3cf52fc365ff51ea364164103a854126b77f0133
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2006 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26
27 #include "ike_sa.h"
28
29 #include <library.h>
30 #include <daemon.h>
31 #include <utils/linked_list.h>
32 #include <utils/lexparser.h>
33 #include <crypto/diffie_hellman.h>
34 #include <crypto/prf_plus.h>
35 #include <crypto/crypters/crypter.h>
36 #include <crypto/hashers/hasher.h>
37 #include <encoding/payloads/sa_payload.h>
38 #include <encoding/payloads/nonce_payload.h>
39 #include <encoding/payloads/ke_payload.h>
40 #include <encoding/payloads/delete_payload.h>
41 #include <encoding/payloads/transform_substructure.h>
42 #include <encoding/payloads/transform_attribute.h>
43 #include <encoding/payloads/ts_payload.h>
44 #include <sa/task_manager.h>
45 #include <sa/tasks/ike_init.h>
46 #include <sa/tasks/ike_natd.h>
47 #include <sa/tasks/ike_mobike.h>
48 #include <sa/tasks/ike_auth.h>
49 #include <sa/tasks/ike_auth_lifetime.h>
50 #include <sa/tasks/ike_config.h>
51 #include <sa/tasks/ike_cert_pre.h>
52 #include <sa/tasks/ike_cert_post.h>
53 #include <sa/tasks/ike_rekey.h>
54 #include <sa/tasks/ike_reauth.h>
55 #include <sa/tasks/ike_delete.h>
56 #include <sa/tasks/ike_dpd.h>
57 #include <sa/tasks/child_create.h>
58 #include <sa/tasks/child_delete.h>
59 #include <sa/tasks/child_rekey.h>
60 #include <processing/jobs/retransmit_job.h>
61 #include <processing/jobs/delete_ike_sa_job.h>
62 #include <processing/jobs/send_dpd_job.h>
63 #include <processing/jobs/send_keepalive_job.h>
64 #include <processing/jobs/rekey_ike_sa_job.h>
65
66 #ifdef ME
67 #include <sa/tasks/ike_me.h>
68 #include <processing/jobs/initiate_mediation_job.h>
69 #endif
70
71 #ifndef RESOLV_CONF
72 #define RESOLV_CONF "/etc/resolv.conf"
73 #endif
74
75 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
76 "CREATED",
77 "CONNECTING",
78 "ESTABLISHED",
79 "REKEYING",
80 "DELETING",
81 );
82
83 typedef struct private_ike_sa_t private_ike_sa_t;
84
85 /**
86 * Private data of an ike_sa_t object.
87 */
88 struct private_ike_sa_t {
89
90 /**
91 * Public members
92 */
93 ike_sa_t public;
94
95 /**
96 * Identifier for the current IKE_SA.
97 */
98 ike_sa_id_t *ike_sa_id;
99
100 /**
101 * unique numerical ID for this IKE_SA.
102 */
103 u_int32_t unique_id;
104
105 /**
106 * Current state of the IKE_SA
107 */
108 ike_sa_state_t state;
109
110 /**
111 * IKE configuration used to set up this IKE_SA
112 */
113 ike_cfg_t *ike_cfg;
114
115 /**
116 * Peer and authentication information to establish IKE_SA.
117 */
118 peer_cfg_t *peer_cfg;
119
120 /**
121 * associated authentication/authorization info for local peer
122 */
123 auth_info_t *my_auth;
124
125 /**
126 * associated authentication/authorization info for remote peer
127 */
128 auth_info_t *other_auth;
129
130 /**
131 * Juggles tasks to process messages
132 */
133 task_manager_t *task_manager;
134
135 /**
136 * Address of local host
137 */
138 host_t *my_host;
139
140 /**
141 * Address of remote host
142 */
143 host_t *other_host;
144
145 #ifdef ME
146 /**
147 * Are we mediation server
148 */
149 bool is_mediation_server;
150
151 /**
152 * Server reflexive host
153 */
154 host_t *server_reflexive_host;
155
156 /**
157 * Connect ID
158 */
159 chunk_t connect_id;
160 #endif /* ME */
161
162 /**
163 * Identification used for us
164 */
165 identification_t *my_id;
166
167 /**
168 * Identification used for other
169 */
170 identification_t *other_id;
171
172 /**
173 * EAP Identity exchange in EAP-Identity method
174 */
175 identification_t *eap_identity;;
176
177 /**
178 * set of extensions the peer supports
179 */
180 ike_extension_t extensions;
181
182 /**
183 * set of condition flags currently enabled for this IKE_SA
184 */
185 ike_condition_t conditions;
186
187 /**
188 * Linked List containing the child sa's of the current IKE_SA.
189 */
190 linked_list_t *child_sas;
191
192 /**
193 * String describing the selected IKE proposal
194 */
195 char *selected_proposal;
196
197 /**
198 * crypter for inbound traffic
199 */
200 crypter_t *crypter_in;
201
202 /**
203 * crypter for outbound traffic
204 */
205 crypter_t *crypter_out;
206
207 /**
208 * Signer for inbound traffic
209 */
210 signer_t *signer_in;
211
212 /**
213 * Signer for outbound traffic
214 */
215 signer_t *signer_out;
216
217 /**
218 * Multi purpose prf, set key, use it, forget it
219 */
220 prf_t *prf;
221
222 /**
223 * Prf function for derivating keymat child SAs
224 */
225 prf_t *child_prf;
226
227 /**
228 * Key to build outging authentication data (SKp)
229 */
230 chunk_t skp_build;
231
232 /**
233 * Key to verify incoming authentication data (SKp)
234 */
235 chunk_t skp_verify;
236
237 /**
238 * Virtual IP on local host, if any
239 */
240 host_t *my_virtual_ip;
241
242 /**
243 * Virtual IP on remote host, if any
244 */
245 host_t *other_virtual_ip;
246
247 /**
248 * List of DNS servers installed by us
249 */
250 linked_list_t *dns_servers;
251
252 /**
253 * list of peers additional addresses, transmitted via MOBIKE
254 */
255 linked_list_t *additional_addresses;
256
257 /**
258 * number pending UPDATE_SA_ADDRESS (MOBIKE)
259 */
260 u_int32_t pending_updates;
261
262 /**
263 * NAT keep alive interval
264 */
265 u_int32_t keepalive_interval;
266
267 /**
268 * Timestamps for this IKE_SA
269 */
270 struct {
271 /** last IKE message received */
272 u_int32_t inbound;
273 /** last IKE message sent */
274 u_int32_t outbound;
275 /** when IKE_SA became established */
276 u_int32_t established;
277 /** when IKE_SA gets rekeyed */
278 u_int32_t rekey;
279 /** when IKE_SA gets reauthenticated */
280 u_int32_t reauth;
281 /** when IKE_SA gets deleted */
282 u_int32_t delete;
283 } time;
284
285 /**
286 * how many times we have retried so far (keyingtries)
287 */
288 u_int32_t keyingtry;
289
290 /**
291 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
292 */
293 bool ike_initiator;
294 };
295
296 /**
297 * get the time of the latest traffic processed by the kernel
298 */
299 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
300 {
301 iterator_t *iterator;
302 child_sa_t *child_sa;
303 time_t latest = 0, use_time;
304
305 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
306 while (iterator->iterate(iterator, (void**)&child_sa))
307 {
308 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
309 {
310 latest = max(latest, use_time);
311 }
312 }
313 iterator->destroy(iterator);
314
315 if (inbound)
316 {
317 return max(this->time.inbound, latest);
318 }
319 else
320 {
321 return max(this->time.outbound, latest);
322 }
323 }
324
325 /**
326 * Implementation of ike_sa_t.get_unique_id
327 */
328 static u_int32_t get_unique_id(private_ike_sa_t *this)
329 {
330 return this->unique_id;
331 }
332
333 /**
334 * Implementation of ike_sa_t.get_name.
335 */
336 static char *get_name(private_ike_sa_t *this)
337 {
338 if (this->peer_cfg)
339 {
340 return this->peer_cfg->get_name(this->peer_cfg);
341 }
342 return "(unnamed)";
343 }
344
345 /**
346 * Implementation of ike_sa_t.get_statistic.
347 */
348 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
349 {
350 time_t now = time(NULL);
351
352 switch (kind)
353 {
354 case STAT_REKEY_TIME:
355 if (this->time.rekey > now)
356 {
357 return this->time.rekey - now;
358 }
359 break;
360 case STAT_REAUTH_TIME:
361 if (this->time.reauth > now)
362 {
363 return this->time.reauth - now;
364 }
365 break;
366 default:
367 break;
368 }
369 return 0;
370 }
371
372 /**
373 * Implementation of ike_sa_t.get_my_host.
374 */
375 static host_t *get_my_host(private_ike_sa_t *this)
376 {
377 return this->my_host;
378 }
379
380 /**
381 * Implementation of ike_sa_t.set_my_host.
382 */
383 static void set_my_host(private_ike_sa_t *this, host_t *me)
384 {
385 DESTROY_IF(this->my_host);
386 this->my_host = me;
387 }
388
389 /**
390 * Implementation of ike_sa_t.get_other_host.
