diff options
Diffstat (limited to 'src/charon/threads')
| -rw-r--r-- | src/charon/threads/kernel_interface.c | 1964 | ||||
| -rw-r--r-- | src/charon/threads/kernel_interface.h | 331 | ||||
| -rw-r--r-- | src/charon/threads/receiver.c | 372 | ||||
| -rw-r--r-- | src/charon/threads/receiver.h | 81 | ||||
| -rw-r--r-- | src/charon/threads/scheduler.c | 102 | ||||
| -rw-r--r-- | src/charon/threads/scheduler.h | 68 | ||||
| -rw-r--r-- | src/charon/threads/sender.c | 149 | ||||
| -rw-r--r-- | src/charon/threads/sender.h | 74 | ||||
| -rwxr-xr-x | src/charon/threads/stroke_interface.c | 1456 | ||||
| -rw-r--r-- | src/charon/threads/stroke_interface.h | 61 | ||||
| -rw-r--r-- | src/charon/threads/thread_pool.c | 181 | ||||
| -rw-r--r-- | src/charon/threads/thread_pool.h | 87 |
12 files changed, 0 insertions, 4926 deletions
diff --git a/src/charon/threads/kernel_interface.c b/src/charon/threads/kernel_interface.c deleted file mode 100644 index 4a70d2ecf..000000000 --- a/src/charon/threads/kernel_interface.c +++ /dev/null @@ -1,1964 +0,0 @@ -/** - * @file kernel_interface.c - * - * @brief Implementation of kernel_interface_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2006-2007 Tobias Brunner - * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser - * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * Copyright (C) 2003 Herbert Xu. - * - * Based on xfrm code from pluto. - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <linux/netlink.h> -#include <linux/rtnetlink.h> -#include <linux/xfrm.h> -#include <linux/udp.h> -#include <pthread.h> -#include <unistd.h> -#include <fcntl.h> -#include <errno.h> -#include <string.h> -#include <net/if.h> -#include <sys/ioctl.h> - -#include "kernel_interface.h" - -#include <daemon.h> -#include <utils/linked_list.h> -#include <queues/jobs/delete_child_sa_job.h> -#include <queues/jobs/rekey_child_sa_job.h> -#include <queues/jobs/acquire_job.h> - -/** kernel level protocol identifiers */ -#define KERNEL_ESP 50 -#define KERNEL_AH 51 - -/** default priority of installed policies */ -#define PRIO_LOW 3000 -#define PRIO_HIGH 2000 - -#define BUFFER_SIZE 1024 - -/** - * returns a pointer to the first rtattr following the nlmsghdr *nlh and the - * 'usual' netlink data x like 'struct xfrm_usersa_info' - */ -#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) -/** - * returns a pointer to the next rtattr following rta. - * !!! do not use this to parse messages. use RTA_NEXT and RTA_OK instead !!! - */ -#define XFRM_RTA_NEXT(rta) ((struct rtattr*)(((char*)(rta)) + RTA_ALIGN((rta)->rta_len))) -/** - * returns the total size of attached rta data - * (after 'usual' netlink data x like 'struct xfrm_usersa_info') - */ -#define XFRM_PAYLOAD(nlh, x) NLMSG_PAYLOAD(nlh, sizeof(x)) - -typedef struct kernel_algorithm_t kernel_algorithm_t; - -/** - * Mapping from the algorithms defined in IKEv2 to - * kernel level algorithm names and their key length - */ -struct kernel_algorithm_t { - /** - * Identifier specified in IKEv2 - */ - int ikev2_id; - - /** - * Name of the algorithm, as used as kernel identifier - */ - char *name; - - /** - * Key length in bits, if fixed size - */ - u_int key_size; -}; -#define END_OF_LIST -1 - -/** - * Algorithms for encryption - */ -kernel_algorithm_t encryption_algs[] = { -/* {ENCR_DES_IV64, "***", 0}, */ - {ENCR_DES, "des", 64}, - {ENCR_3DES, "des3_ede", 192}, -/* {ENCR_RC5, "***", 0}, */ -/* {ENCR_IDEA, "***", 0}, */ - {ENCR_CAST, "cast128", 0}, - {ENCR_BLOWFISH, "blowfish", 0}, -/* {ENCR_3IDEA, "***", 0}, */ -/* {ENCR_DES_IV32, "***", 0}, */ - {ENCR_NULL, "cipher_null", 0}, - {ENCR_AES_CBC, "aes", 0}, -/* {ENCR_AES_CTR, "***", 0}, */ - {END_OF_LIST, NULL, 0}, -}; - -/** - * Algorithms for integrity protection - */ -kernel_algorithm_t integrity_algs[] = { - {AUTH_HMAC_MD5_96, "md5", 128}, - {AUTH_HMAC_SHA1_96, "sha1", 160}, - {AUTH_HMAC_SHA2_256_128, "sha256", 256}, - {AUTH_HMAC_SHA2_384_192, "sha384", 384}, - {AUTH_HMAC_SHA2_512_256, "sha512", 512}, -/* {AUTH_DES_MAC, "***", 0}, */ -/* {AUTH_KPDK_MD5, "***", 0}, */ -/* {AUTH_AES_XCBC_96, "***", 0}, */ - {END_OF_LIST, NULL, 0}, -}; - -/** - * Look up a kernel algorithm name and its key size - */ -char* lookup_algorithm(kernel_algorithm_t *kernel_algo, - algorithm_t *ikev2_algo, u_int *key_size) -{ - while (kernel_algo->ikev2_id != END_OF_LIST) - { - if (ikev2_algo->algorithm == kernel_algo->ikev2_id) - { - /* match, evaluate key length */ - if (ikev2_algo->key_size) - { /* variable length */ - *key_size = ikev2_algo->key_size; - } - else - { /* fixed length */ - *key_size = kernel_algo->key_size; - } - return kernel_algo->name; - } - kernel_algo++; - } - return NULL; -} - -typedef struct route_entry_t route_entry_t; - -/** - * installed routing entry - */ -struct route_entry_t { - - /** Index of the interface the route is bound to */ - int if_index; - - /** Source ip of the route */ - host_t *src_ip; - - /** Destination net */ - chunk_t dst_net; - - /** Destination net prefixlen */ - u_int8_t prefixlen; -}; - -/** - * destroy an route_entry_t object - */ -static void route_entry_destroy(route_entry_t *this) -{ - this->src_ip->destroy(this->src_ip); - chunk_free(&this->dst_net); - free(this); -} - -typedef struct policy_entry_t policy_entry_t; - -/** - * installed kernel policy. - */ -struct policy_entry_t { - - /** direction of this policy: in, out, forward */ - u_int8_t direction; - - /** reqid of the policy */ - u_int32_t reqid; - - /** parameters of installed policy */ - struct xfrm_selector sel; - - /** associated route installed for this policy */ - route_entry_t *route; - - /** by how many CHILD_SA's this policy is used */ - u_int refcount; -}; - -typedef struct vip_entry_t vip_entry_t; - -/** - * Installed virtual ip - */ -struct vip_entry_t { - /** Index of the interface the ip is bound to */ - u_int8_t if_index; - - /** The ip address */ - host_t *ip; - - /** Number of times this IP is used */ - u_int refcount; -}; - -/** - * destroy a vip_entry_t object - */ -static void vip_entry_destroy(vip_entry_t *this) -{ - this->ip->destroy(this->ip); - free(this); -} - -typedef struct address_entry_t address_entry_t; - -/** - * an address found on the system, containg address and interface info - */ -struct address_entry_t { - - /** address of this entry */ - host_t *host; - - /** interface index */ - int ifindex; - - /** name of the index */ - char ifname[IFNAMSIZ]; -}; - -/** - * destroy an address entry - */ -static void address_entry_destroy(address_entry_t *this) -{ - this->host->destroy(this->host); - free(this); -} - -typedef struct private_kernel_interface_t private_kernel_interface_t; - -/** - * Private variables and functions of kernel_interface class. - */ -struct private_kernel_interface_t { - /** - * Public part of the kernel_interface_t object. - */ - kernel_interface_t public; - - /** - * List of installed policies (kernel_entry_t) - */ - linked_list_t *policies; - - /** - * Mutex locks access to policies - */ - pthread_mutex_t policies_mutex; - - /** - * List of installed virtual IPs. (vip_entry_t) - */ - linked_list_t *vips; - - /** - * Mutex to lock access to vips. - */ - pthread_mutex_t vips_mutex; - - /** - * netlink xfrm socket to receive acquire and expire events - */ - int socket_xfrm_events; - - /** - * Netlink xfrm socket (IPsec) - */ - int socket_xfrm; - - /** - * Netlink rt socket (routing) - */ - int socket_rt; - - /** - * Thread receiving events from kernel - */ - pthread_t event_thread; -}; - -/** - * convert a host_t to a struct xfrm_address - */ -static void host2xfrm(host_t *host, xfrm_address_t *xfrm) -{ - chunk_t chunk = host->get_address(host); - memcpy(xfrm, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); -} - -/** - * convert a traffic selector address range to subnet and its mask. - */ -static void ts2subnet(traffic_selector_t* ts, - xfrm_address_t *net, u_int8_t *mask) -{ - /* there is no way to do this cleanly, as the address range may - * be anything else but a subnet. We use from_addr as subnet - * and try to calculate a usable subnet mask. - */ - int byte, bit; - bool found = FALSE; - chunk_t from, to; - size_t size = (ts->get_type(ts) == TS_IPV4_ADDR_RANGE) ? 4 : 16; - - from = ts->get_from_address(ts); - to = ts->get_to_address(ts); - - *mask = (size * 8); - /* go trough all bits of the addresses, beginning in the front. - * as long as they are equal, the subnet gets larger - */ - for (byte = 0; byte < size; byte++) - { - for (bit = 7; bit >= 0; bit--) - { - if ((1<<bit & from.ptr[byte]) != (1<<bit & to.ptr[byte])) - { - *mask = ((7 - bit) + (byte * 8)); - found = TRUE; - break; - } - } - if (found) - { - break; - } - } - memcpy(net, from.ptr, from.len); - chunk_free(&from); - chunk_free(&to); -} - -/** - * convert a traffic selector port range to port/portmask - */ -static void ts2ports(traffic_selector_t* ts, - u_int16_t *port, u_int16_t *mask) -{ - /* linux does not seem to accept complex portmasks. Only - * any or a specific port is allowed. We set to any, if we have - * a port range, or to a specific, if we have one port only. - */ - u_int16_t from, to; - - from = ts->get_from_port(ts); - to = ts->get_to_port(ts); - - if (from == to) - { - *port = htons(from); - *mask = ~0; - } - else - { - *port = 0; - *mask = 0; - } -} - -/** - * convert a pair of traffic_selectors to a xfrm_selector - */ -static struct xfrm_selector ts2selector(traffic_selector_t *src, - traffic_selector_t *dst) -{ - struct xfrm_selector sel; - - memset(&sel, 0, sizeof(sel)); - sel.family = src->get_type(src) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; - /* src or dest proto may be "any" (0), use more restrictive one */ - sel.proto = max(src->get_protocol(src), dst->get_protocol(dst)); - ts2subnet(dst, &sel.daddr, &sel.prefixlen_d); - ts2subnet(src, &sel.saddr, &sel.prefixlen_s); - ts2ports(dst, &sel.dport, &sel.dport_mask); - ts2ports(src, &sel.sport, &sel.sport_mask); - sel.ifindex = 0; - sel.user = 0; - - return sel; -} - -/** - * Creates an rtattr and adds it to the netlink message - */ -static void add_attribute(struct nlmsghdr *hdr, int rta_type, chunk_t data, - size_t buflen) -{ - struct rtattr *rta; - - if (NLMSG_ALIGN(hdr->nlmsg_len) + RTA_ALIGN(data.len) > buflen) - { - DBG1(DBG_KNL, "unable to add attribute, buffer too small"); - return; - } - - rta = (struct rtattr*)(((char*)hdr) + NLMSG_ALIGN(hdr->nlmsg_len)); - rta->rta_type = rta_type; - rta->rta_len = RTA_LENGTH(data.len); - memcpy(RTA_DATA(rta), data.ptr, data.len); - hdr->nlmsg_len = NLMSG_ALIGN(hdr->nlmsg_len) + rta->rta_len; -} - -/** - * Receives events from kernel - */ -static void receive_events(private_kernel_interface_t *this) -{ - while(TRUE) - { - unsigned char response[512]; - struct nlmsghdr *hdr; - struct sockaddr_nl addr; - socklen_t addr_len = sizeof(addr); - int len; - - hdr = (struct nlmsghdr*)response; - len = recvfrom(this->socket_xfrm_events, response, sizeof(response), - 0, (struct sockaddr*)&addr, &addr_len); - if (len < 0) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - charon->kill(charon, "unable to receive netlink events"); - } - - if (!NLMSG_OK(hdr, len)) - { - /* bad netlink message */ - continue; - } - - if (addr.nl_pid != 0) - { - /* not from kernel. not interested, try another one */ - continue; - } - - /* we handle ACQUIRE and EXPIRE messages directly */ - if (hdr->nlmsg_type == XFRM_MSG_ACQUIRE) - { - u_int32_t reqid = 0; - job_t *job; - struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_user_acquire); - size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_user_tmpl); - if (RTA_OK(rtattr, rtsize)) - { - if (rtattr->rta_type == XFRMA_TMPL) - { - struct xfrm_user_tmpl* tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rtattr); - reqid = tmpl->reqid; - } - } - if (reqid == 0) - { - DBG1(DBG_KNL, "received a XFRM_MSG_ACQUIRE, but no reqid found"); - } - else - { - DBG2(DBG_KNL, "received a XFRM_MSG_ACQUIRE"); - DBG1(DBG_KNL, "creating acquire job for CHILD_SA with reqid %d", - reqid); - job = (job_t*)acquire_job_create(reqid); - charon->job_queue->add(charon->job_queue, job); - } - } - else if (hdr->nlmsg_type == XFRM_MSG_EXPIRE) - { - job_t *job; - protocol_id_t protocol; - u_int32_t spi, reqid; - struct xfrm_user_expire *expire; - - expire = (struct xfrm_user_expire*)NLMSG_DATA(hdr); - protocol = expire->state.id.proto == KERNEL_ESP ? - PROTO_ESP : PROTO_AH; - spi = expire->state.id.spi; - reqid = expire->state.reqid; - - DBG2(DBG_KNL, "received a XFRM_MSG_EXPIRE"); - DBG1(DBG_KNL, "creating %s job for %N CHILD_SA 0x%x (reqid %d)", - expire->hard ? "delete" : "rekey", protocol_id_names, - protocol, ntohl(spi), reqid); - if (expire->hard) - { - job = (job_t*)delete_child_sa_job_create(reqid, protocol, spi); - } - else - { - job = (job_t*)rekey_child_sa_job_create(reqid, protocol, spi); - } - charon->job_queue->add(charon->job_queue, job); - } - } -} - -/** - * send a netlink message and wait for a reply - */ -static status_t netlink_send(int socket, struct nlmsghdr *in, - struct nlmsghdr **out, size_t *out_len) -{ - int len, addr_len; - struct sockaddr_nl addr; - chunk_t result = chunk_empty, tmp; - struct nlmsghdr *msg, peek; - - static int seq = 200; - static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER; - - - pthread_mutex_lock(&mutex); - - in->nlmsg_seq = ++seq; - in->nlmsg_pid = getpid(); - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = 0; - addr.nl_groups = 0; - - while (TRUE) - { - len = sendto(socket, in, in->nlmsg_len, 0, - (struct sockaddr*)&addr, sizeof(addr)); - - if (len != in->nlmsg_len) - { - if (errno == EINTR) - { - /* interrupted, try again */ - continue; - } - pthread_mutex_unlock(&mutex); - DBG1(DBG_KNL, "error sending to netlink socket: %m"); - return FAILED; - } - break; - } - - while (TRUE) - { - char buf[1024]; - tmp.len = sizeof(buf); - tmp.ptr = buf; - msg = (struct nlmsghdr*)tmp.ptr; - - memset(&addr, 0, sizeof(addr)); - addr.nl_family = AF_NETLINK; - addr.nl_pid = getpid(); - addr.nl_groups = 0; - addr_len = sizeof(addr); - - len = recvfrom(socket, tmp.ptr, tmp.len, 0, - (struct sockaddr*)&addr, &addr_len); - - if (len < 0) - { - if (errno == EINTR) - { - DBG1(DBG_IKE, "got interrupted"); - /* interrupted, try again */ - continue; - } - DBG1(DBG_IKE, "error reading from netlink socket: %m"); - pthread_mutex_unlock(&mutex); - return FAILED; - } - if (!NLMSG_OK(msg, len)) - { - DBG1(DBG_IKE, "received corrupted netlink message"); - pthread_mutex_unlock(&mutex); - return FAILED; - } - if (msg->nlmsg_seq != seq) - { - DBG1(DBG_IKE, "received invalid netlink sequence number"); - if (msg->nlmsg_seq < seq) - { - continue; - } - pthread_mutex_unlock(&mutex); - return FAILED; - } - - tmp.len = len; - result = chunk_cata("cc", result, tmp); - - /* NLM_F_MULTI flag does not seem to be set correctly, we use sequence - * numbers to detect