20bbd06afe3fc9a83d0e06d2dcf74bc321d63f4e
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26
27 #include "ike_sa.h"
28
29 #include <library.h>
30 #include <daemon.h>
31 #include <utils/linked_list.h>
32 #include <utils/lexparser.h>
33 #include <crypto/diffie_hellman.h>
34 #include <crypto/prf_plus.h>
35 #include <crypto/crypters/crypter.h>
36 #include <crypto/hashers/hasher.h>
37 #include <encoding/payloads/sa_payload.h>
38 #include <encoding/payloads/nonce_payload.h>
39 #include <encoding/payloads/ke_payload.h>
40 #include <encoding/payloads/delete_payload.h>
41 #include <encoding/payloads/transform_substructure.h>
42 #include <encoding/payloads/transform_attribute.h>
43 #include <encoding/payloads/ts_payload.h>
44 #include <sa/task_manager.h>
45 #include <sa/tasks/ike_init.h>
46 #include <sa/tasks/ike_natd.h>
47 #include <sa/tasks/ike_mobike.h>
48 #include <sa/tasks/ike_auth.h>
49 #include <sa/tasks/ike_auth_lifetime.h>
50 #include <sa/tasks/ike_config.h>
51 #include <sa/tasks/ike_cert_pre.h>
52 #include <sa/tasks/ike_cert_post.h>
53 #include <sa/tasks/ike_rekey.h>
54 #include <sa/tasks/ike_reauth.h>
55 #include <sa/tasks/ike_delete.h>
56 #include <sa/tasks/ike_dpd.h>
57 #include <sa/tasks/child_create.h>
58 #include <sa/tasks/child_delete.h>
59 #include <sa/tasks/child_rekey.h>
60 #include <processing/jobs/retransmit_job.h>
61 #include <processing/jobs/delete_ike_sa_job.h>
62 #include <processing/jobs/send_dpd_job.h>
63 #include <processing/jobs/send_keepalive_job.h>
64 #include <processing/jobs/rekey_ike_sa_job.h>
65
66 #ifdef ME
67 #include <sa/tasks/ike_me.h>
68 #include <processing/jobs/initiate_mediation_job.h>
69 #endif
70
71 #ifndef RESOLV_CONF
72 #define RESOLV_CONF "/etc/resolv.conf"
73 #endif
74
75 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
76 "CREATED",
77 "CONNECTING",
78 "ESTABLISHED",
79 "REKEYING",
80 "DELETING",
81 );
82
83 typedef struct private_ike_sa_t private_ike_sa_t;
84
85 /**
86 * Private data of an ike_sa_t object.
87 */
88 struct private_ike_sa_t {
89
90 /**
91 * Public members
92 */
93 ike_sa_t public;
94
95 /**
96 * Identifier for the current IKE_SA.
97 */
98 ike_sa_id_t *ike_sa_id;
99
100 /**
101 * unique numerical ID for this IKE_SA.
102 */
103 u_int32_t unique_id;
104
105 /**
106 * Current state of the IKE_SA
107 */
108 ike_sa_state_t state;
109
110 /**
111 * IKE configuration used to set up this IKE_SA
112 */
113 ike_cfg_t *ike_cfg;
114
115 /**
116 * Peer and authentication information to establish IKE_SA.
117 */
118 peer_cfg_t *peer_cfg;
119
120 /**
121 * associated authentication/authorization info for local peer
122 */
123 auth_info_t *my_auth;
124
125 /**
126 * associated authentication/authorization info for remote peer
127 */
128 auth_info_t *other_auth;
129
130 /**
131 * Juggles tasks to process messages
132 */
133 task_manager_t *task_manager;
134
135 /**
136 * Address of local host
137 */
138 host_t *my_host;
139
140 /**
141 * Address of remote host
142 */
143 host_t *other_host;
144
145 #ifdef ME
146 /**
147 * Server reflexive host
148 */
149 host_t *server_reflexive_host;
150
151 /**
152 * Connect ID
153 */
154 chunk_t connect_id;
155 #endif /* ME */
156
157 /**
158 * Identification used for us
159 */
160 identification_t *my_id;
161
162 /**
163 * Identification used for other
164 */
165 identification_t *other_id;
166
167 /**
168 * set of extensions the peer supports
169 */
170 ike_extension_t extensions;
171
172 /**
173 * set of condition flags currently enabled for this IKE_SA
174 */
175 ike_condition_t conditions;
176
177 /**
178 * Linked List containing the child sa's of the current IKE_SA.
179 */
180 linked_list_t *child_sas;
181
182 /**
183 * crypter for inbound traffic
184 */
185 crypter_t *crypter_in;
186
187 /**
188 * crypter for outbound traffic
189 */
190 crypter_t *crypter_out;
191
192 /**
193 * Signer for inbound traffic
194 */
195 signer_t *signer_in;
196
197 /**
198 * Signer for outbound traffic
199 */
200 signer_t *signer_out;
201
202 /**
203 * Multi purpose prf, set key, use it, forget it
204 */
205 prf_t *prf;
206
207 /**
208 * Prf function for derivating keymat child SAs
209 */
210 prf_t *child_prf;
211
212 /**
213 * Key to build outging authentication data (SKp)
214 */
215 chunk_t skp_build;
216
217 /**
218 * Key to verify incoming authentication data (SKp)
219 */
220 chunk_t skp_verify;
221
222 /**
223 * Virtual IP on local host, if any
224 */
225 host_t *my_virtual_ip;
226
227 /**
228 * Virtual IP on remote host, if any
229 */
230 host_t *other_virtual_ip;
231
232 /**
233 * List of DNS servers installed by us
234 */
235 linked_list_t *dns_servers;
236
237 /**
238 * list of peers additional addresses, transmitted via MOBIKE
239 */
240 linked_list_t *additional_addresses;
241
242 /**
243 * number pending UPDATE_SA_ADDRESS (MOBIKE)
244 */
245 u_int32_t pending_updates;
246
247 /**
248 * Timestamps for this IKE_SA
249 */
250 struct {
251 /** last IKE message received */
252 u_int32_t inbound;
253 /** last IKE message sent */
254 u_int32_t outbound;
255 /** when IKE_SA became established */
256 u_int32_t established;
257 /** when IKE_SA gets rekeyed */
258 u_int32_t rekey;
259 /** when IKE_SA gets reauthenticated */
260 u_int32_t reauth;
261 /** when IKE_SA gets deleted */
262 u_int32_t delete;
263 } time;
264
265 /**
266 * how many times we have retried so far (keyingtries)
267 */
268 u_int32_t keyingtry;
269
270 /**
271 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
272 */
273 bool ike_initiator;
274 };
275
276 /**
277 * get the time of the latest traffic processed by the kernel
278 */
279 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
280 {
281 iterator_t *iterator;
282 child_sa_t *child_sa;
283 time_t latest = 0, use_time;
284
285 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
286 while (iterator->iterate(iterator, (void**)&child_sa))
287 {
288 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
289 {
290 latest = max(latest, use_time);
291 }
292 }
293 iterator->destroy(iterator);
294
295 if (inbound)
296 {
297 return max(this->time.inbound, latest);
298 }
299 else
300 {
301 return max(this->time.outbound, latest);
302 }
303 }
304
305 /**
306 * Implementation of ike_sa_t.get_unique_id
307 */
308 static u_int32_t get_unique_id(private_ike_sa_t *this)
309 {
310 return this->unique_id;
311 }
312
313 /**
314 * Implementation of ike_sa_t.get_name.
315 */
316 static char *get_name(private_ike_sa_t *this)
317 {
318 if (this->peer_cfg)
319 {
320 return this->peer_cfg->get_name(this->peer_cfg);
321 }
322 return "(unnamed)";
323 }
324
325 /**
326 * Implementation of ike_sa_t.get_statistic.
327 */
328 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
329 {
330 time_t now = time(NULL);
331
332 switch (kind)
333 {
334 case STAT_REKEY_TIME:
335 if (this->time.rekey > now)
336 {
337 return this->time.rekey - now;
338 }
339 break;
340 case STAT_REAUTH_TIME:
341 if (this->time.reauth > now)
342 {
343 return this->time.reauth - now;
344 }
345 break;
346 default:
347 break;
348 }
349 return 0;
350 }
351
352 /**
353 * Implementation of ike_sa_t.get_my_host.
354 */
355 static host_t *get_my_host(private_ike_sa_t *this)
356 {
357 return this->my_host;
358 }
359
360 /**
361 * Implementation of ike_sa_t.set_my_host.
