Annotation of embedaddon/strongswan/src/libcharon/sa/child_sa.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2006-2019 Tobias Brunner
! 3: * Copyright (C) 2016 Andreas Steffen
! 4: * Copyright (C) 2005-2008 Martin Willi
! 5: * Copyright (C) 2006 Daniel Roethlisberger
! 6: * Copyright (C) 2005 Jan Hutter
! 7: * HSR Hochschule fuer Technik Rapperswil
! 8: *
! 9: * This program is free software; you can redistribute it and/or modify it
! 10: * under the terms of the GNU General Public License as published by the
! 11: * Free Software Foundation; either version 2 of the License, or (at your
! 12: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 13: *
! 14: * This program is distributed in the hope that it will be useful, but
! 15: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 16: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 17: * for more details.
! 18: */
! 19:
! 20: #define _GNU_SOURCE
! 21: #include "child_sa.h"
! 22:
! 23: #include <stdio.h>
! 24: #include <string.h>
! 25: #include <time.h>
! 26:
! 27: #include <daemon.h>
! 28: #include <collections/array.h>
! 29:
! 30: ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
! 31: "CREATED",
! 32: "ROUTED",
! 33: "INSTALLING",
! 34: "INSTALLED",
! 35: "UPDATING",
! 36: "REKEYING",
! 37: "REKEYED",
! 38: "RETRYING",
! 39: "DELETING",
! 40: "DELETED",
! 41: "DESTROYING",
! 42: );
! 43:
! 44: ENUM_FLAGS(child_sa_outbound_state_names, CHILD_OUTBOUND_REGISTERED, CHILD_OUTBOUND_POLICIES,
! 45: "REGISTERED",
! 46: "SA",
! 47: "POLICIES",
! 48: );
! 49:
! 50: typedef struct private_child_sa_t private_child_sa_t;
! 51:
! 52: /**
! 53: * Private data of a child_sa_t object.
! 54: */
! 55: struct private_child_sa_t {
! 56: /**
! 57: * Public interface of child_sa_t.
! 58: */
! 59: child_sa_t public;
! 60:
! 61: /**
! 62: * address of us
! 63: */
! 64: host_t *my_addr;
! 65:
! 66: /**
! 67: * address of remote
! 68: */
! 69: host_t *other_addr;
! 70:
! 71: /**
! 72: * our actually used SPI, 0 if unused
! 73: */
! 74: uint32_t my_spi;
! 75:
! 76: /**
! 77: * others used SPI, 0 if unused
! 78: */
! 79: uint32_t other_spi;
! 80:
! 81: /**
! 82: * our Compression Parameter Index (CPI) used, 0 if unused
! 83: */
! 84: uint16_t my_cpi;
! 85:
! 86: /**
! 87: * others Compression Parameter Index (CPI) used, 0 if unused
! 88: */
! 89: uint16_t other_cpi;
! 90:
! 91: /**
! 92: * Array for local traffic selectors
! 93: */
! 94: array_t *my_ts;
! 95:
! 96: /**
! 97: * Array for remote traffic selectors
! 98: */
! 99: array_t *other_ts;
! 100:
! 101: /**
! 102: * Outbound encryption key cached during a rekeying
! 103: */
! 104: chunk_t encr_r;
! 105:
! 106: /**
! 107: * Outbound integrity key cached during a rekeying
! 108: */
! 109: chunk_t integ_r;
! 110:
! 111: /**
! 112: * Whether the outbound SA has only been registered yet during a rekeying
! 113: */
! 114: child_sa_outbound_state_t outbound_state;
! 115:
! 116: /**
! 117: * Whether the peer supports TFCv3
! 118: */
! 119: bool tfcv3;
! 120:
! 121: /**
! 122: * The outbound SPI of the CHILD_SA that replaced this one during a rekeying
! 123: */
! 124: uint32_t rekey_spi;
! 125:
! 126: /**
! 127: * Protocol used to protect this SA, ESP|AH
! 128: */
! 129: protocol_id_t protocol;
! 130:
! 131: /**
! 132: * reqid used for this child_sa
! 133: */
! 134: uint32_t reqid;
! 135:
! 136: /**
! 137: * Did we allocate/confirm and must release the reqid?
! 138: */
! 139: bool reqid_allocated;
! 140:
! 141: /**
! 142: * Is the reqid statically configured
! 143: */
! 144: bool static_reqid;
! 145:
! 146: /**
! 147: * Unique CHILD_SA identifier
! 148: */
! 149: uint32_t unique_id;
! 150:
! 151: /**
! 152: * Whether FWD policies in the outbound direction should be installed
! 153: */
! 154: bool policies_fwd_out;
! 155:
! 156: /**
! 157: * Inbound interface ID
! 158: */
! 159: uint32_t if_id_in;
! 160:
! 161: /**
! 162: * Outbound interface ID
! 163: */
! 164: uint32_t if_id_out;
! 165:
! 166: /**
! 167: * inbound mark used for this child_sa
! 168: */
! 169: mark_t mark_in;
! 170:
! 171: /**
! 172: * outbound mark used for this child_sa
! 173: */
! 174: mark_t mark_out;
! 175:
! 176: /**
! 177: * absolute time when rekeying is scheduled
! 178: */
! 179: time_t rekey_time;
! 180:
! 181: /**
! 182: * absolute time when the SA expires
! 183: */
! 184: time_t expire_time;
! 185:
! 186: /**
! 187: * absolute time when SA has been installed
! 188: */
! 189: time_t install_time;
! 190:
! 191: /**
! 192: * state of the CHILD_SA
! 193: */
! 194: child_sa_state_t state;
! 195:
! 196: /**
! 197: * TRUE if this CHILD_SA is used to install trap policies
! 198: */
! 199: bool trap;
! 200:
! 201: /**
! 202: * Specifies if UDP encapsulation is enabled (NAT traversal)
! 203: */
! 204: bool encap;
! 205:
! 206: /**
! 207: * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
! 208: */
! 209: ipcomp_transform_t ipcomp;
! 210:
! 211: /**
! 212: * mode this SA uses, tunnel/transport
! 213: */
! 214: ipsec_mode_t mode;
! 215:
! 216: /**
! 217: * Action to enforce if peer closes the CHILD_SA
! 218: */
! 219: action_t close_action;
! 220:
! 221: /**
! 222: * Action to enforce if peer is considered dead
! 223: */
! 224: action_t dpd_action;
! 225:
! 226: /**
! 227: * selected proposal
! 228: */
! 229: proposal_t *proposal;
! 230:
! 231: /**
! 232: * config used to create this child
! 233: */
! 234: child_cfg_t *config;
! 235:
! 236: /**
! 237: * time of last use in seconds (inbound)
! 238: */
! 239: time_t my_usetime;
! 240:
! 241: /**
! 242: * time of last use in seconds (outbound)
! 243: */
! 244: time_t other_usetime;
! 245:
! 246: /**
! 247: * last number of inbound bytes
! 248: */
! 249: uint64_t my_usebytes;
! 250:
! 251: /**
! 252: * last number of outbound bytes
! 253: */
! 254: uint64_t other_usebytes;
! 255:
! 256: /**
! 257: * last number of inbound packets
! 258: */
! 259: uint64_t my_usepackets;
! 260:
! 261: /**
! 262: * last number of outbound bytes
! 263: */
! 264: uint64_t other_usepackets;
! 265: };
! 266:
! 267: /**
! 268: * Convert an IKEv2 specific protocol identifier to the IP protocol identifier
! 269: */
! 270: static inline uint8_t proto_ike2ip(protocol_id_t protocol)
! 271: {
! 272: switch (protocol)
! 273: {
! 274: case PROTO_ESP:
! 275: return IPPROTO_ESP;
! 276: case PROTO_AH:
! 277: return IPPROTO_AH;
! 278: default:
! 279: return protocol;
! 280: }
! 281: }
! 282:
! 283: /**
! 284: * Returns the mark to use on the inbound SA
! 285: */
! 286: static inline mark_t mark_in_sa(private_child_sa_t *this)
! 287: {
! 288: if (this->config->has_option(this->config, OPT_MARK_IN_SA))
! 289: {
