2 * Copyright (C) 2005-2011 Martin Willi
3 * Copyright (C) 2011 revosec AG
4 * Copyright (C) 2008-2012 Tobias Brunner
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 #include "ike_sa_manager.h"
24 #include <sa/ike_sa_id.h>
26 #include <threading/condvar.h>
27 #include <threading/mutex.h>
28 #include <threading/rwlock.h>
29 #include <collections/linked_list.h>
30 #include <crypto/hashers/hasher.h>
32 /* the default size of the hash table (MUST be a power of 2) */
33 #define DEFAULT_HASHTABLE_SIZE 1
35 /* the maximum size of the hash table (MUST be a power of 2) */
36 #define MAX_HASHTABLE_SIZE (1 << 30)
38 /* the default number of segments (MUST be a power of 2) */
39 #define DEFAULT_SEGMENT_COUNT 1
41 typedef struct entry_t entry_t
;
44 * An entry in the linked list, contains IKE_SA, locking and lookup data.
49 * Number of threads waiting for this ike_sa_t object.
54 * Condvar where threads can wait until ike_sa_t object is free for use again.
59 * Is this ike_sa currently checked out?
64 * Does this SA drives out new threads?
66 bool driveout_new_threads
;
69 * Does this SA drives out waiting threads?
71 bool driveout_waiting_threads
;
74 * Identification of an IKE_SA (SPIs).
76 ike_sa_id_t
*ike_sa_id
;
79 * The contained ike_sa_t object.
84 * hash of the IKE_SA_INIT message, used to detect retransmissions
89 * remote host address, required for DoS detection and duplicate
90 * checking (host with same my_id and other_id is *not* considered
91 * a duplicate if the address family differs)
96 * As responder: Is this SA half-open?
101 * own identity, required for duplicate checking
103 identification_t
*my_id
;
106 * remote identity, required for duplicate checking
108 identification_t
*other_id
;
111 * message ID or hash of currently processing message, -1 if none
113 u_int32_t processing
;
117 * Implementation of entry_t.destroy.
119 static status_t
entry_destroy(entry_t
*this)
121 /* also destroy IKE SA */
122 this->ike_sa
->destroy(this->ike_sa
);
123 this->ike_sa_id
->destroy(this->ike_sa_id
);
124 chunk_free(&this->init_hash
);
125 DESTROY_IF(this->other
);
126 DESTROY_IF(this->my_id
);
127 DESTROY_IF(this->other_id
);
128 this->condvar
->destroy(this->condvar
);
134 * Creates a new entry for the ike_sa_t list.
136 static entry_t
*entry_create()
141 .condvar
= condvar_create(CONDVAR_TYPE_DEFAULT
),
149 * Function that matches entry_t objects by ike_sa_id_t.
151 static bool entry_match_by_id(entry_t
*entry
, ike_sa_id_t
*id
)
153 if (id
->equals(id
, entry
->ike_sa_id
))
157 if ((id
->get_responder_spi(id
) == 0 ||
158 entry
->ike_sa_id
->get_responder_spi(entry
->ike_sa_id
) == 0) &&
159 id
->get_initiator_spi(id
) == entry
->ike_sa_id
->get_initiator_spi(entry
->ike_sa_id
))
161 /* this is TRUE for IKE_SAs that we initiated but have not yet received a response */
168 * Function that matches entry_t objects by ike_sa_t pointers.
170 static bool entry_match_by_sa(entry_t
*entry
, ike_sa_t
*ike_sa
)
172 return entry
->ike_sa
== ike_sa
;
176 * Hash function for ike_sa_id_t objects.
178 static u_int
ike_sa_id_hash(ike_sa_id_t
*ike_sa_id
)
180 /* IKEv2 does not mandate random SPIs (RFC 5996, 2.6), they just have to be
181 * locally unique, so we use our randomly allocated SPI whether we are
182 * initiator or responder to ensure a good distribution. The latter is not
183 * possible for IKEv1 as we don't know whether we are original initiator or
184 * not (based on the IKE header). But as RFC 2408, section 2.5.3 proposes
185 * SPIs (Cookies) to be allocated near random (we allocate them randomly
186 * anyway) it seems safe to always use the initiator SPI. */
187 if (ike_sa_id
->get_ike_version(ike_sa_id
) == IKEV1_MAJOR_VERSION
||
188 ike_sa_id
->is_initiator(ike_sa_id
))
190 return ike_sa_id
->get_initiator_spi(ike_sa_id
);
192 return ike_sa_id
->get_responder_spi(ike_sa_id
);
195 typedef struct half_open_t half_open_t
;
198 * Struct to manage half-open IKE_SAs per peer.
201 /** chunk of remote host address */
204 /** the number of half-open IKE_SAs with that host */
209 * Destroys a half_open_t object.
211 static void half_open_destroy(half_open_t
*this)
213 chunk_free(&this->other
);
217 typedef struct connected_peers_t connected_peers_t
;
219 struct connected_peers_t
{
221 identification_t
*my_id
;
223 /** remote identity */
224 identification_t
*other_id
;
226 /** ip address family of peer */
229 /** list of ike_sa_id_t objects of IKE_SAs between the two identities */
233 static void connected_peers_destroy(connected_peers_t
*this)
235 this->my_id
->destroy(this->my_id
);
236 this->other_id
->destroy(this->other_id
);
237 this->sas
->destroy(this->sas
);
242 * Function that matches connected_peers_t objects by the given ids.
244 static inline bool connected_peers_match(connected_peers_t
*connected_peers
,
245 identification_t
*my_id
, identification_t
*other_id
,
248 return my_id
->equals(my_id
, connected_peers
->my_id
) &&
249 other_id
->equals(other_id
, connected_peers
->other_id
) &&
250 (!family
|| family
== connected_peers
->family
);
253 typedef struct init_hash_t init_hash_t
;
256 /** hash of IKE_SA_INIT or initial phase1 message (data is not cloned) */
259 /** our SPI allocated for the IKE_SA based on this message */
263 typedef struct segment_t segment_t
;
266 * Struct to manage segments of the hash table.
269 /** mutex to access a segment exclusively */
272 /** the number of entries in this segment */
276 typedef struct shareable_segment_t shareable_segment_t
;
279 * Struct to manage segments of the "half-open" and "connected peers" hash tables.
281 struct shareable_segment_t
{
282 /** rwlock to access a segment non-/exclusively */
285 /** the number of entries in this segment - in case of the "half-open table"
286 * it's the sum of all half_open_t.count in a segment. */
290 typedef struct table_item_t table_item_t
;
293 * Instead of using linked_list_t for each bucket we store the data in our own
294 * list to save memory.
296 struct table_item_t
{
297 /** data of this item */
300 /** next item in the overflow list */
304 typedef struct private_ike_sa_manager_t private_ike_sa_manager_t
;
307 * Additional private members of ike_sa_manager_t.
309 struct private_ike_sa_manager_t
{
311 * Public interface of ike_sa_manager_t.
313 ike_sa_manager_t
public;
316 * Hash table with entries for the ike_sa_t objects.
318 table_item_t
**ike_sa_table
;
321 * The size of the hash table.
326 * Mask to map the hashes to table rows.
331 * Segments of the hash table.
336 * The number of segments.
341 * Mask to map a table row to a segment.
346 * Hash table with half_open_t objects.
348 table_item_t
**half_open_table
;
351 * Segments of the "half-open" hash table.
