diff options
| -rw-r--r-- | src/libcharon/config/child_cfg.c | 79 | ||||
| -rw-r--r-- | src/libcharon/config/child_cfg.h | 4 | ||||
| -rw-r--r-- | src/libcharon/config/peer_cfg.c | 10 | ||||
| -rw-r--r-- | src/libcharon/config/peer_cfg.h | 10 | ||||
| -rw-r--r-- | src/libcharon/sa/child_sa.c | 10 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev1/tasks/quick_mode.c | 51 | ||||
| -rw-r--r-- | src/libcharon/sa/ikev2/tasks/child_create.c | 100 | ||||
| -rw-r--r-- | src/libcharon/sa/trap_manager.c | 14 |
8 files changed, 160 insertions, 118 deletions
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index b037158d3..e65f32022 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -237,12 +237,16 @@ METHOD(child_cfg_t, add_traffic_selector, void, } METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, - private_child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host) + private_child_cfg_t *this, bool local, linked_list_t *supplied, + linked_list_t *hosts) { enumerator_t *e1, *e2; traffic_selector_t *ts1, *ts2, *selected; - linked_list_t *result = linked_list_create(); + linked_list_t *result, *derived; + host_t *host; + result = linked_list_create(); + derived = linked_list_create(); if (local) { e1 = this->my_ts->create_enumerator(this->my_ts); @@ -251,42 +255,48 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, { e1 = this->other_ts->create_enumerator(this->other_ts); } - - /* no list supplied, just fetch the stored traffic selectors */ - if (supplied == NULL) + /* In a first step, replace "dynamic" TS with the host list */ + while (e1->enumerate(e1, &ts1)) { - DBG2(DBG_CFG, "proposing traffic selectors for %s:", - local ? "us" : "other"); - while (e1->enumerate(e1, &ts1)) + if (ts1->is_dynamic(ts1)) { - /* we make a copy of the TS, this allows us to update dynamic TS' */ - selected = ts1->clone(ts1); - if (host && selected->is_dynamic(selected)) + if (hosts) { - selected->set_address(selected, host); + e2 = hosts->create_enumerator(hosts); + while (e2->enumerate(e2, &host)) + { + ts2 = ts1->clone(ts1); + ts2->set_address(ts2, host); + result->insert_last(derived, ts2); + } + e2->destroy(e2); } - DBG2(DBG_CFG, " %R (derived from %R)", selected, ts1); - result->insert_last(result, selected); } - e1->destroy(e1); + else + { + derived->insert_last(derived, ts1->clone(ts1)); + } + } + e1->destroy(e1); + + DBG2(DBG_CFG, "%s traffic selectors for %s:", + supplied ? "selecting" : "proposing", local ? "us" : "other"); + if (supplied == NULL) + { + while (derived->remove_first(derived, (void**)&ts1) == SUCCESS) + { + DBG2(DBG_CFG, " %R", ts1); + result->insert_last(result, ts1); + } } else { - DBG2(DBG_CFG, "selecting traffic selectors for %s:", - local ? "us" : "other"); - e2 = supplied->create_enumerator(supplied); - /* iterate over all stored selectors */ - while (e1->enumerate(e1, &ts1)) + e1 = supplied->create_enumerator(supplied); + /* enumerate all configured/derived selectors */ + while (derived->remove_first(derived, (void**)&ts1) == SUCCESS) { - /* we make a copy of the TS, as we have to update dynamic TS' */ - ts1 = ts1->clone(ts1); - if (host && ts1->is_dynamic(ts1)) - { - ts1->set_address(ts1, host); - } - - /* iterate over all supplied traffic selectors */ - while (e2->enumerate(e2, &ts2)) + /* enumerate all supplied traffic selectors */ + while (e1->enumerate(e1, &ts2)) { selected = ts1->get_subset(ts1, ts2); if (selected) @@ -301,13 +311,12 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, ts1, ts2); } } - e2->destroy(e2); - e2 = supplied->create_enumerator(supplied); + supplied->reset_enumerator(supplied, e1); ts1->destroy(ts1); } e1->destroy(e1); - e2->destroy(e2); } + derived->destroy(derived); /* remove any redundant traffic selectors in the list */ e1 = result->create_enumerator(result); @@ -322,16 +331,14 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, { result->remove_at(result, e2); ts2->destroy(ts2); - e1->destroy(e1); - e1 = result->create_enumerator(result); + result->reset_enumerator(result, e1); break; } if (ts1->is_contained_in(ts1, ts2)) { result->remove_at(result, e1); ts1->destroy(ts1); - e2->destroy(e2); - e2 = result->create_enumerator(result); + result->reset_enumerator(result, e2); break; } } diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 370ff9d58..6e8829a47 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -129,12 +129,12 @@ struct child_cfg_t { * * @param local TRUE