fixing mediation extension
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2008 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26 #include <time.h>
27
28 #include "ike_sa.h"
29
30 #include <library.h>
31 #include <daemon.h>
32 #include <utils/linked_list.h>
33 #include <utils/lexparser.h>
34 #include <crypto/diffie_hellman.h>
35 #include <crypto/prf_plus.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/hashers/hasher.h>
38 #include <encoding/payloads/sa_payload.h>
39 #include <encoding/payloads/nonce_payload.h>
40 #include <encoding/payloads/ke_payload.h>
41 #include <encoding/payloads/delete_payload.h>
42 #include <encoding/payloads/transform_substructure.h>
43 #include <encoding/payloads/transform_attribute.h>
44 #include <encoding/payloads/ts_payload.h>
45 #include <sa/task_manager.h>
46 #include <sa/tasks/ike_init.h>
47 #include <sa/tasks/ike_natd.h>
48 #include <sa/tasks/ike_mobike.h>
49 #include <sa/tasks/ike_auth.h>
50 #include <sa/tasks/ike_auth_lifetime.h>
51 #include <sa/tasks/ike_config.h>
52 #include <sa/tasks/ike_cert_pre.h>
53 #include <sa/tasks/ike_cert_post.h>
54 #include <sa/tasks/ike_rekey.h>
55 #include <sa/tasks/ike_reauth.h>
56 #include <sa/tasks/ike_delete.h>
57 #include <sa/tasks/ike_dpd.h>
58 #include <sa/tasks/child_create.h>
59 #include <sa/tasks/child_delete.h>
60 #include <sa/tasks/child_rekey.h>
61 #include <processing/jobs/retransmit_job.h>
62 #include <processing/jobs/delete_ike_sa_job.h>
63 #include <processing/jobs/send_dpd_job.h>
64 #include <processing/jobs/send_keepalive_job.h>
65 #include <processing/jobs/rekey_ike_sa_job.h>
66
67 #ifdef ME
68 #include <sa/tasks/ike_me.h>
69 #include <processing/jobs/initiate_mediation_job.h>
70 #endif
71
72 #ifndef RESOLV_CONF
73 #define RESOLV_CONF "/etc/resolv.conf"
74 #endif
75
76 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
77 "CREATED",
78 "CONNECTING",
79 "ESTABLISHED",
80 "REKEYING",
81 "DELETING",
82 "DESTROYING",
83 );
84
85 typedef struct private_ike_sa_t private_ike_sa_t;
86
87 /**
88 * Private data of an ike_sa_t object.
89 */
90 struct private_ike_sa_t {
91
92 /**
93 * Public members
94 */
95 ike_sa_t public;
96
97 /**
98 * Identifier for the current IKE_SA.
99 */
100 ike_sa_id_t *ike_sa_id;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 u_int32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * associated authentication/authorization info for local peer
124 */
125 auth_info_t *my_auth;
126
127 /**
128 * associated authentication/authorization info for remote peer
129 */
130 auth_info_t *other_auth;
131
132 /**
133 * Selected IKE proposal
134 */
135 proposal_t *proposal;
136
137 /**
138 * Juggles tasks to process messages
139 */
140 task_manager_t *task_manager;
141
142 /**
143 * Address of local host
144 */
145 host_t *my_host;
146
147 /**
148 * Address of remote host
149 */
150 host_t *other_host;
151
152 #ifdef ME
153 /**
154 * Are we mediation server
155 */
156 bool is_mediation_server;
157
158 /**
159 * Server reflexive host
160 */
161 host_t *server_reflexive_host;
162
163 /**
164 * Connect ID
165 */
166 chunk_t connect_id;
167 #endif /* ME */
168
169 /**
170 * Identification used for us
171 */
172 identification_t *my_id;
173
174 /**
175 * Identification used for other
176 */
177 identification_t *other_id;
178
179 /**
180 * EAP Identity exchange in EAP-Identity method
181 */
182 identification_t *eap_identity;;
183
184 /**
185 * set of extensions the peer supports
186 */
187 ike_extension_t extensions;
188
189 /**
190 * set of condition flags currently enabled for this IKE_SA
191 */
192 ike_condition_t conditions;
193
194 /**
195 * Linked List containing the child sa's of the current IKE_SA.
196 */
197 linked_list_t *child_sas;
198
199 /**
200 * keymat of this IKE_SA
201 */
202 keymat_t *keymat;
203
204 /**
205 * Virtual IP on local host, if any
206 */
207 host_t *my_virtual_ip;
208
209 /**
210 * Virtual IP on remote host, if any
211 */
212 host_t *other_virtual_ip;
213
214 /**
215 * List of DNS servers installed by us
216 */
217 linked_list_t *dns_servers;
218
219 /**
220 * list of peers additional addresses, transmitted via MOBIKE
221 */
222 linked_list_t *additional_addresses;
223
224 /**
225 * previously value of received DESTINATION_IP hash
226 */
227 chunk_t nat_detection_dest;
228
229 /**
230 * number pending UPDATE_SA_ADDRESS (MOBIKE)
231 */
232 u_int32_t pending_updates;
233
234 /**
235 * NAT keep alive interval
236 */
237 u_int32_t keepalive_interval;
238
239 /**
240 * Timestamps for this IKE_SA
241 */
242 u_int32_t stats[STAT_MAX];
243
244 /**
245 * how many times we have retried so far (keyingtries)
246 */
247 u_int32_t keyingtry;
248
249 /**
250 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
251 */
252 bool ike_initiator;
253
254 /**
255 * local host address to be used for IKE, set via MIGRATE kernel message
256 */
257 host_t *local_host;
258
259 /**
260 * remote host address to be used for IKE, set via MIGRATE kernel message
261 */
262 host_t *remote_host;
263 };
264
265 /**
266 * get the time of the latest traffic processed by the kernel
267 */
268 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
269 {
270 enumerator_t *enumerator;
271 child_sa_t *child_sa;
272 time_t use_time;
273
274 if (inbound)
275 {
276 use_time = this->stats[STAT_INBOUND];
277 }
278 else
279 {
280 use_time = this->stats[STAT_OUTBOUND];
281 }
282 enumerator = this->child_sas->create_enumerator(this->child_sas);
283 while (enumerator->enumerate(enumerator, &child_sa))
284 {
285 use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
286 }
287 enumerator->destroy(enumerator);
288
289 return use_time;
290 }
291
292 /**
293 * Implementation of ike_sa_t.get_unique_id
294 */
295 static u_int32_t get_unique_id(private_ike_sa_t *this)
296 {
297 return this->unique_id;
298 }
299
300 /**
301 * Implementation of ike_sa_t.get_name.
302 */
303 static char *get_name(private_ike_sa_t *this)
304 {
305 if (this->peer_cfg)
306 {
307 return this->peer_cfg->get_name(this->peer_cfg);
308 }
309 return "(unnamed)";
310 }
311
312 /**
313 * Implementation of ike_sa_t.get_statistic.
314 */
315 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
316 {
317 if (kind < STAT_MAX)
318 {
319 return this->stats[kind];
320 }
321 return 0;
322 }
323
324 /**
325 * Implementation of ike_sa_t.get_my_host.
326 */
327 static host_t *get_my_host(private_ike_sa_t *this)
328 {
329 return this->my_host;
330 }
331
332 /**
333 * Implementation of ike_sa_t.set_my_host.
334 */
335 static void set_my_host(private_ike_sa_t *this, host_t *me)
336 {
337 DESTROY_IF(this->my_host);
338 this->my_host = me;
339 }
340
341 /**
342 * Implementation of ike_sa_t.get_other_host.
343 */
344 static host_t *get_other_host(private_ike_sa_t *this)
345 {
346 return this->other_host;
347 }
348
349 /**
350 * Implementation of ike_sa_t.set_other_host.
