%any is IP family neutral
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2008 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26
27 #include "ike_sa.h"
28
29 #include <library.h>
30 #include <daemon.h>
31 #include <utils/linked_list.h>
32 #include <utils/lexparser.h>
33 #include <crypto/diffie_hellman.h>
34 #include <crypto/prf_plus.h>
35 #include <crypto/crypters/crypter.h>
36 #include <crypto/hashers/hasher.h>
37 #include <encoding/payloads/sa_payload.h>
38 #include <encoding/payloads/nonce_payload.h>
39 #include <encoding/payloads/ke_payload.h>
40 #include <encoding/payloads/delete_payload.h>
41 #include <encoding/payloads/transform_substructure.h>
42 #include <encoding/payloads/transform_attribute.h>
43 #include <encoding/payloads/ts_payload.h>
44 #include <sa/task_manager.h>
45 #include <sa/tasks/ike_init.h>
46 #include <sa/tasks/ike_natd.h>
47 #include <sa/tasks/ike_mobike.h>
48 #include <sa/tasks/ike_auth.h>
49 #include <sa/tasks/ike_auth_lifetime.h>
50 #include <sa/tasks/ike_config.h>
51 #include <sa/tasks/ike_cert_pre.h>
52 #include <sa/tasks/ike_cert_post.h>
53 #include <sa/tasks/ike_rekey.h>
54 #include <sa/tasks/ike_reauth.h>
55 #include <sa/tasks/ike_delete.h>
56 #include <sa/tasks/ike_dpd.h>
57 #include <sa/tasks/child_create.h>
58 #include <sa/tasks/child_delete.h>
59 #include <sa/tasks/child_rekey.h>
60 #include <processing/jobs/retransmit_job.h>
61 #include <processing/jobs/delete_ike_sa_job.h>
62 #include <processing/jobs/send_dpd_job.h>
63 #include <processing/jobs/send_keepalive_job.h>
64 #include <processing/jobs/rekey_ike_sa_job.h>
65
66 #ifdef ME
67 #include <sa/tasks/ike_me.h>
68 #include <processing/jobs/initiate_mediation_job.h>
69 #endif
70
71 #ifndef RESOLV_CONF
72 #define RESOLV_CONF "/etc/resolv.conf"
73 #endif
74
75 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
76 "CREATED",
77 "CONNECTING",
78 "ESTABLISHED",
79 "REKEYING",
80 "DELETING",
81 "DESTROYING",
82 );
83
84 typedef struct private_ike_sa_t private_ike_sa_t;
85
86 /**
87 * Private data of an ike_sa_t object.
88 */
89 struct private_ike_sa_t {
90
91 /**
92 * Public members
93 */
94 ike_sa_t public;
95
96 /**
97 * Identifier for the current IKE_SA.
98 */
99 ike_sa_id_t *ike_sa_id;
100
101 /**
102 * unique numerical ID for this IKE_SA.
103 */
104 u_int32_t unique_id;
105
106 /**
107 * Current state of the IKE_SA
108 */
109 ike_sa_state_t state;
110
111 /**
112 * IKE configuration used to set up this IKE_SA
113 */
114 ike_cfg_t *ike_cfg;
115
116 /**
117 * Peer and authentication information to establish IKE_SA.
118 */
119 peer_cfg_t *peer_cfg;
120
121 /**
122 * associated authentication/authorization info for local peer
123 */
124 auth_info_t *my_auth;
125
126 /**
127 * associated authentication/authorization info for remote peer
128 */
129 auth_info_t *other_auth;
130
131 /**
132 * Selected IKE proposal
133 */
134 proposal_t *proposal;
135
136 /**
137 * Juggles tasks to process messages
138 */
139 task_manager_t *task_manager;
140
141 /**
142 * Address of local host
143 */
144 host_t *my_host;
145
146 /**
147 * Address of remote host
148 */
149 host_t *other_host;
150
151 #ifdef ME
152 /**
153 * Are we mediation server
154 */
155 bool is_mediation_server;
156
157 /**
158 * Server reflexive host
159 */
160 host_t *server_reflexive_host;
161
162 /**
163 * Connect ID
164 */
165 chunk_t connect_id;
166 #endif /* ME */
167
168 /**
169 * Identification used for us
170 */
171 identification_t *my_id;
172
173 /**
174 * Identification used for other
175 */
176 identification_t *other_id;
177
178 /**
179 * EAP Identity exchange in EAP-Identity method
180 */
181 identification_t *eap_identity;;
182
183 /**
184 * set of extensions the peer supports
185 */
186 ike_extension_t extensions;
187
188 /**
189 * set of condition flags currently enabled for this IKE_SA
190 */
191 ike_condition_t conditions;
192
193 /**
194 * Linked List containing the child sa's of the current IKE_SA.