! 290: return this->mark_in;
! 291: }
! 292: return (mark_t){};
! 293: }
! 294:
! 295: METHOD(child_sa_t, get_name, char*,
! 296: private_child_sa_t *this)
! 297: {
! 298: return this->config->get_name(this->config);
! 299: }
! 300:
! 301: METHOD(child_sa_t, get_reqid, uint32_t,
! 302: private_child_sa_t *this)
! 303: {
! 304: return this->reqid;
! 305: }
! 306:
! 307: METHOD(child_sa_t, get_unique_id, uint32_t,
! 308: private_child_sa_t *this)
! 309: {
! 310: return this->unique_id;
! 311: }
! 312:
! 313: METHOD(child_sa_t, get_config, child_cfg_t*,
! 314: private_child_sa_t *this)
! 315: {
! 316: return this->config;
! 317: }
! 318:
! 319: METHOD(child_sa_t, set_state, void,
! 320: private_child_sa_t *this, child_sa_state_t state)
! 321: {
! 322: if (this->state != state)
! 323: {
! 324: DBG2(DBG_CHD, "CHILD_SA %s{%d} state change: %N => %N",
! 325: get_name(this), this->unique_id,
! 326: child_sa_state_names, this->state,
! 327: child_sa_state_names, state);
! 328: charon->bus->child_state_change(charon->bus, &this->public, state);
! 329: this->state = state;
! 330: }
! 331: }
! 332:
! 333: METHOD(child_sa_t, get_state, child_sa_state_t,
! 334: private_child_sa_t *this)
! 335: {
! 336: return this->state;
! 337: }
! 338:
! 339: METHOD(child_sa_t, get_outbound_state, child_sa_outbound_state_t,
! 340: private_child_sa_t *this)
! 341: {
! 342: return this->outbound_state;
! 343: }
! 344:
! 345: METHOD(child_sa_t, get_spi, uint32_t,
! 346: private_child_sa_t *this, bool inbound)
! 347: {
! 348: return inbound ? this->my_spi : this->other_spi;
! 349: }
! 350:
! 351: METHOD(child_sa_t, get_cpi, uint16_t,
! 352: private_child_sa_t *this, bool inbound)
! 353: {
! 354: return inbound ? this->my_cpi : this->other_cpi;
! 355: }
! 356:
! 357: METHOD(child_sa_t, get_protocol, protocol_id_t,
! 358: private_child_sa_t *this)
! 359: {
! 360: return this->protocol;
! 361: }
! 362:
! 363: METHOD(child_sa_t, set_protocol, void,
! 364: private_child_sa_t *this, protocol_id_t protocol)
! 365: {
! 366: this->protocol = protocol;
! 367: }
! 368:
! 369: METHOD(child_sa_t, get_mode, ipsec_mode_t,
! 370: private_child_sa_t *this)
! 371: {
! 372: return this->mode;
! 373: }
! 374:
! 375: METHOD(child_sa_t, set_mode, void,
! 376: private_child_sa_t *this, ipsec_mode_t mode)
! 377: {
! 378: this->mode = mode;
! 379: }
! 380:
! 381: METHOD(child_sa_t, has_encap, bool,
! 382: private_child_sa_t *this)
! 383: {
! 384: return this->encap;
! 385: }
! 386:
! 387: METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
! 388: private_child_sa_t *this)
! 389: {
! 390: return this->ipcomp;
! 391: }
! 392:
! 393: METHOD(child_sa_t, set_ipcomp, void,
! 394: private_child_sa_t *this, ipcomp_transform_t ipcomp)
! 395: {
! 396: this->ipcomp = ipcomp;
! 397: }
! 398:
! 399: METHOD(child_sa_t, set_close_action, void,
! 400: private_child_sa_t *this, action_t action)
! 401: {
! 402: this->close_action = action;
! 403: }
! 404:
! 405: METHOD(child_sa_t, get_close_action, action_t,
! 406: private_child_sa_t *this)
! 407: {
! 408: return this->close_action;
! 409: }
! 410:
! 411: METHOD(child_sa_t, set_dpd_action, void,
! 412: private_child_sa_t *this, action_t action)
! 413: {
! 414: this->dpd_action = action;
! 415: }
! 416:
! 417: METHOD(child_sa_t, get_dpd_action, action_t,
! 418: private_child_sa_t *this)
! 419: {
! 420: return this->dpd_action;
! 421: }
! 422:
! 423: METHOD(child_sa_t, get_proposal, proposal_t*,
! 424: private_child_sa_t *this)
! 425: {
! 426: return this->proposal;
! 427: }
! 428:
! 429: METHOD(child_sa_t, set_proposal, void,
! 430: private_child_sa_t *this, proposal_t *proposal)
! 431: {
! 432: this->proposal = proposal->clone(proposal, 0);
! 433: }
! 434:
! 435: METHOD(child_sa_t, create_ts_enumerator, enumerator_t*,
! 436: private_child_sa_t *this, bool local)
! 437: {
! 438: if (local)
! 439: {
! 440: return array_create_enumerator(this->my_ts);
! 441: }
! 442: return array_create_enumerator(this->other_ts);
! 443: }
! 444:
! 445: typedef struct policy_enumerator_t policy_enumerator_t;
! 446:
! 447: /**
! 448: * Private policy enumerator
! 449: */
! 450: struct policy_enumerator_t {
! 451: /** implements enumerator_t */
! 452: enumerator_t public;
! 453: /** enumerator over own TS */
! 454: enumerator_t *mine;
! 455: /** enumerator over others TS */
! 456: enumerator_t *other;
! 457: /** array of others TS, to recreate enumerator */
! 458: array_t *array;
! 459: /** currently enumerating TS for "me" side */
! 460: traffic_selector_t *ts;
! 461: };
! 462:
! 463: METHOD(enumerator_t, policy_enumerate, bool,
! 464: policy_enumerator_t *this, va_list args)
! 465: {
! 466: traffic_selector_t *other_ts, **my_out, **other_out;
! 467:
! 468: VA_ARGS_VGET(args, my_out, other_out);
! 469:
! 470: while (this->ts || this->mine->enumerate(this->mine, &this->ts))
! 471: {
! 472: if (!this->other->enumerate(this->other, &other_ts))
! 473: { /* end of others list, restart with new of mine */
! 474: this->other->destroy(this->other);
! 475: this->other = array_create_enumerator(this->array);
! 476: this->ts = NULL;
! 477: continue;
! 478: }
! 479: if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
! 480: { /* family mismatch */
! 481: continue;
! 482: }
! 483: if (this->ts->get_protocol(this->ts) &&
! 484: other_ts->get_protocol(other_ts) &&
! 485: this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
! 486: { /* protocol mismatch */
! 487: continue;
! 488: }
! 489: if (my_out)
! 490: {
! 491: *my_out = this->ts;
! 492: }
! 493: if (other_out)
! 494: {
! 495: *other_out = other_ts;
! 496: }
! 497: return TRUE;
! 498: }
! 499: return FALSE;
! 500: }
! 501:
! 502: METHOD(enumerator_t, policy_destroy, void,
! 503: policy_enumerator_t *this)
! 504: {
! 505: this->mine->destroy(this->mine);
! 506: this->other->destroy(this->other);
! 507: free(this);
! 508: }
! 509:
! 510: METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
! 511: private_child_sa_t *this)
! 512: {
! 513: policy_enumerator_t *e;
! 514:
! 515: INIT(e,
! 516: .public = {
! 517: .enumerate = enumerator_enumerate_default,
! 518: .venumerate = _policy_enumerate,
! 519: .destroy = _policy_destroy,
! 520: },
! 521: .mine = array_create_enumerator(this->my_ts),
! 522: .other = array_create_enumerator(this->other_ts),
! 523: .array = this->other_ts,
! 524: .ts = NULL,
! 525: );
! 526:
! 527: return &e->public;
! 528: }
! 529:
! 530: /**
! 531: * update the cached usebytes
! 532: * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
! 533: * are available, and NOT_SUPPORTED if the kernel interface does not support
! 534: * querying the usebytes.