351 */
352 static void set_other_host(private_ike_sa_t *this, host_t *other)
353 {
354 DESTROY_IF(this->other_host);
355 this->other_host = other;
356 }
357
358 /**
359 * Implementation of ike_sa_t.get_peer_cfg
360 */
361 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
362 {
363 return this->peer_cfg;
364 }
365
366 /**
367 * Implementation of ike_sa_t.set_peer_cfg
368 */
369 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
370 {
371 DESTROY_IF(this->peer_cfg);
372 peer_cfg->get_ref(peer_cfg);
373 this->peer_cfg = peer_cfg;
374
375 if (this->ike_cfg == NULL)
376 {
377 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
378 this->ike_cfg->get_ref(this->ike_cfg);
379 }
380 /* apply IDs if they are not already set */
381 if (this->my_id->contains_wildcards(this->my_id))
382 {
383 DESTROY_IF(this->my_id);
384 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
385 this->my_id = this->my_id->clone(this->my_id);
386 }
387 if (this->other_id->contains_wildcards(this->other_id))
388 {
389 DESTROY_IF(this->other_id);
390 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
391 this->other_id = this->other_id->clone(this->other_id);
392 }
393 }
394
395 /**
396 * Implementation of ike_sa_t.get_my_auth.
397 */
398 static auth_info_t* get_my_auth(private_ike_sa_t *this)
399 {
400 return this->my_auth;
401 }
402
403 /**
404 * Implementation of ike_sa_t.get_other_auth.
405 */
406 static auth_info_t* get_other_auth(private_ike_sa_t *this)
407 {
408 return this->other_auth;
409 }
410
411 /**
412 * Implementation of ike_sa_t.get_proposal
413 */
414 static proposal_t* get_proposal(private_ike_sa_t *this)
415 {
416 return this->proposal;
417 }
418
419 /**
420 * Implementation of ike_sa_t.set_proposal
421 */
422 static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
423 {
424 DESTROY_IF(this->proposal);
425 this->proposal = proposal->clone(proposal);
426 }
427
428 /**
429 * Implementation of ike_sa_t.send_keepalive
430 */
431 static void send_keepalive(private_ike_sa_t *this)
432 {
433 send_keepalive_job_t *job;
434 time_t last_out, now, diff;
435
436 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
437 { /* disable keep alives if we are not NATed anymore */
438 return;
439 }
440
441 last_out = get_use_time(this, FALSE);
442 now = time(NULL);
443
444 diff = now - last_out;
445
446 if (diff >= this->keepalive_interval)
447 {
448 packet_t *packet;
449 chunk_t data;
450
451 packet = packet_create();
452 packet->set_source(packet, this->my_host->clone(this->my_host));
453 packet->set_destination(packet, this->other_host->clone(this->other_host));
454 data.ptr = malloc(1);
455 data.ptr[0] = 0xFF;
456 data.len = 1;
457 packet->set_data(packet, data);
458 DBG1(DBG_IKE, "sending keep alive");
459 charon->sender->send(charon->sender, packet);
460 diff = 0;
461 }
462 job = send_keepalive_job_create(this->ike_sa_id);
463 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
464 (this->keepalive_interval - diff) * 1000);
465 }
466
467 /**
468 * Implementation of ike_sa_t.get_ike_cfg
469 */
470 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
471 {
472 return this->ike_cfg;
473 }
474
475 /**
476 * Implementation of ike_sa_t.set_ike_cfg
477 */
478 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
479 {
480 ike_cfg->get_ref(ike_cfg);
481 this->ike_cfg = ike_cfg;
482 }
483
484 /**
485 * Implementation of ike_sa_t.is_ike_initiator
486 */
487 static bool is_ike_initiator(private_ike_sa_t *this)
488 {
489 return this->ike_initiator;
490 }
491
492 /**
493 * Implementation of ike_sa_t.enable_extension.
494 */
495 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
496 {
497 this->extensions |= extension;
498 }
499
500 /**
501 * Implementation of ike_sa_t.has_extension.
502 */
503 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
504 {
505 return (this->extensions & extension) != FALSE;
506 }
507
508 /**
509 * Implementation of ike_sa_t.has_condition.
510 */
511 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
512 {
513 return (this->conditions & condition) != FALSE;
514 }
515
516 /**
517 * Implementation of ike_sa_t.enable_condition.
518 */
519 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
520 bool enable)
521 {
522 if (has_condition(this, condition) != enable)
523 {
524 if (enable)
525 {
526 this->conditions |= condition;
527 switch (condition)
528 {
529 case COND_NAT_HERE:
530 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
531 this->conditions |= COND_NAT_ANY;
532 send_keepalive(this);
533 break;
534 case COND_NAT_THERE:
535 DBG1(DBG_IKE, "remote host is behind NAT");
536 this->conditions |= COND_NAT_ANY;
537 break;
538 case COND_NAT_FAKE:
539 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
540 this->conditions |= COND_NAT_ANY;
541 break;
542 default:
543 break;
544 }
545 }
546 else
547 {
548 this->conditions &= ~condition;
549 switch (condition)
550 {
551 case COND_NAT_HERE:
552 case COND_NAT_FAKE:
553 case COND_NAT_THERE:
554 set_condition(this, COND_NAT_ANY,
555 has_condition(this, COND_NAT_HERE) ||
556 has_condition(this, COND_NAT_THERE) ||
557 has_condition(this, COND_NAT_FAKE));
558 break;
559 default:
560 break;
561 }
562 }
563 }
564 }
565
566 /**
567 * Implementation of ike_sa_t.send_dpd
568 */
569 static status_t send_dpd(private_ike_sa_t *this)
570 {
571 send_dpd_job_t *job;
572 time_t diff, delay;
573
574 delay = this->peer_cfg->get_dpd(this->peer_cfg);
575
576 if (delay == 0)
577 {
578 /* DPD disabled */
579 return SUCCESS;
580 }
581
582 if (this->task_manager->busy(this->task_manager))
583 {
584 /* an exchange is in the air, no need to start a DPD check */
585 diff = 0;
586 }
587 else
588 {
589 /* check if there was any inbound traffic */
590 time_t last_in, now;
591 last_in = get_use_time(this, TRUE);
592 now = time(NULL);
593 diff = now - last_in;
594 if (diff >= delay)
595 {
596 /* to long ago, initiate dead peer detection */
597 task_t *task;
598 ike_mobike_t *mobike;
599
600 if (supports_extension(this, EXT_MOBIKE) &&
601 has_condition(this, COND_NAT_HERE))
602 {
603 /* use mobike enabled DPD to detect NAT mapping changes */
604 mobike = ike_mobike_create(&this->public, TRUE);
605 mobike->dpd(mobike);
606 task = &mobike->task;
607 }
608 else
609 {
610 task = (task_t*)ike_dpd_create(TRUE);
611 }
612 diff = 0;
613 DBG1(DBG_IKE, "sending DPD request");
614
615 this->task_manager->queue_task(this->task_manager, task);
616 this->task_manager->initiate(this->task_manager);
617 }
618 }
619 /* recheck in "interval" seconds */
620 job = send_dpd_job_create(this->ike_sa_id);
621 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
622 (delay - diff) * 1000);
623 return SUCCESS;
624 }
625
626 /**
627 * Implementation of ike_sa_t.get_state.
628 */
629 static ike_sa_state_t get_state(private_ike_sa_t *this)
630 {
631 return this->state;
632 }
633
634 /**
635 * Implementation of ike_sa_t.set_state.