multi header messages */ - len = recvfrom(socket, &peek, sizeof(peek), MSG_PEEK | MSG_DONTWAIT, - (struct sockaddr*)&addr, &addr_len); - - if (len == sizeof(peek) && peek.nlmsg_seq == seq) - { - /* seems to be multipart */ - continue; - } - break; - } - - *out_len = result.len; - *out = (struct nlmsghdr*)clalloc(result.ptr, result.len); - - pthread_mutex_unlock(&mutex); - - return SUCCESS; -} - -/** - * send a netlink message and wait for its acknowlegde - */ -static status_t netlink_send_ack(int socket, struct nlmsghdr *in) -{ - struct nlmsghdr *out, *hdr; - size_t len; - - if (netlink_send(socket, in, &out, &len) != SUCCESS) - { - return FAILED; - } - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case NLMSG_ERROR: - { - struct nlmsgerr* err = (struct nlmsgerr*)NLMSG_DATA(hdr); - - if (err->error) - { - DBG1(DBG_KNL, "received netlink error: %s (%d)", - strerror(-err->error), -err->error); - free(out); - return FAILED; - } - free(out); - return SUCCESS; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - DBG1(DBG_KNL, "netlink request not acknowlegded"); - free(out); - return FAILED; -} - -/** - * Create a list of local addresses. - */ -static linked_list_t *create_address_list(private_kernel_interface_t *this) -{ - char request[BUFFER_SIZE]; - struct nlmsghdr *out, *hdr; - struct rtgenmsg *msg; - size_t len; - linked_list_t *list; - - DBG2(DBG_IKE, "getting local address list"); - - list = linked_list_create(); - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)&request; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtgenmsg)); - hdr->nlmsg_type = RTM_GETADDR; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_MATCH | NLM_F_ROOT; - msg = (struct rtgenmsg*)NLMSG_DATA(hdr); - msg->rtgen_family = AF_UNSPEC; - - if (netlink_send(this->socket_rt, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case RTM_NEWADDR: - { - struct ifaddrmsg* msg = (struct ifaddrmsg*)(NLMSG_DATA(hdr)); - struct rtattr *rta = IFA_RTA(msg); - size_t rtasize = IFA_PAYLOAD (hdr); - host_t *host = NULL; - char *name = NULL; - chunk_t local = chunk_empty, address = chunk_empty; - - while(RTA_OK(rta, rtasize)) - { - switch (rta->rta_type) - { - case IFA_LOCAL: - local.ptr = RTA_DATA(rta); - local.len = RTA_PAYLOAD(rta); - break; - case IFA_ADDRESS: - address.ptr = RTA_DATA(rta); - address.len = RTA_PAYLOAD(rta); - break; - case IFA_LABEL: - name = RTA_DATA(rta); - break; - } - rta = RTA_NEXT(rta, rtasize); - } - - /* For PPP interfaces, we need the IFA_LOCAL address, - * IFA_ADDRESS is the peers address. But IFA_LOCAL is - * not included in all cases, so fallback to IFA_ADDRESS. */ - if (local.ptr) - { - host = host_create_from_chunk(msg->ifa_family, local, 0); - } - else if (address.ptr) - { - host = host_create_from_chunk(msg->ifa_family, address, 0); - } - - if (host) - { - address_entry_t *entry; - - entry = malloc_thing(address_entry_t); - entry->host = host; - entry->ifindex = msg->ifa_index; - if (name) - { - memcpy(entry->ifname, name, IFNAMSIZ); - } - else - { - strcpy(entry->ifname, "(unknown)"); - } - list->insert_last(list, entry); - } - hdr = NLMSG_NEXT(hdr, len); - continue; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - free(out); - } - else - { - DBG1(DBG_IKE, "unable to get local address list"); - } - - return list; -} - -/** - * Implements kernel_interface_t.create_address_list. - */ -static linked_list_t *create_address_list_public(private_kernel_interface_t *this) -{ - linked_list_t *result, *list; - address_entry_t *entry; - - result = linked_list_create(); - list = create_address_list(this); - while (list->remove_last(list, (void**)&entry) == SUCCESS) - { - result->insert_last(result, entry->host); - free(entry); - } - list->destroy(list); - - return result; -} - -/** - * implementation of kernel_interface_t.get_interface_name - */ -static char *get_interface_name(private_kernel_interface_t *this, host_t* ip) -{ - linked_list_t *list; - address_entry_t *entry; - char *name = NULL; - - DBG2(DBG_IKE, "getting interface name for %H", ip); - - list = create_address_list(this); - while (!name && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ip->ip_equals(ip, entry->host)) - { - name = strdup(entry->ifname); - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (name) - { - DBG2(DBG_IKE, "%H is on interface %s", ip, name); - } - else - { - DBG2(DBG_IKE, "%H is not a local address", ip); - } - return name; -} - -/** - * Tries to find an ip address of a local interface that is included in the - * supplied traffic selector. - */ -static status_t get_address_by_ts(private_kernel_interface_t *this, - traffic_selector_t *ts, host_t **ip) -{ - address_entry_t *entry; - host_t *host; - int family; - linked_list_t *list; - bool found = FALSE; - - DBG2(DBG_IKE, "getting a local address in traffic selector %R", ts); - - /* if we have a family which includes localhost, we do not - * search for an IP, we use the default */ - family = ts->get_type(ts) == TS_IPV4_ADDR_RANGE ? AF_INET : AF_INET6; - - if (family == AF_INET) - { - host = host_create_from_string("127.0.0.1", 0); - } - else - { - host = host_create_from_string("::1", 0); - } - - if (ts->includes(ts, host)) - { - *ip = host_create_any(family); - host->destroy(host); - DBG2(DBG_IKE, "using host %H", *ip); - return SUCCESS; - } - host->destroy(host); - - list = create_address_list(this); - while (!found && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ts->includes(ts, entry->host)) - { - found = TRUE; - *ip = entry->host->clone(entry->host); - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (!found) - { - DBG1(DBG_IKE, "no local address found in traffic selector %R", ts); - return FAILED; - } - DBG2(DBG_IKE, "using host %H", *ip); - return SUCCESS; -} - -/** - * get the interface of a local address - */ -static int get_interface_index(private_kernel_interface_t *this, host_t* ip) -{ - linked_list_t *list; - address_entry_t *entry; - int ifindex = 0; - - DBG2(DBG_IKE, "getting iface for %H", ip); - - list = create_address_list(this); - while (!ifindex && list->remove_last(list, (void**)&entry) == SUCCESS) - { - if (ip->ip_equals(ip, entry->host)) - { - ifindex = entry->ifindex; - } - address_entry_destroy(entry); - } - list->destroy_function(list, (void*)address_entry_destroy); - - if (ifindex == 0) - { - DBG1(DBG_IKE, "unable to get interface for %H", ip); - } - return ifindex; -} - -/** - * Manages the creation and deletion of ip addresses on an interface. - * By setting the appropriate nlmsg_type, the ip will be set or unset. - */ -static status_t manage_ipaddr(private_kernel_interface_t *this, int nlmsg_type, - int flags, int if_index, host_t *ip) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct ifaddrmsg *msg; - chunk_t chunk; - - memset(&request, 0, sizeof(request)); - - chunk = ip->get_address(ip); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct ifaddrmsg)); - - msg = (struct ifaddrmsg*)NLMSG_DATA(hdr); - msg->ifa_family = ip->get_family(ip); - msg->ifa_flags = 0; - msg->ifa_prefixlen = 8 * chunk.len; - msg->ifa_scope = RT_SCOPE_UNIVERSE; - msg->ifa_index = if_index; - - add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request)); - - return netlink_send_ack(this->socket_rt, hdr); -} - -/** - * Manages source routes in the routing table. - * By setting the appropriate nlmsg_type, the route added or r. - */ -static status_t manage_srcroute(private_kernel_interface_t *this, int nlmsg_type, - int flags, route_entry_t *route) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct rtmsg *msg; - chunk_t chunk; - - /* if route is 0.0.0.0/0, we can't install it, as it would - * overwrite the default route. Instead, we add two routes: - * 0.0.0.0/1 and 128.0.0.0/1 - * TODO: use metrics instead */ - if (route->prefixlen == 0) - { - route_entry_t half; - status_t status; - - half.dst_net = chunk_alloca(route->dst_net.len); - memset(half.dst_net.ptr, 0, half.dst_net.len); - half.src_ip = route->src_ip; - half.if_index = route->if_index; - half.prefixlen = 1; - - status = manage_srcroute(this, nlmsg_type, flags, &half); - half.dst_net.ptr[0] |= 0x80; - status = manage_srcroute(this, nlmsg_type, flags, &half); - return status; - } - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | flags; - hdr->nlmsg_type = nlmsg_type; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg)); - - msg = (struct rtmsg*)NLMSG_DATA(hdr); - msg->rtm_family = route->src_ip->get_family(route->src_ip); - msg->rtm_dst_len = route->prefixlen; - msg->rtm_table = RT_TABLE_MAIN; - msg->rtm_protocol = RTPROT_STATIC; - msg->rtm_type = RTN_UNICAST; - msg->rtm_scope = RT_SCOPE_UNIVERSE; - - add_attribute(hdr, RTA_DST, route->dst_net, sizeof(request)); - chunk = route->src_ip->get_address(route->src_ip); - add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request)); - chunk.ptr = (char*)&route->if_index; - chunk.len = sizeof(route->if_index); - add_attribute(hdr, RTA_OIF, chunk, sizeof(request)); - - return netlink_send_ack(this->socket_rt, hdr); -} - - -/** - * Implementation of kernel_interface_t.add_ip. - */ -static status_t add_ip(private_kernel_interface_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - int targetif; - vip_entry_t *listed; - iterator_t *iterator; - - DBG2(DBG_KNL, "adding virtual IP %H", virtual_ip); - - targetif = get_interface_index(this, iface_ip); - if (targetif == 0) - { - DBG1(DBG_KNL, "unable to add virtual IP %H, no iface found for %H", - virtual_ip, iface_ip); - return FAILED; - } - - /* beware of deadlocks (e.g. send/receive packets while holding the lock) */ - iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); - while (iterator->iterate(iterator, (void**)&listed)) - { - if (listed->if_index == targetif && - virtual_ip->ip_equals(virtual_ip, listed->ip)) - { - listed->refcount++; - iterator->destroy(iterator); - DBG2(DBG_KNL, "virtual IP %H already added to iface %d reusing it", - virtual_ip, targetif); - return SUCCESS; - } - } - iterator->destroy(iterator); - - if (manage_ipaddr(this, RTM_NEWADDR, NLM_F_CREATE | NLM_F_EXCL, - targetif, virtual_ip) == SUCCESS) - { - listed = malloc_thing(vip_entry_t); - listed->ip = virtual_ip->clone(virtual_ip); - listed->if_index = targetif; - listed->refcount = 1; - this->vips->insert_last(this->vips, listed); - DBG2(DBG_KNL, "virtual IP %H added to iface %d", - virtual_ip, targetif); - return SUCCESS; - } - - DBG2(DBG_KNL, "unable to add virtual IP %H to iface %d", - virtual_ip, targetif); - return FAILED; -} - -/** - * Implementation of kernel_interface_t.del_ip. - */ -static status_t del_ip(private_kernel_interface_t *this, - host_t *virtual_ip, host_t *iface_ip) -{ - int targetif; - vip_entry_t *listed; - iterator_t *iterator; - - DBG2(DBG_KNL, "deleting virtual IP %H", virtual_ip); - - targetif = get_interface_index(this, iface_ip); - if (targetif == 0) - { - DBG1(DBG_KNL, "unable to delete virtual IP %H, no iface found for %H", - virtual_ip, iface_ip); - return FAILED; - } - - /* beware of deadlocks (e.g. send/receive packets while holding the lock) */ - iterator = this->vips->create_iterator_locked(this->vips, &(this->vips_mutex)); - while (iterator->iterate(iterator, (void**)&listed)) - { - if (listed->if_index == targetif && - virtual_ip->ip_equals(virtual_ip, listed->ip)) - { - listed->refcount--; - if (listed->refcount == 0) - { - iterator->remove(iterator); - vip_entry_destroy(listed); - iterator->destroy(iterator); - return manage_ipaddr(this, RTM_DELADDR, 0, targetif, virtual_ip); - } - iterator->destroy(iterator); - DBG2(DBG_KNL, "virtual IP %H used by other SAs, not deleting", - virtual_ip); - return SUCCESS; - } - } - iterator->destroy(iterator); - - DBG2(DBG_KNL, "virtual IP %H not cached, unable to delete", virtual_ip); - return FAILED; -} - -/** - * Implementation of kernel_interface_t.get_spi. - */ -static status_t get_spi(private_kernel_interface_t *this, - host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, - u_int32_t *spi) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr, *out; - struct xfrm_userspi_info *userspi; - u_int32_t received_spi = 0; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "getting SPI for reqid %d", reqid); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_ALLOCSPI; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userspi_info)); - - userspi = (struct xfrm_userspi_info*)NLMSG_DATA(hdr); - host2xfrm(src, &userspi->info.saddr); - host2xfrm(dst, &userspi->info.id.daddr); - userspi->info.id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; - userspi->info.mode = TRUE; /* tunnel mode */ - userspi->info.reqid = reqid; - userspi->info.family = src->get_family(src); - userspi->min = 0xc0000000; - userspi->max = 0xcFFFFFFF; - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - struct xfrm_usersa_info* usersa = NLMSG_DATA(hdr); - received_spi = usersa->id.spi; - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - - DBG1(DBG_KNL, "allocating SPI failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - free(out); - } - - if (received_spi == 0) - { - DBG1(DBG_KNL, "unable to get SPI for reqid %d", reqid); - return FAILED; - } - - DBG2(DBG_KNL, "got SPI 0x%x for reqid %d", received_spi, reqid); - - *spi = received_spi; - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.add_sa. - */ -static status_t add_sa(private_kernel_interface_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - u_int64_t expire_soft, u_int64_t expire_hard, - algorithm_t *enc_alg, algorithm_t *int_alg, - prf_plus_t *prf_plus, natt_conf_t *natt, mode_t mode, - bool replace) -{ - unsigned char request[BUFFER_SIZE]; - char *alg_name; - u_int key_size; - struct nlmsghdr *hdr; - struct xfrm_usersa_info *sa; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "adding SAD entry with SPI 0x%x", spi); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = replace ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - - sa = (struct xfrm_usersa_info*)NLMSG_DATA(hdr); - host2xfrm(src, &sa->saddr); - host2xfrm(dst, &sa->id.daddr); - sa->id.spi = spi; - sa->id.proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; - sa->family = src->get_family(src); - sa->mode = mode; - sa->replay_window = 32; - sa->reqid = reqid; - /* we currently do not expire SAs by volume/packet count */ - sa->lft.soft_byte_limit = XFRM_INF; - sa->lft.hard_byte_limit = XFRM_INF; - sa->lft.soft_packet_limit = XFRM_INF; - sa->lft.hard_packet_limit = XFRM_INF; - /* we use lifetimes since added, not since used */ - sa->lft.soft_add_expires_seconds = expire_soft; - sa->lft.hard_add_expires_seconds = expire_hard; - sa->lft.soft_use_expires_seconds = 0; - sa->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_info); - - if (enc_alg->algorithm != ENCR_UNDEFINED) - { - rthdr->rta_type = XFRMA_ALG_CRYPT; - alg_name = lookup_algorithm(encryption_algs, enc_alg, &key_size); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - encryption_algorithm_names, enc_alg->algorithm); - return