362 */
363 static void set_my_host(private_ike_sa_t *this, host_t *me)
364 {
365 DESTROY_IF(this->my_host);
366 this->my_host = me;
367 }
368
369 /**
370 * Implementation of ike_sa_t.get_other_host.
371 */
372 static host_t *get_other_host(private_ike_sa_t *this)
373 {
374 return this->other_host;
375 }
376
377 /**
378 * Implementation of ike_sa_t.set_other_host.
379 */
380 static void set_other_host(private_ike_sa_t *this, host_t *other)
381 {
382 DESTROY_IF(this->other_host);
383 this->other_host = other;
384 }
385
386 /**
387 * Implementation of ike_sa_t.get_peer_cfg
388 */
389 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
390 {
391 return this->peer_cfg;
392 }
393
394 /**
395 * Implementation of ike_sa_t.set_peer_cfg
396 */
397 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
398 {
399 DESTROY_IF(this->peer_cfg);
400 peer_cfg->get_ref(peer_cfg);
401 this->peer_cfg = peer_cfg;
402
403 if (this->ike_cfg == NULL)
404 {
405 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
406 this->ike_cfg->get_ref(this->ike_cfg);
407 }
408
409 /* apply values, so we are ready to initate/acquire */
410 if (this->my_host->is_anyaddr(this->my_host))
411 {
412 host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
413 set_my_host(this, me->clone(me));
414 }
415 if (this->other_host->is_anyaddr(this->other_host))
416 {
417 host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
418 set_other_host(this, other->clone(other));
419 }
420 /* apply IDs if they are not already set */
421 if (this->my_id->contains_wildcards(this->my_id))
422 {
423 DESTROY_IF(this->my_id);
424 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
425 this->my_id = this->my_id->clone(this->my_id);
426 }
427 if (this->other_id->contains_wildcards(this->other_id))
428 {
429 DESTROY_IF(this->other_id);
430 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
431 this->other_id = this->other_id->clone(this->other_id);
432 }
433 }
434
435 /**
436 * Implementation of ike_sa_t.get_my_auth.
437 */
438 static auth_info_t* get_my_auth(private_ike_sa_t *this)
439 {
440 return this->my_auth;
441 }
442
443 /**
444 * Implementation of ike_sa_t.get_other_auth.
445 */
446 static auth_info_t* get_other_auth(private_ike_sa_t *this)
447 {
448 return this->other_auth;
449 }
450
451 /**
452 * Implementation of ike_sa_t.send_keepalive
453 */
454 static void send_keepalive(private_ike_sa_t *this)
455 {
456 send_keepalive_job_t *job;
457 time_t last_out, now, diff;
458
459 if (!(this->conditions & COND_NAT_HERE))
460 { /* disable keep alives if we are not NATed anymore */
461 return;
462 }
463
464 last_out = get_use_time(this, FALSE);
465 now = time(NULL);
466
467 diff = now - last_out;
468
469 if (diff >= KEEPALIVE_INTERVAL)
470 {
471 packet_t *packet;
472 chunk_t data;
473
474 packet = packet_create();
475 packet->set_source(packet, this->my_host->clone(this->my_host));
476 packet->set_destination(packet, this->other_host->clone(this->other_host));
477 data.ptr = malloc(1);
478 data.ptr[0] = 0xFF;
479 data.len = 1;
480 packet->set_data(packet, data);
481 DBG1(DBG_IKE, "sending keep alive");
482 charon->sender->send(charon->sender, packet);
483 diff = 0;
484 }
485 job = send_keepalive_job_create(this->ike_sa_id);
486 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
487 (KEEPALIVE_INTERVAL - diff) * 1000);
488 }
489
490 /**
491 * Implementation of ike_sa_t.get_ike_cfg
492 */
493 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
494 {
495 return this->ike_cfg;
496 }
497
498 /**
499 * Implementation of ike_sa_t.set_ike_cfg
500 */
501 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
502 {
503 ike_cfg->get_ref(ike_cfg);
504 this->ike_cfg = ike_cfg;
505 }
506 /**
507 * Implementation of ike_sa_t.enable_extension.
508 */
509 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
510 {
511 this->extensions |= extension;
512 }
513
514 /**
515 * Implementation of ike_sa_t.has_extension.
516 */
517 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
518 {
519 return (this->extensions & extension) != FALSE;
520 }
521
522 /**
523 * Implementation of ike_sa_t.has_condition.
524 */
525 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
526 {
527 return (this->conditions & condition) != FALSE;
528 }
529
530 /**
531 * Implementation of ike_sa_t.enable_condition.
532 */
533 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
534 bool enable)
535 {
536 if (has_condition(this, condition) != enable)
537 {
538 if (enable)
539 {
540 this->conditions |= condition;
541 switch (condition)
542 {
543 case COND_NAT_HERE:
544 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
545 this->conditions |= COND_NAT_ANY;
546 send_keepalive(this);
547 break;
548 case COND_NAT_THERE:
549 DBG1(DBG_IKE, "remote host is behind NAT");
550 this->conditions |= COND_NAT_ANY;
551 break;
552 case COND_NAT_FAKE:
553 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
554 this->conditions |= COND_NAT_ANY;
555 break;
556 default:
557 break;
558 }
559 }
560 else
561 {
562 this->conditions &= ~condition;
563 switch (condition)
564 {
565 case COND_NAT_HERE:
566 case COND_NAT_FAKE:
567 case COND_NAT_THERE:
568 set_condition(this, COND_NAT_ANY,
569 has_condition(this, COND_NAT_HERE) ||
570 has_condition(this, COND_NAT_THERE) ||
571 has_condition(this, COND_NAT_FAKE));
572 break;
573 default:
574 break;
575 }
576 }
577 }
578 }
579
580 /**
581 * Implementation of ike_sa_t.send_dpd
582 */
583 static status_t send_dpd(private_ike_sa_t *this)
584 {
585 send_dpd_job_t *job;
586 time_t diff, delay;
587
588 delay = this->peer_cfg->get_dpd_delay(this->peer_cfg);
589
590 if (delay == 0)
591 {
592 /* DPD disabled */
593 return SUCCESS;
594 }
595
596 if (this->task_manager->busy(this->task_manager))
597 {
598 /* an exchange is in the air, no need to start a DPD check */
599 diff = 0;
600 }
601 else
602 {
603 /* check if there was any inbound traffic */
604 time_t last_in, now;
605 last_in = get_use_time(this, TRUE);
606 now = time(NULL);
607 diff = now - last_in;
608 if (diff >= delay)
609 {
610 /* to long ago, initiate dead peer detection */
611 task_t *task;
612
613 task = (task_t*)ike_dpd_create(TRUE);
614 diff = 0;
615 DBG1(DBG_IKE, "sending DPD request");
616
617 this->task_manager->queue_task(this->task_manager, task);
618 this->task_manager->initiate(this->task_manager);
619 }
620 }
621 /* recheck in "interval" seconds */
622 job = send_dpd_job_create(this->ike_sa_id);
623 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
624 (delay - diff) * 1000);
625 return SUCCESS;
626 }
627
628 /**
629 * Implementation of ike_sa_t.get_state.
630 */
631 static ike_sa_state_t get_state(private_ike_sa_t *this)
632 {
633 return this->state;
634 }
635
636 /**
637 * Implementation of ike_sa_t.set_state.
