_spi = 0;
568 this->my_esp_spi = 0;
569 this->other_ah_spi = 0;
570 this->other_esp_spi = 0;
571 this->reqid = reqid++;
572 this->policies = linked_list_create();
573
574 return (&this->public);
575 }
Michael's strongswan development tree