loading of subjectPublicKeyInfo wrapped keys using KEY_ANY (openssl format)
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26
27 #include "ike_sa.h"
28
29 #include <library.h>
30 #include <daemon.h>
31 #include <utils/linked_list.h>
32 #include <utils/lexparser.h>
33 #include <crypto/diffie_hellman.h>
34 #include <crypto/prf_plus.h>
35 #include <crypto/crypters/crypter.h>
36 #include <crypto/hashers/hasher.h>
37 #include <encoding/payloads/sa_payload.h>
38 #include <encoding/payloads/nonce_payload.h>
39 #include <encoding/payloads/ke_payload.h>
40 #include <encoding/payloads/delete_payload.h>
41 #include <encoding/payloads/transform_substructure.h>
42 #include <encoding/payloads/transform_attribute.h>
43 #include <encoding/payloads/ts_payload.h>
44 #include <sa/task_manager.h>
45 #include <sa/tasks/ike_init.h>
46 #include <sa/tasks/ike_natd.h>
47 #include <sa/tasks/ike_mobike.h>
48 #include <sa/tasks/ike_auth.h>
49 #include <sa/tasks/ike_auth_lifetime.h>
50 #include <sa/tasks/ike_config.h>
51 #include <sa/tasks/ike_cert_pre.h>
52 #include <sa/tasks/ike_cert_post.h>
53 #include <sa/tasks/ike_rekey.h>
54 #include <sa/tasks/ike_reauth.h>
55 #include <sa/tasks/ike_delete.h>
56 #include <sa/tasks/ike_dpd.h>
57 #include <sa/tasks/child_create.h>
58 #include <sa/tasks/child_delete.h>
59 #include <sa/tasks/child_rekey.h>
60 #include <processing/jobs/retransmit_job.h>
61 #include <processing/jobs/delete_ike_sa_job.h>
62 #include <processing/jobs/send_dpd_job.h>
63 #include <processing/jobs/send_keepalive_job.h>
64 #include <processing/jobs/rekey_ike_sa_job.h>
65
66 #ifdef ME
67 #include <sa/tasks/ike_me.h>
68 #include <processing/jobs/initiate_mediation_job.h>
69 #endif
70
71 #ifndef RESOLV_CONF
72 #define RESOLV_CONF "/etc/resolv.conf"
73 #endif
74
75 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
76 "CREATED",
77 "CONNECTING",
78 "ESTABLISHED",
79 "REKEYING",
80 "DELETING",
81 );
82
83 typedef struct private_ike_sa_t private_ike_sa_t;
84
85 /**
86 * Private data of an ike_sa_t object.
87 */
88 struct private_ike_sa_t {
89
90 /**
91 * Public members
92 */
93 ike_sa_t public;
94
95 /**
96 * Identifier for the current IKE_SA.
97 */
98 ike_sa_id_t *ike_sa_id;
99
100 /**
101 * unique numerical ID for this IKE_SA.
102 */
103 u_int32_t unique_id;
104
105 /**
106 * Current state of the IKE_SA
107 */
108 ike_sa_state_t state;
109
110 /**
111 * IKE configuration used to set up this IKE_SA
112 */
113 ike_cfg_t *ike_cfg;
114
115 /**
116 * Peer and authentication information to establish IKE_SA.
117 */
118 peer_cfg_t *peer_cfg;
119
120 /**
121 * associated authentication/authorization info for local peer
122 */
123 auth_info_t *my_auth;
124
125 /**
126 * associated authentication/authorization info for remote peer
127 */
128 auth_info_t *other_auth;
129
130 /**
131 * Juggles tasks to process messages
132 */
133 task_manager_t *task_manager;
134
135 /**
136 * Address of local host
137 */
138 host_t *my_host;
139
140 /**
141 * Address of remote host
142 */
143 host_t *other_host;
144
145 #ifdef ME
146 /**
147 * Server reflexive host
148 */
149 host_t *server_reflexive_host;
150
151 /**
152 * Connect ID
153 */
154 chunk_t connect_id;
155 #endif /* ME */
156
157 /**
158 * Identification used for us
159 */
160 identification_t *my_id;
161
162 /**
163 * Identification used for other
164 */
165 identification_t *other_id;
166
167 /**
168 * set of extensions the peer supports
169 */
170 ike_extension_t extensions;
171
172 /**
173 * set of condition flags currently enabled for this IKE_SA
174 */
175 ike_condition_t conditions;
176
177 /**
178 * Linked List containing the child sa's of the current IKE_SA.
179 */
180 linked_list_t *child_sas;
181
182 /**
183 * crypter for inbound traffic
184 */
185 crypter_t *crypter_in;
186
187 /**
188 * crypter for outbound traffic
189 */
190 crypter_t *crypter_out;
191
192 /**
193 * Signer for inbound traffic
194 */
195 signer_t *signer_in;
196
197 /**
198 * Signer for outbound traffic
199 */
200 signer_t *signer_out;
201
202 /**
203 * Multi purpose prf, set key, use it, forget it
204 */
205 prf_t *prf;
206
207 /**
208 * Prf function for derivating keymat child SAs
209 */
210 prf_t *child_prf;
211
212 /**
213 * Key to build outging authentication data (SKp)
214 */
215 chunk_t skp_build;
216
217 /**
218 * Key to verify incoming authentication data (SKp)
219 */
220 chunk_t skp_verify;
221
222 /**
223 * Virtual IP on local host, if any
224 */
225 host_t *my_virtual_ip;
226
227 /**
228 * Virtual IP on remote host, if any
229 */
230 host_t *other_virtual_ip;
231
232 /**
233 * List of DNS servers installed by us
234 */
235 linked_list_t *dns_servers;
236
237 /**
238 * list of peers additional addresses, transmitted via MOBIKE
239 */
240 linked_list_t *additional_addresses;
241
242 /**
243 * number pending UPDATE_SA_ADDRESS (MOBIKE)
244 */
245 u_int32_t pending_updates;
246
247 /**
248 * Timestamps for this IKE_SA
249 */
250 struct {
251 /** last IKE message received */
252 u_int32_t inbound;
253 /** last IKE message sent */
254 u_int32_t outbound;
255 /** when IKE_SA became established */
256 u_int32_t established;
257 /** when IKE_SA gets rekeyed */
258 u_int32_t rekey;
259 /** when IKE_SA gets reauthenticated */
260 u_int32_t reauth;
261 /** when IKE_SA gets deleted */
262 u_int32_t delete;
263 } time;
264
265 /**
266 * how many times we have retried so far (keyingtries)
267 */
268 u_int32_t keyingtry;
269
270 /**
271 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
272 */
273 bool ike_initiator;
274 };
275
276 /**
277 * get the time of the latest traffic processed by the kernel
278 */
279 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
280 {
281 iterator_t *iterator;
282 child_sa_t *child_sa;
283 time_t latest = 0, use_time;
284
285 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
286 while (iterator->iterate(iterator, (void**)&child_sa))
287 {
288 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
289 {
290 latest = max(latest, use_time);
291 }
292 }
293 iterator->destroy(iterator);
294
295 if (inbound)
296 {
297 return max(this->time.inbound, latest);
298 }
299 else
300 {
301 return max(this->time.outbound, latest);
302 }
303 }
304
305 /**
306 * Implementation of ike_sa_t.get_unique_id
307 */
308 static u_int32_t get_unique_id(private_ike_sa_t *this)
309 {
310 return this->unique_id;
311 }
312
313 /**
314 * Implementation of ike_sa_t.get_name.
315 */
316 static char *get_name(private_ike_sa_t *this)
317 {
318 if (this->peer_cfg)
319 {
320 return this->peer_cfg->get_name(this->peer_cfg);
321 }
322 return "(unnamed)";
323 }
324
325 /**
326 * Implementation of ike_sa_t.get_statistic.
327 */
328 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
329 {
330 time_t now = time(NULL);
331
332 switch (kind)
333 {
334 case STAT_REKEY_TIME:
335 if (this->time.rekey > now)
336 {
337 return this->time.rekey - now;
338 }
339 break;
340 case STAT_REAUTH_TIME:
341 if (this->time.reauth > now)
342 {
343 return this->time.reauth - now;
344 }
345 break;
346 default:
347 break;
348 }
349 return 0;
350 }
351
352 /**
353 * Implementation of ike_sa_t.get_my_host.
354 */
355 static host_t *get_my_host(private_ike_sa_t *this)
356 {
357 return this->my_host;
358 }
359
360 /**
361 * Implementation of ike_sa_t.set_my_host.