636 */
637 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
638 {
639 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
640 get_name(this), this->unique_id,
641 ike_sa_state_names, this->state,
642 ike_sa_state_names, state);
643
644 switch (state)
645 {
646 case IKE_ESTABLISHED:
647 {
648 if (this->state == IKE_CONNECTING)
649 {
650 job_t *job;
651 u_int32_t t;
652
653 /* calculate rekey, reauth and lifetime */
654 this->stats[STAT_ESTABLISHED] = time(NULL);
655
656 /* schedule rekeying if we have a time which is smaller than
657 * an already scheduled rekeying */
658 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
659 if (t && (this->stats[STAT_REKEY] == 0 ||
660 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
661 {
662 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
663 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
664 charon->scheduler->schedule_job(charon->scheduler,
665 job, t * 1000);
666 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
667 }
668 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
669 if (t && (this->stats[STAT_REAUTH] == 0 ||
670 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
671 {
672 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
673 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
674 charon->scheduler->schedule_job(charon->scheduler,
675 job, t * 1000);
676 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
677 }
678 t = this->peer_cfg->get_over_time(this->peer_cfg);
679 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
680 {
681 if (this->stats[STAT_REAUTH] == 0)
682 {
683 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
684 }
685 else if (this->stats[STAT_REKEY] == 0)
686 {
687 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
688 }
689 else
690 {
691 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
692 this->stats[STAT_REAUTH]);
693 }
694 this->stats[STAT_DELETE] += t;
695 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
696 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
697 charon->scheduler->schedule_job(charon->scheduler, job,
698 t * 1000);
699 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
700 }
701
702 /* start DPD checks */
703 send_dpd(this);
704 }
705 break;
706 }
707 case IKE_DELETING:
708 {
709 /* delete may fail if a packet gets lost, so set a timeout */
710 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
711 charon->scheduler->schedule_job(charon->scheduler, job,
712 HALF_OPEN_IKE_SA_TIMEOUT);
713 break;
714 }
715 default:
716 break;
717 }
718 charon->bus->ike_state_change(charon->bus, &this->public, state);
719 this->state = state;
720 }
721
722 /**
723 * Implementation of ike_sa_t.reset
724 */
725 static void reset(private_ike_sa_t *this)
726 {
727 /* the responder ID is reset, as peer may choose another one */
728 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
729 {
730 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
731 }
732
733 set_state(this, IKE_CREATED);
734
735 this->task_manager->reset(this->task_manager);
736 }
737
738 /**
739 * Implementation of ike_sa_t.get_keymat
740 */
741 static keymat_t* get_keymat(private_ike_sa_t *this)
742 {
743 return this->keymat;
744 }
745
746 /**
747 * Implementation of ike_sa_t.set_virtual_ip
748 */
749 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
750 {
751 if (local)
752 {
753 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
754 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
755 this->my_host) == SUCCESS)
756 {
757 if (this->my_virtual_ip)
758 {
759 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
760 charon->kernel_interface->del_ip(charon->kernel_interface,
761 this->my_virtual_ip);
762 }
763 DESTROY_IF(this->my_virtual_ip);
764 this->my_virtual_ip = ip->clone(ip);
765 }
766 else
767 {
768 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
769 this->my_virtual_ip = NULL;
770 }
771 }
772 else
773 {
774 DESTROY_IF(this->other_virtual_ip);
775 this->other_virtual_ip = ip->clone(ip);
776 }
777 }
778
779 /**
780 * Implementation of ike_sa_t.get_virtual_ip
781 */
782 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
783 {
784 if (local)
785 {
786 return this->my_virtual_ip;
787 }
788 else
789 {
790 return this->other_virtual_ip;
791 }
792 }
793
794 /**
795 * Implementation of ike_sa_t.add_additional_address.
796 */
797 static void add_additional_address(private_ike_sa_t *this, host_t *host)
798 {
799 this->additional_addresses->insert_last(this->additional_addresses, host);
800 }
801
802 /**
803 * Implementation of ike_sa_t.create_additional_address_iterator.
804 */
805 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
806 {
807 return this->additional_addresses->create_iterator(
808 this->additional_addresses, TRUE);
809 }
810
811 /**
812 * Implementation of ike_sa_t.has_mapping_changed
813 */
814 static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
815 {
816 if (this->nat_detection_dest.ptr == NULL)
817 {
818 this->nat_detection_dest = chunk_clone(hash);
819 return FALSE;
820 }
821 if (chunk_equals(hash, this->nat_detection_dest))
822 {
823 return FALSE;
824 }
825 free(this->nat_detection_dest.ptr);
826 this->nat_detection_dest = chunk_clone(hash);
827 return TRUE;
828 }
829
830 /**
831 * Implementation of ike_sa_t.set_pending_updates.
832 */
833 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
834 {
835 this->pending_updates = updates;
836 }
837
838 /**
839 * Implementation of ike_sa_t.get_pending_updates.
840 */
841 static u_int32_t get_pending_updates(private_ike_sa_t *this)
842 {
843 return this->pending_updates;
844 }
845
846 /**
847 * Update hosts, as addresses may change (NAT)
848 */
849 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
850 {
851 bool update = FALSE;
852
853 if (me == NULL)
854 {
855 me = this->my_host;
856 }
857 if (other == NULL)
858 {
859 other = this->other_host;
860 }
861
862 /* apply hosts on first received message */
863 if (this->my_host->is_anyaddr(this->my_host) ||
864 this->other_host->is_anyaddr(this->other_host))
865 {
866 set_my_host(this, me->clone(me));
867 set_other_host(this, other->clone(other));
868 update = TRUE;
869 }
870 else
871 {
872 /* update our address in any case */
873 if (!me->equals(me, this->my_host))
874 {
875 set_my_host(this, me->clone(me));
876 update = TRUE;
877 }
878
879 if (!other->equals(other, this->other_host))
880 {
881 /* update others adress if we are NOT NATed,
882 * and allow port changes if we are NATed */
883 if (!has_condition(this, COND_NAT_HERE) ||
884 other->ip_equals(other, this->other_host))
885 {
886 set_other_host(this, other->clone(other));
887 update = TRUE;
888 }
889 }
890 }
891
892 /* update all associated CHILD_SAs, if required */
893 if (update)
894 {
895 iterator_t *iterator;
896 child_sa_t *child_sa;
897
898 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
899 while (iterator->iterate(iterator, (void**)&child_sa))
900 {
901 if (child_sa->update_hosts(child_sa, this->my_host,
902 this->other_host, this->my_virtual_ip,
903 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
904 {
905 this->public.rekey_child_sa(&this->public,
906 child_sa->get_protocol(child_sa),
907 child_sa->get_spi(child_sa, TRUE));
908 }
909 }
910 iterator->destroy(iterator);
911 }
912 }
913
914 /**
915 * Implementation of ike_sa_t.generate
916 */
917 static status_t generate_message(private_ike_sa_t *this, message_t *message,
918 packet_t **packet)
919 {
920 this->stats[STAT_OUTBOUND] = time(NULL);
921 message->set_ike_sa_id(message, this->ike_sa_id);
922 return message->generate(message,
923 this->keymat->get_crypter(this->keymat, FALSE),
924 this->keymat->get_signer(this->keymat, FALSE), packet);
925 }
926
927 /**
928 * send a notify back to the sender
929 */
930 static void send_notify_response(private_ike_sa_t *this, message_t *request,
931 notify_type_t type)
932 {
933 message_t *response;
934 packet_t *packet;
935
936 response = message_create();
937 response->set_exchange_type(response, request->get_exchange_type(request));
938 response->set_request(response, FALSE);
939 response->set_message_id(response, request->get_message_id(request));
940 response->add_notify(response, FALSE, type, chunk_empty);
941 if (this->my_host->is_anyaddr(this->my_host))
942 {
943 this->my_host->destroy(this->my_host);
944 this->my_host = request->get_destination(request);
945 this->my_host = this->my_host->clone(this->my_host);
946 }
947 if (this->other_host->is_anyaddr(this->other_host))
948 {
949 this->other_host->destroy(this->other_host);
950 this->other_host = request->get_source(request);
951 this->other_host = this->other_host->clone(this->other_host);
952 }
953 response->set_source(response, this->my_host->clone(this->my_host));
954 response->set_destination(response, this->other_host->clone(this->other_host));
955 if (generate_message(this, response, &packet) == SUCCESS)
956 {
957 charon->sender->send(charon->sender, packet);
958 }
959 response->destroy(response);
960 }
961
962 /**
963 * Implementation of ike_sa_t.set_kmaddress.
964 */
965 static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
966 {
967 DESTROY_IF(this->local_host);
968 DESTROY_IF(this->remote_host);
969 this->local_host = local->clone(local);
970 this->remote_host = remote->clone(remote);
971 }
972
973 #ifdef ME
974 /**
975 * Implementation of ike_sa_t.act_as_mediation_server.