! 535: */
! 536: static status_t update_usebytes(private_child_sa_t *this, bool inbound)
! 537: {
! 538: status_t status = FAILED;
! 539: uint64_t bytes, packets;
! 540: time_t time;
! 541:
! 542: if (inbound)
! 543: {
! 544: if (this->my_spi)
! 545: {
! 546: kernel_ipsec_sa_id_t id = {
! 547: .src = this->other_addr,
! 548: .dst = this->my_addr,
! 549: .spi = this->my_spi,
! 550: .proto = proto_ike2ip(this->protocol),
! 551: .mark = mark_in_sa(this),
! 552: .if_id = this->if_id_in,
! 553: };
! 554: kernel_ipsec_query_sa_t query = {};
! 555:
! 556: status = charon->kernel->query_sa(charon->kernel, &id, &query,
! 557: &bytes, &packets, &time);
! 558: if (status == SUCCESS)
! 559: {
! 560: if (bytes > this->my_usebytes)
! 561: {
! 562: this->my_usebytes = bytes;
! 563: this->my_usepackets = packets;
! 564: if (time)
! 565: {
! 566: this->my_usetime = time;
! 567: }
! 568: }
! 569: else
! 570: {
! 571: status = FAILED;
! 572: }
! 573: }
! 574: }
! 575: }
! 576: else
! 577: {
! 578: if (this->other_spi && (this->outbound_state & CHILD_OUTBOUND_SA))
! 579: {
! 580: kernel_ipsec_sa_id_t id = {
! 581: .src = this->my_addr,
! 582: .dst = this->other_addr,
! 583: .spi = this->other_spi,
! 584: .proto = proto_ike2ip(this->protocol),
! 585: .mark = this->mark_out,
! 586: .if_id = this->if_id_out,
! 587: };
! 588: kernel_ipsec_query_sa_t query = {};
! 589:
! 590: status = charon->kernel->query_sa(charon->kernel, &id, &query,
! 591: &bytes, &packets, &time);
! 592: if (status == SUCCESS)
! 593: {
! 594: if (bytes > this->other_usebytes)
! 595: {
! 596: this->other_usebytes = bytes;
! 597: this->other_usepackets = packets;
! 598: if (time)
! 599: {
! 600: this->other_usetime = time;
! 601: }
! 602: }
! 603: else
! 604: {
! 605: status = FAILED;
! 606: }
! 607: }
! 608: }
! 609: }
! 610: return status;
! 611: }
! 612:
! 613: /**
! 614: * updates the cached usetime
! 615: */
! 616: static bool update_usetime(private_child_sa_t *this, bool inbound)
! 617: {
! 618: enumerator_t *enumerator;
! 619: traffic_selector_t *my_ts, *other_ts;
! 620: time_t last_use = 0;
! 621:
! 622: enumerator = create_policy_enumerator(this);
! 623: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 624: {
! 625: time_t in, out, fwd;
! 626:
! 627: if (inbound)
! 628: {
! 629: kernel_ipsec_policy_id_t id = {
! 630: .dir = POLICY_IN,
! 631: .src_ts = other_ts,
! 632: .dst_ts = my_ts,
! 633: .mark = this->mark_in,
! 634: .if_id = this->if_id_in,
! 635: };
! 636: kernel_ipsec_query_policy_t query = {};
! 637:
! 638: if (charon->kernel->query_policy(charon->kernel, &id, &query,
! 639: &in) == SUCCESS)
! 640: {
! 641: last_use = max(last_use, in);
! 642: }
! 643: if (this->mode != MODE_TRANSPORT)
! 644: {
! 645: id.dir = POLICY_FWD;
! 646: if (charon->kernel->query_policy(charon->kernel, &id, &query,
! 647: &fwd) == SUCCESS)
! 648: {
! 649: last_use = max(last_use, fwd);
! 650: }
! 651: }
! 652: }
! 653: else
! 654: {
! 655: kernel_ipsec_policy_id_t id = {
! 656: .dir = POLICY_OUT,
! 657: .src_ts = my_ts,
! 658: .dst_ts = other_ts,
! 659: .mark = this->mark_out,
! 660: .if_id = this->if_id_out,
! 661: .interface = this->config->get_interface(this->config),
! 662: };
! 663: kernel_ipsec_query_policy_t query = {};
! 664:
! 665: if (charon->kernel->query_policy(charon->kernel, &id, &query,
! 666: &out) == SUCCESS)
! 667: {
! 668: last_use = max(last_use, out);
! 669: }
! 670: }
! 671: }
! 672: enumerator->destroy(enumerator);
! 673:
! 674: if (last_use == 0)
! 675: {
! 676: return FALSE;
! 677: }
! 678: if (inbound)
! 679: {
! 680: this->my_usetime = last_use;
! 681: }
! 682: else
! 683: {
! 684: this->other_usetime = last_use;
! 685: }
! 686: return TRUE;
! 687: }
! 688:
! 689: METHOD(child_sa_t, get_usestats, void,
! 690: private_child_sa_t *this, bool inbound,
! 691: time_t *time, uint64_t *bytes, uint64_t *packets)
! 692: {
! 693: if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED)
! 694: {
! 695: /* there was traffic since last update or the kernel interface
! 696: * does not support querying the number of usebytes.
! 697: */
! 698: if (time)
! 699: {
! 700: if (!update_usetime(this, inbound) && !bytes && !packets)
! 701: {
! 702: /* if policy query did not yield a usetime, query SAs instead */
! 703: update_usebytes(this, inbound);
! 704: }
! 705: }
! 706: }
! 707: if (time)
! 708: {
! 709: *time = inbound ? this->my_usetime : this->other_usetime;
! 710: }
! 711: if (bytes)
! 712: {
! 713: *bytes = inbound ? this->my_usebytes : this->other_usebytes;
! 714: }
! 715: if (packets)
! 716: {
! 717: *packets = inbound ? this->my_usepackets : this->other_usepackets;
! 718: }
! 719: }
! 720:
! 721: METHOD(child_sa_t, get_mark, mark_t,
! 722: private_child_sa_t *this, bool inbound)
! 723: {
! 724: return inbound ? this->mark_in : this->mark_out;
! 725: }
! 726:
! 727: METHOD(child_sa_t, get_if_id, uint32_t,
! 728: private_child_sa_t *this, bool inbound)
! 729: {
! 730: return inbound ? this->if_id_in : this->if_id_out;
! 731: }
! 732:
! 733: METHOD(child_sa_t, get_lifetime, time_t,
! 734: private_child_sa_t *this, bool hard)
! 735: {
! 736: return hard ? this->expire_time : this->rekey_time;
! 737: }
! 738:
! 739: METHOD(child_sa_t, get_installtime, time_t,
! 740: private_child_sa_t *this)
! 741: {
! 742: return this->install_time;
! 743: }
! 744:
! 745: METHOD(child_sa_t, alloc_spi, uint32_t,
! 746: private_child_sa_t *this, protocol_id_t protocol)
! 747: {
! 748: if (charon->kernel->get_spi(charon->kernel, this->other_addr, this->my_addr,
! 749: proto_ike2ip(protocol), &this->my_spi) == SUCCESS)
! 750: {
! 751: /* if we allocate a SPI, but then are unable to establish the SA, we
! 752: * need to know the protocol family to delete the partial SA */
! 753: this->protocol = protocol;
! 754: return this->my_spi;
! 755: }
! 756: return 0;
! 757: }
! 758:
! 759: METHOD(child_sa_t, alloc_cpi, uint16_t,
! 760: private_child_sa_t *this)
! 761: {
! 762: if (charon->kernel->get_cpi(charon->kernel, this->other_addr, this->my_addr,
! 763: &this->my_cpi) == SUCCESS)
! 764: {
! 765: return this->my_cpi;
! 766: }
! 767: return 0;
! 768: }
! 769:
! 770: /**
! 771: * Install the given SA in the kernel
! 772: */
! 773: static status_t install_internal(private_child_sa_t *this, chunk_t encr,
! 774: chunk_t integ, uint32_t spi, uint16_t cpi, bool initiator, bool inbound,
! 775: bool tfcv3)
! 776: {
! 777: uint16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
! 778: uint16_t esn = NO_EXT_SEQ_NUMBERS;
! 779: linked_list_t *my_ts, *other_ts, *src_ts, *dst_ts;
! 780: time_t now;
! 781: kernel_ipsec_sa_id_t id;
! 782: kernel_ipsec_add_sa_t sa;
! 783: lifetime_cfg_t *lifetime;
! 784: uint32_t tfc = 0;
! 785: host_t *src, *dst;
! 786: status_t status;
! 787: bool update = FALSE;
! 788:
! 789: /* BEET requires the bound address from the traffic selectors */
! 790: my_ts = linked_list_create_from_enumerator(
! 791: array_create_enumerator(this->my_ts));
! 792: other_ts = linked_list_create_from_enumerator(
! 793: array_create_enumerator(this->other_ts));
! 794:
! 795: /* now we have to decide which spi to use. Use self allocated, if "in",
! 796: * or the one in the proposal, if not "in" (others). Additionally,
! 797: * source and dest host switch depending on the role */
! 798: if (inbound)
! 799: {
! 800: dst = this->my_addr;
! 801: src = this->other_addr;
! 802: if (this->my_spi == spi)
! 803: { /* alloc_spi has been called, do an SA update */
! 804: update = TRUE;