353 shareable_segment_t
*half_open_segments
;
356 * Hash table with connected_peers_t objects.
358 table_item_t
**connected_peers_table
;
361 * Segments of the "connected peers" hash table.
363 shareable_segment_t
*connected_peers_segments
;
366 * Hash table with init_hash_t objects.
368 table_item_t
**init_hashes_table
;
371 * Segments of the "hashes" hash table.
373 segment_t
*init_hashes_segments
;
376 * RNG to get random SPIs for our side
381 * SHA1 hasher for IKE_SA_INIT retransmit detection
386 * reuse existing IKE_SAs in checkout_by_config
391 * Configured IKE_SA limit, if any
397 * Acquire a lock to access the segment of the table row with the given index.
398 * It also works with the segment index directly.
400 static inline void lock_single_segment(private_ike_sa_manager_t
*this,
403 mutex_t
*lock
= this->segments
[index
& this->segment_mask
].mutex
;
408 * Release the lock required to access the segment of the table row with the given index.
409 * It also works with the segment index directly.
411 static inline void unlock_single_segment(private_ike_sa_manager_t
*this,
414 mutex_t
*lock
= this->segments
[index
& this->segment_mask
].mutex
;
421 static void lock_all_segments(private_ike_sa_manager_t
*this)
425 for (i
= 0; i
< this->segment_count
; i
++)
427 this->segments
[i
].mutex
->lock(this->segments
[i
].mutex
);
432 * Unlock all segments
434 static void unlock_all_segments(private_ike_sa_manager_t
*this)
438 for (i
= 0; i
< this->segment_count
; i
++)
440 this->segments
[i
].mutex
->unlock(this->segments
[i
].mutex
);
444 typedef struct private_enumerator_t private_enumerator_t
;
447 * hash table enumerator implementation
449 struct private_enumerator_t
{
452 * implements enumerator interface
454 enumerator_t enumerator
;
457 * associated ike_sa_manager_t
459 private_ike_sa_manager_t
*manager
;
462 * current segment index
467 * currently enumerating entry
472 * current table row index
479 table_item_t
*current
;
482 * previous table item
487 METHOD(enumerator_t
, enumerate
, bool,
488 private_enumerator_t
*this, entry_t
**entry
, u_int
*segment
)
492 this->entry
->condvar
->signal(this->entry
->condvar
);
495 while (this->segment
< this->manager
->segment_count
)
497 while (this->row
< this->manager
->table_size
)
499 this->prev
= this->current
;
502 this->current
= this->current
->next
;
506 lock_single_segment(this->manager
, this->segment
);
507 this->current
= this->manager
->ike_sa_table
[this->row
];
511 *entry
= this->entry
= this->current
->value
;
512 *segment
= this->segment
;
515 unlock_single_segment(this->manager
, this->segment
);
516 this->row
+= this->manager
->segment_count
;
519 this->row
= this->segment
;
524 METHOD(enumerator_t
, enumerator_destroy
, void,
525 private_enumerator_t
*this)
529 this->entry
->condvar
->signal(this->entry
->condvar
);
533 unlock_single_segment(this->manager
, this->segment
);
539 * Creates an enumerator to enumerate the entries in the hash table.
541 static enumerator_t
* create_table_enumerator(private_ike_sa_manager_t
*this)
543 private_enumerator_t
*enumerator
;
547 .enumerate
= (void*)_enumerate
,
548 .destroy
= _enumerator_destroy
,
552 return &enumerator
->enumerator
;
556 * Put an entry into the hash table.
557 * Note: The caller has to unlock the returned segment.
559 static u_int
put_entry(private_ike_sa_manager_t
*this, entry_t
*entry
)
561 table_item_t
*current
, *item
;
568 row
= ike_sa_id_hash(entry
->ike_sa_id
) & this->table_mask
;
569 segment
= row
& this->segment_mask
;
571 lock_single_segment(this, segment
);
572 current
= this->ike_sa_table
[row
];
574 { /* insert at the front of current bucket */
575 item
->next
= current
;
577 this->ike_sa_table
[row
] = item
;
578 this->segments
[segment
].count
++;
583 * Remove an entry from the hash table.
584 * Note: The caller MUST have a lock on the segment of this entry.
586 static void remove_entry(private_ike_sa_manager_t
*this, entry_t
*entry
)
588 table_item_t
*item
, *prev
= NULL
;
591 row
= ike_sa_id_hash(entry
->ike_sa_id
) & this->table_mask
;
592 segment
= row
& this->segment_mask
;
593 item
= this->ike_sa_table
[row
];
596 if (item
->value
== entry
)
600 prev
->next
= item
->next
;
604 this->ike_sa_table
[row
] = item
->next
;
606 this->segments
[segment
].count
--;
616 * Remove the entry at the current enumerator position.
618 static void remove_entry_at(private_enumerator_t
*this)
623 table_item_t
*current
= this->current
;
625 this->manager
->segments
[this->segment
].count
--;
626 this->current
= this->prev
;
630 this->prev
->next
= current
->next
;
634 this->manager
->ike_sa_table
[this->row
] = current
->next
;
635 unlock_single_segment(this->manager
, this->segment
);
642 * Find an entry using the provided match function to compare the entries for
645 static status_t
get_entry_by_match_function(private_ike_sa_manager_t
*this,
646 ike_sa_id_t
*ike_sa_id
, entry_t
**entry
, u_int
*segment
,
647 linked_list_match_t match
, void *param
)
652 row
= ike_sa_id_hash(ike_sa_id
) & this->table_mask
;
653 seg
= row
& this->segment_mask
;
655 lock_single_segment(this, seg
);
656 item
= this->ike_sa_table
[row
];
659 if (match(item
->value
, param
))
661 *entry
= item
->value
;
663 /* the locked segment has to be unlocked by the caller */
668 unlock_single_segment(this, seg
);
673 * Find an entry by ike_sa_id_t.
674 * Note: On SUCCESS, the caller has to unlock the segment.
676 static status_t
get_entry_by_id(private_ike_sa_manager_t
*this,
677 ike_sa_id_t
*ike_sa_id
, entry_t
**entry
, u_int
*segment
)
679 return get_entry_by_match_function(this, ike_sa_id
, entry
, segment
,
680 (linked_list_match_t
)entry_match_by_id
, ike_sa_id
);
684 * Find an entry by IKE_SA pointer.
685 * Note: On SUCCESS, the caller has to unlock the segment.
687 static status_t
get_entry_by_sa(private_ike_sa_manager_t
*this,
688 ike_sa_id_t
*ike_sa_id
, ike_sa_t
*ike_sa
, entry_t
**entry
, u_int
*segment
)
690 return get_entry_by_match_function(this, ike_sa_id
, entry
, segment
,
691 (linked_list_match_t
)entry_match_by_sa
, ike_sa
);
695 * Wait until no other thread is using an IKE_SA, return FALSE if entry not
698 static bool wait_for_entry(private_ike_sa_manager_t
*this, entry_t
*entry
,
701 if (entry
->driveout_new_threads
)
703 /* we are not allowed to get this */
706 while (entry
->checked_out
&& !entry
->driveout_waiting_threads
)
708 /* so wait until we can get it for us.