362 */
363 static void set_my_host(private_ike_sa_t *this, host_t *me)
364 {
365 DESTROY_IF(this->my_host);
366 this->my_host = me;
367 }
368
369 /**
370 * Implementation of ike_sa_t.get_other_host.
371 */
372 static host_t *get_other_host(private_ike_sa_t *this)
373 {
374 return this->other_host;
375 }
376
377 /**
378 * Implementation of ike_sa_t.set_other_host.
379 */
380 static void set_other_host(private_ike_sa_t *this, host_t *other)
381 {
382 DESTROY_IF(this->other_host);
383 this->other_host = other;
384 }
385
386 /**
387 * Implementation of ike_sa_t.get_peer_cfg
388 */
389 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
390 {
391 return this->peer_cfg;
392 }
393
394 /**
395 * Implementation of ike_sa_t.set_peer_cfg
396 */
397 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
398 {
399 peer_cfg->get_ref(peer_cfg);
400 this->peer_cfg = peer_cfg;
401
402 if (this->ike_cfg == NULL)
403 {
404 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
405 this->ike_cfg->get_ref(this->ike_cfg);
406 }
407
408 /* apply values, so we are ready to initate/acquire */
409 if (this->my_host->is_anyaddr(this->my_host))
410 {
411 host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
412 set_my_host(this, me->clone(me));
413 }
414 if (this->other_host->is_anyaddr(this->other_host))
415 {
416 host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
417 set_other_host(this, other->clone(other));
418 }
419 /* apply IDs if they are not already set */
420 if (this->my_id->contains_wildcards(this->my_id))
421 {
422 DESTROY_IF(this->my_id);
423 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
424 this->my_id = this->my_id->clone(this->my_id);
425 }
426 if (this->other_id->contains_wildcards(this->other_id))
427 {
428 DESTROY_IF(this->other_id);
429 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
430 this->other_id = this->other_id->clone(this->other_id);
431 }
432 }
433
434 /**
435 * Implementation of ike_sa_t.get_my_auth.
436 */
437 static auth_info_t* get_my_auth(private_ike_sa_t *this)
438 {
439 return this->my_auth;
440 }
441
442 /**
443 * Implementation of ike_sa_t.get_other_auth.
444 */
445 static auth_info_t* get_other_auth(private_ike_sa_t *this)
446 {
447 return this->other_auth;
448 }
449
450 /**
451 * Implementation of ike_sa_t.send_keepalive
452 */
453 static void send_keepalive(private_ike_sa_t *this)
454 {
455 send_keepalive_job_t *job;
456 time_t last_out, now, diff;
457
458 if (!(this->conditions & COND_NAT_HERE))
459 { /* disable keep alives if we are not NATed anymore */
460 return;
461 }
462
463 last_out = get_use_time(this, FALSE);
464 now = time(NULL);
465
466 diff = now - last_out;
467
468 if (diff >= KEEPALIVE_INTERVAL)
469 {
470 packet_t *packet;
471 chunk_t data;
472
473 packet = packet_create();
474 packet->set_source(packet, this->my_host->clone(this->my_host));
475 packet->set_destination(packet, this->other_host->clone(this->other_host));
476 data.ptr = malloc(1);
477 data.ptr[0] = 0xFF;
478 data.len = 1;
479 packet->set_data(packet, data);
480 DBG1(DBG_IKE, "sending keep alive");
481 charon->sender->send(charon->sender, packet);
482 diff = 0;
483 }
484 job = send_keepalive_job_create(this->ike_sa_id);
485 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
486 (KEEPALIVE_INTERVAL - diff) * 1000);
487 }
488
489 /**
490 * Implementation of ike_sa_t.get_ike_cfg
491 */
492 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
493 {
494 return this->ike_cfg;
495 }
496
497 /**
498 * Implementation of ike_sa_t.set_ike_cfg
499 */
500 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
501 {
502 ike_cfg->get_ref(ike_cfg);
503 this->ike_cfg = ike_cfg;
504 }
505 /**
506 * Implementation of ike_sa_t.enable_extension.
507 */
508 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
509 {
510 this->extensions |= extension;
511 }
512
513 /**
514 * Implementation of ike_sa_t.has_extension.
515 */
516 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
517 {
518 return (this->extensions & extension) != FALSE;
519 }
520
521 /**
522 * Implementation of ike_sa_t.has_condition.
523 */
524 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
525 {
526 return (this->conditions & condition) != FALSE;
527 }
528
529 /**
530 * Implementation of ike_sa_t.enable_condition.
531 */
532 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
533 bool enable)
534 {
535 if (has_condition(this, condition) != enable)
536 {
537 if (enable)
538 {
539 this->conditions |= condition;
540 switch (condition)
541 {
542 case COND_NAT_HERE:
543 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
544 this->conditions |= COND_NAT_ANY;
545 send_keepalive(this);
546 break;
547 case COND_NAT_THERE:
548 DBG1(DBG_IKE, "remote host is behind NAT");
549 this->conditions |= COND_NAT_ANY;
550 break;
551 case COND_NAT_FAKE:
552 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
553 this->conditions |= COND_NAT_ANY;
554 break;
555 default:
556 break;
557 }
558 }
559 else
560 {
561 this->conditions &= ~condition;
562 switch (condition)
563 {
564 case COND_NAT_HERE:
565 case COND_NAT_FAKE:
566 case COND_NAT_THERE:
567 set_condition(this, COND_NAT_ANY,
568 has_condition(this, COND_NAT_HERE) ||
569 has_condition(this, COND_NAT_THERE) ||
570 has_condition(this, COND_NAT_FAKE));
571 break;
572 default:
573 break;
574 }
575 }
576 }
577 }
578
579 /**
580 * Implementation of ike_sa_t.send_dpd
581 */
582 static status_t send_dpd(private_ike_sa_t *this)
583 {
584 send_dpd_job_t *job;
585 time_t diff, delay;
586
587 delay = this->peer_cfg->get_dpd_delay(this->peer_cfg);
588
589 if (delay == 0)
590 {
591 /* DPD disabled */
592 return SUCCESS;
593 }
594
595 if (this->task_manager->busy(this->task_manager))
596 {
597 /* an exchange is in the air, no need to start a DPD check */
598 diff = 0;
599 }
600 else
601 {
602 /* check if there was any inbound traffic */
603 time_t last_in, now;
604 last_in = get_use_time(this, TRUE);
605 now = time(NULL);
606 diff = now - last_in;
607 if (diff >= delay)
608 {
609 /* to long ago, initiate dead peer detection */
610 task_t *task;
611
612 task = (task_t*)ike_dpd_create(TRUE);
613 diff = 0;
614 DBG1(DBG_IKE, "sending DPD request");
615
616 this->task_manager->queue_task(this->task_manager, task);
617 this->task_manager->initiate(this->task_manager);
618 }
619 }
620 /* recheck in "interval" seconds */
621 job = send_dpd_job_create(this->ike_sa_id);
622 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
623 (delay - diff) * 1000);
624 return SUCCESS;
625 }
626
627 /**
628 * Implementation of ike_sa_t.get_state.
629 */
630 static ike_sa_state_t get_state(private_ike_sa_t *this)
631 {
632 return this->state;
633 }
634
635 /**
636 * Implementation of ike_sa_t.set_state.