! 805: }
! 806: this->my_spi = spi;
! 807: this->my_cpi = cpi;
! 808: dst_ts = my_ts;
! 809: src_ts = other_ts;
! 810: }
! 811: else
! 812: {
! 813: src = this->my_addr;
! 814: dst = this->other_addr;
! 815: this->other_spi = spi;
! 816: this->other_cpi = cpi;
! 817: src_ts = my_ts;
! 818: dst_ts = other_ts;
! 819:
! 820: if (tfcv3)
! 821: {
! 822: tfc = this->config->get_tfc(this->config);
! 823: }
! 824: this->outbound_state |= CHILD_OUTBOUND_SA;
! 825: }
! 826:
! 827: DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
! 828: protocol_id_names, this->protocol);
! 829:
! 830: /* send SA down to the kernel */
! 831: DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
! 832:
! 833: this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
! 834: &enc_alg, &size);
! 835: this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
! 836: &int_alg, &size);
! 837: this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
! 838: &esn, NULL);
! 839:
! 840: if (int_alg == AUTH_HMAC_SHA2_256_128 &&
! 841: this->config->has_option(this->config, OPT_SHA256_96))
! 842: {
! 843: DBG2(DBG_CHD, " using %N with 96-bit truncation",
! 844: integrity_algorithm_names, int_alg);
! 845: int_alg = AUTH_HMAC_SHA2_256_96;
! 846: }
! 847:
! 848: if (!this->reqid_allocated && !this->static_reqid)
! 849: {
! 850: status = charon->kernel->alloc_reqid(charon->kernel, my_ts, other_ts,
! 851: this->mark_in, this->mark_out, this->if_id_in,
! 852: this->if_id_out, &this->reqid);
! 853: if (status != SUCCESS)
! 854: {
! 855: my_ts->destroy(my_ts);
! 856: other_ts->destroy(other_ts);
! 857: return status;
! 858: }
! 859: this->reqid_allocated = TRUE;
! 860: }
! 861:
! 862: lifetime = this->config->get_lifetime(this->config, TRUE);
! 863:
! 864: now = time_monotonic(NULL);
! 865: if (lifetime->time.rekey)
! 866: {
! 867: if (this->rekey_time)
! 868: {
! 869: this->rekey_time = min(this->rekey_time, now + lifetime->time.rekey);
! 870: }
! 871: else
! 872: {
! 873: this->rekey_time = now + lifetime->time.rekey;
! 874: }
! 875: }
! 876: if (lifetime->time.life)
! 877: {
! 878: this->expire_time = now + lifetime->time.life;
! 879: }
! 880:
! 881: if (!lifetime->time.jitter && !inbound)
! 882: { /* avoid triggering multiple rekey events */
! 883: lifetime->time.rekey = 0;
! 884: }
! 885:
! 886: id = (kernel_ipsec_sa_id_t){
! 887: .src = src,
! 888: .dst = dst,
! 889: .spi = spi,
! 890: .proto = proto_ike2ip(this->protocol),
! 891: .mark = inbound ? mark_in_sa(this) : this->mark_out,
! 892: .if_id = inbound ? this->if_id_in : this->if_id_out,
! 893: };
! 894: sa = (kernel_ipsec_add_sa_t){
! 895: .reqid = this->reqid,
! 896: .mode = this->mode,
! 897: .src_ts = src_ts,
! 898: .dst_ts = dst_ts,
! 899: .interface = inbound ? NULL : this->config->get_interface(this->config),
! 900: .lifetime = lifetime,
! 901: .enc_alg = enc_alg,
! 902: .enc_key = encr,
! 903: .int_alg = int_alg,
! 904: .int_key = integ,
! 905: .replay_window = this->config->get_replay_window(this->config),
! 906: .tfc = tfc,
! 907: .ipcomp = this->ipcomp,
! 908: .cpi = cpi,
! 909: .encap = this->encap,
! 910: .hw_offload = this->config->get_hw_offload(this->config),
! 911: .mark = this->config->get_set_mark(this->config, inbound),
! 912: .esn = esn,
! 913: .copy_df = !this->config->has_option(this->config, OPT_NO_COPY_DF),
! 914: .copy_ecn = !this->config->has_option(this->config, OPT_NO_COPY_ECN),
! 915: .copy_dscp = this->config->get_copy_dscp(this->config),
! 916: .initiator = initiator,
! 917: .inbound = inbound,
! 918: .update = update,
! 919: };
! 920:
! 921: if (sa.mark.value == MARK_SAME)
! 922: {
! 923: sa.mark.value = inbound ? this->mark_in.value : this->mark_out.value;
! 924: }
! 925:
! 926: status = charon->kernel->add_sa(charon->kernel, &id, &sa);
! 927:
! 928: my_ts->destroy(my_ts);
! 929: other_ts->destroy(other_ts);
! 930: free(lifetime);
! 931:
! 932: return status;
! 933: }
! 934:
! 935: METHOD(child_sa_t, install, status_t,
! 936: private_child_sa_t *this, chunk_t encr, chunk_t integ, uint32_t spi,
! 937: uint16_t cpi, bool initiator, bool inbound, bool tfcv3)
! 938: {
! 939: return install_internal(this, encr, integ, spi, cpi, initiator, inbound,
! 940: tfcv3);
! 941: }
! 942:
! 943: /**
! 944: * Check kernel interface if policy updates are required
! 945: */
! 946: static bool require_policy_update()
! 947: {
! 948: kernel_feature_t f;
! 949:
! 950: f = charon->kernel->get_features(charon->kernel);
! 951: return !(f & KERNEL_NO_POLICY_UPDATES);
! 952: }
! 953:
! 954: /**
! 955: * Prepare SA config to install/delete policies
! 956: */
! 957: static void prepare_sa_cfg(private_child_sa_t *this, ipsec_sa_cfg_t *my_sa,
! 958: ipsec_sa_cfg_t *other_sa)
! 959: {
! 960: enumerator_t *enumerator;
! 961:
! 962: *my_sa = (ipsec_sa_cfg_t){
! 963: .mode = this->mode,
! 964: .reqid = this->reqid,
! 965: .ipcomp = {
! 966: .transform = this->ipcomp,
! 967: },
! 968: };
! 969: *other_sa = *my_sa;
! 970:
! 971: my_sa->ipcomp.cpi = this->my_cpi;
! 972: other_sa->ipcomp.cpi = this->other_cpi;
! 973:
! 974: if (this->protocol == PROTO_ESP)
! 975: {
! 976: my_sa->esp.use = TRUE;
! 977: my_sa->esp.spi = this->my_spi;
! 978: other_sa->esp.use = TRUE;
! 979: other_sa->esp.spi = this->other_spi;
! 980: }
! 981: else
! 982: {
! 983: my_sa->ah.use = TRUE;
! 984: my_sa->ah.spi = this->my_spi;
! 985: other_sa->ah.use = TRUE;
! 986: other_sa->ah.spi = this->other_spi;
! 987: }
! 988:
! 989: enumerator = create_policy_enumerator(this);
! 990: while (enumerator->enumerate(enumerator, NULL, NULL))
! 991: {
! 992: my_sa->policy_count++;
! 993: other_sa->policy_count++;
! 994: }
! 995: enumerator->destroy(enumerator);
! 996: }
! 997:
! 998: /**
! 999: * Install inbound policies: in, fwd
! 1000: */
! 1001: static status_t install_policies_inbound(private_child_sa_t *this,
! 1002: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1003: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1004: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1005: policy_priority_t priority, uint32_t manual_prio)
! 1006: {
! 1007: kernel_ipsec_policy_id_t in_id = {
! 1008: .dir = POLICY_IN,
! 1009: .src_ts = other_ts,
! 1010: .dst_ts = my_ts,
! 1011: .mark = this->mark_in,
! 1012: .if_id = this->if_id_in,
! 1013: };
! 1014: kernel_ipsec_manage_policy_t in_policy = {
! 1015: .type = type,
! 1016: .prio = priority,
! 1017: .manual_prio = manual_prio,
! 1018: .src = other_addr,
! 1019: .dst = my_addr,
! 1020: .sa = my_sa,
! 1021: };
! 1022: status_t status = SUCCESS;
! 1023:
! 1024: status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy);
! 1025: if (this->mode != MODE_TRANSPORT)
! 1026: {
! 1027: in_id.dir = POLICY_FWD;
! 1028: status |= charon->kernel->add_policy(charon->kernel, &in_id, &in_policy);
! 1029: }
! 1030: return status;
! 1031: }
! 1032:
! 1033: /**
! 1034: * Install outbound policies: out, [fwd]
! 1035: */
! 1036: static status_t install_policies_outbound(private_child_sa_t *this,
! 1037: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1038: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1039: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1040: policy_priority_t priority, uint32_t manual_prio)
! 1041: {
! 1042: kernel_ipsec_policy_id_t out_id = {
! 1043: .dir = POLICY_OUT,
! 1044: .src_ts = my_ts,
! 1045: .dst_ts = other_ts,
! 1046: .mark = this->mark_out,
! 1047: .if_id = this->if_id_out,
! 1048: .interface = this->config->get_interface(this->config),
! 1049: };