638 */
639 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
640 {
641 DBG1(DBG_IKE, "IKE_SA '%s' state change: %N => %N",
642 get_name(this),
643 ike_sa_state_names, this->state,
644 ike_sa_state_names, state);
645
646 switch (state)
647 {
648 case IKE_ESTABLISHED:
649 {
650 if (this->state == IKE_CONNECTING)
651 {
652 job_t *job;
653 u_int32_t t;
654
655 /* calculate rekey, reauth and lifetime */
656 this->time.established = time(NULL);
657
658 /* schedule rekeying if we have a time which is smaller than
659 * an already scheduled rekeying */
660 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
661 if (t && (this->time.rekey == 0 ||
662 (this->time.rekey > t + this->time.established)))
663 {
664 this->time.rekey = t + this->time.established;
665 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
666 charon->scheduler->schedule_job(charon->scheduler,
667 job, t * 1000);
668 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
669 }
670 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
671 if (t && (this->time.reauth == 0 ||
672 (this->time.reauth > t + this->time.established)))
673 {
674 this->time.reauth = t + this->time.established;
675 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
676 charon->scheduler->schedule_job(charon->scheduler,
677 job, t * 1000);
678 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
679 }
680 t = this->peer_cfg->get_over_time(this->peer_cfg);
681 if (this->time.rekey || this->time.reauth)
682 {
683 if (this->time.reauth == 0)
684 {
685 this->time.delete = this->time.rekey;
686 }
687 else if (this->time.rekey == 0)
688 {
689 this->time.delete = this->time.reauth;
690 }
691 else
692 {
693 this->time.delete = min(this->time.rekey, this->time.reauth);
694 }
695 this->time.delete += t;
696 t = this->time.delete - this->time.established;
697 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
698 charon->scheduler->schedule_job(charon->scheduler, job,
699 t * 1000);
700 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
701 }
702
703 /* start DPD checks */
704 send_dpd(this);
705 }
706 break;
707 }
708 case IKE_DELETING:
709 {
710 /* delete may fail if a packet gets lost, so set a timeout */
711 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
712 charon->scheduler->schedule_job(charon->scheduler, job,
713 HALF_OPEN_IKE_SA_TIMEOUT);
714 break;
715 }
716 default:
717 break;
718 }
719
720 this->state = state;
721 }
722
723 /**
724 * Implementation of ike_sa_t.reset
725 */
726 static void reset(private_ike_sa_t *this)
727 {
728 /* the responder ID is reset, as peer may choose another one */
729 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
730 {
731 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
732 }
733
734 set_state(this, IKE_CREATED);
735
736 this->task_manager->reset(this->task_manager);
737 }
738
739 /**
740 * Implementation of ike_sa_t.set_virtual_ip
741 */
742 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
743 {
744 if (local)
745 {
746 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
747 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
748 this->my_host) == SUCCESS)
749 {
750 if (this->my_virtual_ip)
751 {
752 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
753 charon->kernel_interface->del_ip(charon->kernel_interface,
754 this->my_virtual_ip);
755 }
756 DESTROY_IF(this->my_virtual_ip);
757 this->my_virtual_ip = ip->clone(ip);
758 }
759 else
760 {
761 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
762 this->my_virtual_ip = NULL;
763 }
764 }
765 else
766 {
767 DESTROY_IF(this->other_virtual_ip);
768 this->other_virtual_ip = ip->clone(ip);
769 }
770 }
771
772 /**
773 * Implementation of ike_sa_t.get_virtual_ip
774 */
775 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
776 {
777 if (local)
778 {
779 return this->my_virtual_ip;
780 }
781 else
782 {
783 return this->other_virtual_ip;
784 }
785 }
786
787 /**
788 * Implementation of ike_sa_t.add_additional_address.
789 */
790 static void add_additional_address(private_ike_sa_t *this, host_t *host)
791 {
792 this->additional_addresses->insert_last(this->additional_addresses, host);
793 }
794
795 /**
796 * Implementation of ike_sa_t.create_additional_address_iterator.
797 */
798 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
799 {
800 return this->additional_addresses->create_iterator(
801 this->additional_addresses, TRUE);
802 }
803
804 /**
805 * Implementation of ike_sa_t.set_pending_updates.
806 */
807 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
808 {
809 this->pending_updates = updates;
810 }
811
812 /**
813 * Implementation of ike_sa_t.get_pending_updates.
814 */
815 static u_int32_t get_pending_updates(private_ike_sa_t *this)
816 {
817 return this->pending_updates;
818 }
819
820 /**
821 * Update hosts, as addresses may change (NAT)
822 */
823 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
824 {
825 bool update = FALSE;
826
827 if (supports_extension(this, EXT_MOBIKE))
828 { /* if peer speaks mobike, address updates are explicit only */
829 return;
830 }
831
832 if (me == NULL)
833 {
834 me = this->my_host;
835 }
836 if (other == NULL)
837 {
838 other = this->other_host;
839 }
840
841 /* apply hosts on first received message */
842 if (this->my_host->is_anyaddr(this->my_host) ||
843 this->other_host->is_anyaddr(this->other_host))
844 {
845 set_my_host(this, me->clone(me));
846 set_other_host(this, other->clone(other));
847 update = TRUE;
848 }
849 else
850 {
851 /* update our address in any case */
852 if (!me->equals(me, this->my_host))
853 {
854 set_my_host(this, me->clone(me));
855 update = TRUE;
856 }
857
858 if (!other->equals(other, this->other_host))
859 {
860 /* update others adress if we are NOT NATed,
861 * and allow port changes if we are NATed */
862 if (!has_condition(this, COND_NAT_HERE) ||
863 other->ip_equals(other, this->other_host))
864 {
865 set_other_host(this, other->clone(other));
866 update = TRUE;
867 }
868 }
869 }
870
871 /* update all associated CHILD_SAs, if required */
872 if (update)
873 {
874 iterator_t *iterator;
875 child_sa_t *child_sa;
876
877 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
878 while (iterator->iterate(iterator, (void**)&child_sa))
879 {
880 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
881 has_condition(this, COND_NAT_ANY));
882 }
883 iterator->destroy(iterator);
884 }
885 }
886
887 /**
888 * Implementation of ike_sa_t.generate
889 */
890 static status_t generate_message(private_ike_sa_t *this, message_t *message,
891 packet_t **packet)
892 {
893 this->time.outbound = time(NULL);
894 message->set_ike_sa_id(message, this->ike_sa_id);
895 return message->generate(message, this->crypter_out, this->signer_out, packet);
896 }
897
898 /**
899 * send a notify back to the sender
900 */
901 static void send_notify_response(private_ike_sa_t *this, message_t *request,
902 notify_type_t type)
903 {
904 message_t *response;
905 packet_t *packet;
906
907 response = message_create();
908 response->set_exchange_type(response, request->get_exchange_type(request));
909 response->set_request(response, FALSE);
910 response->set_message_id(response, request->get_message_id(request));
911 response->add_notify(response, FALSE, type, chunk_empty);
912 if (this->my_host->is_anyaddr(this->my_host))
913 {
914 this->my_host->destroy(this->my_host);
915 this->my_host = request->get_destination(request);
916 this->my_host = this->my_host->clone(this->my_host);
917 }
918 if (this->other_host->is_anyaddr(this->other_host))
919 {
920 this->other_host->destroy(this->other_host);
921 this->other_host = request->get_source(request);
922 this->other_host = this->other_host->clone(this->other_host);
923 }
924 response->set_source(response, this->my_host->clone(this->my_host));
925 response->set_destination(response, this->other_host->clone(this->other_host));
926 if (generate_message(this, response, &packet) == SUCCESS)
927 {
928 charon->sender->send(charon->sender, packet);
929 }
930 response->destroy(response);
931 }
932
933 #ifdef ME
934 /**
935 * Implementation of ike_sa_t.get_server_reflexive_host.
936 */
937 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
938 {
939 return this->server_reflexive_host;
940 }
941
942 /**
943 * Implementation of ike_sa_t.set_server_reflexive_host.
944 */
945 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
946 {
947 DESTROY_IF(this->server_reflexive_host);
948 this->server_reflexive_host = host;
949 }
950
951 /**
952 * Implementation of ike_sa_t.get_connect_id.
953 */
954 static chunk_t get_connect_id(private_ike_sa_t *this)
955 {
956 return this->connect_id;
957 }
958
959 /**
960 * Implementation of ike_sa_t.respond
961 */
962 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
963 chunk_t connect_id)
964 {
965 ike_me_t *task = ike_me_create(&this->public, TRUE);
966 task->respond(task, peer_id, connect_id);
967 this->task_manager->queue_task(this->task_manager, (task_t*)task);
968 return this->task_manager->initiate(this->task_manager);
969 }
970
971 /**
972 * Implementation of ike_sa_t.callback
973 */
974 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
975 {
976 ike_me_t *task = ike_me_create(&this->public, TRUE);
977 task->callback(task, peer_id);
978 this->task_manager->queue_task(this->task_manager, (task_t*)task);
979 return this->task_manager->initiate(this->task_manager);
980 }
981
982 /**
983 * Implementation of ike_sa_t.relay
984 */
985 static status_t relay(private_ike_sa_t *this, identification_t *requester,
986 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
987 {
988 ike_me_t *task = ike_me_create(&this->public, TRUE);
989 task->relay(task, requester, connect_id, connect_key, endpoints, response);
990 this->task_manager->queue_task(this->task_manager, (task_t*)task);
991 return this->task_manager->initiate(this->task_manager);
992 }
993
994 /**
995 * Implementation of ike_sa_t.initiate_mediation
996 */
997 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
998 {
999 ike_me_t *task = ike_me_create(&this->public, TRUE);
1000 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1001 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1002 return this->task_manager->initiate(this->task_manager);
1003 }
1004
1005 /**
1006 * Implementation of ike_sa_t.initiate_mediated
1007 */
1008 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1009 linked_list_t *childs, chunk_t connect_id)
1010 {
1011 set_my_host(this, me->clone(me));
1012 set_other_host(this, other->clone(other));
1013 this->connect_id = chunk_clone(connect_id);
1014
1015 task_t *task;
1016 child_cfg_t *child_cfg;
1017 iterator_t *iterator = childs->create_iterator(childs, TRUE);
1018 while (iterator->iterate(iterator, (void**)&child_cfg))
1019 {
1020 task = (task_t*)child_create_create(&this->public, child_cfg);
1021 this->task_manager->queue_task(this->task_manager, task);
1022 }
1023 iterator->destroy(iterator);
1024 return this->task_manager->initiate(this->task_manager);
1025 }
1026 #endif /* ME */
1027
1028 /**
1029 * Implementation of ike_sa_t.initiate.