391 */
392 static host_t *get_other_host(private_ike_sa_t *this)
393 {
394 return this->other_host;
395 }
396
397 /**
398 * Implementation of ike_sa_t.set_other_host.
399 */
400 static void set_other_host(private_ike_sa_t *this, host_t *other)
401 {
402 DESTROY_IF(this->other_host);
403 this->other_host = other;
404 }
405
406 /**
407 * Implementation of ike_sa_t.get_peer_cfg
408 */
409 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
410 {
411 return this->peer_cfg;
412 }
413
414 /**
415 * Implementation of ike_sa_t.set_peer_cfg
416 */
417 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
418 {
419 DESTROY_IF(this->peer_cfg);
420 peer_cfg->get_ref(peer_cfg);
421 this->peer_cfg = peer_cfg;
422
423 if (this->ike_cfg == NULL)
424 {
425 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
426 this->ike_cfg->get_ref(this->ike_cfg);
427 }
428 /* apply IDs if they are not already set */
429 if (this->my_id->contains_wildcards(this->my_id))
430 {
431 DESTROY_IF(this->my_id);
432 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
433 this->my_id = this->my_id->clone(this->my_id);
434 }
435 if (this->other_id->contains_wildcards(this->other_id))
436 {
437 DESTROY_IF(this->other_id);
438 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
439 this->other_id = this->other_id->clone(this->other_id);
440 }
441 }
442
443 /**
444 * Implementation of ike_sa_t.get_my_auth.
445 */
446 static auth_info_t* get_my_auth(private_ike_sa_t *this)
447 {
448 return this->my_auth;
449 }
450
451 /**
452 * Implementation of ike_sa_t.get_other_auth.
453 */
454 static auth_info_t* get_other_auth(private_ike_sa_t *this)
455 {
456 return this->other_auth;
457 }
458
459 /**
460 * Implementation of ike_sa_t.send_keepalive
461 */
462 static void send_keepalive(private_ike_sa_t *this)
463 {
464 send_keepalive_job_t *job;
465 time_t last_out, now, diff;
466
467 if (!(this->conditions & COND_NAT_HERE))
468 { /* disable keep alives if we are not NATed anymore */
469 return;
470 }
471
472 last_out = get_use_time(this, FALSE);
473 now = time(NULL);
474
475 diff = now - last_out;
476
477 if (diff >= this->keepalive_interval)
478 {
479 packet_t *packet;
480 chunk_t data;
481
482 packet = packet_create();
483 packet->set_source(packet, this->my_host->clone(this->my_host));
484 packet->set_destination(packet, this->other_host->clone(this->other_host));
485 data.ptr = malloc(1);
486 data.ptr[0] = 0xFF;
487 data.len = 1;
488 packet->set_data(packet, data);
489 DBG1(DBG_IKE, "sending keep alive");
490 charon->sender->send(charon->sender, packet);
491 diff = 0;
492 }
493 job = send_keepalive_job_create(this->ike_sa_id);
494 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
495 (this->keepalive_interval - diff) * 1000);
496 }
497
498 /**
499 * Implementation of ike_sa_t.get_ike_cfg
500 */
501 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
502 {
503 return this->ike_cfg;
504 }
505
506 /**
507 * Implementation of ike_sa_t.set_ike_cfg
508 */
509 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
510 {
511 ike_cfg->get_ref(ike_cfg);
512 this->ike_cfg = ike_cfg;
513 }
514
515 /**
516 * Implementation of ike_sa_t.is_ike_initiator
517 */
518 static bool is_ike_initiator(private_ike_sa_t *this)
519 {
520 return this->ike_initiator;
521 }
522
523 /**
524 * Implementation of ike_sa_t.enable_extension.
525 */
526 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
527 {
528 this->extensions |= extension;
529 }
530
531 /**
532 * Implementation of ike_sa_t.has_extension.
533 */
534 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
535 {
536 return (this->extensions & extension) != FALSE;
537 }
538
539 /**
540 * Implementation of ike_sa_t.has_condition.
541 */
542 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
543 {
544 return (this->conditions & condition) != FALSE;
545 }
546
547 /**
548 * Implementation of ike_sa_t.enable_condition.
549 */
550 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
551 bool enable)
552 {
553 if (has_condition(this, condition) != enable)
554 {
555 if (enable)
556 {
557 this->conditions |= condition;
558 switch (condition)
559 {
560 case COND_NAT_HERE:
561 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
562 this->conditions |= COND_NAT_ANY;
563 send_keepalive(this);
564 break;
565 case COND_NAT_THERE:
566 DBG1(DBG_IKE, "remote host is behind NAT");
567 this->conditions |= COND_NAT_ANY;
568 break;
569 case COND_NAT_FAKE:
570 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
571 this->conditions |= COND_NAT_ANY;
572 break;
573 default:
574 break;
575 }
576 }
577 else
578 {
579 this->conditions &= ~condition;
580 switch (condition)
581 {
582 case COND_NAT_HERE:
583 case COND_NAT_FAKE:
584 case COND_NAT_THERE:
585 set_condition(this, COND_NAT_ANY,
586 has_condition(this, COND_NAT_HERE) ||
587 has_condition(this, COND_NAT_THERE) ||
588 has_condition(this, COND_NAT_FAKE));
589 break;
590 default:
591 break;
592 }
593 }
594 }
595 }
596
597 /**
598 * Implementation of ike_sa_t.send_dpd
599 */
600 static status_t send_dpd(private_ike_sa_t *this)
601 {
602 send_dpd_job_t *job;
603 time_t diff, delay;
604
605 delay = this->peer_cfg->get_dpd(this->peer_cfg);
606
607 if (delay == 0)
608 {
609 /* DPD disabled */
610 return SUCCESS;
611 }
612
613 if (this->task_manager->busy(this->task_manager))
614 {
615 /* an exchange is in the air, no need to start a DPD check */
616 diff = 0;
617 }
618 else
619 {
620 /* check if there was any inbound traffic */
621 time_t last_in, now;
622 last_in = get_use_time(this, TRUE);
623 now = time(NULL);
624 diff = now - last_in;
625 if (diff >= delay)
626 {
627 /* to long ago, initiate dead peer detection */
628 task_t *task;
629
630 task = (task_t*)ike_dpd_create(TRUE);
631 diff = 0;
632 DBG1(DBG_IKE, "sending DPD request");
633
634 this->task_manager->queue_task(this->task_manager, task);
635 this->task_manager->initiate(this->task_manager);
636 }
637 }
638 /* recheck in "interval" seconds */
639 job = send_dpd_job_create(this->ike_sa_id);
640 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
641 (delay - diff) * 1000);
642 return SUCCESS;
643 }
644
645 /**
646 * Implementation of ike_sa_t.get_state.
647 */
648 static ike_sa_state_t get_state(private_ike_sa_t *this)
649 {
650 return this->state;
651 }
652
653 /**
654 * Implementation of ike_sa_t.set_state.
655 */
656 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
657 {
658 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
659 get_name(this), this->unique_id,
660 ike_sa_state_names, this->state,
661 ike_sa_state_names, state);
662
663 switch (state)
664 {
665 case IKE_ESTABLISHED:
666 {
667 if (this->state == IKE_CONNECTING)
668 {
669 job_t *job;
670 u_int32_t t;
671
672 /* calculate rekey, reauth and lifetime */
673 this->time.established = time(NULL);
674
675 /* schedule rekeying if we have a time which is smaller than
676 * an already scheduled rekeying */
677 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
678 if (t && (this->time.rekey == 0 ||
679 (this->time.rekey > t + this->time.established)))
680 {
681 this->time.rekey = t + this->time.established;
682 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
683 charon->scheduler->schedule_job(charon->scheduler,
684 job, t * 1000);
685 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
686 }
687 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
688 if (t && (this->time.reauth == 0 ||
689 (this->time.reauth > t + this->time.established)))
690 {
691 this->time.reauth = t + this->time.established;
692 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
693 charon->scheduler->schedule_job(charon->scheduler,
694 job, t * 1000);
695 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
696 }
697 t = this->peer_cfg->get_over_time(this->peer_cfg);
698 if (this->time.rekey || this->time.reauth)
699 {
700 if (this->time.reauth == 0)
701 {
702 this->time.delete = this->time.rekey;
703 }
704 else if (this->time.rekey == 0)
705 {
706 this->time.delete = this->time.reauth;
707 }
708 else
709 {
710 this->time.delete = min(this->time.rekey, this->time.reauth);
711 }
712 this->time.delete += t;
713 t = this->time.delete - this->time.established;
714 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
715 charon->scheduler->schedule_job(charon->scheduler, job,
716 t * 1000);
717 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
718 }
719
720 /* start DPD checks */
721 send_dpd(this);
722 }
723 break;
724 }
725 case IKE_DELETING:
726 {
727 /* delete may fail if a packet gets lost, so set a timeout */
728 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
729 charon->scheduler->schedule_job(charon->scheduler, job,
730 HALF_OPEN_IKE_SA_TIMEOUT);
731 break;
732 }
733 default:
734 break;
735 }
736
737 this->state = state;
738 }
739
740 /**
741 * Implementation of ike_sa_t.reset
742 */
743 static void reset(private_ike_sa_t *this)
744 {
745 /* the responder ID is reset, as peer may choose another one */
746 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
747 {
748 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
749 }
750
751 set_state(this, IKE_CREATED);
752
753 this->task_manager->reset(this->task_manager);
754 }
755
756 /**
757 * Implementation of ike_sa_t.set_virtual_ip
758 */
759 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
760 {
761 if (local)
762 {
763 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
764 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
765 this->my_host) == SUCCESS)
766 {
767 if (this->my_virtual_ip)
768 {
769 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
770 charon->kernel_interface->del_ip(charon->kernel_interface,
771 this->my_virtual_ip);
772 }
773 DESTROY_IF(this->my_virtual_ip);
774 this->my_virtual_ip = ip->clone(ip);
775 }
776 else
777 {
778 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
779 this->my_virtual_ip = NULL;
780 }
781 }
782 else
783 {
784 DESTROY_IF(this->other_virtual_ip);
785 this->other_virtual_ip = ip->clone(ip);
786 }
787 }
788
789 /**
790 * Implementation of ike_sa_t.get_virtual_ip
791 */
792 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
793 {
794 if (local)
795 {
796 return this->my_virtual_ip;
797 }
798 else
799 {
800 return this->other_virtual_ip;
801 }
802 }
803
804 /**
805 * Implementation of ike_sa_t.add_additional_address.
