]> git.ipfire.org Git - people/ms/strongswan.git/blob - programs/charon/charon/sa/child_sa.c
projects / people / ms / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
- renamed get_block_size of hasher
[people/ms/strongswan.git] / programs / charon / charon / sa / child_sa.c
1 /**
2 * @file child_sa.c
3 *
4 * @brief Implementation of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include <netdb.h>
24
25 #include "child_sa.h"
26
27 #include <daemon.h>
28
29
30 typedef struct sa_policy_t sa_policy_t;
31
32 /**
33 * Struct used to store information for a policy. This
34 * is needed since we must provide all this information
35 * for deleting a policy...
36 */
37 struct sa_policy_t {
38
39 /**
40 * Network on local side
41 */
42 host_t *my_net;
43
44 /**
45 * Network on remote side
46 */
47 host_t *other_net;
48
49 /**
50 * Number of bits for local network (subnet size)
51 */
52 u_int8_t my_net_mask;
53
54 /**
55 * Number of bits for remote network (subnet size)
56 */
57 u_int8_t other_net_mask;
58
59 /**
60 * Protocol for this policy, such as TCP/UDP/ICMP...
61 */
62 int upper_proto;
63 };
64
65 typedef struct private_child_sa_t private_child_sa_t;
66
67 /**
68 * Private data of a child_sa_t object.
69 */
70 struct private_child_sa_t {
71 /**
72 * Public interface of child_sa_t.
73 */
74 child_sa_t public;
75
76 /**
77 * IP of this peer
78 */
79 host_t *me;
80
81 /**
82 * IP of other peer
83 */
84 host_t *other;
85
86 /**
87 * Local security parameter index for AH protocol, 0 if not used
88 */
89 u_int32_t my_ah_spi;
90
91 /**
92 * Local security parameter index for ESP protocol, 0 if not used
93 */
94 u_int32_t my_esp_spi;
95
96 /**
97 * Remote security parameter index for AH protocol, 0 if not used
98 */
99 u_int32_t other_ah_spi;
100
101 /**
102 * Remote security parameter index for ESP protocol, 0 if not used
103 */
104 u_int32_t other_esp_spi;
105
106 /**
107 * List containing policy_id_t objects
108 */
109 linked_list_t *policies;
110
111 /**
112 * reqid used for this child_sa
113 */
114 u_int32_t reqid;
115
116 /**
117 * CHILD_SAs own logger
118 */
119 logger_t *logger;
120 };
121
122 /**
123 * Implements child_sa_t.alloc
124 */
125 static status_t alloc(private_child_sa_t *this, linked_list_t *proposals)
126 {
127 protocol_id_t protocols[2];
128 iterator_t *iterator;
129 proposal_t *proposal;
130 status_t status;
131 u_int i;
132
133 /* iterator through proposals */
134 iterator = proposals->create_iterator(proposals, TRUE);
135 while(iterator->has_next(iterator))
136 {
137 iterator->current(iterator, (void**)&proposal);
138 proposal->get_protocols(proposal, protocols);
139
140 /* check all protocols */
141 for (i = 0; i<2; i++)
142 {
143 switch (protocols[i])
144 {
145 case PROTO_AH:
146 /* do we already have an spi for AH?*/
147 if (this->my_ah_spi == 0)
148 {
149 /* nope, get one */
150 status = charon->kernel_interface->get_spi(
151 charon->kernel_interface,
152 this->me, this->other,
153 PROTO_AH, FALSE,
154 &(this->my_ah_spi));
155 }
156 /* update proposal */
157 proposal->set_spi(proposal, PROTO_AH, (u_int64_t)this->my_ah_spi);
158 break;
159 case PROTO_ESP:
160 /* do we already have an spi for ESP?*/
161 if (this->my_esp_spi == 0)
162 {
163 /* nope, get one */
164 status = charon->kernel_interface->get_spi(
165 charon->kernel_interface,
166 this->me, this->other,
167 PROTO_ESP, FALSE,
168 &(this->my_esp_spi));
169 }
170 /* update proposal */
171 proposal->set_spi(proposal, PROTO_ESP, (u_int64_t)this->my_esp_spi);
172 break;
173 default:
174 break;
175 }
176 if (status != SUCCESS)
177 {
178 iterator->destroy(iterator);
179 return FAILED;
180 }
181 }
182 }
183 iterator->destroy(iterator);
184 return SUCCESS;
185 }
186
187 static status_t install(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus, bool mine)
188 {
189 protocol_id_t protocols[2];
190 u_int32_t spi;
191 encryption_algorithm_t enc_algo;
192 integrity_algorithm_t int_algo;
193 chunk_t enc_key, int_key;
194 algorithm_t *algo;
195 crypter_t *crypter;