195 */
196 linked_list_t *child_sas;
197
198 /**
199 * keymat of this IKE_SA
200 */
201 keymat_t *keymat;
202
203 /**
204 * Virtual IP on local host, if any
205 */
206 host_t *my_virtual_ip;
207
208 /**
209 * Virtual IP on remote host, if any
210 */
211 host_t *other_virtual_ip;
212
213 /**
214 * List of DNS servers installed by us
215 */
216 linked_list_t *dns_servers;
217
218 /**
219 * list of peers additional addresses, transmitted via MOBIKE
220 */
221 linked_list_t *additional_addresses;
222
223 /**
224 * previously value of received DESTINATION_IP hash
225 */
226 chunk_t nat_detection_dest;
227
228 /**
229 * number pending UPDATE_SA_ADDRESS (MOBIKE)
230 */
231 u_int32_t pending_updates;
232
233 /**
234 * NAT keep alive interval
235 */
236 u_int32_t keepalive_interval;
237
238 /**
239 * Timestamps for this IKE_SA
240 */
241 u_int32_t stats[STAT_MAX];
242
243 /**
244 * how many times we have retried so far (keyingtries)
245 */
246 u_int32_t keyingtry;
247
248 /**
249 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
250 */
251 bool ike_initiator;
252 };
253
254 /**
255 * get the time of the latest traffic processed by the kernel
256 */
257 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
258 {
259 enumerator_t *enumerator;
260 child_sa_t *child_sa;
261 time_t use_time;
262
263 if (inbound)
264 {
265 use_time = this->stats[STAT_INBOUND];
266 }
267 else
268 {
269 use_time = this->stats[STAT_OUTBOUND];
270 }
271 enumerator = this->child_sas->create_enumerator(this->child_sas);
272 while (enumerator->enumerate(enumerator, &child_sa))
273 {
274 use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
275 }
276 enumerator->destroy(enumerator);
277
278 return use_time;
279 }
280
281 /**
282 * Implementation of ike_sa_t.get_unique_id
283 */
284 static u_int32_t get_unique_id(private_ike_sa_t *this)
285 {
286 return this->unique_id;
287 }
288
289 /**
290 * Implementation of ike_sa_t.get_name.
291 */
292 static char *get_name(private_ike_sa_t *this)
293 {
294 if (this->peer_cfg)
295 {
296 return this->peer_cfg->get_name(this->peer_cfg);
297 }
298 return "(unnamed)";
299 }
300
301 /**
302 * Implementation of ike_sa_t.get_statistic.
303 */
304 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
305 {
306 if (kind < STAT_MAX)
307 {
308 return this->stats[kind];
309 }
310 return 0;
311 }
312
313 /**
314 * Implementation of ike_sa_t.get_my_host.
315 */
316 static host_t *get_my_host(private_ike_sa_t *this)
317 {
318 return this->my_host;
319 }
320
321 /**
322 * Implementation of ike_sa_t.set_my_host.
323 */
324 static void set_my_host(private_ike_sa_t *this, host_t *me)
325 {
326 DESTROY_IF(this->my_host);
327 this->my_host = me;
328 }
329
330 /**
331 * Implementation of ike_sa_t.get_other_host.
332 */
333 static host_t *get_other_host(private_ike_sa_t *this)
334 {
335 return this->other_host;
336 }
337
338 /**
339 * Implementation of ike_sa_t.set_other_host.
340 */
341 static void set_other_host(private_ike_sa_t *this, host_t *other)
342 {
343 DESTROY_IF(this->other_host);
344 this->other_host = other;
345 }
346
347 /**
348 * Implementation of ike_sa_t.get_peer_cfg
349 */
350 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
351 {
352 return this->peer_cfg;
353 }
354
355 /**
356 * Implementation of ike_sa_t.set_peer_cfg
357 */
358 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
359 {
360 DESTROY_IF(this->peer_cfg);
361 peer_cfg->get_ref(peer_cfg);
362 this->peer_cfg = peer_cfg;
363
364 if (this->ike_cfg == NULL)
365 {
366 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
367 this->ike_cfg->get_ref(this->ike_cfg);
368 }
369 /* apply IDs if they are not already set */
370 if (this->my_id->contains_wildcards(this->my_id))
371 {
372 DESTROY_IF(this->my_id);
373 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
374 this->my_id = this->my_id->clone(this->my_id);
375 }
376 if (this->other_id->contains_wildcards(this->other_id))
377 {
378 DESTROY_IF(this->other_id);
379 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
380 this->other_id = this->other_id->clone(this->other_id);
381 }
382 }
383
384 /**
385 * Implementation of ike_sa_t.get_my_auth.
