/*
 * Arm (or re-arm) the DPD timeout on a Phase 1 state.
 *
 * An EVENT_DPD_TIMEOUT is queued only when p1st has no DPD event pending,
 * or when the requested timeout would fire before the event already
 * queued.  In the second case the old event is deleted first, so p1st
 * never carries more than one outstanding DPD event.
 *
 * p1st    - the ISAKMP (Phase 1) state the timeout is attached to
 * nw      - "now" on the monotonic clock, supplied by the caller so that
 *           the comparison uses the same instant as the caller's bookkeeping
 * timeout - distance into the future for the timeout; must be > 0, which
 *           is enforced with passert() (a non-positive value is a caller
 *           bug, not a recoverable condition)
 */
static void dpd_sched_timeout(struct state *p1st, monotime_t nw,
			      deltatime_t timeout)
{
	passert(deltasecs(timeout) > 0);

	/*
	 * Keep an existing event if it already fires no later than the
	 * one we are asked for (De Morgan of the "schedule it" test).
	 */
	if (p1st->st_dpd_event != NULL &&
	    !monobefore(monotimesum(nw, timeout),
			p1st->st_dpd_event->ev_time))
		return;

	DBG(DBG_DPD,
	    DBG_log("DPD: scheduling timeout to %ld",
		    (long)deltasecs(timeout)));

	/* replace, never stack, the pending DPD event on this state */
	if (p1st->st_dpd_event != NULL)
		delete_dpd_event(p1st);

	event_schedule(EVENT_DPD_TIMEOUT, deltasecs(timeout), p1st);
}
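/*
 * Report the "config setup" values currently in effect to the whack
 * client, one RC_COMMENT line per group of settings.
 *
 * Changes relative to the previous version:
 *  - "ddos-cookies-threshold" and "ddos-max-halfopen" had their arguments
 *    swapped, so each limit was displayed under the other's label.  They
 *    now print pluto_ddos_threshold and pluto_max_halfopen respectively.
 *  - shuntlifetime and crlcheckinterval are printed as (long)deltasecs()
 *    with %ld, the way deltasecs() values are logged elsewhere in this
 *    file, rather than handing the raw return value to %lu.
 *
 * NOTE(review): this output reveals filesystem paths (secrets file, NSS
 * database, dump directory) to whoever can talk to the whack socket; it
 * relies entirely on that socket's access control -- confirm that is the
 * intended trust boundary.
 */
void show_setup_plutomain(void)
{
	whack_log(RC_COMMENT, "config setup options:");
	whack_log(RC_COMMENT, " ");	/* spacer */

	whack_log(RC_COMMENT,
		  "configdir=%s, configfile=%s, secrets=%s, ipsecdir=%s, nssdir=%s, dumpdir=%s, statsbin=%s",
		  oco->confdir,
		  oco->conffile,
		  oco->secretsfile,
		  oco->confddir,
		  oco->nssdb,
		  coredir,
		  pluto_stats_binary == NULL ? "unset" : pluto_stats_binary);

	whack_log(RC_COMMENT, "sbindir=%s, libexecdir=%s",
		  IPSEC_SBINDIR, IPSEC_EXECDIR);

	whack_log(RC_COMMENT, "pluto_version=%s, pluto_vendorid=%s",
		  ipsec_version_code(), pluto_vendorid);

	whack_log(RC_COMMENT,
		  "nhelpers=%d, uniqueids=%s, perpeerlog=%s, shuntlifetime=%lds, xfrmlifetime=%ds",
		  nhelpers,
		  uniqueIDs ? "yes" : "no",
		  !log_to_perpeer ? "no" : base_perpeer_logdir,
		  (long)deltasecs(pluto_shunt_lifetime),
		  pluto_xfrmlifetime);

	/* argument order must follow the labels: threshold first, then max */
	whack_log(RC_COMMENT,
		  "ddos-cookies-threshold=%d, ddos-max-halfopen=%d, ddos-mode=%s",
		  pluto_ddos_threshold,
		  pluto_max_halfopen,
		  (pluto_ddos_mode == DDOS_AUTO) ? "auto" :
		  (pluto_ddos_mode == DDOS_FORCE_BUSY) ? "busy" : "unlimited");

	whack_log(RC_COMMENT,
		  "ikeport=%d, strictcrlpolicy=%s, crlcheckinterval=%ld, listen=%s, nflog-all=%d",
		  pluto_port,
		  strict_crl_policy ? "yes" : "no",
		  (long)deltasecs(crl_check_interval),
		  pluto_listen != NULL ? pluto_listen : "<any>",
		  pluto_nflog_group);

#ifdef HAVE_LABELED_IPSEC
	whack_log(RC_COMMENT, "secctx-attr-type=%d", secctx_attr_type);
#else
	whack_log(RC_COMMENT, "secctx-attr-type=<unsupported>");
#endif
}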
/* * check if any crls are about to expire */ void check_crls(void) { x509crl_t *crl; lock_crl_list("check_crls"); crl = x509crls; while (crl != NULL) { deltatime_t time_left = realtimediff(crl->nextUpdate, realnow()); char buf[ASN1_BUF_LEN]; DBG(DBG_X509, { dntoa(buf, ASN1_BUF_LEN, crl->issuer); DBG_log("issuer: '%s'", buf); if (crl->authKeyID.ptr != NULL) { datatot(crl->authKeyID.ptr, crl->authKeyID.len, ':', buf, ASN1_BUF_LEN); DBG_log("authkey: %s", buf); } DBG_log("%ld seconds left", (long)deltasecs(time_left)); }); if (deltaless(time_left, deltatimescale(2, 1, crl_check_interval))) add_crl_fetch_request(crl->issuer, crl->distributionPoints); crl = crl->next; }
/*
 * Start Dead Peer Detection (RFC 3706) for a newly established state.
 *
 * st may be an ISAKMP (Phase 1) SA or an IPsec (Phase 2) SA; the related
 * Phase 1 state is looked up by cookie pair.  If the peer advertised DPD
 * (recorded in the Phase 1 state's hidden_variables), an EVENT_DPD is
 * scheduled on st after the connection's dpd_delay, unless st already has
 * a DPD event due sooner.  When st is a Phase 2 SA, any plain EVENT_DPD
 * still queued on the Phase 1 SA is removed so that DPD is driven from the
 * child state from now on.
 *
 * Returns STF_OK, or STF_FAIL when no Phase 1 state can be found (in which
 * case the IPsec SA is left without DPD; the caller decides what to do).
 *
 * NOTE(review): for a Phase 2 st this checks p1st's st_peer_supports_dpd
 * but later code in this file (dpd_outI) consults st's own copy; that is
 * only consistent if the Phase 2 state inherits hidden_variables from the
 * Phase 1 state -- confirm against the quick-mode code.
 */
stf_status dpd_init(struct state *st)
{
#ifdef HAVE_LABELED_IPSEC
	/* loopback connections never lose their peer; nothing to detect */
	if (st->st_connection->loopback) {
		libreswan_log(
			"dpd is not required for ipsec connections over loopback");
		return STF_OK;
	}
#endif

	/* the Phase 1 state this SA belongs to (may be st itself) */
	struct state *p1st = find_state_ikev1(st->st_icookie,
					      st->st_rcookie, 0);

	if (p1st == NULL) {
		loglog(RC_LOG_SERIOUS, "could not find phase 1 state for DPD");
		/*
		 * A Phase 1 that has gone away should have torn down its
		 * children, but quick mode setup can be slow (DNS lookups,
		 * for example) and the Phase 1 may have been removed in the
		 * meantime.  Nothing sensible can be done from here; any DPD
		 * action belongs outside this function.
		 */
		return STF_FAIL;
	}

	if (!p1st->hidden_variables.st_peer_supports_dpd) {
		libreswan_log(
			"Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it");
	} else {
		libreswan_log("Dead Peer Detection (RFC 3706): enabled");

		const deltatime_t delay = st->st_connection->dpd_delay;
		bool schedule = st->st_dpd_event == NULL;

		/* an existing DPD event is replaced only if ours is sooner */
		if (!schedule)
			schedule = monobefore(monotimesum(mononow(), delay),
					      st->st_dpd_event->ev_time);

		if (schedule) {
			if (st->st_dpd_event != NULL)
				delete_dpd_event(st);
			event_schedule(EVENT_DPD, deltasecs(delay), st);
		}
	}

	/*
	 * st is a Phase 2 SA: drop the Phase 1's own EVENT_DPD (but not an
	 * EVENT_DPD_TIMEOUT) now that the child carries the DPD schedule.
	 */
	if (p1st != st &&
	    p1st->st_dpd_event != NULL &&
	    p1st->st_dpd_event->ev_type == EVENT_DPD)
		delete_dpd_event(p1st);

	return STF_OK;
}
/*
 * Wake the CRL fetch thread that is blocked on fetch_wake_cond.
 *
 * who - short description of the caller, used only in the debug log line.
 *
 * When crl_check_interval is not positive the wake-up is skipped
 * entirely: there is nothing to signal (and no log line is emitted).
 * The condition variable is signalled under fetch_wake_mutex.
 */
void wake_fetch_thread(const char *who)
{
	if (deltasecs(crl_check_interval) <= 0)
		return;	/* CRL checking is off; no fetch thread to wake */

	DBG(DBG_CONTROLMORE,
	    DBG_log("fetch thread wake call by '%s'", who));

	pthread_mutex_lock(&fetch_wake_mutex);
	pthread_cond_signal(&fetch_wake_cond);
	pthread_mutex_unlock(&fetch_wake_mutex);
}
/** * DPD Out Initiator * * @param p2st A state struct that is already in phase2 * @return void */ static void dpd_outI(struct state *p1st, struct state *st, bool eroute_care, deltatime_t delay, deltatime_t timeout) { monotime_t nw; monotime_t last; deltatime_t nextdelay; u_int32_t seqno; DBG(DBG_DPD, DBG_log("DPD: processing for state #%lu (\"%s\")", st->st_serialno, st->st_connection->name)); /* If no DPD, then get out of here */ if (!st->hidden_variables.st_peer_supports_dpd) { DBG(DBG_DPD, DBG_log("DPD: peer does not support dpd")); return; } /* If there is no state, there can be no DPD */ if (!IS_ISAKMP_SA_ESTABLISHED(p1st->st_state)) { DBG(DBG_DPD, DBG_log("DPD: no phase1 state, so no DPD")); return; } /* find out when now is */ nw = mononow(); /* * pick least recent activity value, since with multiple phase 2s, * it may well be that one phase 2 is very active, while the other * for some reason, gets stomped upon by some network screw up. * * (this would only happen if the network was sensitive to different * SPI#, since for NAT-T, all traffic should be on the same UDP port. * At worst, this means that we send a bit more traffic then we need * to when there are multiple SAs and one is much less active. * * ??? the code actually picks the most recent. So much for comments. */ last = !monobefore(p1st->st_last_dpd, st->st_last_dpd) ? p1st->st_last_dpd : st->st_last_dpd; nextdelay = monotimediff(monotimesum(last, delay), nw); /* has there been enough activity of late? */ if (deltasecs(nextdelay) > 0) { /* Yes, just reschedule "phase 2" */ DBG(DBG_DPD, DBG_log("DPD: not yet time for dpd event: %ld < %ld", (long)nw.mono_secs, (long)(last.mono_secs + deltasecs(delay)))); event_schedule(EVENT_DPD, deltasecs(nextdelay), st); return; } /* now plan next check time */ /* ??? this test is nuts: it will always succeed! 
*/ if (deltasecs(nextdelay) < 1) nextdelay = delay; /* * check the phase 2, if we are supposed to, * and return if it is active recently */ if (eroute_care && st->hidden_variables.st_nat_traversal == LEMPTY && !was_eroute_idle(st, delay)) { DBG(DBG_DPD, DBG_log("DPD: out event not sent, phase 2 active")); /* update phase 2 time stamp only */ st->st_last_dpd = nw; /* * Since there was activity, kill any EVENT_DPD_TIMEOUT that might * be waiting. This can happen when a R_U_THERE_ACK is lost, and * subsequently traffic started flowing over the SA again, and no * more DPD packets are sent to cancel the outstanding DPD timer. */ if (p1st->st_dpd_event != NULL && p1st->st_dpd_event->ev_type == EVENT_DPD_TIMEOUT) { DBG(DBG_DPD, DBG_log("DPD: deleting p1st DPD event")); delete_dpd_event(p1st); } event_schedule(EVENT_DPD, deltasecs(nextdelay), st); return; } if (st != p1st) { /* * reschedule next event, since we cannot do it from the activity * routine. */ event_schedule(EVENT_DPD, deltasecs(nextdelay), st); } if (p1st->st_dpd_seqno == 0) { /* Get a non-zero random value that has room to grow */ get_rnd_bytes((u_char *)&p1st->st_dpd_seqno, sizeof(p1st->st_dpd_seqno)); p1st->st_dpd_seqno &= 0x7fff; p1st->st_dpd_seqno++; } seqno = htonl(p1st->st_dpd_seqno); /* make sure that the timeout occurs. We do this before the send, * because the send may fail due to network issues, etc, and * the timeout has to occur anyway */ dpd_sched_timeout(p1st, nw, timeout); DBG(DBG_DPD, { ipstr_buf b; DBG_log("DPD: sending R_U_THERE %u to %s:%d (state #%lu)", p1st->st_dpd_seqno, ipstr(&p1st->st_remoteaddr, &b), p1st->st_remoteport, p1st->st_serialno); });