for TS on local side, FALSE for remote * @param supplied list with TS to select from, or NULL - * @param host address to use for narrowing "dynamic" TS', or NULL + * @param hosts addresses to use for narrowing "dynamic" TS', host_t * @return list containing the traffic selectors */ linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, linked_list_t *supplied, - host_t *host); + linked_list_t *hosts); /** * Get the updown script to run for the CHILD_SA. * diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 59869eab2..01ca026e1 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -256,7 +256,7 @@ METHOD(peer_cfg_t, create_child_cfg_enumerator, enumerator_t*, * Check how good a list of TS matches a given child config */ static int get_ts_match(child_cfg_t *cfg, bool local, - linked_list_t *sup_list, host_t *host) + linked_list_t *sup_list, linked_list_t *hosts) { linked_list_t *cfg_list; enumerator_t *sup_enum, *cfg_enum; @@ -264,7 +264,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local, int match = 0, round; /* fetch configured TS list, narrowing dynamic TS */ - cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, host); + cfg_list = cfg->get_traffic_selectors(cfg, local, NULL, hosts); /* use a round counter to rate leading TS with higher priority */ round = sup_list->get_count(sup_list); @@ -297,7 +297,7 @@ static int get_ts_match(child_cfg_t *cfg, bool local, METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*, private_peer_cfg_t *this, linked_list_t *my_ts, linked_list_t *other_ts, - host_t *my_host, host_t *other_host) + linked_list_t *my_hosts, linked_list_t *other_hosts) { child_cfg_t *current, *found = NULL; enumerator_t *enumerator; @@ -309,8 +309,8 @@ METHOD(peer_cfg_t, select_child_cfg, child_cfg_t*, { int my_prio, other_prio; - my_prio = get_ts_match(current, TRUE, my_ts, my_host); - other_prio = get_ts_match(current, FALSE, other_ts, other_host); + my_prio = get_ts_match(current, TRUE, my_ts, my_hosts); + other_prio = get_ts_match(current, FALSE, other_ts, other_hosts); if (my_prio && other_prio) { diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 418e45532..97089e1b0 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -183,13 +183,13 @@ struct peer_cfg_t { * * @param my_ts TS for local side * @param other_ts TS for remote side - * @param my_host host to narrow down dynamic TS for local side - * @param other_host host to narrow down dynamic TS for remote side + * @param my_hosts hosts to narrow down dynamic TS for local side + * @param other_hosts hosts to narrow down dynamic TS for remote side * @return selected CHILD config, or NULL if no match found */ - child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts, - linked_list_t *other_ts, host_t *my_host, - host_t *other_host); + child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, + linked_list_t *my_ts, linked_list_t *other_ts, + linked_list_t *my_hosts, linked_list_t *other_hosts); /** * Add an authentication config to the peer configuration. diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index c3fbd8b53..1245734c9 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -1125,12 +1125,14 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, chunk_t addr; host_t *host; enumerator_t *enumerator; - linked_list_t *my_ts_list, *other_ts_list; + linked_list_t *my_ts_list, *other_ts_list, *list; traffic_selector_t *my_ts, *other_ts; this->mode = MODE_TRANSPORT; - my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, me); + list = linked_list_create_with_items(me, NULL); + my_ts_list = config->get_traffic_selectors(config, TRUE, NULL, list); + list->destroy(list); enumerator = my_ts_list->create_enumerator(my_ts_list); if (enumerator->enumerate(enumerator, &my_ts)) { @@ -1151,7 +1153,9 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, enumerator->destroy(enumerator); my_ts_list->destroy_offset(my_ts_list, offsetof(traffic_selector_t, destroy)); - other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, other); + list = linked_list_create_with_items(other, NULL); + other_ts_list = config->get_traffic_selectors(config, FALSE, NULL, list); + list->destroy(list); enumerator = other_ts_list->create_enumerator(other_ts_list); if (enumerator->enumerate(enumerator, &other_ts)) { diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c index 39fbd59e0..b0f9fa1a0 100644 --- a/src/libcharon/sa/ikev1/tasks/quick_mode.c +++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c @@ -198,36 +198,36 @@ static bool have_pool(ike_sa_t *ike_sa) } /** - * Get host to use for dynamic traffic selectors + * Get hosts to use for dynamic traffic selectors */ -static host_t *get_dynamic_host(ike_sa_t *ike_sa, bool local) +static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local) { enumerator_t *enumerator; + linked_list_t *list; host_t *host; + list = linked_list_create(); enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local); - if (!enumerator->enumerate(enumerator, &host)) + while (enumerator->enumerate(enumerator, &host)) { + list->insert_last(list, host); + } + enumerator->destroy(enumerator); + + if (list->get_count(list) == 0) + { /* no virtual IPs assigned */ if (local) { host = ike_sa->get_my_host(ike_sa); + list->insert_last(list, host); } - else - { - if (have_pool(ike_sa)) - { - /* we have an IP address pool, but didn't negotiate a - * virtual IP. */ - host = NULL; - } - else - { - host = ike_sa->get_other_host(ike_sa); - } + else if (!have_pool(ike_sa)) + { /* use host only if we don't have a pool configured */ + host = ike_sa->get_other_host(ike_sa); + list->insert_last(list, host); } } - enumerator->destroy(enumerator); - return host; + return list; } /** @@ -452,10 +452,12 @@ static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local, linked_list_t *supplied) { traffic_selector_t *ts; - linked_list_t *list; + linked_list_t *list, *hosts; - list = this->config->get_traffic_selectors(this->config, local, - supplied, get_dynamic_host(this->ike_sa, local)); + hosts = get_dynamic_hosts(this->ike_sa, local); + list = this->config->get_traffic_selectors(this->config, + local, supplied, hosts); + hosts->destroy(hosts); if (list->get_first(list, (void**)&ts) == SUCCESS) { if (this->initiator && list->get_count(list) > 1) @@ -887,7 +889,7 @@ METHOD(task_t, process_r, status_t, case QM_INIT: { sa_payload_t *sa_payload; - linked_list_t *tsi, *tsr, *list = NULL; + linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL; peer_cfg_t *peer_cfg; u_int16_t group; bool private; @@ -910,9 +912,12 @@ METHOD(task_t, process_r, status_t, tsi = linked_list_create_with_items(this->tsi, NULL); tsr = linked_list_create_with_items(this->tsr, NULL); this->tsi = this->tsr = NULL; + hostsi = get_dynamic_hosts(this->ike_sa, FALSE); + hostsr = get_dynamic_hosts(this->ike_sa, TRUE); this->config = peer_cfg->select_child_cfg(peer_cfg, tsr, tsi, - get_dynamic_host(this->ike_sa, TRUE), - get_dynamic_host(this->ike_sa, FALSE)); + hostsr, hostsi); + hostsi->destroy(hostsi); + hostsr->destroy(hostsr); if (this->config) { this->tsi = select_ts(this, FALSE, tsi); diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c index 990118732..46a165546 100644 --- a/src/libcharon/sa/ikev2/tasks/child_create.c +++ b/src/libcharon/sa/ikev2/tasks/child_create.c @@ -308,36 +308,36 @@ static bool have_pool(ike_sa_t *ike_sa) } /** - * Get host to use for dynamic traffic selectors + * Get hosts to use for dynamic traffic selectors */ -static host_t *get_dynamic_host(ike_sa_t *ike_sa, bool local) +static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local) { enumerator_t *enumerator; + linked_list_t *list; host_t *host; + list = linked_list_create(); enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local); - if (!enumerator->enumerate(enumerator, &host)) + while (enumerator->enumerate(enumerator, &host)) { + list->insert_last(list, host); + } + enumerator->destroy(enumerator); + + if (list->get_count(list) == 0) + { /* no virtual IPs assigned */ if (local) { host = ike_sa->get_my_host(ike_sa); + list->insert_last(list, host); } - else - { - if (have_pool(ike_sa)) - { - /* we have an IP address pool, but didn't negotiate a - * virtual IP. */ - host = NULL; - } - else - { - host = ike_sa->get_other_host(ike_sa); - } + else if (!have_pool(ike_sa)) + { /* use host only if we don't have a pool configured */ + host = ike_sa->get_other_host(ike_sa); + list->insert_last(list, host); } } - enumerator->destroy(enumerator); - return host; + return list; } /** @@ -353,7 +353,7 @@ static status_t select_and_install(private_child_create_t *this, chunk_t nonce_i, nonce_r; chunk_t encr_i = chunk_empty, encr_r = chunk_empty; chunk_t integ_i = chunk_empty, integ_r = chunk_empty; - linked_list_t *my_ts, *other_ts; + linked_list_t *my_ts, *other_ts, *list; host_t *me, *other; bool private; @@ -422,10 +422,14 @@ static