child_cfg_t now takes a lifetime_cfg_t to configure the lifetime limits. Also adjusted the jitter calculation, so it works for values > RAND_MAX.

2 files changed, 47 insertions, 51 deletions

diff --git a/src/charon/config/child_cfg.c b/src/charon/config/child_cfg.c
index 990ee3fd6..6cddd9280 100644
--- a/src/charon/config/child_cfg.c
+++ b/src/charon/config/child_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -97,20 +97,9 @@ struct private_child_cfg_t {
 	action_t close_action;
 	
 	/**
-	 * Time before an SA gets invalid
+	 * CHILD_SA lifetime config
 	 */
-	u_int32_t lifetime;
-	
-	/**
-	 * Time before an SA gets rekeyed
-	 */
-	u_int32_t rekeytime;
-	
-	/**
-	 * Time, which specifies the range of a random value
-	 * substracted from rekeytime.
-	 */
-	u_int32_t jitter;
+	lifetime_cfg_t *lifetime;
 	
 	/**
 	 * enable IPComp
@@ -361,19 +350,32 @@ static bool get_hostaccess(private_child_cfg_t *this)
 }
 
 /**
- * Implementation of child_cfg_t.get_lifetime.
+ * Applies jitter to the rekey value. Returns the new rekey value.
+ * Note: The distribution of random values is not perfect, but it
+ * should get the job done.
  */
-static u_int32_t get_lifetime(private_child_cfg_t *this, bool rekey)
+static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter)
 {
-	if (rekey)
+	if (jitter == 0)
 	{
-		if (this->jitter == 0)
-		{
-			return this->rekeytime;
-		}
-		return this->rekeytime - (random() % this->jitter);
+		return rekey;
 	}
-	return this->lifetime;
+	jitter = (jitter == UINT64_MAX) ? jitter : jitter + 1;
+	return rekey - jitter * (random() / (RAND_MAX + 1.0));
+}
+#define APPLY_JITTER(l, f) l->rekey_##f = apply_jitter(l->rekey_##f, l->jitter_##f)
+
+/**
+ * Implementation of child_cfg_t.get_lifetime.
+ */
+static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this)
+{
+	lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t);
+	memcpy(lft, this->lifetime, sizeof(lifetime_cfg_t));
+	APPLY_JITTER(lft, time);
+	APPLY_JITTER(lft, bytes);
+	APPLY_JITTER(lft, packets);
+	return lft;
 }
 
 /**
@@ -478,6 +480,7 @@ static void destroy(private_child_cfg_t *this)
 		{
 			free(this->updown);
 		}
+		free(this->lifetime);
 		free(this->name);
 		free(this);
 	}
@@ -486,10 +489,10 @@ static void destroy(private_child_cfg_t *this)
 /*
  * Described in header-file
  */
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
-							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, ipsec_mode_t mode,
-							  action_t dpd_action, action_t close_action, bool ipcomp)
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp)
 {
 	private_child_cfg_t *this = malloc_thing(private_child_cfg_t);
 
@@ -504,7 +507,7 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode;
 	this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action;
 	this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action;
-	this->public.get_lifetime = (u_int32_t (*) (child_cfg_t *,bool))get_lifetime;
+	this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime;
 	this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group;
 	this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options;
 	this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp;
@@ -515,8 +518,6 @@ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
 	
 	this->name = strdup(name);
 	this->lifetime = lifetime;
-	this->rekeytime = rekeytime;
-	this->jitter = jitter;
 	this->updown = updown ? strdup(updown) : NULL;
 	this->hostaccess = hostaccess;
 	this->mode = mode;
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index a72034e6a..7bae8d9a6 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -214,18 +214,14 @@ struct child_cfg_t {
 	bool (*get_hostaccess) (child_cfg_t *this);
 
 	/**
-	 * Get the lifetime of a CHILD_SA.
+	 * Get the lifetime configuration of a CHILD_SA.
 	 *
-	 * If "rekey" is set to TRUE, a lifetime is returned before the first
-	 * rekeying should be started. If it is FALSE, the actual lifetime is
-	 * returned when the CHILD_SA must be deleted.
-	 * The rekey time automatically contains a jitter to avoid simlutaneous
-	 * rekeying.
-	 * 
-	 * @param rekey			TRUE to get rekey time
-	 * @return				lifetime in seconds
+	 * The rekey limits automatically contain a jitter to avoid simultaneous
+	 * rekeying. These values will change with each call to this function.
+	 *
+	 * @return				lifetime_cfg_t (has to be freed)
 	 */
-	u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
+	lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
 	
 	/**
 	 * Get the mode to use for the CHILD_SA.
@@ -311,16 +307,15 @@ struct child_cfg_t {
  * Create a configuration template for CHILD_SA setup.
  * 
  * The "name" string gets cloned.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeytime - random(0, jitter)). You should specify
- * lifetime > rekeytime > jitter.
+ *
+ * The lifetime_cfg_t object gets adopted by this config.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
+ *
  * After a call to create, a reference is obtained (refcount = 1).
  * 
  * @param name				name of the child_cfg
- * @param lifetime			lifetime after CHILD_SA expires and gets deleted
- * @param rekeytime			time when rekeying should be initiated
- * @param jitter			range of randomization time to remove from rekeytime
+ * @param lifetime			lifetime_cfg_t for this child_cfg
  * @param updown			updown script to execute on up/down event
  * @param hostaccess		TRUE to allow access to the local host
  * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
@@ -329,9 +324,9 @@ struct child_cfg_t {
  * @param ipcomp			use IPComp, if peer supports it
  * @return 					child_cfg_t object
  */
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
-							  u_int32_t rekeytime, u_int32_t jitter,
-							  char *updown, bool hostaccess, ipsec_mode_t mode,
-							  action_t dpd_action, action_t close_action, bool ipcomp);
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+							  char *updown, bool hostaccess,
+							  ipsec_mode_t mode, action_t dpd_action,
+							  action_t close_action, bool ipcomp);
 
 #endif /** CHILD_CFG_H_ @}*/