1030 */
1031 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1032 {
1033 task_t *task;
1034
1035 if (this->state == IKE_CREATED)
1036 {
1037 if (this->other_host->is_anyaddr(this->other_host)
1038 #ifdef ME
1039 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1040 #endif /* ME */
1041 )
1042 {
1043 child_cfg->destroy(child_cfg);
1044 SIG(IKE_UP_START, "initiating IKE_SA");
1045 SIG(IKE_UP_FAILED, "unable to initiate to %%any");
1046 return DESTROY_ME;
1047 }
1048
1049 this->ike_initiator = TRUE;
1050
1051 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1052 this->task_manager->queue_task(this->task_manager, task);
1053 task = (task_t*)ike_natd_create(&this->public, TRUE);
1054 this->task_manager->queue_task(this->task_manager, task);
1055 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1056 this->task_manager->queue_task(this->task_manager, task);
1057 task = (task_t*)ike_auth_create(&this->public, TRUE);
1058 this->task_manager->queue_task(this->task_manager, task);
1059 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1060 this->task_manager->queue_task(this->task_manager, task);
1061 task = (task_t*)ike_config_create(&this->public, TRUE);
1062 this->task_manager->queue_task(this->task_manager, task);
1063 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1064 this->task_manager->queue_task(this->task_manager, task);
1065 if (this->peer_cfg->use_mobike(this->peer_cfg))
1066 {
1067 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1068 this->task_manager->queue_task(this->task_manager, task);
1069 }
1070 #ifdef ME
1071 task = (task_t*)ike_me_create(&this->public, TRUE);
1072 this->task_manager->queue_task(this->task_manager, task);
1073 #endif /* ME */
1074 }
1075
1076 #ifdef ME
1077 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1078 {
1079 /* mediated connection, initiate mediation process */
1080 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id, child_cfg);
1081 child_cfg->destroy(child_cfg);
1082 charon->processor->queue_job(charon->processor, job);
1083 return SUCCESS;
1084 }
1085 else if (this->peer_cfg->is_mediation(this->peer_cfg))
1086 {
1087 if (this->state == IKE_ESTABLISHED)
1088 { /* FIXME: we should try to find a better solution to this */
1089 SIG(CHILD_UP_SUCCESS, "mediation connection is already up and running");
1090 }
1091 DESTROY_IF(child_cfg);
1092 }
1093 else
1094 #endif /* ME */
1095 {
1096 /* normal IKE_SA with CHILD_SA */
1097 task = (task_t*)child_create_create(&this->public, child_cfg);
1098 child_cfg->destroy(child_cfg);
1099 this->task_manager->queue_task(this->task_manager, task);
1100 }
1101
1102 return this->task_manager->initiate(this->task_manager);
1103 }
1104
1105 /**
1106 * Implementation of ike_sa_t.acquire.
1107 */
1108 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1109 { /* FIXME: IKE-ME */
1110 child_cfg_t *child_cfg;
1111 iterator_t *iterator;
1112 child_sa_t *current, *child_sa = NULL;
1113 task_t *task;
1114 child_create_t *child_create;
1115
1116 if (this->state == IKE_DELETING)
1117 {
1118 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1119 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1120 "IKE_SA is deleting", reqid);
1121 return FAILED;
1122 }
1123
1124 /* find CHILD_SA */
1125 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1126 while (iterator->iterate(iterator, (void**)&current))
1127 {
1128 if (current->get_reqid(current) == reqid)
1129 {
1130 child_sa = current;
1131 break;
1132 }
1133 }
1134 iterator->destroy(iterator);
1135 if (!child_sa)
1136 {
1137 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1138 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1139 "CHILD_SA not found", reqid);
1140 return FAILED;
1141 }
1142
1143
1144 if (this->state == IKE_CREATED)
1145 {
1146 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1147 this->task_manager->queue_task(this->task_manager, task);
1148 task = (task_t*)ike_natd_create(&this->public, TRUE);
1149 this->task_manager->queue_task(this->task_manager, task);
1150 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1151 this->task_manager->queue_task(this->task_manager, task);
1152 task = (task_t*)ike_auth_create(&this->public, TRUE);
1153 this->task_manager->queue_task(this->task_manager, task);
1154 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1155 this->task_manager->queue_task(this->task_manager, task);
1156 task = (task_t*)ike_config_create(&this->public, TRUE);
1157 this->task_manager->queue_task(this->task_manager, task);
1158 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1159 this->task_manager->queue_task(this->task_manager, task);
1160 if (this->peer_cfg->use_mobike(this->peer_cfg))
1161 {
1162 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1163 this->task_manager->queue_task(this->task_manager, task);
1164 }
1165 }
1166
1167 child_cfg = child_sa->get_config(child_sa);
1168 child_create = child_create_create(&this->public, child_cfg);
1169 child_create->use_reqid(child_create, reqid);
1170 this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
1171
1172 return this->task_manager->initiate(this->task_manager);
1173 }
1174
1175 /**
1176 * Implementation of ike_sa_t.route.
1177 */
1178 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1179 {
1180 child_sa_t *child_sa;
1181 iterator_t *iterator;
1182 linked_list_t *my_ts, *other_ts;
1183 host_t *me, *other;
1184 status_t status;
1185
1186 SIG(CHILD_ROUTE_START, "routing CHILD_SA");
1187
1188 /* check if not already routed*/
1189 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1190 while (iterator->iterate(iterator, (void**)&child_sa))
1191 {
1192 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1193 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1194 {
1195 iterator->destroy(iterator);
1196 SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
1197 return FAILED;
1198 }
1199 }
1200 iterator->destroy(iterator);
1201
1202 switch (this->state)
1203 {
1204 case IKE_DELETING:
1205 case IKE_REKEYING:
1206 SIG(CHILD_ROUTE_FAILED,
1207 "unable to route CHILD_SA, as its IKE_SA gets deleted");
1208 return FAILED;
1209 case IKE_CREATED:
1210 case IKE_CONNECTING:
1211 case IKE_ESTABLISHED:
1212 default:
1213 break;
1214 }
1215
1216 /* install kernel policies */
1217 child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
1218 this->other_id, child_cfg, FALSE, 0);
1219 me = this->my_host;
1220 if (this->my_virtual_ip)
1221 {
1222 me = this->my_virtual_ip;
1223 }
1224 other = this->other_host;
1225 if (this->other_virtual_ip)
1226 {
1227 other = this->other_virtual_ip;
1228 }
1229
1230 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1231 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1232 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1233 child_cfg->get_mode(child_cfg));
1234 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1235 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1236 if (status == SUCCESS)
1237 {
1238 this->child_sas->insert_last(this->child_sas, child_sa);
1239 SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
1240 }
1241 else
1242 {
1243 SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
1244 }
1245 return status;
1246 }
1247
1248 /**
1249 * Implementation of ike_sa_t.unroute.
1250 */
1251 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1252 {
1253 iterator_t *iterator;
1254 child_sa_t *child_sa;
1255 bool found = FALSE;
1256
1257 SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
1258
1259 /* find CHILD_SA in ROUTED state */
1260 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1261 while (iterator->iterate(iterator, (void**)&child_sa))
1262 {
1263 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1264 child_sa->get_reqid(child_sa) == reqid)
1265 {
1266 iterator->remove(iterator);
1267 SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
1268 child_sa->destroy(child_sa);
1269 found = TRUE;
1270 break;
1271 }
1272 }
1273 iterator->destroy(iterator);
1274
1275 if (!found)
1276 {
1277 SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
1278 return FAILED;
1279 }
1280 /* if we are not established, and we have no more routed childs, remove whole SA */
1281 if (this->state == IKE_CREATED &&
1282 this->child_sas->get_count(this->child_sas) == 0)
1283 {
1284 return DESTROY_ME;
1285 }
1286 return SUCCESS;
1287 }
1288 /**
1289 * Implementation of ike_sa_t.process_message.