386 */
387 static auth_info_t* get_my_auth(private_ike_sa_t *this)
388 {
389 return this->my_auth;
390 }
391
392 /**
393 * Implementation of ike_sa_t.get_other_auth.
394 */
395 static auth_info_t* get_other_auth(private_ike_sa_t *this)
396 {
397 return this->other_auth;
398 }
399
400 /**
401 * Implementation of ike_sa_t.get_proposal
402 */
403 static proposal_t* get_proposal(private_ike_sa_t *this)
404 {
405 return this->proposal;
406 }
407
408 /**
409 * Implementation of ike_sa_t.set_proposal
410 */
411 static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
412 {
413 DESTROY_IF(this->proposal);
414 this->proposal = proposal->clone(proposal);
415 }
416
417 /**
418 * Implementation of ike_sa_t.send_keepalive
419 */
420 static void send_keepalive(private_ike_sa_t *this)
421 {
422 send_keepalive_job_t *job;
423 time_t last_out, now, diff;
424
425 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
426 { /* disable keep alives if we are not NATed anymore */
427 return;
428 }
429
430 last_out = get_use_time(this, FALSE);
431 now = time(NULL);
432
433 diff = now - last_out;
434
435 if (diff >= this->keepalive_interval)
436 {
437 packet_t *packet;
438 chunk_t data;
439
440 packet = packet_create();
441 packet->set_source(packet, this->my_host->clone(this->my_host));
442 packet->set_destination(packet, this->other_host->clone(this->other_host));
443 data.ptr = malloc(1);
444 data.ptr[0] = 0xFF;
445 data.len = 1;
446 packet->set_data(packet, data);
447 DBG1(DBG_IKE, "sending keep alive");
448 charon->sender->send(charon->sender, packet);
449 diff = 0;
450 }
451 job = send_keepalive_job_create(this->ike_sa_id);
452 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
453 (this->keepalive_interval - diff) * 1000);
454 }
455
456 /**
457 * Implementation of ike_sa_t.get_ike_cfg
458 */
459 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
460 {
461 return this->ike_cfg;
462 }
463
464 /**
465 * Implementation of ike_sa_t.set_ike_cfg
466 */
467 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
468 {
469 ike_cfg->get_ref(ike_cfg);
470 this->ike_cfg = ike_cfg;
471 }
472
473 /**
474 * Implementation of ike_sa_t.is_ike_initiator
475 */
476 static bool is_ike_initiator(private_ike_sa_t *this)
477 {
478 return this->ike_initiator;
479 }
480
481 /**
482 * Implementation of ike_sa_t.enable_extension.
483 */
484 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
485 {
486 this->extensions |= extension;
487 }
488
489 /**
490 * Implementation of ike_sa_t.has_extension.
491 */
492 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
493 {
494 return (this->extensions & extension) != FALSE;
495 }
496
497 /**
498 * Implementation of ike_sa_t.has_condition.
499 */
500 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
501 {
502 return (this->conditions & condition) != FALSE;
503 }
504
505 /**
506 * Implementation of ike_sa_t.enable_condition.
507 */
508 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
509 bool enable)
510 {
511 if (has_condition(this, condition) != enable)
512 {
513 if (enable)
514 {
515 this->conditions |= condition;
516 switch (condition)
517 {
518 case COND_NAT_HERE:
519 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
520 this->conditions |= COND_NAT_ANY;
521 send_keepalive(this);
522 break;
523 case COND_NAT_THERE:
524 DBG1(DBG_IKE, "remote host is behind NAT");
525 this->conditions |= COND_NAT_ANY;
526 break;
527 case COND_NAT_FAKE:
528 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
529 this->conditions |= COND_NAT_ANY;
530 break;
531 default:
532 break;
533 }
534 }
535 else
536 {
537 this->conditions &= ~condition;
538 switch (condition)
539 {
540 case COND_NAT_HERE:
541 case COND_NAT_FAKE:
542 case COND_NAT_THERE:
543 set_condition(this, COND_NAT_ANY,
544 has_condition(this, COND_NAT_HERE) ||
545 has_condition(this, COND_NAT_THERE) ||
546 has_condition(this, COND_NAT_FAKE));
547 break;
548 default:
549 break;
550 }
551 }
552 }
553 }
554
555 /**
556 * Implementation of ike_sa_t.send_dpd
557 */
558 static status_t send_dpd(private_ike_sa_t *this)
559 {
560 send_dpd_job_t *job;
561 time_t diff, delay;
562
563 delay = this->peer_cfg->get_dpd(this->peer_cfg);
564
565 if (delay == 0)
566 {
567 /* DPD disabled */
568 return SUCCESS;
569 }
570
571 if (this->task_manager->busy(this->task_manager))
572 {
573 /* an exchange is in the air, no need to start a DPD check */
574 diff = 0;
575 }
576 else
577 {
578 /* check if there was any inbound traffic */
579 time_t last_in, now;
580 last_in = get_use_time(this, TRUE);
581 now = time(NULL);
582 diff = now - last_in;
583 if (diff >= delay)
584 {
585 /* to long ago, initiate dead peer detection */
586 task_t *task;
587 ike_mobike_t *mobike;
588
589 if (supports_extension(this, EXT_MOBIKE) &&
590 has_condition(this, COND_NAT_HERE))
591 {
592 /* use mobike enabled DPD to detect NAT mapping changes */
593 mobike = ike_mobike_create(&this->public, TRUE);
594 mobike->dpd(mobike);
595 task = &mobike->task;
596 }
597 else
