diff options
Diffstat (limited to 'src/libcharon/sa/ike_sa_manager.c')
-rw-r--r-- | src/libcharon/sa/ike_sa_manager.c | 84 |
1 files changed, 69 insertions, 15 deletions
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 37d69874d..4625df5b8 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -394,9 +394,17 @@ struct private_ike_sa_manager_t { rng_t *rng; /** - * Lock to access the RNG instance + * Registered callback for IKE SPIs */ - rwlock_t *rng_lock; + struct { + spi_cb_t cb; + void *data; + } spi_cb; + + /** + * Lock to access the RNG instance and the callback + */ + rwlock_t *spi_lock; /** * reuse existing IKE_SAs in checkout_by_config @@ -971,13 +979,17 @@ static u_int64_t get_spi(private_ike_sa_manager_t *this) { u_int64_t spi; - this->rng_lock->read_lock(this->rng_lock); - if (!this->rng || - !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) + this->spi_lock->read_lock(this->spi_lock); + if (this->spi_cb.cb) + { + spi = this->spi_cb.cb(this->spi_cb.data); + } + else if (!this->rng || + !this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi)) { spi = 0; } - this->rng_lock->unlock(this->rng_lock); + this->spi_lock->unlock(this->spi_lock); return spi; } @@ -1188,11 +1200,15 @@ METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, */ static u_int32_t get_message_id_or_hash(message_t *message) { - /* Use the message ID, or the message hash in IKEv1 Main/Aggressive mode */ - if (message->get_major_version(message) == IKEV1_MAJOR_VERSION && - message->get_message_id(message) == 0) + if (message->get_major_version(message) == IKEV1_MAJOR_VERSION) { - return chunk_hash(message->get_packet_data(message)); + /* Use a hash for IKEv1 Phase 1, where we don't have a MID, and Quick + * Mode, where all three messages use the same message ID */ + if (message->get_message_id(message) == 0 || + message->get_exchange_type(message) == QUICK_MODE) + { + return chunk_hash(message->get_packet_data(message)); + } } return message->get_message_id(message); } @@ -1384,7 +1400,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, continue; } if (entry->ike_sa->get_state(entry->ike_sa) == IKE_DELETING) - { /* skip IKE_SAs which are not usable */ + { /* skip IKE_SAs which are not usable, wake other waiting threads */ + entry->condvar->signal(entry->condvar); continue; } @@ -1402,6 +1419,8 @@ METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, break; } } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } enumerator->destroy(enumerator); @@ -1434,6 +1453,8 @@ METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, entry->checked_out = TRUE; break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); @@ -1490,6 +1511,8 @@ METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } + /* other threads might be waiting for this entry */ + entry->condvar->signal(entry->condvar); } } enumerator->destroy(enumerator); @@ -1628,8 +1651,27 @@ METHOD(ike_sa_manager_t, checkin, void, * delete any existing IKE_SAs with that peer. */ if (ike_sa->has_condition(ike_sa, COND_INIT_CONTACT_SEEN)) { + /* We can't hold the segment locked while checking the + * uniqueness as this could lead to deadlocks. We mark the + * entry as checked out while we release the lock so no other + * thread can acquire it. Since it is not yet in the list of + * connected peers that will not cause a deadlock as no other + * caller of check_unqiueness() will try to check out this SA */ + entry->checked_out = TRUE; + unlock_single_segment(this, segment); + this->public.check_uniqueness(&this->public, ike_sa, TRUE); ike_sa->set_condition(ike_sa, COND_INIT_CONTACT_SEEN, FALSE); + + /* The entry could have been modified in the mean time, e.g. + * because another SA was added/removed next to it or another + * thread is waiting, but it should still exist, so there is no + * need for a lookup via get_entry_by... */ + lock_single_segment(this, segment); + entry->checked_out = FALSE; + /* We already signaled waiting threads above, we have to do that + * again after checking the SA out and back in again. */ + entry->condvar->signal(entry->condvar); } } @@ -2010,6 +2052,15 @@ METHOD(ike_sa_manager_t, get_half_open_count, u_int, return count; } +METHOD(ike_sa_manager_t, set_spi_cb, void, + private_ike_sa_manager_t *this, spi_cb_t callback, void *data) +{ + this->spi_lock->write_lock(this->spi_lock); + this->spi_cb.cb = callback; + this->spi_cb.data = data; + this->spi_lock->unlock(this->spi_lock); +} + METHOD(ike_sa_manager_t, flush, void, private_ike_sa_manager_t *this) { @@ -2092,10 +2143,12 @@ METHOD(ike_sa_manager_t, flush, void, charon->bus->set_sa(charon->bus, NULL); unlock_all_segments(this); - this->rng_lock->write_lock(this->rng_lock); + this->spi_lock->write_lock(this->spi_lock); this->rng->destroy(this->rng); this->rng = NULL; - this->rng_lock->unlock(this->rng_lock); + this->spi_cb.cb = NULL; + this->spi_cb.data = NULL; + this->spi_lock->unlock(this->spi_lock); } METHOD(ike_sa_manager_t, destroy, void, @@ -2120,7 +2173,7 @@ METHOD(ike_sa_manager_t, destroy, void, free(this->connected_peers_segments); free(this->init_hashes_segments); - this->rng_lock->destroy(this->rng_lock); + this->spi_lock->destroy(this->spi_lock); free(this); } @@ -2167,6 +2220,7 @@ ike_sa_manager_t *ike_sa_manager_create() .get_count = _get_count, .get_half_open_count = _get_half_open_count, .flush = _flush, + .set_spi_cb = _set_spi_cb, .destroy = _destroy, }, ); @@ -2178,7 +2232,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } - this->rng_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->spi_lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->ikesa_limit = lib->settings->get_int(lib->settings, "%s.ikesa_limit", 0, lib->ns); |