1290 */
1291 static status_t process_message(private_ike_sa_t *this, message_t *message)
1292 {
1293 status_t status;
1294 bool is_request;
1295
1296 is_request = message->get_request(message);
1297
1298 status = message->parse_body(message, this->crypter_in, this->signer_in);
1299 if (status != SUCCESS)
1300 {
1301
1302 if (is_request)
1303 {
1304 switch (status)
1305 {
1306 case NOT_SUPPORTED:
1307 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1308 if (is_request)
1309 {
1310 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1311 }
1312 break;
1313 case PARSE_ERROR:
1314 DBG1(DBG_IKE, "message parsing failed");
1315 if (is_request)
1316 {
1317 send_notify_response(this, message, INVALID_SYNTAX);
1318 }
1319 break;
1320 case VERIFY_ERROR:
1321 DBG1(DBG_IKE, "message verification failed");
1322 if (is_request)
1323 {
1324 send_notify_response(this, message, INVALID_SYNTAX);
1325 }
1326 break;
1327 case FAILED:
1328 DBG1(DBG_IKE, "integrity check failed");
1329 /* ignored */
1330 break;
1331 case INVALID_STATE:
1332 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1333 if (is_request)
1334 {
1335 send_notify_response(this, message, INVALID_SYNTAX);
1336 }
1337 default:
1338 break;
1339 }
1340 }
1341 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1342 exchange_type_names, message->get_exchange_type(message),
1343 message->get_request(message) ? "request" : "response",
1344 message->get_message_id(message));
1345 return status;
1346 }
1347 else
1348 {
1349 host_t *me, *other;
1350 private_ike_sa_t *new;
1351 iterator_t *iterator;
1352 child_sa_t *child;
1353 bool has_routed = FALSE;
1354
1355 me = message->get_destination(message);
1356 other = message->get_source(message);
1357
1358 /* if this IKE_SA is virgin, we check for a config */
1359 if (this->ike_cfg == NULL)
1360 {
1361 job_t *job;
1362 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1363 me, other);
1364 if (this->ike_cfg == NULL)
1365 {
1366 /* no config found for these hosts, destroy */
1367 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1368 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1369 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1370 return DESTROY_ME;
1371 }
1372 /* add a timeout if peer does not establish it completely */
1373 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1374 charon->scheduler->schedule_job(charon->scheduler, job,
1375 HALF_OPEN_IKE_SA_TIMEOUT);
1376 }
1377
1378 /* check if message is trustworthy, and update host information */
1379 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1380 message->get_exchange_type(message) != IKE_SA_INIT)
1381 {
1382 update_hosts(this, me, other);
1383 this->time.inbound = time(NULL);
1384 }
1385 status = this->task_manager->process_message(this->task_manager, message);
1386 if (status != DESTROY_ME)
1387 {
1388 return status;
1389 }
1390 /* if IKE_SA gets closed for any reasons, reroute routed children */
1391 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1392 while (iterator->iterate(iterator, (void**)&child))
1393 {
1394 if (child->get_state(child) == CHILD_ROUTED)
1395 {
1396 has_routed = TRUE;
1397 break;
1398 }
1399 }
1400 iterator->destroy(iterator);
1401 if (!has_routed)
1402 {
1403 return status;
1404 }
1405 /* move routed children to a new IKE_SA, apply connection info */
1406 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1407 charon->ike_sa_manager, TRUE);
1408 set_peer_cfg(new, this->peer_cfg);
1409 new->other_host->destroy(new->other_host);
1410 new->other_host = this->other_host->clone(this->other_host);
1411 if (!has_condition(this, COND_NAT_THERE))
1412 {
1413 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1414 }
1415 if (this->my_virtual_ip)
1416 {
1417 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1418 }
1419 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1420 while (iterator->iterate(iterator, (void**)&child))
1421 {
1422 if (child->get_state(child) == CHILD_ROUTED)
1423 {
1424 route(new, child->get_config(child));
1425 }
1426 }
1427 iterator->destroy(iterator);
1428 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1429 return status;
1430 }
1431 }
1432
1433 /**
1434 * Implementation of ike_sa_t.retransmit.
1435 */
1436 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1437 { /* FIXME: IKE-ME */
1438 this->time.outbound = time(NULL);
1439 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1440 {
1441 child_cfg_t *child_cfg;
1442 child_sa_t* child_sa;
1443 linked_list_t *to_route, *to_restart;
1444 iterator_t *iterator;
1445
1446 /* send a proper signal to brief interested bus listeners */
1447 switch (this->state)
1448 {
1449 case IKE_CONNECTING:
1450 {
1451 /* retry IKE_SA_INIT if we have multiple keyingtries */
1452 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1453 this->keyingtry++;
1454 if (tries == 0 || tries > this->keyingtry)
1455 {
1456 SIG(IKE_UP_FAILED, "peer not responding, trying again "
1457 "(%d/%d) in background ", this->keyingtry + 1, tries);
1458 reset(this);
1459 return this->task_manager->initiate(this->task_manager);
1460 }
1461 SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
1462 break;
1463 }
1464 case IKE_REKEYING:
1465 SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
1466 break;
1467 case IKE_DELETING:
1468 SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
1469 break;
1470 default:
1471 break;
1472 }
1473
1474 /* summarize how we have to handle each child */
1475 to_route = linked_list_create();
1476 to_restart = linked_list_create();
1477 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1478 while (iterator->iterate(iterator, (void**)&child_sa))
1479 {
1480 child_cfg = child_sa->get_config(child_sa);
1481
1482 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
1483 {
1484 /* reroute routed CHILD_SAs */
1485 to_route->insert_last(to_route, child_cfg);
1486 }
1487 else
1488 {
1489 /* use DPD action for established CHILD_SAs */
1490 switch (this->peer_cfg->get_dpd_action(this->peer_cfg))
1491 {
1492 case DPD_ROUTE:
1493 to_route->insert_last(to_route, child_cfg);
1494 break;
1495 case DPD_RESTART:
1496 to_restart->insert_last(to_restart, child_cfg);
1497 break;
1498 default:
1499 break;
1500 }
1501 }
1502 }
1503 iterator->destroy(iterator);
1504
1505 /* create a new IKE_SA if we have to route or to restart */
1506 if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
1507 {
1508 private_ike_sa_t *new;
1509 task_t *task;
1510
1511 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1512 charon->ike_sa_manager, TRUE);
1513
1514 set_peer_cfg(new, this->peer_cfg);
1515 /* use actual used host, not the wildcarded one in config */
1516 new->other_host->destroy(new->other_host);
1517 new->other_host = this->other_host->clone(this->other_host);
1518 /* reset port to 500, but only if peer is not NATed */
1519 if (!has_condition(this, COND_NAT_THERE))
1520 {
1521 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1522 }
1523 /* take over virtual ip, as we need it for a proper route */
1524 if (this->my_virtual_ip)
1525 {
1526 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1527 }
1528
1529 /* install routes */
1530 while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
1531 {
1532 route(new, child_cfg);
1533 }
1534
1535 /* restart children */
1536 if (to_restart->get_count(to_restart))
1537 {
1538 task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
1539 new->task_manager->queue_task(new->task_manager, task);
1540 task = (task_t*)ike_natd_create(&new->public, TRUE);
1541 new->task_manager->queue_task(new->task_manager, task);
1542 task = (task_t*)ike_cert_pre_create(&new->public, TRUE);
1543 new->task_manager->queue_task(new->task_manager, task);
1544 task = (task_t*)ike_config_create(&new->public, TRUE);
1545 new->task_manager->queue_task(new->task_manager, task);
1546 task = (task_t*)ike_auth_create(&new->public, TRUE);
1547 new->task_manager->queue_task(new->task_manager, task);
1548 task = (task_t*)ike_cert_post_create(&new->public, TRUE);
1549 new->task_manager->queue_task(new->task_manager, task);
1550
1551 while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS)
1552 {
1553 task = (task_t*)child_create_create(&new->public, child_cfg);
1554 new->task_manager->queue_task(new->task_manager, task);
1555 }
1556 task = (task_t*)ike_auth_lifetime_create(&new->public, TRUE);
1557 new->task_manager->queue_task(new->task_manager, task);
1558 if (this->peer_cfg->use_mobike(this->peer_cfg))
1559 {
1560 task = (task_t*)ike_mobike_create(&new->public, TRUE);
1561 new->task_manager->queue_task(new->task_manager, task);
1562 }
1563 new->task_manager->initiate(new->task_manager);
1564 }
1565 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1566 }
1567 to_route->destroy(to_route);
1568 to_restart->destroy(to_restart);
1569 return DESTROY_ME;
1570 }
1571 return SUCCESS;
1572 }
1573
1574 /**
1575 * Implementation of ike_sa_t.get_prf.