598 {
599 task = (task_t*)ike_dpd_create(TRUE);
600 }
601 diff = 0;
602 DBG1(DBG_IKE, "sending DPD request");
603
604 this->task_manager->queue_task(this->task_manager, task);
605 this->task_manager->initiate(this->task_manager);
606 }
607 }
608 /* recheck in "interval" seconds */
609 job = send_dpd_job_create(this->ike_sa_id);
610 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
611 (delay - diff) * 1000);
612 return SUCCESS;
613 }
614
615 /**
616 * Implementation of ike_sa_t.get_state.
617 */
618 static ike_sa_state_t get_state(private_ike_sa_t *this)
619 {
620 return this->state;
621 }
622
623 /**
624 * Implementation of ike_sa_t.set_state.
625 */
626 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
627 {
628 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
629 get_name(this), this->unique_id,
630 ike_sa_state_names, this->state,
631 ike_sa_state_names, state);
632
633 switch (state)
634 {
635 case IKE_ESTABLISHED:
636 {
637 if (this->state == IKE_CONNECTING)
638 {
639 job_t *job;
640 u_int32_t t;
641
642 /* calculate rekey, reauth and lifetime */
643 this->stats[STAT_ESTABLISHED] = time(NULL);
644
645 /* schedule rekeying if we have a time which is smaller than
646 * an already scheduled rekeying */
647 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
648 if (t && (this->stats[STAT_REKEY] == 0 ||
649 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
650 {
651 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
652 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
653 charon->scheduler->schedule_job(charon->scheduler,
654 job, t * 1000);
655 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
656 }
657 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
658 if (t && (this->stats[STAT_REAUTH] == 0 ||
659 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
660 {
661 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
662 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
663 charon->scheduler->schedule_job(charon->scheduler,
664 job, t * 1000);
665 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
666 }
667 t = this->peer_cfg->get_over_time(this->peer_cfg);
668 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
669 {
670 if (this->stats[STAT_REAUTH] == 0)
671 {
672 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
673 }
674 else if (this->stats[STAT_REKEY] == 0)
675 {
676 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
677 }
678 else
679 {
680 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
681 this->stats[STAT_REAUTH]);
682 }
683 this->stats[STAT_DELETE] += t;
684 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
685 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
686 charon->scheduler->schedule_job(charon->scheduler, job,
687 t * 1000);
688 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
689 }
690
691 /* start DPD checks */
692 send_dpd(this);
693 }
694 break;
695 }
696 case IKE_DELETING:
697 {
698 /* delete may fail if a packet gets lost, so set a timeout */
699 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
700 charon->scheduler->schedule_job(charon->scheduler, job,
701 HALF_OPEN_IKE_SA_TIMEOUT);
702 break;
703 }
704 default:
705 break;
706 }
707 charon->bus->ike_state_change(charon->bus, &this->public, state);
708 this->state = state;
709 }
710
711 /**
712 * Implementation of ike_sa_t.reset
713 */
714 static void reset(private_ike_sa_t *this)
715 {
716 /* the responder ID is reset, as peer may choose another one */
717 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
718 {
719 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
720 }
721
722 set_state(this, IKE_CREATED);
723
724 this->task_manager->reset(this->task_manager);
725 }
726
727 /**
728 * Implementation of ike_sa_t.get_keymat
729 */
730 static keymat_t* get_keymat(private_ike_sa_t *this)
731 {
732 return this->keymat;
733 }
734
735 /**
736 * Implementation of ike_sa_t.set_virtual_ip
737 */
738 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
739 {
740 if (local)
741 {
742 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
743 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
744 this->my_host) == SUCCESS)
745 {
746 if (this->my_virtual_ip)
747 {
748 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
749 charon->kernel_interface->del_ip(charon->kernel_interface,
750 this->my_virtual_ip);
751 }
752 DESTROY_IF(this->my_virtual_ip);
753 this->my_virtual_ip = ip->clone(ip);
754 }
755 else
756 {
757 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
758 this->my_virtual_ip = NULL;
759 }
760 }
761 else
762 {
763 DESTROY_IF(this->other_virtual_ip);
764 this->other_virtual_ip = ip->clone(ip);
765 }
766 }
767
768 /**
769 * Implementation of ike_sa_t.get_virtual_ip
770 */
771 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
772 {
773 if (local)
774 {
775 return this->my_virtual_ip;
776 }
777 else
778 {
779 return this->other_virtual_ip;
780 }
781 }
782
783 /**
784 * Implementation of ike_sa_t.add_additional_address.
