/*
 * Arm the DPD timeout on the Phase 1 state p1st.
 *
 * A new EVENT_DPD_TIMEOUT is scheduled only when p1st has no DPD event
 * pending, or when the new deadline (nw + timeout) would fire before the
 * pending event's ev_time; in that case the pending event is deleted
 * before the new one is scheduled.  timeout must be positive (asserted).
 */
static void dpd_sched_timeout(struct state *p1st, monotime_t nw, deltatime_t timeout)
{
	passert(deltasecs(timeout) > 0);

	bool pending = p1st->st_dpd_event != NULL;

	/* a pending event that fires no later than the new one wins */
	if (pending &&
	    !monobefore(monotimesum(nw, timeout), p1st->st_dpd_event->ev_time)) {
		return;
	}

	DBG(DBG_DPD, DBG_log("DPD: scheduling timeout to %ld",
			     (long)deltasecs(timeout)));
	if (pending) {
		delete_dpd_event(p1st);
	}
	event_schedule(EVENT_DPD_TIMEOUT, deltasecs(timeout), p1st);
}
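/*
 * Report the effective "config setup" options to whack (ipsec status).
 *
 * Fix: the ddos line passed pluto_max_halfopen and pluto_ddos_threshold
 * in the wrong order, so "ddos-cookies-threshold" showed the half-open
 * limit and vice versa.  An operator tuning DDoS protection from this
 * output would have been misled; the arguments now match their labels.
 */
void show_setup_plutomain(void)
{
	whack_log(RC_COMMENT, "config setup options:");	/* spacer */
	whack_log(RC_COMMENT, " ");	/* spacer */
	whack_log(RC_COMMENT,
		"configdir=%s, configfile=%s, secrets=%s, ipsecdir=%s, nssdir=%s, dumpdir=%s, statsbin=%s",
		oco->confdir,
		oco->conffile,
		oco->secretsfile,
		oco->confddir,
		oco->nssdb,
		coredir,
		pluto_stats_binary == NULL ? "unset" : pluto_stats_binary);

	whack_log(RC_COMMENT, "sbindir=%s, libexecdir=%s",
		IPSEC_SBINDIR,
		IPSEC_EXECDIR);

	whack_log(RC_COMMENT, "pluto_version=%s, pluto_vendorid=%s",
		ipsec_version_code(),
		pluto_vendorid);

	whack_log(RC_COMMENT,
		"nhelpers=%d, uniqueids=%s, perpeerlog=%s, shuntlifetime=%lus, xfrmlifetime=%ds",
		nhelpers,
		uniqueIDs ? "yes" : "no",
		!log_to_perpeer ? "no" : base_perpeer_logdir,
		deltasecs(pluto_shunt_lifetime),
		pluto_xfrmlifetime
	);

	/* argument order must follow the labels: threshold first, then max-halfopen */
	whack_log(RC_COMMENT,
		"ddos-cookies-threshold=%d, ddos-max-halfopen=%d, ddos-mode=%s",
		pluto_ddos_threshold,
		pluto_max_halfopen,
		(pluto_ddos_mode == DDOS_AUTO) ? "auto" :
			(pluto_ddos_mode == DDOS_FORCE_BUSY) ? "busy" : "unlimited");

	whack_log(RC_COMMENT,
		"ikeport=%d, strictcrlpolicy=%s, crlcheckinterval=%lu, listen=%s, nflog-all=%d",
		pluto_port,
		strict_crl_policy ? "yes" : "no",
		deltasecs(crl_check_interval),
		pluto_listen != NULL ? pluto_listen : "<any>",
		pluto_nflog_group
		);

#ifdef HAVE_LABELED_IPSEC
	whack_log(RC_COMMENT, "secctx-attr-type=%d", secctx_attr_type);
#else
	whack_log(RC_COMMENT, "secctx-attr-type=<unsupported>");
#endif
}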
/*
 * check if any crls are about to expire
 */
void check_crls(void)
{
	x509crl_t *crl;

	lock_crl_list("check_crls");
	crl = x509crls;

	while (crl != NULL) {
		deltatime_t time_left = realtimediff(crl->nextUpdate, realnow());
		char buf[ASN1_BUF_LEN];

		DBG(DBG_X509, {
			    dntoa(buf, ASN1_BUF_LEN, crl->issuer);
			    DBG_log("issuer: '%s'", buf);
			    if (crl->authKeyID.ptr != NULL) {
				    datatot(crl->authKeyID.ptr,
					    crl->authKeyID.len, ':',
					    buf, ASN1_BUF_LEN);
				    DBG_log("authkey: %s", buf);
			    }
			    DBG_log("%ld seconds left", (long)deltasecs(time_left));
		    });
		if (deltaless(time_left, deltatimescale(2, 1, crl_check_interval)))
			add_crl_fetch_request(crl->issuer,
					      crl->distributionPoints);
		crl = crl->next;
	}
/*
 * Enable Dead Peer Detection (RFC 3706) for state st, provided the peer
 * advertised support for it.
 *
 * st may be a Phase 1 (ISAKMP) SA or a Phase 2 SA; the owning Phase 1 state
 * is looked up through st's cookies.  Returns STF_FAIL when that Phase 1
 * state no longer exists, STF_OK otherwise (also when DPD stays disabled
 * because the peer did not advertise it).
 */
stf_status dpd_init(struct state *st)
{
#ifdef HAVE_LABELED_IPSEC
	if (st->st_connection->loopback) {
		libreswan_log(
			"dpd is not required for ipsec connections over loopback");
		return STF_OK;
	}
#endif
	/* the Phase 1 state st hangs off (may be st itself) */
	struct state *p1st = find_state_ikev1(st->st_icookie, st->st_rcookie, 0);

	if (p1st == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
		/*
		 * A Phase 1 that has gone away should have deleted all of its
		 * children, but a Quick Mode SA can take a while to set up
		 * (DNS lookups, for instance) and the Phase 1 may have been
		 * torn down meanwhile.  Nothing sensible can be done here;
		 * invoking the DPD action would belong to a caller, not to
		 * this function.
		 */
		return STF_FAIL;
	}

	if (!p1st->hidden_variables.st_peer_supports_dpd) {
		libreswan_log(
			"Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it");
	} else {
		libreswan_log("Dead Peer Detection (RFC 3706): enabled");

		/*
		 * Arm EVENT_DPD on st unless an event already pending on st
		 * would fire no later than now + dpd_delay.
		 */
		deltatime_t delay = st->st_connection->dpd_delay;
		bool arm = st->st_dpd_event == NULL;
		if (!arm) {
			arm = monobefore(monotimesum(mononow(), delay),
					 st->st_dpd_event->ev_time);
		}
		if (arm) {
			if (st->st_dpd_event != NULL) {
				delete_dpd_event(st);
			}
			event_schedule(EVENT_DPD, deltasecs(delay), st);
		}
	}

	/* st is not the Phase 1 SA: drop the Phase 1's own EVENT_DPD, if any */
	if (p1st != st &&
	    p1st->st_dpd_event != NULL &&
	    p1st->st_dpd_event->ev_type == EVENT_DPD) {
		delete_dpd_event(p1st);
	}
	return STF_OK;
}
/*
 * Wake the sleeping CRL fetch thread by signalling fetch_wake_cond under
 * fetch_wake_mutex.  who names the caller, for the debug log only.
 * When crl_check_interval is not positive the call is a no-op.
 */
void wake_fetch_thread(const char *who)
{
	if (deltasecs(crl_check_interval) <= 0) {
		return;
	}

	DBG(DBG_CONTROLMORE,
	    DBG_log("fetch thread wake call by '%s'", who));

	pthread_mutex_lock(&fetch_wake_mutex);
	pthread_cond_signal(&fetch_wake_cond);
	pthread_mutex_unlock(&fetch_wake_mutex);
}
/**
 * DPD Out Initiator
 *
 * @param p2st A state struct that is already in phase2
 * @return void
 */
static void dpd_outI(struct state *p1st, struct state *st, bool eroute_care,
		     deltatime_t delay, deltatime_t timeout)
{
	monotime_t nw;
	monotime_t last;
	deltatime_t nextdelay;
	u_int32_t seqno;

	DBG(DBG_DPD,
	    DBG_log("DPD: processing for state #%lu (\"%s\")",
		    st->st_serialno,
		    st->st_connection->name));

	/* If no DPD, then get out of here */
	if (!st->hidden_variables.st_peer_supports_dpd) {
		DBG(DBG_DPD,
		    DBG_log("DPD: peer does not support dpd"));
		return;
	}

	/* If there is no state, there can be no DPD */
	if (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)) {
		DBG(DBG_DPD,
		    DBG_log("DPD: no phase1 state, so no DPD"));
		return;
	}

	/* find out when now is */
	nw = mononow();

	/*
	 * pick least recent activity value, since with multiple phase 2s,
	 * it may well be that one phase 2 is very active, while the other
	 * for some reason, gets stomped upon by some network screw up.
	 *
	 * (this would only happen if the network was sensitive to different
	 *  SPI#, since for NAT-T, all traffic should be on the same UDP port.
	 *  At worst, this means that we send a bit more traffic then we need
	 *  to when there are multiple SAs and one is much less active.
	 *
	 * ??? the code actually picks the most recent.  So much for comments.
	 */
	last = !monobefore(p1st->st_last_dpd, st->st_last_dpd) ?
		p1st->st_last_dpd : st->st_last_dpd;

	nextdelay = monotimediff(monotimesum(last, delay), nw);

	/* has there been enough activity of late? */
	if (deltasecs(nextdelay) > 0) {
		/* Yes, just reschedule "phase 2" */
		DBG(DBG_DPD,
		    DBG_log("DPD: not yet time for dpd event: %ld < %ld",
			    (long)nw.mono_secs,
			    (long)(last.mono_secs + deltasecs(delay))));
		event_schedule(EVENT_DPD, deltasecs(nextdelay), st);
		return;
	}

	/* now plan next check time */
	/* ??? this test is nuts: it will always succeed! */
	if (deltasecs(nextdelay) < 1)
		nextdelay = delay;

	/*
	 * check the phase 2, if we are supposed to,
	 * and return if it is active recently
	 */
	if (eroute_care && st->hidden_variables.st_nat_traversal == LEMPTY &&
			!was_eroute_idle(st, delay)) {
		DBG(DBG_DPD,
		    DBG_log("DPD: out event not sent, phase 2 active"));

		/* update phase 2 time stamp only */
		st->st_last_dpd = nw;

		/*
		 * Since there was activity, kill any EVENT_DPD_TIMEOUT that might
		 * be waiting. This can happen when a R_U_THERE_ACK is lost, and
		 * subsequently traffic started flowing over the SA again, and no
		 * more DPD packets are sent to cancel the outstanding DPD timer.
		 */
		if (p1st->st_dpd_event != NULL &&
		    p1st->st_dpd_event->ev_type == EVENT_DPD_TIMEOUT) {
			DBG(DBG_DPD,
			    DBG_log("DPD: deleting p1st DPD event"));
			delete_dpd_event(p1st);
		}

		event_schedule(EVENT_DPD, deltasecs(nextdelay), st);
		return;
	}

	if (st != p1st) {
		/*
		 * reschedule next event, since we cannot do it from the activity
		 * routine.
		 */
		event_schedule(EVENT_DPD, deltasecs(nextdelay), st);
	}

	if (p1st->st_dpd_seqno == 0) {
		/* Get a non-zero random value that has room to grow */
		get_rnd_bytes((u_char *)&p1st->st_dpd_seqno,
			      sizeof(p1st->st_dpd_seqno));
		p1st->st_dpd_seqno &= 0x7fff;
		p1st->st_dpd_seqno++;
	}
	seqno = htonl(p1st->st_dpd_seqno);

	/* make sure that the timeout occurs. We do this before the send,
	 * because the send may fail due to network issues, etc, and
	 * the timeout has to occur anyway
	 */
	dpd_sched_timeout(p1st, nw, timeout);

	DBG(DBG_DPD, {
		ipstr_buf b;
		DBG_log("DPD: sending R_U_THERE %u to %s:%d (state #%lu)",
			 p1st->st_dpd_seqno,
			 ipstr(&p1st->st_remoteaddr, &b),
			 p1st->st_remoteport,
			 p1st->st_serialno);
	});