196 signer_t *signer;
197 size_t key_size;
198 host_t *src;
199 host_t *dst;
200 status_t status;
201 u_int i;
202
203 /* we must assign the roles to correctly set up the SAs */
204 if (mine)
205 {
206 src = this->me;
207 dst = this->other;
208 }
209 else
210 {
211 dst = this->me;
212 src = this->other;
213 }
214
215 proposal->get_protocols(proposal, protocols);
216 /* derive keys in order as protocols appear */
217 for (i = 0; i<2; i++)
218 {
219 if (protocols[i] != PROTO_NONE)
220 {
221
222 /* now we have to decide which spi to use. Use self allocated, if "mine",
223 * or the one in the proposal, if not "mine" (others). */
224 if (mine)
225 {
226 if (protocols[i] == PROTO_AH)
227 {
228 spi = this->my_ah_spi;
229 }
230 else
231 {
232 spi = this->my_esp_spi;
233 }
234 }
235 else /* use proposals spi */
236 {
237 spi = proposal->get_spi(proposal, protocols[i]);
238 if (protocols[i] == PROTO_AH)
239 {
240 this->other_ah_spi = spi;
241 }
242 else
243 {
244 this->other_esp_spi = spi;
245 }
246 }
247
248 /* derive encryption key first */
249 if (proposal->get_algorithm(proposal, protocols[i], ENCRYPTION_ALGORITHM, &algo))
250 {
251 enc_algo = algo->algorithm;
252 this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s, ",
253 mapping_find(protocol_id_m, protocols[i]),
254 mine ? "me" : "other",
255 mapping_find(transform_type_m, ENCRYPTION_ALGORITHM),
256 mapping_find(encryption_algorithm_m, enc_algo));
257
258 /* we must create a (unused) crypter, since its the only way to get the size
259 * of the key. This is not so nice, since charon must support all algorithms
260 * the kernel supports...
261 * TODO: build something of a encryption algorithm lookup function
262 */
263 crypter = crypter_create(enc_algo, algo->key_size);
264 key_size = crypter->get_key_size(crypter);
265 crypter->destroy(crypter);
266 prf_plus->allocate_bytes(prf_plus, key_size, &enc_key);
267 this->logger->log_chunk(this->logger, PRIVATE, "key:", enc_key);
268 }
269 else
270 {
271 enc_algo = ENCR_UNDEFINED;
272 }
273
274 /* derive integrity key */
275 if (proposal->get_algorithm(proposal, protocols[i], INTEGRITY_ALGORITHM, &algo))
276 {
277 int_algo = algo->algorithm;
278 this->logger->log(this->logger, CONTROL|LEVEL1, "%s for %s: using %s %s,",
279 mapping_find(protocol_id_m, protocols[i]),
280 mine ? "me" : "other",
281 mapping_find(transform_type_m, INTEGRITY_ALGORITHM),
282 mapping_find(integrity_algorithm_m, algo->algorithm));
283
284 signer = signer_create(int_algo);
285 key_size = signer->get_key_size(signer);
286 signer->destroy(signer);
287 prf_plus->allocate_bytes(prf_plus, key_size, &int_key);
288 this->logger->log_chunk(this->logger, PRIVATE, "key:", int_key);
289 }
290 else
291 {
292 int_algo = AUTH_UNDEFINED;
293 }
294 /* send keys down to kernel */
295 this->logger->log(this->logger, CONTROL|LEVEL1,
296 "installing 0x%.8x for %s, src %s dst %s",
297 ntohl(spi), mapping_find(protocol_id_m, protocols[i]),
298 src->get_address(src), dst->get_address(dst));
299 status = charon->kernel_interface->add_sa(charon->kernel_interface,
300 src, dst,
301 spi, protocols[i],
302 this->reqid,
303 enc_algo, enc_key,
304 int_algo, int_key, mine);
305 /* clean up for next round */
306 if (enc_algo != ENCR_UNDEFINED)
307 {
308 chunk_free(&enc_key);
309 }
310 if (int_algo != AUTH_UNDEFINED)
311 {
312 chunk_free(&int_key);
313 }
314
315 if (status != SUCCESS)
316 {
317 return FAILED;
318 }
319
320
321 }
322 }
323 return SUCCESS;
324 }
325
326 static status_t add(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
327 {
328 linked_list_t *list;
329
330 /* install others (initiators) SAs*/
331 if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
332 {
333 return FAILED;
334 }
335
336 /* get SPIs for our SAs */
337 list = linked_list_create();
338 list->insert_last(list, proposal);
339 if (alloc(this, list) != SUCCESS)
340 {
341 list->destroy(list);
342 return FAILED;
343 }
344 list->destroy(list);
345
346 /* install our (responders) SAs */
347 if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