806 */
807 static void add_additional_address(private_ike_sa_t *this, host_t *host)
808 {
809 this->additional_addresses->insert_last(this->additional_addresses, host);
810 }
811
812 /**
813 * Implementation of ike_sa_t.create_additional_address_iterator.
814 */
815 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
816 {
817 return this->additional_addresses->create_iterator(
818 this->additional_addresses, TRUE);
819 }
820
821 /**
822 * Implementation of ike_sa_t.set_pending_updates.
823 */
824 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
825 {
826 this->pending_updates = updates;
827 }
828
829 /**
830 * Implementation of ike_sa_t.get_pending_updates.
831 */
832 static u_int32_t get_pending_updates(private_ike_sa_t *this)
833 {
834 return this->pending_updates;
835 }
836
837 /**
838 * Update hosts, as addresses may change (NAT)
839 */
840 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
841 {
842 bool update = FALSE;
843
844 if (supports_extension(this, EXT_MOBIKE))
845 { /* if peer speaks mobike, address updates are explicit only */
846 return;
847 }
848
849 if (me == NULL)
850 {
851 me = this->my_host;
852 }
853 if (other == NULL)
854 {
855 other = this->other_host;
856 }
857
858 /* apply hosts on first received message */
859 if (this->my_host->is_anyaddr(this->my_host) ||
860 this->other_host->is_anyaddr(this->other_host))
861 {
862 set_my_host(this, me->clone(me));
863 set_other_host(this, other->clone(other));
864 update = TRUE;
865 }
866 else
867 {
868 /* update our address in any case */
869 if (!me->equals(me, this->my_host))
870 {
871 set_my_host(this, me->clone(me));
872 update = TRUE;
873 }
874
875 if (!other->equals(other, this->other_host))
876 {
877 /* update others adress if we are NOT NATed,
878 * and allow port changes if we are NATed */
879 if (!has_condition(this, COND_NAT_HERE) ||
880 other->ip_equals(other, this->other_host))
881 {
882 set_other_host(this, other->clone(other));
883 update = TRUE;
884 }
885 }
886 }
887
888 /* update all associated CHILD_SAs, if required */
889 if (update)
890 {
891 iterator_t *iterator;
892 child_sa_t *child_sa;
893
894 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
895 while (iterator->iterate(iterator, (void**)&child_sa))
896 {
897 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
898 has_condition(this, COND_NAT_ANY));
899 }
900 iterator->destroy(iterator);
901 }
902 }
903
904 /**
905 * Implementation of ike_sa_t.generate
906 */
907 static status_t generate_message(private_ike_sa_t *this, message_t *message,
908 packet_t **packet)
909 {
910 this->time.outbound = time(NULL);
911 message->set_ike_sa_id(message, this->ike_sa_id);
912 return message->generate(message, this->crypter_out, this->signer_out, packet);
913 }
914
915 /**
916 * send a notify back to the sender
917 */
918 static void send_notify_response(private_ike_sa_t *this, message_t *request,
919 notify_type_t type)
920 {
921 message_t *response;
922 packet_t *packet;
923
924 response = message_create();
925 response->set_exchange_type(response, request->get_exchange_type(request));
926 response->set_request(response, FALSE);
927 response->set_message_id(response, request->get_message_id(request));
928 response->add_notify(response, FALSE, type, chunk_empty);
929 if (this->my_host->is_anyaddr(this->my_host))
930 {
931 this->my_host->destroy(this->my_host);
932 this->my_host = request->get_destination(request);
933 this->my_host = this->my_host->clone(this->my_host);
934 }
935 if (this->other_host->is_anyaddr(this->other_host))
936 {
937 this->other_host->destroy(this->other_host);
938 this->other_host = request->get_source(request);
939 this->other_host = this->other_host->clone(this->other_host);
940 }
941 response->set_source(response, this->my_host->clone(this->my_host));
942 response->set_destination(response, this->other_host->clone(this->other_host));
943 if (generate_message(this, response, &packet) == SUCCESS)
944 {
945 charon->sender->send(charon->sender, packet);
946 }
947 response->destroy(response);
948 }
949
950 #ifdef ME
951 /**
952 * Implementation of ike_sa_t.act_as_mediation_server.
953 */
954 static void act_as_mediation_server(private_ike_sa_t *this)
955 {
956 charon->mediation_manager->update_sa_id(charon->mediation_manager,
957 this->other_id, this->ike_sa_id);
958 this->is_mediation_server = TRUE;
959 }
960
961 /**
962 * Implementation of ike_sa_t.get_server_reflexive_host.
963 */
964 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
965 {
966 return this->server_reflexive_host;
967 }
968
969 /**
970 * Implementation of ike_sa_t.set_server_reflexive_host.
971 */
972 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
973 {
974 DESTROY_IF(this->server_reflexive_host);
975 this->server_reflexive_host = host;
976 }
977
978 /**
979 * Implementation of ike_sa_t.get_connect_id.
980 */
981 static chunk_t get_connect_id(private_ike_sa_t *this)
982 {
983 return this->connect_id;
984 }
985
986 /**
987 * Implementation of ike_sa_t.respond
988 */
989 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
990 chunk_t connect_id)
991 {
992 ike_me_t *task = ike_me_create(&this->public, TRUE);
993 task->respond(task, peer_id, connect_id);
994 this->task_manager->queue_task(this->task_manager, (task_t*)task);
995 return this->task_manager->initiate(this->task_manager);
996 }
997
998 /**
999 * Implementation of ike_sa_t.callback
1000 */
1001 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
1002 {
1003 ike_me_t *task = ike_me_create(&this->public, TRUE);
1004 task->callback(task, peer_id);
1005 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1006 return this->task_manager->initiate(this->task_manager);
1007 }
1008
1009 /**
1010 * Implementation of ike_sa_t.relay
1011 */
1012 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1013 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1014 {
1015 ike_me_t *task = ike_me_create(&this->public, TRUE);
1016 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1017 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1018 return this->task_manager->initiate(this->task_manager);
1019 }
1020
1021 /**
1022 * Implementation of ike_sa_t.initiate_mediation
1023 */
1024 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1025 {
1026 ike_me_t *task = ike_me_create(&this->public, TRUE);
1027 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1028 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1029 return this->task_manager->initiate(this->task_manager);
1030 }
1031
1032 /**
1033 * Implementation of ike_sa_t.initiate_mediated
1034 */
1035 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1036 chunk_t connect_id)
1037 {
1038 set_my_host(this, me->clone(me));
1039 set_other_host(this, other->clone(other));
1040 chunk_free(&this->connect_id);
1041 this->connect_id = chunk_clone(connect_id);
1042
1043 return this->task_manager->initiate(this->task_manager);
1044 }
1045 #endif /* ME */
1046
1047 /**
1048 * Resolve DNS host in configuration
1049 */
1050 static void resolve_hosts(private_ike_sa_t *this)
1051 {
1052 host_t *host;
1053
1054 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1055 0, IKEV2_UDP_PORT);
1056 if (host)
1057 {
1058 set_other_host(this, host);
1059 }
1060
1061 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1062 this->my_host->get_family(this->my_host),
1063 IKEV2_UDP_PORT);
1064
1065 if (host && host->is_anyaddr(host) &&
1066 !this->other_host->is_anyaddr(this->other_host))
1067 {
1068 host->destroy(host);
1069 host = charon->kernel_interface->get_source_addr(
1070 charon->kernel_interface, this->other_host);
1071 if (host)
1072 {
1073 host->set_port(host, IKEV2_UDP_PORT);
1074 }
1075 }