785 */
786 static void add_additional_address(private_ike_sa_t *this, host_t *host)
787 {
788 this->additional_addresses->insert_last(this->additional_addresses, host);
789 }
790
791 /**
792 * Implementation of ike_sa_t.create_additional_address_iterator.
793 */
794 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
795 {
796 return this->additional_addresses->create_iterator(
797 this->additional_addresses, TRUE);
798 }
799
800 /**
801 * Implementation of ike_sa_t.has_mapping_changed
802 */
803 static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
804 {
805 if (this->nat_detection_dest.ptr == NULL)
806 {
807 this->nat_detection_dest = chunk_clone(hash);
808 return FALSE;
809 }
810 if (chunk_equals(hash, this->nat_detection_dest))
811 {
812 return FALSE;
813 }
814 free(this->nat_detection_dest.ptr);
815 this->nat_detection_dest = chunk_clone(hash);
816 return TRUE;
817 }
818
819 /**
820 * Implementation of ike_sa_t.set_pending_updates.
821 */
822 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
823 {
824 this->pending_updates = updates;
825 }
826
827 /**
828 * Implementation of ike_sa_t.get_pending_updates.
829 */
830 static u_int32_t get_pending_updates(private_ike_sa_t *this)
831 {
832 return this->pending_updates;
833 }
834
835 /**
836 * Update hosts, as addresses may change (NAT)
837 */
838 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
839 {
840 bool update = FALSE;
841
842 if (me == NULL)
843 {
844 me = this->my_host;
845 }
846 if (other == NULL)
847 {
848 other = this->other_host;
849 }
850
851 /* apply hosts on first received message */
852 if (this->my_host->is_anyaddr(this->my_host) ||
853 this->other_host->is_anyaddr(this->other_host))
854 {
855 set_my_host(this, me->clone(me));
856 set_other_host(this, other->clone(other));
857 update = TRUE;
858 }
859 else
860 {
861 /* update our address in any case */
862 if (!me->equals(me, this->my_host))
863 {
864 set_my_host(this, me->clone(me));
865 update = TRUE;
866 }
867
868 if (!other->equals(other, this->other_host))
869 {
870 /* update others adress if we are NOT NATed,
871 * and allow port changes if we are NATed */
872 if (!has_condition(this, COND_NAT_HERE) ||
873 other->ip_equals(other, this->other_host))
874 {
875 set_other_host(this, other->clone(other));
876 update = TRUE;
877 }
878 }
879 }
880
881 /* update all associated CHILD_SAs, if required */
882 if (update)
883 {
884 iterator_t *iterator;
885 child_sa_t *child_sa;
886
887 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
888 while (iterator->iterate(iterator, (void**)&child_sa))
889 {
890 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
891 this->my_virtual_ip, has_condition(this, COND_NAT_ANY));
892 }
893 iterator->destroy(iterator);
894 }
895 }
896
897 /**
898 * Implementation of ike_sa_t.generate
899 */
900 static status_t generate_message(private_ike_sa_t *this, message_t *message,
901 packet_t **packet)
902 {
903 this->stats[STAT_OUTBOUND] = time(NULL);
904 message->set_ike_sa_id(message, this->ike_sa_id);
905 return message->generate(message,
906 this->keymat->get_crypter(this->keymat, FALSE),
907 this->keymat->get_signer(this->keymat, FALSE), packet);
908 }
909
910 /**
911 * send a notify back to the sender
912 */
913 static void send_notify_response(private_ike_sa_t *this, message_t *request,
914 notify_type_t type)
915 {
916 message_t *response;
917 packet_t *packet;
918
919 response = message_create();
920 response->set_exchange_type(response, request->get_exchange_type(request));
921 response->set_request(response, FALSE);
922 response->set_message_id(response, request->get_message_id(request));
923 response->add_notify(response, FALSE, type, chunk_empty);
924 if (this->my_host->is_anyaddr(this->my_host))
925 {
926 this->my_host->destroy(this->my_host);
927 this->my_host = request->get_destination(request);
928 this->my_host = this->my_host->clone(this->my_host);
929 }
930 if (this->other_host->is_anyaddr(this->other_host))
931 {
932 this->other_host->destroy(this->other_host);
933 this->other_host = request->get_source(request);
934 this->other_host = this->other_host->clone(this->other_host);
935 }
936 response->set_source(response, this->my_host->clone(this->my_host));
937 response->set_destination(response, this->other_host->clone(this->other_host));
938 if (generate_message(this, response, &packet) == SUCCESS)
939 {
940 charon->sender->send(charon->sender, packet);
941 }
942 response->destroy(response);
943 }
944
945 #ifdef ME
946 /**
947 * Implementation of ike_sa_t.act_as_mediation_server.
948 */
949 static void act_as_mediation_server(private_ike_sa_t *this)
950 {
951 charon->mediation_manager->update_sa_id(charon->mediation_manager,
952 this->other_id, this->ike_sa_id);
953 this->is_mediation_server = TRUE;
954 }
955
956 /**
957 * Implementation of ike_sa_t.get_server_reflexive_host.
958 */
959 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
960 {
961 return this->server_reflexive_host;
962 }
963
964 /**
965 * Implementation of ike_sa_t.set_server_reflexive_host.
966 */
967 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
968 {
969 DESTROY_IF(this->server_reflexive_host);
970 this->server_reflexive_host = host;
971 }
972
973 /**
974 * Implementation of ike_sa_t.get_connect_id.
975 */
976 static chunk_t get_connect_id(private_ike_sa_t *this)
977 {
978 return this->connect_id;
979 }
980
981 /**
982 * Implementation of ike_sa_t.respond
983 */
984 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
985 chunk_t connect_id)
986 {
987 ike_me_t *task = ike_me_create(&this->public, TRUE);
988 task->respond(task, peer_id, connect_id);
989 this->task_manager->queue_task(this->task_manager, (task_t*)task);
990 return this->task_manager->initiate(this->task_manager);
991 }
992
993 /**
994 * Implementation of ike_sa_t.callback
995 */
996 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
997 {
998 ike_me_t *task = ike_me_create(&this->public, TRUE);
999 task->callback(task, peer_id);
1000 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1001 return this->task_manager->initiate(this->task_manager);
1002 }
1003
1004 /**
1005 * Implementation of ike_sa_t.relay
1006 */
1007 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1008 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1009 {
1010 ike_me_t *task = ike_me_create(&this->public, TRUE);
1011 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1012 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1013 return this->task_manager->initiate(this->task_manager);
1014 }
1015
1016 /**
1017 * Implementation of ike_sa_t.initiate_mediation
1018 */
1019 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1020 {
1021 ike_me_t *task = ike_me_create(&this->public, TRUE);
1022 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1023 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1024 return this->task_manager->initiate(this->task_manager);
1025 }
1026
1027 /**
1028 * Implementation of ike_sa_t.initiate_mediated
1029 */
1030 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1031 chunk_t connect_id)
1032 {
1033 set_my_host(this, me->clone(me));
1034 set_other_host(this, other->clone(other));
1035 chunk_free(&this->connect_id);
1036 this->connect_id = chunk_clone(connect_id);
1037
1038 return this->task_manager->initiate(this->task_manager);
1039 }
1040 #endif /* ME */
1041
1042 /**
1043 * Resolve DNS host in configuration
1044 */
1045 static void resolve_hosts(private_ike_sa_t *this)
1046 {
1047 host_t *host;
1048
1049 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1050 0, IKEV2_UDP_PORT);
1051 if (host)
1052 {
1053 set_other_host(this, host);
1054 }
1055
1056 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1057 this->my_host->get_family(this->my_host),
1058 IKEV2_UDP_PORT);
1059
1060 if (host && host->is_anyaddr(host) &&
1061 !this->other_host->is_anyaddr(this->other_host))
1062 {
1063 host->destroy(host);
1064 host = charon->kernel_interface->get_source_addr(
1065 charon->kernel_interface, this->other_host, NULL);
1066 if (host)
1067 {
1068 host->set_port(host, IKEV2_UDP_PORT);
1069 }
1070 }
1071 if (host)
1072 {
1073 set_my_host(this, host);
1074 }
1075 }
1076
1077 /**
1078 * Initiates a CHILD_SA using the appropriate reqid
1079 */
1080 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1081 {
1082 task_t *task;
1083
1084 if (this->state == IKE_CREATED)
1085 {
1086 resolve_hosts(this);
1087
1088 if (this->other_host->is_anyaddr(this->other_host)
1089 #ifdef ME
1090 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1091 #endif /* ME */
1092 )
1093 {
1094 child_cfg->destroy(child_cfg);
1095 DBG1(DBG_IKE, "unable to initiate to %%any");
1096 return DESTROY_ME;
1097 }
1098
1099 this->ike_initiator = TRUE;
1100
1101 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1102 this->task_manager->queue_task(this->task_manager, task);
1103 task = (task_t*)ike_natd_create(&this->public, TRUE);
1104 this->task_manager->queue_task(this->task_manager, task);
1105 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1106 this->task_manager->queue_task(this->task_manager, task);
1107 task = (task_t*)ike_auth_create(&this->public, TRUE);
1108 this->task_manager->queue_task(this->task_manager, task);
1109 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1110 this->task_manager->queue_task(this->task_manager, task);
1111 task = (task_t*)ike_config_create(&this->public, TRUE);
1112 this->task_manager->queue_task(this->task_manager, task);
1113 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1114 this->task_manager->queue_task(this->task_manager, task);
1115 if (this->peer_cfg->use_mobike(this->peer_cfg))
1116 {
1117 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1118 this->task_manager->queue_task(this->task_manager, task);
1119 }
1120 #ifdef ME
1121 task = (task_t*)ike_me_create(&this->public, TRUE);
1122 this->task_manager->queue_task(this->task_manager, task);
1123 #endif /* ME */
1124 }
1125
1126 #ifdef ME
1127 if (this->peer_cfg->is_mediation(this->peer_cfg))
1128 { /* mediation connection is already established, retrigger state change
1129 * to notify bus listeners */
1130 DBG1(DBG_IKE, "mediation connection is already up");
1131 set_state(this, IKE_ESTABLISHED);
1132 DESTROY_IF(child_cfg);
1133 }
1134 else
1135 #endif /* ME */
1136 {
1137 /* normal IKE_SA with CHILD_SA */
1138 task = (task_t*)child_create_create(&this->public, child_cfg);
1139 child_cfg->destroy(child_cfg);
1140 if (reqid)
1141 {
1142 child_create_t *child_create = (child_create_t*)task;
1143 child_create->use_reqid(child_create, reqid);
1144 }
1145 this->task_manager->queue_task(this->task_manager, task);
1146
1147 #ifdef ME
1148 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1149 {
1150 /* mediated connection, initiate mediation process */
1151 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1152 charon->processor->queue_job(charon->processor, job);
1153 return SUCCESS;
1154 }
1155 #endif /* ME */
1156 }
1157
1158 return this->task_manager->initiate(this->task_manager);
1159 }
1160
1161 /**
1162 * Implementation of ike_sa_t.initiate.
1163 */
1164 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1165 {
1166 return initiate_with_reqid(this, child_cfg, 0);
1167 }
1168
1169 /**
1170 * Implementation of ike_sa_t.acquire.
1171 */
1172 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1173 {
1174 child_cfg_t *child_cfg;
1175 iterator_t *iterator;
1176 child_sa_t *current, *child_sa = NULL;
1177
1178 if (this->state == IKE_DELETING)
1179 {
1180 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1181 "IKE_SA is deleting", reqid);
1182 return FAILED;
1183 }
1184
1185 /* find CHILD_SA */
1186 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1187 while (iterator->iterate(iterator, (void**)&current))
1188 {
1189 if (current->get_reqid(current) == reqid)
1190 {
1191 child_sa = current;
1192 break;
1193 }
1194 }
1195 iterator->destroy(iterator);
1196 if (!child_sa)
1197 {
1198 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1199 "CHILD_SA not found", reqid);
1200 return FAILED;
1201 }
1202
1203 child_cfg = child_sa->get_config(child_sa);
1204 child_cfg->get_ref(child_cfg);
1205
1206 return initiate_with_reqid(this, child_cfg, reqid);
1207 }
1208
1209 /**
1210 * Implementation of ike_sa_t.route.