637 */
638 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
639 {
640 DBG1(DBG_IKE, "IKE_SA '%s' state change: %N => %N",
641 get_name(this),
642 ike_sa_state_names, this->state,
643 ike_sa_state_names, state);
644
645 switch (state)
646 {
647 case IKE_ESTABLISHED:
648 {
649 if (this->state == IKE_CONNECTING)
650 {
651 job_t *job;
652 u_int32_t t;
653
654 /* calculate rekey, reauth and lifetime */
655 this->time.established = time(NULL);
656
657 /* schedule rekeying if we have a time which is smaller than
658 * an already scheduled rekeying */
659 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
660 if (t && (this->time.rekey == 0 ||
661 (this->time.rekey > t + this->time.established)))
662 {
663 this->time.rekey = t + this->time.established;
664 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
665 charon->scheduler->schedule_job(charon->scheduler,
666 job, t * 1000);
667 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
668 }
669 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
670 if (t && (this->time.reauth == 0 ||
671 (this->time.reauth > t + this->time.established)))
672 {
673 this->time.reauth = t + this->time.established;
674 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
675 charon->scheduler->schedule_job(charon->scheduler,
676 job, t * 1000);
677 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
678 }
679 t = this->peer_cfg->get_over_time(this->peer_cfg);
680 if (this->time.rekey || this->time.reauth)
681 {
682 if (this->time.reauth == 0)
683 {
684 this->time.delete = this->time.rekey;
685 }
686 else if (this->time.rekey == 0)
687 {
688 this->time.delete = this->time.reauth;
689 }
690 else
691 {
692 this->time.delete = min(this->time.rekey, this->time.reauth);
693 }
694 this->time.delete += t;
695 t = this->time.delete - this->time.established;
696 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
697 charon->scheduler->schedule_job(charon->scheduler, job,
698 t * 1000);
699 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
700 }
701
702 /* start DPD checks */
703 send_dpd(this);
704 }
705 break;
706 }
707 case IKE_DELETING:
708 {
709 /* delete may fail if a packet gets lost, so set a timeout */
710 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
711 charon->scheduler->schedule_job(charon->scheduler, job,
712 HALF_OPEN_IKE_SA_TIMEOUT);
713 break;
714 }
715 default:
716 break;
717 }
718
719 this->state = state;
720 }
721
722 /**
723 * Implementation of ike_sa_t.reset
724 */
725 static void reset(private_ike_sa_t *this)
726 {
727 /* the responder ID is reset, as peer may choose another one */
728 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
729 {
730 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
731 }
732
733 set_state(this, IKE_CREATED);
734
735 this->task_manager->reset(this->task_manager);
736 }
737
738 /**
739 * Implementation of ike_sa_t.set_virtual_ip
740 */
741 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
742 {
743 if (local)
744 {
745 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
746 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
747 this->my_host) == SUCCESS)
748 {
749 if (this->my_virtual_ip)
750 {
751 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
752 charon->kernel_interface->del_ip(charon->kernel_interface,
753 this->my_virtual_ip);
754 }
755 DESTROY_IF(this->my_virtual_ip);
756 this->my_virtual_ip = ip->clone(ip);
757 }
758 else
759 {
760 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
761 this->my_virtual_ip = NULL;
762 }
763 }
764 else
765 {
766 DESTROY_IF(this->other_virtual_ip);
767 this->other_virtual_ip = ip->clone(ip);
768 }
769 }
770
771 /**
772 * Implementation of ike_sa_t.get_virtual_ip
773 */
774 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
775 {
776 if (local)
777 {
778 return this->my_virtual_ip;
779 }
780 else
781 {
782 return this->other_virtual_ip;
783 }
784 }
785
786 /**
787 * Implementation of ike_sa_t.add_additional_address.
788 */
789 static void add_additional_address(private_ike_sa_t *this, host_t *host)
790 {
791 this->additional_addresses->insert_last(this->additional_addresses, host);
792 }
793
794 /**
795 * Implementation of ike_sa_t.create_additional_address_iterator.
796 */
797 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
798 {
799 return this->additional_addresses->create_iterator(
800 this->additional_addresses, TRUE);
801 }
802
803 /**
804 * Implementation of ike_sa_t.set_pending_updates.
805 */
806 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
807 {
808 this->pending_updates = updates;
809 }
810
811 /**
812 * Implementation of ike_sa_t.get_pending_updates.
813 */
814 static u_int32_t get_pending_updates(private_ike_sa_t *this)
815 {
816 return this->pending_updates;
817 }
818
819 /**
820 * Update hosts, as addresses may change (NAT)
821 */
822 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
823 {
824 bool update = FALSE;
825
826 if (supports_extension(this, EXT_MOBIKE))
827 { /* if peer speaks mobike, address updates are explicit only */
828 return;
829 }
830
831 if (me == NULL)
832 {
833 me = this->my_host;
834 }
835 if (other == NULL)
836 {
837 other = this->other_host;
838 }
839
840 /* apply hosts on first received message */
841 if (this->my_host->is_anyaddr(this->my_host) ||
842 this->other_host->is_anyaddr(this->other_host))
843 {
844 set_my_host(this, me->clone(me));
845 set_other_host(this, other->clone(other));
846 update = TRUE;
847 }
848 else
849 {
850 /* update our address in any case */
851 if (!me->equals(me, this->my_host))
852 {
853 set_my_host(this, me->clone(me));
854 update = TRUE;
855 }
856
857 if (!other->equals(other, this->other_host))
858 {
859 /* update others adress if we are NOT NATed,
860 * and allow port changes if we are NATed */
861 if (!has_condition(this, COND_NAT_HERE) ||
862 other->ip_equals(other, this->other_host))
863 {
864 set_other_host(this, other->clone(other));
865 update = TRUE;
866 }
867 }
868 }
869
870 /* update all associated CHILD_SAs, if required */
871 if (update)
872 {
873 iterator_t *iterator;
874 child_sa_t *child_sa;
875
876 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
877 while (iterator->iterate(iterator, (void**)&child_sa))
878 {
879 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
880 has_condition(this, COND_NAT_ANY));
881 }
882 iterator->destroy(iterator);
883 }
884 }
885
886 /**
887 * Implementation of ike_sa_t.generate
888 */
889 static status_t generate_message(private_ike_sa_t *this, message_t *message,
890 packet_t **packet)
891 {
892 this->time.outbound = time(NULL);
893 message->set_ike_sa_id(message, this->ike_sa_id);
894 return message->generate(message, this->crypter_out, this->signer_out, packet);
895 }
896
897 /**
898 * send a notify back to the sender
899 */
900 static void send_notify_response(private_ike_sa_t *this, message_t *request,
901 notify_type_t type)
902 {
903 message_t *response;
904 packet_t *packet;
905
906 response = message_create();
907 response->set_exchange_type(response, request->get_exchange_type(request));
908 response->set_request(response, FALSE);
909 response->set_message_id(response, request->get_message_id(request));
910 response->add_notify(response, FALSE, type, chunk_empty);
911 if (this->my_host->is_anyaddr(this->my_host))
912 {
913 this->my_host->destroy(this->my_host);
914 this->my_host = request->get_destination(request);
915 this->my_host = this->my_host->clone(this->my_host);
916 }
917 if (this->other_host->is_anyaddr(this->other_host))
918 {
919 this->other_host->destroy(this->other_host);
920 this->other_host = request->get_source(request);
921 this->other_host = this->other_host->clone(this->other_host);
922 }
923 response->set_source(response, this->my_host->clone(this->my_host));
924 response->set_destination(response, this->other_host->clone(this->other_host));
925 if (generate_message(this, response, &packet) == SUCCESS)
926 {
927 charon->sender->send(charon->sender, packet);
928 }
929 response->destroy(response);
930 }
931
932 #ifdef ME
933 /**
934 * Implementation of ike_sa_t.get_server_reflexive_host.
935 */
936 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
937 {
938 return this->server_reflexive_host;
939 }
940
941 /**
942 * Implementation of ike_sa_t.set_server_reflexive_host.
943 */
944 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
945 {
946 DESTROY_IF(this->server_reflexive_host);
947 this->server_reflexive_host = host;
948 }
949
950 /**
951 * Implementation of ike_sa_t.get_connect_id.
952 */
953 static chunk_t get_connect_id(private_ike_sa_t *this)
954 {
955 return this->connect_id;
956 }
957
958 /**
959 * Implementation of ike_sa_t.respond
960 */
961 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
962 chunk_t connect_id)
963 {
964 ike_me_t *task = ike_me_create(&this->public, TRUE);
965 task->respond(task, peer_id, connect_id);
966 this->task_manager->queue_task(this->task_manager, (task_t*)task);
967 return this->task_manager->initiate(this->task_manager);
968 }
969
970 /**
971 * Implementation of ike_sa_t.callback
972 */
973 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
974 {
975 ike_me_t *task = ike_me_create(&this->public, TRUE);
976 task->callback(task, peer_id);
977 this->task_manager->queue_task(this->task_manager, (task_t*)task);
978 return this->task_manager->initiate(this->task_manager);
979 }
980
981 /**
982 * Implementation of ike_sa_t.relay
983 */
984 static status_t relay(private_ike_sa_t *this, identification_t *requester,
985 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
986 {
987 ike_me_t *task = ike_me_create(&this->public, TRUE);
988 task->relay(task, requester, connect_id, connect_key, endpoints, response);
989 this->task_manager->queue_task(this->task_manager, (task_t*)task);
990 return this->task_manager->initiate(this->task_manager);
991 }
992
993 /**
994 * Implementation of ike_sa_t.initiate_mediation
995 */
996 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
997 {
998 ike_me_t *task = ike_me_create(&this->public, TRUE);
999 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1000 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1001 return this->task_manager->initiate(this->task_manager);
1002 }
1003
1004 /**
1005 * Implementation of ike_sa_t.initiate_mediated
1006 */
1007 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1008 linked_list_t *childs, chunk_t connect_id)
1009 {
1010 this->my_host = me->clone(me);
1011 this->other_host = other->clone(other);
1012 this->connect_id = chunk_clone(connect_id);
1013
1014 task_t *task;
1015 child_cfg_t *child_cfg;
1016 iterator_t *iterator = childs->create_iterator(childs, TRUE);
1017 while (iterator->iterate(iterator, (void**)&child_cfg))
1018 {
1019 task = (task_t*)child_create_create(&this->public, child_cfg);
1020 this->task_manager->queue_task(this->task_manager, task);
1021 }
1022 iterator->destroy(iterator);
1023 return this->task_manager->initiate(this->task_manager);
1024 }
1025 #endif /* ME */
1026
1027 /**
1028 * Implementation of ike_sa_t.initiate.