976 */
977 static void act_as_mediation_server(private_ike_sa_t *this)
978 {
979 charon->mediation_manager->update_sa_id(charon->mediation_manager,
980 this->other_id, this->ike_sa_id);
981 this->is_mediation_server = TRUE;
982 }
983
984 /**
985 * Implementation of ike_sa_t.get_server_reflexive_host.
986 */
987 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
988 {
989 return this->server_reflexive_host;
990 }
991
992 /**
993 * Implementation of ike_sa_t.set_server_reflexive_host.
994 */
995 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
996 {
997 DESTROY_IF(this->server_reflexive_host);
998 this->server_reflexive_host = host;
999 }
1000
1001 /**
1002 * Implementation of ike_sa_t.get_connect_id.
1003 */
1004 static chunk_t get_connect_id(private_ike_sa_t *this)
1005 {
1006 return this->connect_id;
1007 }
1008
1009 /**
1010 * Implementation of ike_sa_t.respond
1011 */
1012 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
1013 chunk_t connect_id)
1014 {
1015 ike_me_t *task = ike_me_create(&this->public, TRUE);
1016 task->respond(task, peer_id, connect_id);
1017 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1018 return this->task_manager->initiate(this->task_manager);
1019 }
1020
1021 /**
1022 * Implementation of ike_sa_t.callback
1023 */
1024 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
1025 {
1026 ike_me_t *task = ike_me_create(&this->public, TRUE);
1027 task->callback(task, peer_id);
1028 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1029 return this->task_manager->initiate(this->task_manager);
1030 }
1031
1032 /**
1033 * Implementation of ike_sa_t.relay
1034 */
1035 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1036 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1037 {
1038 ike_me_t *task = ike_me_create(&this->public, TRUE);
1039 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1040 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1041 return this->task_manager->initiate(this->task_manager);
1042 }
1043
1044 /**
1045 * Implementation of ike_sa_t.initiate_mediation
1046 */
1047 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1048 {
1049 ike_me_t *task = ike_me_create(&this->public, TRUE);
1050 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1051 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1052 return this->task_manager->initiate(this->task_manager);
1053 }
1054
1055 /**
1056 * Implementation of ike_sa_t.initiate_mediated
1057 */
1058 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1059 chunk_t connect_id)
1060 {
1061 set_my_host(this, me->clone(me));
1062 set_other_host(this, other->clone(other));
1063 chunk_free(&this->connect_id);
1064 this->connect_id = chunk_clone(connect_id);
1065
1066 return this->task_manager->initiate(this->task_manager);
1067 }
1068 #endif /* ME */
1069
1070 /**
1071 * Resolve DNS host in configuration
1072 */
1073 static void resolve_hosts(private_ike_sa_t *this)
1074 {
1075 host_t *host;
1076
1077 if (this->remote_host)
1078 {
1079 host = this->remote_host->clone(this->remote_host);
1080 host->set_port(host, IKEV2_UDP_PORT);
1081 }
1082 else
1083 {
1084 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1085 0, IKEV2_UDP_PORT);
1086 }
1087 if (host)
1088 {
1089 set_other_host(this, host);
1090 }
1091
1092 if (this->local_host)
1093 {
1094 host = this->local_host->clone(this->local_host);
1095 host->set_port(host, IKEV2_UDP_PORT);
1096 }
1097 else
1098 {
1099 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1100 this->my_host->get_family(this->my_host),
1101 IKEV2_UDP_PORT);
1102
1103 if (host && host->is_anyaddr(host) &&
1104 !this->other_host->is_anyaddr(this->other_host))
1105 {
1106 host->destroy(host);
1107 host = charon->kernel_interface->get_source_addr(
1108 charon->kernel_interface, this->other_host, NULL);
1109 if (host)
1110 {
1111 host->set_port(host, IKEV2_UDP_PORT);
1112 }
1113 }
1114 }
1115 if (host)
1116 {
1117 set_my_host(this, host);
1118 }
1119 }
1120
1121 /**
1122 * Initiates a CHILD_SA using the appropriate reqid
1123 */
1124 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1125 {
1126 task_t *task;
1127
1128 if (this->state == IKE_CREATED)
1129 {
1130 resolve_hosts(this);
1131
1132 if (this->other_host->is_anyaddr(this->other_host)
1133 #ifdef ME
1134 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1135 #endif /* ME */
1136 )
1137 {
1138 child_cfg->destroy(child_cfg);
1139 DBG1(DBG_IKE, "unable to initiate to %%any");
1140 return DESTROY_ME;
1141 }
1142
1143 this->ike_initiator = TRUE;
1144
1145 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1146 this->task_manager->queue_task(this->task_manager, task);
1147 task = (task_t*)ike_natd_create(&this->public, TRUE);
1148 this->task_manager->queue_task(this->task_manager, task);
1149 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1150 this->task_manager->queue_task(this->task_manager, task);
1151 task = (task_t*)ike_auth_create(&this->public, TRUE);
1152 this->task_manager->queue_task(this->task_manager, task);
1153 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1154 this->task_manager->queue_task(this->task_manager, task);
1155 task = (task_t*)ike_config_create(&this->public, TRUE);
1156 this->task_manager->queue_task(this->task_manager, task);
1157 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1158 this->task_manager->queue_task(this->task_manager, task);
1159 if (this->peer_cfg->use_mobike(this->peer_cfg))
1160 {
1161 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1162 this->task_manager->queue_task(this->task_manager, task);
1163 }
1164 #ifdef ME
1165 task = (task_t*)ike_me_create(&this->public, TRUE);
1166 this->task_manager->queue_task(this->task_manager, task);
1167 #endif /* ME */
1168 }
1169
1170 #ifdef ME
1171 if (this->peer_cfg->is_mediation(this->peer_cfg))
1172 {
1173 if (this->state == IKE_ESTABLISHED)
1174 {
1175 /* mediation connection is already established, retrigger state change
1176 * to notify bus listeners */
1177 DBG1(DBG_IKE, "mediation connection is already up");
1178 set_state(this, IKE_ESTABLISHED);
1179 }
1180 DESTROY_IF(child_cfg);
1181 }
1182 else
1183 #endif /* ME */
1184 {
1185 /* normal IKE_SA with CHILD_SA */
1186 task = (task_t*)child_create_create(&this->public, child_cfg);
1187 child_cfg->destroy(child_cfg);
1188 if (reqid)
1189 {
1190 child_create_t *child_create = (child_create_t*)task;
1191 child_create->use_reqid(child_create, reqid);
1192 }
1193 this->task_manager->queue_task(this->task_manager, task);
1194
1195 #ifdef ME
1196 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1197 {
1198 /* mediated connection, initiate mediation process */
1199 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1200 charon->processor->queue_job(charon->processor, job);
1201 return SUCCESS;
1202 }
1203 #endif /* ME */
1204 }
1205
1206 return this->task_manager->initiate(this->task_manager);
1207 }
1208
1209 /**
1210 * Implementation of ike_sa_t.initiate.
1211 */
1212 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1213 {
1214 return initiate_with_reqid(this, child_cfg, 0);
1215 }
1216
1217 /**
1218 * Implementation of ike_sa_t.acquire.
1219 */
1220 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1221 {
1222 child_cfg_t *child_cfg;
1223 iterator_t *iterator;
1224 child_sa_t *current, *child_sa = NULL;
1225
1226 if (this->state == IKE_DELETING)
1227 {
1228 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1229 "IKE_SA is deleting", reqid);
1230 return FAILED;
1231 }
1232
1233 /* find CHILD_SA */
1234 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1235 while (iterator->iterate(iterator, (void**)&current))
1236 {
1237 if (current->get_reqid(current) == reqid)
1238 {
1239 child_sa = current;
1240 break;
1241 }
1242 }
1243 iterator->destroy(iterator);
1244 if (!child_sa)
1245 {
1246 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1247 "CHILD_SA not found", reqid);
1248 return FAILED;
1249 }
1250
1251 child_cfg = child_sa->get_config(child_sa);
1252 child_cfg->get_ref(child_cfg);
1253
1254 return initiate_with_reqid(this, child_cfg, reqid);
1255 }
1256
1257 /**
1258 * Implementation of ike_sa_t.route.