! 1050: kernel_ipsec_manage_policy_t out_policy = {
! 1051: .type = type,
! 1052: .prio = priority,
! 1053: .manual_prio = manual_prio,
! 1054: .src = my_addr,
! 1055: .dst = other_addr,
! 1056: .sa = other_sa,
! 1057: };
! 1058: status_t status = SUCCESS;
! 1059:
! 1060: status |= charon->kernel->add_policy(charon->kernel, &out_id, &out_policy);
! 1061:
! 1062: if (this->mode != MODE_TRANSPORT && this->policies_fwd_out)
! 1063: {
! 1064: /* install an "outbound" FWD policy in case there is a drop policy
! 1065: * matching outbound forwarded traffic, to allow another tunnel to use
! 1066: * the reversed subnets and do the same we don't set a reqid (this also
! 1067: * allows the kernel backend to distinguish between the two types of
! 1068: * FWD policies). To avoid problems with symmetrically overlapping
! 1069: * policies of two SAs we install them with reduced priority. As they
! 1070: * basically act as bypass policies for drop policies we use a higher
! 1071: * priority than is used for them. */
! 1072: out_id.dir = POLICY_FWD;
! 1073: other_sa->reqid = 0;
! 1074: if (priority == POLICY_PRIORITY_DEFAULT)
! 1075: {
! 1076: out_policy.prio = POLICY_PRIORITY_ROUTED;
! 1077: }
! 1078: status |= charon->kernel->add_policy(charon->kernel, &out_id,
! 1079: &out_policy);
! 1080: /* reset the reqid for any other further policies */
! 1081: other_sa->reqid = this->reqid;
! 1082: }
! 1083: return status;
! 1084: }
! 1085:
! 1086: /**
! 1087: * Install all policies
! 1088: */
! 1089: static status_t install_policies_internal(private_child_sa_t *this,
! 1090: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1091: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1092: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1093: policy_priority_t priority, uint32_t manual_prio, bool outbound)
! 1094: {
! 1095: status_t status = SUCCESS;
! 1096:
! 1097: status |= install_policies_inbound(this, my_addr, other_addr, my_ts,
! 1098: other_ts, my_sa, other_sa, type, priority, manual_prio);
! 1099: if (outbound)
! 1100: {
! 1101: status |= install_policies_outbound(this, my_addr, other_addr, my_ts,
! 1102: other_ts, my_sa, other_sa, type, priority, manual_prio);
! 1103: }
! 1104: return status;
! 1105: }
! 1106:
! 1107: /**
! 1108: * Delete inbound policies: in, fwd
! 1109: */
! 1110: static void del_policies_inbound(private_child_sa_t *this,
! 1111: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1112: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1113: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1114: policy_priority_t priority, uint32_t manual_prio)
! 1115: {
! 1116: kernel_ipsec_policy_id_t in_id = {
! 1117: .dir = POLICY_IN,
! 1118: .src_ts = other_ts,
! 1119: .dst_ts = my_ts,
! 1120: .mark = this->mark_in,
! 1121: .if_id = this->if_id_in,
! 1122: };
! 1123: kernel_ipsec_manage_policy_t in_policy = {
! 1124: .type = type,
! 1125: .prio = priority,
! 1126: .manual_prio = manual_prio,
! 1127: .src = other_addr,
! 1128: .dst = my_addr,
! 1129: .sa = my_sa,
! 1130: };
! 1131:
! 1132: charon->kernel->del_policy(charon->kernel, &in_id, &in_policy);
! 1133:
! 1134: if (this->mode != MODE_TRANSPORT)
! 1135: {
! 1136: in_id.dir = POLICY_FWD;
! 1137: charon->kernel->del_policy(charon->kernel, &in_id, &in_policy);
! 1138: }
! 1139: }
! 1140:
! 1141: /**
! 1142: * Delete outbound policies: out, [fwd]
! 1143: */
! 1144: static void del_policies_outbound(private_child_sa_t *this,
! 1145: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1146: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1147: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1148: policy_priority_t priority, uint32_t manual_prio)
! 1149: {
! 1150: kernel_ipsec_policy_id_t out_id = {
! 1151: .dir = POLICY_OUT,
! 1152: .src_ts = my_ts,
! 1153: .dst_ts = other_ts,
! 1154: .mark = this->mark_out,
! 1155: .if_id = this->if_id_out,
! 1156: .interface = this->config->get_interface(this->config),
! 1157: };
! 1158: kernel_ipsec_manage_policy_t out_policy = {
! 1159: .type = type,
! 1160: .prio = priority,
! 1161: .manual_prio = manual_prio,
! 1162: .src = my_addr,
! 1163: .dst = other_addr,
! 1164: .sa = other_sa,
! 1165: };
! 1166:
! 1167: charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
! 1168:
! 1169: if (this->mode != MODE_TRANSPORT && this->policies_fwd_out)
! 1170: {
! 1171: out_id.dir = POLICY_FWD;
! 1172: other_sa->reqid = 0;
! 1173: if (priority == POLICY_PRIORITY_DEFAULT)
! 1174: {
! 1175: out_policy.prio = POLICY_PRIORITY_ROUTED;
! 1176: }
! 1177: charon->kernel->del_policy(charon->kernel, &out_id, &out_policy);
! 1178: other_sa->reqid = this->reqid;
! 1179: }
! 1180: }
! 1181:
! 1182: /**
! 1183: * Delete in- and outbound policies
! 1184: */
! 1185: static void del_policies_internal(private_child_sa_t *this,
! 1186: host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
! 1187: traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
! 1188: ipsec_sa_cfg_t *other_sa, policy_type_t type,
! 1189: policy_priority_t priority, uint32_t manual_prio, bool outbound)
! 1190: {
! 1191: if (outbound)
! 1192: {
! 1193: del_policies_outbound(this, my_addr, other_addr, my_ts, other_ts, my_sa,
! 1194: other_sa, type, priority, manual_prio);
! 1195: }
! 1196: del_policies_inbound(this, my_addr, other_addr, my_ts, other_ts, my_sa,
! 1197: other_sa, type, priority, manual_prio);
! 1198: }
! 1199:
! 1200: METHOD(child_sa_t, set_policies, void,
! 1201: private_child_sa_t *this, linked_list_t *my_ts_list,
! 1202: linked_list_t *other_ts_list)
! 1203: {
! 1204: enumerator_t *enumerator;
! 1205: traffic_selector_t *my_ts, *other_ts;
! 1206:
! 1207: if (array_count(this->my_ts))
! 1208: {
! 1209: array_destroy_offset(this->my_ts,
! 1210: offsetof(traffic_selector_t, destroy));
! 1211: this->my_ts = array_create(0, 0);
! 1212: }
! 1213: enumerator = my_ts_list->create_enumerator(my_ts_list);
! 1214: while (enumerator->enumerate(enumerator, &my_ts))
! 1215: {
! 1216: array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
! 1217: }
! 1218: enumerator->destroy(enumerator);
! 1219: array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL);
! 1220:
! 1221: if (array_count(this->other_ts))
! 1222: {
! 1223: array_destroy_offset(this->other_ts,
! 1224: offsetof(traffic_selector_t, destroy));
! 1225: this->other_ts = array_create(0, 0);
! 1226: }
! 1227: enumerator = other_ts_list->create_enumerator(other_ts_list);
! 1228: while (enumerator->enumerate(enumerator, &other_ts))
! 1229: {
! 1230: array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
! 1231: }
! 1232: enumerator->destroy(enumerator);
! 1233: array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
! 1234: }
! 1235:
! 1236: METHOD(child_sa_t, install_policies, status_t,
! 1237: private_child_sa_t *this)
! 1238: {
! 1239: enumerator_t *enumerator;
! 1240: linked_list_t *my_ts_list, *other_ts_list;
! 1241: traffic_selector_t *my_ts, *other_ts;
! 1242: status_t status = SUCCESS;
! 1243: bool install_outbound = FALSE;
! 1244:
! 1245: if (!this->reqid_allocated && !this->static_reqid)
! 1246: {
! 1247: my_ts_list = linked_list_create_from_enumerator(
! 1248: array_create_enumerator(this->my_ts));
! 1249: other_ts_list = linked_list_create_from_enumerator(
! 1250: array_create_enumerator(this->other_ts));
! 1251: status = charon->kernel->alloc_reqid(
! 1252: charon->kernel, my_ts_list, other_ts_list,
! 1253: this->mark_in, this->mark_out, this->if_id_in,
! 1254: this->if_id_out, &this->reqid);
