Annotation of embedaddon/strongswan/src/libipsec/ipsec_sa_mgr.c, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2012-2017 Tobias Brunner
! 3: * Copyright (C) 2012 Giuliano Grassi
! 4: * Copyright (C) 2012 Ralf Sager
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: #include "ipsec.h"
! 19: #include "ipsec_sa_mgr.h"
! 20:
! 21: #include <utils/debug.h>
! 22: #include <library.h>
! 23: #include <processing/jobs/callback_job.h>
! 24: #include <threading/condvar.h>
! 25: #include <threading/mutex.h>
! 26: #include <collections/hashtable.h>
! 27: #include <collections/linked_list.h>
! 28:
! 29: typedef struct private_ipsec_sa_mgr_t private_ipsec_sa_mgr_t;
! 30:
! 31: /**
! 32: * Private additions to ipsec_sa_mgr_t.
! 33: */
! 34: struct private_ipsec_sa_mgr_t {
! 35:
! 36: /**
! 37: * Public members of ipsec_sa_mgr_t.
! 38: */
! 39: ipsec_sa_mgr_t public;
! 40:
! 41: /**
! 42: * Installed SAs
! 43: */
! 44: linked_list_t *sas;
! 45:
! 46: /**
! 47: * SPIs allocated using get_spi()
! 48: */
! 49: hashtable_t *allocated_spis;
! 50:
! 51: /**
! 52: * Mutex used to synchronize access to the SA manager
! 53: */
! 54: mutex_t *mutex;
! 55:
! 56: /**
! 57: * RNG used to generate SPIs
! 58: */
! 59: rng_t *rng;
! 60: };
! 61:
! 62: /**
! 63: * Struct to keep track of locked IPsec SAs
! 64: */
! 65: typedef struct {
! 66:
! 67: /**
! 68: * IPsec SA
! 69: */
! 70: ipsec_sa_t *sa;
! 71:
! 72: /**
! 73: * Set if this SA is currently in use by a thread
! 74: */
! 75: bool locked;
! 76:
! 77: /**
! 78: * Condvar used by threads to wait for this entry
! 79: */
! 80: condvar_t *condvar;
! 81:
! 82: /**
! 83: * Number of threads waiting for this entry
! 84: */
! 85: u_int waiting_threads;
! 86:
! 87: /**
! 88: * Set if this entry is awaiting deletion
! 89: */
! 90: bool awaits_deletion;
! 91:
! 92: } ipsec_sa_entry_t;
! 93:
! 94: /**
! 95: * Helper struct for expiration events
! 96: */
! 97: typedef struct {
! 98:
! 99: /**
! 100: * IPsec SA manager
! 101: */
! 102: private_ipsec_sa_mgr_t *manager;
! 103:
! 104: /**
! 105: * Entry that expired
! 106: */
! 107: ipsec_sa_entry_t *entry;
! 108:
! 109: /**
! 110: * SPI of the expired entry
! 111: */
! 112: uint32_t spi;
! 113:
! 114: /**
! 115: * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
! 116: */
! 117: uint32_t hard_offset;
! 118:
! 119: } ipsec_sa_expired_t;
! 120:
! 121: /*
! 122: * Used for the hash table of allocated SPIs
! 123: */
! 124: static bool spi_equals(uint32_t *spi, uint32_t *other_spi)
! 125: {
! 126: return *spi == *other_spi;
! 127: }
! 128:
! 129: static u_int spi_hash(uint32_t *spi)
! 130: {
! 131: return chunk_hash(chunk_from_thing(*spi));
! 132: }
! 133:
! 134: /**
! 135: * Create an SA entry
! 136: */
! 137: static ipsec_sa_entry_t *create_entry(ipsec_sa_t *sa)
! 138: {
! 139: ipsec_sa_entry_t *this;
! 140:
! 141: INIT(this,
! 142: .condvar = condvar_create(CONDVAR_TYPE_DEFAULT),
! 143: .sa = sa,
! 144: );
! 145: return this;
! 146: }
! 147:
! 148: /**
! 149: * Destroy an SA entry
! 150: */
! 151: static void destroy_entry(ipsec_sa_entry_t *entry)
! 152: {
! 153: entry->condvar->destroy(entry->condvar);
! 154: entry->sa->destroy(entry->sa);
! 155: free(entry);
! 156: }
! 157:
! 158: /**
! 159: * Makes sure an entry is safe to remove
! 160: * Must be called with this->mutex held.