1029 */
1030 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1031 {
1032 task_t *task;
1033
1034 if (this->state == IKE_CREATED)
1035 {
1036 if (this->other_host->is_anyaddr(this->other_host)
1037 #ifdef ME
1038 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1039 #endif /* ME */
1040 )
1041 {
1042 child_cfg->destroy(child_cfg);
1043 SIG(IKE_UP_START, "initiating IKE_SA");
1044 SIG(IKE_UP_FAILED, "unable to initiate to %%any");
1045 return DESTROY_ME;
1046 }
1047
1048 this->ike_initiator = TRUE;
1049
1050 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1051 this->task_manager->queue_task(this->task_manager, task);
1052 task = (task_t*)ike_natd_create(&this->public, TRUE);
1053 this->task_manager->queue_task(this->task_manager, task);
1054 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1055 this->task_manager->queue_task(this->task_manager, task);
1056 task = (task_t*)ike_auth_create(&this->public, TRUE);
1057 this->task_manager->queue_task(this->task_manager, task);
1058 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1059 this->task_manager->queue_task(this->task_manager, task);
1060 task = (task_t*)ike_config_create(&this->public, TRUE);
1061 this->task_manager->queue_task(this->task_manager, task);
1062 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1063 this->task_manager->queue_task(this->task_manager, task);
1064 if (this->peer_cfg->use_mobike(this->peer_cfg))
1065 {
1066 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1067 this->task_manager->queue_task(this->task_manager, task);
1068 }
1069 #ifdef ME
1070 task = (task_t*)ike_me_create(&this->public, TRUE);
1071 this->task_manager->queue_task(this->task_manager, task);
1072 #endif /* ME */
1073 }
1074
1075 #ifdef ME
1076 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1077 {
1078 /* mediated connection, initiate mediation process */
1079 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id, child_cfg);
1080 child_cfg->destroy(child_cfg);
1081 charon->processor->queue_job(charon->processor, job);
1082 return SUCCESS;
1083 }
1084 else if (this->peer_cfg->is_mediation(this->peer_cfg))
1085 {
1086 if (this->state == IKE_ESTABLISHED)
1087 { /* FIXME: we should try to find a better solution to this */
1088 SIG(CHILD_UP_SUCCESS, "mediation connection is already up and running");
1089 }
1090 }
1091 else
1092 #endif /* ME */
1093 {
1094 /* normal IKE_SA with CHILD_SA */
1095 task = (task_t*)child_create_create(&this->public, child_cfg);
1096 child_cfg->destroy(child_cfg);
1097 this->task_manager->queue_task(this->task_manager, task);
1098 }
1099
1100 return this->task_manager->initiate(this->task_manager);
1101 }
1102
1103 /**
1104 * Implementation of ike_sa_t.acquire.
1105 */
1106 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1107 { /* FIXME: IKE-ME */
1108 child_cfg_t *child_cfg;
1109 iterator_t *iterator;
1110 child_sa_t *current, *child_sa = NULL;
1111 task_t *task;
1112 child_create_t *child_create;
1113
1114 if (this->state == IKE_DELETING)
1115 {
1116 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1117 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1118 "IKE_SA is deleting", reqid);
1119 return FAILED;
1120 }
1121
1122 /* find CHILD_SA */
1123 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1124 while (iterator->iterate(iterator, (void**)&current))
1125 {
1126 if (current->get_reqid(current) == reqid)
1127 {
1128 child_sa = current;
1129 break;
1130 }
1131 }
1132 iterator->destroy(iterator);
1133 if (!child_sa)
1134 {
1135 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1136 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1137 "CHILD_SA not found", reqid);
1138 return FAILED;
1139 }
1140
1141
1142 if (this->state == IKE_CREATED)
1143 {
1144 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1145 this->task_manager->queue_task(this->task_manager, task);
1146 task = (task_t*)ike_natd_create(&this->public, TRUE);
1147 this->task_manager->queue_task(this->task_manager, task);
1148 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1149 this->task_manager->queue_task(this->task_manager, task);
1150 task = (task_t*)ike_auth_create(&this->public, TRUE);
1151 this->task_manager->queue_task(this->task_manager, task);
1152 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1153 this->task_manager->queue_task(this->task_manager, task);
1154 task = (task_t*)ike_config_create(&this->public, TRUE);
1155 this->task_manager->queue_task(this->task_manager, task);
1156 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1157 this->task_manager->queue_task(this->task_manager, task);
1158 if (this->peer_cfg->use_mobike(this->peer_cfg))
1159 {
1160 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1161 this->task_manager->queue_task(this->task_manager, task);
1162 }
1163 }
1164
1165 child_cfg = child_sa->get_config(child_sa);
1166 child_create = child_create_create(&this->public, child_cfg);
1167 child_create->use_reqid(child_create, reqid);
1168 this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
1169
1170 return this->task_manager->initiate(this->task_manager);
1171 }
1172
1173 /**
1174 * Implementation of ike_sa_t.route.
1175 */
1176 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1177 {
1178 child_sa_t *child_sa;
1179 iterator_t *iterator;
1180 linked_list_t *my_ts, *other_ts;
1181 host_t *me, *other;
1182 status_t status;
1183
1184 SIG(CHILD_ROUTE_START, "routing CHILD_SA");
1185
1186 /* check if not already routed*/
1187 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1188 while (iterator->iterate(iterator, (void**)&child_sa))
1189 {
1190 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1191 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1192 {
1193 iterator->destroy(iterator);
1194 SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
1195 return FAILED;
1196 }
1197 }
1198 iterator->destroy(iterator);
1199
1200 switch (this->state)
1201 {
1202 case IKE_DELETING:
1203 case IKE_REKEYING:
1204 SIG(CHILD_ROUTE_FAILED,
1205 "unable to route CHILD_SA, as its IKE_SA gets deleted");
1206 return FAILED;
1207 case IKE_CREATED:
1208 case IKE_CONNECTING:
1209 case IKE_ESTABLISHED:
1210 default:
1211 break;
1212 }
1213
1214 /* install kernel policies */
1215 child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
1216 this->other_id, child_cfg, FALSE, 0);
1217 me = this->my_host;
1218 if (this->my_virtual_ip)
1219 {
1220 me = this->my_virtual_ip;
1221 }
1222 other = this->other_host;
1223 if (this->other_virtual_ip)
1224 {
1225 other = this->other_virtual_ip;
1226 }
1227
1228 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1229 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1230 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1231 child_cfg->get_mode(child_cfg));
1232 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1233 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1234 if (status == SUCCESS)
1235 {
1236 this->child_sas->insert_last(this->child_sas, child_sa);
1237 SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
1238 }
1239 else
1240 {
1241 SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
1242 }
1243 return status;
1244 }
1245
1246 /**
1247 * Implementation of ike_sa_t.unroute.
1248 */
1249 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1250 {
1251 iterator_t *iterator;
1252 child_sa_t *child_sa;
1253 bool found = FALSE;
1254
1255 SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
1256
1257 /* find CHILD_SA in ROUTED state */
1258 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1259 while (iterator->iterate(iterator, (void**)&child_sa))
1260 {
1261 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1262 child_sa->get_reqid(child_sa) == reqid)
1263 {
1264 iterator->remove(iterator);
1265 SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
1266 child_sa->destroy(child_sa);
1267 found = TRUE;
1268 break;
1269 }
1270 }
1271 iterator->destroy(iterator);
1272
1273 if (!found)
1274 {
1275 SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
1276 return FAILED;
1277 }
1278 /* if we are not established, and we have no more routed childs, remove whole SA */
1279 if (this->state == IKE_CREATED &&
1280 this->child_sas->get_count(this->child_sas) == 0)
1281 {
1282 return DESTROY_ME;
1283 }
1284 return SUCCESS;
1285 }
1286 /**
1287 * Implementation of ike_sa_t.process_message.
