src/libcharon/plugins/ha/ha_child.c - manifest_repos/strongswan - Git at Google

 /*
  * Copyright (C) 2008 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  *
  * This program is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  * for more details.
  */

 #include "ha_child.h"

 typedef struct private_ha_child_t private_ha_child_t;

 /**
  * Private data of an ha_child_t object.
  */
 struct private_ha_child_t {

 	/**
 	 * Public ha_child_t interface.
 	 */
 	ha_child_t public;

 	/**
 	 * socket we use for syncing
 	 */
 	ha_socket_t *socket;

 	/**
 	 * tunnel securing sync messages
 	 */
 	ha_tunnel_t *tunnel;

 	/**
 	 * Segment handling
 	 */
 	ha_segments_t *segments;

 	/**
 	 * Kernel helper
 	 */
 	ha_kernel_t *kernel;
 };

 METHOD(listener_t, child_keys, bool,
 	private_ha_child_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
 	bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
 {
 	ha_message_t *m;
 	chunk_t secret;
 	proposal_t *proposal;
 	uint16_t alg, len;
 	linked_list_t *local_ts, *remote_ts;
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 	u_int seg_i, seg_o;

 	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 	{	/* do not sync SA between nodes */
 		return TRUE;
 	}

 	m = ha_message_create(HA_CHILD_ADD);

 	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
 	m->add_attribute(m, HA_INITIATOR, (uint8_t)initiator);
 	m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
 	m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
 	m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
 	m->add_attribute(m, HA_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
 	m->add_attribute(m, HA_IPSEC_MODE, child_sa->get_mode(child_sa));
 	m->add_attribute(m, HA_IPCOMP, child_sa->get_ipcomp(child_sa));
 	m->add_attribute(m, HA_CONFIG_NAME, child_sa->get_name(child_sa));

 	proposal = child_sa->get_proposal(child_sa);
 	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
 	{
 		m->add_attribute(m, HA_ALG_ENCR, alg);
 		if (len)
 		{
 			m->add_attribute(m, HA_ALG_ENCR_LEN, len);
 		}
 	}
 	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
 	{
 		m->add_attribute(m, HA_ALG_INTEG, alg);
 	}
 	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
 	{
 		m->add_attribute(m, HA_ALG_DH, alg);
 	}
 	if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
 	{
 		m->add_attribute(m, HA_ESN, alg);
 	}
 	m->add_attribute(m, HA_NONCE_I, nonce_i);
 	m->add_attribute(m, HA_NONCE_R, nonce_r);
 	if (dh && dh->get_shared_secret(dh, &secret))
 	{
 		m->add_attribute(m, HA_SECRET, secret);
 		chunk_clear(&secret);
 	}

 	local_ts = linked_list_create();
 	remote_ts = linked_list_create();

 	enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_LOCAL_TS, ts);
 		local_ts->insert_last(local_ts, ts);
 	}
 	enumerator->destroy(enumerator);

 	enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
 	while (enumerator->enumerate(enumerator, &ts))
 	{
 		m->add_attribute(m, HA_REMOTE_TS, ts);
 		remote_ts->insert_last(remote_ts, ts);
 	}
 	enumerator->destroy(enumerator);

 	seg_i = this->kernel->get_segment_spi(this->kernel,
 			ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE));
 	seg_o = this->kernel->get_segment_spi(this->kernel,
 			ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
 	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R "
 		"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
 		child_sa->get_unique_id(child_sa), local_ts, remote_ts,
 		seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
 		seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");

 	local_ts->destroy(local_ts);
 	remote_ts->destroy(remote_ts);

 	this->socket->push(this->socket, m);
 	m->destroy(m);

 	return TRUE;
 }

 METHOD(listener_t, child_state_change, bool,
 	private_ha_child_t *this, ike_sa_t *ike_sa,
 	child_sa_t *child_sa, child_sa_state_t state)
 {
 	if (!ike_sa ||
 		ike_sa->get_state(ike_sa) == IKE_PASSIVE ||
 		ike_sa->get_state(ike_sa) == IKE_DESTROYING)
 	{	/* only sync active IKE_SAs */
 		return TRUE;
 	}
 	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
 	{	/* do not sync SA between nodes */
 		return TRUE;
 	}


 	if (state == CHILD_DESTROYING)
 	{
 		ha_message_t *m;

 		m = ha_message_create(HA_CHILD_DELETE);

 		m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
 		m->add_attribute(m, HA_INBOUND_SPI,
 						 child_sa->get_spi(child_sa, TRUE));
 		this->socket->push(this->socket, m);
 		m->destroy(m);
 	}
 	return TRUE;
 }

 METHOD(ha_child_t, destroy, void,
 	private_ha_child_t *this)
 {
 	free(this);
 }

 /**
  * See header
  */
 ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
 							ha_segments_t *segments, ha_kernel_t *kernel)
 {
 	private_ha_child_t *this;

 	INIT(this,
 		.public = {
 			.listener = {
 				.child_keys = _child_keys,
 				.child_state_change = _child_state_change,
 			},
 			.destroy = _destroy,
 		},
 		.socket = socket,
 		.tunnel = tunnel,
 		.segments = segments,
 		.kernel = kernel,
 	);

 	return &this->public;
 }
	/*
	* Copyright (C) 2008 Martin Willi
	* HSR Hochschule fuer Technik Rapperswil
	*
	* This program is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License as published by the
	* Free Software Foundation; either version 2 of the License, or (at your
	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	*
	* This program is distributed in the hope that it will be useful, but
	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* for more details.
	*/

	#include "ha_child.h"

	typedef struct private_ha_child_t private_ha_child_t;

	/**
	* Private data of an ha_child_t object.
	*/
	struct private_ha_child_t {

	/**
	* Public ha_child_t interface.
	*/
	ha_child_t public;

	/**
	* socket we use for syncing
	*/
	ha_socket_t *socket;

	/**
	* tunnel securing sync messages
	*/
	ha_tunnel_t *tunnel;

	/**
	* Segment handling
	*/
	ha_segments_t *segments;

	/**
	* Kernel helper
	*/
	ha_kernel_t *kernel;
	};

	METHOD(listener_t, child_keys, bool,
	private_ha_child_t this, ike_sa_t ike_sa, child_sa_t *child_sa,
	bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
	{
	ha_message_t *m;
	chunk_t secret;
	proposal_t *proposal;
	uint16_t alg, len;
	linked_list_t local_ts, remote_ts;
	enumerator_t *enumerator;
	traffic_selector_t *ts;
	u_int seg_i, seg_o;

	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
	{ /* do not sync SA between nodes */
	return TRUE;
	}

	m = ha_message_create(HA_CHILD_ADD);

	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
	m->add_attribute(m, HA_INITIATOR, (uint8_t)initiator);
	m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
	m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
	m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
	m->add_attribute(m, HA_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
	m->add_attribute(m, HA_IPSEC_MODE, child_sa->get_mode(child_sa));
	m->add_attribute(m, HA_IPCOMP, child_sa->get_ipcomp(child_sa));
	m->add_attribute(m, HA_CONFIG_NAME, child_sa->get_name(child_sa));

	proposal = child_sa->get_proposal(child_sa);
	if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
	{
	m->add_attribute(m, HA_ALG_ENCR, alg);
	if (len)
	{
	m->add_attribute(m, HA_ALG_ENCR_LEN, len);
	}
	}
	if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
	{
	m->add_attribute(m, HA_ALG_INTEG, alg);
	}
	if (proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP, &alg, NULL))
	{
	m->add_attribute(m, HA_ALG_DH, alg);
	}
	if (proposal->get_algorithm(proposal, EXTENDED_SEQUENCE_NUMBERS, &alg, NULL))
	{
	m->add_attribute(m, HA_ESN, alg);
	}
	m->add_attribute(m, HA_NONCE_I, nonce_i);
	m->add_attribute(m, HA_NONCE_R, nonce_r);
	if (dh && dh->get_shared_secret(dh, &secret))
	{
	m->add_attribute(m, HA_SECRET, secret);
	chunk_clear(&secret);
	}

	local_ts = linked_list_create();
	remote_ts = linked_list_create();

	enumerator = child_sa->create_ts_enumerator(child_sa, TRUE);
	while (enumerator->enumerate(enumerator, &ts))
	{
	m->add_attribute(m, HA_LOCAL_TS, ts);
	local_ts->insert_last(local_ts, ts);
	}
	enumerator->destroy(enumerator);

	enumerator = child_sa->create_ts_enumerator(child_sa, FALSE);
	while (enumerator->enumerate(enumerator, &ts))
	{
	m->add_attribute(m, HA_REMOTE_TS, ts);
	remote_ts->insert_last(remote_ts, ts);
	}
	enumerator->destroy(enumerator);

	seg_i = this->kernel->get_segment_spi(this->kernel,
	ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE));
	seg_o = this->kernel->get_segment_spi(this->kernel,
	ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE));
	DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R === %#R "
	"(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa),
	child_sa->get_unique_id(child_sa), local_ts, remote_ts,
	seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "",
	seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : "");

	local_ts->destroy(local_ts);
	remote_ts->destroy(remote_ts);

	this->socket->push(this->socket, m);
	m->destroy(m);

	return TRUE;
	}

	METHOD(listener_t, child_state_change, bool,
	private_ha_child_t this, ike_sa_t ike_sa,
	child_sa_t *child_sa, child_sa_state_t state)
	{
	if (!ike_sa \|\|
	ike_sa->get_state(ike_sa) == IKE_PASSIVE \|\|
	ike_sa->get_state(ike_sa) == IKE_DESTROYING)
	{ /* only sync active IKE_SAs */
	return TRUE;
	}
	if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
	{ /* do not sync SA between nodes */
	return TRUE;
	}


	if (state == CHILD_DESTROYING)
	{
	ha_message_t *m;

	m = ha_message_create(HA_CHILD_DELETE);

	m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
	m->add_attribute(m, HA_INBOUND_SPI,
	child_sa->get_spi(child_sa, TRUE));
	this->socket->push(this->socket, m);
	m->destroy(m);
	}
	return TRUE;
	}

	METHOD(ha_child_t, destroy, void,
	private_ha_child_t *this)
	{
	free(this);
	}

	/**
	* See header
	*/
	ha_child_t ha_child_create(ha_socket_t socket, ha_tunnel_t *tunnel,
	ha_segments_t segments, ha_kernel_t kernel)
	{
	private_ha_child_t *this;

	INIT(this,
	.public = {
	.listener = {
	.child_keys = _child_keys,
	.child_state_change = _child_state_change,
	},
	.destroy = _destroy,
	},
	.socket = socket,
	.tunnel = tunnel,
	.segments = segments,
	.kernel = kernel,
	);

	return &this->public;
	}