! 161: *
! 162: * @return TRUE if entry can be removed, FALSE if entry is already
! 163: * being removed by another thread
! 164: */
! 165: static bool wait_remove_entry(private_ipsec_sa_mgr_t *this,
! 166: ipsec_sa_entry_t *entry)
! 167: {
! 168: if (entry->awaits_deletion)
! 169: {
! 170: /* this will be deleted by another thread already */
! 171: return FALSE;
! 172: }
! 173: entry->awaits_deletion = TRUE;
! 174: while (entry->locked)
! 175: {
! 176: entry->condvar->wait(entry->condvar, this->mutex);
! 177: }
! 178: while (entry->waiting_threads > 0)
! 179: {
! 180: entry->condvar->broadcast(entry->condvar);
! 181: entry->condvar->wait(entry->condvar, this->mutex);
! 182: }
! 183: return TRUE;
! 184: }
! 185:
! 186: /**
! 187: * Waits until an is available and then locks it.
! 188: * Must only be called with this->mutex held
! 189: */
! 190: static bool wait_for_entry(private_ipsec_sa_mgr_t *this,
! 191: ipsec_sa_entry_t *entry)
! 192: {
! 193: while (entry->locked && !entry->awaits_deletion)
! 194: {
! 195: entry->waiting_threads++;
! 196: entry->condvar->wait(entry->condvar, this->mutex);
! 197: entry->waiting_threads--;
! 198: }
! 199: if (entry->awaits_deletion)
! 200: {
! 201: /* others may still be waiting, */
! 202: entry->condvar->signal(entry->condvar);
! 203: return FALSE;
! 204: }
! 205: entry->locked = TRUE;
! 206: return TRUE;
! 207: }
! 208:
! 209: /**
! 210: * Flushes all entries
! 211: * Must be called with this->mutex held.
! 212: */
! 213: static void flush_entries(private_ipsec_sa_mgr_t *this)
! 214: {
! 215: ipsec_sa_entry_t *current;
! 216: enumerator_t *enumerator;
! 217:
! 218: DBG2(DBG_ESP, "flushing SAD");
! 219:
! 220: enumerator = this->sas->create_enumerator(this->sas);
! 221: while (enumerator->enumerate(enumerator, (void**)¤t))
! 222: {
! 223: if (wait_remove_entry(this, current))
! 224: {
! 225: this->sas->remove_at(this->sas, enumerator);
! 226: destroy_entry(current);
! 227: }
! 228: }
! 229: enumerator->destroy(enumerator);
! 230: }
! 231:
! 232: CALLBACK(match_entry_by_sa_ptr, bool,
! 233: ipsec_sa_entry_t *item, va_list args)
! 234: {
! 235: ipsec_sa_t *sa;
! 236:
! 237: VA_ARGS_VGET(args, sa);
! 238: return item->sa == sa;
! 239: }
! 240:
! 241: CALLBACK(match_entry_by_spi_inbound, bool,
! 242: ipsec_sa_entry_t *item, va_list args)
! 243: {
! 244: uint32_t spi;
! 245: int inbound;
! 246:
! 247: VA_ARGS_VGET(args, spi, inbound);
! 248: return item->sa->get_spi(item->sa) == spi &&
! 249: item->sa->is_inbound(item->sa) == inbound;
! 250: }
! 251:
! 252: static bool match_entry_by_spi_src_dst(ipsec_sa_entry_t *item, uint32_t spi,
! 253: host_t *src, host_t *dst)
! 254: {
! 255: return item->sa->match_by_spi_src_dst(item->sa, spi, src, dst);
! 256: }
! 257:
! 258: CALLBACK(match_entry_by_spi_src_dst_cb, bool,
! 259: ipsec_sa_entry_t *item, va_list args)
! 260: {
! 261: host_t *src, *dst;