1288 */
1289 static status_t process_message(private_ike_sa_t *this, message_t *message)
1290 {
1291 status_t status;
1292 bool is_request;
1293
1294 is_request = message->get_request(message);
1295
1296 status = message->parse_body(message, this->crypter_in, this->signer_in);
1297 if (status != SUCCESS)
1298 {
1299
1300 if (is_request)
1301 {
1302 switch (status)
1303 {
1304 case NOT_SUPPORTED:
1305 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1306 if (is_request)
1307 {
1308 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1309 }
1310 break;
1311 case PARSE_ERROR:
1312 DBG1(DBG_IKE, "message parsing failed");
1313 if (is_request)
1314 {
1315 send_notify_response(this, message, INVALID_SYNTAX);
1316 }
1317 break;
1318 case VERIFY_ERROR:
1319 DBG1(DBG_IKE, "message verification failed");
1320 if (is_request)
1321 {
1322 send_notify_response(this, message, INVALID_SYNTAX);
1323 }
1324 break;
1325 case FAILED:
1326 DBG1(DBG_IKE, "integrity check failed");
1327 /* ignored */
1328 break;
1329 case INVALID_STATE:
1330 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1331 if (is_request)
1332 {
1333 send_notify_response(this, message, INVALID_SYNTAX);
1334 }
1335 default:
1336 break;
1337 }
1338 }
1339 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1340 exchange_type_names, message->get_exchange_type(message),
1341 message->get_request(message) ? "request" : "response",
1342 message->get_message_id(message));
1343 return status;
1344 }
1345 else
1346 {
1347 host_t *me, *other;
1348 private_ike_sa_t *new;
1349 iterator_t *iterator;
1350 child_sa_t *child;
1351 bool has_routed = FALSE;
1352
1353 me = message->get_destination(message);
1354 other = message->get_source(message);
1355
1356 /* if this IKE_SA is virgin, we check for a config */
1357 if (this->ike_cfg == NULL)
1358 {
1359 job_t *job;
1360 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1361 me, other);
1362 if (this->ike_cfg == NULL)
1363 {
1364 /* no config found for these hosts, destroy */
1365 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1366 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1367 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1368 return DESTROY_ME;
1369 }
1370 /* add a timeout if peer does not establish it completely */
1371 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1372 charon->scheduler->schedule_job(charon->scheduler, job,
1373 HALF_OPEN_IKE_SA_TIMEOUT);
1374 }
1375
1376 /* check if message is trustworthy, and update host information */
1377 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1378 message->get_exchange_type(message) != IKE_SA_INIT)
1379 {
1380 update_hosts(this, me, other);
1381 this->time.inbound = time(NULL);
1382 }
1383 status = this->task_manager->process_message(this->task_manager, message);
1384 if (status != DESTROY_ME)
1385 {
1386 return status;
1387 }
1388 /* if IKE_SA gets closed for any reasons, reroute routed children */
1389 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1390 while (iterator->iterate(iterator, (void**)&child))
1391 {
1392 if (child->get_state(child) == CHILD_ROUTED)
1393 {
1394 has_routed = TRUE;
1395 break;
1396 }
1397 }
1398 iterator->destroy(iterator);
1399 if (!has_routed)
1400 {
1401 return status;
1402 }
1403 /* move routed children to a new IKE_SA, apply connection info */
1404 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1405 charon->ike_sa_manager, TRUE);
1406 set_peer_cfg(new, this->peer_cfg);
1407 new->other_host->destroy(new->other_host);
1408 new->other_host = this->other_host->clone(this->other_host);
1409 if (!has_condition(this, COND_NAT_THERE))
1410 {
1411 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1412 }
1413 if (this->my_virtual_ip)
1414 {
1415 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1416 }
1417 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1418 while (iterator->iterate(iterator, (void**)&child))
1419 {
1420 if (child->get_state(child) == CHILD_ROUTED)
1421 {
1422 route(new, child->get_config(child));
1423 }
1424 }
1425 iterator->destroy(iterator);
1426 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1427 return status;
1428 }
1429 }
1430
1431 /**
1432 * Implementation of ike_sa_t.retransmit.
1433 */
1434 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1435 { /* FIXME: IKE-ME */
1436 this->time.outbound = time(NULL);
1437 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1438 {
1439 child_cfg_t *child_cfg;
1440 child_sa_t* child_sa;
1441 linked_list_t *to_route, *to_restart;
1442 iterator_t *iterator;
1443
1444 /* send a proper signal to brief interested bus listeners */
1445 switch (this->state)
1446 {
1447 case IKE_CONNECTING:
1448 {
1449 /* retry IKE_SA_INIT if we have multiple keyingtries */
1450 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1451 this->keyingtry++;
1452 if (tries == 0 || tries > this->keyingtry)
1453 {
1454 SIG(IKE_UP_FAILED, "peer not responding, trying again "
1455 "(%d/%d) in background ", this->keyingtry + 1, tries);
1456 reset(this);
1457 return this->task_manager->initiate(this->task_manager);
1458 }
1459 SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
1460 break;
1461 }
1462 case IKE_REKEYING:
1463 SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
1464 break;
1465 case IKE_DELETING:
1466 SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
1467 break;
1468 default:
1469 break;
1470 }
1471
1472 /* summarize how we have to handle each child */
1473 to_route = linked_list_create();
1474 to_restart = linked_list_create();
1475 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1476 while (iterator->iterate(iterator, (void**)&child_sa))
1477 {
1478 child_cfg = child_sa->get_config(child_sa);
1479
1480 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
1481 {
1482 /* reroute routed CHILD_SAs */
1483 to_route->insert_last(to_route, child_cfg);
1484 }
1485 else
1486 {
1487 /* use DPD action for established CHILD_SAs */
1488 switch (this->peer_cfg->get_dpd_action(this->peer_cfg))
1489 {
1490 case DPD_ROUTE:
1491 to_route->insert_last(to_route, child_cfg);
1492 break;
1493 case DPD_RESTART:
1494 to_restart->insert_last(to_restart, child_cfg);
1495 break;
1496 default:
1497 break;
1498 }
1499 }
1500 }
1501 iterator->destroy(iterator);
1502
1503 /* create a new IKE_SA if we have to route or to restart */
1504 if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
1505 {
1506 private_ike_sa_t *new;
1507 task_t *task;
1508
1509 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1510 charon->ike_sa_manager, TRUE);
1511
1512 set_peer_cfg(new, this->peer_cfg);
1513 /* use actual used host, not the wildcarded one in config */
1514 new->other_host->destroy(new->other_host);
1515 new->other_host = this->other_host->clone(this->other_host);
1516 /* reset port to 500, but only if peer is not NATed */
1517 if (!has_condition(this, COND_NAT_THERE))
1518 {
1519 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1520 }
1521 /* take over virtual ip, as we need it for a proper route */
1522 if (this->my_virtual_ip)
1523 {
1524 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1525 }
1526
1527 /* install routes */
1528 while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
1529 {
1530 route(new, child_cfg);
1531 }
1532
1533 /* restart children */
1534 if (to_restart->get_count(to_restart))
1535 {
1536 task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
1537 new->task_manager->queue_task(new->task_manager, task);
1538 task = (task_t*)ike_natd_create(&new->public, TRUE);
1539 new->task_manager->queue_task(new->task_manager, task);
1540 task = (task_t*)ike_cert_pre_create(&new->public, TRUE);
1541 new->task_manager->queue_task(new->task_manager, task);
1542 task = (task_t*)ike_config_create(&new->public, TRUE);
1543 new->task_manager->queue_task(new->task_manager, task);
1544 task = (task_t*)ike_auth_create(&new->public, TRUE);
1545 new->task_manager->queue_task(new->task_manager, task);
1546 task = (task_t*)ike_cert_post_create(&new->public, TRUE);
1547 new->task_manager->queue_task(new->task_manager, task);
1548
1549 while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS)
1550 {
1551 task = (task_t*)child_create_create(&new->public, child_cfg);
1552 new->task_manager->queue_task(new->task_manager, task);
1553 }
1554 task = (task_t*)ike_auth_lifetime_create(&new->public, TRUE);
1555 new->task_manager->queue_task(new->task_manager, task);
1556 if (this->peer_cfg->use_mobike(this->peer_cfg))
1557 {
1558 task = (task_t*)ike_mobike_create(&new->public, TRUE);
1559 new->task_manager->queue_task(new->task_manager, task);
1560 }
1561 new->task_manager->initiate(new->task_manager);
1562 }
1563 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1564 }
1565 to_route->destroy(to_route);
1566 to_restart->destroy(to_restart);
1567 return DESTROY_ME;
1568 }
1569 return SUCCESS;
1570 }
1571
1572 /**
1573 * Implementation of ike_sa_t.get_prf.
