Revision 230 - (show annotations) (download)
Fri Feb 5 10:57:10 2010 UTC (3 years, 3 months ago) by harald-jenny-guest
the new upstream release (hope I finally done it right...)
1 /* routines for state objects
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * Copyright (C) 2003-2008 Michael C Richardson <mcr@xelerance.com>
5 * Copyright (C) 2003-2009 Paul Wouters <paul@xelerance.com>
6 * Copyright (C) 2008-2009 David McCullough <david_mccullough@securecomputing.com>
7 * Copyright (C) 2009 Avesh Agarwal <avagarwa@redhat.com>
8 *
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 *
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
17 * for more details.
18 *
19 */
20
21 #include <stdio.h>
22 #include <stdlib.h>
23 #include <string.h>
24 #include <unistd.h>
25 #include <sys/types.h>
26 #include <sys/socket.h>
27 #include <netinet/in.h>
28 #include <arpa/inet.h>
29 #include <fcntl.h>
30
31 #include <openswan.h>
32
33 #include "sysdep.h"
34 #include "constants.h"
35 #include "defs.h"
36 #include "id.h"
37 #include "x509.h"
38 #include "pgp.h"
39 #include "certs.h"
40 #ifdef XAUTH_USEPAM
41 #include <security/pam_appl.h>
42 #endif
43 #include "connections.h" /* needs id.h */
44 #include "state.h"
45 #include "kernel.h" /* needs connections.h */
46 #include "log.h"
47 #include "packet.h" /* so we can calculate sizeof(struct isakmp_hdr) */
48 #include "keys.h" /* for free_public_key */
49 #include "rnd.h"
50 #include "timer.h"
51 #include "whack.h"
52 #include "demux.h" /* needs packet.h */
53 #include "pending.h"
54 #include "ipsec_doi.h" /* needs demux.h and state.h */
55
56 #include "sha1.h"
57 #include "md5.h"
58 #include "cookie.h"
59 #include "crypto.h" /* requires sha1.h and md5.h */
60 #include "spdb.h"
61
62 #ifdef HAVE_LIBNSS
63 # include <nss.h>
64 # include <pk11pub.h>
65 # include <keyhi.h>
66 #endif
67
68 /*
69 * Global variables: had to go somewhere, might as well be this file.
70 */
71
u_int16_t pluto_port = IKE_UDP_PORT;	/* Pluto's port: the UDP port IKE is served on; starts at IKE_UDP_PORT and may be changed elsewhere */
73
74 /*
75 * This file has the functions that handle the
76 * state hash table and the Message ID list.
77 */
78
79 /* Message-IDs
80 *
81 * A Message ID is contained in each IKE message header.
82 * For Phase 1 exchanges (Main and Aggressive), it will be zero.
83 * For other exchanges, which must be under the protection of an
84 * ISAKMP SA, the Message ID must be unique within that ISAKMP SA.
85 * Effectively, this labels the message as belonging to a particular
86 * exchange.
87 * BTW, we feel this uniqueness allows rekeying to be somewhat simpler
88 * than specified by draft-jenkins-ipsec-rekeying-06.txt.
89 *
90 * A MessageID is a 32 bit unsigned number. We represent the value
91 * internally in network order -- they are just blobs to us.
92 * They are unsigned numbers to make hashing and comparing easy.
93 *
94 * The following mechanism is used to allocate message IDs. This
95 * requires that we keep track of which numbers have already been used
96 * so that we don't allocate one in use.
97 */
98
/* One entry of the per-ISAKMP-SA list of Message IDs already handed out.
 * The list is consulted by unique_msgid(), extended by reserve_msgid() and
 * torn down entry by entry in delete_state().
 */
struct msgid_list
{
    msgid_t msgid;	/* network order */
    struct msgid_list *next;	/* next entry; NULL terminates the list */
};
104
/* Is msgid not yet in use on this ISAKMP SA?
 *
 * isakmp_sa: the Phase 1 state whose st_used_msgids list is searched.
 * msgid:     candidate Message ID (network order, compared as a blob).
 * Asserts that msgid is not the Phase 1 value and that the SA is in an
 * encrypted state.  Returns TRUE when no list entry carries msgid.
 */
bool
unique_msgid(struct state *isakmp_sa, msgid_t msgid)
{
    const struct msgid_list *entry;

    passert(msgid != MAINMODE_MSGID);
    passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));

    entry = isakmp_sa->st_used_msgids;
    while (entry != NULL)
    {
        if (entry->msgid == msgid)
            return FALSE;	/* already reserved on this SA */
        entry = entry->next;
    }
    return TRUE;
}
119
/* Record msgid as used on this ISAKMP SA.
 *
 * Allocates one msgid_list entry and pushes it on the head of
 * isakmp_sa->st_used_msgids.  No uniqueness check is done here;
 * callers are expected to have used unique_msgid() first.
 * The entry is freed in delete_state().
 */
void
reserve_msgid(struct state *isakmp_sa, msgid_t msgid)
{
    struct msgid_list *entry = alloc_thing(struct msgid_list, "msgid");

    entry->msgid = msgid;
    /* push onto the head of the list */
    entry->next = isakmp_sa->st_used_msgids;
    isakmp_sa->st_used_msgids = entry;
}
130
/* Pick a fresh random Message ID for this ISAKMP SA.
 *
 * Draws random 32-bit values until one is non-zero and not already
 * reserved on isakmp_sa (zero is rejected before unique_msgid() sees it,
 * since that function asserts on MAINMODE_MSGID).  After 100 failed draws
 * it logs and returns the last candidate anyway — that value may then be
 * zero or a duplicate; the caller gets no other indication.
 * Does not reserve the returned value.
 */
msgid_t
generate_msgid(struct state *isakmp_sa)
{
    int attempts_left = 100;	/* only try so hard for unique msgid */
    msgid_t candidate;

    passert(IS_ISAKMP_ENCRYPTED(isakmp_sa->st_state));

    do {
        get_rnd_bytes((void *) &candidate, sizeof(candidate));
        if (candidate != 0 && unique_msgid(isakmp_sa, candidate))
            return candidate;
    } while (--attempts_left != 0);

    /* exhausted the budget: give up with whatever we drew last */
    openswan_log("gave up looking for unique msgid; using 0x%08lx"
                 , (unsigned long) candidate);
    return candidate;
}
154
155
156 /* state table functions */
157
/* Number of hash buckets.  The table never grows; each bucket is a doubly
 * linked chain (st_hashchain_next/prev), so every lookup in this file is a
 * linear walk of one chain.
 */
#define STATE_TABLE_SIZE 32

/* Chain heads, indexed by the bucket computed in state_hash(). */
static struct state *statetable[STATE_TABLE_SIZE];
161
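/* Map a cookie pair to its bucket in statetable.
 *
 * icookie, rcookie: COOKIE_SIZE bytes each.
 * bucketp: if non-NULL, receives the bucket index (set to -1 first; there
 *          is currently no early exit, so callers always see the index).
 * Returns the address of that bucket's chain head, so callers can both
 * read and relink the chain.
 */
static struct state **
state_hash(const u_char *icookie, const u_char *rcookie, int *bucketp)
{
    u_int i = 0, j;

    if (bucketp) *bucketp = -1;

    DBG(DBG_RAW | DBG_CONTROL,
        DBG_dump("ICOOKIE:", icookie, COOKIE_SIZE);
        DBG_dump("RCOOKIE:", rcookie, COOKIE_SIZE));

    /* XXX the following hash is pretty pathetic: the bucket spread
     * depends entirely on the cookie bytes and there are only
     * STATE_TABLE_SIZE buckets, so chains get long under load and
     * every find_* below degrades to a linear scan of a chain.
     */
    for (j = 0; j < COOKIE_SIZE; j++)
        i = i * 407 + icookie[j] + rcookie[j];

    i = i % STATE_TABLE_SIZE;

    /* i is unsigned: use %u rather than %d (mismatched specifier) */
    DBG(DBG_CONTROL, DBG_log("state hash entry %u", i));
    if (bucketp) *bucketp = (int) i;	/* i < STATE_TABLE_SIZE, so this fits */

    return &statetable[i];
}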
185
/* Allocate a fresh, zeroed state object and give it the next serial number.
 *
 * The new state is not in the hash table and has no event: the caller must
 * insert_state() it and must schedule an event for it so that it doesn't
 * leak.  st_whack_sock starts out as NULL_FD; the two hidden_variables
 * addresses start out as the IPv4 wildcard address.
 * Returns the new state (never NULL; allocation failure is handled inside
 * clone_thing()).
 */
struct state *
new_state(void)
{
    static const struct state blank_state;	/* static const => all zero & NULL */
    static so_serial_t next_so = SOS_FIRST;	/* serial number to hand out next */
    struct state *created;

    created = clone_thing(blank_state, "struct state in new_state()");
    created->st_serialno = next_so;
    next_so++;
    passert(next_so > SOS_FIRST);	/* overflow can't happen! */
    created->st_whack_sock = NULL_FD;

    /* presumably NAT-T bookkeeping; cleared to the wildcard address here */
    anyaddr(AF_INET, &created->hidden_variables.st_nat_oa);
    anyaddr(AF_INET, &created->hidden_variables.st_natd);

    DBG(DBG_CONTROL, DBG_log("creating state object #%lu at %p"
                             , created->st_serialno, (void *) created));
    return created;
}
209
/*
 * Initialize the state table: every chain head becomes NULL.
 */
void
init_states(void)
{
    struct state **bucket;

    for (bucket = statetable; bucket < statetable + STATE_TABLE_SIZE; bucket++)
        *bucket = NULL;
}
221
/* Find the state object with this serial number.
 * This allows state object references that don't turn into dangerous
 * dangling pointers: reference a state by its serial number.
 *
 * sn: the serial number to look for.  Values below SOS_FIRST are never
 *     handed out by new_state(), so they are rejected without a scan.
 * Returns NULL if there is no such state.  Sequential search over the
 * whole table; if this turns out to be a significant CPU hog it could be
 * improved to use a hash table.
 */
struct state *
state_with_serialno(so_serial_t sn)
{
    int bucket;

    if (sn < SOS_FIRST)
        return NULL;

    for (bucket = 0; bucket < STATE_TABLE_SIZE; bucket++)
    {
        struct state *cur;

        for (cur = statetable[bucket]; cur != NULL; cur = cur->st_hashchain_next)
        {
            if (cur->st_serialno == sn)
                return cur;
        }
    }
    return NULL;
}
244
/* Insert a state object in the hash table, at the head of its chain.
 *
 * st: a state that is not currently linked (asserted: both chain pointers
 *     NULL).  Its cookies select the bucket; st_connection and msgid are
 *     expected to be set already.
 * Side effects: if st has no event yet, an EVENT_SO_DISCARD is scheduled
 * so that the state cannot leak; refresh_state() is called last.
 */
void
insert_state(struct state *st)
{
    int bucketno;
    struct state **head = state_hash(st->st_icookie, st->st_rcookie, &bucketno);
    struct state *old_first;

    passert(st->st_hashchain_prev == NULL && st->st_hashchain_next == NULL);

    DBG(DBG_CONTROL
        , DBG_log("inserting state object #%lu on chain %u"
                  , st->st_serialno, bucketno));

    /* link st in front of whatever currently heads the chain */
    old_first = *head;
    if (old_first != NULL)
    {
        passert(old_first->st_hashchain_prev == NULL);
        old_first->st_hashchain_prev = st;
    }
    st->st_hashchain_next = old_first;
    *head = st;

    /* Ensure that somebody is in charge of killing this state:
     * if no event is scheduled for it, schedule one to discard the state.
     * If nothing goes wrong, this event will be replaced by
     * a more appropriate one.
     */
    if (st->st_event == NULL)
        event_schedule(EVENT_SO_DISCARD, 0, st);

    refresh_state(st);
}
279
/*
 * Move a state that was hashed with a zero rcookie into its proper bucket.
 *
 * st: a linked state.  If it heads its chain, that chain is looked up with
 *     (st_icookie, zero_cookie); otherwise its predecessor's next pointer
 *     is the link to fix.  Asserts that the link really points at st.
 * Unlinks st from both directions, clears its chain pointers and then
 * insert_state()s it again, which hashes with the current st_rcookie.
 */
void
rehash_state(struct state *st)
{
    int bucketno = -1;
    struct state *prev = st->st_hashchain_prev;
    struct state *next = st->st_hashchain_next;
    struct state **link;	/* the pointer that currently refers to st */

    if (prev == NULL)
        link = state_hash(st->st_icookie, zero_cookie, &bucketno);
    else
        link = &prev->st_hashchain_next;

    DBG(DBG_CONTROL
        , DBG_log("rehashing state object #%lu, removed from chain %d"
                  , st->st_serialno, bucketno));

    /* unlink from forward chain */
    passert(*link == st);
    *link = next;

    /* unlink from backward chain */
    if (next != NULL)
    {
        passert(next->st_hashchain_prev == st);
        next->st_hashchain_prev = prev;
    }

    st->st_hashchain_prev = NULL;
    st->st_hashchain_next = NULL;

    /* now, re-insert under the real rcookie */
    insert_state(st);
}
313
/* Unlink a state object from the hash table, but don't free it.
 *
 * st: a linked state.  If it heads its chain, the chain is located by
 *     hashing (st_icookie, st_rcookie) and, failing that, (st_icookie,
 *     zero_cookie) for a state that was never rehash_state()'d.
 *     Asserts that the located link really points at st.
 * On return both chain pointers of st are NULL.
 */
void
unhash_state(struct state *st)
{
    struct state *prev = st->st_hashchain_prev;
    struct state *next = st->st_hashchain_next;
    struct state **link;	/* the pointer that currently refers to st */

    if (prev != NULL)
    {
        link = &prev->st_hashchain_next;
    }
    else
    {
        link = state_hash(st->st_icookie, st->st_rcookie, NULL);
        if (*link != st)
            link = state_hash(st->st_icookie, zero_cookie, NULL);
    }

    /* unlink from forward chain */
    passert(*link == st);
    *link = next;

    /* unlink from backward chain */
    if (next != NULL)
    {
        passert(next->st_hashchain_prev == st);
        next->st_hashchain_prev = prev;
    }

    st->st_hashchain_prev = NULL;
    st->st_hashchain_next = NULL;
}
344
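/* Free the Whack socket file descriptor.
 * This has the side effect of telling Whack that we're done.
 *
 * st: the state owning the descriptor.  After the close the field is reset
 *     to NULL_FD so that a second release_whack(), or anything else that
 *     reads st_whack_sock later, cannot close or write to a descriptor
 *     number the kernel may since have handed to something else.
 *     (If close_any() already resets its argument this is redundant but
 *     harmless.)
 */
void
release_whack(struct state *st)
{
    close_any(st->st_whack_sock);
    st->st_whack_sock = NULL_FD;
}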
353
/* Delete a state object.
 *
 * Detaches st from everything that refers to it — DPD and timer events,
 * a suspended message, the pending list, the crypto queue, the hash table,
 * kernel SAs and its connection — then releases the memory.  The peer is
 * told (send_delete) only for established IPsec / ISAKMP SAs.
 *
 * st: the state to delete.  It is pfree()d on return; the caller must not
 *     touch it afterwards.  cur_state is restored, or cleared if it was st.
 * The order of the steps matters; see the comments at flush_pending_by_state()
 * and fake_state() below.
 */
void
delete_state(struct state *st)
{
    struct connection *const c = st->st_connection;
    /* cur_state must not be left dangling once st is freed */
    struct state *old_cur_state = cur_state == st? NULL : cur_state;

    DBG(DBG_CONTROL, DBG_log("deleting state #%lu", st->st_serialno));


    /* If DPD is enabled on this state object, clear any pending events */
    if(st->st_dpd_event != NULL)
        delete_dpd_event(st);

    /* if there is a suspended state transition, disconnect us */
    if (st->st_suspended_md != NULL)
    {
        passert(st->st_suspended_md->st == st);
        DBG(DBG_CONTROL, DBG_log("disconnecting state #%lu from md",
            st->st_serialno));
        st->st_suspended_md->st = NULL;
    }

    /* tell the other side of any IPSEC SAs that are going down */
    if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
    || IS_ISAKMP_SA_ESTABLISHED(st->st_state))
        send_delete(st);

    delete_event(st);	/* delete any pending timer event */

    /* Ditch anything pending on ISAKMP SA being established.
     * Note: this must be done before the unhash_state to prevent
     * flush_pending_by_state inadvertently and prematurely
     * deleting our connection.
     */
    flush_pending_by_state(st);

    /* if there is anything in the cryptographic queue, then remove this
     * state from it.
     */
    delete_cryptographic_continuation(st);

    /* effectively, this deletes any ISAKMP SA that this state represents */
    unhash_state(st);

    /* tell kernel to delete any IPSEC SA
     * ??? we ought to tell peer to delete IPSEC SAs
     */
    if (IS_IPSEC_SA_ESTABLISHED(st->st_state)
        || IS_CHILD_SA_ESTABLISHED(st))
        delete_ipsec_sa(st, FALSE);
    else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
        delete_ipsec_sa(st, TRUE);

    /* the connection must stop pointing at a serial number that is going away */
    if (c->newest_ipsec_sa == st->st_serialno)
        c->newest_ipsec_sa = SOS_NOBODY;

    if (c->newest_isakmp_sa == st->st_serialno)
        c->newest_isakmp_sa = SOS_NOBODY;

    /*
     * fake a state change here while we are still associated with a
     * connection. Without this the state logging (when enabled) cannot
     * work out what happened.
     */
    fake_state(st, STATE_UNDEFINED);

    st->st_connection = NULL;	/* we might be about to free it */
    cur_state = old_cur_state;	/* without st_connection, st isn't complete */
    connection_discard(c);

    change_state(st, STATE_UNDEFINED);

    release_whack(st);

    /* from here on we are just freeing RAM */

    {
        /* the Message-ID list built by reserve_msgid() */
        struct msgid_list *p = st->st_used_msgids;

        while (p != NULL)
        {
            struct msgid_list *q = p;
            p = p->next;
            pfree(q);
        }
    }

    unreference_key(&st->st_peer_pubkey);

    free_sa(st->st_sadb);
    st->st_sadb=NULL;

    if (st->st_sec_in_use) {
#ifdef HAVE_LIBNSS
        SECKEYPrivateKey *privk;
        SECKEYPublicKey *pubk;
        /* NOTE(review): these memcpy()s use the chunk length, not sizeof the
         * local; they rely on st->pubk / st_sec_chunk holding exactly one
         * pointer each — a longer chunk would overrun the locals.  Confirm
         * against the code that fills those chunks. */
        memcpy(&pubk,st->pubk.ptr,st->pubk.len);
        SECKEY_DestroyPublicKey(pubk);
        freeanychunk(st->pubk);
        memcpy(&privk,st->st_sec_chunk.ptr,st->st_sec_chunk.len);
        SECKEY_DestroyPrivateKey(privk);
#else
        mpz_clear(&(st->st_sec));
#endif
        /* DH secret material: freed without an explicit wipe here */
        pfreeany(st->st_sec_chunk.ptr);
    }

    /* Packets, DH values and derived keys.  None of these chunks is zeroed
     * before release in this function (whether freeanychunk() wipes is not
     * visible here — confirm); only the kernel keymat below is memset()
     * and only in the NSS build. */
    freeanychunk(st->st_firstpacket_me);
    freeanychunk(st->st_firstpacket_him);
    freeanychunk(st->st_tpacket);
    freeanychunk(st->st_rpacket);
    freeanychunk(st->st_p1isa);
    freeanychunk(st->st_gi);
    freeanychunk(st->st_gr);
    freeanychunk(st->st_shared);
    freeanychunk(st->st_ni);
    freeanychunk(st->st_nr);
#ifdef HAVE_LIBNSS
    free_osw_nss_symkey(st->st_skeyid);
    free_osw_nss_symkey(st->st_skey_d);
    free_osw_nss_symkey(st->st_skey_ai);
    free_osw_nss_symkey(st->st_skey_ar);
    free_osw_nss_symkey(st->st_skey_ei);
    free_osw_nss_symkey(st->st_skey_er);
    free_osw_nss_symkey(st->st_skey_pi);
    free_osw_nss_symkey(st->st_skey_pr);
    free_osw_nss_symkey(st->st_enc_key);

    /* Wipe the kernel keying material before the pfreeany() calls below.
     * A plain memset() immediately before free may be dropped by the
     * optimizer; explicit_bzero()/memset_s() would be the robust choice.
     * Note this wipe only exists in the NSS build. */
    if(st->st_ah.our_keymat!=NULL)
        memset(st->st_ah.our_keymat, 0, st->st_ah.keymat_len);

    if(st->st_ah.peer_keymat!=NULL)
        memset(st->st_ah.peer_keymat, 0, st->st_ah.keymat_len);

    if(st->st_esp.our_keymat!=NULL)
        memset(st->st_esp.our_keymat, 0, st->st_esp.keymat_len);

    if(st->st_esp.peer_keymat!=NULL)
        memset(st->st_esp.peer_keymat, 0, st->st_esp.keymat_len);
#endif
    freeanychunk(st->st_skeyid);
    freeanychunk(st->st_skey_d);
    freeanychunk(st->st_skey_ai);
    freeanychunk(st->st_skey_ar);
    freeanychunk(st->st_skey_ei);
    freeanychunk(st->st_skey_er);
    freeanychunk(st->st_skey_pi);
    freeanychunk(st->st_skey_pr);
    freeanychunk(st->st_enc_key);
    pfreeany(st->st_ah.our_keymat);
    pfreeany(st->st_ah.peer_keymat);
    pfreeany(st->st_esp.our_keymat);
    pfreeany(st->st_esp.peer_keymat);
    freeanychunk(st->st_xauth_password);
    pfree(st);
}
511
/*
 * Is a connection in use by some state?
 *
 * c: the connection to look for.  Compared by pointer against each state's
 *    st_connection across the whole table.
 * Returns TRUE at the first state that references c, FALSE otherwise.
 */
bool
states_use_connection(struct connection *c)
{
    int bucket;

    for (bucket = 0; bucket < STATE_TABLE_SIZE; bucket++)
    {
        const struct state *cur;

        for (cur = statetable[bucket]; cur != NULL; cur = cur->st_hashchain_next)
        {
            if (cur->st_connection == c)
                return TRUE;
        }
    }
    return FALSE;
}
529
/*
 * Walk the whole state table twice and, for every state selected by
 * comparefunc(), call successfunc() with that state as cur_state.
 *
 * c:           the connection the walk is about; passed through to both callbacks.
 * comparefunc: selection predicate; also receives the pass number (0 or 1).
 * successfunc: action to apply to a selected state (typically deletion or rekey).
 * arg:         opaque context passed through to both callbacks.
 *
 * The next pointer is read before successfunc() runs, so successfunc may
 * delete the state it is given.  Deleting any *other* state from inside
 * successfunc would leave the walk's saved pointer dangling — none of the
 * callers in this file appear to do that, but confirm before reusing.
 */
static void
foreach_states_by_connection_func(struct connection *c
                                  , bool (*comparefunc)(struct state *st, struct connection *c, void *arg, int pass)
                                  , void (*successfunc)(struct state *st, struct connection *c, void *arg)
                                  , void *arg)
{
    int pass;
    /* this kludge avoids an n^2 algorithm */

    /* We take two passes so that we delete any ISAKMP SAs last.
     * This allows Delete Notifications to be sent.
     * ?? We could probably double the performance by caching any
     * ISAKMP SA states found in the first pass, avoiding a second.
     */
    for (pass = 0; pass != 2; pass++)
    {
        int i;

        /* For each hash chain... */
        for (i = 0; i < STATE_TABLE_SIZE; i++)
        {
            struct state *st;

            /* For each state in the hash chain... */
            for (st = statetable[i]; st != NULL; )
            {
                struct state *this = st;

                st = st->st_hashchain_next;	/* before this is deleted */

                /* on pass 2, ignore phase2 states */
                /* NOTE(review): the condition below skips *established ISAKMP*
                 * SAs on the second pass (pass == 1), which does not match the
                 * comment above it; whether ISAKMP SAs really go last therefore
                 * depends on what comparefunc does with the pass argument.
                 * Confirm the intended ordering. */
                if(pass == 1 && IS_ISAKMP_SA_ESTABLISHED(this->st_state)) {
                    continue;
                }

                /* call comparison function */
                if ((*comparefunc)(this, c, arg, pass))
                {
                    /* keep cur_state from dangling if successfunc frees `this` */
                    struct state *old_cur_state
                        = cur_state == this? NULL : cur_state;
#ifdef DEBUG
                    lset_t old_cur_debugging = cur_debugging;
#endif

                    set_cur_state(this);
                    (*successfunc)(this, c, arg);

                    cur_state = old_cur_state;
#ifdef DEBUG
                    set_debugging(old_cur_debugging);
#endif
                }
            }
        }
    }
}
591
/* successfunc for foreach_states_by_connection_func(): log and delete one state.
 *
 * this: the selected state; freed by delete_state().
 * c, arg: unused.
 * Any pending event is dropped first (delete_state() repeats this).
 */
static void delete_state_function(struct state *this
                                  , struct connection *c UNUSED
                                  , void *arg UNUSED)
{
    const char *statename = enum_show(&state_names, this->st_state);

    openswan_log("deleting state (%s)", statename);

    if (this->st_event != NULL)
    {
        delete_event(this);
    }
    delete_state(this);
}
602
/*
 * comparefunc: select states created for connection c, and additionally
 * any state cloned from the Phase 1 SA whose serial number *arg holds
 * (when that is not SOS_NOBODY).
 *
 * this: the candidate state.
 * c:    the connection being torn down / rekeyed.
 * arg:  pointer to a so_serial_t, the parent ISAKMP SA.
 * pass: unused.
 * Returns TRUE if this state should be acted on.
 */
static bool same_phase1_sa_relations(struct state *this
                                     , struct connection *c, void *arg
                                     , int pass UNUSED)
{
    const so_serial_t parent_sa = *(const so_serial_t *)arg;

    if (this->st_connection == c)
        return TRUE;
    if (parent_sa == SOS_NOBODY)
        return FALSE;
    return this->st_clonedfrom == parent_sa;
}
619
/*
 * Delete all states that have somehow not been deleted yet
 * but are using interfaces that are going down.
 *
 * Walks the whole table; a state whose st_interface is set and marked
 * IFN_DELETE is logged and passed to delete_state().  The chain pointer
 * is advanced before the deletion so that freeing the state is safe.
 */
void delete_states_dead_interfaces(void)
{
    int bucket;

    for (bucket = 0; bucket < STATE_TABLE_SIZE; bucket++)
    {
        struct state *cur = statetable[bucket];

        while (cur != NULL)
        {
            struct state *victim = cur;

            cur = cur->st_hashchain_next;	/* advance first: victim may be freed */

            if (victim->st_interface == NULL
                || victim->st_interface->change != IFN_DELETE)
                continue;

            openswan_log("deleting lasting state #%lu on interface (%s) which is shutting down",
                         victim->st_serialno,
                         victim->st_interface->ip_dev->id_vname);
            delete_state(victim);
        }
    }
}
643
/*
 * comparefunc: select only the states created for connection c itself
 * (no related-Phase-1 matching, unlike same_phase1_sa_relations()).
 *
 * this: the candidate state.
 * c:    the connection of interest.
 * arg, pass: unused.
 * Returns TRUE when this->st_connection is c.
 */
static bool same_phase1_sa(struct state *this,
                           struct connection *c
                           , void *arg UNUSED
                           , int pass UNUSED)
{
    return this->st_connection == c ? TRUE : FALSE;
}
656
/*
 * Delete all states that were created for a given connection.
 *
 * c:         the connection whose states go away.
 * relations: if TRUE, also delete states that share the same Phase 1 SA
 *            (those cloned from c->newest_isakmp_sa).
 *
 * An instance connection is marked CK_GOING_AWAY for the duration of the
 * walk, restored afterwards, and then delete_connection()'d.
 * After the walk every spd_route of c is asserted to own no eroute and
 * not to be routed as a tunnel.
 */
void
delete_states_by_connection(struct connection *c, bool relations)
{
    /* save this connection's isakmp SA,
     * since it will get set to later SOS_NOBODY */
    so_serial_t parent_sa = c->newest_isakmp_sa;
    const enum connection_kind ck = c->kind;
    const struct spd_route *sr;
    bool (*matcher)(struct state *, struct connection *, void *, int);

    if (ck == CK_INSTANCE)
        c->kind = CK_GOING_AWAY;

    matcher = relations ? same_phase1_sa_relations : same_phase1_sa;
    foreach_states_by_connection_func(c, matcher
                                      , delete_state_function
                                      , &parent_sa);

    /*
     * Seems to dump here because 1 of the states is NULL. Removing the Assert
     * makes things work. We should fix this eventually.
     *
     * passert(c->newest_ipsec_sa == SOS_NOBODY
     *	       && c->newest_isakmp_sa == SOS_NOBODY);
     *
     */

    for (sr = &c->spd; sr != NULL; sr = sr->next)
    {
        passert(sr->eroute_owner == SOS_NOBODY);
        passert(sr->routing != RT_ROUTED_TUNNEL);
    }

    if (ck == CK_INSTANCE)
    {
        c->kind = ck;
        delete_connection(c, relations);
    }
}
702
/*
 * comparefunc: like same_phase1_sa_relations(), but never selects an
 * established ISAKMP SA — only Phase 2 states.
 *
 * this: the candidate state.
 * c:    the connection of interest.
 * arg:  pointer to the parent ISAKMP SA serial number (see same_phase1_sa_relations()).
 * pass: the walk's pass number.  The "pass == 2" guard can never fire
 *       with the caller in this file, which only runs passes 0 and 1.
 * Returns TRUE if this state should be acted on.
 */
static bool same_phase1_no_phase2(struct state *this
                                  , struct connection *c
                                  , void *arg
                                  , int pass)
{
    if (pass == 2)
        return FALSE;

    /* leave the Phase 1 SA itself alone */
    if (IS_ISAKMP_SA_ESTABLISHED(this->st_state))
        return FALSE;

    return same_phase1_sa_relations(this, c, arg, pass);
}
724
/*
 * delete_p2states_by_connection - deletes only the phase 2 of conn
 *
 * @c - the connection whose states need to be removed.
 *
 * This is like delete_states_by_connection with relations=TRUE,
 * but it only deletes phase 2 states (same_phase1_no_phase2() is the
 * selector).  An instance connection is marked CK_GOING_AWAY during the
 * walk — presumably so connection_discard() inside delete_state() does not
 * free it underneath us (confirm) — then restored and delete_connection()'d.
 */
void
delete_p2states_by_connection(struct connection *c)
{
    /* save this connection's isakmp SA,
     * since it will get set to later SOS_NOBODY */
    so_serial_t parent_sa = c->newest_isakmp_sa;
    const enum connection_kind ck = c->kind;
    const bool is_instance = (ck == CK_INSTANCE);

    if (is_instance)
        c->kind = CK_GOING_AWAY;

    foreach_states_by_connection_func(c, same_phase1_no_phase2
                                      , delete_state_function
                                      , &parent_sa);

    if (is_instance)
    {
        c->kind = ck;
        delete_connection(c, TRUE);
    }
}
745
/*
 * successfunc for rekey_p2states_by_connection(): schedule one Phase 2
 * state for immediate replacement instead of deleting it.
 *
 * this: the selected state.  Its timer and DPD events are dropped, an
 *       EVENT_SA_REPLACE is scheduled at delay 0, and the kernel SA is
 *       removed (delete_ipsec_sa(this, FALSE)), leaving a %trap behind.
 * c, arg: unused.
 */
static void rekey_state_function(struct state *this
                                 , struct connection *c UNUSED
                                 , void *arg UNUSED)
{
    const char *statename = enum_show(&state_names, this->st_state);

    openswan_log("rekeying state (%s)", statename);

    /* drop whatever is pending and arrange an immediate replace */
    delete_event(this);
    delete_dpd_event(this);
    event_schedule(EVENT_SA_REPLACE, 0, this);

    /*
     * but, remove the actual phase2 SA from the kernel, replacing
     * with a %trap.
     */
    delete_ipsec_sa(this, FALSE);
}
771
/*
 * rekey_p2states_by_connection - rekeys all the phase 2 of conn
 *
 * @c - the connection whose states need to be rekeyed
 *
 * This is like delete_states_by_connection with relations=TRUE,
 * but instead of removing the states, it schedules them for rekey
 * (rekey_state_function()).  Note that an instance connection is still
 * delete_connection()'d at the end, exactly as in delete_p2states_by_connection().
 */
void
rekey_p2states_by_connection(struct connection *c)
{
    /* save this connection's isakmp SA,
     * since it will get set to later SOS_NOBODY */
    so_serial_t parent_sa = c->newest_isakmp_sa;
    const enum connection_kind ck = c->kind;
    const bool is_instance = (ck == CK_INSTANCE);

    if (is_instance)
        c->kind = CK_GOING_AWAY;

    foreach_states_by_connection_func(c, same_phase1_no_phase2
                                      , rekey_state_function
                                      , &parent_sa);

    if (is_instance)
    {
        c->kind = ck;
        delete_connection(c, TRUE);
    }
}
792
793
/*
 * Walk through the state table, and delete each state whose phase 1 (IKE)
 * peer is among those given.
 * TODO: This function is only called for ipsec whack --crash peer, but
 * it currently does not work for IKEv2, since IS_PHASE1() only works on IKEv1
 * Filed as bug http://bugs.xelerance.com/view.php?id=971
 *
 * peer: the remote address to match against each state's st_remoteaddr.
 *
 * Despite the name nothing here calls delete_state(): on the first pass a
 * matching Phase 1 state is handed to ipsecdoi_replace(); every other
 * matching state (and, on the second pass, every matching state including
 * Phase 1) has its event replaced by an immediate EVENT_SA_REPLACE.
 * Output goes to whack (RC_COMMENT) and, per compared state, to DBG_log().
 */
void
delete_states_by_peer(ip_address *peer)
{
    char peerstr[ADDRTOT_BUF];
    int i, ph1;

    addrtot(peer, 0, peerstr, sizeof(peerstr));

    whack_log(RC_COMMENT, "restarting peer %s\n", peerstr);

    /* first restart the phase1s */
    for(ph1=0; ph1 < 2; ph1++) {
        /* For each hash chain... */
        for (i = 0; i < STATE_TABLE_SIZE; i++) {
            struct state *st;

            /* For each state in the hash chain... */
            for (st = statetable[i]; st != NULL; ) {
                struct state *this = st;
                /* NOTE(review): c is dereferenced below without a NULL check;
                 * this assumes every hashed state has a connection — confirm. */
                struct connection *c = this->st_connection;
                char ra[ADDRTOT_BUF];

                st = st->st_hashchain_next;	/* before this is deleted */

                addrtot(&this->st_remoteaddr, 0, ra, sizeof(ra));
                /* unconditional (not wrapped in DBG()): one line per state per pass */
                DBG_log("comparing %s to %s\n", ra, peerstr);

                if(sameaddr(&this->st_remoteaddr, peer)) {
                    if(ph1==0 && IS_PHASE1(this->st_state)) {

                        whack_log(RC_COMMENT
                                  , "peer %s for connection %s crashed, replacing"
                                  , peerstr
                                  , c->name);
                        ipsecdoi_replace(this, LEMPTY, LEMPTY, 1);
                    } else {
                        /* everything else is simply scheduled for replacement */
                        delete_event(this);
                        event_schedule(EVENT_SA_REPLACE, 0, this);
                    }
                }
            }
        }
    }
}
845
/* Duplicate a Phase 1 state object, to create a Phase 2 object.
 * Caller must schedule an event for this object so that it doesn't leak.
 * Caller must insert_state().
 *
 * st: the Phase 1 (parent) state.  Its st_outbound_count/time are updated
 *     to record the use.
 * Returns a new state (fresh serial number from new_state()) carrying
 * copies of the parent's cookies, addressing, connection, quirks and all
 * derived key chunks.  st_clonedfrom is set to the parent's serial number,
 * which is what the find_state_ikev2_parent*() lookups use to exclude
 * children.  Each copied chunk is owned by the new state and is released
 * separately in delete_state().
 */
struct state *
duplicate_state(struct state *st)
{
    struct state *nst;

    DBG(DBG_CONTROL, DBG_log("duplicating state object #%lu",
        st->st_serialno));

    /* record use of the Phase 1 state */
    st->st_outbound_count++;
    st->st_outbound_time = now();

    nst = new_state();

    memcpy(nst->st_icookie, st->st_icookie, COOKIE_SIZE);
    memcpy(nst->st_rcookie, st->st_rcookie, COOKIE_SIZE);
    nst->st_connection = st->st_connection;

    nst->st_doi = st->st_doi;
    nst->st_situation = st->st_situation;
    nst->quirks = st->quirks;
    nst->hidden_variables = st->hidden_variables;
    nst->st_remoteaddr = st->st_remoteaddr;
    nst->st_remoteport = st->st_remoteport;
    nst->st_localaddr = st->st_localaddr;
    nst->st_localport = st->st_localport;
    nst->st_interface = st->st_interface;
    nst->st_clonedfrom = st->st_serialno;	/* marks nst as a child of st */
    nst->st_import = st->st_import;
    nst->st_ikev2 = st->st_ikev2;
    nst->st_event = NULL;	/* caller schedules one */

    /* copy chunk st->ch into nst->ch as a freshly allocated chunk */
# define clone_chunk(ch, name) \
    clonetochunk(nst->ch, st->ch.ptr, st->ch.len, name)

#if 0
    clone_chunk(st_skeyid_d, "st_skeyid_d in duplicate_state");
    clone_chunk(st_skeyid_a, "st_skeyid_a in duplicate_state");
    clone_chunk(st_skeyid_e, "st_skeyid_e in duplicate_state");
#endif

#ifdef HAVE_LIBNSS
    /* NOTE(review): return values are ignored; presumably these take an
     * extra reference on the parent's NSS symkeys so the chunk copies below
     * are valid for the child — confirm against dup_osw_nss_symkey(). */
    dup_osw_nss_symkey(st->st_skeyseed);
    dup_osw_nss_symkey(st->st_skey_d);
    dup_osw_nss_symkey(st->st_skey_ai);
    dup_osw_nss_symkey(st->st_skey_ar);
    dup_osw_nss_symkey(st->st_skey_ei);
    dup_osw_nss_symkey(st->st_skey_er);
    dup_osw_nss_symkey(st->st_skey_pi);
    dup_osw_nss_symkey(st->st_skey_pr);
    dup_osw_nss_symkey(st->st_enc_key);
#endif

    clone_chunk(st_enc_key, "st_enc_key in duplicate_state");

    /* v2 duplication of state */
    clone_chunk(st_skeyseed, "st_skeyseed in duplicate_state");
    clone_chunk(st_skey_d, "st_skey_d in duplicate_state");
    clone_chunk(st_skey_ai, "st_skey_ai in duplicate_state");
    clone_chunk(st_skey_ar, "st_skey_ar in duplicate_state");
    clone_chunk(st_skey_ei, "st_skey_ei in duplicate_state");
    clone_chunk(st_skey_er, "st_skey_er in duplicate_state");
    clone_chunk(st_skey_pi, "st_skey_pi in duplicate_state");
    clone_chunk(st_skey_pr, "st_skey_pr in duplicate_state");
    clone_chunk(st_ni, "st_ni in duplicate_state");
    clone_chunk(st_nr, "st_nr in duplicate_state");

# undef clone_chunk

    nst->st_oakley = st->st_oakley;

    return nst;
}
923
/* Call f(st, data) for every state in the table, with cur_state set to the
 * state being visited; cur_state is restored afterwards.
 *
 * f:    callback; its return value is ignored.  It must not unhash or free
 *       the state it is given, because the walk reads st_hashchain_next
 *       after f returns.
 * data: opaque context passed to f.
 */
void for_each_state(void *(f)(struct state *, void *data), void *data)
{
    struct state *saved_cur_state = cur_state;
    int bucket;

    for (bucket = 0; bucket < STATE_TABLE_SIZE; bucket++)
    {
        struct state *cur;

        for (cur = statetable[bucket]; cur != NULL; cur = cur->st_hashchain_next)
        {
            set_cur_state(cur);
            (*f)(cur, data);
        }
    }
    cur_state = saved_cur_state;
}
938
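/*
 * Find a state object for an IKEv1 state.
 *
 * icookie, rcookie: COOKIE_SIZE bytes each, as taken from the packet header
 *                   by the caller — a match here means the header fields agree,
 *                   nothing more.
 * peer:             unused.
 * msgid:            network order; must equal the state's st_msgid.
 * Walks the chain selected by state_hash() and returns the first state with
 * both cookies equal, st_ikev2 == FALSE and a matching msgid; NULL if none.
 */
struct state *
find_state_ikev1(const u_char *icookie
                 , const u_char *rcookie
                 , const ip_address *peer UNUSED
                 , msgid_t /*network order*/ msgid)
{
    struct state *st = *state_hash(icookie, rcookie, NULL);

    while (st != (struct state *) NULL)
    {
        if (memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
            && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
            && st->st_ikev2 == FALSE)
        {
            /* #%lu: st_serialno is printed with %lu everywhere else in this file */
            DBG(DBG_CONTROL,
                DBG_log("v1 peer and cookies match on #%lu, provided msgid %08lx vs %08lx"
                        , st->st_serialno
                        , (long unsigned)ntohl(msgid)
                        , (long unsigned)ntohl(st->st_msgid)));
            if(msgid == st->st_msgid)
                break;
        }
        st = st->st_hashchain_next;
    }

    DBG(DBG_CONTROL,
        if (st == NULL)
            DBG_log("v1 state object not found");
        else
            DBG_log("v1 state object #%lu found, in %s"
                    , st->st_serialno
                    , enum_show(&state_names, st->st_state)));

    return st;
}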
977
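/*
 * Find a state object for an IKEv2 state.
 * Note: only finds parent states (st_clonedfrom == 0).
 *
 * icookie, rcookie: COOKIE_SIZE bytes each, from the caller.
 * Walks the chain selected by state_hash() and returns the first state with
 * both cookies equal, st_ikev2 == TRUE and no parent; NULL if none.
 */
struct state *
find_state_ikev2_parent(const u_char *icookie
                        , const u_char *rcookie)
{
    struct state *st = *state_hash(icookie, rcookie, NULL);

    while (st != (struct state *) NULL)
    {
        if (memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
            && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
            && st->st_ikev2 == TRUE
            && st->st_clonedfrom == 0)
        {
            /* #%lu: st_serialno is printed with %lu everywhere else in this file */
            DBG(DBG_CONTROL,
                DBG_log("v2 peer and cookies match on #%lu"
                        , st->st_serialno));
            break;
        }
        st = st->st_hashchain_next;
    }

    DBG(DBG_CONTROL,
        if (st == NULL)
            DBG_log("v2 state object not found");
        else
            DBG_log("v2 state object #%lu found, in %s"
                    , st->st_serialno
                    , enum_show(&state_names, st->st_state)));

    return st;
}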
1013
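/*
 * Find a state object for an IKEv2 state, looking by icookie only.
 * Note: only finds parent states (st_clonedfrom == 0).
 *
 * icookie: COOKIE_SIZE bytes, from the caller.
 * The chain is selected with (icookie, zero_cookie), i.e. this finds a
 * state that was inserted before its rcookie was known and has not been
 * rehash_state()'d yet.  Returns the first IKEv2 parent whose icookie
 * matches; NULL if none.
 */
struct state *
find_state_ikev2_parent_init(const u_char *icookie)
{
    struct state *st = *state_hash(icookie, zero_cookie, NULL);

    while (st != (struct state *) NULL)
    {
        if (memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
            && st->st_ikev2 == TRUE
            && st->st_clonedfrom == 0)
        {
            /* #%lu: st_serialno is printed with %lu everywhere else in this file */
            DBG(DBG_CONTROL,
                DBG_log("v2 peer and cookies match on #%lu"
                        , st->st_serialno));
            break;
        }
        st = st->st_hashchain_next;
    }

    DBG(DBG_CONTROL,
        if (st == NULL)
            DBG_log("v2 state object not found");
        else
            DBG_log("v2 state object #%lu found, in %s"
                    , st->st_serialno
                    , enum_show(&state_names, st->st_state)));

    return st;
}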
1047
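/*
 * Find a state object for an IKEv2 state, a response that includes a msgid.
 *
 * icookie, rcookie: COOKIE_SIZE bytes each, from the caller.
 * msgid:            compared directly with st_msgid (same byte order as stored).
 * Unlike find_state_ikev2_parent() this does not look at st_clonedfrom, so
 * parent or child states can be returned.  Returns the first IKEv2 state on
 * the chain with matching cookies and msgid; NULL if none.
 */
struct state *
find_state_ikev2_child(const u_char *icookie
                       , const u_char *rcookie
                       , msgid_t msgid)
{
    struct state *st = *state_hash(icookie, rcookie, NULL);

    while (st != (struct state *) NULL)
    {
        if (memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
            && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0
            && st->st_ikev2 == TRUE
            && st->st_msgid == msgid)
        {
            /* #%lu: st_serialno is printed with %lu everywhere else in this file */
            DBG(DBG_CONTROL,
                DBG_log("v2 peer, cookies and msgid match on #%lu"
                        , st->st_serialno));
            break;
        }
        st = st->st_hashchain_next;
    }

    DBG(DBG_CONTROL,
        if (st == NULL)
            DBG_log("v2 state object not found");
        else
            DBG_log("v2 state object #%lu found, in %s"
                    , st->st_serialno
                    , enum_show(&state_names, st->st_state)));

    return st;
}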
1083
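/*
 * Find a state object by cookies and msgid, accepting either the normal
 * msgid or the "phase 1.5" msgid (st_msgid_phase15, when non-zero).
 *
 * icookie, rcookie: COOKIE_SIZE bytes each, from the caller.
 * peer:             unused.
 * msgid:            network order.
 * Does not check st_ikev2.  Returns the first state on the chain whose
 * cookies match and whose st_msgid, or non-zero st_msgid_phase15, equals
 * msgid; NULL if none.
 */
struct state *
find_info_state(const u_char *icookie
                , const u_char *rcookie
                , const ip_address *peer UNUSED
                , msgid_t /*network order*/ msgid)
{
    struct state *st = *state_hash(icookie, rcookie, NULL);

    while (st != (struct state *) NULL)
    {
        if (memcmp(icookie, st->st_icookie, COOKIE_SIZE) == 0
            && memcmp(rcookie, st->st_rcookie, COOKIE_SIZE) == 0)
        {
            /* #%lu: st_serialno is printed with %lu everywhere else in this file */
            DBG(DBG_CONTROL,
                DBG_log("peer and cookies match on #%lu, provided msgid %08lx vs %08lx/%08lx"
                        , st->st_serialno
                        , (long unsigned)ntohl(msgid)
                        , (long unsigned)ntohl(st->st_msgid)
                        , (long unsigned)ntohl(st->st_msgid_phase15)));
            if((st->st_msgid_phase15!=0 && msgid == st->st_msgid_phase15)
               || msgid == st->st_msgid)
                break;
        }
        st = st->st_hashchain_next;
    }

    DBG(DBG_CONTROL,
        if (st == NULL)
            DBG_log("p15 state object not found");
        else
            DBG_log("p15 state object #%lu found, in %s"
                    , st->st_serialno
                    , enum_show(&state_names, st->st_state)));

    return st;
}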
1123
1124
/* Find the state that sent a packet
 * ??? this could be expensive -- it should be rate-limited to avoid DoS
 *
 * Scans the whole state table for a state whose last transmitted packet
 * (st_tpacket) has exactly the same length and bytes as packet.
 * Returns NULL when packet is shorter than an ISAKMP header or when
 * no state matches.
 */
struct state *
find_sender(size_t packet_len, u_char *packet)
{
    int i;

    /* anything shorter than an ISAKMP header cannot be one of ours */
    if (packet_len < sizeof(struct isakmp_hdr))
        return NULL;

    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
        {
            if (st->st_tpacket.ptr == NULL
                || st->st_tpacket.len != packet_len)
                continue;
            if (memcmp(st->st_tpacket.ptr, packet, packet_len) == 0)
                return st;
        }
    }

    return NULL;
}
1144
/*
 * Locate the established IPsec SA (AH or ESP, per protoid) that carries
 * SPI spi and belongs to the same host pair / peer identities as the
 * Phase 1 state p1st.
 *
 * Returns the state whose negotiated attrs.spi equals spi, or NULL.
 * *bogus is cleared on entry and set when a candidate's our_spi equals
 * spi instead, so the caller can tell "wrong direction" from "unknown".
 */
struct state *
find_phase2_state_to_delete(const struct state *p1st
                            , u_int8_t protoid
                            , ipsec_spi_t spi
                            , bool *bogus)
{
    struct connection *p1c = p1st->st_connection;
    int i;

    *bogus = FALSE;
    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
        {
            const struct ipsec_proto_info *pr;

            if (!IS_IPSEC_SA_ESTABLISHED(st->st_state)
                || p1c->host_pair != st->st_connection->host_pair
                || !same_peer_ids(p1c, st->st_connection, NULL))
                continue;

            pr = (protoid == PROTO_IPSEC_AH) ? &st->st_ah : &st->st_esp;
            if (!pr->present)
                continue;

            if (pr->attrs.spi == spi)
                return st;
            if (pr->our_spi == spi)
                *bogus = TRUE;
        }
    }
    return NULL;
}
1178
/* Find newest Phase 1 negotiation state object for suitable for connection c
 *
 * A state qualifies when its st_state is in ok_states and its connection
 * shares c's host pair and peer identities.  Among qualifying states the
 * one with the largest st_serialno wins.  Returns NULL if none qualifies.
 */
struct state *
find_phase1_state(const struct connection *c, lset_t ok_states)
{
    struct state *best = NULL;
    int i;

    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
        {
            if (!LHAS(ok_states, st->st_state)
                || c->host_pair != st->st_connection->host_pair
                || !same_peer_ids(c, st->st_connection, NULL))
                continue;

            /* higher serial number == more recently created */
            if (best == NULL || best->st_serialno < st->st_serialno)
                best = st;
        }
    }

    return best;
}
1204
/*
 * Record eroute usage for the tunnel ours -> his.
 *
 * Finds the established IPsec SA that owns the routed tunnel eroute for
 * the given client subnets and, if its outbound counter changed, stores
 * count and the timestamp nw on it.  Only the first match is updated.
 * If no state owns such an eroute a debug line is logged.
 */
void
state_eroute_usage(ip_subnet *ours, ip_subnet *his
                   , unsigned long count, time_t nw)
{
    int i;

    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
        {
            struct connection *c = st->st_connection;

            /* XXX spd-enum */
            if (!IS_IPSEC_SA_ESTABLISHED(st->st_state)
                || c->spd.eroute_owner != st->st_serialno
                || c->spd.routing != RT_ROUTED_TUNNEL
                || !samesubnet(&c->spd.this.client, ours)
                || !samesubnet(&c->spd.that.client, his))
                continue;

            /* only touch the timestamp when the counter actually moved */
            if (st->st_outbound_count != count)
            {
                st->st_outbound_count = count;
                st->st_outbound_time = nw;
            }
            return;
        }
    }

    DBG(DBG_CONTROL,
        {
            char ourst[SUBNETTOT_BUF];
            char hist[SUBNETTOT_BUF];

            subnettot(ours, 0, ourst, sizeof(ourst));
            subnettot(his, 0, hist, sizeof(hist));
            DBG_log("unknown tunnel eroute %s -> %s found in scan"
                    , ourst, hist);
        });
}
1245
/*
 * Format a human-readable description of state st.
 *
 * state_buf receives the main line: serial number, connection name and
 * instance, remote port, state name and story, pending event and its
 * delta, newest-SA / eroute-owner markers, DPD or parent-ISAKMP info,
 * idle status and crypto importance.
 * state_buf2 receives a second line listing the SAIDs of an established
 * IPsec SA; it is set to "" (when state_buf2_len != 0) otherwise.
 * n is the reference time for the event delta; the DPD and "used ago"
 * annotations call time(NULL) / now() themselves instead of using n.
 */
void fmt_state(struct state *st, time_t n
               , char *state_buf, size_t state_buf_len
               , char *state_buf2, size_t state_buf2_len)
{
    /* what the heck is interesting about a state? */
    const struct connection *c = st->st_connection;
    long delta;
    char inst[CONN_INST_BUF];
    char dpdbuf[128];
    const char *np1 = c->newest_isakmp_sa == st->st_serialno
        ? "; newest ISAKMP" : "";
    const char *np2 = c->newest_ipsec_sa == st->st_serialno
        ? "; newest IPSEC" : "";
    /* XXX spd-enum */
    const char *eo = c->spd.eroute_owner == st->st_serialno
        ? "; eroute owner" : "";
    const char *idlestr;

    fmt_conn_instance(c, inst);

    /* seconds until the pending event fires (negative when overdue);
     * -1 when the state has no event at all */
    if(st->st_event) {
        delta = st->st_event->ev_time >= n
            ? (long)(st->st_event->ev_time - n)
            : -(long)(n - st->st_event->ev_time);
    } else {
        delta = -1;
    }

    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
    {
        /* IPsec SA: name the ISAKMP SA it was cloned from */
        dpdbuf[0]='\0';
        snprintf(dpdbuf, sizeof(dpdbuf), "; isakmp#%lu", (unsigned long)st->st_clonedfrom);
    } else {
        if(st->hidden_variables.st_dpd) {
            /* NOTE(review): uses time(NULL) rather than n, and prints a
             * time_t difference with %ld -- assumes time_t is long */
            time_t tn = time(NULL);
            snprintf(dpdbuf, sizeof(dpdbuf), "; lastdpd=%lds(seq in:%u out:%u)"
                     , st->st_last_dpd !=0 ? tn - st->st_last_dpd : (long)-1
                     , st->st_dpd_seqno
                     , st->st_dpd_expectseqno);
        } else {
            snprintf(dpdbuf, sizeof(dpdbuf), "; nodpd");
        }
    }

    if(st->st_calculating) {
        idlestr = "crypto_calculating";
    } else if(st->st_suspended_md) {
        idlestr = "crypto/dns-lookup";
    } else {
        idlestr = "idle";
    }

    /* NOTE(review): state_story is indexed relative to STATE_MAIN_R0
     * with no range check -- assumes st_state >= STATE_MAIN_R0 */
    snprintf(state_buf, state_buf_len
             , "#%lu: \"%s\"%s:%u %s (%s); %s in %lds%s%s%s%s; %s; %s"
             , st->st_serialno
             , c->name, inst
             , st->st_remoteport
             , enum_name(&state_names, st->st_state)
             , state_story[st->st_state - STATE_MAIN_R0]
             , st->st_event ? enum_name(&timer_event_names, st->st_event->ev_type) : "none"
             , delta
             , np1, np2, eo, dpdbuf
             , idlestr
             , enum_name(&pluto_cryptoimportance_names, st->st_import));

    /* print out SPIs if SAs are established */
    if (state_buf2_len != 0)
        state_buf2[0] = '\0'; /* default to empty */
    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
    {
        char lastused[40]; /* should be plenty long enough */
        char buf[SATOT_BUF*6 + 1];
        char *p = buf;

        /* Append " <said>" to buf at p.  The p < &buf[sizeof(buf)-1]
         * test leaves room for the separating space; satot() is given
         * the remaining space.  The "- 1" assumes satot() returns a
         * length that includes the terminating NUL -- confirm against
         * satot() before relying on it. */
# define add_said(adst, aspi, aproto) { \
    ip_said s; \
    \
    initsaid(adst, aspi, aproto, &s); \
    if (p < &buf[sizeof(buf)-1]) \
    { \
        *p++ = ' '; \
        p += satot(&s, 0, p, &buf[sizeof(buf)] - p) - 1; \
    } \
}

        /* XXX - mcr last used is really an attribute of the connection */
        lastused[0] = '\0';
        if (c->spd.eroute_owner == st->st_serialno
            && st->st_outbound_count != 0)
        {
            snprintf(lastused, sizeof(lastused)
                     , " used %lus ago;"
                     , (unsigned long) (now() - st->st_outbound_time));
        }

        *p = '\0';
        if (st->st_ah.present)
        {
            add_said(&c->spd.that.host_addr, st->st_ah.attrs.spi, SA_AH);
            add_said(&c->spd.this.host_addr, st->st_ah.our_spi, SA_AH);
        }
        if (st->st_esp.present)
        {
            /* only passed to get_sa_info(); its value is never read here,
             * and it is unused entirely in non-NETKEY builds */
            time_t ago;

            add_said(&c->spd.that.host_addr, st->st_esp.attrs.spi, SA_ESP);
            /* needs proper fix, via kernel_ops? */
            /* NOTE(review): the byte-count text written into state_buf2
             * here and below is overwritten by the unconditional snprintf
             * into state_buf2 at the end of this block, so it never
             * reaches the caller.  The %' flag is the POSIX/glibc
             * thousands-grouping extension and expects an unsigned int
             * argument -- confirm the type of peer_bytes / our_bytes. */
#if defined(linux) && defined(NETKEY_SUPPORT)
            if (get_sa_info(st, FALSE, &ago))
            {
                snprintf(state_buf2, state_buf2_len,
                         " (%'u bytes)" , st->st_esp.peer_bytes);
            }
#endif
            add_said(&c->spd.this.host_addr, st->st_esp.our_spi, SA_ESP);
#if defined(linux) && defined(NETKEY_SUPPORT)
            if (get_sa_info(st, TRUE, &ago))
            {
                snprintf(state_buf2, state_buf2_len,
                         " (%'u bytes)" , st->st_esp.our_bytes);
            }
#endif

        }
        if (st->st_ipcomp.present)
        {
            add_said(&c->spd.that.host_addr, st->st_ipcomp.attrs.spi, SA_COMP);
            add_said(&c->spd.this.host_addr, st->st_ipcomp.our_spi, SA_COMP);
        }
#ifdef KLIPS
        /* KLIPS tunnel-mode SAs carry an extra IPIP SAID pair */
        if (st->st_ah.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
            || st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL
            || st->st_ipcomp.attrs.encapsulation == ENCAPSULATION_MODE_TUNNEL)
        {
            add_said(&c->spd.that.host_addr, st->st_tunnel_out_spi, SA_IPIP);
            add_said(&c->spd.this.host_addr, st->st_tunnel_in_spi, SA_IPIP);
        }
#endif
        /* final contents of state_buf2: this replaces anything written
         * into it earlier in this block */
        snprintf(state_buf2, state_buf2_len
                 , "#%lu: \"%s\"%s%s%s ref=%lu refhim=%lu"
                 , st->st_serialno
                 , c->name, inst
                 , lastused
                 , buf
                 , (unsigned long)st->st_ref, (unsigned long)st->st_refhim);

# undef add_said
    }
}
1395
/*
 * sorting logic is:
 *
 * name
 * type
 * instance#
 * isakmp_sa (XXX probably wrong)
 *
 * qsort() comparator over an array of struct state pointers; the order
 * is entirely delegated to connection_compare() on the two connections.
 */
static int
state_compare(const void *a, const void *b)
{
    const struct state *const *pa = a;
    const struct state *const *pb = b;

    /* DBG_log("comparing %s to %s", ca->name, cb->name); */

    return connection_compare((*pa)->st_connection, (*pb)->st_connection);
}
1417
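/*
 * Report every state to whack, sorted by connection (state_compare),
 * followed by any pending Phase 2s of each Phase 1 state.
 *
 * The state table is walked twice: once to count, once to fill a
 * temporary array that is sorted with qsort() and released with pfree().
 * Nothing is emitted when the table is empty.
 */
void
show_states_status(void)
{
    time_t n = now();
    char state_buf[LOG_WIDTH];
    char state_buf2[LOG_WIDTH];
    struct state **array;
    int count = 0;
    int i;

    /* pass 1: make count of states */
    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
            count++;
    }

    if (count == 0)
        return;

    /* pass 2: build the array */
    array = alloc_bytes(sizeof(struct state *) * count, "state array");
    count = 0;
    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
            array[count++] = st;
    }

    /* sort it! */
    qsort(array, count, sizeof(struct state *), state_compare);

    /* now print sorted results */
    for (i = 0; i < count; i++)
    {
        struct state *st = array[i];

        fmt_state(st, n, state_buf, sizeof(state_buf)
                  , state_buf2, sizeof(state_buf2));
        /* whack_log() takes a printf-style format (see log.h).  The
         * formatted text embeds the connection name and instance, so it
         * is passed as an argument rather than as the format string. */
        whack_log(RC_COMMENT, "%s", state_buf);
        if (state_buf2[0] != '\0')
            whack_log(RC_COMMENT, "%s", state_buf2);

        /* show any associated pending Phase 2s */
        if (IS_PHASE1(st->st_state))
            show_pending_phase2(st->st_connection, st);
    }

    /* free the array */
    pfree(array);
}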
1478
/* Given that we've used up a range of unused CPI's,
 * search for a new range of currently unused ones.
 * Note: this is very expensive when not trivial!
 * If we can't find one easily, choose 0 (a bad SPI,
 * no matter what order) indicating failure.
 *
 * On success *latest_cpi is the first CPI of the free range and
 * *first_busy_cpi the first in-use CPI above it (the roof).  Whenever
 * the candidate base is itself in use, base is advanced (wrapping from
 * IPCOMP_LAST_NEGOTIATED to IPCOMP_FIRST_NEGOTIATED) and the whole
 * table is scanned again; after 20 such restarts both outputs are 0.
 */
void
find_my_cpi_gap(cpi_t *latest_cpi, cpi_t *first_busy_cpi)
{
    int tries = 0;
    cpi_t base = *latest_cpi;
    cpi_t closest;
    bool restart;

    do {
        int i;

        restart = FALSE;
        closest = ~0; /* not close at all */

        for (i = 0; i < STATE_TABLE_SIZE && !restart; i++)
        {
            struct state *st;

            for (st = statetable[i]; st != NULL && !restart; st = st->st_hashchain_next)
            {
                cpi_t c;

                if (!st->st_ipcomp.present)
                    continue;

                c = ntohl(st->st_ipcomp.our_spi) - base;
                if (c >= closest)
                    continue;

                if (c != 0)
                {
                    closest = c;
                    continue;
                }

                /* oops: next spot is occupied; start over */
                if (++tries == 20)
                {
                    /* FAILURE */
                    *latest_cpi = *first_busy_cpi = 0;
                    return;
                }
                base++;
                if (base > IPCOMP_LAST_NEGOTIATED)
                    base = IPCOMP_FIRST_NEGOTIATED;
                restart = TRUE;
            }
        }
    } while (restart);

    *latest_cpi = base; /* base is first in next free range */
    *first_busy_cpi = closest + base; /* and this is the roof */
}
1529
/* Muck with high-order 16 bits of this SPI in order to make
 * the corresponding SAID unique.
 * Its low-order 16 bits hold a well-known IPCOMP CPI.
 * Oh, and remember that SPIs are stored in network order.
 * Kludge!!! So I name it with the non-English word "uniquify".
 * If we can't find one easily, return 0 (a bad SPI,
 * no matter what order) indicating failure.
 *
 * Uniqueness is checked against every IPCOMP state whose connection
 * has the same peer host address as st's.  Up to 20 random attempts
 * are made; the 20th collision yields 0.
 */
ipsec_spi_t
uniquify_his_cpi(ipsec_spi_t cpi, struct state *st)
{
    ip_address *peer = &st->st_connection->spd.that.host_addr;
    int tries = 0;

    for (;;)
    {
        bool clash = FALSE;
        int i;

        /* network order makes first two bytes our target */
        get_rnd_bytes((u_char *)&cpi, 2);

        /* Make sure that the result is unique.
         * Hard work. If there is no unique value, we'll loop forever!
         */
        for (i = 0; i < STATE_TABLE_SIZE && !clash; i++)
        {
            struct state *s;

            for (s = statetable[i]; s != NULL && !clash; s = s->st_hashchain_next)
            {
                clash = s->st_ipcomp.present
                    && sameaddr(&s->st_connection->spd.that.host_addr, peer)
                    && cpi == s->st_ipcomp.attrs.spi;
            }
        }

        if (!clash)
            return cpi;
        if (++tries == 20)
            return 0; /* FAILURE */
    }
}
1571
1572
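/*
 * Immediately schedule a replace event for all states for a peer.
 *
 * Every established ISAKMP or IPsec SA whose connection's spd.that
 * host address equals peer and whose pending event is already
 * EVENT_SA_REPLACE has that event and its DPD event cancelled and an
 * EVENT_SA_REPLACE re-scheduled with zero delay.  States without a
 * pending event, or with a different event type, are left alone.
 */
void replace_states_by_peer(ip_address *peer)
{
    int i;
    /* struct event *ev; currently unused */

    for (i = 0; i < STATE_TABLE_SIZE; i++)
    {
        struct state *st;

        for (st = statetable[i]; st != NULL; st = st->st_hashchain_next)
        {
            if (!sameaddr(&st->st_connection->spd.that.host_addr, peer))
                continue;
            if (!IS_ISAKMP_SA_ESTABLISHED(st->st_state)
                && !IS_IPSEC_SA_ESTABLISHED(st->st_state))
                continue;
            /* Only replace if it already has a replace event.
             * st_event can be NULL (fmt_state tests the same field),
             * so it must be checked before ev_type is read. */
            if (st->st_event == NULL
                || st->st_event->ev_type != EVENT_SA_REPLACE)
                continue;

            delete_event(st);
            delete_dpd_event(st);
            event_schedule(EVENT_SA_REPLACE, 0, st);
        }
    }
}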
1594
/* Merge the quirk flags of sq into dq: each flag in dq is set if it was
 * already set there or is set in sq.  sq is not modified. */
void copy_quirks(struct isakmp_quirks *dq
                 , struct isakmp_quirks *sq)
{
    dq->xauth_ack_msgid = dq->xauth_ack_msgid | sq->xauth_ack_msgid;
    dq->modecfg_pull_mode = dq->modecfg_pull_mode | sq->modecfg_pull_mode;
    dq->nat_traversal_vid = dq->nat_traversal_vid | sq->nat_traversal_vid;
}
1602
/* Re-orient connection c and copy its local/remote IKE endpoints and
 * interface into st.  c->interface is cleared first so orient() picks
 * the interface afresh; all fields are read only after orient() returns. */
void set_state_ike_endpoints(struct state *st
                             , struct connection *c)
{
    /* reset our choice of interface */
    c->interface = NULL;
    orient(c);

    st->st_interface = c->interface;

    st->st_localaddr = c->spd.this.host_addr;
    st->st_localport = c->spd.this.host_port;

    st->st_remoteaddr = c->spd.that.host_addr;
    st->st_remoteport = c->spd.that.host_port;
}
1617
1618 /*
1619 * Local Variables:
1620 * c-basic-offset:4
1621 * End:
1622 */