1259 */
1260 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1261 {
1262 child_sa_t *child_sa;
1263 iterator_t *iterator;
1264 linked_list_t *my_ts, *other_ts;
1265 host_t *me, *other;
1266 status_t status;
1267
1268 /* check if not already routed*/
1269 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1270 while (iterator->iterate(iterator, (void**)&child_sa))
1271 {
1272 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1273 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1274 {
1275 iterator->destroy(iterator);
1276 DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
1277 return FAILED;
1278 }
1279 }
1280 iterator->destroy(iterator);
1281
1282 switch (this->state)
1283 {
1284 case IKE_DELETING:
1285 case IKE_REKEYING:
1286 DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
1287 ike_sa_state_names, this->state);
1288 return FAILED;
1289 case IKE_CREATED:
1290 case IKE_CONNECTING:
1291 case IKE_ESTABLISHED:
1292 default:
1293 break;
1294 }
1295
1296 resolve_hosts(this);
1297
1298 /* install kernel policies */
1299 child_sa = child_sa_create(this->my_host, this->other_host,
1300 child_cfg, 0, FALSE);
1301 me = this->my_host;
1302 if (this->my_virtual_ip)
1303 {
1304 me = this->my_virtual_ip;
1305 }
1306 other = this->other_host;
1307 if (this->other_virtual_ip)
1308 {
1309 other = this->other_virtual_ip;
1310 }
1311
1312 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1313 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1314
1315 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1316 child_cfg->get_mode(child_cfg), PROTO_NONE);
1317
1318 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1319 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1320 if (status == SUCCESS)
1321 {
1322 this->child_sas->insert_last(this->child_sas, child_sa);
1323 DBG1(DBG_IKE, "CHILD_SA routed");
1324 }
1325 else
1326 {
1327 child_sa->destroy(child_sa);
1328 DBG1(DBG_IKE, "routing CHILD_SA failed");
1329 }
1330 return status;
1331 }
1332
1333 /**
1334 * Implementation of ike_sa_t.unroute.
1335 */
1336 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1337 {
1338 iterator_t *iterator;
1339 child_sa_t *child_sa;
1340 bool found = FALSE;
1341
1342 /* find CHILD_SA in ROUTED state */
1343 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1344 while (iterator->iterate(iterator, (void**)&child_sa))
1345 {
1346 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1347 child_sa->get_reqid(child_sa) == reqid)
1348 {
1349 iterator->remove(iterator);
1350 DBG1(DBG_IKE, "CHILD_SA unrouted");
1351 child_sa->destroy(child_sa);
1352 found = TRUE;
1353 break;
1354 }
1355 }
1356 iterator->destroy(iterator);
1357
1358 if (!found)
1359 {
1360 DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
1361 return FAILED;
1362 }
1363 /* if we are not established, and we have no more routed childs, remove whole SA */
1364 if (this->state == IKE_CREATED &&
1365 this->child_sas->get_count(this->child_sas) == 0)
1366 {
1367 return DESTROY_ME;
1368 }
1369 return SUCCESS;
1370 }
1371
1372 /**
1373 * Implementation of ike_sa_t.process_message.
1374 */
1375 static status_t process_message(private_ike_sa_t *this, message_t *message)
1376 {
1377 status_t status;
1378 bool is_request;
1379
1380 is_request = message->get_request(message);
1381
1382 status = message->parse_body(message,
1383 this->keymat->get_crypter(this->keymat, TRUE),
1384 this->keymat->get_signer(this->keymat, TRUE));
1385 if (status != SUCCESS)
1386 {
1387
1388 if (is_request)
1389 {
1390 switch (status)
1391 {
1392 case NOT_SUPPORTED:
1393 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1394 if (is_request)
1395 {
1396 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1397 }
1398 break;
1399 case PARSE_ERROR:
1400 DBG1(DBG_IKE, "message parsing failed");
1401 if (is_request)
1402 {
1403 send_notify_response(this, message, INVALID_SYNTAX);
1404 }
1405 break;
1406 case VERIFY_ERROR:
1407 DBG1(DBG_IKE, "message verification failed");
1408 if (is_request)
1409 {
1410 send_notify_response(this, message, INVALID_SYNTAX);
1411 }
1412 break;
1413 case FAILED:
1414 DBG1(DBG_IKE, "integrity check failed");
1415 /* ignored */
1416 break;
1417 case INVALID_STATE:
1418 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1419 if (is_request)
1420 {
1421 send_notify_response(this, message, INVALID_SYNTAX);
1422 }
1423 default:
1424 break;
1425 }
1426 }
1427 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1428 exchange_type_names, message->get_exchange_type(message),
1429 message->get_request(message) ? "request" : "response",
1430 message->get_message_id(message));
1431 return status;
1432 }
1433 else
1434 {
1435 host_t *me, *other;
1436 private_ike_sa_t *new;
1437 iterator_t *iterator;
1438 child_sa_t *child;
1439 bool has_routed = FALSE;
1440
1441 me = message->get_destination(message);
1442 other = message->get_source(message);
1443
1444 /* if this IKE_SA is virgin, we check for a config */
1445 if (this->ike_cfg == NULL)
1446 {
1447 job_t *job;
1448 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1449 me, other);
1450 if (this->ike_cfg == NULL)
1451 {
1452 /* no config found for these hosts, destroy */
1453 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1454 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1455 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1456 return DESTROY_ME;
1457 }
1458 /* add a timeout if peer does not establish it completely */
1459 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1460 charon->scheduler->schedule_job(charon->scheduler, job,
1461 HALF_OPEN_IKE_SA_TIMEOUT);
1462 }
1463 this->stats[STAT_INBOUND] = time(NULL);
1464 /* check if message is trustworthy, and update host information */
1465 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1466 message->get_exchange_type(message) != IKE_SA_INIT)
1467 {
1468 if (!supports_extension(this, EXT_MOBIKE))
1469 { /* with MOBIKE, we do no implicit updates */
1470 update_hosts(this, me, other);
1471 }
1472 }
1473 status = this->task_manager->process_message(this->task_manager, message);
1474 if (status != DESTROY_ME)
1475 {
1476 return status;
1477 }
1478 /* if IKE_SA gets closed for any reasons, reroute routed children */
1479 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1480 while (iterator->iterate(iterator, (void**)&child))
1481 {
1482 if (child->get_state(child) == CHILD_ROUTED)
1483 {
1484 has_routed = TRUE;
1485 break;
1486 }
1487 }
1488 iterator->destroy(iterator);
1489 if (!has_routed)
1490 {
1491 return status;
1492 }
1493 /* move routed children to a new IKE_SA, apply connection info */
1494 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1495 charon->ike_sa_manager, TRUE);
1496 set_peer_cfg(new, this->peer_cfg);
1497 new->other_host->destroy(new->other_host);
1498 new->other_host = this->other_host->clone(this->other_host);
1499 if (!has_condition(this, COND_NAT_THERE))
1500 {
1501 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1502 }
1503 if (this->my_virtual_ip)
1504 {
1505 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1506 }
1507 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1508 while (iterator->iterate(iterator, (void**)&child))
1509 {
1510 if (child->get_state(child) == CHILD_ROUTED)
1511 {
1512 route(new, child->get_config(child));
1513 }
1514 }
1515 iterator->destroy(iterator);
1516 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1517 return status;
1518 }
1519 }
1520
1521 /**
1522 * Implementation of ike_sa_t.get_id.
1523 */
1524 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1525 {
1526 return this->ike_sa_id;
1527 }
1528
1529 /**
1530 * Implementation of ike_sa_t.get_my_id.
1531 */
1532 static identification_t* get_my_id(private_ike_sa_t *this)
1533 {
1534 return this->my_id;
1535 }
1536
1537 /**
1538 * Implementation of ike_sa_t.set_my_id.