1574 */
1575 static prf_t *get_prf(private_ike_sa_t *this)
1576 {
1577 return this->prf;
1578 }
1579
1580 /**
1581 * Implementation of ike_sa_t.get_prf.
1582 */
1583 static prf_t *get_child_prf(private_ike_sa_t *this)
1584 {
1585 return this->child_prf;
1586 }
1587
1588 /**
1589 * Implementation of ike_sa_t.get_skp_bild
1590 */
1591 static chunk_t get_skp_build(private_ike_sa_t *this)
1592 {
1593 return this->skp_build;
1594 }
1595
1596 /**
1597 * Implementation of ike_sa_t.get_skp_verify
1598 */
1599 static chunk_t get_skp_verify(private_ike_sa_t *this)
1600 {
1601 return this->skp_verify;
1602 }
1603
1604 /**
1605 * Implementation of ike_sa_t.get_id.
1606 */
1607 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1608 {
1609 return this->ike_sa_id;
1610 }
1611
1612 /**
1613 * Implementation of ike_sa_t.get_my_id.
1614 */
1615 static identification_t* get_my_id(private_ike_sa_t *this)
1616 {
1617 return this->my_id;
1618 }
1619
1620 /**
1621 * Implementation of ike_sa_t.set_my_id.
1622 */
1623 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1624 {
1625 DESTROY_IF(this->my_id);
1626 this->my_id = me;
1627 }
1628
1629 /**
1630 * Implementation of ike_sa_t.get_other_id.
1631 */
1632 static identification_t* get_other_id(private_ike_sa_t *this)
1633 {
1634 return this->other_id;
1635 }
1636
1637 /**
1638 * Implementation of ike_sa_t.set_other_id.
1639 */
1640 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1641 {
1642 DESTROY_IF(this->other_id);
1643 this->other_id = other;
1644 }
1645
1646 /**
1647 * Implementation of ike_sa_t.derive_keys.
1648 */
1649 static status_t derive_keys(private_ike_sa_t *this,
1650 proposal_t *proposal, chunk_t secret,
1651 chunk_t nonce_i, chunk_t nonce_r,
1652 bool initiator, prf_t *child_prf, prf_t *old_prf)
1653 {
1654 prf_plus_t *prf_plus;
1655 chunk_t skeyseed, key, nonces, prf_plus_seed;
1656 u_int16_t alg, key_size;
1657 crypter_t *crypter_i, *crypter_r;
1658 signer_t *signer_i, *signer_r;
1659 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1660 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1661 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1662
1663 /* Create SAs general purpose PRF first, we may use it here */
1664 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
1665 {
1666 DBG1(DBG_IKE, "no %N selected",
1667 transform_type_names, PSEUDO_RANDOM_FUNCTION);
1668 return FAILED;
1669 }
1670 this->prf = lib->crypto->create_prf(lib->crypto, alg);
1671 if (this->prf == NULL)
1672 {
1673 DBG1(DBG_IKE, "%N %N not supported!",
1674 transform_type_names, PSEUDO_RANDOM_FUNCTION,
1675 pseudo_random_function_names, alg);
1676 return FAILED;
1677 }
1678
1679 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1680 nonces = chunk_cat("cc", nonce_i, nonce_r);
1681 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1682 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1683 prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
1684
1685 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1686 *
1687 * if we are rekeying, SKEYSEED is built on another way
1688 */
1689 if (child_prf == NULL) /* not rekeying */
1690 {
1691 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1692 this->prf->set_key(this->prf, nonces);
1693 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1694 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1695 this->prf->set_key(this->prf, skeyseed);
1696 chunk_free(&skeyseed);
1697 chunk_free(&secret);
1698 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1699 }
1700 else
1701 {
1702 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1703 * use OLD SAs PRF functions for both prf_plus and prf */
1704 secret = chunk_cat("mc", secret, nonces);
1705 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1706 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1707 old_prf->set_key(old_prf, skeyseed);
1708 chunk_free(&skeyseed);
1709 chunk_free(&secret);
1710 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1711 }
1712 chunk_free(&nonces);
1713 chunk_free(&prf_plus_seed);
1714
1715 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1716
1717 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1718 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL);
1719 this->child_prf = lib->crypto->create_prf(lib->crypto, alg);
1720 key_size = this->child_prf->get_key_size(this->child_prf);
1721 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1722 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1723 this->child_prf->set_key(this->child_prf, key);
1724 chunk_free(&key);
1725
1726 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1727 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
1728 {
1729 DBG1(DBG_IKE, "no %N selected",
1730 transform_type_names, INTEGRITY_ALGORITHM);
1731 return FAILED;
1732 }
1733 signer_i = lib->crypto->create_signer(lib->crypto, alg);
1734 signer_r = lib->crypto->create_signer(lib->crypto, alg);
1735 if (signer_i == NULL || signer_r == NULL)
1736 {
1737 DBG1(DBG_IKE, "%N %N not supported!",
1738 transform_type_names, INTEGRITY_ALGORITHM,
1739 integrity_algorithm_names ,alg);
1740 prf_plus->destroy(prf_plus);
1741 return FAILED;
1742 }
1743 key_size = signer_i->get_key_size(signer_i);
1744
1745 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1746 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1747 signer_i->set_key(signer_i, key);
1748 chunk_free(&key);
1749
1750 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1751 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1752 signer_r->set_key(signer_r, key);
1753 chunk_free(&key);
1754
1755 if (initiator)
1756 {
1757 this->signer_in = signer_r;
1758 this->signer_out = signer_i;
1759 }
1760 else
1761 {
1762 this->signer_in = signer_i;
1763 this->signer_out = signer_r;
1764 }
1765
1766 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1767 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
1768 {
1769 DBG1(DBG_IKE, "no %N selected",
1770 transform_type_names, ENCRYPTION_ALGORITHM);
1771 prf_plus->destroy(prf_plus);
1772 return FAILED;
1773 }
1774 crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1775 crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1776 if (crypter_i == NULL || crypter_r == NULL)
1777 {
1778 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
1779 transform_type_names, ENCRYPTION_ALGORITHM,
1780 encryption_algorithm_names, alg, key_size);
1781 prf_plus->destroy(prf_plus);
1782 return FAILED;
1783 }
1784 key_size = crypter_i->get_key_size(crypter_i);
1785
1786 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1787 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1788 crypter_i->set_key(crypter_i, key);
1789 chunk_free(&key);
1790
1791 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1792 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1793 crypter_r->set_key(crypter_r, key);
1794 chunk_free(&key);
1795
1796 if (initiator)
1797 {
1798 this->crypter_in = crypter_r;
1799 this->crypter_out = crypter_i;
1800 }
1801 else
1802 {
1803 this->crypter_in = crypter_i;
1804 this->crypter_out = crypter_r;
1805 }
1806
1807 /* SK_pi/SK_pr used for authentication => stored for later */
1808 key_size = this->prf->get_key_size(this->prf);
1809 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1810 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1811 if (initiator)
1812 {
1813 this->skp_build = key;
1814 }
1815 else
1816 {
1817 this->skp_verify = key;
1818 }
1819 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1820 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1821 if (initiator)
1822 {
1823 this->skp_verify = key;
1824 }
1825 else
1826 {
1827 this->skp_build = key;
1828 }
1829
1830 /* all done, prf_plus not needed anymore */
1831 prf_plus->destroy(prf_plus);
1832
1833 return SUCCESS;
1834 }
1835
1836 /**
1837 * Implementation of ike_sa_t.add_child_sa.
1838 */
1839 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1840 {
1841 this->child_sas->insert_last(this->child_sas, child_sa);
1842 }
1843
1844 /**
1845 * Implementation of ike_sa_t.get_child_sa.
1846 */
1847 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1848 u_int32_t spi, bool inbound)
1849 {
1850 iterator_t *iterator;
1851 child_sa_t *current, *found = NULL;
1852
1853 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1854 while (iterator->iterate(iterator, (void**)&current))
1855 {
1856 if (current->get_spi(current, inbound) == spi &&
1857 current->get_protocol(current) == protocol)
1858 {
1859 found = current;
1860 }
1861 }
1862 iterator->destroy(iterator);
1863 return found;
1864 }
1865
1866 /**
1867 * Implementation of ike_sa_t.create_child_sa_iterator.