709 * we register us as waiting. */
710 entry
->waiting_threads
++;
711 entry
->condvar
->wait(entry
->condvar
, this->segments
[segment
].mutex
);
712 entry
->waiting_threads
--;
714 /* hm, a deletion request forbids us to get this SA, get next one */
715 if (entry
->driveout_waiting_threads
)
717 /* we must signal here, others may be waiting on it, too */
718 entry
->condvar
->signal(entry
->condvar
);
725 * Put a half-open SA into the hash table.
727 static void put_half_open(private_ike_sa_manager_t
*this, entry_t
*entry
)
732 half_open_t
*half_open
;
735 addr
= entry
->other
->get_address(entry
->other
);
736 row
= chunk_hash(addr
) & this->table_mask
;
737 segment
= row
& this->segment_mask
;
738 lock
= this->half_open_segments
[segment
].lock
;
739 lock
->write_lock(lock
);
740 item
= this->half_open_table
[row
];
743 half_open
= item
->value
;
745 if (chunk_equals(addr
, half_open
->other
))
756 .other
= chunk_clone(addr
),
761 .next
= this->half_open_table
[row
],
763 this->half_open_table
[row
] = item
;
765 this->half_open_segments
[segment
].count
++;
770 * Remove a half-open SA from the hash table.
772 static void remove_half_open(private_ike_sa_manager_t
*this, entry_t
*entry
)
774 table_item_t
*item
, *prev
= NULL
;
779 addr
= entry
->other
->get_address(entry
->other
);
780 row
= chunk_hash(addr
) & this->table_mask
;
781 segment
= row
& this->segment_mask
;
782 lock
= this->half_open_segments
[segment
].lock
;
783 lock
->write_lock(lock
);
784 item
= this->half_open_table
[row
];
787 half_open_t
*half_open
= item
->value
;
789 if (chunk_equals(addr
, half_open
->other
))
791 if (--half_open
->count
== 0)
795 prev
->next
= item
->next
;
799 this->half_open_table
[row
] = item
->next
;
801 half_open_destroy(half_open
);
804 this->half_open_segments
[segment
].count
--;
814 * Put an SA between two peers into the hash table.
816 static void put_connected_peers(private_ike_sa_manager_t
*this, entry_t
*entry
)
821 connected_peers_t
*connected_peers
;
822 chunk_t my_id
, other_id
;
825 my_id
= entry
->my_id
->get_encoding(entry
->my_id
);
826 other_id
= entry
->other_id
->get_encoding(entry
->other_id
);
827 family
= entry
->other
->get_family(entry
->other
);
828 row
= chunk_hash_inc(other_id
, chunk_hash(my_id
)) & this->table_mask
;
829 segment
= row
& this->segment_mask
;
830 lock
= this->connected_peers_segments
[segment
].lock
;
831 lock
->write_lock(lock
);
832 item
= this->connected_peers_table
[row
];
835 connected_peers
= item
->value
;
837 if (connected_peers_match(connected_peers
, entry
->my_id
,
838 entry
->other_id
, family
))
840 if (connected_peers
->sas
->find_first(connected_peers
->sas
,
841 (linked_list_match_t
)entry
->ike_sa_id
->equals
,
842 NULL
, entry
->ike_sa_id
) == SUCCESS
)
854 INIT(connected_peers
,
855 .my_id
= entry
->my_id
->clone(entry
->my_id
),
856 .other_id
= entry
->other_id
->clone(entry
->other_id
),
858 .sas
= linked_list_create(),
861 .value
= connected_peers
,
862 .next
= this->connected_peers_table
[row
],
864 this->connected_peers_table
[row
] = item
;
866 connected_peers
->sas
->insert_last(connected_peers
->sas
,
867 entry
->ike_sa_id
->clone(entry
->ike_sa_id
));
868 this->connected_peers_segments
[segment
].count
++;
873 * Remove an SA between two peers from the hash table.
875 static void remove_connected_peers(private_ike_sa_manager_t
*this, entry_t
*entry
)
877 table_item_t
*item
, *prev
= NULL
;
880 chunk_t my_id
, other_id
;
883 my_id
= entry
->my_id
->get_encoding(entry
->my_id
);
884 other_id
= entry
->other_id
->get_encoding(entry
->other_id
);
885 family
= entry
->other
->get_family(entry
->other
);
887 row
= chunk_hash_inc(other_id
, chunk_hash(my_id
)) & this->table_mask
;
888 segment
= row
& this->segment_mask
;
890 lock
= this->connected_peers_segments
[segment
].lock
;
891 lock
->write_lock(lock
);
892 item
= this->connected_peers_table
[row
];
895 connected_peers_t
*current
= item
->value
;
897 if (connected_peers_match(current
, entry
->my_id
, entry
->other_id
,
900 enumerator_t
*enumerator
;
901 ike_sa_id_t
*ike_sa_id
;
903 enumerator
= current
->sas
->create_enumerator(current
->sas
);
904 while (enumerator
->enumerate(enumerator
, &ike_sa_id
))
906 if (ike_sa_id
->equals(ike_sa_id
, entry
->ike_sa_id
))
908 current
->sas
->remove_at(current
->sas
, enumerator
);
909 ike_sa_id
->destroy(ike_sa_id
);
910 this->connected_peers_segments
[segment
].count
--;
914 enumerator
->destroy(enumerator
);
915 if (current
->sas
->get_count(current
->sas
) == 0)
919 prev
->next
= item
->next
;
923 this->connected_peers_table
[row
] = item
->next
;
925 connected_peers_destroy(current
);
937 * Get a random SPI for new IKE_SAs
939 static u_int64_t
get_spi(private_ike_sa_manager_t
*this)
944 this->rng
->get_bytes(this->rng
, sizeof(spi
), (u_int8_t
*)&spi
))
952 * Calculate the hash of the initial IKE message. Memory for the hash is
953 * allocated on success.
955 * @returns TRUE on success
957 static bool get_init_hash(private_ike_sa_manager_t
*this, message_t
*message
,
963 { /* this might be the case when flush() has been called */
966 if (message
->get_first_payload_type(message
) == FRAGMENT_V1
)
967 { /* only hash the source IP, port and SPI for fragmented init messages */
971 src
= message
->get_source(message
);
972 if (!this->hasher
->allocate_hash(this->hasher
,
973 src
->get_address(src
), NULL
))
977 port
= src
->get_port(src
);
978 if (!this->hasher
->allocate_hash(this->hasher
,
979 chunk_from_thing(port
), NULL
))
983 spi
= message
->get_initiator_spi(message
);
984 return this->hasher
->allocate_hash(this->hasher
,
985 chunk_from_thing(spi
), hash
);
987 if (message
->get_exchange_type(message
) == ID_PROT
)
988 { /* include the source for Main Mode as the hash will be the same if
989 * SPIs are reused by two initiators that use the same proposal */
990 src
= message
->get_source(message
);
992 if (!this->hasher
->allocate_hash(this->hasher
,
993 src
->get_address(src
), NULL
))
998 return this->hasher
->allocate_hash(this->hasher
,
999 message
->get_packet_data(message
), hash
);
1003 * Check if we already have created an IKE_SA based on the initial IKE message
1004 * with the given hash.
1005 * If not the hash is stored, the hash data is not(!) cloned.
1007 * Also, the local SPI is returned. In case of a retransmit this is already
1008 * stored together with the hash, otherwise it is newly allocated and should
1009 * be used to create the IKE_SA.