FAILED; - } - DBG2(DBG_KNL, " using encryption algorithm %N with key size %d", - encryption_algorithm_names, enc_alg->algorithm, key_size); - - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = key_size; - strcpy(algo->alg_name, alg_name); - prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (int_alg->algorithm != AUTH_UNDEFINED) - { - rthdr->rta_type = XFRMA_ALG_AUTH; - alg_name = lookup_algorithm(integrity_algs, int_alg, &key_size); - if (alg_name == NULL) - { - DBG1(DBG_KNL, "algorithm %N not supported by kernel!", - integrity_algorithm_names, int_alg->algorithm); - return FAILED; - } - DBG2(DBG_KNL, " using integrity algorithm %N with key size %d", - integrity_algorithm_names, int_alg->algorithm, key_size); - - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_algo) + key_size); - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_algo* algo = (struct xfrm_algo*)RTA_DATA(rthdr); - algo->alg_key_len = key_size; - strcpy(algo->alg_name, alg_name); - prf_plus->get_bytes(prf_plus, key_size / 8, algo->alg_key); - - rthdr = XFRM_RTA_NEXT(rthdr); - } - - /* TODO: add IPComp here */ - - if (natt) - { - rthdr->rta_type = XFRMA_ENCAP; - rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_encap_tmpl* encap = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); - encap->encap_type = UDP_ENCAP_ESPINUDP; - encap->encap_sport = htons(natt->sport); - encap->encap_dport = htons(natt->dport); - memset(&encap->encap_oa, 0, sizeof (xfrm_address_t)); - /* encap_oa could probably be derived from the - * traffic selectors [rfc4306, p39]. In the netlink kernel implementation - * pluto does the same as we do here but it uses encap_oa in the - * pfkey implementation. BUT as /usr/src/linux/net/key/af_key.c indicates - * the kernel ignores it anyway - * -> does that mean that NAT-T encap doesn't work in transport mode? - * No. The reason the kernel ignores NAT-OA is that it recomputes - * (or, rather, just ignores) the checksum. If packets pass - * the IPsec checks it marks them "checksum ok" so OA isn't needed. */ - rthdr = XFRM_RTA_NEXT(rthdr); - } - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unalbe to add SAD entry with SPI 0x%x", spi); - return FAILED; - } - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.update_sa. - */ -static status_t update_sa(private_kernel_interface_t *this, - host_t *src, host_t *dst, - host_t *new_src, host_t *new_dst, - host_diff_t src_changes, host_diff_t dst_changes, - u_int32_t spi, protocol_id_t protocol) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr, *out = NULL; - struct xfrm_usersa_id *sa_id; - struct xfrm_usersa_info *sa = NULL; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; - sa_id->family = dst->get_family(dst); - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - sa = NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - if (sa == NULL) - { - DBG1(DBG_KNL, "unable to update SAD entry with SPI 0x%x", spi); - free(out); - return FAILED; - } - - DBG2(DBG_KNL, "updating SAD entry with SPI 0x%x", spi); - - hdr = out; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_UPDSA; - - if (src_changes & HOST_DIFF_ADDR) - { - host2xfrm(new_src, &sa->saddr); - } - - if (dst_changes & HOST_DIFF_ADDR) - { - hdr->nlmsg_type = XFRM_MSG_NEWSA; - host2xfrm(new_dst, &sa->id.daddr); - } - - if (src_changes & HOST_DIFF_PORT || dst_changes & HOST_DIFF_PORT) - { - struct rtattr *rtattr = XFRM_RTA(hdr, struct xfrm_usersa_info); - size_t rtsize = XFRM_PAYLOAD(hdr, struct xfrm_usersa_info); - while (RTA_OK(rtattr, rtsize)) - { - if (rtattr->rta_type == XFRMA_ENCAP) - { - struct xfrm_encap_tmpl* encap; - encap = (struct xfrm_encap_tmpl*)RTA_DATA(rtattr); - encap->encap_sport = ntohs(new_src->get_port(new_src)); - encap->encap_dport = ntohs(new_dst->get_port(new_dst)); - break; - } - rtattr = RTA_NEXT(rtattr, rtsize); - } - } - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unalbe to update SAD entry with SPI 0x%x", spi); - free(out); - return FAILED; - } - free(out); - - if (dst_changes & HOST_DIFF_ADDR) - { - return this->public.del_sa(&this->public, dst, spi, protocol); - } - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.query_sa. - */ -static status_t query_sa(private_kernel_interface_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol, - u_int32_t *use_time) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *out = NULL, *hdr; - struct xfrm_usersa_id *sa_id; - struct xfrm_usersa_info *sa = NULL; - size_t len; - - DBG2(DBG_KNL, "querying SAD entry with SPI 0x%x", spi); - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_info)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; - sa_id->family = dst->get_family(dst); - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWSA: - { - sa = NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (sa == NULL) - { - DBG1(DBG_KNL, "unable to query SAD entry with SPI 0x%x", spi); - free(out); - return FAILED; - } - - *use_time = sa->curlft.use_time; - free (out); - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.del_sa. - */ -static status_t del_sa(private_kernel_interface_t *this, host_t *dst, - u_int32_t spi, protocol_id_t protocol) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct xfrm_usersa_id *sa_id; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "deleting SAD entry with SPI 0x%x", spi); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_DELSA; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_usersa_id)); - - sa_id = (struct xfrm_usersa_id*)NLMSG_DATA(hdr); - host2xfrm(dst, &sa_id->daddr); - sa_id->spi = spi; - sa_id->proto = (protocol == PROTO_ESP) ? KERNEL_ESP : KERNEL_AH; - sa_id->family = dst->get_family(dst); - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unalbe to delete SAD entry with SPI 0x%x", spi); - return FAILED; - } - DBG2(DBG_KNL, "deleted SAD entry with SPI 0x%x", spi); - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.add_policy. - */ -static status_t add_policy(private_kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, protocol_id_t protocol, - u_int32_t reqid, bool high_prio, mode_t mode, - bool update) -{ - iterator_t *iterator; - policy_entry_t *current, *policy; - bool found = FALSE; - unsigned char request[BUFFER_SIZE]; - struct xfrm_userpolicy_info *policy_info; - struct nlmsghdr *hdr; - - /* create a policy */ - policy = malloc_thing(policy_entry_t); - memset(policy, 0, sizeof(policy_entry_t)); - policy->sel = ts2selector(src_ts, dst_ts); - policy->direction = direction; - - /* find the policy, which matches EXACTLY */ - pthread_mutex_lock(&this->policies_mutex); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (memcmp(¤t->sel, &policy->sel, sizeof(struct xfrm_selector)) == 0 && - policy->direction == current->direction) - { - /* use existing policy */ - if (!update) - { - current->refcount++; - DBG2(DBG_KNL, "policy %R===%R already exists, increasing ", - "refcount", src_ts, dst_ts); - } - free(policy); - policy = current; - found = TRUE; - break; - } - } - iterator->destroy(iterator); - if (!found) - { /* apply the new one, if we have no such policy */ - this->policies->insert_last(this->policies, policy); - policy->refcount = 1; - } - - DBG2(DBG_KNL, "adding policy %R===%R", src_ts, dst_ts); - - memset(&request, 0, sizeof(request)); - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_UPDPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_info)); - - policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - policy_info->sel = policy->sel; - policy_info->dir = policy->direction; - /* calculate priority based on source selector size, small size = high prio */ - policy_info->priority = high_prio ? PRIO_HIGH : PRIO_LOW; - policy_info->priority -= policy->sel.prefixlen_s * 10; - policy_info->priority -= policy->sel.proto ? 2 : 0; - policy_info->priority -= policy->sel.sport_mask ? 1 : 0; - policy_info->action = XFRM_POLICY_ALLOW; - policy_info->share = XFRM_SHARE_ANY; - pthread_mutex_unlock(&this->policies_mutex); - - /* policies don't expire */ - policy_info->lft.soft_byte_limit = XFRM_INF; - policy_info->lft.soft_packet_limit = XFRM_INF; - policy_info->lft.hard_byte_limit = XFRM_INF; - policy_info->lft.hard_packet_limit = XFRM_INF; - policy_info->lft.soft_add_expires_seconds = 0; - policy_info->lft.hard_add_expires_seconds = 0; - policy_info->lft.soft_use_expires_seconds = 0; - policy_info->lft.hard_use_expires_seconds = 0; - - struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_info); - rthdr->rta_type = XFRMA_TMPL; - - rthdr->rta_len = sizeof(struct xfrm_user_tmpl); - rthdr->rta_len = RTA_LENGTH(rthdr->rta_len); - - hdr->nlmsg_len += rthdr->rta_len; - if (hdr->nlmsg_len > sizeof(request)) - { - return FAILED; - } - - struct xfrm_user_tmpl *tmpl = (struct xfrm_user_tmpl*)RTA_DATA(rthdr); - tmpl->reqid = reqid; - tmpl->id.proto = (protocol == PROTO_AH) ? KERNEL_AH : KERNEL_ESP; - tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0; - tmpl->mode = mode; - tmpl->family = src->get_family(src); - - host2xfrm(src, &tmpl->saddr); - host2xfrm(dst, &tmpl->id.daddr); - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unable to add policy %R===%R", src_ts, dst_ts); - return FAILED; - } - - /* install a route, if: - * - we are NOT updating a policy - * - this is a forward policy (to just get one for each child) - * - we are in tunnel mode - * - we are not using IPv6 (does not work correctly yet!) - */ - if (policy->route == NULL && direction == POLICY_FWD && - mode != MODE_TRANSPORT && src->get_family(src) != AF_INET6) - { - policy->route = malloc_thing(route_entry_t); - if (get_address_by_ts(this, dst_ts, &policy->route->src_ip) == SUCCESS) - { - policy->route->if_index = get_interface_index(this, dst); - policy->route->dst_net = chunk_alloc(policy->sel.family == AF_INET ? 4 : 16); - memcpy(policy->route->dst_net.ptr, &policy->sel.saddr, policy->route->dst_net.len); - policy->route->prefixlen = policy->sel.prefixlen_s; - - if (manage_srcroute(this, RTM_NEWROUTE, NLM_F_CREATE | NLM_F_EXCL, - policy->route) != SUCCESS) - { - DBG1(DBG_KNL, "unable to install source route for %H", - policy->route->src_ip); - route_entry_destroy(policy->route); - policy->route = NULL; - } - } - else - { - free(policy->route); - policy->route = NULL; - } - } - - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.query_policy. - */ -static status_t query_policy(private_kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time) -{ - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *out = NULL, *hdr; - struct xfrm_userpolicy_id *policy_id; - struct xfrm_userpolicy_info *policy = NULL; - size_t len; - - memset(&request, 0, sizeof(request)); - - DBG2(DBG_KNL, "querying policy %R===%R", src_ts, dst_ts); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST; - hdr->nlmsg_type = XFRM_MSG_GETPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - policy_id->sel = ts2selector(src_ts, dst_ts); - policy_id->dir = direction; - - if (netlink_send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) - { - hdr = out; - while (NLMSG_OK(hdr, len)) - { - switch (hdr->nlmsg_type) - { - case XFRM_MSG_NEWPOLICY: - { - policy = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr); - break; - } - case NLMSG_ERROR: - { - struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying policy failed: %s (%d)", - strerror(-err->error), -err->error); - break; - } - default: - hdr = NLMSG_NEXT(hdr, len); - continue; - case NLMSG_DONE: - break; - } - break; - } - } - - if (policy == NULL) - { - DBG2(DBG_KNL, "unable to query policy %R===%R", src_ts, dst_ts); - free(out); - return FAILED; - } - *use_time = (time_t)policy->curlft.use_time; - - free(out); - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.del_policy. - */ -static status_t del_policy(private_kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction) -{ - policy_entry_t *current, policy, *to_delete = NULL; - route_entry_t *route; - unsigned char request[BUFFER_SIZE]; - struct nlmsghdr *hdr; - struct xfrm_userpolicy_id *policy_id; - iterator_t *iterator; - - DBG2(DBG_KNL, "deleting policy %R===%R", src_ts, dst_ts); - - /* create a policy */ - memset(&policy, 0, sizeof(policy_entry_t)); - policy.sel = ts2selector(src_ts, dst_ts); - policy.direction = direction; - - /* find the policy */ - pthread_mutex_lock(&this->policies_mutex); - iterator = this->policies->create_iterator(this->policies, TRUE); - while (iterator->iterate(iterator, (void**)¤t)) - { - if (memcmp(¤t->sel, &policy.sel, sizeof(struct xfrm_selector)) == 0 && - policy.direction == current->direction) - { - to_delete = current; - if (--to_delete->refcount > 0) - { - /* is used by more SAs, keep in kernel */ - DBG2(DBG_KNL, "policy still used by another CHILD_SA, not removed"); - iterator->destroy(iterator); - pthread_mutex_unlock(&this->policies_mutex); - return SUCCESS; - } - /* remove if last reference */ - iterator->remove(iterator); - break; - } - } - iterator->destroy(iterator); - pthread_mutex_unlock(&this->policies_mutex); - if (!to_delete) - { - DBG1(DBG_KNL, "deleting policy %R===%R failed, not found", src_ts, dst_ts); - return NOT_FOUND; - } - - memset(&request, 0, sizeof(request)); - - hdr = (struct nlmsghdr*)request; - hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; - hdr->nlmsg_type = XFRM_MSG_DELPOLICY; - hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_id)); - - policy_id = (struct xfrm_userpolicy_id*)NLMSG_DATA(hdr); - policy_id->sel = to_delete->sel; - policy_id->dir = direction; - - route = to_delete->route; - free(to_delete); - - if (netlink_send_ack(this->socket_xfrm, hdr) != SUCCESS) - { - DBG1(DBG_KNL, "unable to delete policy %R===%R", src_ts, dst_ts); - return FAILED; - } - - if (route) - { - if (manage_srcroute(this, RTM_DELROUTE, 0, route) != SUCCESS) - { - DBG1(DBG_KNL, "error uninstalling route installed with " - "policy %R===%R", src_ts, dst_ts); - } - route_entry_destroy(route); - } - return SUCCESS; -} - -/** - * Implementation of kernel_interface_t.destroy. - */ -static void destroy(private_kernel_interface_t *this) -{ - pthread_cancel(this->event_thread); - pthread_join(this->event_thread, NULL); - close(this->socket_xfrm_events); - close(this->socket_xfrm); - close(this->socket_rt); - this->vips->destroy(this->vips); - this->policies->destroy(this->policies); - free(this); -} - -/* - * Described in header. - */ -kernel_interface_t *kernel_interface_create() -{ - private_kernel_interface_t *this = malloc_thing(private_kernel_interface_t); - struct sockaddr_nl addr; - - /* public functions */ - this->public.get_spi = (status_t(*)(kernel_interface_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi; - this->public.add_sa = (status_t(*)(kernel_interface_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,u_int64_t,u_int64_t,algorithm_t*,algorithm_t*,prf_plus_t*,natt_conf_t*,mode_t,bool))add_sa; - this->public.update_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,host_t*,host_t*,host_diff_t,host_diff_t))update_sa; - this->public.query_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t*))query_sa; - this->public.del_sa = (status_t(*)(kernel_interface_t*,host_t*,u_int32_t,protocol_id_t))del_sa; - this->public.add_policy = (status_t(*)(kernel_interface_t*,host_t*,host_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,protocol_id_t,u_int32_t,bool,mode_t,bool))add_policy; - this->public.query_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy; - this->public.del_policy = (status_t(*)(kernel_interface_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t))del_policy; - - this->public.get_interface = (char*(*)(kernel_interface_t*,host_t*))get_interface_name; - this->public.create_address_list = (linked_list_t*(*)(kernel_interface_t*))create_address_list_public; - this->public.add_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) add_ip; - this->public.del_ip = (status_t(*)(kernel_interface_t*,host_t*,host_t*)) del_ip; - this->public.destroy = (void(*)(kernel_interface_t*)) destroy; - - /* private members */ - this->vips = linked_list_create(); - this->policies = linked_list_create(); - pthread_mutex_init(&this->policies_mutex,NULL); - pthread_mutex_init(&this->vips_mutex,NULL); - - addr.nl_family = AF_NETLINK; - addr.nl_pid = 0; - addr.nl_groups = 0; - - /* create and bind XFRM socket */ - this->socket_xfrm = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); - if (this->socket_xfrm <= 0) - { - charon->kill(charon, "unable to create XFRM netlink socket"); - } - - if (bind(this->socket_xfrm, (struct sockaddr*)&addr, sizeof(addr))) - { - charon->kill(charon, "unable to bind XFRM netlink socket"); - } - - /* create and bind RT socket */ - this->socket_rt = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - if (this->socket_rt <= 0) - { - charon->kill(charon, "unable to create RT netlink socket"); - } - - if (bind(this->socket_rt, (struct sockaddr*)&addr, sizeof(addr))) - { - charon->kill(charon, "unable to bind RT netlink socket"); - } - - /* create and bind XFRM socket for ACQUIRE & EXPIRE */ - addr.nl_groups = XFRMGRP_ACQUIRE | XFRMGRP_EXPIRE; - this->socket_xfrm_events = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); - if (this->socket_xfrm_events <= 0) - { - charon->kill(charon, "unable to create XFRM event socket"); - } - - if (bind(this->socket_xfrm_events, (struct sockaddr*)&addr, sizeof(addr))) - { - charon->kill(charon, "unable to bind XFRM event socket"); - } - - /* create a thread receiving ACQUIRE & EXPIRE events */ - if (pthread_create(&this->event_thread, NULL, - (void*(*)(void*))receive_events, this)) - { - charon->kill(charon, "unable to create xfrm event dispatcher thread"); - } - - return &this->public; -} - -/* vim: set ts=4 sw=4 noet: */ diff --git a/src/charon/threads/kernel_interface.h b/src/charon/threads/kernel_interface.h deleted file mode 100644 index 34b06f594..000000000 --- a/src/charon/threads/kernel_interface.h +++ /dev/null @@ -1,331 +0,0 @@ -/** - * @file kernel_interface.h - * - * @brief Interface of kernel_interface_t. - * - */ - -/* - * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef KERNEL_INTERFACE_H_ -#define KERNEL_INTERFACE_H_ - -typedef struct natt_conf_t natt_conf_t; -typedef enum policy_dir_t policy_dir_t; -typedef struct kernel_interface_t kernel_interface_t; - -#include <utils/host.h> -#include <crypto/prf_plus.h> -#include <encoding/payloads/proposal_substructure.h> - -/** - * Configuration for NAT-T - */ -struct natt_conf_t { - /** source port to use for UDP-encapsulated packets */ - u_int16_t sport; - /** dest port to use for UDP-encapsulated packets */ - u_int16_t dport; -}; - -/** - * Direction of a policy. These are equal to those - * defined in xfrm.h, but we want to stay implementation - * neutral here. - */ -enum policy_dir_t { - /** Policy for inbound traffic */ - POLICY_IN = 0, - /** Policy for outbound traffic */ - POLICY_OUT = 1, - /** Policy for forwarded traffic */ - POLICY_FWD = 2, -}; - -/** - * @brief Interface to the kernel. - * - * The kernel interface handles the communication with the kernel - * for SA and policy management. It allows setup of these, and provides - * further the handling of kernel events. - * Policy information are cached in the interface. This is necessary to do - * reference counting. The Linux kernel does not allow the same policy - * installed twice, but we need this as CHILD_SA exist multiple times - * when rekeying. Thats why we do reference counting of policies. - * - * @b Constructors: - * - kernel_interface_create() - * - * @ingroup threads - */ -struct kernel_interface_t { - - /** - * @brief Get a SPI from the kernel. - * - * @warning get_spi() implicitely creates an SA with - * the allocated SPI, therefore the replace flag - * in add_sa() must be set when installing this SA. - * - * @param this calling object - * @param src source address of SA - * @param dst destination address of SA - * @param protocol protocol for SA (ESP/AH) - * @param reqid unique ID for this SA - * @param[out] spi allocated spi - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*get_spi)(kernel_interface_t *this, host_t *src, host_t *dst, - protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); - - /** - * @brief Add an SA to the SAD. - * - * add_sa() may update an already allocated - * SPI (via get_spi). In this case, the replace - * flag must be set. - * This function does install a single SA for a - * single protocol in one direction. The kernel-interface - * gets the keys itself from the PRF, as we don't know - * his algorithms and key sizes. - * - * @param this calling object - * @param src source address for this SA - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param reqid unique ID for this SA - * @param expire_soft lifetime in seconds before rekeying - * @param expire_hard lieftime in seconds before delete - * @param enc_alg Algorithm to use for encryption (ESP only) - * @param int_alg Algorithm to use for integrity protection - * @param prf_plus PRF to derive keys from - * @param natt NAT-T Configuration, or NULL of no NAT-T used - * @param mode mode of the SA (tunnel, transport) - * @param replace Should an already installed SA be updated? - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_sa) (kernel_interface_t *this, - host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, - u_int64_t expire_soft, u_int64_t expire_hard, - algorithm_t *enc_alg, algorithm_t *int_alg, - prf_plus_t *prf_plus, natt_conf_t *natt, - mode_t mode, bool update); - - /** - * @brief Update the hosts on an installed SA. - * - * We cannot directly update the destination address as the kernel - * requires the spi, the protocol AND the destination address (and family) - * to identify SAs. Therefore if the destination address changed we - * create a new SA and delete the old one. - * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI of the SA - * @param protocol protocol for this SA (ESP/AH) - * @param new_src new source address for this SA - * @param new_dst new destination address for this SA - * @param src_changes changes in src - * @param dst_changes changes in dst - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*update_sa)(kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, - host_t *new_src, host_t *new_dst, - host_diff_t src_changes, host_diff_t dst_changes); - - /** - * @brief Query the use time of an SA. - * - * The use time of an SA is not the time of the last usage, but - * the time of the first usage of the SA. - * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @param[out] use_time the time of this SA's last use - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*query_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t *use_time); - - /** - * @brief Delete a previusly installed SA from the SAD. - * - * @param this calling object - * @param dst destination address for this SA - * @param spi SPI allocated by us or remote peer - * @param protocol protocol for this SA (ESP/AH) - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, - protocol_id_t protocol); - - /** - * @brief Add a policy to the SPD. - * - * A policy is always associated to an SA. Traffic which matches a - * policy is handled by the SA with the same reqid. - * If the update flag is set, the policy is updated with the new - * src/dst addresses. - * If the update flag is not set, but a such policy is already in the - * kernel, the reference count to this policy is increased. - * - * @param this calling object - * @param src source address of SA - * @param dst dest address of SA - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param protocol protocol to use to protect traffic (AH/ESP) - * @param reqid uniqe ID of an SA to use to enforce policy - * @param high_prio if TRUE, uses a higher priority than any with FALSE - * @param mode mode of SA (tunnel, transport) - * @param update update an existing policy, if TRUE - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_policy) (kernel_interface_t *this, - host_t *src, host_t *dst, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, protocol_id_t protocol, - u_int32_t reqid, bool high_prio, - mode_t mode, bool update); - - /** - * @brief Query the use time of a policy. - * - * The use time of a policy is the time the policy was used - * for the last time. - * - * @param this calling object - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @param[out] use_time the time of this SA's last use - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*query_policy) (kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); - - /** - * @brief Remove a policy from the SPD. - * - * The kernel interface implements reference counting for policies. - * If the same policy is installed multiple times (in the case of rekeying), - * the reference counter is increased. del_policy() decreases the ref counter - * and removes the policy only when no more references are available. - * - * @param this calling object - * @param src_ts traffic selector to match traffic source - * @param dst_ts traffic selector to match traffic dest - * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_policy) (kernel_interface_t *this, - traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, - policy_dir_t direction); - - /** - * @brief Get the interface name of a local address. - * - * @param this calling object - * @param host address to get interface name from - * @return allocated interface name, or NULL if not found - */ - char* (*get_interface) (kernel_interface_t *this, host_t *host); - - /** - * @brief Creates a list of all local addresses. - * - * @param this calling object - * @return allocated list with host_t objects - */ - linked_list_t *(*create_address_list) (kernel_interface_t *this); - - /** - * @brief Add a virtual IP to an interface. - * - * Virtual IPs are attached to an interface. If an IP is added multiple - * times, the IP is refcounted and not removed until del_ip() was called - * as many times as add_ip(). - * The virtual IP is attached to the interface where the iface_ip is found. - * - * @param this calling object - * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to attach virtual IP - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*add_ip) (kernel_interface_t *this, host_t *virtual_ip, - host_t *iface_ip); - - /** - * @brief Remove a virtual IP from an interface. - * - * The kernel interface uses refcounting, see add_ip(). - * - * @param this calling object - * @param virtual_ip virtual ip address to assign - * @param iface_ip IP of an interface to remove virtual IP from - * @return - * - SUCCESS - * - FAILED if kernel comm failed - */ - status_t (*del_ip) (kernel_interface_t *this, host_t *virtual_ip, - host_t *iface_ip); - - /** - * @brief Destroys a kernel_interface object. - * - * @param kernel_interface_t calling object - */ - void (*destroy) (kernel_interface_t *kernel_interface); -}; - -/** - * @brief Creates an object of type kernel_interface_t. - * - * @ingroup threads - */ -kernel_interface_t *kernel_interface_create(void); - -#endif /*KERNEL_INTERFACE_H_*/ diff --git a/src/charon/threads/receiver.c b/src/charon/threads/receiver.c deleted file mode 100644 index 7195c162d..000000000 --- a/src/charon/threads/receiver.c +++ /dev/null @@ -1,372 +0,0 @@ -/** - * @file receiver.c - * - * @brief Implementation of receiver_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <pthread.h> - -#include "receiver.h" - -#include <daemon.h> -#include <network/socket.h> -#include <network/packet.h> -#include <queues/job_queue.h> -#include <queues/jobs/job.h> -#include <queues/jobs/process_message_job.h> - -/** length of the full cookie, including time (u_int32_t + SHA1()) */ -#define COOKIE_LENGTH 24 -/** lifetime of a cookie, in seconds */ -#define COOKIE_LIFETIME 10 -/** how many times to reuse the secret */ -#define COOKIE_REUSE 10000 -/** require cookies after half open IKE_SAs */ -#define COOKIE_TRESHOLD 10 -/** how many half open IKE_SAs per peer before blocking */ -#define BLOCK_TRESHOLD 5 -/** length of the secret to use for cookie calculation */ -#define SECRET_LENGTH 16 - -typedef struct private_receiver_t private_receiver_t; - -/** - * Private data of a receiver_t object. - */ -struct private_receiver_t { - /** - * Public part of a receiver_t object. - */ - receiver_t public; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; - - /** - * current secret to use for cookie calculation - */ - char secret[SECRET_LENGTH]; - - /** - * previous secret used to verify older cookies - */ - char secret_old[SECRET_LENGTH]; - - /** - * how many times we have used "secret" so far - */ - u_int32_t secret_used; - - /** - * time we did the cookie switch - */ - u_int32_t secret_switch; - - /** - * time offset to use, hides our system time - */ - u_int32_t secret_offset; - - /** - * the randomizer to use for secret generation - */ - randomizer_t *randomizer; - - /** - * hasher to use for cookie calculation - */ - hasher_t *hasher; -}; - -/** - * send a notify back to the sender - */ -static void send_notify(message_t *request, notify_type_t type, chunk_t data) -{ - if (request->get_request(request) && - request->get_exchange_type(request) == IKE_SA_INIT) - { - message_t *response; - host_t *src, *dst; - packet_t *packet; - ike_sa_id_t *ike_sa_id; - - response = message_create(); - dst = request->get_source(request); - src = request->get_destination(request); - response->set_source(response, src->clone(src)); - response->set_destination(response, dst->clone(dst)); - response->set_exchange_type(response, request->get_exchange_type(request)); - response->set_request(response, FALSE); - response->set_message_id(response, 