1076 if (host)
1077 {
1078 set_my_host(this, host);
1079 }
1080 }
1081
1082 /**
1083 * Initiates a CHILD_SA using the appropriate reqid
1084 */
1085 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1086 {
1087 task_t *task;
1088
1089 if (this->state == IKE_CREATED)
1090 {
1091 resolve_hosts(this);
1092
1093 if (this->other_host->is_anyaddr(this->other_host)
1094 #ifdef ME
1095 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1096 #endif /* ME */
1097 )
1098 {
1099 child_cfg->destroy(child_cfg);
1100 SIG_IKE(UP_START, "initiating IKE_SA");
1101 SIG_IKE(UP_FAILED, "unable to initiate to %%any");
1102 return DESTROY_ME;
1103 }
1104
1105 this->ike_initiator = TRUE;
1106
1107 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1108 this->task_manager->queue_task(this->task_manager, task);
1109 task = (task_t*)ike_natd_create(&this->public, TRUE);
1110 this->task_manager->queue_task(this->task_manager, task);
1111 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1112 this->task_manager->queue_task(this->task_manager, task);
1113 task = (task_t*)ike_auth_create(&this->public, TRUE);
1114 this->task_manager->queue_task(this->task_manager, task);
1115 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1116 this->task_manager->queue_task(this->task_manager, task);
1117 task = (task_t*)ike_config_create(&this->public, TRUE);
1118 this->task_manager->queue_task(this->task_manager, task);
1119 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1120 this->task_manager->queue_task(this->task_manager, task);
1121 if (this->peer_cfg->use_mobike(this->peer_cfg))
1122 {
1123 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1124 this->task_manager->queue_task(this->task_manager, task);
1125 }
1126 #ifdef ME
1127 task = (task_t*)ike_me_create(&this->public, TRUE);
1128 this->task_manager->queue_task(this->task_manager, task);
1129 #endif /* ME */
1130 }
1131
1132 #ifdef ME
1133 if (this->peer_cfg->is_mediation(this->peer_cfg))
1134 {
1135 /* mediation connection */
1136 if (this->state == IKE_ESTABLISHED)
1137 { /* FIXME: we should try to find a better solution to this */
1138 SIG_CHD(UP_SUCCESS, NULL, "mediation connection is already up and running");
1139 }
1140 DESTROY_IF(child_cfg);
1141 }
1142 else
1143 #endif /* ME */
1144 {
1145 /* normal IKE_SA with CHILD_SA */
1146 task = (task_t*)child_create_create(&this->public, child_cfg);
1147 child_cfg->destroy(child_cfg);
1148 if (reqid)
1149 {
1150 child_create_t *child_create = (child_create_t*)task;
1151 child_create->use_reqid(child_create, reqid);
1152 }
1153 this->task_manager->queue_task(this->task_manager, task);
1154
1155 #ifdef ME
1156 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1157 {
1158 /* mediated connection, initiate mediation process */
1159 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1160 charon->processor->queue_job(charon->processor, job);
1161 return SUCCESS;
1162 }
1163 #endif /* ME */
1164 }
1165
1166 return this->task_manager->initiate(this->task_manager);
1167 }
1168
1169 /**
1170 * Implementation of ike_sa_t.initiate.
1171 */
1172 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1173 {
1174 return initiate_with_reqid(this, child_cfg, 0);
1175 }
1176
1177 /**
1178 * Implementation of ike_sa_t.acquire.
1179 */
1180 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1181 {
1182 child_cfg_t *child_cfg;
1183 iterator_t *iterator;
1184 child_sa_t *current, *child_sa = NULL;
1185
1186 if (this->state == IKE_DELETING)
1187 {
1188 SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
1189 SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
1190 "IKE_SA is deleting", reqid);
1191 return FAILED;
1192 }
1193
1194 /* find CHILD_SA */
1195 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1196 while (iterator->iterate(iterator, (void**)&current))
1197 {
1198 if (current->get_reqid(current) == reqid)
1199 {
1200 child_sa = current;
1201 break;
1202 }
1203 }
1204 iterator->destroy(iterator);
1205 if (!child_sa)
1206 {
1207 SIG_CHD(UP_START, NULL, "acquiring CHILD_SA on kernel request");
1208 SIG_CHD(UP_FAILED, NULL, "acquiring CHILD_SA {reqid %d} failed: "
1209 "CHILD_SA not found", reqid);
1210 return FAILED;
1211 }
1212
1213 child_cfg = child_sa->get_config(child_sa);
1214 child_cfg->get_ref(child_cfg);
1215
1216 return initiate_with_reqid(this, child_cfg, reqid);
1217 }
1218
1219 /**
1220 * Implementation of ike_sa_t.route.
1221 */
1222 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1223 {
1224 child_sa_t *child_sa;
1225 iterator_t *iterator;
1226 linked_list_t *my_ts, *other_ts;
1227 host_t *me, *other;
1228 status_t status;
1229
1230 SIG_CHD(ROUTE_START, NULL, "routing CHILD_SA");
1231
1232 /* check if not already routed*/
1233 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1234 while (iterator->iterate(iterator, (void**)&child_sa))
1235 {
1236 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1237 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1238 {
1239 iterator->destroy(iterator);
1240 SIG_CHD(ROUTE_FAILED, child_sa, "CHILD_SA with such a config already routed");
1241 return FAILED;
1242 }
1243 }
1244 iterator->destroy(iterator);
1245
1246 switch (this->state)
1247 {
1248 case IKE_DELETING:
1249 case IKE_REKEYING:
1250 SIG_CHD(ROUTE_FAILED, NULL,
1251 "unable to route CHILD_SA, as its IKE_SA gets deleted");
1252 return FAILED;
1253 case IKE_CREATED:
1254 case IKE_CONNECTING:
1255 case IKE_ESTABLISHED:
1256 default:
1257 break;
1258 }
1259
1260 resolve_hosts(this);
1261
1262 /* install kernel policies */
1263 child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
1264 this->other_id, child_cfg, 0, FALSE);
1265 me = this->my_host;
1266 if (this->my_virtual_ip)
1267 {
1268 me = this->my_virtual_ip;
1269 }
1270 other = this->other_host;
1271 if (this->other_virtual_ip)
1272 {
1273 other = this->other_virtual_ip;
1274 }
1275
1276 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1277 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1278 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1279 child_cfg->get_mode(child_cfg), PROTO_NONE);
1280 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1281 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1282 if (status == SUCCESS)
1283 {
1284 this->child_sas->insert_last(this->child_sas, child_sa);
1285 SIG_CHD(ROUTE_SUCCESS, child_sa, "CHILD_SA routed");
1286 }
1287 else
1288 {
1289 SIG_CHD(ROUTE_FAILED, child_sa, "routing CHILD_SA failed");
1290 }
1291 return status;
1292 }
1293
1294 /**
1295 * Implementation of ike_sa_t.unroute.
1296 */
1297 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1298 {
1299 iterator_t *iterator;
1300 child_sa_t *child_sa;
1301 bool found = FALSE;
1302
1303 SIG_CHD(UNROUTE_START, NULL, "unrouting CHILD_SA");
1304
1305 /* find CHILD_SA in ROUTED state */
1306 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1307 while (iterator->iterate(iterator, (void**)&child_sa))
1308 {
1309 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1310 child_sa->get_reqid(child_sa) == reqid)
1311 {
1312 iterator->remove(iterator);
1313 SIG_CHD(UNROUTE_SUCCESS, child_sa, "CHILD_SA unrouted");
1314 child_sa->destroy(child_sa);
1315 found = TRUE;
1316 break;
1317 }
1318 }
1319 iterator->destroy(iterator);
1320
1321 if (!found)
1322 {
1323 SIG_CHD(UNROUTE_FAILED, NULL, "CHILD_SA to unroute not found");
1324 return FAILED;
1325 }
1326 /* if we are not established, and we have no more routed childs, remove whole SA */
1327 if (this->state == IKE_CREATED &&
1328 this->child_sas->get_count(this->child_sas) == 0)
1329 {
1330 return DESTROY_ME;
1331 }
1332 return SUCCESS;
1333 }
1334 /**
1335 * Implementation of ike_sa_t.process_message.