status_t select_and_install(private_child_create_t *this, my_ts = this->tsr; other_ts = this->tsi; } - my_ts = this->config->get_traffic_selectors(this->config, TRUE, my_ts, - get_dynamic_host(this->ike_sa, TRUE)); - other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, - get_dynamic_host(this->ike_sa, FALSE)); + list = get_dynamic_hosts(this->ike_sa, TRUE); + my_ts = this->config->get_traffic_selectors(this->config, + TRUE, my_ts, list); + list->destroy(list); + list = get_dynamic_hosts(this->ike_sa, FALSE); + other_ts = this->config->get_traffic_selectors(this->config, + FALSE, other_ts, list); + list->destroy(list); if (this->initiator) { @@ -796,6 +800,7 @@ METHOD(task_t, build_i, status_t, enumerator_t *enumerator; host_t *vip; peer_cfg_t *peer_cfg; + linked_list_t *list; switch (message->get_exchange_type(message)) { @@ -835,24 +840,37 @@ METHOD(task_t, build_i, status_t, } /* check if we want a virtual IP, but don't have one */ + list = linked_list_create(); peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); - enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg); - if (!this->reqid && enumerator->enumerate(enumerator, &vip)) + if (!this->reqid) { - /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */ - vip = host_create_any(vip->get_family(vip)); - this->tsi = this->config->get_traffic_selectors(this->config, TRUE, - NULL, vip); - vip->destroy(vip); + enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg); + while (enumerator->enumerate(enumerator, &vip)) + { + /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */ + vip = host_create_any(vip->get_family(vip)); + list->insert_last(list, vip); + } + enumerator->destroy(enumerator); } - else - { /* but narrow it for host2host / if we already have a vip */ - this->tsi = this->config->get_traffic_selectors(this->config, TRUE, NULL, - get_dynamic_host(this->ike_sa, TRUE)); + if (list->get_count(list)) + { + this->tsi = this->config->get_traffic_selectors(this->config, + TRUE, NULL, list); + list->destroy_offset(list, offsetof(host_t, destroy)); } - enumerator->destroy(enumerator); - this->tsr = this->config->get_traffic_selectors(this->config, FALSE, NULL, - get_dynamic_host(this->ike_sa, FALSE)); + else + { /* no virtual IPs configured */ + list->destroy(list); + list = get_dynamic_hosts(this->ike_sa, TRUE); + this->tsi = this->config->get_traffic_selectors(this->config, + TRUE, NULL, list); + list->destroy(list); + } + list = get_dynamic_hosts(this->ike_sa, FALSE); + this->tsr = this->config->get_traffic_selectors(this->config, + FALSE, NULL, list); + list->destroy(list); if (this->packet_tsi) { @@ -1008,10 +1026,14 @@ METHOD(task_t, build_r, status_t, peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); if (!this->config && peer_cfg && this->tsi && this->tsr) { + linked_list_t *listr, *listi; + + listr = get_dynamic_hosts(this->ike_sa, TRUE); + listi = get_dynamic_hosts(this->ike_sa, FALSE); this->config = peer_cfg->select_child_cfg(peer_cfg, - this->tsr, this->tsi, - get_dynamic_host(this->ike_sa, TRUE), - get_dynamic_host(this->ike_sa, FALSE)); + this->tsr, this->tsi, listr, listi); + listr->destroy(listr); + listi->destroy(listi); } if (this->config == NULL) diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index b3d9e1597..fdcfa0a20 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -98,7 +98,7 @@ METHOD(trap_manager_t, install, u_int32_t, ike_cfg_t *ike_cfg; child_sa_t *child_sa; host_t *me, *other; - linked_list_t *my_ts, *other_ts; + linked_list_t *my_ts, *other_ts, *list; enumerator_t *enumerator; bool found = FALSE; status_t status; @@ -152,10 +152,14 @@ METHOD(trap_manager_t, install, u_int32_t, /* create and route CHILD_SA */ child_sa = child_sa_create(me, other, child, 0, FALSE); - my_ts = child->get_traffic_selectors(child, TRUE, NULL, me); - other_ts = child->get_traffic_selectors(child, FALSE, NULL, other); - me->destroy(me); - other->destroy(other); + + list = linked_list_create_with_items(me, NULL); + my_ts = child->get_traffic_selectors(child, TRUE, NULL, list); + list->destroy_offset(list, offsetof(host_t, destroy)); + + list = linked_list_create_with_items(other, NULL); + other_ts = child->get_traffic_selectors(child, FALSE, NULL, list); + list->destroy_offset(list, offsetof(host_t, destroy)); /* while we don't know the finally negotiated protocol (ESP|AH), we * could iterate all proposals for a best guess (TODO). But as we |