! 1255: my_ts_list->destroy(my_ts_list);
! 1256: other_ts_list->destroy(other_ts_list);
! 1257: if (status != SUCCESS)
! 1258: {
! 1259: return status;
! 1260: }
! 1261: this->reqid_allocated = TRUE;
! 1262: }
! 1263:
! 1264: if (!(this->outbound_state & CHILD_OUTBOUND_REGISTERED))
! 1265: {
! 1266: install_outbound = TRUE;
! 1267: this->outbound_state |= CHILD_OUTBOUND_POLICIES;
! 1268: }
! 1269:
! 1270: if (!this->config->has_option(this->config, OPT_NO_POLICIES))
! 1271: {
! 1272: policy_priority_t priority;
! 1273: ipsec_sa_cfg_t my_sa, other_sa;
! 1274: uint32_t manual_prio;
! 1275:
! 1276: prepare_sa_cfg(this, &my_sa, &other_sa);
! 1277: manual_prio = this->config->get_manual_prio(this->config);
! 1278:
! 1279: /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
! 1280: * entry) we install a trap policy */
! 1281: this->trap = this->state == CHILD_CREATED;
! 1282: priority = this->trap ? POLICY_PRIORITY_ROUTED
! 1283: : POLICY_PRIORITY_DEFAULT;
! 1284:
! 1285: /* enumerate pairs of traffic selectors */
! 1286: enumerator = create_policy_enumerator(this);
! 1287: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1288: {
! 1289: status |= install_policies_internal(this, this->my_addr,
! 1290: this->other_addr, my_ts, other_ts,
! 1291: &my_sa, &other_sa, POLICY_IPSEC, priority,
! 1292: manual_prio, install_outbound);
! 1293: if (status != SUCCESS)
! 1294: {
! 1295: break;
! 1296: }
! 1297: }
! 1298: enumerator->destroy(enumerator);
! 1299: }
! 1300:
! 1301: if (status == SUCCESS && this->trap)
! 1302: {
! 1303: set_state(this, CHILD_ROUTED);
! 1304: }
! 1305: return status;
! 1306: }
! 1307:
! 1308: METHOD(child_sa_t, register_outbound, status_t,
! 1309: private_child_sa_t *this, chunk_t encr, chunk_t integ, uint32_t spi,
! 1310: uint16_t cpi, bool tfcv3)
! 1311: {
! 1312: status_t status;
! 1313:
! 1314: /* if the kernel supports installing SPIs with policies we install the
! 1315: * SA immediately as it will only be used once we update the policies */
! 1316: if (charon->kernel->get_features(charon->kernel) & KERNEL_POLICY_SPI)
! 1317: {
! 1318: status = install_internal(this, encr, integ, spi, cpi, FALSE, FALSE,
! 1319: tfcv3);
! 1320: }
! 1321: else
! 1322: {
! 1323: DBG2(DBG_CHD, "registering outbound %N SA", protocol_id_names,
! 1324: this->protocol);
! 1325: DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), this->my_addr,
! 1326: this->other_addr);
! 1327:
! 1328: this->other_spi = spi;
! 1329: this->other_cpi = cpi;
! 1330: this->encr_r = chunk_clone(encr);
! 1331: this->integ_r = chunk_clone(integ);
! 1332: this->tfcv3 = tfcv3;
! 1333: status = SUCCESS;
! 1334: }
! 1335: this->outbound_state |= CHILD_OUTBOUND_REGISTERED;
! 1336: return status;
! 1337: }
! 1338:
! 1339: METHOD(child_sa_t, install_outbound, status_t,
! 1340: private_child_sa_t *this)
! 1341: {
! 1342: enumerator_t *enumerator;
! 1343: traffic_selector_t *my_ts, *other_ts;
! 1344: status_t status = SUCCESS;
! 1345:
! 1346: if (!(this->outbound_state & CHILD_OUTBOUND_SA))
! 1347: {
! 1348: status = install_internal(this, this->encr_r, this->integ_r,
! 1349: this->other_spi, this->other_cpi, FALSE,
! 1350: FALSE, this->tfcv3);
! 1351: chunk_clear(&this->encr_r);
! 1352: chunk_clear(&this->integ_r);
! 1353: }
! 1354: this->outbound_state &= ~CHILD_OUTBOUND_REGISTERED;
! 1355: if (status != SUCCESS)
! 1356: {
! 1357: return status;
! 1358: }
! 1359: if (!this->config->has_option(this->config, OPT_NO_POLICIES) &&
! 1360: !(this->outbound_state & CHILD_OUTBOUND_POLICIES))
! 1361: {
! 1362: ipsec_sa_cfg_t my_sa, other_sa;
! 1363: uint32_t manual_prio;
! 1364:
! 1365: prepare_sa_cfg(this, &my_sa, &other_sa);
! 1366: manual_prio = this->config->get_manual_prio(this->config);
! 1367:
! 1368: enumerator = create_policy_enumerator(this);
! 1369: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1370: {
! 1371: status |= install_policies_outbound(this, this->my_addr,
! 1372: this->other_addr, my_ts, other_ts,
! 1373: &my_sa, &other_sa, POLICY_IPSEC,
! 1374: POLICY_PRIORITY_DEFAULT, manual_prio);
! 1375: if (status != SUCCESS)
! 1376: {
! 1377: break;
! 1378: }
! 1379: }
! 1380: enumerator->destroy(enumerator);
! 1381: }
! 1382: this->outbound_state |= CHILD_OUTBOUND_POLICIES;
! 1383: return status;
! 1384: }
! 1385:
! 1386: METHOD(child_sa_t, remove_outbound, void,
! 1387: private_child_sa_t *this)
! 1388: {
! 1389: enumerator_t *enumerator;
! 1390: traffic_selector_t *my_ts, *other_ts;
! 1391:
! 1392: if (!(this->outbound_state & CHILD_OUTBOUND_SA))
! 1393: {
! 1394: if (this->outbound_state & CHILD_OUTBOUND_REGISTERED)
! 1395: {
! 1396: chunk_clear(&this->encr_r);
! 1397: chunk_clear(&this->integ_r);
! 1398: this->outbound_state = CHILD_OUTBOUND_NONE;
! 1399: }
! 1400: return;
! 1401: }
! 1402:
! 1403: if (!this->config->has_option(this->config, OPT_NO_POLICIES) &&
! 1404: (this->outbound_state & CHILD_OUTBOUND_POLICIES))
! 1405: {
! 1406: ipsec_sa_cfg_t my_sa, other_sa;
! 1407: uint32_t manual_prio;
! 1408:
! 1409: prepare_sa_cfg(this, &my_sa, &other_sa);
! 1410: manual_prio = this->config->get_manual_prio(this->config);
! 1411:
! 1412: enumerator = create_policy_enumerator(this);
! 1413: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1414: {
! 1415: del_policies_outbound(this, this->my_addr, this->other_addr,
! 1416: my_ts, other_ts, &my_sa, &other_sa,
! 1417: POLICY_IPSEC, POLICY_PRIORITY_DEFAULT,
! 1418: manual_prio);
! 1419: }
! 1420: enumerator->destroy(enumerator);
! 1421: }
! 1422:
! 1423: kernel_ipsec_sa_id_t id = {
! 1424: .src = this->my_addr,
! 1425: .dst = this->other_addr,
! 1426: .spi = this->other_spi,
! 1427: .proto = proto_ike2ip(this->protocol),
! 1428: .mark = this->mark_out,
! 1429: .if_id = this->if_id_out,
! 1430: };
! 1431: kernel_ipsec_del_sa_t sa = {
! 1432: .cpi = this->other_cpi,
! 1433: };
! 1434: charon->kernel->del_sa(charon->kernel, &id, &sa);
! 1435: this->outbound_state = CHILD_OUTBOUND_NONE;
! 1436: }
! 1437:
! 1438: METHOD(child_sa_t, set_rekey_spi, void,
! 1439: private_child_sa_t *this, uint32_t spi)
! 1440: {
! 1441: this->rekey_spi = spi;
! 1442: }
! 1443:
! 1444: METHOD(child_sa_t, get_rekey_spi, uint32_t,
! 1445: private_child_sa_t *this)
! 1446: {
! 1447: return this->rekey_spi;
! 1448: }
! 1449:
! 1450: CALLBACK(reinstall_vip, void,
! 1451: host_t *vip, va_list args)
! 1452: {
! 1453: host_t *me;
! 1454: char *iface;
! 1455:
! 1456: VA_ARGS_VGET(args, me);
! 1457: if (charon->kernel->get_interface(charon->kernel, me, &iface))
! 1458: {
! 1459: charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
! 1460: charon->kernel->add_ip(charon->kernel, vip, -1, iface);
! 1461: free(iface);
! 1462: }
! 1463: }
! 1464:
! 1465: /**
! 1466: * Update addresses and encap state of IPsec SAs in the kernel
! 1467: */
! 1468: static status_t update_sas(private_child_sa_t *this, host_t *me, host_t *other,
! 1469: bool encap)
! 1470: {
! 1471: /* update our (initiator) SA */
! 1472: if (this->my_spi)
! 1473: {
! 1474: kernel_ipsec_sa_id_t id = {
! 1475: .src = this->other_addr,
! 1476: .dst = this->my_addr,
! 1477: .spi = this->my_spi,
! 1478: .proto = proto_ike2ip(this->protocol),
! 1479: .mark = mark_in_sa(this),
! 1480: .if_id = this->if_id_in,
! 1481: };
! 1482: kernel_ipsec_update_sa_t sa = {
! 1483: .cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
! 1484: .new_src = other,
! 1485: .new_dst = me,
! 1486: .encap = this->encap,
! 1487: .new_encap = encap,
! 1488: };