1336 */
1337 static status_t process_message(private_ike_sa_t *this, message_t *message)
1338 {
1339 status_t status;
1340 bool is_request;
1341
1342 is_request = message->get_request(message);
1343
1344 status = message->parse_body(message, this->crypter_in, this->signer_in);
1345 if (status != SUCCESS)
1346 {
1347
1348 if (is_request)
1349 {
1350 switch (status)
1351 {
1352 case NOT_SUPPORTED:
1353 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1354 if (is_request)
1355 {
1356 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1357 }
1358 break;
1359 case PARSE_ERROR:
1360 DBG1(DBG_IKE, "message parsing failed");
1361 if (is_request)
1362 {
1363 send_notify_response(this, message, INVALID_SYNTAX);
1364 }
1365 break;
1366 case VERIFY_ERROR:
1367 DBG1(DBG_IKE, "message verification failed");
1368 if (is_request)
1369 {
1370 send_notify_response(this, message, INVALID_SYNTAX);
1371 }
1372 break;
1373 case FAILED:
1374 DBG1(DBG_IKE, "integrity check failed");
1375 /* ignored */
1376 break;
1377 case INVALID_STATE:
1378 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1379 if (is_request)
1380 {
1381 send_notify_response(this, message, INVALID_SYNTAX);
1382 }
1383 default:
1384 break;
1385 }
1386 }
1387 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1388 exchange_type_names, message->get_exchange_type(message),
1389 message->get_request(message) ? "request" : "response",
1390 message->get_message_id(message));
1391 return status;
1392 }
1393 else
1394 {
1395 host_t *me, *other;
1396 private_ike_sa_t *new;
1397 iterator_t *iterator;
1398 child_sa_t *child;
1399 bool has_routed = FALSE;
1400
1401 me = message->get_destination(message);
1402 other = message->get_source(message);
1403
1404 /* if this IKE_SA is virgin, we check for a config */
1405 if (this->ike_cfg == NULL)
1406 {
1407 job_t *job;
1408 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1409 me, other);
1410 if (this->ike_cfg == NULL)
1411 {
1412 /* no config found for these hosts, destroy */
1413 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1414 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1415 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1416 return DESTROY_ME;
1417 }
1418 /* add a timeout if peer does not establish it completely */
1419 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1420 charon->scheduler->schedule_job(charon->scheduler, job,
1421 HALF_OPEN_IKE_SA_TIMEOUT);
1422 }
1423
1424 /* check if message is trustworthy, and update host information */
1425 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1426 message->get_exchange_type(message) != IKE_SA_INIT)
1427 {
1428 update_hosts(this, me, other);
1429 this->time.inbound = time(NULL);
1430 }
1431 status = this->task_manager->process_message(this->task_manager, message);
1432 if (status != DESTROY_ME)
1433 {
1434 return status;
1435 }
1436 /* if IKE_SA gets closed for any reasons, reroute routed children */
1437 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1438 while (iterator->iterate(iterator, (void**)&child))
1439 {
1440 if (child->get_state(child) == CHILD_ROUTED)
1441 {
1442 has_routed = TRUE;
1443 break;
1444 }
1445 }
1446 iterator->destroy(iterator);
1447 if (!has_routed)
1448 {
1449 return status;
1450 }
1451 /* move routed children to a new IKE_SA, apply connection info */
1452 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1453 charon->ike_sa_manager, TRUE);
1454 set_peer_cfg(new, this->peer_cfg);
1455 new->other_host->destroy(new->other_host);
1456 new->other_host = this->other_host->clone(this->other_host);
1457 if (!has_condition(this, COND_NAT_THERE))
1458 {
1459 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1460 }
1461 if (this->my_virtual_ip)
1462 {
1463 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1464 }
1465 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1466 while (iterator->iterate(iterator, (void**)&child))
1467 {
1468 if (child->get_state(child) == CHILD_ROUTED)
1469 {
1470 route(new, child->get_config(child));
1471 }
1472 }
1473 iterator->destroy(iterator);
1474 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1475 return status;
1476 }
1477 }
1478
1479 /**
1480 * Implementation of ike_sa_t.get_prf.
1481 */
1482 static prf_t *get_prf(private_ike_sa_t *this)
1483 {
1484 return this->prf;
1485 }
1486
1487 /**
1488 * Implementation of ike_sa_t.get_prf.
1489 */
1490 static prf_t *get_child_prf(private_ike_sa_t *this)
1491 {
1492 return this->child_prf;
1493 }
1494
1495 /**
1496 * Implementation of ike_sa_t.get_skp_bild
1497 */
1498 static chunk_t get_skp_build(private_ike_sa_t *this)
1499 {
1500 return this->skp_build;
1501 }
1502
1503 /**
1504 * Implementation of ike_sa_t.get_skp_verify
1505 */
1506 static chunk_t get_skp_verify(private_ike_sa_t *this)
1507 {
1508 return this->skp_verify;
1509 }
1510
1511 /**
1512 * Implementation of ike_sa_t.get_id.
1513 */
1514 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1515 {
1516 return this->ike_sa_id;
1517 }
1518
1519 /**
1520 * Implementation of ike_sa_t.get_my_id.
1521 */
1522 static identification_t* get_my_id(private_ike_sa_t *this)
1523 {
1524 return this->my_id;
1525 }
1526
1527 /**
1528 * Implementation of ike_sa_t.set_my_id.
1529 */
1530 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1531 {
1532 DESTROY_IF(this->my_id);
1533 this->my_id = me;
1534 }
1535
1536 /**
1537 * Implementation of ike_sa_t.get_other_id.
1538 */
1539 static identification_t* get_other_id(private_ike_sa_t *this)
1540 {
1541 return this->other_id;
1542 }
1543
1544 /**
1545 * Implementation of ike_sa_t.set_other_id.
1546 */
1547 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1548 {
1549 DESTROY_IF(this->other_id);
1550 this->other_id = other;
1551 }
1552
1553 /**
1554 * Implementation of ike_sa_t.get_eap_identity.
1555 */
1556 static identification_t* get_eap_identity(private_ike_sa_t *this)
1557 {
1558 return this->eap_identity;
1559 }
1560
1561 /**
1562 * Implementation of ike_sa_t.set_eap_identity.
1563 */
1564 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1565 {
1566 DESTROY_IF(this->eap_identity);
1567 this->eap_identity = id;
1568 }
1569
1570 /**
1571 * Implementation of ike_sa_t.derive_keys.
1572 */
1573 static status_t derive_keys(private_ike_sa_t *this,
1574 proposal_t *proposal, chunk_t secret,
1575 chunk_t nonce_i, chunk_t nonce_r,
1576 bool initiator, prf_t *child_prf, prf_t *old_prf)
1577 {
1578 prf_plus_t *prf_plus;
1579 chunk_t skeyseed, key, full_nonce, fixed_nonce, prf_plus_seed;
1580 u_int16_t alg, key_size;
1581 crypter_t *crypter_i, *crypter_r;
1582 signer_t *signer_i, *signer_r;
1583 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1584 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1585 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1586
1587 /* Create SAs general purpose PRF first, we may use it here */
1588 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
1589 {
1590 DBG1(DBG_IKE, "no %N selected",
1591 transform_type_names, PSEUDO_RANDOM_FUNCTION);
1592 return FAILED;
1593 }
1594 this->prf = lib->crypto->create_prf(lib->crypto, alg);
1595 if (this->prf == NULL)
1596 {
1597 DBG1(DBG_IKE, "%N %N not supported!",
1598 transform_type_names, PSEUDO_RANDOM_FUNCTION,
1599 pseudo_random_function_names, alg);
1600 return FAILED;
1601 }
1602 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1603 /* full nonce is used as seed for PRF+ ... */
1604 full_nonce = chunk_cat("cc", nonce_i, nonce_r);
1605 /* but the PRF may need a fixed key which only uses the first bytes of
1606 * the nonces. */
1607 switch (alg)
1608 {
1609 case PRF_AES128_XCBC:
1610 /* while rfc4434 defines variable keys for AES-XCBC, rfc3664 does
1611 * not and therefore fixed key semantics apply to XCBC for key
1612 * derivation. */
1613 nonce_i.len = min(nonce_i.len, this->prf->get_key_size(this->prf)/2);
1614 nonce_r.len = min(nonce_r.len, this->prf->get_key_size(this->prf)/2);
1615 break;
1616 default:
1617 /* all other algorithms use variable key length, full nonce */
1618 break;
1619 }
1620 fixed_nonce = chunk_cat("cc", nonce_i, nonce_r);
1621 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1622 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1623 prf_plus_seed = chunk_cat("ccc", full_nonce, spi_i, spi_r);
1624
1625 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1626 *
1627 * if we are rekeying, SKEYSEED is built on another way
1628 */
1629 if (child_prf == NULL) /* not rekeying */
1630 {
1631 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1632 this->prf->set_key(this->prf, fixed_nonce);