1011 * @returns ALREADY_DONE if the message with the given hash has been seen before
1012 * NOT_FOUND if the message hash was not found
1013 * FAILED if the SPI allocation failed
1015 static status_t
check_and_put_init_hash(private_ike_sa_manager_t
*this,
1016 chunk_t init_hash
, u_int64_t
*our_spi
)
1024 row
= chunk_hash(init_hash
) & this->table_mask
;
1025 segment
= row
& this->segment_mask
;
1026 mutex
= this->init_hashes_segments
[segment
].mutex
;
1028 item
= this->init_hashes_table
[row
];
1031 init_hash_t
*current
= item
->value
;
1033 if (chunk_equals(init_hash
, current
->hash
))
1035 *our_spi
= current
->our_spi
;
1036 mutex
->unlock(mutex
);
1037 return ALREADY_DONE
;
1042 spi
= get_spi(this);
1050 .len
= init_hash
.len
,
1051 .ptr
= init_hash
.ptr
,
1057 .next
= this->init_hashes_table
[row
],
1059 this->init_hashes_table
[row
] = item
;
1060 *our_spi
= init
->our_spi
;
1061 mutex
->unlock(mutex
);
1066 * Remove the hash of an initial IKE message from the cache.
1068 static void remove_init_hash(private_ike_sa_manager_t
*this, chunk_t init_hash
)
1070 table_item_t
*item
, *prev
= NULL
;
1074 row
= chunk_hash(init_hash
) & this->table_mask
;
1075 segment
= row
& this->segment_mask
;
1076 mutex
= this->init_hashes_segments
[segment
].mutex
;
1078 item
= this->init_hashes_table
[row
];
1081 init_hash_t
*current
= item
->value
;
1083 if (chunk_equals(init_hash
, current
->hash
))
1087 prev
->next
= item
->next
;
1091 this->init_hashes_table
[row
] = item
->next
;
1100 mutex
->unlock(mutex
);
1103 METHOD(ike_sa_manager_t
, checkout
, ike_sa_t
*,
1104 private_ike_sa_manager_t
*this, ike_sa_id_t
*ike_sa_id
)
1106 ike_sa_t
*ike_sa
= NULL
;
1110 DBG2(DBG_MGR
, "checkout IKE_SA");
1112 if (get_entry_by_id(this, ike_sa_id
, &entry
, &segment
) == SUCCESS
)
1114 if (wait_for_entry(this, entry
, segment
))
1116 entry
->checked_out
= TRUE
;
1117 ike_sa
= entry
->ike_sa
;
1118 DBG2(DBG_MGR
, "IKE_SA %s[%u] successfully checked out",
1119 ike_sa
->get_name(ike_sa
), ike_sa
->get_unique_id(ike_sa
));
1121 unlock_single_segment(this, segment
);
1123 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1127 METHOD(ike_sa_manager_t
, checkout_new
, ike_sa_t
*,
1128 private_ike_sa_manager_t
* this, ike_version_t version
, bool initiator
)
1130 ike_sa_id_t
*ike_sa_id
;
1132 u_int8_t ike_version
;
1135 ike_version
= version
== IKEV1
? IKEV1_MAJOR_VERSION
: IKEV2_MAJOR_VERSION
;
1137 spi
= get_spi(this);
1140 DBG1(DBG_MGR
, "failed to allocate SPI for new IKE_SA");
1146 ike_sa_id
= ike_sa_id_create(ike_version
, spi
, 0, TRUE
);
1150 ike_sa_id
= ike_sa_id_create(ike_version
, 0, spi
, FALSE
);
1152 ike_sa
= ike_sa_create(ike_sa_id
, initiator
, version
);
1153 ike_sa_id
->destroy(ike_sa_id
);
1157 DBG2(DBG_MGR
, "created IKE_SA %s[%u]", ike_sa
->get_name(ike_sa
),
1158 ike_sa
->get_unique_id(ike_sa
));
1164 * Get the message ID or message hash to detect early retransmissions
1166 static u_int32_t
get_message_id_or_hash(message_t
*message
)
1168 /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */
1169 if (message
->get_major_version(message
) == IKEV1_MAJOR_VERSION
&&
1170 message
->get_message_id(message
) == 0)
1172 return chunk_hash(message
->get_packet_data(message
));
1174 return message
->get_message_id(message
);
1177 METHOD(ike_sa_manager_t
, checkout_by_message
, ike_sa_t
*,
1178 private_ike_sa_manager_t
* this, message_t
*message
)
1182 ike_sa_t
*ike_sa
= NULL
;
1184 ike_version_t ike_version
;
1185 bool is_init
= FALSE
;
1187 id
= message
->get_ike_sa_id(message
);
1188 /* clone the IKE_SA ID so we can modify the initiator flag */
1190 id
->switch_initiator(id
);
1192 DBG2(DBG_MGR
, "checkout IKE_SA by message");
1194 if (id
->get_responder_spi(id
) == 0)
1196 if (message
->get_major_version(message
) == IKEV2_MAJOR_VERSION
)
1198 if (message
->get_exchange_type(message
) == IKE_SA_INIT
&&
1199 message
->get_request(message
))
1201 ike_version
= IKEV2
;
1207 if (message
->get_exchange_type(message
) == ID_PROT
||
1208 message
->get_exchange_type(message
) == AGGRESSIVE
)
1210 ike_version
= IKEV1
;
1212 if (id
->is_initiator(id
))
1213 { /* not set in IKEv1, switch back before applying to new SA */
1214 id
->switch_initiator(id
);
1225 if (!get_init_hash(this, message
, &hash
))
1227 DBG1(DBG_MGR
, "ignoring message, failed to hash message");
1232 /* ensure this is not a retransmit of an already handled init message */
1233 switch (check_and_put_init_hash(this, hash
, &our_spi
))
1236 { /* we've not seen this packet yet, create a new IKE_SA */
1237 if (!this->ikesa_limit
||
1238 this->public.get_count(&this->public) < this->ikesa_limit
)
1240 id
->set_responder_spi(id
, our_spi
);
1241 ike_sa
= ike_sa_create(id
, FALSE
, ike_version
);
1244 entry
= entry_create();
1245 entry
->ike_sa
= ike_sa
;
1246 entry
->ike_sa_id
= id
;
1248 segment
= put_entry(this, entry
);
1249 entry
->checked_out
= TRUE
;
1250 unlock_single_segment(this, segment
);
1252 entry
->processing
= get_message_id_or_hash(message
);
1253 entry
->init_hash
= hash
;
1255 DBG2(DBG_MGR
, "created IKE_SA %s[%u]",
1256 ike_sa
->get_name(ike_sa
),
1257 ike_sa
->get_unique_id(ike_sa
));
1259 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1264 DBG1(DBG_MGR
, "creating IKE_SA failed, ignoring message");
1269 DBG1(DBG_MGR
, "ignoring %N, hitting IKE_SA limit (%u)",
1270 exchange_type_names
, message
->get_exchange_type(message
),
1273 remove_init_hash(this, hash
);
1279 { /* we failed to allocate an SPI */
1282 DBG1(DBG_MGR
, "ignoring message, failed to allocate SPI");
1289 /* it looks like we already handled this init message to some degree */
1290 id
->set_responder_spi(id
, our_spi
);
1294 if (get_entry_by_id(this, id
, &entry
, &segment
) == SUCCESS
)
1296 /* only check out if we are not already processing it. */
1297 if (entry
->processing
== get_message_id_or_hash(message
))
1299 DBG1(DBG_MGR
, "ignoring request with ID %u, already processing",