1868 */
1869 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1870 {
1871 return this->child_sas->create_iterator(this->child_sas, TRUE);
1872 }
1873
1874 /**
1875 * Implementation of ike_sa_t.rekey_child_sa.
1876 */
1877 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1878 {
1879 child_sa_t *child_sa;
1880 child_rekey_t *child_rekey;
1881
1882 child_sa = get_child_sa(this, protocol, spi, TRUE);
1883 if (child_sa)
1884 {
1885 child_rekey = child_rekey_create(&this->public, child_sa);
1886 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1887 return this->task_manager->initiate(this->task_manager);
1888 }
1889 return FAILED;
1890 }
1891
1892 /**
1893 * Implementation of ike_sa_t.delete_child_sa.
1894 */
1895 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1896 {
1897 child_sa_t *child_sa;
1898 child_delete_t *child_delete;
1899
1900 child_sa = get_child_sa(this, protocol, spi, TRUE);
1901 if (child_sa)
1902 {
1903 child_delete = child_delete_create(&this->public, child_sa);
1904 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1905 return this->task_manager->initiate(this->task_manager);
1906 }
1907 return FAILED;
1908 }
1909
1910 /**
1911 * Implementation of ike_sa_t.destroy_child_sa.
1912 */
1913 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1914 u_int32_t spi)
1915 {
1916 iterator_t *iterator;
1917 child_sa_t *child_sa;
1918 status_t status = NOT_FOUND;
1919
1920 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1921 while (iterator->iterate(iterator, (void**)&child_sa))
1922 {
1923 if (child_sa->get_protocol(child_sa) == protocol &&
1924 child_sa->get_spi(child_sa, TRUE) == spi)
1925 {
1926 child_sa->destroy(child_sa);
1927 iterator->remove(iterator);
1928 status = SUCCESS;
1929 break;
1930 }
1931 }
1932 iterator->destroy(iterator);
1933 return status;
1934 }
1935
1936 /**
1937 * Implementation of public_ike_sa_t.delete.
1938 */
1939 static status_t delete_(private_ike_sa_t *this)
1940 {
1941 ike_delete_t *ike_delete;
1942
1943 switch (this->state)
1944 {
1945 case IKE_ESTABLISHED:
1946 case IKE_REKEYING:
1947 ike_delete = ike_delete_create(&this->public, TRUE);
1948 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1949 return this->task_manager->initiate(this->task_manager);
1950 case IKE_CREATED:
1951 SIG(IKE_DOWN_SUCCESS, "deleting unestablished IKE_SA");
1952 break;
1953 default:
1954 SIG(IKE_DOWN_SUCCESS, "destroying IKE_SA in state %N "
1955 "without notification", ike_sa_state_names, this->state);
1956 break;
1957 }
1958 return DESTROY_ME;
1959 }
1960
1961 /**
1962 * Implementation of ike_sa_t.rekey.
1963 */
1964 static status_t rekey(private_ike_sa_t *this)
1965 {
1966 ike_rekey_t *ike_rekey;
1967
1968 ike_rekey = ike_rekey_create(&this->public, TRUE);
1969
1970 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1971 return this->task_manager->initiate(this->task_manager);
1972 }
1973
1974 /**
1975 * Implementation of ike_sa_t.reestablish
1976 */
1977 static status_t reestablish(private_ike_sa_t *this)
1978 {
1979 task_t *task;
1980
1981 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1982 * If the peer does not support RFC4478, there is no way to keep the
1983 * IKE_SA up. */
1984 if (!this->ike_initiator)
1985 {
1986 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1987 if (this->other_virtual_ip != NULL ||
1988 has_condition(this, COND_EAP_AUTHENTICATED))
1989 {
1990 time_t now = time(NULL);
1991
1992 DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
1993 return FAILED;
1994 }
1995 else
1996 {
1997 DBG1(DBG_IKE, "reauthenticating actively");
1998 }
1999 }
2000 task = (task_t*)ike_reauth_create(&this->public);
2001 this->task_manager->queue_task(this->task_manager, task);
2002
2003 return this->task_manager->initiate(this->task_manager);
2004 }
2005
2006 /**
2007 * Implementation of ike_sa_t.set_auth_lifetime.
2008 */
2009 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
2010 {
2011 job_t *job;
2012 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
2013
2014 this->time.reauth = time(NULL) + lifetime - reduction;
2015 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
2016
2017 if (lifetime < reduction)
2018 {
2019 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
2020 lifetime);
2021 charon->processor->queue_job(charon->processor, job);
2022 }
2023 else
2024 {
2025 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
2026 " in %ds", lifetime, lifetime - reduction);
2027 charon->scheduler->schedule_job(charon->scheduler, job,
2028 (lifetime - reduction) * 1000);
2029 }
2030 }
2031
2032 /**
2033 * Implementation of ike_sa_t.roam.
2034 */
2035 static status_t roam(private_ike_sa_t *this, bool address)
2036 {
2037 host_t *me, *other;
2038 ike_mobike_t *mobike;
2039
2040 /* responder just updates the peer about changed address config */
2041 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
2042 {
2043 if (supports_extension(this, EXT_MOBIKE) && address)
2044 {
2045 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2046 mobike = ike_mobike_create(&this->public, TRUE);
2047 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2048 return this->task_manager->initiate(this->task_manager);
2049 }
2050 return SUCCESS;
2051 }
2052
2053 /* get best address pair to use */
2054 other = this->other_host;
2055 me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
2056 other);
2057
2058 if (me)
2059 {
2060 if (me->ip_equals(me, this->my_host) &&
2061 other->ip_equals(other, this->other_host))
2062 {
2063 DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
2064 me->destroy(me);
2065 return SUCCESS;
2066 }
2067 me->destroy(me);
2068 }
2069
2070 /* update addresses with mobike, if supported ... */
2071 if (supports_extension(this, EXT_MOBIKE))
2072 {
2073 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2074 mobike = ike_mobike_create(&this->public, TRUE);
2075 mobike->roam(mobike, address);
2076 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2077 return this->task_manager->initiate(this->task_manager);
2078 }
2079 DBG1(DBG_IKE, "reestablishing IKE_SA due address change");
2080 /* ... reestablish if not */
2081 return reestablish(this);
2082 }
2083
2084 /**
2085 * Implementation of ike_sa_t.inherit.