1633 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1634 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1635 this->prf->set_key(this->prf, skeyseed);
1636 chunk_free(&skeyseed);
1637 chunk_free(&secret);
1638 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1639 }
1640 else
1641 {
1642 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1643 * use OLD SAs PRF functions for both prf_plus and prf */
1644 secret = chunk_cat("mc", secret, full_nonce);
1645 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1646 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1647 old_prf->set_key(old_prf, skeyseed);
1648 chunk_free(&skeyseed);
1649 chunk_free(&secret);
1650 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1651 }
1652 chunk_free(&full_nonce);
1653 chunk_free(&fixed_nonce);
1654 chunk_free(&prf_plus_seed);
1655
1656 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1657
1658 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1659 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL);
1660 this->child_prf = lib->crypto->create_prf(lib->crypto, alg);
1661 key_size = this->child_prf->get_key_size(this->child_prf);
1662 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1663 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1664 this->child_prf->set_key(this->child_prf, key);
1665 chunk_free(&key);
1666
1667 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1668 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
1669 {
1670 DBG1(DBG_IKE, "no %N selected",
1671 transform_type_names, INTEGRITY_ALGORITHM);
1672 return FAILED;
1673 }
1674 signer_i = lib->crypto->create_signer(lib->crypto, alg);
1675 signer_r = lib->crypto->create_signer(lib->crypto, alg);
1676 if (signer_i == NULL || signer_r == NULL)
1677 {
1678 DBG1(DBG_IKE, "%N %N not supported!",
1679 transform_type_names, INTEGRITY_ALGORITHM,
1680 integrity_algorithm_names ,alg);
1681 prf_plus->destroy(prf_plus);
1682 return FAILED;
1683 }
1684 key_size = signer_i->get_key_size(signer_i);
1685
1686 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1687 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1688 signer_i->set_key(signer_i, key);
1689 chunk_free(&key);
1690
1691 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1692 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1693 signer_r->set_key(signer_r, key);
1694 chunk_free(&key);
1695
1696 if (initiator)
1697 {
1698 this->signer_in = signer_r;
1699 this->signer_out = signer_i;
1700 }
1701 else
1702 {
1703 this->signer_in = signer_i;
1704 this->signer_out = signer_r;
1705 }
1706
1707 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1708 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &key_size))
1709 {
1710 DBG1(DBG_IKE, "no %N selected",
1711 transform_type_names, ENCRYPTION_ALGORITHM);
1712 prf_plus->destroy(prf_plus);
1713 return FAILED;
1714 }
1715 crypter_i = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1716 crypter_r = lib->crypto->create_crypter(lib->crypto, alg, key_size / 8);
1717 if (crypter_i == NULL || crypter_r == NULL)
1718 {
1719 DBG1(DBG_IKE, "%N %N (key size %d) not supported!",
1720 transform_type_names, ENCRYPTION_ALGORITHM,
1721 encryption_algorithm_names, alg, key_size);
1722 prf_plus->destroy(prf_plus);
1723 return FAILED;
1724 }
1725 key_size = crypter_i->get_key_size(crypter_i);
1726
1727 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1728 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1729 crypter_i->set_key(crypter_i, key);
1730 chunk_free(&key);
1731
1732 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1733 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1734 crypter_r->set_key(crypter_r, key);
1735 chunk_free(&key);
1736
1737 if (initiator)
1738 {
1739 this->crypter_in = crypter_r;
1740 this->crypter_out = crypter_i;
1741 }
1742 else
1743 {
1744 this->crypter_in = crypter_i;
1745 this->crypter_out = crypter_r;
1746 }
1747
1748 /* SK_pi/SK_pr used for authentication => stored for later */
1749 key_size = this->prf->get_key_size(this->prf);
1750 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1751 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1752 if (initiator)
1753 {
1754 this->skp_build = key;
1755 }
1756 else
1757 {
1758 this->skp_verify = key;
1759 }
1760 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1761 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1762 if (initiator)
1763 {
1764 this->skp_verify = key;
1765 }
1766 else
1767 {
1768 this->skp_build = key;
1769 }
1770
1771 /* all done, prf_plus not needed anymore */
1772 prf_plus->destroy(prf_plus);
1773
1774 return SUCCESS;
1775 }
1776
1777 /**
1778 * Implementation of ike_sa_t.get_proposal.
1779 */
1780 static char* get_proposal(private_ike_sa_t *this)
1781 {
1782 return this->selected_proposal;
1783 }
1784
1785 /**
1786 * Implementation of ike_sa_t.set_proposal.
1787 */
1788 static void set_proposal(private_ike_sa_t *this, char *proposal)
1789 {
1790 free(this->selected_proposal);
1791 this->selected_proposal = strdup(proposal);
1792 }
1793
1794 /**
1795 * Implementation of ike_sa_t.add_child_sa.
1796 */
1797 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1798 {
1799 this->child_sas->insert_last(this->child_sas, child_sa);
1800 }
1801
1802 /**
1803 * Implementation of ike_sa_t.get_child_sa.
1804 */
1805 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1806 u_int32_t spi, bool inbound)
1807 {
1808 iterator_t *iterator;
1809 child_sa_t *current, *found = NULL;
1810
1811 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1812 while (iterator->iterate(iterator, (void**)&current))
1813 {
1814 if (current->get_spi(current, inbound) == spi &&
1815 current->get_protocol(current) == protocol)
1816 {
1817 found = current;
1818 }
1819 }
1820 iterator->destroy(iterator);
1821 return found;
1822 }
1823
1824 /**
1825 * Implementation of ike_sa_t.create_child_sa_iterator.
1826 */
1827 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1828 {
1829 return this->child_sas->create_iterator(this->child_sas, TRUE);
1830 }
1831
1832 /**
1833 * Implementation of ike_sa_t.rekey_child_sa.
1834 */
1835 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1836 {
1837 child_sa_t *child_sa;
1838 child_rekey_t *child_rekey;
1839
1840 child_sa = get_child_sa(this, protocol, spi, TRUE);
1841 if (child_sa)
1842 {
1843 child_rekey = child_rekey_create(&this->public, child_sa);
1844 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1845 return this->task_manager->initiate(this->task_manager);
1846 }
1847 return FAILED;
1848 }
1849
1850 /**
1851 * Implementation of ike_sa_t.delete_child_sa.
1852 */
1853 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1854 {
1855 child_sa_t *child_sa;
1856 child_delete_t *child_delete;
1857
1858 child_sa = get_child_sa(this, protocol, spi, TRUE);
1859 if (child_sa)
1860 {
1861 child_delete = child_delete_create(&this->public, child_sa);
1862 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1863 return this->task_manager->initiate(this->task_manager);
1864 }
1865 return FAILED;
1866 }
1867
1868 /**
1869 * Implementation of ike_sa_t.destroy_child_sa.
1870 */
1871 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1872 u_int32_t spi)
1873 {
1874 iterator_t *iterator;
1875 child_sa_t *child_sa;
1876 status_t status = NOT_FOUND;
1877
1878 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1879 while (iterator->iterate(iterator, (void**)&child_sa))
1880 {
1881 if (child_sa->get_protocol(child_sa) == protocol &&
1882 child_sa->get_spi(child_sa, TRUE) == spi)
1883 {
1884 child_sa->destroy(child_sa);
1885 iterator->remove(iterator);
1886 status = SUCCESS;
1887 break;
1888 }
1889 }
1890 iterator->destroy(iterator);
1891 return status;
1892 }
1893
1894 /**
1895 * Implementation of public_ike_sa_t.delete.
1896 */
1897 static status_t delete_(private_ike_sa_t *this)
1898 {
1899 ike_delete_t *ike_delete;
1900
1901 switch (this->state)
1902 {
1903 case IKE_ESTABLISHED:
1904 case IKE_REKEYING:
1905 ike_delete = ike_delete_create(&this->public, TRUE);
1906 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1907 return this->task_manager->initiate(this->task_manager);
1908 case IKE_CREATED:
1909 SIG_IKE(DOWN_SUCCESS, "deleting unestablished IKE_SA");
1910 break;
1911 default:
1912 SIG_IKE(DOWN_SUCCESS, "destroying IKE_SA in state %N "
1913 "without notification", ike_sa_state_names, this->state);
1914 break;
1915 }
1916 return DESTROY_ME;
1917 }
1918
1919 /**
1920 * Implementation of ike_sa_t.rekey.