0); - ike_sa_id = request->get_ike_sa_id(request); - ike_sa_id->switch_initiator(ike_sa_id); - response->set_ike_sa_id(response, ike_sa_id); - response->add_notify(response, FALSE, type, data); - if (response->generate(response, NULL, NULL, &packet) == SUCCESS) - { - charon->sender->send(charon->sender, packet); - response->destroy(response); - } - } -} - -/** - * build a cookie - */ -static chunk_t cookie_build(private_receiver_t *this, message_t *message, - u_int32_t t, chunk_t secret) -{ - u_int64_t spi = message->get_initiator_spi(message); - host_t *ip = message->get_source(message); - chunk_t input, hash = chunk_alloca(this->hasher->get_hash_size(this->hasher)); - - /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */ - input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi), - chunk_from_thing(t), secret); - this->hasher->get_hash(this->hasher, input, hash.ptr); - return chunk_cat("cc", chunk_from_thing(t), hash); -} - -/** - * verify a received cookie - */ -static bool cookie_verify(private_receiver_t *this, message_t *message, - chunk_t cookie) -{ - u_int32_t t, now; - chunk_t reference; - chunk_t secret; - - now = time(NULL); - t = *(u_int32_t*)cookie.ptr; - - if (cookie.len != COOKIE_LENGTH || - t < now - this->secret_offset - COOKIE_LIFETIME) - { - DBG2(DBG_NET, "received cookie lifetime expired, rejecting"); - return FALSE; - } - - /* check if cookie is derived from old_secret */ - if (t + this->secret_offset > this->secret_switch) - { - secret = chunk_from_thing(this->secret); - } - else - { - secret = chunk_from_thing(this->secret_old); - } - - /* compare own calculation against received */ - reference = cookie_build(this, message, t, secret); - if (chunk_equals(reference, cookie)) - { - chunk_free(&reference); - return TRUE; - } - chunk_free(&reference); - return FALSE; -} - -/** - * check if cookies are required, and if so, a valid cookie is included - */ -static bool cookie_required(private_receiver_t *this, message_t *message) -{ - bool failed = FALSE; - - if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - NULL) >= COOKIE_TRESHOLD) - { - /* check for a cookie. We don't use our parser here and do it - * quick and dirty for performance reasons. - * we assume to cookie is the first payload (which is a MUST), and - * the cookies SPI length is zero. */ - packet_t *packet = message->get_packet(message); - chunk_t data = packet->get_data(packet); - if (data.len < - IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH + COOKIE_LENGTH || - *(data.ptr + 16) != NOTIFY || - *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE)) - { - /* no cookie found */ - failed = TRUE; - } - else - { - data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH; - data.len = COOKIE_LENGTH; - if (!cookie_verify(this, message, data)) - { - DBG2(DBG_NET, "found cookie, but content invalid"); - failed = TRUE; - } - } - packet->destroy(packet); - } - return failed; -} - -/** - * check if peer has to many half open IKE_SAs - */ -static bool peer_to_aggressive(private_receiver_t *this, message_t *message) -{ - if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, - message->get_source(message)) >= BLOCK_TRESHOLD) - { - return TRUE; - } - return FALSE; -} - -/** - * Implementation of receiver_t.receive_packets. - */ -static void receive_packets(private_receiver_t *this) -{ - packet_t *packet; - message_t *message; - job_t *job; - - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(DBG_NET, "receiver thread running, thread_ID: %06u", - (int)pthread_self()); - - while (TRUE) - { - /* read in a packet */ - if (charon->socket->receive(charon->socket, &packet) != SUCCESS) - { - DBG1(DBG_NET, "receiving from socket failed!"); - continue; - } - - /* parse message header */ - message = message_create_from_packet(packet); - if (message->parse_header(message) != SUCCESS) - { - DBG1(DBG_NET, "received invalid IKE header from %H, ignored", - packet->get_source(packet)); - message->destroy(message); - continue; - } - - /* check IKE major version */ - if (message->get_major_version(message) != IKE_MAJOR_VERSION) - { - DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, " - "sending INVALID_MAJOR_VERSION", message->get_major_version(message), - message->get_minor_version(message), packet->get_source(packet)); - send_notify(message, INVALID_MAJOR_VERSION, chunk_empty); - message->destroy(message); - continue; - } - - if (message->get_request(message) && - message->get_exchange_type(message) == IKE_SA_INIT) - { - /* check for cookies */ - if (cookie_required(this, message)) - { - u_int32_t now = time(NULL); - chunk_t cookie = cookie_build(this, message, now - this->secret_offset, - chunk_from_thing(this->secret)); - - DBG2(DBG_NET, "received packet from: %#H to %#H", - message->get_source(message), - message->get_destination(message)); - DBG2(DBG_NET, "sending COOKIE notify to %H", - message->get_source(message)); - send_notify(message, COOKIE, cookie); - chunk_free(&cookie); - if (++this->secret_used > COOKIE_REUSE) - { - /* create new cookie */ - DBG1(DBG_NET, "generating new cookie secret after %d uses", - this->secret_used); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); - this->randomizer->get_pseudo_random_bytes(this->randomizer, - SECRET_LENGTH, this->secret); - this->secret_switch = now; - this->secret_used = 0; - } - message->destroy(message); - continue; - } - - /* check if peer has not too many IKE_SAs half open */ - if (peer_to_aggressive(this, message)) - { - DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " - "peer to aggressive", message->get_source(message)); - message->destroy(message); - continue; - } - } - job = (job_t *)process_message_job_create(message); - charon->job_queue->add(charon->job_queue, job); - } -} - -/** - * Implementation of receiver_t.destroy. - */ -static void destroy(private_receiver_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - this->randomizer->destroy(this->randomizer); - this->hasher->destroy(this->hasher); - free(this); -} - -/* - * Described in header. - */ -receiver_t *receiver_create() -{ - private_receiver_t *this = malloc_thing(private_receiver_t); - u_int32_t now = time(NULL); - - this->public.destroy = (void(*)(receiver_t*)) destroy; - - this->randomizer = randomizer_create(); - this->hasher = hasher_create(HASH_SHA1); - this->secret_switch = now; - this->secret_offset = random() % now; - this->secret_used = 0; - this->randomizer->get_pseudo_random_bytes(this->randomizer, SECRET_LENGTH, - this->secret); - memcpy(this->secret_old, this->secret, SECRET_LENGTH); - - if (pthread_create(&this->assigned_thread, NULL, - (void*)receive_packets, this) != 0) - { - free(this); - charon->kill(charon, "unable to create receiver thread"); - } - - return &this->public; -} diff --git a/src/charon/threads/receiver.h b/src/charon/threads/receiver.h deleted file mode 100644 index 68d9136c0..000000000 --- a/src/charon/threads/receiver.h +++ /dev/null @@ -1,81 +0,0 @@ -/** - * @file receiver.h - * - * @brief Interface of receiver_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef RECEIVER_H_ -#define RECEIVER_H_ - -typedef struct receiver_t receiver_t; - -#include <library.h> -#include <utils/host.h> - -/** - * @brief Receives packets from the socket and adds them to the job queue. - * - * The receiver starts a thread, wich reads on the blocking socket. A received - * packet is preparsed and a process_message_job is queued in the job queue. - * - * To endure DoS attacks, cookies are enabled when to many IKE_SAs are half - * open. The calculation of cookies is slightly different from the proposed - * method in RFC4306. We do not include a nonce, because we think the advantage - * we gain does not justify the overhead to parse the whole message. - * Instead of VersionIdOfSecret, we include a timestamp. This allows us to - * find out wich key was used for cookie creation. Further, we can set a - * lifetime for the cookie, which allows us to reuse the secret for a longer - * time. - * COOKIE = time | sha1( IPi | SPIi | time | secret ) - * - * The secret is changed after a certain amount of cookies sent. The old - * secret is stored to allow a clean migration between secret changes. - * - * Further, the number of half-initiated IKE_SAs is limited per peer. This - * mades it impossible for a peer to flood the server with its real IP address. - * - * @b Constructors: - * - receiver_create() - * - * @ingroup threads - */ -struct receiver_t { - - /** - * @brief Destroys a receiver_t object. - * - * @param receiver receiver object - */ - void (*destroy) (receiver_t *receiver); -}; - -/** - * @brief Create a receiver_t object. - * - * The receiver thread will start working, get data - * from the socket and add those packets to the job queue. - * - * @return receiver_t object - * - * @ingroup threads - */ -receiver_t * receiver_create(void); - -#endif /*RECEIVER_H_*/ diff --git a/src/charon/threads/scheduler.c b/src/charon/threads/scheduler.c deleted file mode 100644 index 74091e3a3..000000000 --- a/src/charon/threads/scheduler.c +++ /dev/null @@ -1,102 +0,0 @@ -/** - * @file scheduler.c - * - * @brief Implementation of scheduler_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <pthread.h> - -#include "scheduler.h" - -#include <daemon.h> -#include <queues/job_queue.h> - - -typedef struct private_scheduler_t private_scheduler_t; - -/** - * Private data of a scheduler_t object. - */ -struct private_scheduler_t { - /** - * Public part of a scheduler_t object. - */ - scheduler_t public; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; -}; - -/** - * Implementation of private_scheduler_t.get_events. - */ -static void get_events(private_scheduler_t * this) -{ - job_t *current_job; - - /* cancellation disabled by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - - DBG1(DBG_JOB, "scheduler thread running, thread_ID: %06u", - (int)pthread_self()); - - while (TRUE) - { - DBG2(DBG_JOB, "waiting for next event..."); - /* get a job, this block until one is available */ - current_job = charon->event_queue->get(charon->event_queue); - /* queue the job in the job queue, workers will eat them */ - DBG2(DBG_JOB, "got event, adding job %N to job-queue", - job_type_names, current_job->get_type(current_job)); - charon->job_queue->add(charon->job_queue, current_job); - } -} - -/** - * Implementation of scheduler_t.destroy. - */ -static void destroy(private_scheduler_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - free(this); -} - -/* - * Described in header. - */ -scheduler_t * scheduler_create() -{ - private_scheduler_t *this = malloc_thing(private_scheduler_t); - - this->public.destroy = (void(*)(scheduler_t*)) destroy; - - if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))get_events, this) != 0) - { - /* thread could not be created */ - free(this); - charon->kill(charon, "unable to create scheduler thread"); - } - - return &(this->public); -} diff --git a/src/charon/threads/scheduler.h b/src/charon/threads/scheduler.h deleted file mode 100644 index daecce3c6..000000000 --- a/src/charon/threads/scheduler.h +++ /dev/null @@ -1,68 +0,0 @@ -/** - * @file scheduler.h - * - * @brief Interface of scheduler_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SCHEDULER_H_ -#define SCHEDULER_H_ - -typedef struct scheduler_t scheduler_t; - -#include <library.h> - -/** - * @brief The scheduler thread is responsible for timed events. - * - * The scheduler thread takes out jobs from the event-queue and adds them - * to the job-queue. - * - * Starts a thread which does the work, since event-queue is blocking. - * - * @b Constructors: - * - scheduler_create() - * - * @ingroup threads - */ -struct scheduler_t { - - /** - * @brief Destroys a scheduler object. - * - * @param scheduler calling object - */ - void (*destroy) (scheduler_t *scheduler); -}; - -/** - * @brief Create a scheduler with its associated thread. - * - * The thread will start to get jobs form the event queue - * and adds them to the job queue. - * - * @return - * - scheduler_t object - * - NULL if thread could not be started - * - * @ingroup threads - */ -scheduler_t * scheduler_create(void); - -#endif /*SCHEDULER_H_*/ diff --git a/src/charon/threads/sender.c b/src/charon/threads/sender.c deleted file mode 100644 index c1cd0a68c..000000000 --- a/src/charon/threads/sender.c +++ /dev/null @@ -1,149 +0,0 @@ -/** - * @file sender.c - * - * @brief Implementation of sender_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <pthread.h> - -#include "sender.h" - -#include <daemon.h> -#include <network/socket.h> - - -typedef struct private_sender_t private_sender_t; - -/** - * Private data of a sender_t object. - */ -struct private_sender_t { - /** - * Public part of a sender_t object. - */ - sender_t public; - - /** - * Assigned thread. - */ - pthread_t assigned_thread; - - /** - * The packets are stored in a linked list - */ - linked_list_t *list; - - /** - * mutex to synchronize access to list - */ - pthread_mutex_t mutex; - - /** - * condvar to signal for packets in list - */ - pthread_cond_t condvar; -}; - -/** - * implements sender_t.send - */ -static void send_(private_sender_t *this, packet_t *packet) -{ - host_t *src, *dst; - - src = packet->get_source(packet); - dst = packet->get_destination(packet); - DBG1(DBG_NET, "sending packet: from %#H to %#H", src, dst); - - pthread_mutex_lock(&this->mutex); - this->list->insert_last(this->list, packet); - pthread_mutex_unlock(&this->mutex); - pthread_cond_signal(&this->condvar); -} - -/** - * Implementation of private_sender_t.send_packets. - */ -static void send_packets(private_sender_t * this) -{ - - /* cancellation disabled by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - DBG1(DBG_NET, "sender thread running, thread_ID: %06u", (int)pthread_self()); - - while (TRUE) - { - packet_t *packet; - int oldstate; - - pthread_mutex_lock(&this->mutex); - /* go to wait while no packets available */ - while (this->list->get_count(this->list) == 0) - { - /* add cleanup handler, wait for packet, remove cleanup handler */ - pthread_cleanup_push((void(*)(void*))pthread_mutex_unlock, (void*)&this->mutex); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - pthread_cond_wait(&this->condvar, &this->mutex); - - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(0); - } - this->list->remove_first(this->list, (void**)&packet); - pthread_mutex_unlock(&this->mutex); - - charon->socket->send(charon->socket, packet); - packet->destroy(packet); - } -} - -/** - * Implementation of sender_t.destroy. - */ -static void destroy(private_sender_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - this->list->destroy_offset(this->list, offsetof(packet_t, destroy)); - free(this); -} - -/* - * Described in header. - */ -sender_t * sender_create() -{ - private_sender_t *this = malloc_thing(private_sender_t); - - this->public.send = (void(*)(sender_t*,packet_t*))send_; - this->public.destroy = (void(*)(sender_t*)) destroy; - - this->list = linked_list_create(); - pthread_mutex_init(&this->mutex, NULL); - pthread_cond_init(&this->condvar, NULL); - - if (pthread_create(&this->assigned_thread, NULL, - (void*)send_packets, this) != 0) - { - charon->kill(charon, "unable to create sender thread"); - } - - return &(this->public); -} diff --git a/src/charon/threads/sender.h b/src/charon/threads/sender.h deleted file mode 100644 index 4f42f6f9e..000000000 --- a/src/charon/threads/sender.h +++ /dev/null @@ -1,74 +0,0 @@ -/** - * @file sender.h - * - * @brief Interface of sender_t. - * - */ - -/* - * Copyright (C) 2005-2007 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef SENDER_H_ -#define SENDER_H_ - -typedef struct sender_t sender_t; - -#include <library.h> -#include <network/packet.h> - -/** - * @brief Thread responsible for sending packets over the socket. - * - * @b Constructors: - * - sender_create() - * - * @ingroup threads - */ -struct sender_t { - - /** - * @brief Send a packet over the network. - * - * This function is non blocking and adds the packet to a queue. - * Whenever the sender thread things it's good to send the packet, - * it'll do so. - * - * @param this calling object - * @param packet packet to send - */ - void (*send) (sender_t *this, packet_t *packet); - - /** - * @brief Destroys a sender object. - * - * @param this calling object - */ - void (*destroy) (sender_t *this); -}; - -/** - * @brief Create the sender thread. - * - * The thread will start to work, getting packets - * from its queue and sends them out. - * - * @return created sender object - * - * @ingroup threads - */ -sender_t * sender_create(void); - -#endif /*SENDER_H_*/ diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c deleted file mode 100755 index a9074debb..000000000 --- a/src/charon/threads/stroke_interface.c +++ /dev/null @@ -1,1456 +0,0 @@ -/** - * @file stroke.c - * - * @brief Implementation of stroke_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <sys/types.h> -#include <sys/stat.h> -#include <sys/socket.h> -#include <sys/un.h> -#include <sys/fcntl.h> -#include <unistd.h> -#include <dirent.h> -#include <errno.h> -#include <pthread.h> -#include <signal.h> - -#include "stroke_interface.h" - -#include <library.h> -#include <stroke.h> -#include <daemon.h> -#include <crypto/x509.h> -#include <crypto/ca.h> -#include <crypto/crl.h> -#include <queues/jobs/initiate_job.h> -#include <queues/jobs/route_job.h> -#include <utils/leak_detective.h> - -#define IKE_PORT 500 -#define PATH_BUF 256 - - -struct sockaddr_un socket_addr = { AF_UNIX, STROKE_SOCKET}; - - -typedef struct private_stroke_t private_stroke_t; - -/** - * Private data of an stroke_t object. - */ -struct private_stroke_t { - - /** - * Public part of stroke_t object. - */ - stroke_t public; - - /** - * Output stream (stroke console) - */ - FILE *out; - - /** - * Unix socket to listen for strokes - */ - int socket; - - /** - * Thread which reads from the Socket - */ - pthread_t assigned_thread; -}; - -/** - * Helper function which corrects the string pointers - * in a stroke_msg_t. Strings in a stroke_msg sent over "wire" - * contains RELATIVE addresses (relative to the beginning of the - * stroke_msg). They must be corrected if they reach our address - * space... - */ -static void pop_string(stroke_msg_t *msg, char **string) -{ - if (*string == NULL) - return; - - /* check for sanity of string pointer and string */ - if (string < (char**)msg - || string > (char**)msg + sizeof(stroke_msg_t) - || (unsigned long)*string < (unsigned long)((char*)msg->buffer - (char*)msg) - || (unsigned long)*string > msg->length) - { - *string = "(invalid pointer in stroke msg)"; - } - else - { - *string = (char*)msg + (unsigned long)*string; - } -} - -/** - * Load end entitity certificate - */ -static x509_t* load_end_certificate(const char *filename, identification_t **idp) -{ - char path[PATH_BUF]; - x509_t *cert; - - if (*filename == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%s", filename); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%s", CERTIFICATE_DIR, filename); - } - - cert = x509_create_from_file(path, "end entity"); - - if (cert) - { - identification_t *id = *idp; - identification_t *subject = cert->get_subject(cert); - - err_t ugh = cert->is_valid(cert, NULL); - - if (ugh != NULL) - { - DBG1(DBG_CFG, "warning: certificate %s", ugh); - } - if (!id->equals(id, subject) && !cert->equals_subjectAltName(cert, id)) - { - id->destroy(id); - id = subject; - *idp = id->clone(id); - } - return charon->credentials->add_end_certificate(charon->credentials, cert); - } - return NULL; -} - -/** - * Load ca certificate - */ -static x509_t* load_ca_certificate(const char *filename) -{ - char path[PATH_BUF]; - x509_t *cert; - - if (*filename == '/') - { - /* absolute path name */ - snprintf(path, sizeof(path), "%s", filename); - } - else - { - /* relative path name */ - snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); - } - - cert = x509_create_from_file(path, "ca"); - - if (cert) - { - if (cert->is_ca(cert)) - { - return charon->credentials->add_auth_certificate(charon->credentials, cert, AUTH_CA); - } - else - { - DBG1(DBG_CFG, " CA basic constraints flag not set, cert discarded"); - cert->destroy(cert); - } - } - return NULL; -} - -/** - * Add a connection to the configuration list - */ -static void stroke_add_conn(stroke_msg_t *msg, FILE *out) -{ - connection_t *connection; - policy_t *policy; - identification_t *my_id, *other_id; - identification_t *my_ca = NULL; - identification_t *other_ca = NULL; - bool my_ca_same = FALSE; - bool other_ca_same =FALSE; - host_t *my_host, *other_host, *my_subnet, *other_subnet; - host_t *my_vip = NULL, *other_vip = NULL; - proposal_t *proposal; - traffic_selector_t *my_ts, *other_ts; - char *interface; - - pop_string(msg, &msg->add_conn.name); - pop_string(msg, &msg->add_conn.me.address); - pop_string(msg, &msg->add_conn.other.address); - pop_string(msg, &msg->add_conn.me.subnet); - pop_string(msg, &msg->add_conn.other.subnet); - pop_string(msg, &msg->add_conn.me.sourceip); - pop_string(msg, &msg->add_conn.other.sourceip); - pop_string(msg, &msg->add_conn.me.id); - pop_string(msg, &msg->add_conn.other.id); - pop_string(msg, &msg->add_conn.me.cert); - pop_string(msg, &msg->add_conn.other.cert); - pop_string(msg, &msg->add_conn.me.ca); - pop_string(msg, &msg->add_conn.other.ca); - pop_string(msg, &msg->add_conn.me.updown); - pop_string(msg, &msg->add_conn.other.updown); - pop_string(msg, &msg->add_conn.algorithms.ike); - pop_string(msg, &msg->add_conn.algorithms.esp); - - DBG1(DBG_CFG, "received stroke: add connection '%s'", msg->add_conn.name); - - DBG2(DBG_CFG, "conn %s", msg->add_conn.name); - DBG2(DBG_CFG, " left=%s", msg->add_conn.me.address); - DBG2(DBG_CFG, " right=%s", msg->add_conn.other.address); - DBG2(DBG_CFG, " leftsubnet=%s", msg->add_conn.me.subnet); - DBG2(DBG_CFG, " rightsubnet=%s", msg->add_conn.other.subnet); - DBG2(DBG_CFG, " leftsourceip=%s", msg->add_conn.me.sourceip); - DBG2(DBG_CFG, " rightsourceip=%s", msg->add_conn.other.sourceip); - DBG2(DBG_CFG, " leftid=%s", msg->add_conn.me.id); - DBG2(DBG_CFG, " rightid=%s", msg->add_conn.other.id); - DBG2(DBG_CFG, " leftcert=%s", msg->add_conn.me.cert); - DBG2(DBG_CFG, " rightcert=%s", msg->add_conn.other.cert); - DBG2(DBG_CFG, " leftca=%s", msg->add_conn.me.ca); - DBG2(DBG_CFG, " rightca=%s", msg->add_conn.other.ca); - DBG2(DBG_CFG, " ike=%s", msg->add_conn.algorithms.ike); - DBG2(DBG_CFG, " esp=%s", msg->add_conn.algorithms.esp); - - my_host = msg->add_conn.me.address? - host_create_from_string(msg->add_conn.me.address, IKE_PORT) : NULL; - if (my_host == NULL) - { - DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.me.address); - return; - } - - other_host = msg->add_conn.other.address ? - host_create_from_string(msg->add_conn.other.address, IKE_PORT) : NULL; - if (other_host == NULL) - { - DBG1(DBG_CFG, "invalid host: %s\n", msg->add_conn.other.address); - my_host->destroy(my_host); - return; - } - - interface = charon->kernel_interface->get_interface(charon->kernel_interface, - other_host); - if (interface) - { - stroke_end_t tmp_end; - host_t *tmp_host; - - DBG2(DBG_CFG, "left is other host, swapping ends\n"); - - tmp_host = my_host; - my_host = other_host; - other_host = tmp_host; - - tmp_end = msg->add_conn.me; - msg->add_conn.me = msg->add_conn.other; - msg->add_conn.other = tmp_end; - free(interface); - } - if (!interface) - { - interface = charon->kernel_interface->get_interface( - charon->kernel_interface, my_host); - if (!interface) - { - DBG1(DBG_CFG, "left nor right host is our side, aborting\n"); - goto destroy_hosts; - } - free(interface); - } - - my_id = identification_create_from_string(msg->add_conn.me.id ? - msg->add_conn.me.id : msg->add_conn.me.address); - if (my_id == NULL) - { - DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.me.id); - goto destroy_hosts; - } - - other_id = identification_create_from_string(msg->add_conn.other.id ? - msg->add_conn.other.id : msg->add_conn.other.address); - if (other_id == NULL) - { - DBG1(DBG_CFG, "invalid ID: %s\n", msg->add_conn.other.id); - my_id->destroy(my_id); - goto destroy_hosts; - } - - my_subnet = host_create_from_string(msg->add_conn.me.subnet ? - msg->add_conn.me.subnet : msg->add_conn.me.address, IKE_PORT); - if (my_subnet == NULL) - { - DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); - goto destroy_ids; - } - - other_subnet = host_create_from_string(msg->add_conn.other.subnet ? - msg->add_conn.other.subnet : msg->add_conn.other.address, IKE_PORT); - if (other_subnet == NULL) - { - DBG1(DBG_CFG, "invalid subnet: %s\n", msg->add_conn.me.subnet); - my_subnet->destroy(my_subnet); - goto destroy_ids; - } - - if (msg->add_conn.me.virtual_ip) - { - my_vip = host_create_from_string(msg->add_conn.me.sourceip, 0); - } - other_vip = host_create_from_string(msg->add_conn.other.sourceip, 0); - - if (msg->add_conn.me.tohost) - { - my_ts = traffic_selector_create_dynamic(msg->add_conn.me.protocol, - my_host->get_family(my_host) == AF_INET ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, - msg->add_conn.me.port ? msg->add_conn.me.port : 0, - msg->add_conn.me.port ? msg->add_conn.me.port : 65535); - } - else - { - my_ts = traffic_selector_create_from_subnet(my_subnet, - msg->add_conn.me.subnet ? msg->add_conn.me.subnet_mask : 0, - msg->add_conn.me.protocol, msg->add_conn.me.port); - } - my_subnet->destroy(my_subnet); - - if (msg->add_conn.other.tohost) - { - other_ts = traffic_selector_create_dynamic(msg->add_conn.other.protocol, - other_host->get_family(other_host) == AF_INET ? - TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE, - msg->add_conn.other.port ? msg->add_conn.other.port : 0, - msg->add_conn.other.port ? msg->add_conn.other.port : 65535); - } - else - { - other_ts = traffic_selector_create_from_subnet(other_subnet, - msg->add_conn.other.subnet ? msg->add_conn.other.subnet_mask : 0, - msg->add_conn.other.protocol, msg->add_conn.other.port); - } - other_subnet->destroy(other_subnet); - - if (msg->add_conn.me.ca) - { - if (streq(msg->add_conn.me.ca, "%same")) - { - my_ca_same = TRUE; - } - else - { - my_ca = identification_create_from_string(msg->add_conn.me.ca); - } - } - if (msg->add_conn.other.ca) - { - if (streq(msg->add_conn.other.ca, "%same")) - { - other_ca_same = TRUE; - } - else - { - other_ca = identification_create_from_string(msg->add_conn.other.ca); - } - } - if (msg->add_conn.me.cert) - { - x509_t *cert = load_end_certificate(msg->add_conn.me.cert, &my_id); - - if (my_ca == NULL && !my_ca_same && cert) - { - identification_t *issuer = cert->get_issuer(cert); - - my_ca = issuer->clone(issuer); - } - } - if (msg->add_conn.other.cert) - { - x509_t *cert = load_end_certificate(msg->add_conn.other.cert, &other_id); - - if (other_ca == NULL && !other_ca_same && cert) - { - identification_t *issuer = cert->get_issuer(cert); - - other_ca = issuer->clone(issuer); - } - } - if (other_ca_same && my_ca) - { - other_ca = my_ca->clone(my_ca); - } - else if (my_ca_same && other_ca) - { - my_ca = other_ca->clone(other_ca); - } - if (my_ca == NULL) - { - my_ca = identification_create_from_string("%any"); - } - if (other_ca == NULL) - { - other_ca = identification_create_from_string("%any"); - } - DBG2(DBG_CFG, " my ca: '%D'", my_ca); - DBG2(DBG_CFG, " other ca:'%D'", other_ca); - DBG2(DBG_CFG, " updown: '%s'", msg->add_conn.me.updown); - - connection = connection_create(msg->add_conn.name, - msg->add_conn.ikev2, - msg->add_conn.me.sendcert, - msg->add_conn.other.sendcert, - my_host, other_host, - msg->add_conn.dpd.delay, - msg->add_conn.rekey.reauth, - msg->add_conn.rekey.tries, - msg->add_conn.rekey.ike_lifetime, - msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin, - msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100); - - if (msg->add_conn.algorithms.ike) - { - char *proposal_string; - char *strict = msg->add_conn.algorithms.ike + strlen(msg->add_conn.algorithms.ike) - 1; - - if (*strict == '!') - *strict = '\0'; - else - strict = NULL; - - while ((proposal_string = strsep(&msg->add_conn.algorithms.ike, ","))) - { - proposal = proposal_create_from_string(PROTO_IKE, proposal_string); - if (proposal == NULL) - { - DBG1(DBG_CFG, "invalid IKE proposal string: %s", proposal_string); - my_id->destroy(my_id); - other_id->destroy(other_id); - my_ts->destroy(my_ts); - other_ts->destroy(other_ts); - my_ca->destroy(my_ca); - other_ca->destroy(other_ca); - connection->destroy(connection); - return; - } - connection->add_proposal(connection, proposal); - } - if (!strict) - { - proposal = proposal_create_default(PROTO_IKE); - connection->add_proposal(connection, proposal); - } - } - else - { - proposal = proposal_create_default(PROTO_IKE); - connection->add_proposal(connection, proposal); - } - - policy = policy_create(msg->add_conn.name, my_id, other_id, my_vip, other_vip, - msg->add_conn.auth_method, msg->add_conn.eap_type, - msg->add_conn.rekey.ipsec_lifetime, - msg->add_conn.rekey.ipsec_lifetime - msg->add_conn.rekey.margin, - msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100, - msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, msg->add_conn.dpd.action); - policy->add_my_traffic_selector(policy, my_ts); - policy->add_other_traffic_selector(policy, other_ts); - policy->add_authorities(policy, my_ca, other_ca); - - if (msg->add_conn.algorithms.esp) - { - char *proposal_string; - char *strict = msg->add_conn.algorithms.esp + strlen(msg->add_conn.algorithms.esp) - 1; - - if (*strict == '!') - *strict = '\0'; - else - strict = NULL; - - while ((proposal_string = strsep(&msg->add_conn.algorithms.esp, ","))) - { - proposal = proposal_create_from_string(PROTO_ESP, proposal_string); - if (proposal == NULL) - { - DBG1(DBG_CFG, "invalid ESP proposal string: %s", proposal_string); - policy->destroy(policy); - connection->destroy(connection); - return; - } - policy->add_proposal(policy, proposal); - } - if (!strict) - { - proposal = proposal_create_default(PROTO_ESP); - policy->add_proposal(policy, proposal); - } - } - else - { - proposal = proposal_create_default(PROTO_ESP); - policy->add_proposal(policy, proposal); - } - - /* add to global connection list */ - charon->connections->add_connection(charon->connections, connection); - DBG1(DBG_CFG, "added connection '%s': %H[%D]...