1576 */
1577 static prf_t *get_prf(private_ike_sa_t *this)
1578 {
1579 return this->prf;
1580 }
1581
1582 /**
1583 * Implementation of ike_sa_t.get_prf.
1584 */
1585 static prf_t *get_child_prf(private_ike_sa_t *this)
1586 {
1587 return this->child_prf;
1588 }
1589
1590 /**
1591 * Implementation of ike_sa_t.get_skp_bild
1592 */
1593 static chunk_t get_skp_build(private_ike_sa_t *this)
1594 {
1595 return this->skp_build;
1596 }
1597
1598 /**
1599 * Implementation of ike_sa_t.get_skp_verify
1600 */
1601 static chunk_t get_skp_verify(private_ike_sa_t *this)
1602 {
1603 return this->skp_verify;
1604 }
1605
1606 /**
1607 * Implementation of ike_sa_t.get_id.
1608 */
1609 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1610 {
1611 return this->ike_sa_id;
1612 }
1613
1614 /**
1615 * Implementation of ike_sa_t.get_my_id.
1616 */
1617 static identification_t* get_my_id(private_ike_sa_t *this)
1618 {
1619 return this->my_id;
1620 }
1621
1622 /**
1623 * Implementation of ike_sa_t.set_my_id.
1624 */
1625 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1626 {
1627 DESTROY_IF(this->my_id);
1628 this->my_id = me;
1629 }
1630
1631 /**
1632 * Implementation of ike_sa_t.get_other_id.
1633 */
1634 static identification_t* get_other_id(private_ike_sa_t *this)
1635 {
1636 return this->other_id;
1637 }
1638
1639 /**
1640 * Implementation of ike_sa_t.set_other_id.
1641 */
1642 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1643 {
1644 DESTROY_IF(this->other_id);
1645 this->other_id = other;
1646 }
1647
1648 /**
1649 * Implementation of ike_sa_t.derive_keys.
1650 */
1651 static status_t derive_keys(private_ike_sa_t *this,
1652 proposal_t *proposal, chunk_t secret,
1653 chunk_t nonce_i, chunk_t nonce_r,
1654 bool initiator, prf_t *child_prf, prf_t *old_prf)
1655 {
1656 prf_plus_t *prf_plus;
1657 chunk_t skeyseed, key, nonces, prf_plus_seed;
1658 u_int16_t alg, key_size;
1659 crypter_t *crypter_i, *crypter_r;
1660 signer_t *signer_i, *signer_r;
1661 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1662 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1663 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1664
1665 /* Create SAs general purpose PRF first, we may use it here */
1666 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
1667 {
1668 DBG1(DBG_IKE, "no %N selected",
1669 transform_type_names, PSEUDO_RANDOM_FUNCTION);
1670 return FAILED;
1671 }
1672 this->prf = lib->crypto->create_prf(lib->crypto, alg);
1673 if (this->prf == NULL)
1674 {
1675 DBG1(DBG_IKE, "%N %N not supported!",
1676 transform_type_names, PSEUDO_RANDOM_FUNCTION,
1677 pseudo_random_function_names, alg);
1678 return FAILED;
1679 }
1680
1681 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1682 nonces = chunk_cat("cc", nonce_i, nonce_r);
1683 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1684 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1685 prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
1686
1687 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1688 *
1689 * if we are rekeying, SKEYSEED is built on another way
1690 */
1691 if (child_prf == NULL) /* not rekeying */
1692 {
1693 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1694 this->prf->set_key(this->prf, nonces);
1695 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1696 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1697 this->prf->set_key(this->prf, skeyseed);
1698 chunk_free(&skeyseed);
1699 chunk_free(&secret);
1700 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1701 }
1702 else
1703 {
1704 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1705 * use OLD SAs PRF functions for both prf_plus and prf */
1706 secret = chunk_cat("mc", secret, nonces);
1707 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1708 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1709 old_prf->set_key(old_prf, skeyseed);
1710 chunk_free(&skeyseed);
1711 chunk_free(&secret);
1712 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1713 }
1714 chunk_free(&nonces);
1715 chunk_free(&prf_plus_seed);
1716
1717 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1718
1719 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1720 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL);
1721 this->child_prf = lib->crypto->create_prf(lib->crypto, alg);
1722 key_size = this->child_prf->get_key_size(this->child_prf);
1723 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1724 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1725 this->child_prf->set_key(this->child_prf, key);
1726 chunk_free(&key);
1727
1728 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1729 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
1730 {
1731 DBG1(DBG_IKE, "no %N selected",
1732 transform_type_names, INTEGRITY_ALGORITHM);
1733 return FAILED;
1734 }
1735 signer_i = lib->crypto->create_signer(lib->crypto, alg);
1736 signer_r = lib->crypto->create_signer(lib->crypto, alg);
1737 if (signer_i == NULL || signer_r == NULL)
1738 {
1739 DBG1(DBG_IKE, "%N %N not supported!",
1740 transform_type_names, INTEGRITY_ALGORITHM,
1741 integrity_algorithm_names ,alg);
1742 prf_plus->destroy(prf_plus);
1743 return FAILED;
1744 }
1745 key_size = signer_i->get_key_size(signer_i);
1746
1747 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1748 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1749 signer_i->set_key(signer_i, key);
1750 chunk_free(&key);
1751
1752 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1753 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1754 signer_r->set_key(signer_r, key);
1755 chunk_free(&key);
1756
1757 if (initiator)
1758 {
1759 this->signer_in = signer_r;
1760 this->signer_out = signer_i;
1761 }
1762 else
1763 {
1764 this->signer_in = signer_i;
1765 this->signer_out = signer_r;
1766 }
1767
1768 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1769 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
1770 {
1771 DBG1(DBG_IKE, "no %N selected",
1772 transform_type_names, ENCRYPTION_ALGORITHM);
1773 prf_plus->destroy(prf_plus);
1774 return FAILED;
1775 }
1776 crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1777 crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1778 if (crypter_i == NULL || crypter_r == NULL)
1779 {
1780 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
1781 transform_type_names, ENCRYPTION_ALGORITHM,
1782 encryption_algorithm_names, alg, key_size);
1783 prf_plus->destroy(prf_plus);
1784 return FAILED;
1785 }
1786 key_size = crypter_i->get_key_size(crypter_i);
1787
1788 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1789 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1790 crypter_i->set_key(crypter_i, key);
1791 chunk_free(&key);
1792
1793 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1794 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1795 crypter_r->set_key(crypter_r, key);
1796 chunk_free(&key);
1797
1798 if (initiator)
1799 {
1800 this->crypter_in = crypter_r;
1801 this->crypter_out = crypter_i;
1802 }
1803 else
1804 {
1805 this->crypter_in = crypter_i;
1806 this->crypter_out = crypter_r;
1807 }
1808
1809 /* SK_pi/SK_pr used for authentication => stored for later */
1810 key_size = this->prf->get_key_size(this->prf);
1811 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1812 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1813 if (initiator)
1814 {
1815 this->skp_build = key;
1816 }
1817 else
1818 {
1819 this->skp_verify = key;
1820 }
1821 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1822 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1823 if (initiator)
1824 {
1825 this->skp_verify = key;
1826 }
1827 else
1828 {
1829 this->skp_build = key;
1830 }
1831
1832 /* all done, prf_plus not needed anymore */
1833 prf_plus->destroy(prf_plus);
1834
1835 return SUCCESS;
1836 }
1837
1838 /**
1839 * Implementation of ike_sa_t.add_child_sa.
1840 */
1841 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1842 {
1843 this->child_sas->insert_last(this->child_sas, child_sa);
1844 }
1845
1846 /**
1847 * Implementation of ike_sa_t.get_child_sa.
1848 */
1849 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1850 u_int32_t spi, bool inbound)
1851 {
1852 iterator_t *iterator;
1853 child_sa_t *current, *found = NULL;
1854
1855 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1856 while (iterator->iterate(iterator, (void**)&current))
1857 {
1858 if (current->get_spi(current, inbound) == spi &&
1859 current->get_protocol(current) == protocol)
1860 {
1861 found = current;
1862 }
1863 }
1864 iterator->destroy(iterator);
1865 return found;
1866 }
1867
1868 /**
1869 * Implementation of ike_sa_t.create_child_sa_iterator.