! 262: uint32_t spi;
! 263:
! 264: VA_ARGS_VGET(args, spi, src, dst);
! 265: return match_entry_by_spi_src_dst(item, spi, src, dst);
! 266: }
! 267:
! 268: CALLBACK(match_entry_by_reqid_inbound, bool,
! 269: ipsec_sa_entry_t *item, va_list args)
! 270: {
! 271: uint32_t reqid;
! 272: int inbound;
! 273:
! 274: VA_ARGS_VGET(args, reqid, inbound);
! 275: return item->sa->match_by_reqid(item->sa, reqid, inbound);
! 276: }
! 277:
! 278: CALLBACK(match_entry_by_spi_dst, bool,
! 279: ipsec_sa_entry_t *item, va_list args)
! 280: {
! 281: host_t *dst;
! 282: uint32_t spi;
! 283:
! 284: VA_ARGS_VGET(args, spi, dst);
! 285: return item->sa->match_by_spi_dst(item->sa, spi, dst);
! 286: }
! 287:
! 288: /**
! 289: * Remove an entry
! 290: */
! 291: static bool remove_entry(private_ipsec_sa_mgr_t *this, ipsec_sa_entry_t *entry)
! 292: {
! 293: ipsec_sa_entry_t *current;
! 294: enumerator_t *enumerator;
! 295: bool removed = FALSE;
! 296:
! 297: enumerator = this->sas->create_enumerator(this->sas);
! 298: while (enumerator->enumerate(enumerator, (void**)¤t))
! 299: {
! 300: if (current == entry)
! 301: {
! 302: if (wait_remove_entry(this, current))
! 303: {
! 304: this->sas->remove_at(this->sas, enumerator);
! 305: removed = TRUE;
! 306: }
! 307: break;
! 308: }
! 309: }
! 310: enumerator->destroy(enumerator);
! 311: return removed;
! 312: }
! 313:
! 314: /**
! 315: * Callback for expiration events
! 316: */
! 317: static job_requeue_t sa_expired(ipsec_sa_expired_t *expired)
! 318: {
! 319: private_ipsec_sa_mgr_t *this = expired->manager;
! 320:
! 321: this->mutex->lock(this->mutex);
! 322: if (this->sas->find_first(this->sas, NULL, (void**)&expired->entry) &&
! 323: expired->spi == expired->entry->sa->get_spi(expired->entry->sa))
! 324: { /* only if we find the right SA at this pointer location */
! 325: uint32_t hard_offset;
! 326:
! 327: hard_offset = expired->hard_offset;
! 328: expired->entry->sa->expire(expired->entry->sa, hard_offset == 0);
! 329: if (hard_offset)
! 330: { /* soft limit reached, schedule hard expire */
! 331: expired->hard_offset = 0;
! 332: this->mutex->unlock(this->mutex);
! 333: return JOB_RESCHEDULE(hard_offset);
! 334: }
! 335: /* hard limit reached */
! 336: if (remove_entry(this, expired->entry))
! 337: {
! 338: destroy_entry(expired->entry);
! 339: }
! 340: }
! 341: this->mutex->unlock(this->mutex);
! 342: return JOB_REQUEUE_NONE;
! 343: }
! 344:
! 345: /**
! 346: * Schedule a job to handle IPsec SA expiration
! 347: */
! 348: static void schedule_expiration(private_ipsec_sa_mgr_t *this,
! 349: ipsec_sa_entry_t *entry)
! 350: {
! 351: lifetime_cfg_t *lifetime = entry->sa->get_lifetime(entry->sa);
! 352: ipsec_sa_expired_t *expired;
! 353: callback_job_t *job;
! 354: uint32_t timeout;
! 355:
! 356: if (!lifetime->time.life)
! 357: { /* no expiration at all */
! 358: return;
! 359: }
! 360:
! 361: INIT(expired,
! 362: .manager = this,