1539 */
1540 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1541 {
1542 DESTROY_IF(this->my_id);
1543 this->my_id = me;
1544 }
1545
1546 /**
1547 * Implementation of ike_sa_t.get_other_id.
1548 */
1549 static identification_t* get_other_id(private_ike_sa_t *this)
1550 {
1551 return this->other_id;
1552 }
1553
1554 /**
1555 * Implementation of ike_sa_t.set_other_id.
1556 */
1557 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1558 {
1559 DESTROY_IF(this->other_id);
1560 this->other_id = other;
1561 }
1562
1563 /**
1564 * Implementation of ike_sa_t.get_eap_identity.
1565 */
1566 static identification_t* get_eap_identity(private_ike_sa_t *this)
1567 {
1568 return this->eap_identity;
1569 }
1570
1571 /**
1572 * Implementation of ike_sa_t.set_eap_identity.
1573 */
1574 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1575 {
1576 DESTROY_IF(this->eap_identity);
1577 this->eap_identity = id;
1578 }
1579
1580 /**
1581 * Implementation of ike_sa_t.add_child_sa.
1582 */
1583 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1584 {
1585 this->child_sas->insert_last(this->child_sas, child_sa);
1586 }
1587
1588 /**
1589 * Implementation of ike_sa_t.get_child_sa.
1590 */
1591 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1592 u_int32_t spi, bool inbound)
1593 {
1594 iterator_t *iterator;
1595 child_sa_t *current, *found = NULL;
1596
1597 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1598 while (iterator->iterate(iterator, (void**)&current))
1599 {
1600 if (current->get_spi(current, inbound) == spi &&
1601 current->get_protocol(current) == protocol)
1602 {
1603 found = current;
1604 }
1605 }
1606 iterator->destroy(iterator);
1607 return found;
1608 }
1609
1610 /**
1611 * Implementation of ike_sa_t.create_child_sa_iterator.
1612 */
1613 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1614 {
1615 return this->child_sas->create_iterator(this->child_sas, TRUE);
1616 }
1617
1618 /**
1619 * Implementation of ike_sa_t.rekey_child_sa.
1620 */
1621 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1622 {
1623 child_sa_t *child_sa;
1624 child_rekey_t *child_rekey;
1625
1626 child_sa = get_child_sa(this, protocol, spi, TRUE);
1627 if (child_sa)
1628 {
1629 child_rekey = child_rekey_create(&this->public, child_sa);
1630 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1631 return this->task_manager->initiate(this->task_manager);
1632 }
1633 return FAILED;
1634 }
1635
1636 /**
1637 * Implementation of ike_sa_t.delete_child_sa.
1638 */
1639 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1640 {
1641 child_sa_t *child_sa;
1642 child_delete_t *child_delete;
1643
1644 child_sa = get_child_sa(this, protocol, spi, TRUE);
1645 if (child_sa)
1646 {
1647 child_delete = child_delete_create(&this->public, child_sa);
1648 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1649 return this->task_manager->initiate(this->task_manager);
1650 }
1651 return FAILED;
1652 }
1653
1654 /**
1655 * Implementation of ike_sa_t.destroy_child_sa.
1656 */
1657 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1658 u_int32_t spi)
1659 {
1660 iterator_t *iterator;
1661 child_sa_t *child_sa;
1662 status_t status = NOT_FOUND;
1663
1664 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1665 while (iterator->iterate(iterator, (void**)&child_sa))
1666 {
1667 if (child_sa->get_protocol(child_sa) == protocol &&
1668 child_sa->get_spi(child_sa, TRUE) == spi)
1669 {
1670 child_sa->destroy(child_sa);
1671 iterator->remove(iterator);
1672 status = SUCCESS;
1673 break;
1674 }
1675 }
1676 iterator->destroy(iterator);
1677 return status;
1678 }
1679
1680 /**
1681 * Implementation of public_ike_sa_t.delete.
1682 */
1683 static status_t delete_(private_ike_sa_t *this)
1684 {
1685 ike_delete_t *ike_delete;
1686
1687 switch (this->state)
1688 {
1689 case IKE_ESTABLISHED:
1690 case IKE_REKEYING:
1691 ike_delete = ike_delete_create(&this->public, TRUE);
1692 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1693 return this->task_manager->initiate(this->task_manager);
1694 case IKE_CREATED:
1695 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1696 break;
1697 default:
1698 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1699 "without notification", ike_sa_state_names, this->state);
1700 break;
1701 }
1702 return DESTROY_ME;
1703 }
1704
1705 /**
1706 * Implementation of ike_sa_t.rekey.
1707 */
1708 static status_t rekey(private_ike_sa_t *this)
1709 {
1710 ike_rekey_t *ike_rekey;
1711
1712 ike_rekey = ike_rekey_create(&this->public, TRUE);
1713
1714 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1715 return this->task_manager->initiate(this->task_manager);
1716 }
1717
1718 /**
1719 * Implementation of ike_sa_t.reauth
1720 */
1721 static status_t reauth(private_ike_sa_t *this)
1722 {
1723 task_t *task;
1724
1725 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1726 * If the peer does not support RFC4478, there is no way to keep the
1727 * IKE_SA up. */
1728 if (!this->ike_initiator)
1729 {
1730 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1731 if (this->other_virtual_ip != NULL ||
1732 has_condition(this, COND_EAP_AUTHENTICATED)
1733 #ifdef ME
1734 /* if we are mediation server we too cannot reauth the IKE_SA */
1735 || this->is_mediation_server
1736 #endif /* ME */
1737 )
1738 {
1739 time_t now = time(NULL);
1740
1741 DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
1742 &now, &this->stats[STAT_DELETE]);
1743 return FAILED;
1744 }
1745 else
1746 {
1747 DBG1(DBG_IKE, "reauthenticating actively");
1748 }
1749 }
1750 task = (task_t*)ike_reauth_create(&this->public);
1751 this->task_manager->queue_task(this->task_manager, task);
1752
1753 return this->task_manager->initiate(this->task_manager);
1754 }
1755
1756 /**
1757 * Implementation of ike_sa_t.reestablish
1758 */
1759 static status_t reestablish(private_ike_sa_t *this)
1760 {
1761 ike_sa_t *new;
1762 host_t *host;
1763 action_t action;
1764 iterator_t *iterator;
1765 child_sa_t *child_sa;
1766 child_cfg_t *child_cfg;
1767 bool required = FALSE;
1768 status_t status = FAILED;
1769
1770 /* check if we have children to keep up at all*/
1771 iterator = create_child_sa_iterator(this);
1772 while (iterator->iterate(iterator, (void**)&child_sa))
1773 {
1774 child_cfg = child_sa->get_config(child_sa);
1775 if (this->state == IKE_DELETING)
1776 {
1777 action = child_cfg->get_close_action(child_cfg);
1778 }
1779 else
1780 {
1781 action = child_cfg->get_dpd_action(child_cfg);
1782 }
1783 switch (action)
1784 {
1785 case ACTION_RESTART:
1786 case ACTION_ROUTE:
1787 required = TRUE;
1788 default:
1789 break;
1790 }
1791 }
1792 iterator->destroy(iterator);
1793 #ifdef ME
1794 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
1795 if (this->peer_cfg->is_mediation(this->peer_cfg))
1796 {
1797 required = TRUE;
1798 }
1799 #endif /* ME */
1800 if (!required)
1801 {
1802 return FAILED;
1803 }
1804
1805 /* check if we are able to reestablish this IKE_SA */
1806 if (!this->ike_initiator &&
1807 (this->other_virtual_ip != NULL ||
1808 has_condition(this, COND_EAP_AUTHENTICATED)
1809 #ifdef ME
1810 || this->is_mediation_server
1811 #endif /* ME */
1812 ))
1813 {
1814 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
1815 return FAILED;
1816 }
1817
1818 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1819 new->set_peer_cfg(new, this->peer_cfg);
1820 host = this->other_host;
1821 new->set_other_host(new, host->clone(host));
1822 host = this->my_host;
1823 new->set_my_host(new, host->clone(host));
1824 /* if we already have a virtual IP, we reuse it */
1825 host = this->my_virtual_ip;
1826 if (host)
1827 {
1828 new->set_virtual_ip(new, TRUE, host);
1829 }
1830
1831 #ifdef ME
1832 if (this->peer_cfg->is_mediation(this->peer_cfg))
1833 {
1834 status = new->initiate(new, NULL);
1835 }
1836 else
1837 #endif /* ME */
1838 {
1839 iterator = create_child_sa_iterator(this);
1840 while (iterator->iterate(iterator, (void**)&child_sa))
1841 {
1842 child_cfg = child_sa->get_config(child_sa);
1843 if (this->state == IKE_DELETING)
1844 {
1845 action = child_cfg->get_close_action(child_cfg);
1846 }
1847 else
1848 {
1849 action = child_cfg->get_dpd_action(child_cfg);
1850 }
1851 switch (action)
1852 {
1853 case ACTION_RESTART:
1854 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1855 child_cfg->get_name(child_cfg));
1856 child_cfg->get_ref(child_cfg);
1857 status = new->initiate(new, child_cfg);
1858 break;
1859 case ACTION_ROUTE:
1860 status = new->route(new, child_cfg);
1861 break;
1862 default:
1863 continue;
1864 }
1865 if (status == DESTROY_ME)
1866 {
1867 break;
1868 }
1869 }
1870 iterator->destroy(iterator);
1871 }
1872
1873 if (status == DESTROY_ME)
1874 {
1875 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1876 return FAILED;
1877 }
1878 else
1879 {
1880 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1881 return SUCCESS;
1882 }
1883 }
1884
1885 /**
1886 * Implementation of ike_sa_t.retransmit.
