author | Tobias Brunner <tobias@strongswan.org> | 2009-08-27 11:27:10 +0200 |
committer | Tobias Brunner <tobias@strongswan.org> | 2009-09-01 12:50:50 +0200 |
commit | caf87c7dcb74b728616d52de9b24328a25c67342 (patch) | |
tree | e3a75ef2e42142b9edfd9f7db19d4de2c15781ef /src | |
parent | 86e4728550fbf4188c827bbc8f81ca0e243b3031 (diff) | |
child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.
Diffstat (limited to 'src')
-rw-r--r-- | src/charon/config/child_cfg.c | 61 | ||||
-rw-r--r-- | src/charon/config/child_cfg.h | 37 |
2 files changed, 47 insertions, 51 deletions
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 990ee3fd6..6cddd9280 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2009 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil
@@ -97,20 +97,9 @@ struct private_child_cfg_t { action_t close_action; /** - * Time before an SA gets invalid + * CHILD_SA lifetime config */ - u_int32_t lifetime; - - /** - * Time before an SA gets rekeyed - */ - u_int32_t rekeytime; - - /** - * Time, which specifies the range of a random value - * substracted from rekeytime. - */ - u_int32_t jitter; + lifetime_cfg_t *lifetime; /** * enable IPComp
@@ -361,19 +350,32 @@ static bool get_hostaccess(private_child_cfg_t *this) } /** - * Implementation of child_cfg_t.get_lifetime. + * Applies jitter to the rekey value. Returns the new rekey value. + * Note: The distribution of random values is not perfect, but it + * should get the job done. */ -static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey) +static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter) { - if (rekey) + if (jitter == 0) { - if (this->jitter == 0) - { - return this->rekeytime; - } - return this->rekeytime - (random() % this->jitter); + return rekey; } - return this->lifetime; + jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1; + return rekey - jitter * (random() / (RAND_MAX + 1.0)); +} +#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f) + +/** + * Implementation of child_cfg_t.get_lifetime. + */ +static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) +{ + lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t); + memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t)); + APPLY_JITTER(lft, time); + APPLY_JITTER(lft, bytes); + APPLY_JITTER(lft, packets); + return lft; } /**
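Review bot: The new field comment `CHILD_SA lifetime config` says nothing about who owns the pointed-to object, although this same commit has child_cfg_create store the caller's pointer unchanged (`this->lifetime = lifetime;`) and destroy() `free(this->lifetime)`. Suggest `/** CHILD_SA lifetime config, adopted by child_cfg_create() and freed in destroy() */` so a later reader does not free or keep using the object after handing it over. The struct private_child_cfg_t definition begins and ends outside this hunk.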
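Review bot: The final `return` of apply_jitter computes `rekey - jitter * (...)` in double and converts the result back to u_int64_t, so whenever jitter exceeds rekey the difference is negative and that conversion is undefined behaviour; the old header's advice to keep `lifetime > rekeytime > jitter` is removed by this commit and nothing in the new code enforces it. Form the offset first and subtract in integer arithmetic: `u_int64_t delta = jitter * (random() / (RAND_MAX + 1.0));` then `return rekey > delta ? rekey - delta : 0;` (if 0 has a special meaning for a rekey limit, which this page does not show, choose the floor accordingly). Values above 2^53 are also rounded in the double intermediate, presumably acceptable for a jitter but worth a remark next to the `Note:` already in the comment. APPLY_JITTER should parenthesise its pointer argument, `#define APPLY_JITTER(l, f) (l)->rekey_##f = apply_jitter((l)->rekey_##f, (l)->jitter_##f)`, and could be `#undef`'d after get_lifetime since nothing else in the hunk uses it.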
@@ -478,6 +480,7 @@ static void destroy(private_child_cfg_t *this) { free(this->updown); } + free(this->lifetime); free(this->name); free(this); }
@@ -486,10 +489,10 @@ static void destroy(private_child_cfg_t *this) /* * Described in header-file */ -child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, - u_int32_t rekeytime, u_int32_t jitter, - char *updown, bool hostaccess, ipsec_mode_t mode, - action_t dpd_action, action_t close_action, bool ipcomp) +child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, + char *updown, bool hostaccess, + ipsec_mode_t mode, action_t dpd_action, + action_t close_action, bool ipcomp) { private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -504,7 +507,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; - this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime; + this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime; this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
@@ -515,8 +518,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, this->name = strdup(name); this->lifetime = lifetime; - this->rekeytime = rekeytime; - this->jitter = jitter; this->updown = updown ? strdup(updown) : NULL; this->hostaccess = hostaccess; this->mode = mode;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index a72034e6a..7bae8d9a6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -214,18 +214,14 @@ struct child_cfg_t { bool (*get_hostaccess) (child_cfg_t *this); /** - * Get the lifetime of a CHILD_SA. + * Get the lifetime configuration of a CHILD_SA. * - * If "rekey" is set to TRUE, a lifetime is returned before the first - * rekeying should be started. If it is FALSE, the actual lifetime is - * returned when the CHILD_SA must be deleted. - * The rekey time automatically contains a jitter to avoid simlutaneous - * rekeying. - * - * @param rekey TRUE to get rekey time - * @return lifetime in seconds + * The rekey limits automatically contain a jitter to avoid simultaneous + * rekeying. These values will change with each call to this function. + * + * @return lifetime_cfg_t (has to be freed) */ - u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey); + lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this); /** * Get the mode to use for the CHILD_SA. 
@@ -311,16 +307,15 @@ struct child_cfg_t { * Create a configuration template for CHILD_SA setup. * * The "name" string gets cloned. - * Lifetimes are in seconds. To prevent to peers to start rekeying at the - * same time, a jitter may be specified. Rekeying of an SA starts at - * (rekeytime - random(0, jitter)). You should specify - * lifetime > rekeytime > jitter. + * + * The lifetime_cfg_t object gets adopted by this config. + * To prevent two peers to start rekeying at the same time, a jitter may be + * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)). + * * After a call to create, a reference is obtained (refcount = 1). * * @param name name of the child_cfg - * @param lifetime lifetime after CHILD_SA expires and gets deleted - * @param rekeytime time when rekeying should be initiated - * @param jitter range of randomization time to remove from rekeytime + * @param lifetime lifetime_cfg_t for this child_cfg * @param updown updown script to execute on up/down event * @param hostaccess TRUE to allow access to the local host * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
@@ -329,9 +324,9 @@ struct child_cfg_t { * @param ipcomp use IPComp, if peer supports it * @return child_cfg_t object */ -child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, - u_int32_t rekeytime, u_int32_t jitter, - char *updown, bool hostaccess, ipsec_mode_t mode, - action_t dpd_action, action_t close_action, bool ipcomp); +child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, + char *updown, bool hostaccess, + ipsec_mode_t mode, action_t dpd_action, + action_t close_action, bool ipcomp); #endif /** CHILD_CFG_H_ @}*/ |
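Review bot: The new `@param lifetime lifetime_cfg_t for this child_cfg` line states neither the ownership transfer nor that the pointer must be non-NULL, although the paragraph above it says the object is adopted, child_cfg_create in child_cfg.c stores it unchanged and destroy() frees it, and get_lifetime passes it straight to memcpy, which is undefined for a NULL source. Suggest `@param lifetime lifetime_cfg_t for this child_cfg (adopted and freed by this object; must not be NULL)` so callers neither free it themselves nor pass NULL. While touching this comment, `To prevent two peers to start rekeying` reads better as `To prevent two peers from starting to rekey`. The doc comment this hunk edits opens before the hunk's first line.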