! 1489: if (charon->kernel->update_sa(charon->kernel, &id,
! 1490: &sa) == NOT_SUPPORTED)
! 1491: {
! 1492: return NOT_SUPPORTED;
! 1493: }
! 1494: }
! 1495:
! 1496: /* update his (responder) SA */
! 1497: if (this->other_spi && (this->outbound_state & CHILD_OUTBOUND_SA))
! 1498: {
! 1499: kernel_ipsec_sa_id_t id = {
! 1500: .src = this->my_addr,
! 1501: .dst = this->other_addr,
! 1502: .spi = this->other_spi,
! 1503: .proto = proto_ike2ip(this->protocol),
! 1504: .mark = this->mark_out,
! 1505: .if_id = this->if_id_out,
! 1506: };
! 1507: kernel_ipsec_update_sa_t sa = {
! 1508: .cpi = this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
! 1509: .new_src = me,
! 1510: .new_dst = other,
! 1511: .encap = this->encap,
! 1512: .new_encap = encap,
! 1513: };
! 1514: if (charon->kernel->update_sa(charon->kernel, &id,
! 1515: &sa) == NOT_SUPPORTED)
! 1516: {
! 1517: return NOT_SUPPORTED;
! 1518: }
! 1519: }
! 1520: /* we currently ignore the actual return values above */
! 1521: return SUCCESS;
! 1522: }
! 1523:
! 1524: METHOD(child_sa_t, update, status_t,
! 1525: private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips,
! 1526: bool encap)
! 1527: {
! 1528: child_sa_state_t old;
! 1529: bool transport_proxy_mode;
! 1530:
! 1531: /* anything changed at all? */
! 1532: if (me->equals(me, this->my_addr) &&
! 1533: other->equals(other, this->other_addr) && this->encap == encap)
! 1534: {
! 1535: return SUCCESS;
! 1536: }
! 1537:
! 1538: old = this->state;
! 1539: set_state(this, CHILD_UPDATING);
! 1540: transport_proxy_mode = this->mode == MODE_TRANSPORT &&
! 1541: this->config->has_option(this->config,
! 1542: OPT_PROXY_MODE);
! 1543:
! 1544: if (!this->config->has_option(this->config, OPT_NO_POLICIES) &&
! 1545: require_policy_update())
! 1546: {
! 1547: ipsec_sa_cfg_t my_sa, other_sa;
! 1548: enumerator_t *enumerator;
! 1549: traffic_selector_t *my_ts, *other_ts;
! 1550: uint32_t manual_prio;
! 1551: status_t state;
! 1552: bool outbound;
! 1553:
! 1554: prepare_sa_cfg(this, &my_sa, &other_sa);
! 1555: manual_prio = this->config->get_manual_prio(this->config);
! 1556: outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES);
! 1557:
! 1558: enumerator = create_policy_enumerator(this);
! 1559: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1560: {
! 1561: /* install drop policy to avoid traffic leaks, acquires etc. */
! 1562: if (outbound)
! 1563: {
! 1564: install_policies_outbound(this, this->my_addr, this->other_addr,
! 1565: my_ts, other_ts, &my_sa, &other_sa, POLICY_DROP,
! 1566: POLICY_PRIORITY_DEFAULT, manual_prio);
! 1567: }
! 1568: /* remove old policies */
! 1569: del_policies_internal(this, this->my_addr, this->other_addr,
! 1570: my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
! 1571: POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
! 1572: }
! 1573: enumerator->destroy(enumerator);
! 1574:
! 1575: /* update the IPsec SAs */
! 1576: state = update_sas(this, me, other, encap);
! 1577:
! 1578: enumerator = create_policy_enumerator(this);
! 1579: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1580: {
! 1581: traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
! 1582:
! 1583: /* reinstall the previous policies if we can't update the SAs */
! 1584: if (state == NOT_SUPPORTED)
! 1585: {
! 1586: install_policies_internal(this, this->my_addr, this->other_addr,
! 1587: my_ts, other_ts, &my_sa, &other_sa, POLICY_IPSEC,
! 1588: POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
! 1589: }
! 1590: else
! 1591: {
! 1592: /* check if we have to update a "dynamic" traffic selector */
! 1593: if (!me->ip_equals(me, this->my_addr) &&
! 1594: my_ts->is_host(my_ts, this->my_addr))
! 1595: {
! 1596: old_my_ts = my_ts->clone(my_ts);
! 1597: my_ts->set_address(my_ts, me);
! 1598: }
! 1599: if (!other->ip_equals(other, this->other_addr) &&
! 1600: other_ts->is_host(other_ts, this->other_addr))
! 1601: {
! 1602: old_other_ts = other_ts->clone(other_ts);
! 1603: other_ts->set_address(other_ts, other);
! 1604: }
! 1605:
! 1606: /* we reinstall the virtual IP to handle interface roaming
! 1607: * correctly */
! 1608: vips->invoke_function(vips, reinstall_vip, me);
! 1609:
! 1610: /* reinstall updated policies */
! 1611: install_policies_internal(this, me, other, my_ts, other_ts,
! 1612: &my_sa, &other_sa, POLICY_IPSEC,
! 1613: POLICY_PRIORITY_DEFAULT, manual_prio, outbound);
! 1614: }
! 1615: /* remove the drop policy */
! 1616: if (outbound)
! 1617: {
! 1618: del_policies_outbound(this, this->my_addr, this->other_addr,
! 1619: old_my_ts ?: my_ts, old_other_ts ?: other_ts,
! 1620: &my_sa, &other_sa, POLICY_DROP,
! 1621: POLICY_PRIORITY_DEFAULT, manual_prio);
! 1622: }
! 1623:
! 1624: DESTROY_IF(old_my_ts);
! 1625: DESTROY_IF(old_other_ts);
! 1626: }
! 1627: enumerator->destroy(enumerator);
! 1628:
! 1629: if (state == NOT_SUPPORTED)
! 1630: {
! 1631: set_state(this, old);
! 1632: return NOT_SUPPORTED;
! 1633: }
! 1634:
! 1635: }
! 1636: else if (!transport_proxy_mode)
! 1637: {
! 1638: if (update_sas(this, me, other, encap) == NOT_SUPPORTED)
! 1639: {
! 1640: set_state(this, old);
! 1641: return NOT_SUPPORTED;
! 1642: }
! 1643: }
! 1644:
! 1645: if (!transport_proxy_mode)
! 1646: {
! 1647: /* apply hosts */
! 1648: if (!me->equals(me, this->my_addr))
! 1649: {
! 1650: this->my_addr->destroy(this->my_addr);
! 1651: this->my_addr = me->clone(me);
! 1652: }
! 1653: if (!other->equals(other, this->other_addr))
! 1654: {
! 1655: this->other_addr->destroy(this->other_addr);
! 1656: this->other_addr = other->clone(other);
! 1657: }
! 1658: }
! 1659:
! 1660: this->encap = encap;
! 1661: set_state(this, old);
! 1662:
! 1663: return SUCCESS;
! 1664: }
! 1665:
! 1666: METHOD(child_sa_t, destroy, void,
! 1667: private_child_sa_t *this)
! 1668: {
! 1669: enumerator_t *enumerator;
! 1670: traffic_selector_t *my_ts, *other_ts;
! 1671: policy_priority_t priority;
! 1672:
! 1673: priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;
! 1674:
! 1675: set_state(this, CHILD_DESTROYING);
! 1676:
! 1677: if (!this->config->has_option(this->config, OPT_NO_POLICIES))
! 1678: {
! 1679: ipsec_sa_cfg_t my_sa, other_sa;
! 1680: uint32_t manual_prio;
! 1681: bool del_outbound;
! 1682:
! 1683: prepare_sa_cfg(this, &my_sa, &other_sa);
! 1684: manual_prio = this->config->get_manual_prio(this->config);
! 1685: del_outbound = (this->outbound_state & CHILD_OUTBOUND_POLICIES) ||
! 1686: this->trap;
! 1687:
! 1688: /* delete all policies in the kernel */
! 1689: enumerator = create_policy_enumerator(this);
! 1690: while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
! 1691: {
! 1692: del_policies_internal(this, this->my_addr,
! 1693: this->other_addr, my_ts, other_ts, &my_sa, &other_sa,
! 1694: POLICY_IPSEC, priority, manual_prio, del_outbound);
! 1695: }
! 1696: enumerator->destroy(enumerator);
! 1697: }
! 1698:
! 1699: /* delete SAs in the kernel, if they are set up */
! 1700: if (this->my_spi)
! 1701: {
! 1702: kernel_ipsec_sa_id_t id = {
! 1703: .src = this->other_addr,
! 1704: .dst = this->my_addr,
! 1705: .spi = this->my_spi,
! 1706: .proto = proto_ike2ip(this->protocol),
! 1707: .mark = mark_in_sa(this),
! 1708: .if_id = this->if_id_in,
! 1709: };
! 1710: kernel_ipsec_del_sa_t sa = {
! 1711: .cpi = this->my_cpi,
! 1712: };
! 1713: charon->kernel->del_sa(charon->kernel, &id, &sa);
! 1714: }
! 1715: if (this->other_spi && (this->outbound_state & CHILD_OUTBOUND_SA))
! 1716: {
! 1717: kernel_ipsec_sa_id_t id = {