348 {
349 return FAILED;
350 }
351
352 return SUCCESS;
353 }
354
355 static status_t update(private_child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus)
356 {
357 /* install our (initator) SAs */
358 if (install(this, proposal, prf_plus, TRUE) != SUCCESS)
359 {
360 return FAILED;
361 }
362 /* install his (responder) SAs */
363 if (install(this, proposal, prf_plus, FALSE) != SUCCESS)
364 {
365 return FAILED;
366 }
367
368 return SUCCESS;
369 }
370
371 static status_t add_policies(private_child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list)
372 {
373 iterator_t *my_iter, *other_iter;
374 traffic_selector_t *my_ts, *other_ts;
375
376 /* iterate over both lists */
377 my_iter = my_ts_list->create_iterator(my_ts_list, TRUE);
378 other_iter = other_ts_list->create_iterator(other_ts_list, TRUE);
379 while (my_iter->has_next(my_iter))
380 {
381 my_iter->current(my_iter, (void**)&my_ts);
382 other_iter->reset(other_iter);
383 while (other_iter->has_next(other_iter))
384 {
385 /* set up policies for every entry in my_ts_list to every entry in other_ts_list */
386 int family;
387 chunk_t from_addr;
388 u_int16_t from_port, to_port;
389 sa_policy_t *policy;
390 status_t status;
391
392 other_iter->current(other_iter, (void**)&other_ts);
393
394 /* only set up policies if protocol matches */
395 if (my_ts->get_protocol(my_ts) != other_ts->get_protocol(other_ts))
396 {
397 continue;
398 }
399 policy = malloc_thing(sa_policy_t);
400 policy->upper_proto = my_ts->get_protocol(my_ts);
401
402 /* calculate net and ports for local side */
403 family = my_ts->get_type(my_ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
404 from_addr = my_ts->get_from_address(my_ts);
405 from_port = my_ts->get_from_port(my_ts);
406 to_port = my_ts->get_to_port(my_ts);
407 from_port = (from_port != to_port) ? 0 : from_port;
408 policy->my_net = host_create_from_chunk(family, from_addr, from_port);
409 policy->my_net_mask = my_ts->get_netmask(my_ts);
410 chunk_free(&from_addr);
411
412 /* calculate net and ports for remote side */
413 family = other_ts->get_type(other_ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6;
414 from_addr = other_ts->get_from_address(other_ts);
415 from_port = other_ts->get_from_port(other_ts);
416 to_port = other_ts->get_to_port(other_ts);
417 from_port = (from_port != to_port) ? 0 : from_port;
418 policy->other_net = host_create_from_chunk(family, from_addr, from_port);
419 policy->other_net_mask = other_ts->get_netmask(other_ts);
420 chunk_free(&from_addr);
421
422 /* install 3 policies: out, in and forward */
423 status = charon->kernel_interface->add_policy(charon->kernel_interface,
424 this->me, this->other,
425 policy->my_net, policy->other_net,
426 policy->my_net_mask, policy->other_net_mask,
427 XFRM_POLICY_OUT, policy->upper_proto,
428 this->my_ah_spi, this->my_esp_spi,
429 this->reqid);
430
431 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
432 this->other, this->me,
433 policy->other_net, policy->my_net,
434 policy->other_net_mask, policy->my_net_mask,
435 XFRM_POLICY_IN, policy->upper_proto,
436 this->my_ah_spi, this->my_esp_spi,
437 this->reqid);
438
439 status |= charon->kernel_interface->add_policy(charon->kernel_interface,
440 this->other, this->me,
441 policy->other_net, policy->my_net,
442 policy->other_net_mask, policy->my_net_mask,
443 XFRM_POLICY_FWD, policy->upper_proto,
444 this->my_ah_spi, this->my_esp_spi,
445 this->reqid);
446
447 if (status != SUCCESS)
448 {
449 my_iter->destroy(my_iter);
450 other_iter->destroy(other_iter);
451 policy->my_net->destroy(policy->my_net);
452 policy->other_net->destroy(policy->other_net);
453 free(policy);
454 return status;
455 }
456
457 /* add it to the policy list, since we want to know which policies we own */
458 this->policies->insert_last(this->policies, policy);
459 }
460 }
461
462 my_iter->destroy(my_iter);
463 other_iter->destroy(other_iter);
464 return SUCCESS;
465 }
466
467 /**
468 * Implementation of child_sa_t.log_status.