1887 */
1888 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1889 {
1890 this->stats[STAT_OUTBOUND] = time(NULL);
1891 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1892 {
1893 /* send a proper signal to brief interested bus listeners */
1894 switch (this->state)
1895 {
1896 case IKE_CONNECTING:
1897 {
1898 /* retry IKE_SA_INIT if we have multiple keyingtries */
1899 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1900 this->keyingtry++;
1901 if (tries == 0 || tries > this->keyingtry)
1902 {
1903 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1904 this->keyingtry + 1, tries);
1905 reset(this);
1906 return this->task_manager->initiate(this->task_manager);
1907 }
1908 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1909 break;
1910 }
1911 case IKE_DELETING:
1912 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1913 break;
1914 case IKE_REKEYING:
1915 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1916 /* FALL */
1917 default:
1918 reestablish(this);
1919 break;
1920 }
1921 return DESTROY_ME;
1922 }
1923 return SUCCESS;
1924 }
1925
1926 /**
1927 * Implementation of ike_sa_t.set_auth_lifetime.
1928 */
1929 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1930 {
1931 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1932 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
1933
1934 if (lifetime < reduction)
1935 {
1936 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1937 lifetime);
1938 charon->processor->queue_job(charon->processor,
1939 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1940 }
1941 else if (this->stats[STAT_REAUTH] == 0 ||
1942 this->stats[STAT_REAUTH] > reauth_time)
1943 {
1944 this->stats[STAT_REAUTH] = reauth_time;
1945 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1946 " in %ds", lifetime, lifetime - reduction);
1947 charon->scheduler->schedule_job(charon->scheduler,
1948 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1949 (lifetime - reduction) * 1000);
1950 }
1951 else
1952 {
1953 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
1954 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
1955 }
1956 }
1957
1958 /**
1959 * Implementation of ike_sa_t.roam.
1960 */
1961 static status_t roam(private_ike_sa_t *this, bool address)
1962 {
1963 host_t *src;
1964 ike_mobike_t *mobike;
1965
1966 switch (this->state)
1967 {
1968 case IKE_CREATED:
1969 case IKE_DELETING:
1970 return SUCCESS;
1971 default:
1972 break;
1973 }
1974 /* responder just updates the peer about changed address config */
1975 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
1976 {
1977 if (supports_extension(this, EXT_MOBIKE) && address)
1978 {
1979 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1980 mobike = ike_mobike_create(&this->public, TRUE);
1981 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1982 return this->task_manager->initiate(this->task_manager);
1983 }
1984 return SUCCESS;
1985 }
1986
1987 /* keep existing path if possible */
1988 src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
1989 this->other_host, this->my_host);
1990 if (src)
1991 {
1992 if (src->ip_equals(src, this->my_host))
1993 {
1994 DBG2(DBG_IKE, "keeping connection path %H - %H",
1995 src, this->other_host);
1996 src->destroy(src);
1997 return SUCCESS;
1998 }
1999 src->destroy(src);
2000 }
2001
2002 /* update addresses with mobike, if supported ... */
2003 if (supports_extension(this, EXT_MOBIKE))
2004 {
2005 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2006 mobike = ike_mobike_create(&this->public, TRUE);
2007 mobike->roam(mobike, address);
2008 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2009 return this->task_manager->initiate(this->task_manager);
2010 }
2011 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2012 /* ... reauth if not */
2013 return reauth(this);
2014 }
2015
2016 /**
2017 * Implementation of ike_sa_t.inherit.
2018 */
2019 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2020 {
2021 child_sa_t *child_sa;
2022 host_t *ip;
2023
2024 /* apply hosts and ids */
2025 this->my_host->destroy(this->my_host);
2026 this->other_host->destroy(this->other_host);
2027 this->my_id->destroy(this->my_id);
2028 this->other_id->destroy(this->other_id);
2029 this->my_host = other->my_host->clone(other->my_host);
2030 this->other_host = other->other_host->clone(other->other_host);
2031 this->my_id = other->my_id->clone(other->my_id);
2032 this->other_id = other->other_id->clone(other->other_id);
2033 this->ike_initiator = other->ike_initiator;
2034
2035 /* apply virtual assigned IPs... */
2036 if (other->my_virtual_ip)
2037 {
2038 this->my_virtual_ip = other->my_virtual_ip;
2039 other->my_virtual_ip = NULL;
2040 }
2041 if (other->other_virtual_ip)
2042 {
2043 this->other_virtual_ip = other->other_virtual_ip;
2044 other->other_virtual_ip = NULL;
2045 }
2046
2047 /* ... and DNS servers */
2048 while (other->dns_servers->remove_last(other->dns_servers,
2049 (void**)&ip) == SUCCESS)
2050 {
2051 this->dns_servers->insert_first(this->dns_servers, ip);
2052 }
2053
2054 /* inherit NAT-T conditions */
2055 this->conditions = other->conditions;
2056 if (this->conditions & COND_NAT_HERE)
2057 {
2058 send_keepalive(this);
2059 }
2060
2061 #ifdef ME
2062 if (other->is_mediation_server)
2063 {
2064 act_as_mediation_server(this);
2065 }
2066 else if (other->server_reflexive_host)
2067 {
2068 this->server_reflexive_host = other->server_reflexive_host->clone(
2069 other->server_reflexive_host);
2070 }
2071 #endif /* ME */
2072
2073 /* adopt all children */
2074 while (other->child_sas->remove_last(other->child_sas,
2075 (void**)&child_sa) == SUCCESS)
2076 {
2077 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2078 }
2079
2080 /* move pending tasks to the new IKE_SA */
2081 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2082
2083 /* reauthentication timeout survives a rekeying */
2084 if (other->stats[STAT_REAUTH])
2085 {
2086 time_t reauth, delete, now = time(NULL);
2087
2088 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2089 reauth = this->stats[STAT_REAUTH] - now;
2090 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2091 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2092 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2093 "lifetime reduced to %ds", reauth, delete);
2094 charon->scheduler->schedule_job(charon->scheduler,
2095 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2096 reauth * 1000);
2097 charon->scheduler->schedule_job(charon->scheduler,
2098 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2099 delete * 1000);
2100 }
2101 /* we have to initate here, there may be new tasks to handle */
2102 return this->task_manager->initiate(this->task_manager);
2103 }
2104
2105 /**
2106 * Implementation of ike_sa_t.remove_dns_server
2107 */
2108 static void remove_dns_servers(private_ike_sa_t *this)
2109 {
2110 FILE *file;
2111 struct stat stats;
2112 chunk_t contents, line, orig_line, token;
2113 char string[INET6_ADDRSTRLEN];
2114 host_t *ip;
2115 iterator_t *iterator;
2116
2117 if (this->dns_servers->get_count(this->dns_servers) == 0)
2118 {
2119 /* don't touch anything if we have no nameservers installed */
2120 return;
2121 }
2122
2123 file = fopen(RESOLV_CONF, "r");
2124 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2125 {
2126 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2127 RESOLV_CONF, strerror(errno));
2128 return;
2129 }
2130
2131 contents = chunk_alloca((size_t)stats.st_size);
2132
2133 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2134 {
2135 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2136 fclose(file);
2137 return;
2138 }
2139
2140 fclose(file);
2141 file = fopen(RESOLV_CONF, "w");
2142 if (file == NULL)
2143 {
2144 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2145 RESOLV_CONF, strerror(errno));
2146 return;
2147 }
2148
2149 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2150 while (fetchline(&contents, &line))
2151 {
2152 bool found = FALSE;
2153 orig_line = line;
2154 if (extract_token(&token, ' ', &line) &&
2155 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2156 {
2157 if (!extract_token(&token, ' ', &line))
2158 {
2159 token = line;
2160 }
2161 iterator->reset(iterator);
2162 while (iterator->iterate(iterator, (void**)&ip))
2163 {
2164 snprintf(string, sizeof(string), "%H", ip);
2165 if (strlen(string) == token.len &&
2166 strncmp(token.ptr, string, token.len) == 0)
2167 {
2168 iterator->remove(iterator);
2169 ip->destroy(ip);
2170 found = TRUE;
2171 break;
2172 }
2173 }
2174 }
2175
2176 if (!found)
2177 {
2178 /* write line untouched back to file */
2179 fwrite(orig_line.ptr, orig_line.len, 1, file);
2180 fprintf(file, "\n");
2181 }
2182 }
2183 iterator->destroy(iterator);
2184 fclose(file);
2185 }
2186
2187 /**
2188 * Implementation of ike_sa_t.add_dns_server
2189 */
2190 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2191 {
2192 FILE *file;
2193 struct stat stats;
2194 chunk_t contents;
2195
2196 DBG1(DBG_IKE, "installing DNS server %H", dns);
2197
2198 file = fopen(RESOLV_CONF, "a+");