1302 else if (wait_for_entry(this, entry
, segment
))
1304 ike_sa_id_t
*ike_id
;
1306 ike_id
= entry
->ike_sa
->get_id(entry
->ike_sa
);
1307 entry
->checked_out
= TRUE
;
1308 if (message
->get_first_payload_type(message
) != FRAGMENT_V1
)
1310 entry
->processing
= get_message_id_or_hash(message
);
1312 if (ike_id
->get_responder_spi(ike_id
) == 0)
1314 ike_id
->set_responder_spi(ike_id
, id
->get_responder_spi(id
));
1316 ike_sa
= entry
->ike_sa
;
1317 DBG2(DBG_MGR
, "IKE_SA %s[%u] successfully checked out",
1318 ike_sa
->get_name(ike_sa
), ike_sa
->get_unique_id(ike_sa
));
1320 unlock_single_segment(this, segment
);
1324 charon
->bus
->alert(charon
->bus
, ALERT_INVALID_IKE_SPI
, message
);
1327 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1331 METHOD(ike_sa_manager_t
, checkout_by_config
, ike_sa_t
*,
1332 private_ike_sa_manager_t
*this, peer_cfg_t
*peer_cfg
)
1334 enumerator_t
*enumerator
;
1336 ike_sa_t
*ike_sa
= NULL
;
1337 peer_cfg_t
*current_peer
;
1338 ike_cfg_t
*current_ike
;
1341 DBG2(DBG_MGR
, "checkout IKE_SA by config");
1343 if (!this->reuse_ikesa
)
1344 { /* IKE_SA reuse disable by config */
1345 ike_sa
= checkout_new(this, peer_cfg
->get_ike_version(peer_cfg
), TRUE
);
1346 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1350 enumerator
= create_table_enumerator(this);
1351 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1353 if (!wait_for_entry(this, entry
, segment
))
1357 if (entry
->ike_sa
->get_state(entry
->ike_sa
) == IKE_DELETING
)
1358 { /* skip IKE_SAs which are not usable */
1362 current_peer
= entry
->ike_sa
->get_peer_cfg(entry
->ike_sa
);
1363 if (current_peer
&& current_peer
->equals(current_peer
, peer_cfg
))
1365 current_ike
= current_peer
->get_ike_cfg(current_peer
);
1366 if (current_ike
->equals(current_ike
, peer_cfg
->get_ike_cfg(peer_cfg
)))
1368 entry
->checked_out
= TRUE
;
1369 ike_sa
= entry
->ike_sa
;
1370 DBG2(DBG_MGR
, "found existing IKE_SA %u with a '%s' config",
1371 ike_sa
->get_unique_id(ike_sa
),
1372 current_peer
->get_name(current_peer
));
1377 enumerator
->destroy(enumerator
);
1380 { /* no IKE_SA using such a config, hand out a new */
1381 ike_sa
= checkout_new(this, peer_cfg
->get_ike_version(peer_cfg
), TRUE
);
1383 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1387 METHOD(ike_sa_manager_t
, checkout_by_id
, ike_sa_t
*,
1388 private_ike_sa_manager_t
*this, u_int32_t id
, bool child
)
1390 enumerator_t
*enumerator
, *children
;
1392 ike_sa_t
*ike_sa
= NULL
;
1393 child_sa_t
*child_sa
;
1396 DBG2(DBG_MGR
, "checkout IKE_SA by ID");
1398 enumerator
= create_table_enumerator(this);
1399 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1401 if (wait_for_entry(this, entry
, segment
))
1403 /* look for a child with such a reqid ... */
1406 children
= entry
->ike_sa
->create_child_sa_enumerator(entry
->ike_sa
);
1407 while (children
->enumerate(children
, (void**)&child_sa
))
1409 if (child_sa
->get_reqid(child_sa
) == id
)
1411 ike_sa
= entry
->ike_sa
;
1415 children
->destroy(children
);
1417 else /* ... or for a IKE_SA with such a unique id */
1419 if (entry
->ike_sa
->get_unique_id(entry
->ike_sa
) == id
)
1421 ike_sa
= entry
->ike_sa
;
1424 /* got one, return */
1427 entry
->checked_out
= TRUE
;
1428 DBG2(DBG_MGR
, "IKE_SA %s[%u] successfully checked out",
1429 ike_sa
->get_name(ike_sa
), ike_sa
->get_unique_id(ike_sa
));
1434 enumerator
->destroy(enumerator
);
1436 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1440 METHOD(ike_sa_manager_t
, checkout_by_name
, ike_sa_t
*,
1441 private_ike_sa_manager_t
*this, char *name
, bool child
)
1443 enumerator_t
*enumerator
, *children
;
1445 ike_sa_t
*ike_sa
= NULL
;
1446 child_sa_t
*child_sa
;
1449 enumerator
= create_table_enumerator(this);
1450 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1452 if (wait_for_entry(this, entry
, segment
))
1454 /* look for a child with such a policy name ... */
1457 children
= entry
->ike_sa
->create_child_sa_enumerator(entry
->ike_sa
);
1458 while (children
->enumerate(children
, (void**)&child_sa
))
1460 if (streq(child_sa
->get_name(child_sa
), name
))
1462 ike_sa
= entry
->ike_sa
;
1466 children
->destroy(children
);
1468 else /* ... or for a IKE_SA with such a connection name */
1470 if (streq(entry
->ike_sa
->get_name(entry
->ike_sa
), name
))
1472 ike_sa
= entry
->ike_sa
;
1475 /* got one, return */
1478 entry
->checked_out
= TRUE
;
1479 DBG2(DBG_MGR
, "IKE_SA %s[%u] successfully checked out",
1480 ike_sa
->get_name(ike_sa
), ike_sa
->get_unique_id(ike_sa
));
1485 enumerator
->destroy(enumerator
);
1487 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1492 * enumerator filter function, waiting variant
1494 static bool enumerator_filter_wait(private_ike_sa_manager_t
*this,
1495 entry_t
**in
, ike_sa_t
**out
, u_int
*segment
)
1497 if (wait_for_entry(this, *in
, *segment
))
1499 *out
= (*in
)->ike_sa
;
1500 charon
->bus
->set_sa(charon
->bus
, *out
);
1507 * enumerator filter function, skipping variant
1509 static bool enumerator_filter_skip(private_ike_sa_manager_t
*this,
1510 entry_t
**in
, ike_sa_t
**out
, u_int
*segment
)
1512 if (!(*in
)->driveout_new_threads
&&
1513 !(*in
)->driveout_waiting_threads
&&
1514 !(*in
)->checked_out
)
1516 *out
= (*in
)->ike_sa
;
1517 charon
->bus
->set_sa(charon
->bus
, *out
);
1524 * Reset threads SA after enumeration
1526 static void reset_sa(void *data
)
1528 charon
->bus
->set_sa(charon
->bus
, NULL
);
1531 METHOD(ike_sa_manager_t
, create_enumerator
, enumerator_t
*,
1532 private_ike_sa_manager_t
* this, bool wait
)
1534 return enumerator_create_filter(create_table_enumerator(this),
1535 wait
? (void*)enumerator_filter_wait
: (void*)enumerator_filter_skip
,
1539 METHOD(ike_sa_manager_t
, checkin
, void,
1540 private_ike_sa_manager_t
*this, ike_sa_t
*ike_sa
)
1542 /* to check the SA back in, we look for the pointer of the ike_sa
1544 * The lookup is done by initiator SPI, so even if the SPI has changed (e.g.