469 */
470 static void log_status(private_child_sa_t *this, logger_t *logger, char* name)
471 {
472 iterator_t *iterator;
473 sa_policy_t *policy;
474 struct protoent *proto;
475 char proto_buf[8] = "";
476 char *proto_name = proto_buf;
477
478 if (logger == NULL)
479 {
480 logger = this->logger;
481 }
482 logger->log(logger, CONTROL|LEVEL1, "\"%s\": protected with ESP (0x%x/0x%x), AH (0x%x,0x%x):",
483 name,
484 htonl(this->my_esp_spi), htonl(this->other_esp_spi),
485 htonl(this->my_ah_spi), htonl(this->other_ah_spi));
486 iterator = this->policies->create_iterator(this->policies, TRUE);
487 while (iterator->has_next(iterator))
488 {
489 iterator->current(iterator, (void**)&policy);
490 if (policy->upper_proto)
491 {
492 proto = getprotobynumber(policy->upper_proto);
493 if (proto)
494 {
495 proto_name = proto->p_name;
496 }
497 else
498 {
499 snprintf(proto_buf, sizeof(proto_buf), "<%d>", policy->upper_proto);
500 }
501 }
502 logger->log(logger, CONTROL, "\"%s\": %s/%d==%s==%s/%d",
503 name,
504 policy->my_net->get_address(policy->my_net), policy->my_net_mask,
505 proto_name,
506 policy->other_net->get_address(policy->other_net), policy->other_net_mask);
507 }
508 iterator->destroy(iterator);
509 }
510
511 /**
512 * Implementation of child_sa_t.destroy.
513 */
514 static void destroy(private_child_sa_t *this)
515 {
516 /* delete all policys in the kernel */
517 sa_policy_t *policy;
518 while (this->policies->remove_last(this->policies, (void**)&policy) == SUCCESS)
519 {
520 charon->kernel_interface->del_policy(charon->kernel_interface,
521 this->me, this->other,
522 policy->my_net, policy->other_net,
523 policy->my_net_mask, policy->other_net_mask,
524 XFRM_POLICY_OUT, policy->upper_proto);
525
526 charon->kernel_interface->del_policy(charon->kernel_interface,
527 this->other, this->me,
528 policy->other_net, policy->my_net,
529 policy->other_net_mask, policy->my_net_mask,
530 XFRM_POLICY_IN, policy->upper_proto);
531
532 charon->kernel_interface->del_policy(charon->kernel_interface,
533 this->other, this->me,
534 policy->other_net, policy->my_net,
535 policy->other_net_mask, policy->my_net_mask,
536 XFRM_POLICY_FWD, policy->upper_proto);
537
538 policy->my_net->destroy(policy->my_net);
539 policy->other_net->destroy(policy->other_net);
540 free(policy);
541 }
542 this->policies->destroy(this->policies);
543
544 /* delete SAs in the kernel, if they are set up */
545 if (this->my_ah_spi)
546 {
547 charon->kernel_interface->del_sa(charon->kernel_interface,
548 this->other, this->my_ah_spi, PROTO_AH);
549 charon->kernel_interface->del_sa(charon->kernel_interface,
550 this->me, this->other_ah_spi, PROTO_AH);
551 }
552 if (this->my_esp_spi)
553 {
554 charon->kernel_interface->del_sa(charon->kernel_interface,
555 this->other, this->my_esp_spi, PROTO_ESP);
556 charon->kernel_interface->del_sa(charon->kernel_interface,
557 this->me, this->other_esp_spi, PROTO_ESP);
558 }
559 free(this);
560 }
561
562 /*
563 * Described in header.
564 */
565 child_sa_t * child_sa_create(host_t *me, host_t* other)
566 {
567 static u_int32_t reqid = 0xc0000000;
568 private_child_sa_t *this = malloc_thing(private_child_sa_t);
569
570 /* public functions */
571 this->public.alloc = (status_t(*)(child_sa_t*,linked_list_t*))alloc;
572 this->public.add = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))add;
573 this->public.update = (status_t(*)(child_sa_t*,proposal_t*,prf_plus_t*))update;
574 this->public.add_policies = (status_t (*)(child_sa_t*, linked_list_t*,linked_list_t*))add_policies;
575 this->public.log_status = (void (*)(child_sa_t*, logger_t*, char*))log_status;
576 this->public.destroy = (void(*)(child_sa_t*))destroy;
577
578 /* private data */
579 this->logger = logger_manager->get_logger(logger_manager, CHILD_SA);
580 this->me = me;
581 this->other = other;
582 this->my_ah_spi = 0;
583 this->my_esp_spi = 0;
584 this->other_ah_spi = 0;
585 this->other_esp_spi = 0;
586 this->reqid = reqid++;
587 this->policies = linked_list_create();
588
589 return (&this->public);
590 }
Michael's strongswan development tree