1870 */
1871 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1872 {
1873 return this->child_sas->create_iterator(this->child_sas, TRUE);
1874 }
1875
1876 /**
1877 * Implementation of ike_sa_t.rekey_child_sa.
1878 */
1879 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1880 {
1881 child_sa_t *child_sa;
1882 child_rekey_t *child_rekey;
1883
1884 child_sa = get_child_sa(this, protocol, spi, TRUE);
1885 if (child_sa)
1886 {
1887 child_rekey = child_rekey_create(&this->public, child_sa);
1888 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1889 return this->task_manager->initiate(this->task_manager);
1890 }
1891 return FAILED;
1892 }
1893
1894 /**
1895 * Implementation of ike_sa_t.delete_child_sa.
1896 */
1897 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1898 {
1899 child_sa_t *child_sa;
1900 child_delete_t *child_delete;
1901
1902 child_sa = get_child_sa(this, protocol, spi, TRUE);
1903 if (child_sa)
1904 {
1905 child_delete = child_delete_create(&this->public, child_sa);
1906 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1907 return this->task_manager->initiate(this->task_manager);
1908 }
1909 return FAILED;
1910 }
1911
1912 /**
1913 * Implementation of ike_sa_t.destroy_child_sa.
1914 */
1915 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1916 u_int32_t spi)
1917 {
1918 iterator_t *iterator;
1919 child_sa_t *child_sa;
1920 status_t status = NOT_FOUND;
1921
1922 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1923 while (iterator->iterate(iterator, (void**)&child_sa))
1924 {
1925 if (child_sa->get_protocol(child_sa) == protocol &&
1926 child_sa->get_spi(child_sa, TRUE) == spi)
1927 {
1928 child_sa->destroy(child_sa);
1929 iterator->remove(iterator);
1930 status = SUCCESS;
1931 break;
1932 }
1933 }
1934 iterator->destroy(iterator);
1935 return status;
1936 }
1937
1938 /**
1939 * Implementation of public_ike_sa_t.delete.
1940 */
1941 static status_t delete_(private_ike_sa_t *this)
1942 {
1943 ike_delete_t *ike_delete;
1944
1945 switch (this->state)
1946 {
1947 case IKE_ESTABLISHED:
1948 case IKE_REKEYING:
1949 ike_delete = ike_delete_create(&this->public, TRUE);
1950 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1951 return this->task_manager->initiate(this->task_manager);
1952 case IKE_CREATED:
1953 SIG(IKE_DOWN_SUCCESS, "deleting unestablished IKE_SA");
1954 break;
1955 default:
1956 SIG(IKE_DOWN_SUCCESS, "destroying IKE_SA in state %N "
1957 "without notification", ike_sa_state_names, this->state);
1958 break;
1959 }
1960 return DESTROY_ME;
1961 }
1962
1963 /**
1964 * Implementation of ike_sa_t.rekey.
1965 */
1966 static status_t rekey(private_ike_sa_t *this)
1967 {
1968 ike_rekey_t *ike_rekey;
1969
1970 ike_rekey = ike_rekey_create(&this->public, TRUE);
1971
1972 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1973 return this->task_manager->initiate(this->task_manager);
1974 }
1975
1976 /**
1977 * Implementation of ike_sa_t.reestablish
1978 */
1979 static status_t reestablish(private_ike_sa_t *this)
1980 {
1981 task_t *task;
1982
1983 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1984 * If the peer does not support RFC4478, there is no way to keep the
1985 * IKE_SA up. */
1986 if (!this->ike_initiator)
1987 {
1988 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1989 if (this->other_virtual_ip != NULL ||
1990 has_condition(this, COND_EAP_AUTHENTICATED))
1991 {
1992 time_t now = time(NULL);
1993
1994 DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
1995 return FAILED;
1996 }
1997 else
1998 {
1999 DBG1(DBG_IKE, "reauthenticating actively");
2000 }
2001 }
2002 task = (task_t*)ike_reauth_create(&this->public);
2003 this->task_manager->queue_task(this->task_manager, task);
2004
2005 return this->task_manager->initiate(this->task_manager);
2006 }
2007
2008 /**
2009 * Implementation of ike_sa_t.set_auth_lifetime.
2010 */
2011 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
2012 {
2013 job_t *job;
2014 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
2015
2016 this->time.reauth = time(NULL) + lifetime - reduction;
2017 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
2018
2019 if (lifetime < reduction)
2020 {
2021 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
2022 lifetime);
2023 charon->processor->queue_job(charon->processor, job);
2024 }
2025 else
2026 {
2027 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
2028 " in %ds", lifetime, lifetime - reduction);
2029 charon->scheduler->schedule_job(charon->scheduler, job,
2030 (lifetime - reduction) * 1000);
2031 }
2032 }
2033
2034 /**
2035 * Implementation of ike_sa_t.roam.
2036 */
2037 static status_t roam(private_ike_sa_t *this, bool address)
2038 {
2039 host_t *me, *other;
2040 ike_mobike_t *mobike;
2041
2042 /* responder just updates the peer about changed address config */
2043 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
2044 {
2045 if (supports_extension(this, EXT_MOBIKE) && address)
2046 {
2047 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2048 mobike = ike_mobike_create(&this->public, TRUE);
2049 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2050 return this->task_manager->initiate(this->task_manager);
2051 }
2052 return SUCCESS;
2053 }
2054
2055 /* get best address pair to use */
2056 other = this->other_host;
2057 me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
2058 other);
2059
2060 if (me)
2061 {
2062 if (me->ip_equals(me, this->my_host) &&
2063 other->ip_equals(other, this->other_host))
2064 {
2065 DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
2066 me->destroy(me);
2067 return SUCCESS;
2068 }
2069 me->destroy(me);
2070 }
2071
2072 /* update addresses with mobike, if supported ... */
2073 if (supports_extension(this, EXT_MOBIKE))
2074 {
2075 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2076 mobike = ike_mobike_create(&this->public, TRUE);
2077 mobike->roam(mobike, address);
2078 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2079 return this->task_manager->initiate(this->task_manager);
2080 }
2081 DBG1(DBG_IKE, "reestablishing IKE_SA due address change");
2082 /* ... reestablish if not */
2083 return reestablish(this);
2084 }
2085
2086 /**
2087 * Implementation of ike_sa_t.inherit.