! 1718: .src = this->my_addr,
! 1719: .dst = this->other_addr,
! 1720: .spi = this->other_spi,
! 1721: .proto = proto_ike2ip(this->protocol),
! 1722: .mark = this->mark_out,
! 1723: .if_id = this->if_id_out,
! 1724: };
! 1725: kernel_ipsec_del_sa_t sa = {
! 1726: .cpi = this->other_cpi,
! 1727: };
! 1728: charon->kernel->del_sa(charon->kernel, &id, &sa);
! 1729: }
! 1730:
! 1731: if (this->reqid_allocated)
! 1732: {
! 1733: if (charon->kernel->release_reqid(charon->kernel,
! 1734: this->reqid, this->mark_in, this->mark_out,
! 1735: this->if_id_in, this->if_id_out) != SUCCESS)
! 1736: {
! 1737: DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
! 1738: }
! 1739: }
! 1740:
! 1741: array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
! 1742: array_destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
! 1743: this->my_addr->destroy(this->my_addr);
! 1744: this->other_addr->destroy(this->other_addr);
! 1745: DESTROY_IF(this->proposal);
! 1746: this->config->destroy(this->config);
! 1747: chunk_clear(&this->encr_r);
! 1748: chunk_clear(&this->integ_r);
! 1749: free(this);
! 1750: }
! 1751:
! 1752: /**
! 1753: * Get proxy address for one side, if any
! 1754: */
! 1755: static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
! 1756: {
! 1757: host_t *host = NULL;
! 1758: uint8_t mask;
! 1759: enumerator_t *enumerator;
! 1760: linked_list_t *ts_list, *list;
! 1761: traffic_selector_t *ts;
! 1762:
! 1763: list = linked_list_create_with_items(ike, NULL);
! 1764: ts_list = config->get_traffic_selectors(config, local, NULL, list, FALSE);
! 1765: list->destroy(list);
! 1766:
! 1767: enumerator = ts_list->create_enumerator(ts_list);
! 1768: while (enumerator->enumerate(enumerator, &ts))
! 1769: {
! 1770: if (ts->is_host(ts, NULL) && ts->to_subnet(ts, &host, &mask))
! 1771: {
! 1772: DBG1(DBG_CHD, "%s address: %H is a transport mode proxy for %H",
! 1773: local ? "my" : "other", ike, host);
! 1774: break;
! 1775: }
! 1776: }
! 1777: enumerator->destroy(enumerator);
! 1778: ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
! 1779:
! 1780: if (!host)
! 1781: {
! 1782: host = ike->clone(ike);
! 1783: }
! 1784: return host;
! 1785: }
! 1786:
! 1787: /*
! 1788: * Described in header
! 1789: */
! 1790: child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
! 1791: child_sa_create_t *data)
! 1792: {
! 1793: private_child_sa_t *this;
! 1794: static refcount_t unique_id = 0, unique_mark = 0;
! 1795:
! 1796: INIT(this,
! 1797: .public = {
! 1798: .get_name = _get_name,
! 1799: .get_reqid = _get_reqid,
! 1800: .get_unique_id = _get_unique_id,
! 1801: .get_config = _get_config,
! 1802: .get_state = _get_state,
! 1803: .set_state = _set_state,
! 1804: .get_outbound_state = _get_outbound_state,
! 1805: .get_spi = _get_spi,
! 1806: .get_cpi = _get_cpi,
! 1807: .get_protocol = _get_protocol,
! 1808: .set_protocol = _set_protocol,
! 1809: .get_mode = _get_mode,
! 1810: .set_mode = _set_mode,
! 1811: .get_proposal = _get_proposal,
! 1812: .set_proposal = _set_proposal,
! 1813: .get_lifetime = _get_lifetime,
! 1814: .get_installtime = _get_installtime,
! 1815: .get_usestats = _get_usestats,
! 1816: .get_mark = _get_mark,
! 1817: .get_if_id = _get_if_id,
! 1818: .has_encap = _has_encap,
! 1819: .get_ipcomp = _get_ipcomp,
! 1820: .set_ipcomp = _set_ipcomp,
! 1821: .get_close_action = _get_close_action,
! 1822: .set_close_action = _set_close_action,
! 1823: .get_dpd_action = _get_dpd_action,
! 1824: .set_dpd_action = _set_dpd_action,
! 1825: .alloc_spi = _alloc_spi,
! 1826: .alloc_cpi = _alloc_cpi,
! 1827: .install = _install,
! 1828: .register_outbound = _register_outbound,
! 1829: .install_outbound = _install_outbound,
! 1830: .remove_outbound = _remove_outbound,
! 1831: .set_rekey_spi = _set_rekey_spi,
! 1832: .get_rekey_spi = _get_rekey_spi,
! 1833: .update = _update,
! 1834: .set_policies = _set_policies,
! 1835: .install_policies = _install_policies,
! 1836: .create_ts_enumerator = _create_ts_enumerator,
! 1837: .create_policy_enumerator = _create_policy_enumerator,
! 1838: .destroy = _destroy,
! 1839: },
! 1840: .encap = data->encap,
! 1841: .ipcomp = IPCOMP_NONE,
! 1842: .state = CHILD_CREATED,
! 1843: .my_ts = array_create(0, 0),
! 1844: .other_ts = array_create(0, 0),
! 1845: .protocol = PROTO_NONE,
! 1846: .mode = MODE_TUNNEL,
! 1847: .close_action = config->get_close_action(config),
! 1848: .dpd_action = config->get_dpd_action(config),
! 1849: .reqid = config->get_reqid(config),
! 1850: .unique_id = ref_get(&unique_id),
! 1851: .mark_in = config->get_mark(config, TRUE),
! 1852: .mark_out = config->get_mark(config, FALSE),
! 1853: .if_id_in = config->get_if_id(config, TRUE) ?: data->if_id_in_def,
! 1854: .if_id_out = config->get_if_id(config, FALSE) ?: data->if_id_out_def,
! 1855: .install_time = time_monotonic(NULL),
! 1856: .policies_fwd_out = config->has_option(config, OPT_FWD_OUT_POLICIES),
! 1857: );
! 1858:
! 1859: this->config = config;
! 1860: config->get_ref(config);
! 1861:
! 1862: if (data->mark_in)
! 1863: {
! 1864: this->mark_in.value = data->mark_in;
! 1865: }
! 1866: if (data->mark_out)
! 1867: {
! 1868: this->mark_out.value = data->mark_out;
! 1869: }
! 1870: if (data->if_id_in)
! 1871: {
! 1872: this->if_id_in = data->if_id_in;
! 1873: }
! 1874: if (data->if_id_out)
! 1875: {
! 1876: this->if_id_out = data->if_id_out;
! 1877: }
! 1878:
! 1879: allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
! 1880:
! 1881: if (MARK_IS_UNIQUE(this->mark_in.value) ||
! 1882: MARK_IS_UNIQUE(this->mark_out.value))
! 1883: {
! 1884: refcount_t mark = 0;
! 1885: bool unique_dir = this->mark_in.value == MARK_UNIQUE_DIR ||
! 1886: this->mark_out.value == MARK_UNIQUE_DIR;
! 1887:
! 1888: if (!unique_dir)
! 1889: {
! 1890: mark = ref_get(&unique_mark);
! 1891: }
! 1892: if (MARK_IS_UNIQUE(this->mark_in.value))
! 1893: {
! 1894: this->mark_in.value = unique_dir ? ref_get(&unique_mark) : mark;
! 1895: }
! 1896: if (MARK_IS_UNIQUE(this->mark_out.value))
! 1897: {
! 1898: this->mark_out.value = unique_dir ? ref_get(&unique_mark) : mark;
! 1899: }
! 1900: }
! 1901:
! 1902: if (!this->reqid)
! 1903: {
! 1904: /* reuse old reqid if we are rekeying an existing CHILD_SA and when
! 1905: * initiating a trap policy. While the reqid cache would find the same
! 1906: * reqid for our selectors, this does not work in a special case: If an
! 1907: * SA is triggered by a trap policy, but the negotiated TS get
! 1908: * narrowed, we still must reuse the same reqid to successfully
! 1909: * replace the temporary SA on the kernel level. Rekeying such an SA
! 1910: * requires an explicit reqid, as the cache currently knows the original
! 1911: * selectors only for that reqid. */
! 1912: this->reqid = data->reqid;
! 1913: }
! 1914: else
! 1915: {
! 1916: this->static_reqid = TRUE;
! 1917: }
! 1918:
! 1919: /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
! 1920: if (config->get_mode(config) == MODE_TRANSPORT &&
! 1921: config->has_option(config, OPT_PROXY_MODE))
! 1922: {
! 1923: this->mode = MODE_TRANSPORT;
! 1924:
! 1925: this->my_addr = get_proxy_addr(config, me, TRUE);
! 1926: this->other_addr = get_proxy_addr(config, other, FALSE);
! 1927: }
! 1928: else
! 1929: {
! 1930: this->my_addr = me->clone(me);
! 1931: this->other_addr = other->clone(other);
! 1932: }
! 1933: return &this->public;
! 1934: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to child_sa.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa