aboutsummaryrefslogtreecommitdiffstats
path: root/src/charon
diff options
context:
space:
mode:
authorMartin Willi <martin@revosec.ch>2010-03-19 19:03:46 +0100
committerMartin Willi <martin@revosec.ch>2010-04-07 13:55:16 +0200
commit29a46aacade7a516c2fae5e9134a90b106f12c0e (patch)
tree93342e36b6538646f8e57f615f171f9660abfc16 /src/charon
parent3e8caf6af663d087b2ce5450c7355b0b6a0a6045 (diff)
downloadstrongswan-29a46aacade7a516c2fae5e9134a90b106f12c0e.tar.bz2
strongswan-29a46aacade7a516c2fae5e9134a90b106f12c0e.tar.xz
Moved ha plugin to libcharon
Diffstat (limited to 'src/charon')
-rw-r--r--src/charon/plugins/ha/Makefile.am19
-rw-r--r--src/charon/plugins/ha/ha_child.c170
-rw-r--r--src/charon/plugins/ha/ha_child.h57
-rw-r--r--src/charon/plugins/ha/ha_ctl.c132
-rw-r--r--src/charon/plugins/ha/ha_ctl.h47
-rw-r--r--src/charon/plugins/ha/ha_dispatcher.c737
-rw-r--r--src/charon/plugins/ha/ha_dispatcher.h50
-rw-r--r--src/charon/plugins/ha/ha_ike.c286
-rw-r--r--src/charon/plugins/ha/ha_ike.h57
-rw-r--r--src/charon/plugins/ha/ha_kernel.c229
-rw-r--r--src/charon/plugins/ha/ha_kernel.h70
-rw-r--r--src/charon/plugins/ha/ha_message.c665
-rw-r--r--src/charon/plugins/ha/ha_message.h207
-rw-r--r--src/charon/plugins/ha/ha_plugin.c163
-rw-r--r--src/charon/plugins/ha/ha_plugin.h52
-rw-r--r--src/charon/plugins/ha/ha_segments.c502
-rw-r--r--src/charon/plugins/ha/ha_segments.h111
-rw-r--r--src/charon/plugins/ha/ha_socket.c234
-rw-r--r--src/charon/plugins/ha/ha_socket.h60
-rw-r--r--src/charon/plugins/ha/ha_tunnel.c297
-rw-r--r--src/charon/plugins/ha/ha_tunnel.h57
21 files changed, 0 insertions, 4202 deletions
diff --git a/src/charon/plugins/ha/Makefile.am b/src/charon/plugins/ha/Makefile.am
deleted file mode 100644
index 52dc95de0..000000000
--- a/src/charon/plugins/ha/Makefile.am
+++ /dev/null
@@ -1,19 +0,0 @@
-
-INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/charon
-
-AM_CFLAGS = -rdynamic -DIPSEC_PIDDIR=\"${piddir}\"
-
-plugin_LTLIBRARIES = libstrongswan-ha.la
-libstrongswan_ha_la_SOURCES = \
- ha_plugin.h ha_plugin.c \
- ha_message.h ha_message.c \
- ha_socket.h ha_socket.c \
- ha_tunnel.h ha_tunnel.c \
- ha_dispatcher.h ha_dispatcher.c \
- ha_segments.h ha_segments.c \
- ha_kernel.h ha_kernel.c \
- ha_ctl.h ha_ctl.c \
- ha_ike.h ha_ike.c \
- ha_child.h ha_child.c
-libstrongswan_ha_la_LDFLAGS = -module
-
diff --git a/src/charon/plugins/ha/ha_child.c b/src/charon/plugins/ha/ha_child.c
deleted file mode 100644
index 2eb8e27f6..000000000
--- a/src/charon/plugins/ha/ha_child.c
+++ /dev/null
@@ -1,170 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_child.h"
-
-typedef struct private_ha_child_t private_ha_child_t;
-
-/**
- * Private data of an ha_child_t object.
- */
-struct private_ha_child_t {
-
- /**
- * Public ha_child_t interface.
- */
- ha_child_t public;
-
- /**
- * socket we use for syncing
- */
- ha_socket_t *socket;
-
- /**
- * tunnel securing sync messages
- */
- ha_tunnel_t *tunnel;
-};
-
-/**
- * Implementation of listener_t.child_keys
- */
-static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa,
- child_sa_t *child_sa, diffie_hellman_t *dh,
- chunk_t nonce_i, chunk_t nonce_r)
-{
- ha_message_t *m;
- chunk_t secret;
- proposal_t *proposal;
- u_int16_t alg, len;
- linked_list_t *list;
- enumerator_t *enumerator;
- traffic_selector_t *ts;
-
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- { /* do not sync SA between nodes */
- return TRUE;
- }
-
- m = ha_message_create(HA_CHILD_ADD);
-
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE));
- m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE));
- m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE));
- m->add_attribute(m, HA_OUTBOUND_CPI, child_sa->get_cpi(child_sa, FALSE));
- m->add_attribute(m, HA_IPSEC_MODE, child_sa->get_mode(child_sa));
- m->add_attribute(m, HA_IPCOMP, child_sa->get_ipcomp(child_sa));
- m->add_attribute(m, HA_CONFIG_NAME, child_sa->get_name(child_sa));
-
- proposal = child_sa->get_proposal(child_sa);
- if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
- {
- m->add_attribute(m, HA_ALG_ENCR, alg);
- if (len)
- {
- m->add_attribute(m, HA_ALG_ENCR_LEN, len);
- }
- }
- if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
- {
- m->add_attribute(m, HA_ALG_INTEG, alg);
- }
- m->add_attribute(m, HA_NONCE_I, nonce_i);
- m->add_attribute(m, HA_NONCE_R, nonce_r);
- if (dh && dh->get_shared_secret(dh, &secret) == SUCCESS)
- {
- m->add_attribute(m, HA_SECRET, secret);
- chunk_clear(&secret);
- }
-
- list = child_sa->get_traffic_selectors(child_sa, TRUE);
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &ts))
- {
- m->add_attribute(m, HA_LOCAL_TS, ts);
- }
- enumerator->destroy(enumerator);
- list = child_sa->get_traffic_selectors(child_sa, FALSE);
- enumerator = list->create_enumerator(list);
- while (enumerator->enumerate(enumerator, &ts))
- {
- m->add_attribute(m, HA_REMOTE_TS, ts);
- }
- enumerator->destroy(enumerator);
-
- this->socket->push(this->socket, m);
-
- return TRUE;
-}
-
-/**
- * Implementation of listener_t.child_state_change
- */
-static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa,
- child_sa_t *child_sa, child_sa_state_t state)
-{
- if (!ike_sa ||
- ike_sa->get_state(ike_sa) == IKE_PASSIVE ||
- ike_sa->get_state(ike_sa) == IKE_DESTROYING)
- { /* only sync active IKE_SAs */
- return TRUE;
- }
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- { /* do not sync SA between nodes */
- return TRUE;
- }
-
-
- if (state == CHILD_DESTROYING)
- {
- ha_message_t *m;
-
- m = ha_message_create(HA_CHILD_DELETE);
-
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_INBOUND_SPI,
- child_sa->get_spi(child_sa, TRUE));
- this->socket->push(this->socket, m);
- }
- return TRUE;
-}
-
-/**
- * Implementation of ha_child_t.destroy.
- */
-static void destroy(private_ha_child_t *this)
-{
- free(this);
-}
-
-/**
- * See header
- */
-ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
-{
- private_ha_child_t *this = malloc_thing(private_ha_child_t);
-
- memset(&this->public.listener, 0, sizeof(listener_t));
- this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys;
- this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change;
- this->public.destroy = (void(*)(ha_child_t*))destroy;
-
- this->socket = socket;
- this->tunnel = tunnel;
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_child.h b/src/charon/plugins/ha/ha_child.h
deleted file mode 100644
index ea83495f7..000000000
--- a/src/charon/plugins/ha/ha_child.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_child ha_child
- * @{ @ingroup ha
- */
-
-#ifndef HA_CHILD_H_
-#define HA_CHILD_H_
-
-#include "ha_socket.h"
-#include "ha_tunnel.h"
-#include "ha_segments.h"
-
-#include <daemon.h>
-
-typedef struct ha_child_t ha_child_t;
-
-/**
- * Listener to synchronize CHILD_SAs.
- */
-struct ha_child_t {
-
- /**
- * Implements bus listener interface.
- */
- listener_t listener;
-
- /**
- * Destroy a ha_child_t.
- */
- void (*destroy)(ha_child_t *this);
-};
-
-/**
- * Create a ha_child instance.
- *
- * @param socket socket to use for sending synchronization messages
- * @param tunnel tunnel securing sync messages, if any
- * @return CHILD listener
- */
-ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
-
-#endif /* HA_CHILD_ @}*/
diff --git a/src/charon/plugins/ha/ha_ctl.c b/src/charon/plugins/ha/ha_ctl.c
deleted file mode 100644
index 441d26d9e..000000000
--- a/src/charon/plugins/ha/ha_ctl.c
+++ /dev/null
@@ -1,132 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_ctl.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/select.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <errno.h>
-#include <pthread.h>
-
-#include <processing/jobs/callback_job.h>
-
-#define HA_FIFO IPSEC_PIDDIR "/charon.ha"
-
-typedef struct private_ha_ctl_t private_ha_ctl_t;
-
-/**
- * Private data of an ha_ctl_t object.
- */
-struct private_ha_ctl_t {
-
- /**
- * Public ha_ctl_t interface.
- */
- ha_ctl_t public;
-
- /**
- * Segments to control
- */
- ha_segments_t *segments;
-
- /**
- * FIFO reader thread
- */
- callback_job_t *job;
-};
-
-/**
- * FIFO dispatching function
- */
-static job_requeue_t dispatch_fifo(private_ha_ctl_t *this)
-{
- int fifo, old;
- char buf[8];
- u_int segment;
-
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old);
- fifo = open(HA_FIFO, O_RDONLY);
- pthread_setcancelstate(old, NULL);
- if (fifo == -1)
- {
- DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno));
- sleep(1);
- return JOB_REQUEUE_FAIR;
- }
-
- memset(buf, 0, sizeof(buf));
- if (read(fifo, buf, sizeof(buf)-1) > 1)
- {
- segment = atoi(&buf[1]);
- if (segment)
- {
- switch (buf[0])
- {
- case '+':
- this->segments->activate(this->segments, segment, TRUE);
- break;
- case '-':
- this->segments->deactivate(this->segments, segment, TRUE);
- break;
- case '*':
- this->segments->resync(this->segments, segment);
- break;
- default:
- break;
- }
- }
- }
- close(fifo);
-
- return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of ha_ctl_t.destroy.
- */
-static void destroy(private_ha_ctl_t *this)
-{
- this->job->cancel(this->job);
- free(this);
-}
-
-/**
- * See header
- */
-ha_ctl_t *ha_ctl_create(ha_segments_t *segments)
-{
- private_ha_ctl_t *this = malloc_thing(private_ha_ctl_t);
-
- this->public.destroy = (void(*)(ha_ctl_t*))destroy;
-
- if (access(HA_FIFO, R_OK|W_OK) != 0)
- {
- if (mkfifo(HA_FIFO, 600) != 0)
- {
- DBG1(DBG_CFG, "creating HA FIFO %s failed: %s",
- HA_FIFO, strerror(errno));
- }
- }
-
- this->segments = segments;
- this->job = callback_job_create((callback_job_cb_t)dispatch_fifo,
- this, NULL, NULL);
- charon->processor->queue_job(charon->processor, (job_t*)this->job);
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_ctl.h b/src/charon/plugins/ha/ha_ctl.h
deleted file mode 100644
index f33a809be..000000000
--- a/src/charon/plugins/ha/ha_ctl.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_ctl ha_ctl
- * @{ @ingroup ha
- */
-
-#ifndef HA_CTL_H_
-#define HA_CTL_H_
-
-#include "ha_segments.h"
-
-typedef struct ha_ctl_t ha_ctl_t;
-
-/**
- * HA Sync control interface using a FIFO.
- */
-struct ha_ctl_t {
-
- /**
- * Destroy a ha_ctl_t.
- */
- void (*destroy)(ha_ctl_t *this);
-};
-
-/**
- * Create a ha_ctl instance.
- *
- * @param segments segments to control
- * @return HA control interface
- */
-ha_ctl_t *ha_ctl_create(ha_segments_t *segments);
-
-#endif /* HA_CTL_ @}*/
diff --git a/src/charon/plugins/ha/ha_dispatcher.c b/src/charon/plugins/ha/ha_dispatcher.c
deleted file mode 100644
index 4acf7477a..000000000
--- a/src/charon/plugins/ha/ha_dispatcher.c
+++ /dev/null
@@ -1,737 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_dispatcher.h"
-
-#include <daemon.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_ha_dispatcher_t private_ha_dispatcher_t;
-
-/**
- * Private data of an ha_dispatcher_t object.
- */
-struct private_ha_dispatcher_t {
-
- /**
- * Public ha_dispatcher_t interface.
- */
- ha_dispatcher_t public;
-
- /**
- * socket to pull messages from
- */
- ha_socket_t *socket;
-
- /**
- * segments to control
- */
- ha_segments_t *segments;
-
- /**
- * Dispatcher job
- */
- callback_job_t *job;
-};
-
-/**
- * Quick and dirty hack implementation of diffie_hellman_t.get_shared_secret
- */
-static status_t get_shared_secret(diffie_hellman_t *this, chunk_t *secret)
-{
- *secret = chunk_clone((*(chunk_t*)this->destroy));
- return SUCCESS;
-}
-
-/**
- * Process messages of type IKE_ADD
- */
-static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL, *old_sa = NULL;
- u_int16_t encr = 0, len = 0, integ = 0, prf = 0, old_prf = PRF_UNDEFINED;
- chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty;
- chunk_t secret = chunk_empty, old_skd = chunk_empty;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_IKE_ID:
- ike_sa = ike_sa_create(value.ike_sa_id);
- break;
- case HA_IKE_REKEY_ID:
- old_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- value.ike_sa_id);
- break;
- case HA_NONCE_I:
- nonce_i = value.chunk;
- break;
- case HA_NONCE_R:
- nonce_r = value.chunk;
- break;
- case HA_SECRET:
- secret = value.chunk;
- break;
- case HA_OLD_SKD:
- old_skd = value.chunk;
- break;
- case HA_ALG_ENCR:
- encr = value.u16;
- break;
- case HA_ALG_ENCR_LEN:
- len = value.u16;
- break;
- case HA_ALG_INTEG:
- integ = value.u16;
- break;
- case HA_ALG_PRF:
- prf = value.u16;
- break;
- case HA_ALG_OLD_PRF:
- old_prf = value.u16;
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- if (ike_sa)
- {
- proposal_t *proposal;
- keymat_t *keymat;
- /* quick and dirty hack of a DH implementation ;-) */
- diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
- .destroy = (void*)&secret };
-
- proposal = proposal_create(PROTO_IKE);
- keymat = ike_sa->get_keymat(ike_sa);
- if (integ)
- {
- proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
- }
- if (encr)
- {
- proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
- }
- if (prf)
- {
- proposal->add_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, prf, 0);
- }
- charon->bus->set_sa(charon->bus, ike_sa);
- if (keymat->derive_ike_keys(keymat, proposal, &dh, nonce_i, nonce_r,
- ike_sa->get_id(ike_sa), old_prf, old_skd))
- {
- if (old_sa)
- {
- peer_cfg_t *peer_cfg = old_sa->get_peer_cfg(old_sa);
-
- if (peer_cfg)
- {
- ike_sa->set_peer_cfg(ike_sa, peer_cfg);
- ike_sa->inherit(ike_sa, old_sa);
- }
- charon->ike_sa_manager->checkin_and_destroy(
- charon->ike_sa_manager, old_sa);
- old_sa = NULL;
- }
- ike_sa->set_state(ike_sa, IKE_CONNECTING);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- else
- {
- DBG1(DBG_IKE, "HA keymat derivation failed");
- ike_sa->destroy(ike_sa);
- }
- charon->bus->set_sa(charon->bus, NULL);
- proposal->destroy(proposal);
- }
- if (old_sa)
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa);
- }
-}
-
-/**
- * Apply a condition flag to the IKE_SA if it is in set
- */
-static void set_condition(ike_sa_t *ike_sa, ike_condition_t set,
- ike_condition_t flag)
-{
- ike_sa->set_condition(ike_sa, flag, flag & set);
-}
-
-/**
- * Apply a extension flag to the IKE_SA if it is in set
- */
-static void set_extension(ike_sa_t *ike_sa, ike_extension_t set,
- ike_extension_t flag)
-{
- if (flag & set)
- {
- ike_sa->enable_extension(ike_sa, flag);
- }
-}
-
-/**
- * Process messages of type IKE_UPDATE
- */
-static void process_ike_update(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL;
- peer_cfg_t *peer_cfg = NULL;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- if (attribute != HA_IKE_ID && ike_sa == NULL)
- {
- /* must be first attribute */
- break;
- }
- switch (attribute)
- {
- case HA_IKE_ID:
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- value.ike_sa_id);
- break;
- case HA_LOCAL_ID:
- ike_sa->set_my_id(ike_sa, value.id->clone(value.id));
- break;
- case HA_REMOTE_ID:
- ike_sa->set_other_id(ike_sa, value.id->clone(value.id));
- break;
- case HA_EAP_ID:
- ike_sa->set_eap_identity(ike_sa, value.id->clone(value.id));
- break;
- case HA_LOCAL_ADDR:
- ike_sa->set_my_host(ike_sa, value.host->clone(value.host));
- break;
- case HA_REMOTE_ADDR:
- ike_sa->set_other_host(ike_sa, value.host->clone(value.host));
- break;
- case HA_LOCAL_VIP:
- ike_sa->set_virtual_ip(ike_sa, TRUE, value.host);
- break;
- case HA_REMOTE_VIP:
- ike_sa->set_virtual_ip(ike_sa, FALSE, value.host);
- break;
- case HA_ADDITIONAL_ADDR:
- ike_sa->add_additional_address(ike_sa,
- value.host->clone(value.host));
- break;
- case HA_CONFIG_NAME:
- peer_cfg = charon->backends->get_peer_cfg_by_name(
- charon->backends, value.str);
- if (peer_cfg)
- {
- ike_sa->set_peer_cfg(ike_sa, peer_cfg);
- peer_cfg->destroy(peer_cfg);
- }
- else
- {
- DBG1(DBG_IKE, "HA is missing nodes peer configuration");
- }
- break;
- case HA_EXTENSIONS:
- set_extension(ike_sa, value.u32, EXT_NATT);
- set_extension(ike_sa, value.u32, EXT_MOBIKE);
- set_extension(ike_sa, value.u32, EXT_HASH_AND_URL);
- break;
- case HA_CONDITIONS:
- set_condition(ike_sa, value.u32, COND_NAT_ANY);
- set_condition(ike_sa, value.u32, COND_NAT_HERE);
- set_condition(ike_sa, value.u32, COND_NAT_THERE);
- set_condition(ike_sa, value.u32, COND_NAT_FAKE);
- set_condition(ike_sa, value.u32, COND_EAP_AUTHENTICATED);
- set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN);
- set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR);
- break;
- case HA_INITIATE_MID:
- ike_sa->set_message_id(ike_sa, TRUE, value.u32);
- break;
- case HA_RESPOND_MID:
- ike_sa->set_message_id(ike_sa, FALSE, value.u32);
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- if (ike_sa)
- {
- if (ike_sa->get_state(ike_sa) == IKE_CONNECTING &&
- ike_sa->get_peer_cfg(ike_sa))
- {
- ike_sa->set_state(ike_sa, IKE_PASSIVE);
- }
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
-}
-
-/**
- * Process messages of type IKE_DELETE
- */
-static void process_ike_delete(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- ike_sa_t *ike_sa;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_IKE_ID:
- ike_sa = charon->ike_sa_manager->checkout(
- charon->ike_sa_manager, value.ike_sa_id);
- if (ike_sa)
- {
- charon->ike_sa_manager->checkin_and_destroy(
- charon->ike_sa_manager, ike_sa);
- }
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Lookup a child cfg from the peer cfg by name
- */
-static child_cfg_t* find_child_cfg(ike_sa_t *ike_sa, char *name)
-{
- peer_cfg_t *peer_cfg;
- child_cfg_t *current, *found = NULL;
- enumerator_t *enumerator;
-
- peer_cfg = ike_sa->get_peer_cfg(ike_sa);
- if (peer_cfg)
- {
- enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg);
- while (enumerator->enumerate(enumerator, &current))
- {
- if (streq(current->get_name(current), name))
- {
- found = current;
- break;
- }
- }
- enumerator->destroy(enumerator);
- }
- return found;
-}
-
-/**
- * Process messages of type CHILD_ADD
- */
-static void process_child_add(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL;
- char *config_name;
- child_cfg_t *config = NULL;
- child_sa_t *child_sa;
- proposal_t *proposal;
- keymat_t *keymat;
- bool initiator, failed = FALSE;
- u_int32_t inbound_spi = 0, outbound_spi = 0;
- u_int16_t inbound_cpi = 0, outbound_cpi = 0;
- u_int8_t mode = MODE_TUNNEL, ipcomp = 0;
- u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0;
- chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty;
- chunk_t encr_i, integ_i, encr_r, integ_r;
- linked_list_t *local_ts, *remote_ts;
- /* quick and dirty hack of a DH implementation */
- diffie_hellman_t dh = { .get_shared_secret = get_shared_secret,
- .destroy = (void*)&secret };
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_IKE_ID:
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- value.ike_sa_id);
- initiator = value.ike_sa_id->is_initiator(value.ike_sa_id);
- break;
- case HA_CONFIG_NAME:
- config_name = value.str;
- break;
- case HA_INBOUND_SPI:
- inbound_spi = value.u32;
- break;
- case HA_OUTBOUND_SPI:
- outbound_spi = value.u32;
- break;
- case HA_INBOUND_CPI:
- inbound_cpi = value.u32;
- break;
- case HA_OUTBOUND_CPI:
- outbound_cpi = value.u32;
- break;
- case HA_IPSEC_MODE:
- mode = value.u8;
- break;
- case HA_IPCOMP:
- ipcomp = value.u8;
- break;
- case HA_ALG_ENCR:
- encr = value.u16;
- break;
- case HA_ALG_ENCR_LEN:
- len = value.u16;
- break;
- case HA_ALG_INTEG:
- integ = value.u16;
- break;
- case HA_NONCE_I:
- nonce_i = value.chunk;
- break;
- case HA_NONCE_R:
- nonce_r = value.chunk;
- break;
- case HA_SECRET:
- secret = value.chunk;
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- if (!ike_sa)
- {
- DBG1(DBG_CHD, "IKE_SA for HA CHILD_SA not found");
- return;
- }
- config = find_child_cfg(ike_sa, config_name);
- if (!config)
- {
- DBG1(DBG_CHD, "HA is missing nodes child configuration");
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return;
- }
-
- child_sa = child_sa_create(ike_sa->get_my_host(ike_sa),
- ike_sa->get_other_host(ike_sa), config, 0,
- ike_sa->has_condition(ike_sa, COND_NAT_ANY));
- child_sa->set_mode(child_sa, mode);
- child_sa->set_protocol(child_sa, PROTO_ESP);
- child_sa->set_ipcomp(child_sa, ipcomp);
-
- proposal = proposal_create(PROTO_ESP);
- if (integ)
- {
- proposal->add_algorithm(proposal, INTEGRITY_ALGORITHM, integ, 0);
- }
- if (encr)
- {
- proposal->add_algorithm(proposal, ENCRYPTION_ALGORITHM, encr, len);
- }
- keymat = ike_sa->get_keymat(ike_sa);
-
- if (!keymat->derive_child_keys(keymat, proposal, secret.ptr ? &dh : NULL,
- nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
- {
- DBG1(DBG_CHD, "HA CHILD_SA key derivation failed");
- child_sa->destroy(child_sa);
- proposal->destroy(proposal);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return;
- }
- child_sa->set_proposal(child_sa, proposal);
- child_sa->set_state(child_sa, CHILD_INSTALLING);
- proposal->destroy(proposal);
-
- if (initiator)
- {
- if (child_sa->install(child_sa, encr_r, integ_r,
- inbound_spi, inbound_cpi, TRUE) != SUCCESS ||
- child_sa->install(child_sa, encr_i, integ_i,
- outbound_spi, outbound_cpi, FALSE) != SUCCESS)
- {
- failed = TRUE;
- }
- }
- else
- {
- if (child_sa->install(child_sa, encr_i, integ_i,
- inbound_spi, inbound_cpi, TRUE) != SUCCESS ||
- child_sa->install(child_sa, encr_r, integ_r,
- outbound_spi, outbound_cpi, FALSE) != SUCCESS)
- {
- failed = TRUE;
- }
- }
- chunk_clear(&encr_i);
- chunk_clear(&integ_i);
- chunk_clear(&encr_r);
- chunk_clear(&integ_r);
-
- if (failed)
- {
- DBG1(DBG_CHD, "HA CHILD_SA installation failed");
- child_sa->destroy(child_sa);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- return;
- }
-
- /* TODO: Change CHILD_SA API to avoid cloning twice */
- local_ts = linked_list_create();
- remote_ts = linked_list_create();
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_LOCAL_TS:
- local_ts->insert_last(local_ts, value.ts->clone(value.ts));
- break;
- case HA_REMOTE_TS:
- remote_ts->insert_last(remote_ts, value.ts->clone(value.ts));
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
- child_sa->add_policies(child_sa, local_ts, remote_ts);
- local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy));
- remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy));
-
- child_sa->set_state(child_sa, CHILD_INSTALLED);
- ike_sa->add_child_sa(ike_sa, child_sa);
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
-}
-
-/**
- * Process messages of type CHILD_DELETE
- */
-static void process_child_delete(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- ike_sa_t *ike_sa = NULL;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_IKE_ID:
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
- value.ike_sa_id);
- break;
- case HA_INBOUND_SPI:
- if (ike_sa)
- {
- ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, value.u32);
- }
- break;
- default:
- break;
- }
- }
- if (ike_sa)
- {
- charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Process messages of type SEGMENT_TAKE/DROP
- */
-static void process_segment(private_ha_dispatcher_t *this,
- ha_message_t *message, bool take)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_SEGMENT:
- if (take)
- {
- DBG1(DBG_CFG, "remote node takes segment %d", value.u16);
- this->segments->deactivate(this->segments, value.u16, FALSE);
- }
- else
- {
- DBG1(DBG_CFG, "remote node drops segment %d", value.u16);
- this->segments->activate(this->segments, value.u16, FALSE);
- }
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Process messages of type STATUS
- */
-static void process_status(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
- segment_mask_t mask = 0;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_SEGMENT:
- mask |= SEGMENTS_BIT(value.u16);
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- this->segments->handle_status(this->segments, mask);
-}
-
-/**
- * Process messages of type RESYNC
- */
-static void process_resync(private_ha_dispatcher_t *this,
- ha_message_t *message)
-{
- ha_message_attribute_t attribute;
- ha_message_value_t value;
- enumerator_t *enumerator;
-
- enumerator = message->create_attribute_enumerator(message);
- while (enumerator->enumerate(enumerator, &attribute, &value))
- {
- switch (attribute)
- {
- case HA_SEGMENT:
- this->segments->resync(this->segments, value.u16);
- break;
- default:
- break;
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Dispatcher job function
- */
-static job_requeue_t dispatch(private_ha_dispatcher_t *this)
-{
- ha_message_t *message;
-
- message = this->socket->pull(this->socket);
- switch (message->get_type(message))
- {
- case HA_IKE_ADD:
- process_ike_add(this, message);
- break;
- case HA_IKE_UPDATE:
- process_ike_update(this, message);
- break;
- case HA_IKE_DELETE:
- process_ike_delete(this, message);
- break;
- case HA_CHILD_ADD:
- process_child_add(this, message);
- break;
- case HA_CHILD_DELETE:
- process_child_delete(this, message);
- break;
- case HA_SEGMENT_DROP:
- process_segment(this, message, FALSE);
- break;
- case HA_SEGMENT_TAKE:
- process_segment(this, message, TRUE);
- break;
- case HA_STATUS:
- process_status(this, message);
- break;
- case HA_RESYNC:
- process_resync(this, message);
- break;
- default:
- DBG1(DBG_CFG, "received unknown HA message type %d",
- message->get_type(message));
- break;
- }
- message->destroy(message);
-
- return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Implementation of ha_dispatcher_t.destroy.
- */
-static void destroy(private_ha_dispatcher_t *this)
-{
- this->job->cancel(this->job);
- free(this);
-}
-
-/**
- * See header
- */
-ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
- ha_segments_t *segments)
-{
- private_ha_dispatcher_t *this = malloc_thing(private_ha_dispatcher_t);
-
- this->public.destroy = (void(*)(ha_dispatcher_t*))destroy;
-
- this->socket = socket;
- this->segments = segments;
- this->job = callback_job_create((callback_job_cb_t)dispatch,
- this, NULL, NULL);
- charon->processor->queue_job(charon->processor, (job_t*)this->job);
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_dispatcher.h b/src/charon/plugins/ha/ha_dispatcher.h
deleted file mode 100644
index d2baace3f..000000000
--- a/src/charon/plugins/ha/ha_dispatcher.h
+++ /dev/null
@@ -1,50 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_dispatcher ha_dispatcher
- * @{ @ingroup ha
- */
-
-#ifndef HA_DISPATCHER_H_
-#define HA_DISPATCHER_H_
-
-#include "ha_socket.h"
-#include "ha_segments.h"
-
-typedef struct ha_dispatcher_t ha_dispatcher_t;
-
-/**
- * The dispatcher pulls messages in a thread an processes them.
- */
-struct ha_dispatcher_t {
-
- /**
- * Destroy a ha_dispatcher_t.
- */
- void (*destroy)(ha_dispatcher_t *this);
-};
-
-/**
- * Create a ha_dispatcher instance pulling from socket.
- *
- * @param socket socket to pull messages from
- * @param segments segments to control based on received messages
- * @return dispatcher object
- */
-ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket,
- ha_segments_t *segments);
-
-#endif /* HA_DISPATCHER_ @}*/
diff --git a/src/charon/plugins/ha/ha_ike.c b/src/charon/plugins/ha/ha_ike.c
deleted file mode 100644
index 501c79b43..000000000
--- a/src/charon/plugins/ha/ha_ike.c
+++ /dev/null
@@ -1,286 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_ike.h"
-
-typedef struct private_ha_ike_t private_ha_ike_t;
-
-/**
- * Private data of an ha_ike_t object.
- */
-struct private_ha_ike_t {
-
- /**
- * Public ha_ike_t interface.
- */
- ha_ike_t public;
-
- /**
- * socket we use for syncing
- */
- ha_socket_t *socket;
-
- /**
- * tunnel securing sync messages
- */
- ha_tunnel_t *tunnel;
-};
-
-/**
- * Return condition if it is set on ike_sa
- */
-static ike_condition_t copy_condition(ike_sa_t *ike_sa, ike_condition_t cond)
-{
- if (ike_sa->has_condition(ike_sa, cond))
- {
- return cond;
- }
- return 0;
-}
-
-/**
- * Return extension if it is supported by peers IKE_SA
- */
-static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
-{
- if (ike_sa->supports_extension(ike_sa, ext))
- {
- return ext;
- }
- return 0;
-}
-
-/**
- * Implementation of listener_t.ike_keys
- */
-static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa,
- diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
- ike_sa_t *rekey)
-{
- ha_message_t *m;
- chunk_t secret;
- proposal_t *proposal;
- u_int16_t alg, len;
-
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- { /* do not sync SA between nodes */
- return TRUE;
- }
- if (dh->get_shared_secret(dh, &secret) != SUCCESS)
- {
- return TRUE;
- }
-
- m = ha_message_create(HA_IKE_ADD);
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
-
- if (rekey)
- {
- chunk_t skd;
- keymat_t *keymat;
-
- keymat = rekey->get_keymat(rekey);
- m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
- m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
- m->add_attribute(m, HA_OLD_SKD, skd);
- }
-
- proposal = ike_sa->get_proposal(ike_sa);
- if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
- {
- m->add_attribute(m, HA_ALG_ENCR, alg);
- if (len)
- {
- m->add_attribute(m, HA_ALG_ENCR_LEN, len);
- }
- }
- if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
- {
- m->add_attribute(m, HA_ALG_INTEG, alg);
- }
- if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
- {
- m->add_attribute(m, HA_ALG_PRF, alg);
- }
- m->add_attribute(m, HA_NONCE_I, nonce_i);
- m->add_attribute(m, HA_NONCE_R, nonce_r);
- m->add_attribute(m, HA_SECRET, secret);
- chunk_clear(&secret);
-
- this->socket->push(this->socket, m);
-
- return TRUE;
-}
-
-/**
- * Implementation of listener_t.ike_updown
- */
-static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
-{
- ha_message_t *m;
-
- if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
- { /* only sync active IKE_SAs */
- return TRUE;
- }
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- { /* do not sync SA between nodes */
- return TRUE;
- }
-
- if (up)
- {
- iterator_t *iterator;
- peer_cfg_t *peer_cfg;
- u_int32_t extension, condition;
- host_t *addr;
- identification_t *eap_id;
- ike_sa_id_t *id;
-
- peer_cfg = ike_sa->get_peer_cfg(ike_sa);
-
- condition = copy_condition(ike_sa, COND_NAT_ANY)
- | copy_condition(ike_sa, COND_NAT_HERE)
- | copy_condition(ike_sa, COND_NAT_THERE)
- | copy_condition(ike_sa, COND_NAT_FAKE)
- | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
- | copy_condition(ike_sa, COND_CERTREQ_SEEN)
- | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR);
-
- extension = copy_extension(ike_sa, EXT_NATT)
- | copy_extension(ike_sa, EXT_MOBIKE)
- | copy_extension(ike_sa, EXT_HASH_AND_URL);
-
- eap_id = ike_sa->get_eap_identity(ike_sa);
- id = ike_sa->get_id(ike_sa);
-
- m = ha_message_create(HA_IKE_UPDATE);
- m->add_attribute(m, HA_IKE_ID, id);
- m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
- m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
- m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
- m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
- m->add_attribute(m, HA_CONDITIONS, condition);
- m->add_attribute(m, HA_EXTENSIONS, extension);
- m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
- if (eap_id)
- {
- m->add_attribute(m, HA_EAP_ID, eap_id);
- }
- iterator = ike_sa->create_additional_address_iterator(ike_sa);
- while (iterator->iterate(iterator, (void**)&addr))
- {
- m->add_attribute(m, HA_ADDITIONAL_ADDR, addr);
- }
- iterator->destroy(iterator);
- }
- else
- {
- m = ha_message_create(HA_IKE_DELETE);
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- }
- this->socket->push(this->socket, m);
- return TRUE;
-}
-
-/**
- * Implementation of listener_t.ike_rekey
- */
-static bool ike_rekey(private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
-{
- ike_updown(this, old, FALSE);
- ike_updown(this, new, TRUE);
- return TRUE;
-}
-
-/**
- * Implementation of listener_t.message
- */
-static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa,
- message_t *message, bool incoming)
-{
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- { /* do not sync SA between nodes */
- return TRUE;
- }
-
- if (message->get_exchange_type(message) != IKE_SA_INIT &&
- message->get_request(message))
- { /* we sync on requests, but skip it on IKE_SA_INIT */
- ha_message_t *m;
- u_int32_t mid;
-
- m = ha_message_create(HA_IKE_UPDATE);
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- mid = message->get_message_id(message) + 1;
- if (incoming)
- {
- m->add_attribute(m, HA_RESPOND_MID, mid);
- }
- else
- {
- m->add_attribute(m, HA_INITIATE_MID, mid);
- }
- this->socket->push(this->socket, m);
- }
- if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
- message->get_exchange_type(message) == IKE_AUTH &&
- !message->get_request(message))
- { /* After IKE_SA has been established, sync peers virtual IP.
- * We cannot sync it in the state_change hook, it is installed later.
- * TODO: where to sync local VIP? */
- ha_message_t *m;
- host_t *vip;
-
- vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
- if (vip)
- {
- m = ha_message_create(HA_IKE_UPDATE);
- m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
- m->add_attribute(m, HA_REMOTE_VIP, vip);
- this->socket->push(this->socket, m);
- }
- }
- return TRUE;
-}
-
-/**
- * Implementation of ha_ike_t.destroy.
- */
-static void destroy(private_ha_ike_t *this)
-{
- free(this);
-}
-
-/**
- * See header
- */
-ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel)
-{
- private_ha_ike_t *this = malloc_thing(private_ha_ike_t);
-
- memset(&this->public.listener, 0, sizeof(listener_t));
- this->public.listener.ike_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh,chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys;
- this->public.listener.ike_updown = (bool(*)(listener_t*,ike_sa_t *ike_sa, bool up))ike_updown;
- this->public.listener.ike_rekey = (bool(*)(listener_t*,ike_sa_t *old, ike_sa_t *new))ike_rekey;
- this->public.listener.message = (bool(*)(listener_t*, ike_sa_t *, message_t *,bool))message_hook;
- this->public.destroy = (void(*)(ha_ike_t*))destroy;
-
- this->socket = socket;
- this->tunnel = tunnel;
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_ike.h b/src/charon/plugins/ha/ha_ike.h
deleted file mode 100644
index 9de210e67..000000000
--- a/src/charon/plugins/ha/ha_ike.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_ike ha_ike
- * @{ @ingroup ha
- */
-
-#ifndef HA_IKE_H_
-#define HA_IKE_H_
-
-#include "ha_socket.h"
-#include "ha_tunnel.h"
-#include "ha_segments.h"
-
-#include <daemon.h>
-
-typedef struct ha_ike_t ha_ike_t;
-
-/**
- * Listener to synchronize IKE_SAs.
- */
-struct ha_ike_t {
-
- /**
- * Implements bus listener interface.
- */
- listener_t listener;
-
- /**
- * Destroy a ha_ike_t.
- */
- void (*destroy)(ha_ike_t *this);
-};
-
-/**
- * Create a ha_ike instance.
- *
- * @param socket socket to use for sending synchronization messages
- * @param tunnel tunnel securing sync messages, if any
- * @return IKE listener
- */
-ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel);
-
-#endif /* HA_IKE_ @}*/
diff --git a/src/charon/plugins/ha/ha_kernel.c b/src/charon/plugins/ha/ha_kernel.c
deleted file mode 100644
index 0ad9c22c3..000000000
--- a/src/charon/plugins/ha/ha_kernel.c
+++ /dev/null
@@ -1,229 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_kernel.h"
-
-typedef u_int32_t u32;
-typedef u_int8_t u8;
-
-#include <linux/jhash.h>
-#include <string.h>
-#include <errno.h>
-#include <unistd.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-
-#define CLUSTERIP_DIR "/proc/net/ipt_CLUSTERIP"
-
-typedef struct private_ha_kernel_t private_ha_kernel_t;
-
-/**
- * Private data of an ha_kernel_t object.
- */
-struct private_ha_kernel_t {
-
- /**
- * Public ha_kernel_t interface.
- */
- ha_kernel_t public;
-
- /**
- * Init value for jhash
- */
- u_int initval;
-
- /**
- * Total number of ClusterIP segments
- */
- u_int count;
-};
-
-/**
- * Implementation of ha_kernel_t.in_segment
- */
-static bool in_segment(private_ha_kernel_t *this, host_t *host, u_int segment)
-{
- if (host->get_family(host) == AF_INET)
- {
- unsigned long hash;
- u_int32_t addr;
-
- addr = *(u_int32_t*)host->get_address(host).ptr;
- hash = jhash_1word(ntohl(addr), this->initval);
-
- if ((((u_int64_t)hash * this->count) >> 32) + 1 == segment)
- {
- return TRUE;
- }
- }
- return FALSE;
-}
-
-/**
- * Activate/Deactivate a segment for a given clusterip file
- */
-static void enable_disable(private_ha_kernel_t *this, u_int segment,
- char *file, bool enable)
-{
- char cmd[8];
- int fd;
-
- snprintf(cmd, sizeof(cmd), "%c%d\n", enable ? '+' : '-', segment);
-
- fd = open(file, O_WRONLY);
- if (fd == -1)
- {
- DBG1(DBG_CFG, "opening CLUSTERIP file '%s' failed: %s",
- file, strerror(errno));
- return;
- }
- if (write(fd, cmd, strlen(cmd) == -1))
- {
- DBG1(DBG_CFG, "writing to CLUSTERIP file '%s' failed: %s",
- file, strerror(errno));
- }
- close(fd);
-}
-
-/**
- * Get the currenlty active segments in the kernel for a clusterip file
- */
-static segment_mask_t get_active(private_ha_kernel_t *this, char *file)
-{
- char buf[256];
- segment_mask_t mask = 0;
- ssize_t len;
- int fd;
-
- fd = open(file, O_RDONLY);
- if (fd == -1)
- {
- DBG1(DBG_CFG, "opening CLUSTERIP file '%s' failed: %s",
- file, strerror(errno));
- return 0;
- }
- len = read(fd, buf, sizeof(buf)-1);
- if (len == -1)
- {
- DBG1(DBG_CFG, "reading from CLUSTERIP file '%s' failed: %s",
- file, strerror(errno));
- }
- else
- {
- enumerator_t *enumerator;
- u_int segment;
- char *token;
-
- buf[len] = '\0';
- enumerator = enumerator_create_token(buf, ",", " ");
- while (enumerator->enumerate(enumerator, &token))
- {
- segment = atoi(token);
- if (segment)
- {
- mask |= SEGMENTS_BIT(segment);
- }
- }
- enumerator->destroy(enumerator);
- }
- return mask;
-}
-
-/**
- * Implementation of ha_kernel_t.activate
- */
-static void activate(private_ha_kernel_t *this, u_int segment)
-{
- enumerator_t *enumerator;
- char *file;
-
- enumerator = enumerator_create_directory(CLUSTERIP_DIR);
- while (enumerator->enumerate(enumerator, NULL, &file, NULL))
- {
- enable_disable(this, segment, file, TRUE);
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of ha_kernel_t.deactivate
- */
-static void deactivate(private_ha_kernel_t *this, u_int segment)
-{
- enumerator_t *enumerator;
- char *file;
-
- enumerator = enumerator_create_directory(CLUSTERIP_DIR);
- while (enumerator->enumerate(enumerator, NULL, &file, NULL))
- {
- enable_disable(this, segment, file, FALSE);
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Disable all not-yet disabled segments on all clusterip addresses
- */
-static void disable_all(private_ha_kernel_t *this)
-{
- enumerator_t *enumerator;
- segment_mask_t active;
- char *file;
- int i;
-
- enumerator = enumerator_create_directory(CLUSTERIP_DIR);
- while (enumerator->enumerate(enumerator, NULL, &file, NULL))
- {
- active = get_active(this, file);
- for (i = 1; i <= this->count; i++)
- {
- if (active & SEGMENTS_BIT(i))
- {
- enable_disable(this, i, file, FALSE);
- }
- }
- }
- enumerator->destroy(enumerator);
-}
-
-/**
- * Implementation of ha_kernel_t.destroy.
- */
-static void destroy(private_ha_kernel_t *this)
-{
- free(this);
-}
-
-/**
- * See header
- */
-ha_kernel_t *ha_kernel_create(u_int count)
-{
- private_ha_kernel_t *this = malloc_thing(private_ha_kernel_t);
-
- this->public.in_segment = (bool(*)(ha_kernel_t*, host_t *host, u_int segment))in_segment;
- this->public.activate = (void(*)(ha_kernel_t*, u_int segment))activate;
- this->public.deactivate = (void(*)(ha_kernel_t*, u_int segment))deactivate;
- this->public.destroy = (void(*)(ha_kernel_t*))destroy;
-
- this->initval = 0;
- this->count = count;
-
- disable_all(this);
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_kernel.h b/src/charon/plugins/ha/ha_kernel.h
deleted file mode 100644
index b37cc7667..000000000
--- a/src/charon/plugins/ha/ha_kernel.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_kernel ha_kernel
- * @{ @ingroup ha
- */
-
-#ifndef HA_KERNEL_H_
-#define HA_KERNEL_H_
-
-typedef struct ha_kernel_t ha_kernel_t;
-
-#include "ha_segments.h"
-
-/**
- * HA segment kernel configuration interface.
- */
-struct ha_kernel_t {
-
- /**
- * Check if a host is in a segment.
- *
- * @param host host to check
- * @param segment segment
- * @return TRUE if host belongs to segment
- */
- bool (*in_segment)(ha_kernel_t *this, host_t *host, u_int segment);
-
- /**
- * Activate a segment at kernel level for all cluster addresses.
- *
- * @param segment segment to activate
- */
- void (*activate)(ha_kernel_t *this, u_int segment);
-
- /**
- * Deactivate a segment at kernel level for all cluster addresses.
- *
- * @param segment segment to deactivate
- */
- void (*deactivate)(ha_kernel_t *this, u_int segment);
-
- /**
- * Destroy a ha_kernel_t.
- */
- void (*destroy)(ha_kernel_t *this);
-};
-
-/**
- * Create a ha_kernel instance.
- *
- * @param count total number of segments to use
- * @param active bitmask of initially active segments
- */
-ha_kernel_t *ha_kernel_create(u_int count);
-
-#endif /* HA_KERNEL_ @}*/
diff --git a/src/charon/plugins/ha/ha_message.c b/src/charon/plugins/ha/ha_message.c
deleted file mode 100644
index cd6c90af3..000000000
--- a/src/charon/plugins/ha/ha_message.c
+++ /dev/null
@@ -1,665 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <string.h>
-#include <arpa/inet.h>
-
-#include "ha_message.h"
-
-#include <daemon.h>
-
-#define ALLOCATION_BLOCK 64
-
-typedef struct private_ha_message_t private_ha_message_t;
-
-/**
- * Private data of an ha_message_t object.
- */
-struct private_ha_message_t {
-
- /**
- * Public ha_message_t interface.
- */
- ha_message_t public;
-
- /**
- * Allocated size of buf
- */
- size_t allocated;
-
- /**
- * Buffer containing encoded data
- */
- chunk_t buf;
-};
-
-typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t;
-
-/**
- * Encoding if an ike_sa_id_t
- */
-struct ike_sa_id_encoding_t {
- u_int64_t initiator_spi;
- u_int64_t responder_spi;
- u_int8_t initiator;
-} __attribute__((packed));
-
-typedef struct identification_encoding_t identification_encoding_t;
-
-/**
- * Encoding of a identification_t
- */
-struct identification_encoding_t {
- u_int8_t type;
- u_int8_t len;
- char encoding[];
-} __attribute__((packed));
-
-typedef struct host_encoding_t host_encoding_t;
-
-/**
- * encoding of a host_t
- */
-struct host_encoding_t {
- u_int16_t port;
- u_int8_t family;
- char encoding[];
-} __attribute__((packed));
-
-typedef struct ts_encoding_t ts_encoding_t;
-
-/**
- * encoding of a traffic_selector_t
- */
-struct ts_encoding_t {
- u_int8_t type;
- u_int8_t protocol;
- u_int16_t from_port;
- u_int16_t to_port;
- u_int8_t dynamic;
- char encoding[];
-} __attribute__((packed));
-
-/**
- * Implementation of ha_message_t.get_type
- */
-static ha_message_type_t get_type(private_ha_message_t *this)
-{
- return this->buf.ptr[1];
-}
-
-/**
- * check for space in buffer, increase if necessary
- */
-static void check_buf(private_ha_message_t *this, size_t len)
-{
- int increased = 0;
-
- while (this->buf.len + len > this->allocated)
- { /* double size */
- this->allocated += ALLOCATION_BLOCK;
- increased++;
- }
- if (increased)
- {
- this->buf.ptr = realloc(this->buf.ptr, this->allocated);
- }
-}
-
-/**
- * Implementation of ha_message_t.add_attribute
- */
-static void add_attribute(private_ha_message_t *this,
- ha_message_attribute_t attribute, ...)
-{
- size_t len;
- va_list args;
-
- check_buf(this, sizeof(u_int8_t));
- this->buf.ptr[this->buf.len] = attribute;
- this->buf.len += sizeof(u_int8_t);
-
- va_start(args, attribute);
- switch (attribute)
- {
- /* ike_sa_id_t* */
- case HA_IKE_ID:
- case HA_IKE_REKEY_ID:
- {
- ike_sa_id_encoding_t *enc;
- ike_sa_id_t *id;
-
- id = va_arg(args, ike_sa_id_t*);
- check_buf(this, sizeof(ike_sa_id_encoding_t));
- enc = (ike_sa_id_encoding_t*)(this->buf.ptr + this->buf.len);
- this->buf.len += sizeof(ike_sa_id_encoding_t);
- enc->initiator = id->is_initiator(id);
- enc->initiator_spi = id->get_initiator_spi(id);
- enc->responder_spi = id->get_responder_spi(id);
- break;
- }
- /* identification_t* */
- case HA_LOCAL_ID:
- case HA_REMOTE_ID:
- case HA_EAP_ID:
- {
- identification_encoding_t *enc;
- identification_t *id;
- chunk_t data;
-
- id = va_arg(args, identification_t*);
- data = id->get_encoding(id);
- check_buf(this, sizeof(identification_encoding_t) + data.len);
- enc = (identification_encoding_t*)(this->buf.ptr + this->buf.len);
- this->buf.len += sizeof(identification_encoding_t) + data.len;
- enc->type = id->get_type(id);
- enc->len = data.len;
- memcpy(enc->encoding, data.ptr, data.len);
- break;
- }
- /* host_t* */
- case HA_LOCAL_ADDR:
- case HA_REMOTE_ADDR:
- case HA_LOCAL_VIP:
- case HA_REMOTE_VIP:
- case HA_ADDITIONAL_ADDR:
- {
- host_encoding_t *enc;
- host_t *host;
- chunk_t data;
-
- host = va_arg(args, host_t*);
- data = host->get_address(host);
- check_buf(this, sizeof(host_encoding_t) + data.len);
- enc = (host_encoding_t*)(this->buf.ptr + this->buf.len);
- this->buf.len += sizeof(host_encoding_t) + data.len;
- enc->family = host->get_family(host);
- enc->port = htons(host->get_port(host));
- memcpy(enc->encoding, data.ptr, data.len);
- break;
- }
- /* char* */
- case HA_CONFIG_NAME:
- {
- char *str;
-
- str = va_arg(args, char*);
- len = strlen(str) + 1;
- check_buf(this, len);
- memcpy(this->buf.ptr + this->buf.len, str, len);
- this->buf.len += len;
- break;
- }
- /* u_int8_t */
- case HA_IPSEC_MODE:
- case HA_IPCOMP:
- {
- u_int8_t val;
-
- val = va_arg(args, u_int);
- check_buf(this, sizeof(val));
- this->buf.ptr[this->buf.len] = val;
- this->buf.len += sizeof(val);
- break;
- }
- /* u_int16_t */
- case HA_ALG_PRF:
- case HA_ALG_OLD_PRF:
- case HA_ALG_ENCR:
- case HA_ALG_ENCR_LEN:
- case HA_ALG_INTEG:
- case HA_INBOUND_CPI:
- case HA_OUTBOUND_CPI:
- case HA_SEGMENT:
- {
- u_int16_t val;
-
- val = va_arg(args, u_int);
- check_buf(this, sizeof(val));
- *(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(val);
- this->buf.len += sizeof(val);
- break;
- }
- /** u_int32_t */
- case HA_CONDITIONS:
- case HA_EXTENSIONS:
- case HA_INBOUND_SPI:
- case HA_OUTBOUND_SPI:
- case HA_INITIATE_MID:
- case HA_RESPOND_MID:
- {
- u_int32_t val;
-
- val = va_arg(args, u_int);
- check_buf(this, sizeof(val));
- *(u_int32_t*)(this->buf.ptr + this->buf.len) = htonl(val);
- this->buf.len += sizeof(val);
- break;
- }
- /** chunk_t */
- case HA_NONCE_I:
- case HA_NONCE_R:
- case HA_SECRET:
- case HA_OLD_SKD:
- {
- chunk_t chunk;
-
- chunk = va_arg(args, chunk_t);
- check_buf(this, chunk.len + sizeof(u_int16_t));
- *(u_int16_t*)(this->buf.ptr + this->buf.len) = htons(chunk.len);
- memcpy(this->buf.ptr + this->buf.len + sizeof(u_int16_t),
- chunk.ptr, chunk.len);
- this->buf.len += chunk.len + sizeof(u_int16_t);;
- break;
- }
- /** traffic_selector_t */
- case HA_LOCAL_TS:
- case HA_REMOTE_TS:
- {
- ts_encoding_t *enc;
- traffic_selector_t *ts;
- chunk_t data;
-
- ts = va_arg(args, traffic_selector_t*);
- data = chunk_cata("cc", ts->get_from_address(ts),
- ts->get_to_address(ts));
- check_buf(this, sizeof(ts_encoding_t) + data.len);
- enc = (ts_encoding_t*)(this->buf.ptr + this->buf.len);
- this->buf.len += sizeof(ts_encoding_t) + data.len;
- enc->type = ts->get_type(ts);
- enc->protocol = ts->get_protocol(ts);
- enc->from_port = htons(ts->get_from_port(ts));
- enc->to_port = htons(ts->get_to_port(ts));
- enc->dynamic = ts->is_dynamic(ts);
- memcpy(enc->encoding, data.ptr, data.len);
- break;
- }
- default:
- {
- DBG1(DBG_CFG, "unable to encode, attribute %d unknown", attribute);
- this->buf.len -= sizeof(u_int8_t);
- break;
- }
- }
- va_end(args);
-}
-
-/**
- * Attribute enumerator implementation
- */
-typedef struct {
- /** implementes enumerator_t */
- enumerator_t public;
- /** position in message */
- chunk_t buf;
- /** cleanup handler of current element, if any */
- void (*cleanup)(void* data);
- /** data to pass to cleanup handler */
- void *cleanup_data;
-} attribute_enumerator_t;
-
-/**
- * Implementation of create_attribute_enumerator().enumerate
- */
-static bool attribute_enumerate(attribute_enumerator_t *this,
- ha_message_attribute_t *attr_out,
- ha_message_value_t *value)
-{
- ha_message_attribute_t attr;
-
- if (this->cleanup)
- {
- this->cleanup(this->cleanup_data);
- this->cleanup = NULL;
- }
- if (this->buf.len < 1)
- {
- return FALSE;
- }
- attr = this->buf.ptr[0];
- this->buf = chunk_skip(this->buf, 1);
- switch (attr)
- {
- /* ike_sa_id_t* */
- case HA_IKE_ID:
- case HA_IKE_REKEY_ID:
- {
- ike_sa_id_encoding_t *enc;
-
- if (this->buf.len < sizeof(ike_sa_id_encoding_t))
- {
- return FALSE;
- }
- enc = (ike_sa_id_encoding_t*)(this->buf.ptr);
- value->ike_sa_id = ike_sa_id_create(enc->initiator_spi,
- enc->responder_spi, enc->initiator);
- *attr_out = attr;
- this->cleanup = (void*)value->ike_sa_id->destroy;
- this->cleanup_data = value->ike_sa_id;
- this->buf = chunk_skip(this->buf, sizeof(ike_sa_id_encoding_t));
- return TRUE;
- }
- /* identification_t* */
- case HA_LOCAL_ID:
- case HA_REMOTE_ID:
- case HA_EAP_ID:
- {
- identification_encoding_t *enc;
-
- enc = (identification_encoding_t*)(this->buf.ptr);
- if (this->buf.len < sizeof(identification_encoding_t) ||
- this->buf.len < sizeof(identification_encoding_t) + enc->len)
- {
- return FALSE;
- }
- value->id = identification_create_from_encoding(enc->type,
- chunk_create(enc->encoding, enc->len));
- *attr_out = attr;
- this->cleanup = (void*)value->id->destroy;
- this->cleanup_data = value->id;
- this->buf = chunk_skip(this->buf,
- sizeof(identification_encoding_t) + enc->len);
- return TRUE;
- }
- /* host_t* */
- case HA_LOCAL_ADDR:
- case HA_REMOTE_ADDR:
- case HA_LOCAL_VIP:
- case HA_REMOTE_VIP:
- case HA_ADDITIONAL_ADDR:
- {
- host_encoding_t *enc;
-
- enc = (host_encoding_t*)(this->buf.ptr);
- if (this->buf.len < sizeof(host_encoding_t))
- {
- return FALSE;
- }
- value->host = host_create_from_chunk(enc->family,
- chunk_create(enc->encoding,
- this->buf.len - sizeof(host_encoding_t)),
- ntohs(enc->port));
- if (!value->host)
- {
- return FALSE;
- }
- *attr_out = attr;
- this->cleanup = (void*)value->host->destroy;
- this->cleanup_data = value->host;
- this->buf = chunk_skip(this->buf, sizeof(host_encoding_t) +
- value->host->get_address(value->host).len);
- return TRUE;
- }
- /* char* */
- case HA_CONFIG_NAME:
- {
- size_t len;
-
- len = strnlen(this->buf.ptr, this->buf.len);
- if (len >= this->buf.len)
- {
- return FALSE;
- }
- value->str = this->buf.ptr;
- *attr_out = attr;
- this->buf = chunk_skip(this->buf, len + 1);
- return TRUE;
- }
- /* u_int8_t */
- case HA_IPSEC_MODE:
- case HA_IPCOMP:
- {
- if (this->buf.len < sizeof(u_int8_t))
- {
- return FALSE;
- }
- value->u8 = *(u_int8_t*)this->buf.ptr;
- *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int8_t));
- return TRUE;
- }
- /** u_int16_t */
- case HA_ALG_PRF:
- case HA_ALG_OLD_PRF:
- case HA_ALG_ENCR:
- case HA_ALG_ENCR_LEN:
- case HA_ALG_INTEG:
- case HA_INBOUND_CPI:
- case HA_OUTBOUND_CPI:
- case HA_SEGMENT:
- {
- if (this->buf.len < sizeof(u_int16_t))
- {
- return FALSE;
- }
- value->u16 = ntohs(*(u_int16_t*)this->buf.ptr);
- *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
- return TRUE;
- }
- /** u_int32_t */
- case HA_CONDITIONS:
- case HA_EXTENSIONS:
- case HA_INBOUND_SPI:
- case HA_OUTBOUND_SPI:
- case HA_INITIATE_MID:
- case HA_RESPOND_MID:
- {
- if (this->buf.len < sizeof(u_int32_t))
- {
- return FALSE;
- }
- value->u32 = ntohl(*(u_int32_t*)this->buf.ptr);
- *attr_out = attr;
- this->buf = chunk_skip(this->buf, sizeof(u_int32_t));
- return TRUE;
- }
- /** chunk_t */
- case HA_NONCE_I:
- case HA_NONCE_R:
- case HA_SECRET:
- case HA_OLD_SKD:
- {
- size_t len;
-
- if (this->buf.len < sizeof(u_int16_t))
- {
- return FALSE;
- }
- len = ntohs(*(u_int16_t*)this->buf.ptr);
- this->buf = chunk_skip(this->buf, sizeof(u_int16_t));
- if (this->buf.len < len)
- {
- return FALSE;
- }
- value->chunk.len = len;
- value->chunk.ptr = this->buf.ptr;
- *attr_out = attr;
- this->buf = chunk_skip(this->buf, len);
- return TRUE;
- }
- case HA_LOCAL_TS:
- case HA_REMOTE_TS:
- {
- ts_encoding_t *enc;
- host_t *host;
- int addr_len;
-
- enc = (ts_encoding_t*)(this->buf.ptr);
- if (this->buf.len < sizeof(ts_encoding_t))
- {
- return FALSE;
- }
- switch (enc->type)
- {
- case TS_IPV4_ADDR_RANGE:
- addr_len = 4;
- if (this->buf.len < sizeof(ts_encoding_t) + 2 * addr_len)
- {
- return FALSE;
- }
- break;
- case TS_IPV6_ADDR_RANGE:
- addr_len = 16;
- if (this->buf.len < sizeof(ts_encoding_t) + 2 * addr_len)
- {
- return FALSE;
- }
- break;
- default:
- return FALSE;
- }
- if (enc->dynamic)
- {
- host = host_create_from_chunk(0,
- chunk_create(enc->encoding, addr_len), 0);
- if (!host)
- {
- return FALSE;
- }
- value->ts = traffic_selector_create_dynamic(enc->protocol,
- ntohs(enc->from_port), ntohs(enc->to_port));
- value->ts->set_address(value->ts, host);
- host->destroy(host);
- }
- else
- {
- value->ts = traffic_selector_create_from_bytes(enc->protocol,
- enc->type, chunk_create(enc->encoding, addr_len),
- ntohs(enc->from_port),
- chunk_create(enc->encoding + addr_len, addr_len),
- ntohs(enc->to_port));
- if (!value->ts)
- {
- return FALSE;
- }
- }
- *attr_out = attr;
- this->cleanup = (void*)value->ts->destroy;
- this->cleanup_data = value->ts;
- this->buf = chunk_skip(this->buf, sizeof(ts_encoding_t)
- + addr_len * 2);
- return TRUE;
- }
- default:
- {
- return FALSE;
- }
- }
-}
-
-/**
- * Implementation of create_attribute_enumerator().destroy
- */
-static void enum_destroy(attribute_enumerator_t *this)
-{
- if (this->cleanup)
- {
- this->cleanup(this->cleanup_data);
- }
- free(this);
-}
-
-/**
- * Implementation of ha_message_t.create_attribute_enumerator
- */
-static enumerator_t* create_attribute_enumerator(private_ha_message_t *this)
-{
- attribute_enumerator_t *e = malloc_thing(attribute_enumerator_t);
-
- e->public.enumerate = (void*)attribute_enumerate;
- e->public.destroy = (void*)enum_destroy;
-
- e->buf = chunk_skip(this->buf, 2);
- e->cleanup = NULL;
- e->cleanup_data = NULL;
-
- return &e->public;
-}
-
-/**
- * Implementation of ha_message_t.get_encoding
- */
-static chunk_t get_encoding(private_ha_message_t *this)
-{
- return this->buf;
-}
-
-/**
- * Implementation of ha_message_t.destroy.
- */
-static void destroy(private_ha_message_t *this)
-{
- free(this->buf.ptr);
- free(this);
-}
-
-
-static private_ha_message_t *ha_message_create_generic()
-{
- private_ha_message_t *this = malloc_thing(private_ha_message_t);
-
- this->public.get_type = (ha_message_type_t(*)(ha_message_t*))get_type;
- this->public.add_attribute = (void(*)(ha_message_t*, ha_message_attribute_t attribute, ...))add_attribute;
- this->public.create_attribute_enumerator = (enumerator_t*(*)(ha_message_t*))create_attribute_enumerator;
- this->public.get_encoding = (chunk_t(*)(ha_message_t*))get_encoding;
- this->public.destroy = (void(*)(ha_message_t*))destroy;
-
- return this;
-}
-
-/**
- * See header
- */
-ha_message_t *ha_message_create(ha_message_type_t type)
-{
- private_ha_message_t *this = ha_message_create_generic();
-
- this->allocated = ALLOCATION_BLOCK;
- this->buf.ptr = malloc(this->allocated);
- this->buf.len = 2;
- this->buf.ptr[0] = HA_MESSAGE_VERSION;
- this->buf.ptr[1] = type;
-
- return &this->public;
-}
-
-/**
- * See header
- */
-ha_message_t *ha_message_parse(chunk_t data)
-{
- private_ha_message_t *this;
-
- if (data.len < 2)
- {
- DBG1(DBG_CFG, "HA message too short");
- return NULL;
- }
- if (data.ptr[0] != HA_MESSAGE_VERSION)
- {
- DBG1(DBG_CFG, "HA message has version %d, expected %d",
- data.ptr[0], HA_MESSAGE_VERSION);
- return NULL;
- }
-
- this = ha_message_create_generic();
- this->buf = chunk_clone(data);
- this->allocated = this->buf.len;
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_message.h b/src/charon/plugins/ha/ha_message.h
deleted file mode 100644
index 620413288..000000000
--- a/src/charon/plugins/ha/ha_message.h
+++ /dev/null
@@ -1,207 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_message ha_message
- * @{ @ingroup ha
- */
-
-#ifndef HA_MESSAGE_H_
-#define HA_MESSAGE_H_
-
-#include <library.h>
-#include <utils/host.h>
-#include <utils/identification.h>
-#include <sa/ike_sa_id.h>
-#include <config/traffic_selector.h>
-
-/**
- * Protocol version of this implementation
- */
-#define HA_MESSAGE_VERSION 1
-
-typedef struct ha_message_t ha_message_t;
-typedef enum ha_message_type_t ha_message_type_t;
-typedef enum ha_message_attribute_t ha_message_attribute_t;
-typedef union ha_message_value_t ha_message_value_t;
-
-/**
- * Type of a HA message
- */
-enum ha_message_type_t {
- /** add a completely new IKE_SA */
- HA_IKE_ADD = 1,
- /** update an existing IKE_SA (message IDs, address update, ...) */
- HA_IKE_UPDATE,
- /** delete an existing IKE_SA */
- HA_IKE_DELETE,
- /** add a new CHILD_SA */
- HA_CHILD_ADD,
- /** delete an existing CHILD_SA */
- HA_CHILD_DELETE,
- /** segments the sending node is giving up */
- HA_SEGMENT_DROP,
- /** segments the sending node is taking over */
- HA_SEGMENT_TAKE,
- /** status with the segments the sending node is currently serving */
- HA_STATUS,
- /** segments the receiving node is requested to resync */
- HA_RESYNC,
-};
-
-/**
- * Type of attributes contained in a message
- */
-enum ha_message_attribute_t {
- /** ike_sa_id_t*, to identify IKE_SA */
- HA_IKE_ID = 1,
- /** ike_Sa_id_t*, identifies IKE_SA which gets rekeyed */
- HA_IKE_REKEY_ID,
- /** identification_t*, local identity */
- HA_LOCAL_ID,
- /** identification_t*, remote identity */
- HA_REMOTE_ID,
- /** identification_t*, EAP identity */
- HA_EAP_ID,
- /** host_t*, local address */
- HA_LOCAL_ADDR,
- /** host_t*, remote address */
- HA_REMOTE_ADDR,
- /** char*, name of configuration */
- HA_CONFIG_NAME,
- /** u_int32_t, bitset of ike_condition_t */
- HA_CONDITIONS,
- /** u_int32_t, bitset of ike_extension_t */
- HA_EXTENSIONS,
- /** host_t*, local virtual IP */
- HA_LOCAL_VIP,
- /** host_t*, remote virtual IP */
- HA_REMOTE_VIP,
- /** host_t*, additional MOBIKE peer address */
- HA_ADDITIONAL_ADDR,
- /** chunk_t, initiators nonce */
- HA_NONCE_I,
- /** chunk_t, responders nonce */
- HA_NONCE_R,
- /** chunk_t, diffie hellman shared secret */
- HA_SECRET,
- /** chunk_t, SKd of old SA if rekeying */
- HA_OLD_SKD,
- /** u_int16_t, pseudo random function */
- HA_ALG_PRF,
- /** u_int16_t, old pseudo random function if rekeying */
- HA_ALG_OLD_PRF,
- /** u_int16_t, encryption algorithm */
- HA_ALG_ENCR,
- /** u_int16_t, encryption key size in bytes */
- HA_ALG_ENCR_LEN,
- /** u_int16_t, integrity protection algorithm */
- HA_ALG_INTEG,
- /** u_int8_t, IPsec mode, TUNNEL|TRANSPORT|... */
- HA_IPSEC_MODE,
- /** u_int8_t, IPComp protocol */
- HA_IPCOMP,
- /** u_int32_t, inbound security parameter index */
- HA_INBOUND_SPI,
- /** u_int32_t, outbound security parameter index */
- HA_OUTBOUND_SPI,
- /** u_int16_t, inbound security parameter index */
- HA_INBOUND_CPI,
- /** u_int16_t, outbound security parameter index */
- HA_OUTBOUND_CPI,
- /** traffic_selector_t*, local traffic selector */
- HA_LOCAL_TS,
- /** traffic_selector_t*, remote traffic selector */
- HA_REMOTE_TS,
- /** u_int32_t, initiating message ID */
- HA_INITIATE_MID,
- /** u_int32_t, responding message ID */
- HA_RESPOND_MID,
- /** u_int16_t, HA segment */
- HA_SEGMENT,
-};
-
-/**
- * Union to enumerate typed attributes in a message
- */
-union ha_message_value_t {
- u_int8_t u8;
- u_int16_t u16;
- u_int32_t u32;
- char *str;
- chunk_t chunk;
- ike_sa_id_t *ike_sa_id;
- identification_t *id;
- host_t *host;
- traffic_selector_t *ts;
-};
-
-/**
- * Abstracted message passed between nodes in a HA cluster.
- */
-struct ha_message_t {
-
- /**
- * Get the type of the message.
- *
- * @return message type
- */
- ha_message_type_t (*get_type)(ha_message_t *this);
-
- /**
- * Add an attribute to a message.
- *
- * @param attribute attribute type to add
- * @param ... attribute specific data
- */
- void (*add_attribute)(ha_message_t *this,
- ha_message_attribute_t attribute, ...);
-
- /**
- * Create an enumerator over all attributes in a message.
- *
- * @return enumerator over attribute, ha_message_value_t
- */
- enumerator_t* (*create_attribute_enumerator)(ha_message_t *this);
-
- /**
- * Get the message in a encoded form.
- *
- * @return chunk pointing to internal data
- */
- chunk_t (*get_encoding)(ha_message_t *this);
-
- /**
- * Destroy a ha_message_t.
- */
- void (*destroy)(ha_message_t *this);
-};
-
-/**
- * Create a new ha_message instance, ready for adding attributes
- *
- * @param version protocol version to create a message from
- * @param type type of the message
- */
-ha_message_t *ha_message_create(ha_message_type_t type);
-
-/**
- * Create a ha_message from encoded data.
- *
- * @param data encoded message data
- */
-ha_message_t *ha_message_parse(chunk_t data);
-
-#endif /* HA_MESSAGE_ @}*/
diff --git a/src/charon/plugins/ha/ha_plugin.c b/src/charon/plugins/ha/ha_plugin.c
deleted file mode 100644
index 661db8af8..000000000
--- a/src/charon/plugins/ha/ha_plugin.c
+++ /dev/null
@@ -1,163 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_plugin.h"
-#include "ha_ike.h"
-#include "ha_child.h"
-#include "ha_socket.h"
-#include "ha_tunnel.h"
-#include "ha_dispatcher.h"
-#include "ha_segments.h"
-#include "ha_ctl.h"
-
-#include <daemon.h>
-#include <config/child_cfg.h>
-
-typedef struct private_ha_plugin_t private_ha_plugin_t;
-
-/**
- * private data of ha plugin
- */
-struct private_ha_plugin_t {
-
- /**
- * implements plugin interface
- */
- ha_plugin_t public;
-
- /**
- * Communication socket
- */
- ha_socket_t *socket;
-
- /**
- * Tunnel securing sync messages.
- */
- ha_tunnel_t *tunnel;
-
- /**
- * IKE_SA synchronization
- */
- ha_ike_t *ike;
-
- /**
- * CHILD_SA synchronization
- */
- ha_child_t *child;
-
- /**
- * Dispatcher to process incoming messages
- */
- ha_dispatcher_t *dispatcher;
-
- /**
- * Active/Passive segment management
- */
- ha_segments_t *segments;
-
- /**
- * Interface to control segments at kernel level
- */
- ha_kernel_t *kernel;
-
- /**
- * Segment control interface via FIFO
- */
- ha_ctl_t *ctl;
-};
-
-/**
- * Implementation of plugin_t.destroy
- */
-static void destroy(private_ha_plugin_t *this)
-{
- DESTROY_IF(this->ctl);
- charon->bus->remove_listener(charon->bus, &this->segments->listener);
- charon->bus->remove_listener(charon->bus, &this->ike->listener);
- charon->bus->remove_listener(charon->bus, &this->child->listener);
- this->ike->destroy(this->ike);
- this->child->destroy(this->child);
- this->dispatcher->destroy(this->dispatcher);
- this->segments->destroy(this->segments);
- this->kernel->destroy(this->kernel);
- this->socket->destroy(this->socket);
- DESTROY_IF(this->tunnel);
- free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *plugin_create()
-{
- private_ha_plugin_t *this;
- char *local, *remote, *secret;
- u_int count;
- bool fifo, monitor, resync;
-
- local = lib->settings->get_str(lib->settings,
- "charon.plugins.ha.local", NULL);
- remote = lib->settings->get_str(lib->settings,
- "charon.plugins.ha.remote", NULL);
- secret = lib->settings->get_str(lib->settings,
- "charon.plugins.ha.secret", NULL);
- fifo = lib->settings->get_bool(lib->settings,
- "charon.plugins.ha.fifo_interface", TRUE);
- monitor = lib->settings->get_bool(lib->settings,
- "charon.plugins.ha.monitor", TRUE);
- resync = lib->settings->get_bool(lib->settings,
- "charon.plugins.ha.resync", TRUE);
- count = min(SEGMENTS_MAX, lib->settings->get_int(lib->settings,
- "charon.plugins.ha.segment_count", 1));
- if (!local || !remote)
- {
- DBG1(DBG_CFG, "HA config misses local/remote address");
- return NULL;
- }
-
- this = malloc_thing(private_ha_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
- this->tunnel = NULL;
- this->ctl = NULL;
-
- if (secret)
- {
- this->tunnel = ha_tunnel_create(local, remote, secret);
- }
- this->socket = ha_socket_create(local, remote);
- if (!this->socket)
- {
- DESTROY_IF(this->tunnel);
- free(this);
- return NULL;
- }
- this->kernel = ha_kernel_create(count);
- this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel,
- count, strcmp(local, remote) > 0, monitor, resync);
- if (fifo)
- {
- this->ctl = ha_ctl_create(this->segments);
- }
- this->dispatcher = ha_dispatcher_create(this->socket, this->segments);
- this->ike = ha_ike_create(this->socket, this->tunnel);
- this->child = ha_child_create(this->socket, this->tunnel);
- charon->bus->add_listener(charon->bus, &this->segments->listener);
- charon->bus->add_listener(charon->bus, &this->ike->listener);
- charon->bus->add_listener(charon->bus, &this->child->listener);
-
- return &this->public.plugin;
-}
-
diff --git a/src/charon/plugins/ha/ha_plugin.h b/src/charon/plugins/ha/ha_plugin.h
deleted file mode 100644
index e83712fa6..000000000
--- a/src/charon/plugins/ha/ha_plugin.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha ha
- * @ingroup cplugins
- *
- * @defgroup ha_plugin ha_plugin
- * @{ @ingroup ha
- */
-
-#ifndef HA_PLUGIN_H_
-#define HA_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-/**
- * UDP port we use for communication
- */
-#define HA_PORT 4510
-
-typedef struct ha_plugin_t ha_plugin_t;
-
-/**
- * Plugin to synchronize state in a high availability cluster.
- */
-struct ha_plugin_t {
-
- /**
- * implements plugin interface
- */
- plugin_t plugin;
-};
-
-/**
- * Create a ha_plugin instance.
- */
-plugin_t *plugin_create();
-
-#endif /* HA_PLUGIN_H_ @}*/
diff --git a/src/charon/plugins/ha/ha_segments.c b/src/charon/plugins/ha/ha_segments.c
deleted file mode 100644
index 3575d05b8..000000000
--- a/src/charon/plugins/ha/ha_segments.c
+++ /dev/null
@@ -1,502 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_segments.h"
-
-#include <pthread.h>
-
-#include <utils/mutex.h>
-#include <utils/linked_list.h>
-#include <processing/jobs/callback_job.h>
-
-#define HEARTBEAT_DELAY 1000
-#define HEARTBEAT_TIMEOUT 2100
-
-typedef struct private_ha_segments_t private_ha_segments_t;
-
-/**
- * Private data of an ha_segments_t object.
- */
-struct private_ha_segments_t {
-
- /**
- * Public ha_segments_t interface.
- */
- ha_segments_t public;
-
- /**
- * communication socket
- */
- ha_socket_t *socket;
-
- /**
- * Sync tunnel, if any
- */
- ha_tunnel_t *tunnel;
-
- /**
- * Interface to control segments at kernel level
- */
- ha_kernel_t *kernel;
-
- /**
- * Mutex to lock segment manipulation
- */
- mutex_t *mutex;
-
- /**
- * Condvar to wait for heartbeats
- */
- condvar_t *condvar;
-
- /**
- * Job checking for heartbeats
- */
- callback_job_t *job;
-
- /**
- * Total number of ClusterIP segments
- */
- u_int count;
-
- /**
- * mask of active segments
- */
- segment_mask_t active;
-
- /**
- * Node number
- */
- u_int node;
-};
-
-/**
- * Log currently active segments
- */
-static void log_segments(private_ha_segments_t *this, bool activated,
- u_int segment)
-{
- char buf[64] = "none", *pos = buf;
- int i;
- bool first = TRUE;
-
- for (i = 1; i <= this->count; i++)
- {
- if (this->active & SEGMENTS_BIT(i))
- {
- if (first)
- {
- first = FALSE;
- }
- else
- {
- pos += snprintf(pos, buf + sizeof(buf) - pos, ",");
- }
- pos += snprintf(pos, buf + sizeof(buf) - pos, "%d", i);
- }
- }
- DBG1(DBG_CFG, "HA segment %d %sactivated, now active: %s",
- segment, activated ? "" : "de", buf);
-}
-
-/**
- * Enable/Disable a specific segment
- */
-static void enable_disable(private_ha_segments_t *this, u_int segment,
- bool enable, bool notify)
-{
- ike_sa_t *ike_sa;
- enumerator_t *enumerator;
- ike_sa_state_t old, new;
- ha_message_t *message = NULL;
- ha_message_type_t type;
- bool changes = FALSE;
-
- if (segment > this->count)
- {
- return;
- }
-
- if (enable)
- {
- old = IKE_PASSIVE;
- new = IKE_ESTABLISHED;
- type = HA_SEGMENT_TAKE;
- if (!(this->active & SEGMENTS_BIT(segment)))
- {
- this->active |= SEGMENTS_BIT(segment);
- this->kernel->activate(this->kernel, segment);
- changes = TRUE;
- }
- }
- else
- {
- old = IKE_ESTABLISHED;
- new = IKE_PASSIVE;
- type = HA_SEGMENT_DROP;
- if (this->active & SEGMENTS_BIT(segment))
- {
- this->active &= ~SEGMENTS_BIT(segment);
- this->kernel->deactivate(this->kernel, segment);
- changes = TRUE;
- }
- }
-
- if (changes)
- {
- enumerator = charon->ike_sa_manager->create_enumerator(charon->ike_sa_manager);
- while (enumerator->enumerate(enumerator, &ike_sa))
- {
- if (ike_sa->get_state(ike_sa) != old)
- {
- continue;
- }
- if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
- {
- continue;
- }
- if (this->kernel->in_segment(this->kernel,
- ike_sa->get_other_host(ike_sa), segment))
- {
- ike_sa->set_state(ike_sa, new);
- }
- }
- enumerator->destroy(enumerator);
- log_segments(this, enable, segment);
- }
-
- if (notify)
- {
- message = ha_message_create(type);
- message->add_attribute(message, HA_SEGMENT, segment);
- this->socket->push(this->socket, message);
- }
-}
-
-/**
- * Enable/Disable all or a specific segment, do locking
- */
-static void enable_disable_all(private_ha_segments_t *this, u_int segment,
- bool enable, bool notify)
-{
- int i;
-
- this->mutex->lock(this->mutex);
- if (segment == 0)
- {
- for (i = 1; i <= this->count; i++)
- {
- enable_disable(this, i, enable, notify);
- }
- }
- else
- {
- enable_disable(this, segment, enable, notify);
- }
- this->mutex->unlock(this->mutex);
-}
-
-/**
- * Implementation of ha_segments_t.activate
- */
-static void activate(private_ha_segments_t *this, u_int segment, bool notify)
-{
- enable_disable_all(this, segment, TRUE, notify);
-}
-
-/**
- * Implementation of ha_segments_t.deactivate
- */
-static void deactivate(private_ha_segments_t *this, u_int segment, bool notify)
-{
- enable_disable_all(this, segment, FALSE, notify);
-}
-
-/**
- * Rekey all children of an IKE_SA
- */
-static status_t rekey_children(ike_sa_t *ike_sa)
-{
- iterator_t *iterator;
- child_sa_t *child_sa;
- status_t status = SUCCESS;
-
- iterator = ike_sa->create_child_sa_iterator(ike_sa);
- while (iterator->iterate(iterator, (void**)&child_sa))
- {
- DBG1(DBG_CFG, "resyncing CHILD_SA");
- status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa),
- child_sa->get_spi(child_sa, TRUE));
- if (status == DESTROY_ME)
- {
- break;
- }
- }
- iterator->destroy(iterator);
- return status;
-}
-
-/**
- * Implementation of ha_segments_t.resync
- */
-static void resync(private_ha_segments_t *this, u_int segment)
-{
- ike_sa_t *ike_sa;
- enumerator_t *enumerator;
- linked_list_t *list;
- ike_sa_id_t *id;
-
- list = linked_list_create();
- this->mutex->lock(this->mutex);
-
- if (segment > 0 && segment <= this->count)
- {
- DBG1(DBG_CFG, "resyncing HA segment %d", segment);
-
- /* we do the actual rekeying in a seperate loop to avoid rekeying
- * an SA twice. */
- enumerator = charon->ike_sa_manager->create_enumerator(
- charon->ike_sa_manager);
- while (enumerator->enumerate(enumerator, &ike_sa))
- {
- if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
- this->kernel->in_segment(this->kernel,
- ike_sa->get_other_host(ike_sa), segment))
- {
- id = ike_sa->get_id(ike_sa);
- list->insert_last(list, id->clone(id));
- }
- }
- enumerator->destroy(enumerator);
- }
- this->mutex->unlock(this->mutex);
-
- while (list->remove_last(list, (void**)&id) == SUCCESS)
- {
- ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
- id->destroy(id);
- if (ike_sa)
- {
- DBG1(DBG_CFG, "resyncing IKE_SA");
- if (ike_sa->rekey(ike_sa) != DESTROY_ME)
- {
- if (rekey_children(ike_sa) != DESTROY_ME)
- {
- charon->ike_sa_manager->checkin(
- charon->ike_sa_manager, ike_sa);
- continue;
- }
- }
- charon->ike_sa_manager->checkin_and_destroy(
- charon->ike_sa_manager, ike_sa);
- }
- }
- list->destroy(list);
-}
-
-/**
- * Implementation of listener_t.alert
- */
-static bool alert_hook(private_ha_segments_t *this, ike_sa_t *ike_sa,
- alert_t alert, va_list args)
-{
- if (alert == ALERT_SHUTDOWN_SIGNAL)
- {
- deactivate(this, 0, TRUE);
- }
- return TRUE;
-}
-
-/**
- * Request a resync of all segments
- */
-static job_requeue_t request_resync(private_ha_segments_t *this)
-{
- ha_message_t *message;
- int i;
-
- message = ha_message_create(HA_RESYNC);
- for (i = 1; i <= this->count; i++)
- {
- message->add_attribute(message, HA_SEGMENT, i);
- }
- this->socket->push(this->socket, message);
- return JOB_REQUEUE_NONE;
-}
-
-/**
- * Monitor heartbeat activity of remote node
- */
-static job_requeue_t watchdog(private_ha_segments_t *this)
-{
- int oldstate;
- bool timeout;
-
- this->mutex->lock(this->mutex);
- pthread_cleanup_push((void*)this->mutex->unlock, this->mutex);
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- timeout = this->condvar->timed_wait(this->condvar, this->mutex,
- HEARTBEAT_TIMEOUT);
- pthread_setcancelstate(oldstate, NULL);
- pthread_cleanup_pop(TRUE);
- if (timeout)
- {
- DBG1(DBG_CFG, "no heartbeat received, taking all segments");
- activate(this, 0, TRUE);
- /* disable heartbeat detection util we get one */
- this->job = NULL;
- return JOB_REQUEUE_NONE;
- }
- return JOB_REQUEUE_DIRECT;
-}
-
-/**
- * Start the heartbeat detection thread
- */
-static void start_watchdog(private_ha_segments_t *this)
-{
- this->job = callback_job_create((callback_job_cb_t)watchdog,
- this, NULL, NULL);
- charon->processor->queue_job(charon->processor, (job_t*)this->job);
-}
-
-/**
- * Implementation of ha_segments_t.handle_status
- */
-static void handle_status(private_ha_segments_t *this, segment_mask_t mask)
-{
- segment_mask_t missing;
- int i;
-
- this->mutex->lock(this->mutex);
-
- missing = ~(this->active | mask);
-
- for (i = 1; i <= this->count; i++)
- {
- if (missing & SEGMENTS_BIT(i))
- {
- if (this->node == i % 2)
- {
- DBG1(DBG_CFG, "HA segment %d was not handled, taking", i);
- enable_disable(this, i, TRUE, TRUE);
- }
- else
- {
- DBG1(DBG_CFG, "HA segment %d was not handled, dropping", i);
- enable_disable(this, i, FALSE, TRUE);
- }
- }
- }
-
- this->mutex->unlock(this->mutex);
- this->condvar->signal(this->condvar);
-
- if (!this->job)
- {
- DBG1(DBG_CFG, "received heartbeat, reenabling watchdog");
- start_watchdog(this);
- }
-}
-
-/**
- * Send a status message with our active segments
- */
-static job_requeue_t send_status(private_ha_segments_t *this)
-{
- ha_message_t *message;
- int i;
-
- message = ha_message_create(HA_STATUS);
-
- for (i = 1; i <= this->count; i++)
- {
- if (this->active & SEGMENTS_BIT(i))
- {
- message->add_attribute(message, HA_SEGMENT, i);
- }
- }
-
- this->socket->push(this->socket, message);
-
- /* schedule next invocation */
- charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*)
- callback_job_create((callback_job_cb_t)
- send_status, this, NULL, NULL),
- HEARTBEAT_DELAY);
-
- return JOB_REQUEUE_NONE;
-}
-
-/**
- * Implementation of ha_segments_t.destroy.
- */
-static void destroy(private_ha_segments_t *this)
-{
- if (this->job)
- {
- this->job->cancel(this->job);
- }
- this->mutex->destroy(this->mutex);
- this->condvar->destroy(this->condvar);
- free(this);
-}
-
-/**
- * See header
- */
-ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
- ha_tunnel_t *tunnel, u_int count, u_int node,
- bool monitor, bool sync)
-{
- private_ha_segments_t *this = malloc_thing(private_ha_segments_t);
-
- memset(&this->public.listener, 0, sizeof(listener_t));
- this->public.listener.alert = (bool(*)(listener_t*, ike_sa_t *, alert_t, va_list))alert_hook;
- this->public.activate = (void(*)(ha_segments_t*, u_int segment,bool))activate;
- this->public.deactivate = (void(*)(ha_segments_t*, u_int segment,bool))deactivate;
- this->public.resync = (void(*)(ha_segments_t*, u_int segment))resync;
- this->public.handle_status = (void(*)(ha_segments_t*, segment_mask_t mask))handle_status;
- this->public.destroy = (void(*)(ha_segments_t*))destroy;
-
- this->socket = socket;
- this->tunnel = tunnel;
- this->kernel = kernel;
- this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
- this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT);
- this->count = count;
- this->node = node;
- this->job = NULL;
-
- /* initially all segments are deactivated */
- this->active = 0;
-
- if (monitor)
- {
- send_status(this);
- start_watchdog(this);
- }
-
- if (sync)
- {
- /* request a resync as soon as we are up */
- charon->processor->queue_job(charon->processor, (job_t*)
- callback_job_create((callback_job_cb_t)request_resync,
- this, NULL, NULL));
- }
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_segments.h b/src/charon/plugins/ha/ha_segments.h
deleted file mode 100644
index 6d1cd5441..000000000
--- a/src/charon/plugins/ha/ha_segments.h
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_segments ha_segments
- * @{ @ingroup ha
- */
-
-#ifndef HA_SEGMENTS_H_
-#define HA_SEGMENTS_H_
-
-#include <daemon.h>
-
-typedef struct ha_segments_t ha_segments_t;
-
-typedef u_int16_t segment_mask_t;
-
-/**
- * maximum number of segments
- */
-#define SEGMENTS_MAX (sizeof(segment_mask_t)*8)
-
-/**
- * Get the bit in the mask of a segment
- */
-#define SEGMENTS_BIT(segment) (0x01 << (segment - 1))
-
-#include "ha_socket.h"
-#include "ha_tunnel.h"
-#include "ha_kernel.h"
-
-/**
- * Segmentation of peers into active and passive.
- */
-struct ha_segments_t {
-
- /**
- * Implements listener interface to catch daemon shutdown.
- */
- listener_t listener;
-
- /**
- * Activate a set of IKE_SAs identified by a segment.
- *
- * @param segment numerical segment to takeover, 0 for all
- * @param notify wheter to notify other nodes about activation
- */
- void (*activate)(ha_segments_t *this, u_int segment, bool notify);
-
- /**
- * Deactivate a set of IKE_SAs identified by a segment.
- *
- * @param segment numerical segment to takeover, 0 for all
- * @param notify wheter to notify other nodes about deactivation
- */
- void (*deactivate)(ha_segments_t *this, u_int segment, bool notify);
-
- /**
- * Resync an active segment.
- *
- * To reintegrade a node into the cluster, resynchronization is reqired.
- * IKE_SAs and CHILD_SAs are synced automatically during rekeying. A call
- * to this method enforces a rekeying immediately sync all state of a
- * segment.
- *
- * @param segment segment to resync
- */
- void (*resync)(ha_segments_t *this, u_int segment);
-
- /**
- * Handle a status message from the remote node.
- *
- * @param mask segments the remote node is serving actively
- */
- void (*handle_status)(ha_segments_t *this, segment_mask_t mask);
-
- /**
- * Destroy a ha_segments_t.
- */
- void (*destroy)(ha_segments_t *this);
-};
-
-/**
- * Create a ha_segments instance.
- *
- * @param socket socket to communicate segment (de-)activation
- * @param kernel interface to control segments at kernel level
- * @param tunnel HA tunnel
- * @param count number of segments the cluster uses
- * @param node node, currently 1 or 0
- * @param monitor should we use monitoring functionality
- * @param resync request a complete resync on startup
- * @return segment object
- */
-ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel,
- ha_tunnel_t *tunnel, u_int count, u_int node,
- bool monitor, bool resync);
-
-#endif /* HA_SEGMENTS_ @}*/
diff --git a/src/charon/plugins/ha/ha_socket.c b/src/charon/plugins/ha/ha_socket.c
deleted file mode 100644
index b84b02868..000000000
--- a/src/charon/plugins/ha/ha_socket.c
+++ /dev/null
@@ -1,234 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_socket.h"
-#include "ha_plugin.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <errno.h>
-#include <unistd.h>
-#include <pthread.h>
-
-#include <daemon.h>
-#include <utils/host.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_ha_socket_t private_ha_socket_t;
-
-/**
- * Private data of an ha_socket_t object.
- */
-struct private_ha_socket_t {
-
- /**
- * Public ha_socket_t interface.
- */
- ha_socket_t public;
-
- /**
- * UDP communication socket fd
- */
- int fd;
-
- /**
- * local host to receive/send from
- */
- host_t *local;
-
- /**
- * remote host to receive/send to
- */
- host_t *remote;
-};
-
-/**
- * Data to pass to the send_message() callback job
- */
-typedef struct {
- ha_message_t *message;
- private_ha_socket_t *this;
-} job_data_t;
-
-/**
- * Cleanup job data
- */
-static void job_data_destroy(job_data_t *this)
-{
- this->message->destroy(this->message);
- free(this);
-}
-
-/**
- * Callback to asynchronously send messages
- */
-static job_requeue_t send_message(job_data_t *data)
-{
- private_ha_socket_t *this;
- chunk_t chunk;
-
- this = data->this;
- chunk = data->message->get_encoding(data->message);
- if (send(this->fd, chunk.ptr, chunk.len, 0) < chunk.len)
- {
- DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
- }
- return JOB_REQUEUE_NONE;
-}
-
-/**
- * Implementation of ha_socket_t.push
- */
-static void push(private_ha_socket_t *this, ha_message_t *message)
-{
- chunk_t chunk;
-
- /* Try to send synchronously, but non-blocking. */
- chunk = message->get_encoding(message);
- if (send(this->fd, chunk.ptr, chunk.len, MSG_DONTWAIT) < chunk.len)
- {
- if (errno == EAGAIN)
- {
- callback_job_t *job;
- job_data_t *data;
-
- /* Fallback to asynchronous transmission. This is required, as sendto()
- * is a blocking call if it acquires a policy. We could end up in a
- * deadlock, as we own an IKE_SA. */
- data = malloc_thing(job_data_t);
- data->message = message;
- data->this = this;
-
- job = callback_job_create((callback_job_cb_t)send_message,
- data, (void*)job_data_destroy, NULL);
- charon->processor->queue_job(charon->processor, (job_t*)job);
- return;
- }
- DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno));
- }
- message->destroy(message);
-}
-
-/**
- * Implementation of ha_socket_t.pull
- */
-static ha_message_t *pull(private_ha_socket_t *this)
-{
- while (TRUE)
- {
- ha_message_t *message;
- char buf[1024];
- int oldstate;
- ssize_t len;
-
- pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate);
- len = recv(this->fd, buf, sizeof(buf), 0);
- pthread_setcancelstate(oldstate, NULL);
- if (len <= 0)
- {
- switch (errno)
- {
- case ECONNREFUSED:
- case EINTR:
- continue;
- default:
- DBG1(DBG_CFG, "pulling HA message failed: %s",
- strerror(errno));
- sleep(1);
- }
- }
- message = ha_message_parse(chunk_create(buf, len));
- if (message)
- {
- return message;
- }
- }
-}
-
-/**
- * Open and connect the HA socket
- */
-static bool open_socket(private_ha_socket_t *this)
-{
- this->fd = socket(this->local->get_family(this->local), SOCK_DGRAM, 0);
- if (this->fd == -1)
- {
- DBG1(DBG_CFG, "opening HA socket failed: %s", strerror(errno));
- return FALSE;
- }
-
- if (bind(this->fd, this->local->get_sockaddr(this->local),
- *this->local->get_sockaddr_len(this->local)) == -1)
- {
- DBG1(DBG_CFG, "binding HA socket failed: %s", strerror(errno));
- close(this->fd);
- this->fd = -1;
- return FALSE;
- }
- if (connect(this->fd, this->remote->get_sockaddr(this->remote),
- *this->remote->get_sockaddr_len(this->remote)) == -1)
- {
- DBG1(DBG_CFG, "connecting HA socket failed: %s", strerror(errno));
- close(this->fd);
- this->fd = -1;
- return FALSE;
- }
-
- return TRUE;
-}
-
-/**
- * Implementation of ha_socket_t.destroy.
- */
-static void destroy(private_ha_socket_t *this)
-{
- if (this->fd != -1)
- {
- close(this->fd);
- }
- DESTROY_IF(this->local);
- DESTROY_IF(this->remote);
- free(this);
-}
-
-/**
- * See header
- */
-ha_socket_t *ha_socket_create(char *local, char *remote)
-{
- private_ha_socket_t *this = malloc_thing(private_ha_socket_t);
-
- this->public.push = (void(*)(ha_socket_t*, ha_message_t*))push;
- this->public.pull = (ha_message_t*(*)(ha_socket_t*))pull;
- this->public.destroy = (void(*)(ha_socket_t*))destroy;
-
- this->local = host_create_from_dns(local, 0, HA_PORT);
- this->remote = host_create_from_dns(remote, 0, HA_PORT);
- this->fd = -1;
-
- if (!this->local || !this->remote)
- {
- DBG1(DBG_CFG, "invalid local/remote HA address");
- destroy(this);
- return NULL;
- }
- if (!open_socket(this))
- {
- destroy(this);
- return NULL;
- }
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_socket.h b/src/charon/plugins/ha/ha_socket.h
deleted file mode 100644
index 8d398e22b..000000000
--- a/src/charon/plugins/ha/ha_socket.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_socket ha_socket
- * @{ @ingroup ha
- */
-
-#ifndef HA_SOCKET_H_
-#define HA_SOCKET_H_
-
-#include "ha_message.h"
-
-#include <sa/ike_sa.h>
-
-typedef struct ha_socket_t ha_socket_t;
-
-/**
- * Socket to send/received SA synchronization data
- */
-struct ha_socket_t {
-
- /**
- * Push synchronization information to the responsible node.
- *
- * @param message message to send, gets destroyed by push()
- */
- void (*push)(ha_socket_t *this, ha_message_t *message);
-
- /**
- * Pull synchronization information from a peer we are responsible.
- *
- * @return received message
- */
- ha_message_t *(*pull)(ha_socket_t *this);
-
- /**
- * Destroy a ha_socket_t.
- */
- void (*destroy)(ha_socket_t *this);
-};
-
-/**
- * Create a ha_socket instance.
- */
-ha_socket_t *ha_socket_create(char *local, char *remote);
-
-#endif /* HA_SOCKET_ @}*/
diff --git a/src/charon/plugins/ha/ha_tunnel.c b/src/charon/plugins/ha/ha_tunnel.c
deleted file mode 100644
index 97a252dae..000000000
--- a/src/charon/plugins/ha/ha_tunnel.c
+++ /dev/null
@@ -1,297 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ha_tunnel.h"
-#include "ha_plugin.h"
-
-#include <daemon.h>
-#include <utils/identification.h>
-#include <processing/jobs/callback_job.h>
-
-typedef struct private_ha_tunnel_t private_ha_tunnel_t;
-typedef struct ha_backend_t ha_backend_t;
-typedef struct ha_creds_t ha_creds_t;
-
-/**
- * Serves credentials for the HA SA
- */
-struct ha_creds_t {
-
- /**
- * Implements credential_set_t
- */
- credential_set_t public;
-
- /**
- * own identity
- */
- identification_t *local;
-
- /**
- * peer identity
- */
- identification_t *remote;
-
- /**
- * Shared key to serve
- */
- shared_key_t *key;
-};
-
-/**
- * Serves configurations for the HA SA
- */
-struct ha_backend_t {
-
- /**
- * Implements backend_t
- */
- backend_t public;
-
- /**
- * peer config we serve
- */
- peer_cfg_t *cfg;
-};
-
-/**
- * Private data of an ha_tunnel_t object.
- */
-struct private_ha_tunnel_t {
-
- /**
- * Public ha_tunnel_t interface.
- */
- ha_tunnel_t public;
-
- /**
- * Reqid of installed trap
- */
- u_int32_t trap;
-
- /**
- * backend for HA SA
- */
- ha_backend_t backend;
-
- /**
- * credential set for HA SA
- */
- ha_creds_t creds;
-};
-
-/**
- * Implementation of ha_tunnel_t.is_sa
- */
-static bool is_sa(private_ha_tunnel_t *this, ike_sa_t *ike_sa)
-{
- peer_cfg_t *cfg = this->backend.cfg;
-
- return cfg && ike_sa->get_ike_cfg(ike_sa) == cfg->get_ike_cfg(cfg);
-}
-
-/**
- * Enumerator over HA shared_key
- */
-typedef struct {
- /** Implements enumerator_t */
- enumerator_t public;
- /** a single secret we serve */
- shared_key_t *key;
-} shared_enum_t;
-
-/**
- * Implementation of shared_enum_t.enumerate
- */
-static bool shared_enumerate(shared_enum_t *this, shared_key_t **key,
- id_match_t *me, id_match_t *other)
-{
- if (this->key)
- {
- if (me)
- {
- *me = ID_MATCH_PERFECT;
- }
- if (other)
- {
- *other = ID_MATCH_PERFECT;
- }
- *key = this->key;
- this->key = NULL;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * Implements ha_creds_t.create_shared_enumerator
- */
-static enumerator_t* create_shared_enumerator(ha_creds_t *this,
- shared_key_type_t type, identification_t *me,
- identification_t *other)
-{
- shared_enum_t *enumerator;
-
- if (type != SHARED_IKE && type != SHARED_ANY)
- {
- return NULL;
- }
- if (me && !me->equals(me, this->local))
- {
- return NULL;
- }
- if (other && !other->equals(other, this->remote))
- {
- return NULL;
- }
-
- enumerator = malloc_thing(shared_enum_t);
- enumerator->public.enumerate = (void*)shared_enumerate;
- enumerator->public.destroy = (void*)free;
- enumerator->key = this->key;
-
- return &enumerator->public;
-}
-
-/**
- * Implementation of backend_t.create_peer_cfg_enumerator.
- */
-static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this,
- identification_t *me, identification_t *other)
-{
- return enumerator_create_single(this->cfg, NULL);
-}
-
-/**
- * Implementation of backend_t.create_ike_cfg_enumerator.
- */
-static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this,
- host_t *me, host_t *other)
-{
- return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL);
-}
-
-/**
- * Install configs and a a trap for secured HA message exchange
- */
-static void setup_tunnel(private_ha_tunnel_t *this,
- char *local, char *remote, char *secret)
-{
- peer_cfg_t *peer_cfg;
- ike_cfg_t *ike_cfg;
- auth_cfg_t *auth_cfg;
- child_cfg_t *child_cfg;
- traffic_selector_t *ts;
- lifetime_cfg_t lifetime = {
- .time = {
- .life = 21600, .rekey = 20400, .jitter = 400,
- },
- };
-
- /* setup credentials */
- this->creds.local = identification_create_from_string(local);
- this->creds.remote = identification_create_from_string(remote);
- this->creds.key = shared_key_create(SHARED_IKE,
- chunk_clone(chunk_create(secret, strlen(secret))));
- this->creds.public.create_private_enumerator = (void*)return_null;
- this->creds.public.create_cert_enumerator = (void*)return_null;
- this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator;
- this->creds.public.create_cdp_enumerator = (void*)return_null;
- this->creds.public.cache_cert = (void*)nop;
-
- charon->credentials->add_set(charon->credentials, &this->creds.public);
-
- /* create config and backend */
- ike_cfg = ike_cfg_create(FALSE, FALSE, local, remote);
- ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
- peer_cfg = peer_cfg_create("ha", 2, ike_cfg, CERT_NEVER_SEND,
- UNIQUE_KEEP, 0, 86400, 0, 7200, 3600, FALSE, 30,
- NULL, NULL, FALSE, NULL, NULL);
-
- auth_cfg = auth_cfg_create();
- auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
- auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
- identification_create_from_string(local));
- peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, TRUE);
-
- auth_cfg = auth_cfg_create();
- auth_cfg->add(auth_cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
- auth_cfg->add(auth_cfg, AUTH_RULE_IDENTITY,
- identification_create_from_string(remote));
- peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE);
-
- child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE,
- MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE);
- ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
- child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
- ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
- child_cfg->add_traffic_selector(child_cfg, TRUE, ts);
- ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT);
- child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
- ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535);
- child_cfg->add_traffic_selector(child_cfg, FALSE, ts);
- child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
- peer_cfg->add_child_cfg(peer_cfg, child_cfg);
-
- this->backend.cfg = peer_cfg;
- this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator;
- this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator;
- this->backend.public.get_peer_cfg_by_name = (void*)return_null;
-
- charon->backends->add_backend(charon->backends, &this->backend.public);
-
- /* install an acquiring trap */
- this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg);
-}
-
-/**
- * Implementation of ha_tunnel_t.destroy.
- */
-static void destroy(private_ha_tunnel_t *this)
-{
- if (this->backend.cfg)
- {
- charon->backends->remove_backend(charon->backends, &this->backend.public);
- this->backend.cfg->destroy(this->backend.cfg);
- }
- if (this->creds.key)
- {
- charon->credentials->remove_set(charon->credentials, &this->creds.public);
- this->creds.key->destroy(this->creds.key);
- }
- this->creds.local->destroy(this->creds.local);
- this->creds.remote->destroy(this->creds.remote);
- if (this->trap)
- {
- charon->traps->uninstall(charon->traps, this->trap);
- }
- free(this);
-}
-
-/**
- * See header
- */
-ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret)
-{
- private_ha_tunnel_t *this = malloc_thing(private_ha_tunnel_t);
-
- this->public.is_sa = (bool(*)(ha_tunnel_t*, ike_sa_t *ike_sa))is_sa;
- this->public.destroy = (void(*)(ha_tunnel_t*))destroy;
-
- setup_tunnel(this, local, remote, secret);
-
- return &this->public;
-}
-
diff --git a/src/charon/plugins/ha/ha_tunnel.h b/src/charon/plugins/ha/ha_tunnel.h
deleted file mode 100644
index 085fb6122..000000000
--- a/src/charon/plugins/ha/ha_tunnel.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup ha_ ha_tunnel
- * @{ @ingroup ha
- */
-
-#ifndef HA_TUNNEL_H_
-#define HA_TUNNEL_H_
-
-#include <sa/ike_sa.h>
-
-typedef struct ha_tunnel_t ha_tunnel_t;
-
-/**
- * Socket to send/received SA synchronization data
- */
-struct ha_tunnel_t {
-
- /**
- * Check if an IKE_SA is used for exchanging HA messages.
- *
- * @param ike_Sa ike_sa to check
- * @return TRUE if IKE_SA is used to secure HA messages
- */
- bool (*is_sa)(ha_tunnel_t *this, ike_sa_t *ike_sa);
-
- /**
- * Destroy a ha_tunnel_t.
- */
- void (*destroy)(ha_tunnel_t *this);
-};
-
-/**
- * Create a ha_tunnel instance.
- *
- * @param local local address of HA tunnel
- * @param remote remote address of HA tunnel
- * @param secret PSK tunnel authentication secret
- * @return HA tunnel instance
- */
-ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret);
-
-#endif /* HA_TUNNEL_H_ @}*/
generated by cgit v1.2.3 (git 2.25.1) at 2025-02-27 23:20:28 +0000