authorMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:59:25 +0000
committerMike Belopuhov <mikeb@cvs.openbsd.org>2011-01-26 16:59:25 +0000
commit25a989a96a2690f4420caa3a87206cd093207499 (patch)
tree096773da6e87033c3229bb05b92c2ae4610521de /sbin/iked
parent8209b1916479af05e249e45f22b0525e2ee12cc2 (diff)
get rid of acquire flows completely, as they tend to pass traffic
when there's no sa established (as pointed out by reyk). instead use require mode feature to send acquires from the kernel. this allows us to get rid of the code that changes flow mode to acquire and keep all installed flows in the tree and save up on some code that deals with renegotiation. also several entities were renamed (iked_acqflows -> iked_activeflows, iked_ipsecsas -> iked_activesas, ikev2_acquire -> ikev2_acquire_sa). ok reyk
Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/config.c6
-rw-r--r--sbin/iked/iked.h23
-rw-r--r--sbin/iked/ikev2.c87
-rw-r--r--sbin/iked/ikev2_pld.c8
-rw-r--r--sbin/iked/pfkey.c12
-rw-r--r--sbin/iked/policy.c10
6 files changed, 56 insertions, 90 deletions
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index 608c4ab9a24..1fda90ac58c 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.8 2011/01/21 11:56:00 reyk Exp $ */
+/* $OpenBSD: config.c,v 1.9 2011/01/26 16:59:23 mikeb Exp $ */
/* $vantronix: config.c,v 1.30 2010/05/28 15:34:35 reyk Exp $ */
/*
@@ -224,6 +224,8 @@ config_free_flows(struct iked *env, struct iked_flows *head)
log_debug("%s: free %p", __func__, flow);
+ if (flow->flow_loaded)
+ RB_REMOVE(iked_activeflows, &env->sc_activeflows, flow);
TAILQ_REMOVE(head, flow, flow_entry);
(void)pfkey_flow_delete(env->sc_pfkey, flow);
flow_free(flow);
@@ -256,7 +258,7 @@ config_free_childsas(struct iked *env, struct iked_childsas *head,
TAILQ_REMOVE(head, csa, csa_entry);
if (csa->csa_loaded) {
- RB_REMOVE(iked_ipsecsas, &env->sc_ipsecsas, csa);
+ RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
(void)pfkey_sa_delete(env->sc_pfkey, csa);
}
childsa_free(csa);
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index 0078045943e..d043e7097b5 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.33 2011/01/21 17:01:33 reyk Exp $ */
+/* $OpenBSD: iked.h,v 1.34 2011/01/26 16:59:23 mikeb Exp $ */
/* $vantronix: iked.h,v 1.61 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -130,7 +130,6 @@ struct iked_flow {
u_int flow_dir; /* in/out */
u_int flow_loaded; /* pfkey done */
- u_int flow_acquire;
u_int8_t flow_saproto;
u_int8_t flow_ipproto;
@@ -142,10 +141,10 @@ struct iked_flow {
struct iked_addr *flow_peer; /* outer dest */
struct iked_sa *flow_ikesa; /* parent SA */
- RB_ENTRY(iked_flow) flow_acq_entry;
+ RB_ENTRY(iked_flow) flow_node;
TAILQ_ENTRY(iked_flow) flow_entry;
};
-RB_HEAD(iked_acqflows, iked_flow);
+RB_HEAD(iked_activeflows, iked_flow);
TAILQ_HEAD(iked_flows, iked_flow);
struct iked_childsa {
@@ -175,10 +174,10 @@ struct iked_childsa {
struct iked_childsa *csa_peersa; /* peer */
- RB_ENTRY(iked_childsa) csa_ipsec_entry;
+ RB_ENTRY(iked_childsa) csa_node;
TAILQ_ENTRY(iked_childsa) csa_entry;
};
-RB_HEAD(iked_ipsecsas, iked_childsa);
+RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);
@@ -460,8 +459,8 @@ struct iked {
struct iked_policy *sc_defaultcon;
struct iked_sas sc_sas;
- struct iked_ipsecsas sc_ipsecsas;
- struct iked_acqflows sc_acqflows;
+ struct iked_activesas sc_activesas;
+ struct iked_activeflows sc_activeflows;
struct iked_users sc_users;
void *sc_priv; /* per-process */
@@ -580,8 +579,8 @@ struct iked_user *
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_sapeers, iked_sa, sa_peer_entry, sa_peer_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
-RB_PROTOTYPE(iked_ipsecsas, iked_childsa, csa_ipsec_entry, childsa_cmp);
-RB_PROTOTYPE(iked_acqflows, iked_flow, flow_acq_entry, acquire_flow_cmp);
+RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
+RB_PROTOTYPE(iked_activeflows, iked_flow, flow_node, flow_cmp);
/* crypto.c */
struct iked_hash *
@@ -640,7 +639,7 @@ int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int ikev2_childsa_enable(struct iked *, struct iked_sa *);
int ikev2_childsa_delete(struct iked *, struct iked_sa *,
u_int8_t, u_int64_t, u_int64_t *, int);
-int ikev2_flows_delete(struct iked *, struct iked_sa *, u_int8_t, int);
+int ikev2_flows_delete(struct iked *, struct iked_sa *, u_int8_t);
struct ibuf *
ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
@@ -658,7 +657,7 @@ struct ikev2_payload *
ikev2_add_payload(struct ibuf *);
int ikev2_next_payload(struct ikev2_payload *, size_t,
u_int8_t);
-void ikev2_acquire(struct iked *, struct iked_flow *);
+void ikev2_acquire_sa(struct iked *, struct iked_flow *);
void ikev2_disable_rekeying(struct iked *, struct iked_sa *);
void ikev2_rekey_sa(struct iked *, struct iked_spi *);
void ikev2_drop_sa(struct iked *, struct iked_spi *);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0068b7ee3e2..c109d1fc610 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.44 2011/01/26 16:35:17 mikeb Exp $ */
+/* $OpenBSD: ikev2.c,v 1.45 2011/01/26 16:59:24 mikeb Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -3551,7 +3551,7 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
return (-1);
}
- RB_INSERT(iked_ipsecsas, &env->sc_ipsecsas, csa);
+ RB_INSERT(iked_activesas, &env->sc_activesas, csa);
log_debug("%s: loaded CHILD SA spi %s", __func__,
print_spi(csa->csa_spi.spi, csa->csa_spi.spi_size));
@@ -3566,6 +3566,8 @@ ikev2_childsa_enable(struct iked *env, struct iked_sa *sa)
return (-1);
}
+ RB_INSERT(iked_activeflows, &env->sc_activeflows, flow);
+
log_debug("%s: loaded flow %p", __func__, flow);
}
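Review bot: The result of `RB_INSERT(iked_activeflows, &env->sc_activeflows, flow)` is discarded, so a flow that compares equal under flow_cmp to one already in the tree is silently not linked while the loop goes on to log it as loaded. Now that every installed flow is kept in sc_activeflows, this can presumably happen when a rekeyed child SA installs flows with the same selectors as the flows of the SA it replaces; the guarded `if (flow->flow_loaded) RB_REMOVE(...)` added in ikev2_flows_delete and config_free_flows would then be run on a node that was never inserted, which RB_REMOVE does not tolerate (where flow_loaded is set is not visible in this hunk, so this needs confirming). Either replace an existing entry first, `if ((oflow = RB_FIND(iked_activeflows, &env->sc_activeflows, flow)) != NULL) { RB_REMOVE(iked_activeflows, &env->sc_activeflows, oflow); oflow->flow_loaded = 0; }`, or at least check the RB_INSERT return and log when it is non-NULL; the same unchecked pattern applies to the `RB_INSERT(iked_activesas, ...)` in the previous hunk. ikev2_childsa_enable begins and ends outside the hunk.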
@@ -3576,7 +3578,7 @@ int
ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
u_int64_t spi, u_int64_t *spiptr, int cleanup)
{
- struct iked_childsa *csa, key, *nextcsa = NULL;
+ struct iked_childsa *csa, *nextcsa = NULL;
u_int64_t peerspi = 0;
int found = 0;
@@ -3589,6 +3591,9 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
(cleanup && csa->csa_loaded))
continue;
+ if (csa->csa_loaded)
+ RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
+
if (pfkey_sa_delete(env->sc_pfkey, csa) != 0)
log_debug("%s: failed to delete CHILD SA spi %s",
__func__, print_spi(csa->csa_spi.spi,
@@ -3602,9 +3607,6 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
if (spi && csa->csa_spi.spi == spi)
peerspi = csa->csa_peerspi;
- key.csa_spi = csa->csa_spi;
- if (RB_FIND(iked_ipsecsas, &env->sc_ipsecsas, &key))
- RB_REMOVE(iked_ipsecsas, &env->sc_ipsecsas, csa);
TAILQ_REMOVE(&sa->sa_childsas, csa, csa_entry);
childsa_free(csa);
}
@@ -3616,8 +3618,7 @@ ikev2_childsa_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
}
int
-ikev2_flows_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
- int acquire)
+ikev2_flows_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto)
{
struct iked_flow *flow, *nextflow;
int found = 0;
@@ -3628,42 +3629,17 @@ ikev2_flows_delete(struct iked *env, struct iked_sa *sa, u_int8_t saproto,
if (saproto && flow->flow_saproto != saproto)
continue;
- /*
- * If we're asked to put a flow into acquire mode for
- * the first time then remove it and add back with an
- * appropriate configuration, otherwise there's nothing
- * to do.
- */
- if (!acquire) {
- if (flow->flow_acquire)
- RB_REMOVE(iked_acqflows, &env->sc_acqflows,
- flow);
- if (pfkey_flow_delete(env->sc_pfkey, flow) != 0)
- log_debug("%s: failed to delete flow %p",
- __func__, flow);
- else
- log_debug("%s: deleted flow %p",
- __func__, flow);
- TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry);
- flow_free(flow);
- } else if (!flow->flow_acquire) {
- if (pfkey_flow_delete(env->sc_pfkey, flow) != 0)
- log_debug("%s: failed to delete flow %p",
- __func__, flow);
- else
- log_debug("%s: deleted flow %p",
- __func__, flow);
- flow->flow_acquire = 1;
- if (pfkey_flow_add(env->sc_pfkey, flow) != 0)
- log_debug("%s: failed to load acquire flow",
- __func__);
- else {
- RB_INSERT(iked_acqflows, &env->sc_acqflows,
- flow);
- log_debug("%s: loaded acquire flow %p",
- __func__, flow);
- }
- }
+ if (flow->flow_loaded)
+ RB_REMOVE(iked_activeflows, &env->sc_activeflows, flow);
+
+ if (pfkey_flow_delete(env->sc_pfkey, flow) != 0)
+ log_debug("%s: failed to delete flow %p", __func__,
+ flow);
+ else
+ log_debug("%s: deleted flow %p", __func__, flow);
+
+ TAILQ_REMOVE(&sa->sa_flows, flow, flow_entry);
+ flow_free(flow);
found++;
}
@@ -3715,13 +3691,13 @@ ikev2_valid_proposal(struct iked_proposal *prop,
}
void
-ikev2_acquire(struct iked *env, struct iked_flow *acquire)
+ikev2_acquire_sa(struct iked *env, struct iked_flow *acquire)
{
struct iked_flow *flow;
struct iked_sa *sa;
- if ((flow = RB_FIND(iked_acqflows, &env->sc_acqflows,
- acquire)) == NULL) {
+ flow = RB_FIND(iked_activeflows, &env->sc_activeflows, acquire);
+ if (!flow) {
log_warnx("%s: flow wasn't found", __func__);
return;
}
@@ -3743,8 +3719,6 @@ ikev2_disable_rekeying(struct iked *env, struct iked_sa *sa)
TAILQ_FOREACH(csa, &sa->sa_childsas, csa_entry) {
csa->csa_persistent = 1;
- if (csa->csa_rekey)
- (void)pfkey_sa_add(env->sc_pfkey, csa, NULL);
csa->csa_rekey = 0;
}
@@ -3758,7 +3732,8 @@ ikev2_rekey_sa(struct iked *env, struct iked_spi *rekey)
struct iked_sa *sa;
key.csa_spi = *rekey;
- if ((csa = RB_FIND(iked_ipsecsas, &env->sc_ipsecsas, &key)) == NULL)
+ csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
+ if (!csa)
return;
if (csa->csa_rekey) /* See if it's already taken care of */
@@ -3792,12 +3767,10 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
int nprop = 0;
key.csa_spi = *drop;
- if ((csa = RB_FIND(iked_ipsecsas, &env->sc_ipsecsas, &key)) == NULL) {
- log_debug("%s: failed to find CHILD SA %s", __func__,
- print_spi(drop->spi, drop->spi_size));
+ csa = RB_FIND(iked_activesas, &env->sc_activesas, &key);
+ if (!csa || csa->csa_rekey)
return;
- }
- RB_REMOVE(iked_ipsecsas, &env->sc_ipsecsas, csa);
+ RB_REMOVE(iked_activesas, &env->sc_activesas, csa);
csa->csa_loaded = 0;
if ((sa = csa->csa_ikesa) == NULL) {
log_debug("%s: failed to find a parent SA", __func__);
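Review bot: The combined early return `if (!csa || csa->csa_rekey) return;` folds two unrelated conditions into one silent exit and drops the `failed to find CHILD SA` debug message the old code emitted, so a drop request for an SPI iked has no record of, or one that races with an in-progress rekey, now leaves no trace in the log. Keeping the cases separate preserves the diagnostic without changing the new behaviour: `if (csa == NULL) { log_debug("%s: failed to find CHILD SA %s", __func__, print_spi(drop->spi, drop->spi_size)); return; }` followed by `if (csa->csa_rekey) return;`, optionally with its own debug line noting that the SA is being rekeyed. ikev2_drop_sa continues past the end of this hunk.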
@@ -3841,10 +3814,6 @@ ikev2_drop_sa(struct iked *env, struct iked_spi *drop)
log_debug("%s: failed to delete CHILD SA %s", __func__,
print_spi(csa->csa_peerspi, drop->spi_size));
- /* delete flows for the specified protocol */
- if (ikev2_flows_delete(env, sa, csa->csa_saproto, 0))
- log_debug("%s: failed to delete flows", __func__);
-
/* Send PAYLOAD_DELETE */
if ((buf = ibuf_static()) == NULL)
diff --git a/sbin/iked/ikev2_pld.c b/sbin/iked/ikev2_pld.c
index fd323c462ea..98ca90b9d07 100644
--- a/sbin/iked/ikev2_pld.c
+++ b/sbin/iked/ikev2_pld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_pld.c,v 1.20 2011/01/17 18:49:35 mikeb Exp $ */
+/* $OpenBSD: ikev2_pld.c,v 1.21 2011/01/26 16:59:24 mikeb Exp $ */
/* $vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -853,11 +853,9 @@ ikev2_pld_delete(struct iked *env, struct ikev2_payload *pld,
found++;
/*
- * Change flows to acquire mode so that it would be possible
- * to negotiate a new Child SA quickly
+ * Flows are left in the require mode so that it would be
+ * possible to quickly negotiate a new Child SA
*/
- if (!peersas[i]->csa_rekey)
- ikev2_flows_delete(env, sa, del->del_protoid, 1);
}
/* Parsed outgoing message? */
diff --git a/sbin/iked/pfkey.c b/sbin/iked/pfkey.c
index b37e421932b..f034af4caf4 100644
--- a/sbin/iked/pfkey.c
+++ b/sbin/iked/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.13 2011/01/21 11:37:02 reyk Exp $ */
+/* $OpenBSD: pfkey.c,v 1.14 2011/01/26 16:59:24 mikeb Exp $ */
/* $vantronix: pfkey.c,v 1.11 2010/06/03 07:57:33 reyk Exp $ */
/*
@@ -267,11 +267,9 @@ pfkey_flow(int sd, u_int8_t satype, u_int8_t action, struct iked_flow *flow)
sa_flowtype.sadb_protocol_exttype = SADB_X_EXT_FLOW_TYPE;
sa_flowtype.sadb_protocol_len = sizeof(sa_flowtype) / 8;
sa_flowtype.sadb_protocol_direction = flow->flow_dir;
- if (flow->flow_dir == IPSP_DIRECTION_IN)
- sa_flowtype.sadb_protocol_proto = SADB_X_FLOW_TYPE_USE;
- else
- sa_flowtype.sadb_protocol_proto = flow->flow_acquire ?
- SADB_X_FLOW_TYPE_ACQUIRE : SADB_X_FLOW_TYPE_REQUIRE;
+ sa_flowtype.sadb_protocol_proto =
+ flow->flow_dir == IPSP_DIRECTION_IN ?
+ SADB_X_FLOW_TYPE_USE : SADB_X_FLOW_TYPE_REQUIRE;
bzero(&sa_protocol, sizeof(sa_protocol));
sa_protocol.sadb_protocol_exttype = SADB_X_EXT_PROTOCOL;
@@ -1496,7 +1494,7 @@ pfkey_process(struct iked *env, struct pfkey_message *pm)
print_host(sdst, NULL, 0), print_host(dmask, NULL, 0),
print_host(speer, NULL, 0));
- ikev2_acquire(env, &flow);
+ ikev2_acquire_sa(env, &flow);
out:
if (errmsg)
diff --git a/sbin/iked/policy.c b/sbin/iked/policy.c
index e7ebda6192c..580904af98e 100644
--- a/sbin/iked/policy.c
+++ b/sbin/iked/policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: policy.c,v 1.15 2011/01/21 11:56:00 reyk Exp $ */
+/* $OpenBSD: policy.c,v 1.16 2011/01/26 16:59:24 mikeb Exp $ */
/* $vantronix: policy.c,v 1.29 2010/05/28 15:34:35 reyk Exp $ */
/*
@@ -58,8 +58,8 @@ policy_init(struct iked *env)
TAILQ_INIT(&env->sc_policies);
RB_INIT(&env->sc_users);
RB_INIT(&env->sc_sas);
- RB_INIT(&env->sc_ipsecsas);
- RB_INIT(&env->sc_acqflows);
+ RB_INIT(&env->sc_activesas);
+ RB_INIT(&env->sc_activeflows);
}
int
@@ -486,7 +486,7 @@ childsa_cmp(struct iked_childsa *a, struct iked_childsa *b)
return (0);
}
-RB_GENERATE(iked_ipsecsas, iked_childsa, csa_ipsec_entry, childsa_cmp);
+RB_GENERATE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
static __inline int
addr_cmp(struct iked_addr *a, struct iked_addr *b, int useports)
@@ -519,4 +519,4 @@ flow_cmp(struct iked_flow *a, struct iked_flow *b)
return (diff);
}
-RB_GENERATE(iked_acqflows, iked_flow, flow_acq_entry, flow_cmp);
+RB_GENERATE(iked_activeflows, iked_flow, flow_node, flow_cmp);