1921 */
1922 static status_t rekey(private_ike_sa_t *this)
1923 {
1924 ike_rekey_t *ike_rekey;
1925
1926 ike_rekey = ike_rekey_create(&this->public, TRUE);
1927
1928 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1929 return this->task_manager->initiate(this->task_manager);
1930 }
1931
1932 /**
1933 * Implementation of ike_sa_t.reauth
1934 */
1935 static status_t reauth(private_ike_sa_t *this)
1936 {
1937 task_t *task;
1938
1939 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1940 * If the peer does not support RFC4478, there is no way to keep the
1941 * IKE_SA up. */
1942 if (!this->ike_initiator)
1943 {
1944 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1945 if (this->other_virtual_ip != NULL ||
1946 has_condition(this, COND_EAP_AUTHENTICATED)
1947 #ifdef ME
1948 /* if we are mediation server we too cannot reauth the IKE_SA */
1949 || this->is_mediation_server
1950 #endif /* ME */
1951 )
1952 {
1953 time_t now = time(NULL);
1954
1955 DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
1956 return FAILED;
1957 }
1958 else
1959 {
1960 DBG1(DBG_IKE, "reauthenticating actively");
1961 }
1962 }
1963 task = (task_t*)ike_reauth_create(&this->public);
1964 this->task_manager->queue_task(this->task_manager, task);
1965
1966 return this->task_manager->initiate(this->task_manager);
1967 }
1968
1969 /**
1970 * Implementation of ike_sa_t.reestablish
1971 */
1972 static status_t reestablish(private_ike_sa_t *this)
1973 {
1974 ike_sa_t *new;
1975 host_t *host;
1976 action_t action;
1977 iterator_t *iterator;
1978 child_sa_t *child_sa;
1979 child_cfg_t *child_cfg;
1980 bool required = FALSE;
1981 status_t status = FAILED;
1982
1983 /* check if we have children to keep up at all*/
1984 iterator = create_child_sa_iterator(this);
1985 while (iterator->iterate(iterator, (void**)&child_sa))
1986 {
1987 child_cfg = child_sa->get_config(child_sa);
1988 if (this->state == IKE_DELETING)
1989 {
1990 action = child_cfg->get_close_action(child_cfg);
1991 }
1992 else
1993 {
1994 action = child_cfg->get_dpd_action(child_cfg);
1995 }
1996 switch (action)
1997 {
1998 case ACTION_RESTART:
1999 case ACTION_ROUTE:
2000 required = TRUE;
2001 default:
2002 break;
2003 }
2004 }
2005 iterator->destroy(iterator);
2006 #ifdef ME
2007 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
2008 if (this->peer_cfg->is_mediation(this->peer_cfg))
2009 {
2010 required = TRUE;
2011 }
2012 #endif /* ME */
2013 if (!required)
2014 {
2015 return FAILED;
2016 }
2017
2018 /* check if we are able to reestablish this IKE_SA */
2019 if (!this->ike_initiator &&
2020 (this->other_virtual_ip != NULL ||
2021 has_condition(this, COND_EAP_AUTHENTICATED)
2022 #ifdef ME
2023 || this->is_mediation_server
2024 #endif /* ME */
2025 ))
2026 {
2027 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
2028 return FAILED;
2029 }
2030
2031 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
2032 new->set_peer_cfg(new, this->peer_cfg);
2033 host = this->other_host;
2034 new->set_other_host(new, host->clone(host));
2035 host = this->my_host;
2036 new->set_my_host(new, host->clone(host));
2037 /* if we already have a virtual IP, we reuse it */
2038 host = this->my_virtual_ip;
2039 if (host)
2040 {
2041 new->set_virtual_ip(new, TRUE, host);
2042 }
2043
2044 #ifdef ME
2045 if (this->peer_cfg->is_mediation(this->peer_cfg))
2046 {
2047 status = new->initiate(new, NULL);
2048 }
2049 else
2050 #endif /* ME */
2051 {
2052 iterator = create_child_sa_iterator(this);
2053 while (iterator->iterate(iterator, (void**)&child_sa))
2054 {
2055 child_cfg = child_sa->get_config(child_sa);
2056 if (this->state == IKE_DELETING)
2057 {
2058 action = child_cfg->get_close_action(child_cfg);
2059 }
2060 else
2061 {
2062 action = child_cfg->get_dpd_action(child_cfg);
2063 }
2064 switch (action)
2065 {
2066 case ACTION_RESTART:
2067 DBG1(DBG_IKE, "restarting CHILD_SA %s",
2068 child_cfg->get_name(child_cfg));
2069 child_cfg->get_ref(child_cfg);
2070 status = new->initiate(new, child_cfg);
2071 break;
2072 case ACTION_ROUTE:
2073 status = new->route(new, child_cfg);
2074 break;
2075 default:
2076 continue;
2077 }
2078 if (status == DESTROY_ME)
2079 {
2080 break;
2081 }
2082 }
2083 iterator->destroy(iterator);
2084 }
2085
2086 if (status == DESTROY_ME)
2087 {
2088 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2089 return FAILED;
2090 }
2091 else
2092 {
2093 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2094 return SUCCESS;
2095 }
2096 }
2097
2098 /**
2099 * Implementation of ike_sa_t.retransmit.
2100 */
2101 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
2102 {
2103 this->time.outbound = time(NULL);
2104 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2105 {
2106 /* send a proper signal to brief interested bus listeners */
2107 switch (this->state)
2108 {
2109 case IKE_CONNECTING:
2110 {
2111 /* retry IKE_SA_INIT if we have multiple keyingtries */
2112 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2113 this->keyingtry++;
2114 if (tries == 0 || tries > this->keyingtry)
2115 {
2116 SIG_IKE(UP_FAILED, "peer not responding, trying again "
2117 "(%d/%d) in background ", this->keyingtry + 1, tries);
2118 reset(this);
2119 return this->task_manager->initiate(this->task_manager);
2120 }
2121 SIG_IKE(UP_FAILED, "establishing IKE_SA failed, peer not responding");
2122 break;
2123 }
2124 case IKE_DELETING:
2125 SIG_IKE(DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
2126 break;
2127 case IKE_REKEYING:
2128 SIG_IKE(REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
2129 /* FALL */
2130 default:
2131 reestablish(this);
2132 break;
2133 }
2134 return DESTROY_ME;
2135 }
2136 return SUCCESS;
2137 }
2138
2139 /**
2140 * Implementation of ike_sa_t.set_auth_lifetime.
2141 */
2142 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
2143 {
2144 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
2145 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
2146
2147 if (lifetime < reduction)
2148 {
2149 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
2150 lifetime);
2151 charon->processor->queue_job(charon->processor,
2152 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2153 }
2154 else if (this->time.reauth == 0 || this->time.reauth > reauth_time)
2155 {
2156 this->time.reauth = reauth_time;
2157 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
2158 " in %ds", lifetime, lifetime - reduction);
2159 charon->scheduler->schedule_job(charon->scheduler,
2160 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2161 (lifetime - reduction) * 1000);
2162 }
2163 else
2164 {
2165 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
2166 "scheduled in %ds", lifetime, this->time.reauth - time(NULL));
2167 }
2168 }
2169
2170 /**
2171 * Implementation of ike_sa_t.roam.
2172 */
2173 static status_t roam(private_ike_sa_t *this, bool address)
2174 {
2175 host_t *me, *other;
2176 ike_mobike_t *mobike;
2177
2178 switch (this->state)
2179 {
2180 case IKE_CREATED:
2181 case IKE_DELETING:
2182 return SUCCESS;
2183 default:
2184 break;
2185 }
2186 /* responder just updates the peer about changed address config */
2187 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
2188 {
2189 if (supports_extension(this, EXT_MOBIKE) && address)
2190 {
2191 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2192 mobike = ike_mobike_create(&this->public, TRUE);
2193 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2194 return this->task_manager->initiate(this->task_manager);
2195 }
2196 return SUCCESS;
2197 }
2198
2199 /* get best address pair to use */
2200 other = this->other_host;
2201 me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
2202 other);
2203
2204 if (me)
2205 {
2206 if (me->ip_equals(me, this->my_host) &&
2207 other->ip_equals(other, this->other_host))
2208 {
2209 DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
2210 me->destroy(me);
2211 return SUCCESS;
2212 }
2213 me->destroy(me);
2214 }
2215
2216 /* update addresses with mobike, if supported ... */
2217 if (supports_extension(this, EXT_MOBIKE))
2218 {
2219 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2220 mobike = ike_mobike_create(&this->public, TRUE);
2221 mobike->roam(mobike, address);
2222 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2223 return this->task_manager->initiate(this->task_manager);
2224 }
2225 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2226 /* ... reauth if not */
2227 return reauth(this);
2228 }
2229
2230 /**
2231 * Implementation of ike_sa_t.inherit.