1545 * on reception of a IKE_SA_INIT response) the lookup will work but
1546 * updating of the SPI MAY be necessary...
1549 ike_sa_id_t
*ike_sa_id
;
1551 identification_t
*my_id
, *other_id
;
1554 ike_sa_id
= ike_sa
->get_id(ike_sa
);
1555 my_id
= ike_sa
->get_my_id(ike_sa
);
1556 other_id
= ike_sa
->get_other_eap_id(ike_sa
);
1557 other
= ike_sa
->get_other_host(ike_sa
);
1559 DBG2(DBG_MGR
, "checkin IKE_SA %s[%u]", ike_sa
->get_name(ike_sa
),
1560 ike_sa
->get_unique_id(ike_sa
));
1562 /* look for the entry */
1563 if (get_entry_by_sa(this, ike_sa_id
, ike_sa
, &entry
, &segment
) == SUCCESS
)
1565 /* ike_sa_id must be updated */
1566 entry
->ike_sa_id
->replace_values(entry
->ike_sa_id
, ike_sa
->get_id(ike_sa
));
1567 /* signal waiting threads */
1568 entry
->checked_out
= FALSE
;
1569 entry
->processing
= -1;
1570 /* check if this SA is half-open */
1571 if (entry
->half_open
&& ike_sa
->get_state(ike_sa
) != IKE_CONNECTING
)
1573 /* not half open anymore */
1574 entry
->half_open
= FALSE
;
1575 remove_half_open(this, entry
);
1577 else if (entry
->half_open
&& !other
->ip_equals(other
, entry
->other
))
1579 /* the other host's IP has changed, we must update the hash table */
1580 remove_half_open(this, entry
);
1581 DESTROY_IF(entry
->other
);
1582 entry
->other
= other
->clone(other
);
1583 put_half_open(this, entry
);
1585 else if (!entry
->half_open
&&
1586 !entry
->ike_sa_id
->is_initiator(entry
->ike_sa_id
) &&
1587 ike_sa
->get_state(ike_sa
) == IKE_CONNECTING
)
1589 /* this is a new half-open SA */
1590 entry
->half_open
= TRUE
;
1591 entry
->other
= other
->clone(other
);
1592 put_half_open(this, entry
);
1594 DBG2(DBG_MGR
, "check-in of IKE_SA successful.");
1595 entry
->condvar
->signal(entry
->condvar
);
1599 entry
= entry_create();
1600 entry
->ike_sa_id
= ike_sa_id
->clone(ike_sa_id
);
1601 entry
->ike_sa
= ike_sa
;
1602 segment
= put_entry(this, entry
);
1605 /* apply identities for duplicate test */
1606 if ((ike_sa
->get_state(ike_sa
) == IKE_ESTABLISHED
||
1607 ike_sa
->get_state(ike_sa
) == IKE_PASSIVE
) &&
1608 entry
->my_id
== NULL
&& entry
->other_id
== NULL
)
1610 if (ike_sa
->get_version(ike_sa
) == IKEV1
)
1612 /* If authenticated and received INITIAL_CONTACT,
1613 * delete any existing IKE_SAs with that peer. */
1614 if (ike_sa
->has_condition(ike_sa
, COND_INIT_CONTACT_SEEN
))
1616 this->public.check_uniqueness(&this->public, ike_sa
, TRUE
);
1617 ike_sa
->set_condition(ike_sa
, COND_INIT_CONTACT_SEEN
, FALSE
);
1621 entry
->my_id
= my_id
->clone(my_id
);
1622 entry
->other_id
= other_id
->clone(other_id
);
1625 entry
->other
= other
->clone(other
);
1627 put_connected_peers(this, entry
);
1630 unlock_single_segment(this, segment
);
1632 charon
->bus
->set_sa(charon
->bus
, NULL
);
1635 METHOD(ike_sa_manager_t
, checkin_and_destroy
, void,
1636 private_ike_sa_manager_t
*this, ike_sa_t
*ike_sa
)
1638 /* deletion is a bit complex, we must ensure that no thread is waiting for
1640 * We take this SA from the table, and start signaling while threads
1641 * are in the condvar.
1644 ike_sa_id_t
*ike_sa_id
;
1647 ike_sa_id
= ike_sa
->get_id(ike_sa
);
1649 DBG2(DBG_MGR
, "checkin and destroy IKE_SA %s[%u]", ike_sa
->get_name(ike_sa
),
1650 ike_sa
->get_unique_id(ike_sa
));
1652 if (get_entry_by_sa(this, ike_sa_id
, ike_sa
, &entry
, &segment
) == SUCCESS
)
1654 if (entry
->driveout_waiting_threads
&& entry
->driveout_new_threads
)
1655 { /* it looks like flush() has been called and the SA is being deleted
1656 * anyway, just check it in */
1657 DBG2(DBG_MGR
, "ignored check-in and destroy of IKE_SA during shutdown");
1658 entry
->checked_out
= FALSE
;
1659 entry
->condvar
->broadcast(entry
->condvar
);
1660 unlock_single_segment(this, segment
);
1664 /* drive out waiting threads, as we are in hurry */
1665 entry
->driveout_waiting_threads
= TRUE
;
1666 /* mark it, so no new threads can get this entry */
1667 entry
->driveout_new_threads
= TRUE
;
1668 /* wait until all workers have done their work */
1669 while (entry
->waiting_threads
)
1672 entry
->condvar
->broadcast(entry
->condvar
);
1673 /* they will wake us again when their work is done */
1674 entry
->condvar
->wait(entry
->condvar
, this->segments
[segment
].mutex
);
1676 remove_entry(this, entry
);
1677 unlock_single_segment(this, segment
);
1679 if (entry
->half_open
)
1681 remove_half_open(this, entry
);
1683 if (entry
->my_id
&& entry
->other_id
)
1685 remove_connected_peers(this, entry
);
1687 if (entry
->init_hash
.ptr
)
1689 remove_init_hash(this, entry
->init_hash
);
1692 entry_destroy(entry
);
1694 DBG2(DBG_MGR
, "check-in and destroy of IKE_SA successful");
1698 DBG1(DBG_MGR
, "tried to check-in and delete nonexisting IKE_SA");
1699 ike_sa
->destroy(ike_sa
);
1701 charon
->bus
->set_sa(charon
->bus
, NULL
);
1705 * Cleanup function for create_id_enumerator
1707 static void id_enumerator_cleanup(linked_list_t
*ids
)
1709 ids
->destroy_offset(ids
, offsetof(ike_sa_id_t
, destroy
));
1712 METHOD(ike_sa_manager_t
, create_id_enumerator
, enumerator_t
*,
1713 private_ike_sa_manager_t
*this, identification_t
*me
,
1714 identification_t
*other
, int family
)
1719 linked_list_t
*ids
= NULL
;
1721 row
= chunk_hash_inc(other
->get_encoding(other
),
1722 chunk_hash(me
->get_encoding(me
))) & this->table_mask
;
1723 segment
= row
& this->segment_mask
;
1725 lock
= this->connected_peers_segments
[segment
].lock
;
1726 lock
->read_lock(lock
);
1727 item
= this->connected_peers_table
[row
];
1730 connected_peers_t
*current
= item
->value
;
1732 if (connected_peers_match(current
, me
, other
, family
))
1734 ids
= current
->sas
->clone_offset(current
->sas
,
1735 offsetof(ike_sa_id_t
, clone
));
1744 return enumerator_create_empty();
1746 return enumerator_create_cleaner(ids