2199 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2200 {
2201 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2202 RESOLV_CONF, strerror(errno));
2203 return;
2204 }
2205
2206 contents = chunk_alloca(stats.st_size);
2207
2208 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2209 {
2210 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2211 fclose(file);
2212 return;
2213 }
2214
2215 fclose(file);
2216 file = fopen(RESOLV_CONF, "w");
2217 if (file == NULL)
2218 {
2219 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2220 RESOLV_CONF, strerror(errno));
2221 return;
2222 }
2223
2224 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2225 dns, this->other_id) < 0)
2226 {
2227 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2228 }
2229 else
2230 {
2231 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2232 }
2233 fwrite(contents.ptr, contents.len, 1, file);
2234
2235 fclose(file);
2236 }
2237
2238 /**
2239 * Implementation of ike_sa_t.destroy.
2240 */
2241 static void destroy(private_ike_sa_t *this)
2242 {
2243 set_state(this, IKE_DESTROYING);
2244
2245 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2246
2247 /* unset SA after here to avoid usage by the listeners */
2248 charon->bus->set_sa(charon->bus, NULL);
2249
2250 this->task_manager->destroy(this->task_manager);
2251 this->keymat->destroy(this->keymat);
2252
2253 if (this->my_virtual_ip)
2254 {
2255 charon->kernel_interface->del_ip(charon->kernel_interface,
2256 this->my_virtual_ip);
2257 this->my_virtual_ip->destroy(this->my_virtual_ip);
2258 }
2259 if (this->other_virtual_ip)
2260 {
2261 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2262 {
2263 charon->attributes->release_address(charon->attributes,
2264 this->peer_cfg->get_pool(this->peer_cfg),
2265 this->other_virtual_ip);
2266 }
2267 this->other_virtual_ip->destroy(this->other_virtual_ip);
2268 }
2269
2270 remove_dns_servers(this);
2271 this->dns_servers->destroy_offset(this->dns_servers,
2272 offsetof(host_t, destroy));
2273 this->additional_addresses->destroy_offset(this->additional_addresses,
2274 offsetof(host_t, destroy));
2275 #ifdef ME
2276 if (this->is_mediation_server)
2277 {
2278 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2279 }
2280 DESTROY_IF(this->server_reflexive_host);
2281 chunk_free(&this->connect_id);
2282 #endif /* ME */
2283 free(this->nat_detection_dest.ptr);
2284
2285 DESTROY_IF(this->my_host);
2286 DESTROY_IF(this->other_host);
2287 DESTROY_IF(this->my_id);
2288 DESTROY_IF(this->other_id);
2289 DESTROY_IF(this->local_host);
2290 DESTROY_IF(this->remote_host);
2291 DESTROY_IF(this->eap_identity);
2292
2293 DESTROY_IF(this->ike_cfg);
2294 DESTROY_IF(this->peer_cfg);
2295 DESTROY_IF(this->my_auth);
2296 DESTROY_IF(this->other_auth);
2297 DESTROY_IF(this->proposal);
2298
2299 this->ike_sa_id->destroy(this->ike_sa_id);
2300 free(this);
2301 }
2302
2303 /*
2304 * Described in header.
2305 */
2306 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2307 {
2308 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2309 static u_int32_t unique_id = 0;
2310
2311 /* Public functions */
2312 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2313 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2314 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2315 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2316 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2317 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2318 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2319 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2320 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2321 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2322 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2323 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2324 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2325 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2326 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2327 this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
2328 this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
2329 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2330 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2331 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2332 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2333 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2334 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2335 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2336 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2337 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2338 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2339 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2340 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2341 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2342 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2343 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2344 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2345 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2346 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2347 this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
2348 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2349 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2350 this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
2351 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2352 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2353 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2354 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2355 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2356 this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
2357 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2358 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2359 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2360 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2361 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2362 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2363 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2364 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2365 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2366 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2367 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2368 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2369 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2370 this->public.reset = (void (*)(ike_sa_t*))reset;
2371 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2372 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2373 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2374 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2375 this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
2376 #ifdef ME
2377 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2378 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2379 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2380 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2381 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2382 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2383 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2384 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2385 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2386 #endif /* ME */
2387
2388 /* initialize private fields */
2389 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2390 this->child_sas = linked_list_create();
2391 this->my_host = host_create_any(AF_INET);
2392 this->other_host = host_create_any(AF_INET);
2393 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2394 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2395 this->eap_identity = NULL;
2396 this->extensions = 0;
2397 this->conditions = 0;
2398 this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
2399 this->state = IKE_CREATED;
2400 this->keepalive_interval = lib->settings->get_time(lib->settings,
2401 "charon.keep_alive", KEEPALIVE_INTERVAL);
2402 memset(this->stats, 0, sizeof(this->stats));
2403 this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
2404 this->ike_cfg = NULL;
2405 this->peer_cfg = NULL;
2406 this->my_auth = auth_info_create();
2407 this->other_auth = auth_info_create();
2408 this->proposal = NULL;
2409 this->task_manager = task_manager_create(&this->public);
2410 this->unique_id = ++unique_id;
2411 this->my_virtual_ip = NULL;
2412 this->other_virtual_ip = NULL;
2413 this->dns_servers = linked_list_create();
2414 this->additional_addresses = linked_list_create();
2415 this->nat_detection_dest = chunk_empty;
2416 this->pending_updates = 0;
2417 this->keyingtry = 0;
2418 this->ike_initiator = FALSE;
2419 this->local_host = NULL;
2420 this->remote_host = NULL;
2421 #ifdef ME
2422 this->is_mediation_server = FALSE;
2423 this->server_reflexive_host = NULL;
2424 this->connect_id = chunk_empty;
2425 #endif /* ME */
2426
2427 return &this->public;
2428 }