27 files changed, 217 insertions, 372 deletions
diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index b66f23773..64ebb355f 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -23,7 +23,6 @@ config/backends/backend.h \ config/backends/local_backend.c config/backends/local_backend.h \ config/cfg_store.c config/cfg_store.h \ config/child_cfg.c config/child_cfg.h \ -config/configuration.c config/configuration.h \ config/credentials/local_credential_store.c config/credentials/local_credential_store.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ diff --git a/src/charon/config/backends/backend.h b/src/charon/config/backends/backend.h index a054a7221..52df0a287 100644 --- a/src/charon/config/backends/backend.h +++ b/src/charon/config/backends/backend.h @@ -6,7 +6,7 @@ */ /* - * Copyright (C) 2006 Martin Willi + * Copyright (C) 2007 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,8 +34,12 @@ typedef struct backend_t backend_t; /** * @brief The interface for a configuration backend. * + * A configuration backend is registered in the cfg_store. It does the actual + * configuration lookup for the method it implements. See cfg_store_t for + * more information. + * * @b Constructors: - * - implementations constructor, such as local_backend_create() + * - none, use implementations of backend_t. * * @ingroup backends */ diff --git a/src/charon/config/backends/local_backend.h b/src/charon/config/backends/local_backend.h index 97c43b233..4caf4a896 100644 --- a/src/charon/config/backends/local_backend.h +++ b/src/charon/config/backends/local_backend.h @@ -84,7 +84,7 @@ struct local_backend_t { * * @return local_backend instance. * - * @ingroup config + * @ingroup backends */ local_backend_t *local_backend_create(void); diff --git a/src/charon/config/cfg_store.h b/src/charon/config/cfg_store.h index 04a4301bf..be36cd399 100644 --- a/src/charon/config/cfg_store.h 
+++ b/src/charon/config/cfg_store.h @@ -40,29 +40,22 @@ typedef struct cfg_store_t cfg_store_t; * access all this backends by a single call, this class wraps multiple * backends behind a single object. * Backends may be registered and unregister at runtime dynamically. - * - * +---------+ +---------+ +--------------+ | - * | | | | +--------------+ | | - * | |----->| config | +--------------+ |-+ <==|==> IPC - * | | | |------>| backends |-+ | - * | daemon |----->| | +--------------+ | - * | core | +---------+ | - * | | | - * | | +---------+ +--------------+ | - * | |<-----| | +--------------+ | | - * | | | control-| +--------------+ |-+ <==|==> IPC - * | |<-----| ler |------>| controllers |-+ | - * | | | | +--------------+ | - * +---------+ +---------+ | - * - * The daemon core only knows the simple and single cfg_store interface. - * The cfg_store wraps two kind of objects, backends and trustchains. - * If the daemon needs something, it asks the cfg_store. cfg_store - * asks all of its backends if they can fullfil the request. - * + * @verbatim + + +---------+ +-----------+ +--------------+ | + | | | | +--------------+ | | + | daemon |----->| cfg_store | +--------------+ |-+ <==|==> IPC + | core | | |---->| backends |-+ | + | |----->| | +--------------+ | + | | | | | + +---------+ +-----------+ | + + @endverbatim + * Configuration lookup is done only when acting as responder. For initating + * the corresponding controller is responsible to get a config to initiate. * * @b Constructors: - * - stroke_create() + * - cfg_store_create() * * @ingroup config */ diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h index eab30122a..6b2299089 100644 --- a/src/charon/config/child_cfg.h +++ b/src/charon/config/child_cfg.h @@ -36,7 +36,7 @@ typedef struct child_cfg_t child_cfg_t; * * These are equal to those defined in XFRM, so don't change. * - * @ingroup child_cfg + * @ingroup config */ enum mode_t { /** transport mode, no inner address */ 
@@ -57,14 +57,16 @@ extern enum_name_t *mode_names; * * After creation, proposals and traffic selectors may be added to the config. * A child_cfg object is referenced multiple times, and is not thread save. - * Reading from the object is save, adding things is not allowed when other + * Reading from the object is save, adding things is not allowed while other * threads may access the object. * A reference counter handles the number of references hold to this config. + * + * @see peer_cfg_t to get an overview over the configurations. * * @b Constructors: * - child_cfg_create() * - * @ingroup child_cfg + * @ingroup config */ struct child_cfg_t { @@ -229,11 +231,10 @@ struct child_cfg_t { * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET * @return child_cfg_t object * - * @ingroup child_cfg + * @ingroup config */ child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime, - u_int32_t rekeytime, u_int32_t jitter, - char *updown, bool hostaccess, - mode_t mode); + u_int32_t rekeytime, u_int32_t jitter, + char *updown, bool hostaccess, mode_t mode); #endif /* CHILD_CFG_H_ */ diff --git a/src/charon/config/configuration.c b/src/charon/config/configuration.c deleted file mode 100755 index 488ba9a5e..000000000 --- a/src/charon/config/configuration.c +++ /dev/null 
@@ -1,162 +0,0 @@ -/** - * @file configuration.c - * - * @brief Implementation of configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <math.h> - -#include "configuration.h" - -#include <library.h> - -/** - * Timeout in milliseconds after that a half open IKE_SA gets deleted. - */ -#define HALF_OPEN_IKE_SA_TIMEOUT 30000 - -/** - * Retransmission uses a backoff algorithm. The timeout is calculated using - * TIMEOUT * (BASE ** try). - * When try reaches TRIES, retransmission is given up. - * - * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us: - * - * | relative | absolute - * --------------------------------------------------------- - * 4s * (1.8 ** (0 % 5)) = 4s 4s - * 4s * (1.8 ** (1 % 5)) = 7s 11s - * 4s * (1.8 ** (2 % 5)) = 13s 24s - * 4s * (1.8 ** (3 % 5)) = 23s 47s - * 4s * (1.8 ** (4 % 5)) = 42s 89s - * 4s * (1.8 ** (5 % 5)) = 76s 165s - * - * The peer is considered dead after 2min 45s when no reply comes in. - */ - -/** - * First retransmit timeout in milliseconds. - * Timeout value is increasing in each retransmit round. - */ -#define RETRANSMIT_TIMEOUT 4000 - -/** - * Base which is raised to the power of the retransmission count. - */ -#define RETRANSMIT_BASE 1.8 - -/** - * Number of retransmits done in a retransmit sequence - */ -#define RETRANSMIT_TRIES 5 - -/** - * Keepalive interval in seconds. 
- */ -#define KEEPALIVE_INTERVAL 20 - -/** - * retry interval in seconds. - */ -#define RETRY_INTERVAL 30 - -/** - * jitter to user for retrying - */ -#define RETRY_JITTER 20 - - -typedef struct private_configuration_t private_configuration_t; - -/** - * Private data of an configuration_t object. - */ -struct private_configuration_t { - - /** - * Public part of configuration_t object. - */ - configuration_t public; - -}; - -/** - * Implementation of configuration_t.get_retransmit_timeout. - */ -static u_int32_t get_retransmit_timeout (private_configuration_t *this, - u_int32_t retransmit_count) -{ - if (retransmit_count > RETRANSMIT_TRIES) - { - /* give up */ - return 0; - } - return (u_int32_t) - (RETRANSMIT_TIMEOUT * pow(RETRANSMIT_BASE, retransmit_count)); -} - -/** - * Implementation of configuration_t.get_half_open_ike_sa_timeout. - */ -static u_int32_t get_half_open_ike_sa_timeout (private_configuration_t *this) -{ - return HALF_OPEN_IKE_SA_TIMEOUT; -} - -/** - * Implementation of configuration_t.get_keepalive_interval. - */ -static u_int32_t get_keepalive_interval (private_configuration_t *this) -{ - return KEEPALIVE_INTERVAL; -} - -/** - * Implementation of configuration_t.get_retry_interval. - */ -static u_int32_t get_retry_interval (private_configuration_t *this) -{ - return RETRY_INTERVAL - (random() % RETRY_JITTER); -} - -/** - * Implementation of configuration_t.destroy. 
- */ -static void destroy(private_configuration_t *this) -{ - free(this); -} - -/* - * Described in header-file - */ -configuration_t *configuration_create() -{ - private_configuration_t *this = malloc_thing(private_configuration_t); - - /* public functions */ - this->public.destroy = (void(*)(configuration_t*))destroy; - this->public.get_retransmit_timeout = (u_int32_t (*) (configuration_t*,u_int32_t))get_retransmit_timeout; - this->public.get_half_open_ike_sa_timeout = (u_int32_t (*) (configuration_t*)) get_half_open_ike_sa_timeout; - this->public.get_keepalive_interval = (u_int32_t (*) (configuration_t*)) get_keepalive_interval; - this->public.get_retry_interval = (u_int32_t (*) (configuration_t*)) get_retry_interval; - - return (&this->public); -} diff --git a/src/charon/config/configuration.h b/src/charon/config/configuration.h deleted file mode 100755 index c1207171d..000000000 --- a/src/charon/config/configuration.h +++ /dev/null 
@@ -1,102 +0,0 @@ -/** - * @file configuration.h - * - * @brief Interface configuration_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef CONFIGURATION_H_ -#define CONFIGURATION_H_ - -typedef struct configuration_t configuration_t; - -#include <library.h> - -/** - * @brief The interface for various daemon related configs. - * - * @b Constructors: - * - configuration_create() - * - * @ingroup config - */ -struct configuration_t { - - /** - * @brief Returns the retransmit timeout. - * - * A return value of zero means the request should not be - * retransmitted again. - * - * @param this calling object - * @param retransmitted number of times a message was retransmitted so far - * @return time in milliseconds, when to do next retransmit - */ - u_int32_t (*get_retransmit_timeout) (configuration_t *this, - u_int32_t retransmitted); - - /** - * @brief Returns the timeout for an half open IKE_SA in ms. - * - * Half open means that the IKE_SA is still on a not established state - * - * @param this calling object - * @return timeout in milliseconds (ms) - */ - u_int32_t (*get_half_open_ike_sa_timeout) (configuration_t *this); - - /** - * @brief Returns the keepalive interval in s. - * - * The keepalive interval defines the idle time after which a - * NAT keepalive packet should be sent. 
- * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_keepalive_interval) (configuration_t *this); - - /** - * @brief Returns the interval to retry a failed action again. - * - * In some situations, the protocol may be in a state where processing - * is not possible and an action must be retried (e.g. rekeying). - * - * @param this calling object - * @return interval in s - */ - u_int32_t (*get_retry_interval) (configuration_t *this); - - /** - * @brief Destroys a configuration_t object. - * - * @param this calling object - */ - void (*destroy) (configuration_t *this); -}; - -/** - * @brief Creates a configuration backend. - * - * @return static_configuration_t object - * - * @ingroup config - */ -configuration_t *configuration_create(void); - -#endif /*CONFIGURATION_H_*/ diff --git a/src/charon/config/ike_cfg.h b/src/charon/config/ike_cfg.h index f8f5a3500..ccea0a527 100644 --- a/src/charon/config/ike_cfg.h +++ b/src/charon/config/ike_cfg.h @@ -36,10 +36,12 @@ typedef struct ike_cfg_t ike_cfg_t; /** * @brief An ike_cfg_t defines the rules to set up an IKE_SA. * + * @see peer_cfg_t to get an overview over the configurations. + * * @b Constructors: * - ike_cfg_create() * - * @ingroup ike_cfg + * @ingroup config */ struct ike_cfg_t { diff --git a/src/charon/config/peer_cfg.h b/src/charon/config/peer_cfg.h index b0e3c8a3a..7e6b8c62a 100644 --- a/src/charon/config/peer_cfg.h +++ b/src/charon/config/peer_cfg.h @@ -69,7 +69,7 @@ extern enum_name_t *cert_policy_names; * * These values are the same as in pluto/starter, so do not modify them! * - * @ingroup peer_cfg + * @ingroup config */ enum dpd_action_t { /** DPD disabled */ 
@@ -90,10 +90,26 @@ extern enum_name_t *dpd_action_names; /** * @brief Configuration of a peer, specified by IDs. * + * The peer config defines a connection between two given IDs. It contains + * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains + * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. + * @verbatim + + +-------------------+ +---------------+ + +---------------+ | peer_cfg | +---------------+ | + | ike_cfg | +-------------------+ | child_cfg | | + +---------------+ | - ids | +---------------+ | + | - hosts | 1 1 | - cas | 1 n | - proposals | | + | - proposals |<------| - auth info |-------->| - traffic sel | | + | - ... | | - dpd config | | - ... |-+ + +---------------+ | - ... | +---------------+ + +-------------------+ + @endverbatim + * * @b Constructors: * - peer_cfg_create() * - * @ingroup peer_cfg + * @ingroup config */ struct peer_cfg_t { diff --git a/src/charon/config/proposal.h b/src/charon/config/proposal.h index abcb40999..4bee08e28 100644 --- a/src/charon/config/proposal.h +++ b/src/charon/config/proposal.h @@ -102,6 +102,8 @@ extern enum_name_t *extended_sequence_numbers_names; /** * Struct used to store different kinds of algorithms. The internal * lists of algorithms contain such structures. + * + * @ingroup config */ struct algorithm_t { /** diff --git a/src/charon/control/stroke_interface.c b/src/charon/control/stroke_interface.c index 51e6c6dc1..8d9c94eb9 100755 --- a/src/charon/control/stroke_interface.c +++ b/src/charon/control/stroke_interface.c @@ -327,7 +327,10 @@ static void stroke_add_conn(private_stroke_interface_t *this, { my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0); } - other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); + if (msg->add_conn.other.virtual_ip) + { + other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); + } if (msg->add_conn.me.tohost) { 
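Review bot: `other_vip` is now assigned only when `msg->add_conn.other.virtual_ip` is set, so every later use, including the `DESTROY_IF(other_vip)` added in the `use_existing` hunk further down this file, relies on the pointer having been initialised to NULL. The declaration is outside the hunk, so this cannot be confirmed from here; if it is a plain `host_t *other_vip;`, the cleanup would run on an indeterminate pointer. Declaring both as `host_t *my_vip = NULL, *other_vip = NULL;` makes the conditional assignment safe. stroke_add_conn begins and ends outside the hunk.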
@@ -448,6 +451,8 @@ static void stroke_add_conn(private_stroke_interface_t *this, if (use_existing) { + DESTROY_IF(my_vip); + DESTROY_IF(other_vip); my_host->destroy(my_host); my_id->destroy(my_id); my_ca->destroy(my_ca); diff --git a/src/charon/control/stroke_interface.h b/src/charon/control/stroke_interface.h index 8ba81ad70..7fab28fec 100644 --- a/src/charon/control/stroke_interface.h +++ b/src/charon/control/stroke_interface.h @@ -39,7 +39,7 @@ typedef struct stroke_t stroke_t; * @b Constructors: * - stroke_create() * - * @ingroup threads + * @ingroup control */ struct stroke_t { @@ -58,7 +58,7 @@ struct stroke_t { * @param backend backend to store received configurations * @return stroke_t object * - * @ingroup threads + * @ingroup control */ stroke_t *stroke_create(local_backend_t *backend); diff --git a/src/charon/daemon.c b/src/charon/daemon.c index ef07d6531..9640f1cf2 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -176,7 +176,6 @@ static void destroy(private_daemon_t *this) /* destroy other infrastructure */ DESTROY_IF(this->public.job_queue); DESTROY_IF(this->public.event_queue); - DESTROY_IF(this->public.configuration); DESTROY_IF(this->public.credentials); DESTROY_IF(this->public.cfg_store); DESTROY_IF(this->public.local_backend); @@ -258,7 +257,6 @@ static void initialize(private_daemon_t *this, bool strict, bool syslog, DBG1(DBG_DMN, "starting charon (strongSwan Version %s)", VERSION); - this->public.configuration = configuration_create(); this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT); this->public.ike_sa_manager = ike_sa_manager_create(); this->public.job_queue = job_queue_create(); @@ -334,7 +332,6 @@ private_daemon_t *daemon_create(void) this->public.ike_sa_manager = NULL; this->public.job_queue = NULL; this->public.event_queue = NULL; - this->public.configuration = NULL; this->public.credentials = NULL; this->public.cfg_store = NULL; this->public.local_backend = NULL; 
diff --git a/src/charon/daemon.h b/src/charon/daemon.h index 6ba676812..ebc38738e 100644 --- a/src/charon/daemon.h +++ b/src/charon/daemon.h @@ -97,6 +97,14 @@ typedef struct daemon_t daemon_t; */ /** + * @defgroup bus bus + * + * Signaling bus and its listeners. + * + * @ingroup charon + */ + +/** * @defgroup config config * * Classes implementing configuration related things. @@ -105,6 +113,30 @@ typedef struct daemon_t daemon_t; */ /** + * @defgroup backends backends + * + * Classes implementing configuration backends. + * + * @ingroup config + */ + +/** + * @defgroup credentials credentials + * + * Trust chain verification and certificate store. + * + * @ingroup config + */ + +/** + * @defgroup control control + * + * Classes which control the daemon using IPC mechanisms. + * + * @ingroup charon + */ + +/** * @defgroup encoding encoding * * Classes used to encode and decode IKEv2 messages. 
@@ -121,52 +153,49 @@ typedef struct daemon_t daemon_t; */ /** - * @defgroup network network + * @defgroup kernel kernel * - * Classes for network relevant stuff. + * Classes to configure and query the kernel. * * @ingroup charon */ /** - * @defgroup queues queues + * @defgroup network network * - * Different kind of queues - * (thread save lists). + * Classes for sending and receiving UDP packets over the network. * * @ingroup charon */ /** - * @defgroup jobs jobs + * @defgroup processing processing * - * Jobs used in job queue and event queue. + * Queueing, scheduling and processing of jobs * - * @ingroup queues + * @ingroup charon */ /** - * @defgroup sa sa + * @defgroup jobs jobs * - * Security associations for IKE and IPSec, - * and some helper classes. + * Jobs to queue, schedule and process. * - * @ingroup charon + * @ingroup processing */ /** - * @defgroup tasks tasks + * @defgroup sa sa * - * Tasks process and build message payloads. They are used to create - * and process multiple exchanges. + * Security associations for IKE and IPSec, and its helper classes. * - * @ingroup sa + * @ingroup charon */ /** * @defgroup authenticators authenticators * - * Authenticator classes to prove identity of peer. + * Authenticator classes to prove identity of a peer. * * @ingroup sa */ @@ -174,25 +203,18 @@ typedef struct daemon_t daemon_t; /** * @defgroup eap eap * - * EAP authentication module interface and it's implementations. + * EAP module loader, interface and it's implementations. * * @ingroup authenticators */ - + /** - * @defgroup threads threads - * - * Threaded classes, which will do their job alone. - * - * @ingroup charon - */ - -/** - * @defgroup bus bus + * @defgroup tasks tasks * - * Signaling bus and its listeners. + * Tasks process and build message payloads. They are used to create + * and process multiple exchanges. * - * @ingroup charon + * @ingroup sa */ /** 
@@ -316,11 +338,6 @@ struct daemon_t { ike_sa_manager_t *ike_sa_manager; /** - * A configuration_t instance. - */ - configuration_t *configuration; - - /** * A connection_store_t instance. */ cfg_store_t *cfg_store; diff --git a/src/charon/kernel/kernel_interface.h b/src/charon/kernel/kernel_interface.h index 34b06f594..2a3eaff7a 100644 --- a/src/charon/kernel/kernel_interface.h +++ b/src/charon/kernel/kernel_interface.h @@ -35,6 +35,8 @@ typedef struct kernel_interface_t kernel_interface_t; /** * Configuration for NAT-T + * + * @ingroup kernel */ struct natt_conf_t { /** source port to use for UDP-encapsulated packets */ @@ -47,6 +49,8 @@ struct natt_conf_t { * Direction of a policy. These are equal to those * defined in xfrm.h, but we want to stay implementation * neutral here. + * + * @ingroup kernel */ enum policy_dir_t { /** Policy for inbound traffic */ @@ -71,7 +75,7 @@ enum policy_dir_t { * @b Constructors: * - kernel_interface_create() * - * @ingroup threads + * @ingroup kernel */ struct kernel_interface_t { @@ -324,7 +328,7 @@ struct kernel_interface_t { /** * @brief Creates an object of type kernel_interface_t. * - * @ingroup threads + * @ingroup kernel */ kernel_interface_t *kernel_interface_create(void); diff --git a/src/charon/network/receiver.h b/src/charon/network/receiver.h index 68d9136c0..1bfa7b764 100644 --- a/src/charon/network/receiver.h +++ b/src/charon/network/receiver.h @@ -54,7 +54,7 @@ typedef struct receiver_t receiver_t; * @b Constructors: * - receiver_create() * - * @ingroup threads + * @ingroup network */ struct receiver_t { @@ -74,7 +74,7 @@ struct receiver_t { * * @return receiver_t object * - * @ingroup threads + * @ingroup network */ receiver_t * receiver_create(void); diff --git a/src/charon/network/sender.h b/src/charon/network/sender.h index 4f42f6f9e..6f2a06891 100644 --- a/src/charon/network/sender.h +++ b/src/charon/network/sender.h 
@@ -35,7 +35,7 @@ typedef struct sender_t sender_t; * @b Constructors: * - sender_create() * - * @ingroup threads + * @ingroup network */ struct sender_t { @@ -67,7 +67,7 @@ struct sender_t { * * @return created sender object * - * @ingroup threads + * @ingroup network */ sender_t * sender_create(void); diff --git a/src/charon/processing/event_queue.h b/src/charon/processing/event_queue.h index 3258b254f..c85286bf2 100644 --- a/src/charon/processing/event_queue.h +++ b/src/charon/processing/event_queue.h @@ -45,7 +45,7 @@ typedef struct event_queue_t event_queue_t; * @b Constructors: * - event_queue_create() * - * @ingroup queues + * @ingroup processing */ struct event_queue_t { @@ -111,7 +111,7 @@ struct event_queue_t { * * @returns event_queue_t object * - * @ingroup queues + * @ingroup processing */ event_queue_t *event_queue_create(void); diff --git a/src/charon/processing/job_queue.h b/src/charon/processing/job_queue.h index 26e1492d8..9b58588ae 100644 --- a/src/charon/processing/job_queue.h +++ b/src/charon/processing/job_queue.h @@ -40,7 +40,7 @@ typedef struct job_queue_t job_queue_t; * @b Constructors: * - job_queue_create() * - * @ingroup queues + * @ingroup processing */ struct job_queue_t { @@ -93,7 +93,7 @@ struct job_queue_t { * * @return job_queue_t object * - * @ingroup queues + * @ingroup processing */ job_queue_t *job_queue_create(void); diff --git a/src/charon/processing/scheduler.h b/src/charon/processing/scheduler.h index daecce3c6..bea93e7c9 100644 --- a/src/charon/processing/scheduler.h +++ b/src/charon/processing/scheduler.h @@ -39,7 +39,7 @@ typedef struct scheduler_t scheduler_t; * @b Constructors: * - scheduler_create() * - * @ingroup threads + * @ingroup processing */ struct scheduler_t { @@ -61,7 +61,7 @@ struct scheduler_t { * - scheduler_t object * - NULL if thread could not be started * - * @ingroup threads + * @ingroup processing */ scheduler_t * scheduler_create(void); 
diff --git a/src/charon/processing/thread_pool.h b/src/charon/processing/thread_pool.h index 8e1989bda..09a6312a8 100644 --- a/src/charon/processing/thread_pool.h +++ b/src/charon/processing/thread_pool.h @@ -41,7 +41,7 @@ typedef struct thread_pool_t thread_pool_t; * * @todo Add support for dynamic thread handling * - * @ingroup threads + * @ingroup processing */ struct thread_pool_t { @@ -79,7 +79,7 @@ struct thread_pool_t { * - thread_pool_t object if one ore more threads could be started, or * - NULL if no threads could be created * - * @ingroup threads + * @ingroup processing */ thread_pool_t *thread_pool_create(size_t pool_size); diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index b1fced89b..db445f818 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -436,15 +436,14 @@ static status_t send_dpd(private_ike_sa_t *this) static void send_keepalive(private_ike_sa_t *this) { send_keepalive_job_t *job; - time_t last_out, now, diff, interval; + time_t last_out, now, diff; last_out = get_use_time(this, FALSE); now = time(NULL); diff = now - last_out; - interval = charon->configuration->get_keepalive_interval(charon->configuration); - if (diff >= interval) + if (diff >= KEEPALIVE_INTERVAL) { packet_t *packet; chunk_t data; @@ -462,7 +461,7 @@ static void send_keepalive(private_ike_sa_t *this) } job = send_keepalive_job_create(this->ike_sa_id); charon->event_queue->add_relative(charon->event_queue, (job_t*)job, - (interval - diff) * 1000); + (KEEPALIVE_INTERVAL - diff) * 1000); } /** 
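Review bot: The delay handed to `add_relative` in send_keepalive, `(KEEPALIVE_INTERVAL - diff) * 1000`, is computed from a `time_t` difference that is never bounded. If `diff` is negative (for example after the clock is stepped back, assuming `get_use_time` and `time(NULL)` share a wall-clock base), no keepalive is sent and the next check is scheduled more than one interval away, which can let a NAT mapping expire. Clamping first with `if (diff < 0) diff = 0;` would keep the delay within one interval. The lines between the two send_keepalive hunks are not visible, so whether `diff` is reset once a keepalive has been sent should be checked as well.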
@@ -526,9 +525,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) { /* delete may fail if a packet gets lost, so set a timeout */ job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); - charon->event_queue->add_relative(charon->event_queue, job, - charon->configuration->get_half_open_ike_sa_timeout( - charon->configuration)); + charon->event_queue->add_relative(charon->event_queue, job, + HALF_OPEN_IKE_SA_TIMEOUT); break; } default: @@ -747,10 +745,9 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) /* add a timeout if peer does not establish it completely */ job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE); charon->event_queue->add_relative(charon->event_queue, job, - charon->configuration->get_half_open_ike_sa_timeout( - charon->configuration)); + HALF_OPEN_IKE_SA_TIMEOUT); } - + /* check if message is trustworthy, and update host information */ if (this->state == IKE_CREATED || message->get_exchange_type(message) != IKE_SA_INIT) diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index c386f92eb..7f51fb213 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -34,7 +34,6 @@ typedef struct ike_sa_t ike_sa_t; #include <sa/ike_sa_id.h> #include <sa/child_sa.h> #include <sa/tasks/task.h> -#include <config/configuration.h> #include <utils/randomizer.h> #include <crypto/prfs/prf.h> #include <crypto/crypters/crypter.h> 
@@ -43,6 +42,35 @@ typedef struct ike_sa_t ike_sa_t; #include <config/ike_cfg.h> /** + * Timeout in milliseconds after that a half open IKE_SA gets deleted. + * + * @ingroup sa + */ +#define HALF_OPEN_IKE_SA_TIMEOUT 30000 + +/** + * Interval to send keepalives when NATed, in seconds. + * + * @ingroup sa + */ +#define KEEPALIVE_INTERVAL 20 + +/** + * After which time rekeying should be retried if it failed, in seconds. + * + * @ingroup sa + */ +#define RETRY_INTERVAL 30 + +/** + * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry. + * + * @ingroup sa + */ +#define RETRY_JITTER 20 + + +/** * @brief State of an IKE_SA. * * An IKE_SA passes various states in its lifetime. A newly created diff --git a/src/charon/sa/task_manager.c b/src/charon/sa/task_manager.c index cbdc67837..9633ba740 100644 --- a/src/charon/sa/task_manager.c +++ b/src/charon/sa/task_manager.c @@ -22,6 +22,8 @@ #include "task_manager.h" +#include <math.h> + #include <daemon.h> #include <sa/tasks/ike_init.h> #include <sa/tasks/ike_natd.h> @@ -210,9 +212,12 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) u_int32_t timeout; job_t *job; - timeout = charon->configuration->get_retransmit_timeout( - charon->configuration, this->initiating.retransmitted); - if (timeout == 0) + if (this->initiating.retransmitted <= RETRANSMIT_TRIES) + { + timeout = (u_int32_t)(RETRANSMIT_TIMEOUT * + pow(RETRANSMIT_BASE, this->initiating.retransmitted)); + } + else { DBG1(DBG_IKE, "giving up after %d retransmits", this->initiating.retransmitted - 1); diff --git a/src/charon/sa/task_manager.h b/src/charon/sa/task_manager.h index c766d4a65..fb34aab6a 100644 --- a/src/charon/sa/task_manager.h +++ b/src/charon/sa/task_manager.h 
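Review bot: The four macros added to ike_sa.h mix units without showing it in their names: `HALF_OPEN_IKE_SA_TIMEOUT` is in milliseconds and is passed to `add_relative` unchanged in ike_sa.c, while `KEEPALIVE_INTERVAL` is in seconds and is multiplied by 1000 in send_keepalive, and `RETRY_INTERVAL` and `RETRY_JITTER` are documented as seconds. The half-open timeout bounds how long an unauthenticated IKE_SA is kept, so a unit slip at a call site would be easy to make and hard to notice. Consider unit suffixes, e.g. `#define HALF_OPEN_IKE_SA_TIMEOUT_MS 30000`, or at least a comment naming the unit at each use.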
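Review bot: The `<=` in `if (this->initiating.retransmitted <= RETRANSMIT_TRIES)` still schedules a timeout when the counter equals RETRANSMIT_TRIES, which matches the six-row table added to task_manager.h but not its sentence "When try reaches RETRANSMIT_TRIES, retransmission is given up" nor the macro comment "Number of retransmits done before giving up". One of the two should change so the time until a peer is declared dead is unambiguous; if the code is right, a comment such as `/* tries 0..RETRANSMIT_TRIES inclusive, see task_manager.h */` would do. `timeout` is also left unassigned on the else path, which is fine only if that branch returns before using it; the rest of retransmit is outside the hunk.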
@@ -31,6 +31,28 @@ typedef struct task_manager_t task_manager_t; #include <sa/tasks/task.h> /** + * First retransmit timeout in milliseconds. + * + * @ingroup sa + */ +#define RETRANSMIT_TIMEOUT 4000 + +/** + * Base which is raised to the power of the retransmission try. + * + * @ingroup sa + */ +#define RETRANSMIT_BASE 1.8 + +/** + * Number of retransmits done before giving up. + * + * @ingroup sa + */ +#define RETRANSMIT_TRIES 5 + + +/** * @brief The task manager, juggles task and handles message exchanges. * * On incoming requests, the task manager creates new tasks on demand and @@ -43,6 +65,24 @@ typedef struct task_manager_t task_manager_t; * For the initial IKE_SA setup, several tasks are queued: One for the * unauthenticated IKE_SA setup, one for authentication, one for CHILD_SA setup * and maybe one for virtual IP assignement. + * The task manager is also responsible for retransmission. It uses a backoff + * algorithm. The timeout is calculated using + * RETRANSMIT_TIMEOUT * (RETRANSMIT_BASE ** try). + * When try reaches RETRANSMIT_TRIES, retransmission is given up. + * + * Using an initial TIMEOUT of 4s, a BASE of 1.8, and 5 TRIES gives us: + * @verbatim + | relative | absolute + --------------------------------------------------------- + 4s * (1.8 ** 0) = 4s 4s + 4s * (1.8 ** 1) = 7s 11s + 4s * (1.8 ** 2) = 13s 24s + 4s * (1.8 ** 3) = 23s 47s + 4s * (1.8 ** 4) = 42s 89s + 4s * (1.8 ** 5) = 76s 165s + + @endberbatim + * The peer is considered dead after 2min 45s when no reply comes in. * * @b Constructors: * - task_manager_create() diff --git a/src/charon/sa/tasks/child_rekey.c b/src/charon/sa/tasks/child_rekey.c index af0e4d3b5..1621357cc 100644 --- a/src/charon/sa/tasks/child_rekey.c +++ b/src/charon/sa/tasks/child_rekey.c 
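Review bot: The verbatim block added to the task_manager_t description is closed with `@endberbatim`, which Doxygen will not recognise, so the text after the table up to the end of the comment would be rendered as verbatim. It should read `@endverbatim`.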
@@ -192,8 +192,8 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) this->collision->get_type(this->collision) == CHILD_DELETE)) { job_t *job; - u_int32_t retry = charon->configuration->get_retry_interval( - charon->configuration); + u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER); + job = (job_t*)rekey_child_sa_job_create( this->child_sa->get_reqid(this->child_sa), this->child_sa->get_protocol(this->child_sa), diff --git a/src/charon/sa/tasks/ike_rekey.c b/src/charon/sa/tasks/ike_rekey.c index 04dd229ea..3c3eae5df 100644 --- a/src/charon/sa/tasks/ike_rekey.c +++ b/src/charon/sa/tasks/ike_rekey.c @@ -169,8 +169,7 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) this->collision->get_type(this->collision) == IKE_DELETE)) { job_t *job; - u_int32_t retry = charon->configuration->get_retry_interval( - charon->configuration); + u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER); job = (job_t*)rekey_ike_sa_job_create( this->ike_sa->get_id(this->ike_sa), FALSE); DBG1(DBG_IKE, "IKE_SA rekeying failed, " |
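Review bot: `RETRY_INTERVAL - (random() % RETRY_JITTER)` is now written out in process_i here and again in the ike_rekey.c hunk below, where before there was a single implementation. A shared helper next to the constants, for example `#define RETRY_DELAY() (RETRY_INTERVAL - (random() % RETRY_JITTER))` (name is only a suggestion), would keep the two in step and put the `RETRY_JITTER < RETRY_INTERVAL` requirement in one place. `random()` needs `<stdlib.h>`, which the deleted configuration.c included explicitly; the include lists of these two files are not in the hunks, so that is worth checking, as is whether the generator is seeded anywhere, since an unseeded `random()` yields the same jitter sequence on every start. Both process_i functions begin and end outside their hunks.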