->create_enumerator(ids
),
1747 (void*)id_enumerator_cleanup
, ids
);
1751 * Move all CHILD_SAs from old to new
1753 static void adopt_children(ike_sa_t
*old
, ike_sa_t
*new)
1755 enumerator_t
*enumerator
;
1756 child_sa_t
*child_sa
;
1758 enumerator
= old
->create_child_sa_enumerator(old
);
1759 while (enumerator
->enumerate(enumerator
, &child_sa
))
1761 old
->remove_child_sa(old
, enumerator
);
1762 new->add_child_sa(new, child_sa
);
1764 enumerator
->destroy(enumerator
);
1767 METHOD(ike_sa_manager_t
, check_uniqueness
, bool,
1768 private_ike_sa_manager_t
*this, ike_sa_t
*ike_sa
, bool force_replace
)
1770 bool cancel
= FALSE
;
1771 peer_cfg_t
*peer_cfg
;
1772 unique_policy_t policy
;
1773 enumerator_t
*enumerator
;
1774 ike_sa_id_t
*id
= NULL
;
1775 identification_t
*me
, *other
;
1778 peer_cfg
= ike_sa
->get_peer_cfg(ike_sa
);
1779 policy
= peer_cfg
->get_unique_policy(peer_cfg
);
1780 if (policy
== UNIQUE_NEVER
|| (policy
== UNIQUE_NO
&& !force_replace
))
1784 me
= ike_sa
->get_my_id(ike_sa
);
1785 other
= ike_sa
->get_other_eap_id(ike_sa
);
1786 other_host
= ike_sa
->get_other_host(ike_sa
);
1788 enumerator
= create_id_enumerator(this, me
, other
,
1789 other_host
->get_family(other_host
));
1790 while (enumerator
->enumerate(enumerator
, &id
))
1792 status_t status
= SUCCESS
;
1793 ike_sa_t
*duplicate
;
1795 duplicate
= checkout(this, id
);
1802 DBG1(DBG_IKE
, "destroying duplicate IKE_SA for peer '%Y', "
1803 "received INITIAL_CONTACT", other
);
1804 charon
->bus
->ike_updown(charon
->bus
, duplicate
, FALSE
);
1805 checkin_and_destroy(this, duplicate
);
1808 peer_cfg
= duplicate
->get_peer_cfg(duplicate
);
1809 if (peer_cfg
&& peer_cfg
->equals(peer_cfg
, ike_sa
->get_peer_cfg(ike_sa
)))
1811 switch (duplicate
->get_state(duplicate
))
1813 case IKE_ESTABLISHED
:
1817 case UNIQUE_REPLACE
:
1818 charon
->bus
->alert(charon
->bus
, ALERT_UNIQUE_REPLACE
);
1819 if (duplicate
->get_version(duplicate
) == IKEV1
)
1821 adopt_children(duplicate
, ike_sa
);
1823 DBG1(DBG_IKE
, "deleting duplicate IKE_SA for peer "
1824 "'%Y' due to uniqueness policy", other
);
1825 status
= duplicate
->delete(duplicate
);
1829 /* we keep the first IKE_SA and delete all
1830 * other duplicates that might exist */
1831 policy
= UNIQUE_REPLACE
;
1841 if (status
== DESTROY_ME
)
1843 checkin_and_destroy(this, duplicate
);
1847 checkin(this, duplicate
);
1850 enumerator
->destroy(enumerator
);
1851 /* reset thread's current IKE_SA after checkin */
1852 charon
->bus
->set_sa(charon
->bus
, ike_sa
);
1856 METHOD(ike_sa_manager_t
, has_contact
, bool,
1857 private_ike_sa_manager_t
*this, identification_t
*me
,
1858 identification_t
*other
, int family
)
1865 row
= chunk_hash_inc(other
->get_encoding(other
),
1866 chunk_hash(me
->get_encoding(me
))) & this->table_mask
;
1867 segment
= row
& this->segment_mask
;
1868 lock
= this->connected_peers_segments
[segment
].lock
;
1869 lock
->read_lock(lock
);
1870 item
= this->connected_peers_table
[row
];
1873 if (connected_peers_match(item
->value
, me
, other
, family
))
1885 METHOD(ike_sa_manager_t
, get_count
, u_int
,
1886 private_ike_sa_manager_t
*this)
1888 u_int segment
, count
= 0;
1891 for (segment
= 0; segment
< this->segment_count
; segment
++)
1893 mutex
= this->segments
[segment
& this->segment_mask
].mutex
;
1895 count
+= this->segments
[segment
].count
;
1896 mutex
->unlock(mutex
);
1901 METHOD(ike_sa_manager_t
, get_half_open_count
, u_int
,
1902 private_ike_sa_manager_t
*this, host_t
*ip
)
1912 addr
= ip
->get_address(ip
);
1913 row
= chunk_hash(addr
) & this->table_mask
;
1914 segment
= row
& this->segment_mask
;
1915 lock
= this->half_open_segments
[segment
].lock
;
1916 lock
->read_lock(lock
);
1917 item
= this->half_open_table
[row
];
1920 half_open_t
*half_open
= item
->value
;
1922 if (chunk_equals(addr
, half_open
->other
))
1924 count
= half_open
->count
;
1933 for (segment
= 0; segment
< this->segment_count
; segment
++)
1935 lock
= this->half_open_segments
[segment
].lock
;
1936 lock
->read_lock(lock
);
1937 count
+= this->half_open_segments
[segment
].count
;
1944 METHOD(ike_sa_manager_t
, flush
, void,
1945 private_ike_sa_manager_t
*this)
1947 /* destroy all list entries */
1948 enumerator_t
*enumerator
;
1952 lock_all_segments(this);
1953 DBG2(DBG_MGR
, "going to destroy IKE_SA manager and all managed IKE_SA's");
1954 /* Step 1: drive out all waiting threads */
1955 DBG2(DBG_MGR
, "set driveout flags for all stored IKE_SA's");
1956 enumerator
= create_table_enumerator(this);
1957 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1959 /* do not accept new threads, drive out waiting threads */
1960 entry
->driveout_new_threads
= TRUE
;
1961 entry
->driveout_waiting_threads
= TRUE
;
1963 enumerator
->destroy(enumerator
);
1964 DBG2(DBG_MGR
, "wait for all threads to leave IKE_SA's");
1965 /* Step 2: wait until all are gone */
1966 enumerator
= create_table_enumerator(this);
1967 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1969 while (entry
->waiting_threads
|| entry
->checked_out
)
1972 entry
->condvar
->broadcast(entry
->condvar
);
1973 /* go sleeping until they are gone */
1974 entry
->condvar
->wait(entry
->condvar
, this->segments
[segment
].mutex
);
1977 enumerator
->destroy(enumerator
);
1978 DBG2(DBG_MGR
, "delete all IKE_SA's");
1979 /* Step 3: initiate deletion of all IKE_SAs */
1980 enumerator
= create_table_enumerator(this);
1981 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
1983 charon
->bus
->set_sa(charon
->bus
, entry
->ike_sa
);
1984 if (entry
->ike_sa
->get_version(entry
->ike_sa
) == IKEV2
)
1985 { /* as the delete never gets processed, fire down events */
1986 switch (entry
->ike_sa
->get_state(entry
->ike_sa
))
1988 case IKE_ESTABLISHED
:
1991 charon
->bus