2086 */
2087 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2088 {
2089 child_sa_t *child_sa;
2090 host_t *ip;
2091
2092 /* apply hosts and ids */
2093 this->my_host->destroy(this->my_host);
2094 this->other_host->destroy(this->other_host);
2095 this->my_id->destroy(this->my_id);
2096 this->other_id->destroy(this->other_id);
2097 this->my_host = other->my_host->clone(other->my_host);
2098 this->other_host = other->other_host->clone(other->other_host);
2099 this->my_id = other->my_id->clone(other->my_id);
2100 this->other_id = other->other_id->clone(other->other_id);
2101 this->ike_initiator = other->ike_initiator;
2102
2103 /* apply virtual assigned IPs... */
2104 if (other->my_virtual_ip)
2105 {
2106 this->my_virtual_ip = other->my_virtual_ip;
2107 other->my_virtual_ip = NULL;
2108 }
2109 if (other->other_virtual_ip)
2110 {
2111 this->other_virtual_ip = other->other_virtual_ip;
2112 other->other_virtual_ip = NULL;
2113 }
2114
2115 /* ... and DNS servers */
2116 while (other->dns_servers->remove_last(other->dns_servers,
2117 (void**)&ip) == SUCCESS)
2118 {
2119 this->dns_servers->insert_first(this->dns_servers, ip);
2120 }
2121
2122 /* inherit NAT-T conditions */
2123 this->conditions = other->conditions;
2124 if (this->conditions & COND_NAT_HERE)
2125 {
2126 send_keepalive(this);
2127 }
2128
2129 /* adopt all children */
2130 while (other->child_sas->remove_last(other->child_sas,
2131 (void**)&child_sa) == SUCCESS)
2132 {
2133 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2134 }
2135
2136 /* move pending tasks to the new IKE_SA */
2137 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2138
2139 /* reauthentication timeout survives a rekeying */
2140 if (other->time.reauth)
2141 {
2142 time_t reauth, delete, now = time(NULL);
2143
2144 this->time.reauth = other->time.reauth;
2145 reauth = this->time.reauth - now;
2146 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2147 this->time.delete = this->time.reauth + delete;
2148 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2149 "lifetime reduced to %ds", reauth, delete);
2150 charon->scheduler->schedule_job(charon->scheduler,
2151 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2152 reauth * 1000);
2153 charon->scheduler->schedule_job(charon->scheduler,
2154 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2155 delete * 1000);
2156 }
2157 /* we have to initate here, there may be new tasks to handle */
2158 return this->task_manager->initiate(this->task_manager);
2159 }
2160
2161 /**
2162 * Implementation of ike_sa_t.remove_dns_server
2163 */
2164 static void remove_dns_servers(private_ike_sa_t *this)
2165 {
2166 FILE *file;
2167 struct stat stats;
2168 chunk_t contents, line, orig_line, token;
2169 char string[INET6_ADDRSTRLEN];
2170 host_t *ip;
2171 iterator_t *iterator;
2172
2173 if (this->dns_servers->get_count(this->dns_servers) == 0)
2174 {
2175 /* don't touch anything if we have no nameservers installed */
2176 return;
2177 }
2178
2179 file = fopen(RESOLV_CONF, "r");
2180 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2181 {
2182 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2183 RESOLV_CONF, strerror(errno));
2184 return;
2185 }
2186
2187 contents = chunk_alloca((size_t)stats.st_size);
2188
2189 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2190 {
2191 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2192 fclose(file);
2193 return;
2194 }
2195
2196 fclose(file);
2197 file = fopen(RESOLV_CONF, "w");
2198 if (file == NULL)
2199 {
2200 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2201 RESOLV_CONF, strerror(errno));
2202 return;
2203 }
2204
2205 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2206 while (fetchline(&contents, &line))
2207 {
2208 bool found = FALSE;
2209 orig_line = line;
2210 if (extract_token(&token, ' ', &line) &&
2211 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2212 {
2213 if (!extract_token(&token, ' ', &line))
2214 {
2215 token = line;
2216 }
2217 iterator->reset(iterator);
2218 while (iterator->iterate(iterator, (void**)&ip))
2219 {
2220 snprintf(string, sizeof(string), "%H", ip);
2221 if (strlen(string) == token.len &&
2222 strncmp(token.ptr, string, token.len) == 0)
2223 {
2224 iterator->remove(iterator);
2225 ip->destroy(ip);
2226 found = TRUE;
2227 break;
2228 }
2229 }
2230 }
2231
2232 if (!found)
2233 {
2234 /* write line untouched back to file */
2235 fwrite(orig_line.ptr, orig_line.len, 1, file);
2236 fprintf(file, "\n");
2237 }
2238 }
2239 iterator->destroy(iterator);
2240 fclose(file);
2241 }
2242
2243 /**
2244 * Implementation of ike_sa_t.add_dns_server
2245 */
2246 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2247 {
2248 FILE *file;
2249 struct stat stats;
2250 chunk_t contents;
2251
2252 DBG1(DBG_IKE, "installing DNS server %H", dns);
2253
2254 file = fopen(RESOLV_CONF, "a+");
2255 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2256 {
2257 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2258 RESOLV_CONF, strerror(errno));
2259 return;
2260 }
2261
2262 contents = chunk_alloca(stats.st_size);
2263
2264 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2265 {
2266 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2267 fclose(file);
2268 return;
2269 }
2270
2271 fclose(file);
2272 file = fopen(RESOLV_CONF, "w");
2273 if (file == NULL)
2274 {
2275 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2276 RESOLV_CONF, strerror(errno));
2277 return;
2278 }
2279
2280 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2281 dns, this->other_id) < 0)
2282 {
2283 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2284 }
2285 else
2286 {
2287 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2288 }
2289 fwrite(contents.ptr, contents.len, 1, file);
2290
2291 fclose(file);
2292 }
2293
2294 /**
2295 * Implementation of ike_sa_t.destroy.
2296 */
2297 static void destroy(private_ike_sa_t *this)
2298 {
2299 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2300
2301 DESTROY_IF(this->crypter_in);
2302 DESTROY_IF(this->crypter_out);
2303 DESTROY_IF(this->signer_in);
2304 DESTROY_IF(this->signer_out);
2305 DESTROY_IF(this->prf);
2306 DESTROY_IF(this->child_prf);
2307 chunk_free(&this->skp_verify);
2308 chunk_free(&this->skp_build);
2309
2310 if (this->my_virtual_ip)
2311 {
2312 charon->kernel_interface->del_ip(charon->kernel_interface,
2313 this->my_virtual_ip);
2314 this->my_virtual_ip->destroy(this->my_virtual_ip);
2315 }
2316 DESTROY_IF(this->other_virtual_ip);
2317
2318 remove_dns_servers(this);
2319 this->dns_servers->destroy_offset(this->dns_servers,
2320 offsetof(host_t, destroy));
2321 this->additional_addresses->destroy_offset(this->additional_addresses,
2322 offsetof(host_t, destroy));
2323 #ifdef ME
2324 if (this->peer_cfg && this->peer_cfg->is_mediation(this->peer_cfg) &&
2325 !this->ike_sa_id->is_initiator(this->ike_sa_id))
2326 {
2327 /* mediation server */
2328 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2329 }
2330 DESTROY_IF(this->server_reflexive_host);
2331 chunk_free(&this->connect_id);
2332 #endif /* ME */
2333
2334 DESTROY_IF(this->my_host);
2335 DESTROY_IF(this->other_host);
2336 DESTROY_IF(this->my_id);
2337 DESTROY_IF(this->other_id);
2338
2339 DESTROY_IF(this->ike_cfg);
2340 DESTROY_IF(this->peer_cfg);
2341 DESTROY_IF(this->my_auth);
2342 DESTROY_IF(this->other_auth);
2343
2344 this->ike_sa_id->destroy(this->ike_sa_id);
2345 this->task_manager->destroy(this->task_manager);
2346 free(this);
2347 }
2348
2349 /*
2350 * Described in header.
2351 */
2352 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2353 {
2354 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2355 static u_int32_t unique_id = 0;
2356
2357 /* Public functions */
2358 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2359 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2360 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2361 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2362 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2363 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2364 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2365 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2366 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2367 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2368 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2369 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2370 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2371 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2372 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2373 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2374 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2375 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2376 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2377 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2378 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2379 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2380 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2381 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2382 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2383 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2384 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2385 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2386 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2387 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2388 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2389 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2390 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2391 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2392 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2393 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2394 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2395 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2396 this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
2397 this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
2398 this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
2399 this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
2400 this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
2401 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2402 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2403 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2404 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2405 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2406 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2407 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2408 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2409 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2410 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2411 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2412 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2413 this->public.reset = (void (*)(ike_sa_t*))reset;
2414 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2415 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2416 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2417 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2418 #ifdef ME
2419 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2420 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2421 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2422 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2423 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,linked_list_t*,chunk_t)) initiate_mediated;
2424 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2425 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2426 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2427 #endif /* ME */
2428
2429 /* initialize private fields */
2430 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2431 this->child_sas = linked_list_create();
2432 this->my_host = host_create_any(AF_INET);
2433 this->other_host = host_create_any(AF_INET);
2434 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2435 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2436 this->extensions = 0;
2437 this->conditions = 0;
2438 this->crypter_in = NULL;
2439 this->crypter_out = NULL;
2440 this->signer_in = NULL;
2441 this->signer_out = NULL;
2442 this->prf = NULL;
2443 this->skp_verify = chunk_empty;
2444 this->skp_build = chunk_empty;
2445 this->child_prf = NULL;
2446 this->state = IKE_CREATED;
2447 this->time.inbound = this->time.outbound = time(NULL);
2448 this->time.established = 0;
2449 this->time.rekey = 0;
2450 this->time.reauth = 0;
2451 this->time.delete = 0;
2452 this->ike_cfg = NULL;
2453 this->peer_cfg = NULL;
2454 this->my_auth = auth_info_create();
2455 this->other_auth = auth_info_create();
2456 this->task_manager = task_manager_create(&this->public);
2457 this->unique_id = ++unique_id;
2458 this->my_virtual_ip = NULL;
2459 this->other_virtual_ip = NULL;
2460 this->dns_servers = linked_list_create();
2461 this->additional_addresses = linked_list_create();
2462 this->pending_updates = 0;
2463 this->keyingtry = 0;
2464 this->ike_initiator = FALSE;
2465 #ifdef ME
2466 this->server_reflexive_host = NULL;
2467 this->connect_id = chunk_empty;
2468 #endif /* ME */
2469
2470 return &this->public;
2471 }