2088 */
2089 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2090 {
2091 child_sa_t *child_sa;
2092 host_t *ip;
2093
2094 /* apply hosts and ids */
2095 this->my_host->destroy(this->my_host);
2096 this->other_host->destroy(this->other_host);
2097 this->my_id->destroy(this->my_id);
2098 this->other_id->destroy(this->other_id);
2099 this->my_host = other->my_host->clone(other->my_host);
2100 this->other_host = other->other_host->clone(other->other_host);
2101 this->my_id = other->my_id->clone(other->my_id);
2102 this->other_id = other->other_id->clone(other->other_id);
2103 this->ike_initiator = other->ike_initiator;
2104
2105 /* apply virtual assigned IPs... */
2106 if (other->my_virtual_ip)
2107 {
2108 this->my_virtual_ip = other->my_virtual_ip;
2109 other->my_virtual_ip = NULL;
2110 }
2111 if (other->other_virtual_ip)
2112 {
2113 this->other_virtual_ip = other->other_virtual_ip;
2114 other->other_virtual_ip = NULL;
2115 }
2116
2117 /* ... and DNS servers */
2118 while (other->dns_servers->remove_last(other->dns_servers,
2119 (void**)&ip) == SUCCESS)
2120 {
2121 this->dns_servers->insert_first(this->dns_servers, ip);
2122 }
2123
2124 /* inherit NAT-T conditions */
2125 this->conditions = other->conditions;
2126 if (this->conditions & COND_NAT_HERE)
2127 {
2128 send_keepalive(this);
2129 }
2130
2131 /* adopt all children */
2132 while (other->child_sas->remove_last(other->child_sas,
2133 (void**)&child_sa) == SUCCESS)
2134 {
2135 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2136 }
2137
2138 /* move pending tasks to the new IKE_SA */
2139 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2140
2141 /* reauthentication timeout survives a rekeying */
2142 if (other->time.reauth)
2143 {
2144 time_t reauth, delete, now = time(NULL);
2145
2146 this->time.reauth = other->time.reauth;
2147 reauth = this->time.reauth - now;
2148 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2149 this->time.delete = this->time.reauth + delete;
2150 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2151 "lifetime reduced to %ds", reauth, delete);
2152 charon->scheduler->schedule_job(charon->scheduler,
2153 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2154 reauth * 1000);
2155 charon->scheduler->schedule_job(charon->scheduler,
2156 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2157 delete * 1000);
2158 }
2159 /* we have to initate here, there may be new tasks to handle */
2160 return this->task_manager->initiate(this->task_manager);
2161 }
2162
2163 /**
2164 * Implementation of ike_sa_t.remove_dns_server
2165 */
2166 static void remove_dns_servers(private_ike_sa_t *this)
2167 {
2168 FILE *file;
2169 struct stat stats;
2170 chunk_t contents, line, orig_line, token;
2171 char string[INET6_ADDRSTRLEN];
2172 host_t *ip;
2173 iterator_t *iterator;
2174
2175 if (this->dns_servers->get_count(this->dns_servers) == 0)
2176 {
2177 /* don't touch anything if we have no nameservers installed */
2178 return;
2179 }
2180
2181 file = fopen(RESOLV_CONF, "r");
2182 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2183 {
2184 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2185 RESOLV_CONF, strerror(errno));
2186 return;
2187 }
2188
2189 contents = chunk_alloca((size_t)stats.st_size);
2190
2191 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2192 {
2193 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2194 fclose(file);
2195 return;
2196 }
2197
2198 fclose(file);
2199 file = fopen(RESOLV_CONF, "w");
2200 if (file == NULL)
2201 {
2202 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2203 RESOLV_CONF, strerror(errno));
2204 return;
2205 }
2206
2207 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2208 while (fetchline(&contents, &line))
2209 {
2210 bool found = FALSE;
2211 orig_line = line;
2212 if (extract_token(&token, ' ', &line) &&
2213 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2214 {
2215 if (!extract_token(&token, ' ', &line))
2216 {
2217 token = line;
2218 }
2219 iterator->reset(iterator);
2220 while (iterator->iterate(iterator, (void**)&ip))
2221 {
2222 snprintf(string, sizeof(string), "%H", ip);
2223 if (strlen(string) == token.len &&
2224 strncmp(token.ptr, string, token.len) == 0)
2225 {
2226 iterator->remove(iterator);
2227 ip->destroy(ip);
2228 found = TRUE;
2229 break;
2230 }
2231 }
2232 }
2233
2234 if (!found)
2235 {
2236 /* write line untouched back to file */
2237 fwrite(orig_line.ptr, orig_line.len, 1, file);
2238 fprintf(file, "\n");
2239 }
2240 }
2241 iterator->destroy(iterator);
2242 fclose(file);
2243 }
2244
2245 /**
2246 * Implementation of ike_sa_t.add_dns_server
2247 */
2248 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2249 {
2250 FILE *file;
2251 struct stat stats;
2252 chunk_t contents;
2253
2254 DBG1(DBG_IKE, "installing DNS server %H", dns);
2255
2256 file = fopen(RESOLV_CONF, "a+");
2257 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2258 {
2259 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2260 RESOLV_CONF, strerror(errno));
2261 return;
2262 }
2263
2264 contents = chunk_alloca(stats.st_size);
2265
2266 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2267 {
2268 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2269 fclose(file);
2270 return;
2271 }
2272
2273 fclose(file);
2274 file = fopen(RESOLV_CONF, "w");
2275 if (file == NULL)
2276 {
2277 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2278 RESOLV_CONF, strerror(errno));
2279 return;
2280 }
2281
2282 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2283 dns, this->other_id) < 0)
2284 {
2285 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2286 }
2287 else
2288 {
2289 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2290 }
2291 fwrite(contents.ptr, contents.len, 1, file);
2292
2293 fclose(file);
2294 }
2295
2296 /**
2297 * Implementation of ike_sa_t.destroy.
2298 */
2299 static void destroy(private_ike_sa_t *this)
2300 {
2301 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2302
2303 DESTROY_IF(this->crypter_in);
2304 DESTROY_IF(this->crypter_out);
2305 DESTROY_IF(this->signer_in);
2306 DESTROY_IF(this->signer_out);
2307 DESTROY_IF(this->prf);
2308 DESTROY_IF(this->child_prf);
2309 chunk_free(&this->skp_verify);
2310 chunk_free(&this->skp_build);
2311
2312 if (this->my_virtual_ip)
2313 {
2314 charon->kernel_interface->del_ip(charon->kernel_interface,
2315 this->my_virtual_ip);
2316 this->my_virtual_ip->destroy(this->my_virtual_ip);
2317 }
2318 if (this->other_virtual_ip)
2319 {
2320 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2321 {
2322 charon->attributes->release_address(charon->attributes,
2323 this->peer_cfg->get_pool(this->peer_cfg),
2324 this->other_virtual_ip);
2325 }
2326 this->other_virtual_ip->destroy(this->other_virtual_ip);
2327 }
2328
2329 remove_dns_servers(this);
2330 this->dns_servers->destroy_offset(this->dns_servers,
2331 offsetof(host_t, destroy));
2332 this->additional_addresses->destroy_offset(this->additional_addresses,
2333 offsetof(host_t, destroy));
2334 #ifdef ME
2335 if (this->peer_cfg && this->peer_cfg->is_mediation(this->peer_cfg) &&
2336 !this->ike_sa_id->is_initiator(this->ike_sa_id))
2337 {
2338 /* mediation server */
2339 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2340 }
2341 DESTROY_IF(this->server_reflexive_host);
2342 chunk_free(&this->connect_id);
2343 #endif /* ME */
2344
2345 DESTROY_IF(this->my_host);
2346 DESTROY_IF(this->other_host);
2347 DESTROY_IF(this->my_id);
2348 DESTROY_IF(this->other_id);
2349
2350 DESTROY_IF(this->ike_cfg);
2351 DESTROY_IF(this->peer_cfg);
2352 DESTROY_IF(this->my_auth);
2353 DESTROY_IF(this->other_auth);
2354
2355 this->ike_sa_id->destroy(this->ike_sa_id);
2356 this->task_manager->destroy(this->task_manager);
2357 free(this);
2358 }
2359
2360 /*
2361 * Described in header.
2362 */
2363 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2364 {
2365 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2366 static u_int32_t unique_id = 0;
2367
2368 /* Public functions */
2369 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2370 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2371 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2372 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2373 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2374 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2375 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2376 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2377 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2378 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2379 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2380 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2381 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2382 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2383 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2384 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2385 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2386 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2387 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2388 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2389 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2390 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2391 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2392 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2393 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2394 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2395 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2396 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2397 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2398 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2399 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2400 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2401 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2402 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2403 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2404 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2405 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2406 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2407 this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
2408 this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
2409 this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
2410 this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
2411 this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
2412 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2413 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2414 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2415 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2416 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2417 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2418 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2419 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2420 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2421 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2422 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2423 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2424 this->public.reset = (void (*)(ike_sa_t*))reset;
2425 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2426 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2427 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2428 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2429 #ifdef ME
2430 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2431 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2432 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2433 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2434 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,linked_list_t*,chunk_t)) initiate_mediated;
2435 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2436 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2437 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2438 #endif /* ME */
2439
2440 /* initialize private fields */
2441 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2442 this->child_sas = linked_list_create();
2443 this->my_host = host_create_any(AF_INET);
2444 this->other_host = host_create_any(AF_INET);
2445 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2446 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2447 this->extensions = 0;
2448 this->conditions = 0;
2449 this->crypter_in = NULL;
2450 this->crypter_out = NULL;
2451 this->signer_in = NULL;
2452 this->signer_out = NULL;
2453 this->prf = NULL;
2454 this->skp_verify = chunk_empty;
2455 this->skp_build = chunk_empty;
2456 this->child_prf = NULL;
2457 this->state = IKE_CREATED;
2458 this->time.inbound = this->time.outbound = time(NULL);
2459 this->time.established = 0;
2460 this->time.rekey = 0;
2461 this->time.reauth = 0;
2462 this->time.delete = 0;
2463 this->ike_cfg = NULL;
2464 this->peer_cfg = NULL;
2465 this->my_auth = auth_info_create();
2466 this->other_auth = auth_info_create();
2467 this->task_manager = task_manager_create(&this->public);
2468 this->unique_id = ++unique_id;
2469 this->my_virtual_ip = NULL;
2470 this->other_virtual_ip = NULL;
2471 this->dns_servers = linked_list_create();
2472 this->additional_addresses = linked_list_create();
2473 this->pending_updates = 0;
2474 this->keyingtry = 0;
2475 this->ike_initiator = FALSE;
2476 #ifdef ME
2477 this->server_reflexive_host = NULL;
2478 this->connect_id = chunk_empty;
2479 #endif /* ME */
2480
2481 return &this->public;
2482 }