->ike_updown(charon
->bus
, entry
->ike_sa
, FALSE
);
1997 entry
->ike_sa
->delete(entry
->ike_sa
);
1999 enumerator
->destroy(enumerator
);
2001 DBG2(DBG_MGR
, "destroy all entries");
2002 /* Step 4: destroy all entries */
2003 enumerator
= create_table_enumerator(this);
2004 while (enumerator
->enumerate(enumerator
, &entry
, &segment
))
2006 charon
->bus
->set_sa(charon
->bus
, entry
->ike_sa
);
2007 if (entry
->half_open
)
2009 remove_half_open(this, entry
);
2011 if (entry
->my_id
&& entry
->other_id
)
2013 remove_connected_peers(this, entry
);
2015 if (entry
->init_hash
.ptr
)
2017 remove_init_hash(this, entry
->init_hash
);
2019 remove_entry_at((private_enumerator_t
*)enumerator
);
2020 entry_destroy(entry
);
2022 enumerator
->destroy(enumerator
);
2023 charon
->bus
->set_sa(charon
->bus
, NULL
);
2024 unlock_all_segments(this);
2026 this->rng
->destroy(this->rng
);
2028 this->hasher
->destroy(this->hasher
);
2029 this->hasher
= NULL
;
2032 METHOD(ike_sa_manager_t
, destroy
, void,
2033 private_ike_sa_manager_t
*this)
2037 /* these are already cleared in flush() above */
2038 free(this->ike_sa_table
);
2039 free(this->half_open_table
);
2040 free(this->connected_peers_table
);
2041 free(this->init_hashes_table
);
2042 for (i
= 0; i
< this->segment_count
; i
++)
2044 this->segments
[i
].mutex
->destroy(this->segments
[i
].mutex
);
2045 this->half_open_segments
[i
].lock
->destroy(this->half_open_segments
[i
].lock
);
2046 this->connected_peers_segments
[i
].lock
->destroy(this->connected_peers_segments
[i
].lock
);
2047 this->init_hashes_segments
[i
].mutex
->destroy(this->init_hashes_segments
[i
].mutex
);
2049 free(this->segments
);
2050 free(this->half_open_segments
);
2051 free(this->connected_peers_segments
);
2052 free(this->init_hashes_segments
);
2058 * This function returns the next-highest power of two for the given number.
2059 * The algorithm works by setting all bits on the right-hand side of the most
2060 * significant 1 to 1 and then increments the whole number so it rolls over
2061 * to the nearest power of two. Note: returns 0 for n == 0
2063 static u_int
get_nearest_powerof2(u_int n
)
2068 for (i
= 1; i
< sizeof(u_int
) * 8; i
<<= 1)
2076 * Described in header.
2078 ike_sa_manager_t
*ike_sa_manager_create()
2080 private_ike_sa_manager_t
*this;
2085 .checkout
= _checkout
,
2086 .checkout_new
= _checkout_new
,
2087 .checkout_by_message
= _checkout_by_message
,
2088 .checkout_by_config
= _checkout_by_config
,
2089 .checkout_by_id
= _checkout_by_id
,
2090 .checkout_by_name
= _checkout_by_name
,
2091 .check_uniqueness
= _check_uniqueness
,
2092 .has_contact
= _has_contact
,
2093 .create_enumerator
= _create_enumerator
,
2094 .create_id_enumerator
= _create_id_enumerator
,
2095 .checkin
= _checkin
,
2096 .checkin_and_destroy
= _checkin_and_destroy
,
2097 .get_count
= _get_count
,
2098 .get_half_open_count
= _get_half_open_count
,
2100 .destroy
= _destroy
,
2104 this->hasher
= lib
->crypto
->create_hasher(lib
->crypto
, HASH_PREFERRED
);
2105 if (this->hasher
== NULL
)
2107 DBG1(DBG_MGR
, "manager initialization failed, no hasher supported");
2111 this->rng
= lib
->crypto
->create_rng(lib
->crypto
, RNG_WEAK
);
2112 if (this->rng
== NULL
)
2114 DBG1(DBG_MGR
, "manager initialization failed, no RNG supported");
2115 this->hasher
->destroy(this->hasher
);
2120 this->ikesa_limit
= lib
->settings
->get_int(lib
->settings
,
2121 "%s.ikesa_limit", 0, charon
->name
);
2123 this->table_size
= get_nearest_powerof2(lib
->settings
->get_int(
2124 lib
->settings
, "%s.ikesa_table_size",
2125 DEFAULT_HASHTABLE_SIZE
, charon
->name
));
2126 this->table_size
= max(1, min(this->table_size
, MAX_HASHTABLE_SIZE
));
2127 this->table_mask
= this->table_size
- 1;
2129 this->segment_count
= get_nearest_powerof2(lib
->settings
->get_int(
2130 lib
->settings
, "%s.ikesa_table_segments",
2131 DEFAULT_SEGMENT_COUNT
, charon
->name
));
2132 this->segment_count
= max(1, min(this->segment_count
, this->table_size
));
2133 this->segment_mask
= this->segment_count
- 1;
2135 this->ike_sa_table
= calloc(this->table_size
, sizeof(table_item_t
*));
2136 this->segments
= (segment_t
*)calloc(this->segment_count
, sizeof(segment_t
));
2137 for (i
= 0; i
< this->segment_count
; i
++)
2139 this->segments
[i
].mutex
= mutex_create(MUTEX_TYPE_RECURSIVE
);
2140 this->segments
[i
].count
= 0;
2143 /* we use the same table parameters for the table to track half-open SAs */
2144 this->half_open_table
= calloc(this->table_size
, sizeof(table_item_t
*));
2145 this->half_open_segments
= calloc(this->segment_count
, sizeof(shareable_segment_t
));
2146 for (i
= 0; i
< this->segment_count
; i
++)
2148 this->half_open_segments
[i
].lock
= rwlock_create(RWLOCK_TYPE_DEFAULT
);
2149 this->half_open_segments
[i
].count
= 0;
2152 /* also for the hash table used for duplicate tests */
2153 this->connected_peers_table
= calloc(this->table_size
, sizeof(table_item_t
*));
2154 this->connected_peers_segments
= calloc(this->segment_count
, sizeof(shareable_segment_t
));
2155 for (i
= 0; i
< this->segment_count
; i
++)
2157 this->connected_peers_segments
[i
].lock
= rwlock_create(RWLOCK_TYPE_DEFAULT
);
2158 this->connected_peers_segments
[i
].count
= 0;
2161 /* and again for the table of hashes of seen initial IKE messages */
2162 this->init_hashes_table
= calloc(this->table_size
, sizeof(table_item_t
*));
2163 this->init_hashes_segments
= calloc(this->segment_count
, sizeof(segment_t
));
2164 for (i
= 0; i
< this->segment_count
; i
++)
2166 this->init_hashes_segments
[i
].mutex
= mutex_create(MUTEX_TYPE_RECURSIVE
);
2167 this->init_hashes_segments
[i
].count
= 0;
2170 this->reuse_ikesa
= lib
->settings
->get_bool(lib
->settings
,
2171 "%s.reuse_ikesa", TRUE
, charon
->name
);
2172 return &this->public;