2232 */
2233 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2234 {
2235 child_sa_t *child_sa;
2236 host_t *ip;
2237
2238 /* apply hosts and ids */
2239 this->my_host->destroy(this->my_host);
2240 this->other_host->destroy(this->other_host);
2241 this->my_id->destroy(this->my_id);
2242 this->other_id->destroy(this->other_id);
2243 this->my_host = other->my_host->clone(other->my_host);
2244 this->other_host = other->other_host->clone(other->other_host);
2245 this->my_id = other->my_id->clone(other->my_id);
2246 this->other_id = other->other_id->clone(other->other_id);
2247 this->ike_initiator = other->ike_initiator;
2248
2249 /* apply virtual assigned IPs... */
2250 if (other->my_virtual_ip)
2251 {
2252 this->my_virtual_ip = other->my_virtual_ip;
2253 other->my_virtual_ip = NULL;
2254 }
2255 if (other->other_virtual_ip)
2256 {
2257 this->other_virtual_ip = other->other_virtual_ip;
2258 other->other_virtual_ip = NULL;
2259 }
2260
2261 /* ... and DNS servers */
2262 while (other->dns_servers->remove_last(other->dns_servers,
2263 (void**)&ip) == SUCCESS)
2264 {
2265 this->dns_servers->insert_first(this->dns_servers, ip);
2266 }
2267
2268 /* inherit NAT-T conditions */
2269 this->conditions = other->conditions;
2270 if (this->conditions & COND_NAT_HERE)
2271 {
2272 send_keepalive(this);
2273 }
2274
2275 #ifdef ME
2276 if (other->is_mediation_server)
2277 {
2278 act_as_mediation_server(this);
2279 }
2280 else if (other->server_reflexive_host)
2281 {
2282 this->server_reflexive_host = other->server_reflexive_host->clone(
2283 other->server_reflexive_host);
2284 }
2285 #endif /* ME */
2286
2287 /* adopt all children */
2288 while (other->child_sas->remove_last(other->child_sas,
2289 (void**)&child_sa) == SUCCESS)
2290 {
2291 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2292 }
2293
2294 /* move pending tasks to the new IKE_SA */
2295 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2296
2297 /* reauthentication timeout survives a rekeying */
2298 if (other->time.reauth)
2299 {
2300 time_t reauth, delete, now = time(NULL);
2301
2302 this->time.reauth = other->time.reauth;
2303 reauth = this->time.reauth - now;
2304 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2305 this->time.delete = this->time.reauth + delete;
2306 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2307 "lifetime reduced to %ds", reauth, delete);
2308 charon->scheduler->schedule_job(charon->scheduler,
2309 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2310 reauth * 1000);
2311 charon->scheduler->schedule_job(charon->scheduler,
2312 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2313 delete * 1000);
2314 }
2315 /* we have to initate here, there may be new tasks to handle */
2316 return this->task_manager->initiate(this->task_manager);
2317 }
2318
2319 /**
2320 * Implementation of ike_sa_t.remove_dns_server
2321 */
2322 static void remove_dns_servers(private_ike_sa_t *this)
2323 {
2324 FILE *file;
2325 struct stat stats;
2326 chunk_t contents, line, orig_line, token;
2327 char string[INET6_ADDRSTRLEN];
2328 host_t *ip;
2329 iterator_t *iterator;
2330
2331 if (this->dns_servers->get_count(this->dns_servers) == 0)
2332 {
2333 /* don't touch anything if we have no nameservers installed */
2334 return;
2335 }
2336
2337 file = fopen(RESOLV_CONF, "r");
2338 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2339 {
2340 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2341 RESOLV_CONF, strerror(errno));
2342 return;
2343 }
2344
2345 contents = chunk_alloca((size_t)stats.st_size);
2346
2347 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2348 {
2349 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2350 fclose(file);
2351 return;
2352 }
2353
2354 fclose(file);
2355 file = fopen(RESOLV_CONF, "w");
2356 if (file == NULL)
2357 {
2358 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2359 RESOLV_CONF, strerror(errno));
2360 return;
2361 }
2362
2363 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2364 while (fetchline(&contents, &line))
2365 {
2366 bool found = FALSE;
2367 orig_line = line;
2368 if (extract_token(&token, ' ', &line) &&
2369 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2370 {
2371 if (!extract_token(&token, ' ', &line))
2372 {
2373 token = line;
2374 }
2375 iterator->reset(iterator);
2376 while (iterator->iterate(iterator, (void**)&ip))
2377 {
2378 snprintf(string, sizeof(string), "%H", ip);
2379 if (strlen(string) == token.len &&
2380 strncmp(token.ptr, string, token.len) == 0)
2381 {
2382 iterator->remove(iterator);
2383 ip->destroy(ip);
2384 found = TRUE;
2385 break;
2386 }
2387 }
2388 }
2389
2390 if (!found)
2391 {
2392 /* write line untouched back to file */
2393 fwrite(orig_line.ptr, orig_line.len, 1, file);
2394 fprintf(file, "\n");
2395 }
2396 }
2397 iterator->destroy(iterator);
2398 fclose(file);
2399 }
2400
2401 /**
2402 * Implementation of ike_sa_t.add_dns_server
2403 */
2404 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2405 {
2406 FILE *file;
2407 struct stat stats;
2408 chunk_t contents;
2409
2410 DBG1(DBG_IKE, "installing DNS server %H", dns);
2411
2412 file = fopen(RESOLV_CONF, "a+");
2413 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2414 {
2415 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2416 RESOLV_CONF, strerror(errno));
2417 return;
2418 }
2419
2420 contents = chunk_alloca(stats.st_size);
2421
2422 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2423 {
2424 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2425 fclose(file);
2426 return;
2427 }
2428
2429 fclose(file);
2430 file = fopen(RESOLV_CONF, "w");
2431 if (file == NULL)
2432 {
2433 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2434 RESOLV_CONF, strerror(errno));
2435 return;
2436 }
2437
2438 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2439 dns, this->other_id) < 0)
2440 {
2441 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2442 }
2443 else
2444 {
2445 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2446 }
2447 fwrite(contents.ptr, contents.len, 1, file);
2448
2449 fclose(file);
2450 }
2451
2452 /**
2453 * Implementation of ike_sa_t.destroy.
2454 */
2455 static void destroy(private_ike_sa_t *this)
2456 {
2457 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2458
2459 this->task_manager->destroy(this->task_manager);
2460
2461 DESTROY_IF(this->crypter_in);
2462 DESTROY_IF(this->crypter_out);
2463 DESTROY_IF(this->signer_in);
2464 DESTROY_IF(this->signer_out);
2465 DESTROY_IF(this->prf);
2466 DESTROY_IF(this->child_prf);
2467 chunk_free(&this->skp_verify);
2468 chunk_free(&this->skp_build);
2469 free(this->selected_proposal);
2470
2471 if (this->my_virtual_ip)
2472 {
2473 charon->kernel_interface->del_ip(charon->kernel_interface,
2474 this->my_virtual_ip);
2475 this->my_virtual_ip->destroy(this->my_virtual_ip);
2476 }
2477 if (this->other_virtual_ip)
2478 {
2479 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2480 {
2481 charon->attributes->release_address(charon->attributes,
2482 this->peer_cfg->get_pool(this->peer_cfg),
2483 this->other_virtual_ip);
2484 }
2485 this->other_virtual_ip->destroy(this->other_virtual_ip);
2486 }
2487
2488 remove_dns_servers(this);
2489 this->dns_servers->destroy_offset(this->dns_servers,
2490 offsetof(host_t, destroy));
2491 this->additional_addresses->destroy_offset(this->additional_addresses,
2492 offsetof(host_t, destroy));
2493 #ifdef ME
2494 if (this->is_mediation_server)
2495 {
2496 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2497 }
2498 DESTROY_IF(this->server_reflexive_host);
2499 chunk_free(&this->connect_id);
2500 #endif /* ME */
2501
2502 DESTROY_IF(this->my_host);
2503 DESTROY_IF(this->other_host);
2504 DESTROY_IF(this->my_id);
2505 DESTROY_IF(this->other_id);
2506 DESTROY_IF(this->eap_identity);
2507
2508 DESTROY_IF(this->ike_cfg);
2509 DESTROY_IF(this->peer_cfg);
2510 DESTROY_IF(this->my_auth);
2511 DESTROY_IF(this->other_auth);
2512
2513 this->ike_sa_id->destroy(this->ike_sa_id);
2514 free(this);
2515 }
2516
2517 /*
2518 * Described in header.
2519 */
2520 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2521 {
2522 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2523 static u_int32_t unique_id = 0;
2524
2525 /* Public functions */
2526 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2527 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2528 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2529 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2530 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2531 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2532 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2533 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2534 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2535 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2536 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2537 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2538 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2539 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2540 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2541 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2542 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2543 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2544 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2545 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2546 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2547 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2548 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2549 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2550 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2551 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2552 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2553 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2554 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2555 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2556 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2557 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2558 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2559 this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
2560 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2561 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2562 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2563 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2564 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2565 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2566 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2567 this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
2568 this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
2569 this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
2570 this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
2571 this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
2572 this->public.get_proposal = (char* (*)(ike_sa_t*)) get_proposal;
2573 this->public.set_proposal = (void (*)(ike_sa_t*,char*)) set_proposal;
2574 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2575 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2576 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2577 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2578 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2579 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2580 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2581 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2582 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2583 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2584 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2585 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2586 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2587 this->public.reset = (void (*)(ike_sa_t*))reset;
2588 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2589 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2590 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2591 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2592 #ifdef ME
2593 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2594 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2595 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2596 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2597 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2598 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2599 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2600 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2601 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2602 #endif /* ME */
2603
2604 /* initialize private fields */
2605 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2606 this->child_sas = linked_list_create();
2607 this->my_host = host_create_from_string("0.0.0.0", IKEV2_UDP_PORT);
2608 this->other_host = host_create_from_string("0.0.0.0", IKEV2_UDP_PORT);
2609 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2610 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2611 this->eap_identity = NULL;
2612 this->extensions = 0;
2613 this->conditions = 0;
2614 this->selected_proposal = NULL;
2615 this->crypter_in = NULL;
2616 this->crypter_out = NULL;
2617 this->signer_in = NULL;
2618 this->signer_out = NULL;
2619 this->prf = NULL;
2620 this->skp_verify = chunk_empty;
2621 this->skp_build = chunk_empty;
2622 this->child_prf = NULL;
2623 this->state = IKE_CREATED;
2624 this->keepalive_interval = lib->settings->get_int(lib->settings,
2625 "charon.keep_alive", KEEPALIVE_INTERVAL);
2626 this->time.inbound = this->time.outbound = time(NULL);
2627 this->time.established = 0;
2628 this->time.rekey = 0;
2629 this->time.reauth = 0;
2630 this->time.delete = 0;
2631 this->ike_cfg = NULL;
2632 this->peer_cfg = NULL;
2633 this->my_auth = auth_info_create();
2634 this->other_auth = auth_info_create();
2635 this->task_manager = task_manager_create(&this->public);
2636 this->unique_id = ++unique_id;
2637 this->my_virtual_ip = NULL;
2638 this->other_virtual_ip = NULL;
2639 this->dns_servers = linked_list_create();
2640 this->additional_addresses = linked_list_create();
2641 this->pending_updates = 0;
2642 this->keyingtry = 0;
2643 this->ike_initiator = FALSE;
2644 #ifdef ME
2645 this->is_mediation_server = FALSE;
2646 this->server_reflexive_host = NULL;
2647 this->connect_id = chunk_empty;
2648 #endif /* ME */
2649
2650 return &this->public;
2651 }