! 363: .entry = entry,
! 364: .spi = entry->sa->get_spi(entry->sa),
! 365: );
! 366:
! 367: /* schedule a rekey first, a hard timeout will be scheduled then, if any */
! 368: expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
! 369: timeout = lifetime->time.rekey;
! 370:
! 371: if (lifetime->time.life <= lifetime->time.rekey ||
! 372: lifetime->time.rekey == 0)
! 373: { /* no rekey, schedule hard timeout */
! 374: expired->hard_offset = 0;
! 375: timeout = lifetime->time.life;
! 376: }
! 377:
! 378: job = callback_job_create((callback_job_cb_t)sa_expired, expired,
! 379: (callback_job_cleanup_t)free, NULL);
! 380: lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, timeout);
! 381: }
! 382:
! 383: /**
! 384: * Remove all allocated SPIs
! 385: */
! 386: static void flush_allocated_spis(private_ipsec_sa_mgr_t *this)
! 387: {
! 388: enumerator_t *enumerator;
! 389: uint32_t *current;
! 390:
! 391: DBG2(DBG_ESP, "flushing allocated SPIs");
! 392: enumerator = this->allocated_spis->create_enumerator(this->allocated_spis);
! 393: while (enumerator->enumerate(enumerator, NULL, (void**)¤t))
! 394: {
! 395: this->allocated_spis->remove_at(this->allocated_spis, enumerator);
! 396: DBG2(DBG_ESP, " removed allocated SPI %.8x", ntohl(*current));
! 397: free(current);
! 398: }
! 399: enumerator->destroy(enumerator);
! 400: }
! 401:
! 402: /**
! 403: * Pre-allocate an SPI for an inbound SA
! 404: */
! 405: static bool allocate_spi(private_ipsec_sa_mgr_t *this, uint32_t spi)
! 406: {
! 407: uint32_t *spi_alloc;
! 408:
! 409: if (this->allocated_spis->get(this->allocated_spis, &spi) ||
! 410: this->sas->find_first(this->sas, match_entry_by_spi_inbound,
! 411: NULL, spi, TRUE))
! 412: {
! 413: return FALSE;
! 414: }
! 415: spi_alloc = malloc_thing(uint32_t);
! 416: *spi_alloc = spi;
! 417: this->allocated_spis->put(this->allocated_spis, spi_alloc, spi_alloc);
! 418: return TRUE;
! 419: }
! 420:
! 421: METHOD(ipsec_sa_mgr_t, get_spi, status_t,
! 422: private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol,
! 423: uint32_t *spi)
! 424: {
! 425: uint32_t spi_min, spi_max, spi_new;
! 426:
! 427: spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
! 428: 0x00000100, lib->ns);
! 429: spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
! 430: 0xffffffff, lib->ns);
! 431: if (spi_min > spi_max)
! 432: {
! 433: spi_new = spi_min;
! 434: spi_min = spi_max;
! 435: spi_max = spi_new;
! 436: }
! 437: /* make sure the SPI is valid (not in range 0-255) */
! 438: spi_min = max(spi_min, 0x00000100);
! 439: spi_max = max(spi_max, 0x00000100);
! 440:
! 441: this->mutex->lock(this->mutex);
! 442: if (!this->rng)
! 443: {
! 444: this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
! 445: if (!this->rng)
! 446: {
! 447: this->mutex->unlock(this->mutex);
! 448: DBG1(DBG_ESP, "failed to create RNG for SPI generation");
! 449: return FAILED;
! 450: }
! 451: }
! 452:
! 453: do
! 454: {
! 455: if (!this->rng->get_bytes(this->rng, sizeof(spi_new),
! 456: (uint8_t*)&spi_new))
! 457: {
! 458: this->mutex->unlock(this->mutex);
! 459: DBG1(DBG_ESP, "failed to allocate SPI");
! 460: return FAILED;
! 461: }
! 462: spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
! 463: spi_new = htonl(spi_new);
! 464: }
! 465: while (!allocate_spi(this, spi_new));
! 466: this->mutex->unlock(this->mutex);
! 467:
! 468: *spi = spi_new;
! 469:
! 470: DBG2(DBG_ESP, "allocated SPI %.8x", ntohl(*spi));
! 471: return SUCCESS;
! 472: }
! 473:
! 474: METHOD(ipsec_sa_mgr_t, add_sa, status_t,
! 475: private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint32_t spi,
! 476: uint8_t protocol, uint32_t reqid, mark_t mark, uint32_t tfc,
! 477: lifetime_cfg_t *lifetime, uint16_t enc_alg, chunk_t enc_key,
! 478: uint16_t int_alg, chunk_t int_key, ipsec_mode_t mode, uint16_t ipcomp,
! 479: uint16_t cpi, bool initiator, bool encap, bool esn, bool inbound,
! 480: bool update)
! 481: {
! 482: ipsec_sa_entry_t *entry;
! 483: ipsec_sa_t *sa_new;
! 484:
! 485: DBG2(DBG_ESP, "adding SAD entry with SPI %.8x and reqid {%u}",
! 486: ntohl(spi), reqid);
! 487: DBG2(DBG_ESP, " using encryption algorithm %N with key size %d",
! 488: encryption_algorithm_names, enc_alg, enc_key.len * 8);
! 489: DBG2(DBG_ESP, " using integrity algorithm %N with key size %d",
! 490: integrity_algorithm_names, int_alg, int_key.len * 8);
! 491:
! 492: sa_new = ipsec_sa_create(spi, src, dst, protocol, reqid, mark, tfc,
! 493: lifetime, enc_alg, enc_key, int_alg, int_key, mode,
! 494: ipcomp, cpi, encap, esn, inbound);
! 495: if (!sa_new)
! 496: {
! 497: DBG1(DBG_ESP, "failed to create SAD entry");
! 498: return FAILED;
! 499: }
! 500:
! 501: this->mutex->lock(this->mutex);
! 502:
! 503: if (update)
! 504: { /* remove any pre-allocated SPIs */
! 505: uint32_t *spi_alloc;
! 506:
! 507: spi_alloc = this->allocated_spis->remove(this->allocated_spis, &spi);
! 508: free(spi_alloc);
! 509: }
! 510:
! 511: if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb, NULL,
! 512: spi, src, dst))
! 513: {
! 514: this->mutex->unlock(this->mutex);
! 515: DBG1(DBG_ESP, "failed to install SAD entry: already installed");
! 516: sa_new->destroy(sa_new);
! 517: return FAILED;
! 518: }
! 519:
! 520: entry = create_entry(sa_new);
! 521: schedule_expiration(this, entry);
! 522: this->sas->insert_first(this->sas, entry);
! 523:
! 524: this->mutex->unlock(this->mutex);
! 525: return SUCCESS;
! 526: }
! 527:
! 528: METHOD(ipsec_sa_mgr_t, update_sa, status_t,
! 529: private_ipsec_sa_mgr_t *this, uint32_t spi, uint8_t protocol,
! 530: uint16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
! 531: bool encap, bool new_encap, mark_t mark)
! 532: {
! 533: ipsec_sa_entry_t *entry = NULL;
! 534:
! 535: DBG2(DBG_ESP, "updating SAD entry with SPI %.8x from %#H..%#H to %#H..%#H",
! 536: ntohl(spi), src, dst, new_src, new_dst);
! 537:
! 538: if (!new_encap)
! 539: {
! 540: DBG1(DBG_ESP, "failed to update SAD entry: can't deactivate UDP "
! 541: "encapsulation");
! 542: return NOT_SUPPORTED;
! 543: }
! 544:
! 545: this->mutex->lock(this->mutex);
! 546: if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb,
! 547: (void**)&entry, spi, src, dst) &&
! 548: wait_for_entry(this, entry))
! 549: {
! 550: entry->sa->set_source(entry->sa, new_src);
! 551: entry->sa->set_destination(entry->sa, new_dst);
! 552: /* checkin the entry */
! 553: entry->locked = FALSE;
! 554: entry->condvar->signal(entry->condvar);
! 555: }
! 556: this->mutex->unlock(this->mutex);
! 557:
! 558: if (!entry)
! 559: {
! 560: DBG1(DBG_ESP, "failed to update SAD entry: not found");
! 561: return FAILED;
! 562: }
! 563: return SUCCESS;
! 564: }
! 565:
! 566: METHOD(ipsec_sa_mgr_t, query_sa, status_t,
! 567: private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
! 568: uint32_t spi, uint8_t protocol, mark_t mark,
! 569: uint64_t *bytes, uint64_t *packets, time_t *time)
! 570: {
! 571: ipsec_sa_entry_t *entry = NULL;
! 572:
! 573: this->mutex->lock(this->mutex);
! 574: if (this->sas->find_first(this->sas, match_entry_by_spi_src_dst_cb,
! 575: (void**)&entry, spi, src, dst) &&
! 576: wait_for_entry(this, entry))
! 577: {
! 578: entry->sa->get_usestats(entry->sa, bytes, packets, time);
! 579: /* checkin the entry */
! 580: entry->locked = FALSE;
! 581: entry->condvar->signal(entry->condvar);
! 582: }
! 583: this->mutex->unlock(this->mutex);
! 584:
! 585: return entry ? SUCCESS : NOT_FOUND;
! 586: }
! 587:
! 588: METHOD(ipsec_sa_mgr_t, del_sa, status_t,
! 589: private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint32_t spi,
! 590: uint8_t protocol, uint16_t cpi, mark_t mark)
! 591: {
! 592: ipsec_sa_entry_t *current, *found = NULL;
! 593: enumerator_t *enumerator;
! 594:
! 595: this->mutex->lock(this->mutex);
! 596: enumerator = this->sas->create_enumerator(this->sas);
! 597: while (enumerator->enumerate(enumerator, (void**)¤t))
! 598: {
! 599: if (match_entry_by_spi_src_dst(current, spi, src, dst))
! 600: {
! 601: if (wait_remove_entry(this, current))
! 602: {
! 603: this->sas->remove_at(this->sas, enumerator);
! 604: found = current;
! 605: }
! 606: break;
! 607: }
! 608: }
! 609: enumerator->destroy(enumerator);
! 610: this->mutex->unlock(this->mutex);
! 611:
! 612: if (found)
! 613: {
! 614: DBG2(DBG_ESP, "deleted %sbound SAD entry with SPI %.8x",
! 615: found->sa->is_inbound(found->sa) ? "in" : "out", ntohl(spi));
! 616: destroy_entry(found);
! 617: return SUCCESS;
! 618: }
! 619: return FAILED;
! 620: }
! 621:
! 622: METHOD(ipsec_sa_mgr_t, checkout_by_reqid, ipsec_sa_t*,
! 623: private_ipsec_sa_mgr_t *this, uint32_t reqid, bool inbound)
! 624: {
! 625: ipsec_sa_entry_t *entry;
! 626: ipsec_sa_t *sa = NULL;
! 627:
! 628: this->mutex->lock(this->mutex);
! 629: if (this->sas->find_first(this->sas, match_entry_by_reqid_inbound,
! 630: (void**)&entry, reqid, inbound) &&
! 631: wait_for_entry(this, entry))
! 632: {
! 633: sa = entry->sa;
! 634: }
! 635: this->mutex->unlock(this->mutex);
! 636: return sa;
! 637: }
! 638:
! 639: METHOD(ipsec_sa_mgr_t, checkout_by_spi, ipsec_sa_t*,
! 640: private_ipsec_sa_mgr_t *this, uint32_t spi, host_t *dst)
! 641: {
! 642: ipsec_sa_entry_t *entry;
! 643: ipsec_sa_t *sa = NULL;
! 644:
! 645: this->mutex->lock(this->mutex);
! 646: if (this->sas->find_first(this->sas, match_entry_by_spi_dst,
! 647: (void**)&entry, spi, dst) &&
! 648: wait_for_entry(this, entry))
! 649: {
! 650: sa = entry->sa;
! 651: }
! 652: this->mutex->unlock(this->mutex);
! 653: return sa;
! 654: }
! 655:
! 656: METHOD(ipsec_sa_mgr_t, checkin, void,
! 657: private_ipsec_sa_mgr_t *this, ipsec_sa_t *sa)
! 658: {
! 659: ipsec_sa_entry_t *entry;
! 660:
! 661: this->mutex->lock(this->mutex);
! 662: if (this->sas->find_first(this->sas, match_entry_by_sa_ptr,
! 663: (void**)&entry, sa))
! 664: {
! 665: if (entry->locked)
! 666: {
! 667: entry->locked = FALSE;
! 668: entry->condvar->signal(entry->condvar);
! 669: }
! 670: }
! 671: this->mutex->unlock(this->mutex);
! 672: }
! 673:
! 674: METHOD(ipsec_sa_mgr_t, flush_sas, status_t,
! 675: private_ipsec_sa_mgr_t *this)
! 676: {
! 677: this->mutex->lock(this->mutex);
! 678: flush_entries(this);
! 679: this->mutex->unlock(this->mutex);
! 680: return SUCCESS;
! 681: }
! 682:
! 683: METHOD(ipsec_sa_mgr_t, destroy, void,
! 684: private_ipsec_sa_mgr_t *this)
! 685: {
! 686: this->mutex->lock(this->mutex);
! 687: flush_entries(this);
! 688: flush_allocated_spis(this);
! 689: this->mutex->unlock(this->mutex);
! 690:
! 691: this->allocated_spis->destroy(this->allocated_spis);
! 692: this->sas->destroy(this->sas);
! 693:
! 694: this->mutex->destroy(this->mutex);
! 695: DESTROY_IF(this->rng);
! 696: free(this);
! 697: }
! 698:
! 699: /**
! 700: * Described in header.
! 701: */
! 702: ipsec_sa_mgr_t *ipsec_sa_mgr_create()
! 703: {
! 704: private_ipsec_sa_mgr_t *this;
! 705:
! 706: INIT(this,
! 707: .public = {
! 708: .get_spi = _get_spi,
! 709: .add_sa = _add_sa,
! 710: .update_sa = _update_sa,
! 711: .query_sa = _query_sa,
! 712: .del_sa = _del_sa,
! 713: .checkout_by_spi = _checkout_by_spi,
! 714: .checkout_by_reqid = _checkout_by_reqid,
! 715: .checkin = _checkin,
! 716: .flush_sas = _flush_sas,
! 717: .destroy = _destroy,
! 718: },
! 719: .sas = linked_list_create(),
! 720: .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
! 721: .allocated_spis = hashtable_create((hashtable_hash_t)spi_hash,
! 722: (hashtable_equals_t)spi_equals, 16),
! 723: );
! 724:
! 725: return &this->public;
! 726: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ipsec_sa_mgr.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libipsec