authorTobias Brunner <tobias@strongswan.org>2009-08-27 11:27:10 +0200
committerTobias Brunner <tobias@strongswan.org>2009-09-01 12:50:50 +0200
commitcaf87c7dcb74b728616d52de9b24328a25c67342 (patch)
treee3a75ef2e42142b9edfd9f7db19d4de2c15781ef /src
parent86e4728550fbf4188c827bbc8f81ca0e243b3031 (diff)
downloadstrongswan-caf87c7dcb74b728616d52de9b24328a25c67342.tar.bz2
strongswan-caf87c7dcb74b728616d52de9b24328a25c67342.tar.xz
child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.
Diffstat (limited to 'src')
-rw-r--r--src/charon/config/child_cfg.c61
-rw-r--r--src/charon/config/child_cfg.h37
2 files changed, 47 insertions, 51 deletions
diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 990ee3fd6..6cddd9280 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -97,20 +97,9 @@ struct private_child_cfg_t {
action_t close_action;
/**
- * Time before an SA gets invalid
+ * CHILD_SA lifetime config
*/
- u_int32_t lifetime;
-
- /**
- * Time before an SA gets rekeyed
- */
- u_int32_t rekeytime;
-
- /**
- * Time, which specifies the range of a random value
- * substracted from rekeytime.
- */
- u_int32_t jitter;
+ lifetime_cfg_t *lifetime;
/**
* enable IPComp
@@ -361,19 +350,32 @@ static bool get_hostaccess(private_child_cfg_t *this)
}
/**
- * Implementation of child_cfg_t.get_lifetime.
+ * Applies jitter to the rekey value. Returns the new rekey value.
+ * Note: The distribution of random values is not perfect, but it
+ * should get the job done.
*/
-static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
+static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
{
- if (rekey)
+ if (jitter == 0)
{
- if (this->jitter == 0)
- {
- return this->rekeytime;
- }
- return this->rekeytime - (random() % this->jitter);
+ return rekey;
}
- return this->lifetime;
+ jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
+ return rekey - jitter * (random() / (RAND_MAX + 1.0));
+}
+#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
+
+/**
+ * Implementation of child_cfg_t.get_lifetime.
+ */
+static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+{
+ lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
+ memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
+ APPLY_JITTER(lft, time);
+ APPLY_JITTER(lft, bytes);
+ APPLY_JITTER(lft, packets);
+ return lft;
}
/**
@@ -478,6 +480,7 @@ static void destroy(private_child_cfg_t *this)
{
free(this->updown);
}
+ free(this->lifetime);
free(this->name);
free(this);
}
@@ -486,10 +489,10 @@ static void destroy(private_child_cfg_t *this)
/*
* Described in header-file
*/
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, ipsec_mode_t mode,
- action_t dpd_action, action_t close_action, bool ipcomp)
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+ char *updown, bool hostaccess,
+ ipsec_mode_t mode, action_t dpd_action,
+ action_t close_action, bool ipcomp)
{
private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
@@ -504,7 +507,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
- this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
+ this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
@@ -515,8 +518,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
this->name = strdup(name);
this->lifetime = lifetime;
- this->rekeytime = rekeytime;
- this->jitter = jitter;
this->updown = updown ? strdup(updown) : NULL;
this->hostaccess = hostaccess;
this->mode = mode;
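Review bot: In apply_jitter (hunk @@ -361,19 +350,32 @@) the `return rekey - jitter * (random() / (RAND_MAX + 1.0));` line is evaluated entirely in double, so whenever jitter exceeds rekey the intermediate is negative and converting it back to u_int64_t on return is undefined behaviour in C (the old `rekeytime - (random() % jitter)` at least wrapped deterministically), and the header hunk in this commit drops the former `lifetime > rekeytime > jitter` guidance that ruled that case out. Computing the offset first and clamping keeps the result well-defined: `u_int64_t offset = jitter * (random() / (RAND_MAX + 1.0));` followed by `return offset > rekey ? 0 : rekey - offset;` (if a zero rekey value has special meaning elsewhere, clamping to a minimum or rejecting such a lifetime_cfg_t at creation may be preferable). Since get_lifetime now applies this to the byte and packet limits as well as time, it is also worth a comment on that line such as `/* double intermediate: exact only up to 2^53 */`, as larger limits lose low-order precision.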
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index a72034e6a..7bae8d9a6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -214,18 +214,14 @@ struct child_cfg_t {
bool (*get_hostaccess) (child_cfg_t *this);
/**
- * Get the lifetime of a CHILD_SA.
+ * Get the lifetime configuration of a CHILD_SA.
*
- * If "rekey" is set to TRUE, a lifetime is returned before the first
- * rekeying should be started. If it is FALSE, the actual lifetime is
- * returned when the CHILD_SA must be deleted.
- * The rekey time automatically contains a jitter to avoid simlutaneous
- * rekeying.
- *
- * @param rekey TRUE to get rekey time
- * @return lifetime in seconds
+ * The rekey limits automatically contain a jitter to avoid simultaneous
+ * rekeying. These values will change with each call to this function.
+ *
+ * @return lifetime_cfg_t (has to be freed)
*/
- u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
+ lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
/**
* Get the mode to use for the CHILD_SA.
@@ -311,16 +307,15 @@ struct child_cfg_t {
* Create a configuration template for CHILD_SA setup.
*
* The "name" string gets cloned.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeytime - random(0, jitter)). You should specify
- * lifetime > rekeytime > jitter.
+ *
+ * The lifetime_cfg_t object gets adopted by this config.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
+ *
* After a call to create, a reference is obtained (refcount = 1).
*
* @param name name of the child_cfg
- * @param lifetime lifetime after CHILD_SA expires and gets deleted
- * @param rekeytime time when rekeying should be initiated
- * @param jitter range of randomization time to remove from rekeytime
+ * @param lifetime lifetime_cfg_t for this child_cfg
* @param updown updown script to execute on up/down event
* @param hostaccess TRUE to allow access to the local host
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
@@ -329,9 +324,9 @@ struct child_cfg_t {
* @param ipcomp use IPComp, if peer supports it
* @return child_cfg_t object
*/
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, ipsec_mode_t mode,
- action_t dpd_action, action_t close_action, bool ipcomp);
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+ char *updown, bool hostaccess,
+ ipsec_mode_t mode, action_t dpd_action,
+ action_t close_action, bool ipcomp);
#endif /** CHILD_CFG_H_ @}*/
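Review bot: The child_cfg_create documentation hunk (@@ -311,16 +307,15 @@) removes the old `lifetime > rekeytime > jitter` guidance without restating it for the new fields, yet apply_jitter in child_cfg.c still relies on jitter_xxx not exceeding rekey_xxx and, from what is visible, child_cfg_create stores the adopted lifetime_cfg_t without validation. Suggest restoring the constraint in terms of the new structure, e.g. `* You should specify the limits so that the hard lifetime > rekey_xxx > jitter_xxx.`. The get_lifetime doc `@return lifetime_cfg_t (has to be freed)` could additionally say how the object is released (plain free(), if lifetime_cfg_t holds only scalar limits as the memcpy in get_lifetime suggests), since callers otherwise have to read the implementation to find out.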