%H[%D]", - msg->add_conn.name, my_host, my_id, other_host, other_id); - /* add to global policy list */ - charon->policies->add_policy(charon->policies, policy); - - return; - - /* mopping up after parsing errors */ - -destroy_ids: - my_id->destroy(my_id); - other_id->destroy(other_id); - -destroy_hosts: - my_host->destroy(my_host); - other_host->destroy(other_host); -} - -/** - * Delete a connection from the list - */ -static void stroke_del_conn(stroke_msg_t *msg, FILE *out) -{ - status_t status; - - pop_string(msg, &(msg->del_conn.name)); - DBG1(DBG_CFG, "received stroke: delete connection '%s'", msg->del_conn.name); - - status = charon->connections->delete_connection(charon->connections, - msg->del_conn.name); - charon->policies->delete_policy(charon->policies, msg->del_conn.name); - if (status == SUCCESS) - { - fprintf(out, "deleted connection '%s'\n", msg->del_conn.name); - } - else - { - fprintf(out, "no connection named '%s'\n", msg->del_conn.name); - } -} - -/** - * initiate a connection by name - */ -static void stroke_initiate(stroke_msg_t *msg, FILE *out) -{ - initiate_job_t *job; - connection_t *connection; - policy_t *policy; - ike_sa_t *init_ike_sa = NULL; - signal_t signal; - - pop_string(msg, &(msg->initiate.name)); - DBG1(DBG_CFG, "received stroke: initiate '%s'", msg->initiate.name); - - connection = charon->connections->get_connection_by_name(charon->connections, - msg->initiate.name); - if (connection == NULL) - { - if (msg->output_verbosity >= 0) - { - fprintf(out, "no connection named '%s'\n", msg->initiate.name); - } - return; - } - if (!connection->is_ikev2(connection)) - { - connection->destroy(connection); - return; - } - - policy = charon->policies->get_policy_by_name(charon->policies, - msg->initiate.name); - if (policy == NULL) - { - if (msg->output_verbosity >= 0) - { - fprintf(out, "no policy named '%s'\n", msg->initiate.name); - } - connection->destroy(connection); - return; - } - - job = initiate_job_create(connection, policy); - charon->bus->set_listen_state(charon->bus, TRUE); - charon->job_queue->add(charon->job_queue, (job_t*)job); - while (TRUE) - { - level_t level; - int thread; - ike_sa_t *ike_sa; - char* format; - va_list args; - - signal = charon->bus->listen(charon->bus, &level, &thread, &ike_sa, &format, &args); - - if ((init_ike_sa == NULL || ike_sa == init_ike_sa) && - level <= msg->output_verbosity) - { - if (vfprintf(out, format, args) < 0 || - fprintf(out, "\n") < 0 || - fflush(out)) - { - charon->bus->set_listen_state(charon->bus, FALSE); - break; - } - } - - switch (signal) - { - case CHILD_UP_SUCCESS: - case CHILD_UP_FAILED: - case IKE_UP_FAILED: - if (ike_sa == init_ike_sa) - { - charon->bus->set_listen_state(charon->bus, FALSE); - return; - } - continue; - case CHILD_UP_START: - case IKE_UP_START: - if (init_ike_sa == NULL) - { - init_ike_sa = ike_sa; - } - continue; - default: - continue; - } - } -} - -/** - * route/unroute a policy (install SPD entries) - */ -static void stroke_route(stroke_msg_t *msg, FILE *out, bool route) -{ - route_job_t *job; - connection_t *connection; - policy_t *policy; - - pop_string(msg, &(msg->route.name)); - DBG1(DBG_CFG, "received stroke: %s '%s'", - route ? "route" : "unroute", msg->route.name); - - /* we wouldn't need a connection, but we only want to route policies - * whose connections are keyexchange=ikev2. */ - connection = charon->connections->get_connection_by_name(charon->connections, - msg->route.name); - if (connection == NULL) - { - fprintf(out, "no connection named '%s'\n", msg->route.name); - return; - } - if (!connection->is_ikev2(connection)) - { - connection->destroy(connection); - return; - } - - policy = charon->policies->get_policy_by_name(charon->policies, - msg->route.name); - if (policy == NULL) - { - fprintf(out, "no policy named '%s'\n", msg->route.name); - connection->destroy(connection); - return; - } - fprintf(out, "%s policy '%s'\n", - route ? "routing" : "unrouting", msg->route.name); - job = route_job_create(connection, policy, route); - charon->job_queue->add(charon->job_queue, (job_t*)job); -} - -/** - * terminate a connection by name - */ -static void stroke_terminate(stroke_msg_t *msg, FILE *out) -{ - char *string, *pos = NULL, *name = NULL; - u_int32_t id = 0; - bool child; - int len; - status_t status = SUCCESS;; - ike_sa_t *ike_sa; - - pop_string(msg, &(msg->terminate.name)); - string = msg->terminate.name; - DBG1(DBG_CFG, "received stroke: terminate '%s'", string); - - len = strlen(string); - if (len < 1) - { - DBG1(DBG_CFG, "error parsing string"); - return; - } - switch (string[len-1]) - { - case '}': - child = TRUE; - pos = strchr(string, '{'); - break; - case ']': - child = FALSE; - pos = strchr(string, '['); - break; - default: - name = string; - child = FALSE; - break; - } - - if (name) - { /* must be a single name */ - DBG1(DBG_CFG, "check out by single name '%s'", name); - ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, - name, child); - } - else if (pos == string + len - 2) - { /* must be name[] or name{} */ - string[len-2] = '\0'; - DBG1(DBG_CFG, "check out by name '%s'", string); - ike_sa = charon->ike_sa_manager->checkout_by_name(charon->ike_sa_manager, - string, child); - } - else - { /* must be name[123] or name{23} */ - string[len-1] = '\0'; - id = atoi(pos + 1); - if (id == 0) - { - DBG1(DBG_CFG, "error parsing string"); - return; - } - DBG1(DBG_CFG, "check out by id '%d'", id); - ike_sa = charon->ike_sa_manager->checkout_by_id(charon->ike_sa_manager, - id, child); - } - if (ike_sa == NULL) - { - DBG1(DBG_CFG, "no such IKE_SA found"); - return; - } - - if (!child) - { - status = ike_sa->delete(ike_sa); - } - else - { - child_sa_t *child_sa; - iterator_t *iterator = ike_sa->create_child_sa_iterator(ike_sa); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - if ((id && id == child_sa->get_reqid(child_sa)) || - (string && streq(string, child_sa->get_name(child_sa)))) - { - u_int32_t spi = child_sa->get_spi(child_sa, TRUE); - protocol_id_t proto = child_sa->get_protocol(child_sa); - - status = ike_sa->delete_child_sa(ike_sa, proto, spi); - break; - } - } - iterator->destroy(iterator); - } - if (status == DESTROY_ME) - { - charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, - ike_sa); - return; - } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); -} - -/** - * Add a ca information record to the cainfo list - */ -static void stroke_add_ca(stroke_msg_t *msg, FILE *out) -{ - x509_t *cacert; - ca_info_t *ca_info; - - pop_string(msg, &msg->add_ca.name); - pop_string(msg, &msg->add_ca.cacert); - pop_string(msg, &msg->add_ca.crluri); - pop_string(msg, &msg->add_ca.crluri2); - pop_string(msg, &msg->add_ca.ocspuri); - pop_string(msg, &msg->add_ca.ocspuri2); - - DBG1(DBG_CFG, "received stroke: add ca '%s'", msg->add_ca.name); - - DBG2(DBG_CFG, "ca %s", msg->add_ca.name); - DBG2(DBG_CFG, " cacert=%s", msg->add_ca.cacert); - DBG2(DBG_CFG, " crluri=%s", msg->add_ca.crluri); - DBG2(DBG_CFG, " crluri2=%s", msg->add_ca.crluri2); - DBG2(DBG_CFG, " ocspuri=%s", msg->add_ca.ocspuri); - DBG2(DBG_CFG, " ocspuri2=%s", msg->add_ca.ocspuri2); - - if (msg->add_ca.cacert == NULL) - { - DBG1(DBG_CFG, "missing cacert parameter\n"); - return; - } - - cacert = load_ca_certificate(msg->add_ca.cacert); - - if (cacert == NULL) - { - return; - } - ca_info = ca_info_create(msg->add_ca.name, cacert); - - if (msg->add_ca.crluri) - { - chunk_t uri = { msg->add_ca.crluri, strlen(msg->add_ca.crluri) }; - - ca_info->add_crluri(ca_info, uri); - } - if (msg->add_ca.crluri2) - { - chunk_t uri = { msg->add_ca.crluri2, strlen(msg->add_ca.crluri2) }; - - ca_info->add_crluri(ca_info, uri); - } - if (msg->add_ca.ocspuri) - { - chunk_t uri = { msg->add_ca.ocspuri, strlen(msg->add_ca.ocspuri) }; - - ca_info->add_ocspuri(ca_info, uri); - } - if (msg->add_ca.ocspuri2) - { - chunk_t uri = { msg->add_ca.ocspuri2, strlen(msg->add_ca.ocspuri2) }; - - ca_info->add_ocspuri(ca_info, uri); - } - charon->credentials->add_ca_info(charon->credentials, ca_info); - DBG1(DBG_CFG, "added ca '%s'", msg->add_ca.name); - -} - -/** - * Delete a ca information record from the cainfo list - */ -static void stroke_del_ca(stroke_msg_t *msg, FILE *out) -{ - status_t status; - - pop_string(msg, &(msg->del_ca.name)); - DBG1(DBG_CFG, "received stroke: delete ca '%s'", msg->del_ca.name); - - status = charon->credentials->release_ca_info(charon->credentials, - msg->del_ca.name); - - if (status == SUCCESS) - { - fprintf(out, "deleted ca '%s'\n", msg->del_ca.name); - } - else - { - fprintf(out, "no ca named '%s'\n", msg->del_ca.name); - } -} - -/** - * show status of daemon - */ -static void stroke_statusall(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - linked_list_t *list; - host_t *host; - connection_t *connection; - policy_t *policy; - ike_sa_t *ike_sa; - char *name = NULL; - - leak_detective_status(out); - - fprintf(out, "Performance:\n"); - fprintf(out, " worker threads: %d idle of %d,", - charon->thread_pool->get_idle_threads(charon->thread_pool), - charon->thread_pool->get_pool_size(charon->thread_pool)); - fprintf(out, " job queue load: %d,", - charon->job_queue->get_count(charon->job_queue)); - fprintf(out, " scheduled events: %d\n", - charon->event_queue->get_count(charon->event_queue)); - list = charon->kernel_interface->create_address_list(charon->kernel_interface); - - fprintf(out, "Listening on %d IP addresses:\n", list->get_count(list)); - while (list->remove_first(list, (void**)&host) == SUCCESS) - { - fprintf(out, " %H\n", host); - host->destroy(host); - } - list->destroy(list); - - if (msg->status.name) - { - pop_string(msg, &(msg->status.name)); - name = msg->status.name; - } - - iterator = charon->connections->create_iterator(charon->connections); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Connections:\n"); - } - while (iterator->iterate(iterator, (void**)&connection)) - { - if (connection->is_ikev2(connection) - && (name == NULL || streq(name, connection->get_name(connection)))) - { - fprintf(out, "%12s: %H...%H\n", - connection->get_name(connection), - connection->get_my_host(connection), - connection->get_other_host(connection)); - } - } - iterator->destroy(iterator); - - iterator = charon->policies->create_iterator(charon->policies); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Policies:\n"); - } - while (iterator->iterate(iterator, (void**)&policy)) - { - if (name == NULL || streq(name, policy->get_name(policy))) - { - fprintf(out, "%12s: '%D'...'%D'\n", - policy->get_name(policy), - policy->get_my_id(policy), - policy->get_other_id(policy)); - } - } - iterator->destroy(iterator); - - iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); - if (iterator->get_count(iterator) > 0) - { - fprintf(out, "Security Associations:\n"); - } - while (iterator->iterate(iterator, (void**)&ike_sa)) - { - bool ike_sa_printed = FALSE; - child_sa_t *child_sa; - iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); - - /* print IKE_SA */ - if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0) - { - fprintf(out, "%#K\n", ike_sa); - ike_sa_printed = TRUE; - } - - while (children->iterate(children, (void**)&child_sa)) - { - bool child_sa_match = name == NULL || - strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0; - - /* print IKE_SA if its name differs from the CHILD_SA's name */ - if (!ike_sa_printed && child_sa_match) - { - fprintf(out, "%#K\n", ike_sa); - ike_sa_printed = TRUE; - } - - /* print CHILD_SA */ - if (child_sa_match) - { - fprintf(out, "%#P\n", child_sa); - } - } - children->destroy(children); - } - iterator->destroy(iterator); -} - -/** - * show status of daemon - */ -static void stroke_status(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - ike_sa_t *ike_sa; - char *name = NULL; - - if (msg->status.name) - { - pop_string(msg, &(msg->status.name)); - name = msg->status.name; - } - - iterator = charon->ike_sa_manager->create_iterator(charon->ike_sa_manager); - while (iterator->iterate(iterator, (void**)&ike_sa)) - { - bool ike_sa_printed = FALSE; - child_sa_t *child_sa; - iterator_t *children = ike_sa->create_child_sa_iterator(ike_sa); - - /* print IKE_SA */ - if (name == NULL || strncmp(name, ike_sa->get_name(ike_sa), strlen(name)) == 0) - { - fprintf(out, "%K\n", ike_sa); - ike_sa_printed = TRUE; - } - - while (children->iterate(children, (void**)&child_sa)) - { - bool child_sa_match = name == NULL || - strncmp(name, child_sa->get_name(child_sa), strlen(name)) == 0; - - /* print IKE_SA if its name differs from the CHILD_SA's name */ - if (!ike_sa_printed && child_sa_match) - { - fprintf(out, "%K\n", ike_sa); - ike_sa_printed = TRUE; - } - - /* print CHILD_SA */ - if (child_sa_match) - { - fprintf(out, "%P\n", child_sa); - } - } - children->destroy(children); - } - iterator->destroy(iterator); -} - -/** - * list all authority certificates matching a specified flag - */ -static void list_auth_certificates(u_int flag, const char *label, bool utc, FILE *out) -{ - bool first = TRUE; - x509_t *cert; - - iterator_t *iterator = charon->credentials->create_auth_cert_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void**)&cert)) - { - if (cert->has_authority_flag(cert, flag)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 %s Certificates:\n", label); - fprintf(out, "\n"); - first = FALSE; - } - fprintf(out, "%#Q\n", cert, utc); - } - } - iterator->destroy(iterator); -} - -/** - * list various information - */ -static void stroke_list(stroke_msg_t *msg, FILE *out) -{ - iterator_t *iterator; - - if (msg->list.flags & LIST_CERTS) - { - x509_t *cert; - - iterator = charon->credentials->create_cert_iterator(charon->credentials); - if (iterator->get_count(iterator)) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 End Entity Certificates:\n"); - fprintf(out, "\n"); - } - while (iterator->iterate(iterator, (void**)&cert)) - { - fprintf(out, "%#Q", cert, msg->list.utc); - if (charon->credentials->has_rsa_private_key( - charon->credentials, cert->get_public_key(cert))) - { - fprintf(out, ", has private key"); - } - fprintf(out, "\n"); - - } - iterator->destroy(iterator); - } - if (msg->list.flags & LIST_CACERTS) - { - list_auth_certificates(AUTH_CA, "CA", msg->list.utc, out); - } - if (msg->list.flags & LIST_CAINFOS) - { - ca_info_t *ca_info; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - if (iterator->get_count(iterator)) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CA Information Records:\n"); - fprintf(out, "\n"); - } - while (iterator->iterate(iterator, (void**)&ca_info)) - { - fprintf(out, "%#W", ca_info, msg->list.utc); - } - iterator->destroy(iterator); - } - if (msg->list.flags & LIST_CRLS) - { - ca_info_t *ca_info; - bool first = TRUE; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void **)&ca_info)) - { - if (ca_info->has_crl(ca_info)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of X.509 CRLs:\n"); - fprintf(out, "\n"); - first = FALSE; - } - ca_info->list_crl(ca_info, out, msg->list.utc); - } - } - iterator->destroy(iterator); - } - if (msg->list.flags & LIST_OCSPCERTS) - { - list_auth_certificates(AUTH_OCSP, "OCSP", msg->list.utc, out); - } - if (msg->list.flags & LIST_OCSP) - { - ca_info_t *ca_info; - bool first = TRUE; - - iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - - while (iterator->iterate(iterator, (void **)&ca_info)) - { - if (ca_info->has_certinfos(ca_info)) - { - if (first) - { - fprintf(out, "\n"); - fprintf(out, "List of OCSP responses:\n"); - first = FALSE; - } - fprintf(out, "\n"); - ca_info->list_certinfos(ca_info, out, msg->list.utc); - } - } - iterator->destroy(iterator); - } -} - -/** - * reread various information - */ -static void stroke_reread(stroke_msg_t *msg, FILE *out) -{ - if (msg->reread.flags & REREAD_CACERTS) - { - charon->credentials->load_ca_certificates(charon->credentials); - } - if (msg->reread.flags & REREAD_OCSPCERTS) - { - charon->credentials->load_ocsp_certificates(charon->credentials); - } - if (msg->reread.flags & REREAD_CRLS) - { - charon->credentials->load_crls(charon->credentials); - } -} - -/** - * purge various information - */ -static void stroke_purge(stroke_msg_t *msg, FILE *out) -{ - if (msg->purge.flags & PURGE_OCSP) - { - iterator_t *iterator = charon->credentials->create_cainfo_iterator(charon->credentials); - ca_info_t *ca_info; - - while (iterator->iterate(iterator, (void**)&ca_info)) - { - ca_info->purge_ocsp(ca_info); - } - iterator->destroy(iterator); - } -} - -signal_t get_signal_from_logtype(char *type) -{ - if (strcasecmp(type, "any") == 0) return SIG_ANY; - else if (strcasecmp(type, "mgr") == 0) return DBG_MGR; - else if (strcasecmp(type, "ike") == 0) return DBG_IKE; - else if (strcasecmp(type, "chd") == 0) return DBG_CHD; - else if (strcasecmp(type, "job") == 0) return DBG_JOB; - else if (strcasecmp(type, "cfg") == 0) return DBG_CFG; - else if (strcasecmp(type, "knl") == 0) return DBG_KNL; - else if (strcasecmp(type, "net") == 0) return DBG_NET; - else if (strcasecmp(type, "enc") == 0) return DBG_ENC; - else if (strcasecmp(type, "lib") == 0) return DBG_LIB; - else return -1; -} - -/** - * set the verbosity debug output - */ -static void stroke_loglevel(stroke_msg_t *msg, FILE *out) -{ - signal_t signal; - - pop_string(msg, &(msg->loglevel.type)); - DBG1(DBG_CFG, "received stroke: loglevel %d for %s", - msg->loglevel.level, msg->loglevel.type); - - signal = get_signal_from_logtype(msg->loglevel.type); - if (signal < 0) - { - fprintf(out, "invalid type (%s)!\n", msg->loglevel.type); - return; - } - - charon->outlog->set_level(charon->outlog, signal, msg->loglevel.level); - charon->syslog->set_level(charon->syslog, signal, msg->loglevel.level); -} - -/** - * process a stroke request from the socket pointed by "fd" - */ -static void stroke_process(int *fd) -{ - stroke_msg_t *msg; - u_int16_t msg_length; - ssize_t bytes_read; - FILE *out; - int strokefd = *fd; - - /* peek the length */ - bytes_read = recv(strokefd, &msg_length, sizeof(msg_length), MSG_PEEK); - if (bytes_read != sizeof(msg_length)) - { - DBG1(DBG_CFG, "reading length of stroke message failed"); - close(strokefd); - return; - } - - /* read message */ - msg = malloc(msg_length); - bytes_read = recv(strokefd, msg, msg_length, 0); - if (bytes_read != msg_length) - { - DBG1(DBG_CFG, "reading stroke message failed: %m"); - close(strokefd); - return; - } - - out = fdopen(dup(strokefd), "w"); - if (out == NULL) - { - DBG1(DBG_CFG, "opening stroke output channel failed: %m"); - close(strokefd); - free(msg); - return; - } - - DBG3(DBG_CFG, "stroke message %b", (void*)msg, msg_length); - - switch (msg->type) - { - case STR_INITIATE: - stroke_initiate(msg, out); - break; - case STR_ROUTE: - stroke_route(msg, out, TRUE); - break; - case STR_UNROUTE: - stroke_route(msg, out, FALSE); - break; - case STR_TERMINATE: - stroke_terminate(msg, out); - break; - case STR_STATUS: - stroke_status(msg, out); - break; - case STR_STATUS_ALL: - stroke_statusall(msg, out); - break; - case STR_ADD_CONN: - stroke_add_conn(msg, out); - break; - case STR_DEL_CONN: - stroke_del_conn(msg, out); - break; - case STR_ADD_CA: - stroke_add_ca(msg, out); - break; - case STR_DEL_CA: - stroke_del_ca(msg, out); - break; - case STR_LOGLEVEL: - stroke_loglevel(msg, out); - break; - case STR_LIST: - stroke_list(msg, out); - break; - case STR_REREAD: - stroke_reread(msg, out); - break; - case STR_PURGE: - stroke_purge(msg, out); - break; - default: - DBG1(DBG_CFG, "received unknown stroke"); - } - fclose(out); - close(strokefd); - free(msg); -} - -/** - * Implementation of private_stroke_t.stroke_receive. - */ -static void stroke_receive(private_stroke_t *this) -{ - struct sockaddr_un strokeaddr; - int strokeaddrlen = sizeof(strokeaddr); - int strokefd; - int oldstate; - pthread_t thread; - - /* ignore sigpipe. writing over the pipe back to the console - * only fails if SIGPIPE is ignored. */ - signal(SIGPIPE, SIG_IGN); - - /* disable cancellation by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - - while (TRUE) - { - /* wait for connections, but allow thread to terminate */ - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); - strokefd = accept(this->socket, (struct sockaddr *)&strokeaddr, &strokeaddrlen); - pthread_setcancelstate(oldstate, NULL); - - if (strokefd < 0) - { - DBG1(DBG_CFG, "accepting stroke connection failed: %m"); - continue; - } - - /* handle request asynchronously */ - if (pthread_create(&thread, NULL, (void*(*)(void*))stroke_process, (void*)&strokefd) != 0) - { - DBG1(DBG_CFG, "failed to spawn stroke thread: %m"); - } - /* detach so the thread terminates cleanly */ - pthread_detach(thread); - } -} - -/** - * Implementation of stroke_t.destroy. - */ -static void destroy(private_stroke_t *this) -{ - pthread_cancel(this->assigned_thread); - pthread_join(this->assigned_thread, NULL); - - close(this->socket); - unlink(socket_addr.sun_path); - free(this); -} - -/* - * Described in header-file - */ -stroke_t *stroke_create() -{ - private_stroke_t *this = malloc_thing(private_stroke_t); - mode_t old; - - /* public functions */ - this->public.destroy = (void (*)(stroke_t*))destroy; - - /* set up unix socket */ - this->socket = socket(AF_UNIX, SOCK_STREAM, 0); - if (this->socket == -1) - { - DBG1(DBG_CFG, "could not create whack socket"); - free(this); - return NULL; - } - - old = umask(~S_IRWXU); - if (bind(this->socket, (struct sockaddr *)&socket_addr, sizeof(socket_addr)) < 0) - { - DBG1(DBG_CFG, "could not bind stroke socket: %m"); - close(this->socket); - free(this); - return NULL; - } - umask(old); - - if (listen(this->socket, 0) < 0) - { - DBG1(DBG_CFG, "could not listen on stroke socket: %m"); - close(this->socket); - unlink(socket_addr.sun_path); - free(this); - return NULL; - } - - /* start a thread reading from the socket */ - if (pthread_create(&(this->assigned_thread), NULL, (void*(*)(void*))stroke_receive, this) != 0) - { - DBG1(DBG_CFG, "could not spawn stroke thread"); - close(this->socket); - unlink(socket_addr.sun_path); - free(this); - return NULL; - } - - return (&this->public); -} diff --git a/src/charon/threads/stroke_interface.h b/src/charon/threads/stroke_interface.h deleted file mode 100644 index 0def5167e..000000000 --- a/src/charon/threads/stroke_interface.h +++ /dev/null @@ -1,61 +0,0 @@ -/** - * @file stroke.h - * - * @brief Interface of stroke_t. - * - */ - -/* - * Copyright (C) 2006 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef STROKE_INTERFACE_H_ -#define STROKE_INTERFACE_H_ - -typedef struct stroke_t stroke_t; - -/** - * @brief Stroke is a configuration and control interface which - * allows other processes to modify charons behavior. - * - * stroke_t allows config manipulation (as whack in pluto). - * Messages of type stroke_msg_t's are sent over a unix socket - * (/var/run/charon.ctl). - * - * @b Constructors: - * - stroke_create() - * - * @ingroup threads - */ -struct stroke_t { - - /** - * @brief Destroy a stroke_t instance. - * - * @param this stroke_t objec to destroy - */ - void (*destroy) (stroke_t *this); -}; - - -/** - * @brief Create the stroke interface and listen on the socket. - * - * @return stroke_t object - * - * @ingroup threads - */ -stroke_t *stroke_create(void); - -#endif /* STROKE_INTERFACE_H_ */ diff --git a/src/charon/threads/thread_pool.c b/src/charon/threads/thread_pool.c deleted file mode 100644 index 052b5aab9..000000000 --- a/src/charon/threads/thread_pool.c +++ /dev/null @@ -1,181 +0,0 @@ -/** - * @file thread_pool.c - * - * @brief Implementation of thread_pool_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include <stdlib.h> -#include <pthread.h> -#include <string.h> -#include <errno.h> - -#include "thread_pool.h" - -#include <daemon.h> -#include <queues/job_queue.h> - - -typedef struct private_thread_pool_t private_thread_pool_t; - -/** - * @brief Private data of thread_pool_t class. - */ -struct private_thread_pool_t { - /** - * Public thread_pool_t interface. - */ - thread_pool_t public; - - /** - * Number of running threads. - */ - u_int pool_size; - - /** - * Number of threads waiting for work - */ - u_int idle_threads; - - /** - * Array of thread ids. - */ - pthread_t *threads; -} ; - -/** - * Implementation of private_thread_pool_t.process_jobs. - */ -static void process_jobs(private_thread_pool_t *this) -{ - job_t *job; - status_t status; - - /* cancellation disabled by default */ - pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL); - - DBG1(DBG_JOB, "worker thread running, thread_ID: %06u", - (int)pthread_self()); - - while (TRUE) - { - /* TODO: should be atomic, but is not mission critical */ - this->idle_threads++; - job = charon->job_queue->get(charon->job_queue); - this->idle_threads--; - - status = job->execute(job); - - if (status == DESTROY_ME) - { - job->destroy(job); - } - } -} - -/** - * Implementation of thread_pool_t.get_pool_size. - */ -static u_int get_pool_size(private_thread_pool_t *this) -{ - return this->pool_size; -} - -/** - * Implementation of thread_pool_t.get_idle_threads. - */ -static u_int get_idle_threads(private_thread_pool_t *this) -{ - return this->idle_threads; -} - -/** - * Implementation of thread_pool_t.destroy. - */ -static void destroy(private_thread_pool_t *this) -{ - int current; - /* flag thread for termination */ - for (current = 0; current < this->pool_size; current++) - { - DBG1(DBG_JOB, "cancelling worker thread #%d", current+1); - pthread_cancel(this->threads[current]); - } - - /* wait for all threads */ - for (current = 0; current < this->pool_size; current++) { - if (pthread_join(this->threads[current], NULL) == 0) - { - DBG1(DBG_JOB, "worker thread #%d terminated", current+1); - } - else - { - DBG1(DBG_JOB, "could not terminate worker thread #%d", current+1); - } - } - - /* free mem */ - free(this->threads); - free(this); -} - -/* - * Described in header. - */ -thread_pool_t *thread_pool_create(size_t pool_size) -{ - int current; - private_thread_pool_t *this = malloc_thing(private_thread_pool_t); - - /* fill in public fields */ - this->public.destroy = (void(*)(thread_pool_t*))destroy; - this->public.get_pool_size = (u_int(*)(thread_pool_t*))get_pool_size; - this->public.get_idle_threads = (u_int(*)(thread_pool_t*))get_idle_threads; - - /* initialize member */ - this->pool_size = pool_size; - this->idle_threads = 0; - this->threads = malloc(sizeof(pthread_t) * pool_size); - - /* try to create as many threads as possible, up to pool_size */ - for (current = 0; current < pool_size; current++) - { - if (pthread_create(&(this->threads[current]), NULL, - (void*(*)(void*))process_jobs, this) == 0) - { - DBG1(DBG_JOB, "created worker thread #%d", current+1); - } - else - { - /* creation failed, is it the first one? */ - if (current == 0) - { - free(this->threads); - free(this); - charon->kill(charon, "could not create any worker threads"); - } - /* not all threads could be created, but at least one :-/ */ - DBG1(DBG_JOB, "could only create %d from requested %d threads!", - current, pool_size); - this->pool_size = current; - break; - } - } - return (thread_pool_t*)this; -} diff --git a/src/charon/threads/thread_pool.h b/src/charon/threads/thread_pool.h deleted file mode 100644 index 8e1989bda..000000000 --- a/src/charon/threads/thread_pool.h +++ /dev/null @@ -1,87 +0,0 @@ -/** - * @file thread_pool.h - * - * @brief Interface of thread_pool_t. - * - */ - -/* - * Copyright (C) 2005-2006 Martin Willi - * Copyright (C) 2005 Jan Hutter - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef THREAD_POOL_H_ -#define THREAD_POOL_H_ - -typedef struct thread_pool_t thread_pool_t; - -#include <stdlib.h> - -#include <library.h> - -/** - * @brief A thread_pool consists of a pool of threads processing jobs from the job queue. - * - * Current implementation uses as many threads as specified in constructor. - * A more improved version would dynamically increase thread count if necessary. - * - * @b Constructors: - * - thread_pool_create() - * - * @todo Add support for dynamic thread handling - * - * @ingroup threads - */ -struct thread_pool_t { - - /** - * @brief Return currently instanciated thread count. - * - * @param thread_pool calling object - * @return size of thread pool - */ - u_int (*get_pool_size) (thread_pool_t *thread_pool); - - /** - * @brief Get the number of threads currently waiting for work. - * - * @param thread_pool calling object - * @return number of idle threads - */ - u_int (*get_idle_threads) (thread_pool_t *thread_pool); - - /** - * @brief Destroy a thread_pool_t object. - * - * Sends cancellation request to all threads and AWAITS their termination. - * - * @param thread_pool calling object - */ - void (*destroy) (thread_pool_t *thread_pool); -}; - -/** - * @brief Create the thread pool using using pool_size of threads. - * - * @param pool_size desired pool size - * @return - * - thread_pool_t object if one ore more threads could be started, or - * - NULL if no threads could be created - * - * @ingroup threads - */ -thread_pool_t *thread_pool_create(size_t pool_size); - - -#endif /*THREAD_POOL_H_*/ |