1211 */
1212 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1213 {
1214 child_sa_t *child_sa;
1215 iterator_t *iterator;
1216 linked_list_t *my_ts, *other_ts;
1217 host_t *me, *other;
1218 status_t status;
1219
1220 /* check if not already routed*/
1221 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1222 while (iterator->iterate(iterator, (void**)&child_sa))
1223 {
1224 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1225 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1226 {
1227 iterator->destroy(iterator);
1228 DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
1229 return FAILED;
1230 }
1231 }
1232 iterator->destroy(iterator);
1233
1234 switch (this->state)
1235 {
1236 case IKE_DELETING:
1237 case IKE_REKEYING:
1238 DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
1239 ike_sa_state_names, this->state);
1240 return FAILED;
1241 case IKE_CREATED:
1242 case IKE_CONNECTING:
1243 case IKE_ESTABLISHED:
1244 default:
1245 break;
1246 }
1247
1248 resolve_hosts(this);
1249
1250 /* install kernel policies */
1251 child_sa = child_sa_create(this->my_host, this->other_host,
1252 child_cfg, 0, FALSE);
1253 me = this->my_host;
1254 if (this->my_virtual_ip)
1255 {
1256 me = this->my_virtual_ip;
1257 }
1258 other = this->other_host;
1259 if (this->other_virtual_ip)
1260 {
1261 other = this->other_virtual_ip;
1262 }
1263
1264 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1265 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1266 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1267 child_cfg->get_mode(child_cfg), PROTO_NONE);
1268 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1269 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1270 if (status == SUCCESS)
1271 {
1272 this->child_sas->insert_last(this->child_sas, child_sa);
1273 DBG1(DBG_IKE, "CHILD_SA routed");
1274 }
1275 else
1276 {
1277 DBG1(DBG_IKE, "routing CHILD_SA failed");
1278 }
1279 return status;
1280 }
1281
1282 /**
1283 * Implementation of ike_sa_t.unroute.
1284 */
1285 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1286 {
1287 iterator_t *iterator;
1288 child_sa_t *child_sa;
1289 bool found = FALSE;
1290
1291 /* find CHILD_SA in ROUTED state */
1292 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1293 while (iterator->iterate(iterator, (void**)&child_sa))
1294 {
1295 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1296 child_sa->get_reqid(child_sa) == reqid)
1297 {
1298 iterator->remove(iterator);
1299 DBG1(DBG_IKE, "CHILD_SA unrouted");
1300 child_sa->destroy(child_sa);
1301 found = TRUE;
1302 break;
1303 }
1304 }
1305 iterator->destroy(iterator);
1306
1307 if (!found)
1308 {
1309 DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
1310 return FAILED;
1311 }
1312 /* if we are not established, and we have no more routed childs, remove whole SA */
1313 if (this->state == IKE_CREATED &&
1314 this->child_sas->get_count(this->child_sas) == 0)
1315 {
1316 return DESTROY_ME;
1317 }
1318 return SUCCESS;
1319 }
1320 /**
1321 * Implementation of ike_sa_t.process_message.
1322 */
1323 static status_t process_message(private_ike_sa_t *this, message_t *message)
1324 {
1325 status_t status;
1326 bool is_request;
1327
1328 is_request = message->get_request(message);
1329
1330 status = message->parse_body(message,
1331 this->keymat->get_crypter(this->keymat, TRUE),
1332 this->keymat->get_signer(this->keymat, TRUE));
1333 if (status != SUCCESS)
1334 {
1335
1336 if (is_request)
1337 {
1338 switch (status)
1339 {
1340 case NOT_SUPPORTED:
1341 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1342 if (is_request)
1343 {
1344 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1345 }
1346 break;
1347 case PARSE_ERROR:
1348 DBG1(DBG_IKE, "message parsing failed");
1349 if (is_request)
1350 {
1351 send_notify_response(this, message, INVALID_SYNTAX);
1352 }
1353 break;
1354 case VERIFY_ERROR:
1355 DBG1(DBG_IKE, "message verification failed");
1356 if (is_request)
1357 {
1358 send_notify_response(this, message, INVALID_SYNTAX);
1359 }
1360 break;
1361 case FAILED:
1362 DBG1(DBG_IKE, "integrity check failed");
1363 /* ignored */
1364 break;
1365 case INVALID_STATE:
1366 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1367 if (is_request)
1368 {
1369 send_notify_response(this, message, INVALID_SYNTAX);
1370 }
1371 default:
1372 break;
1373 }
1374 }
1375 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1376 exchange_type_names, message->get_exchange_type(message),
1377 message->get_request(message) ? "request" : "response",
1378 message->get_message_id(message));
1379 return status;
1380 }
1381 else
1382 {
1383 host_t *me, *other;
1384 private_ike_sa_t *new;
1385 iterator_t *iterator;
1386 child_sa_t *child;
1387 bool has_routed = FALSE;
1388
1389 me = message->get_destination(message);
1390 other = message->get_source(message);
1391
1392 /* if this IKE_SA is virgin, we check for a config */
1393 if (this->ike_cfg == NULL)
1394 {
1395 job_t *job;
1396 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1397 me, other);
1398 if (this->ike_cfg == NULL)
1399 {
1400 /* no config found for these hosts, destroy */
1401 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1402 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1403 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1404 return DESTROY_ME;
1405 }
1406 /* add a timeout if peer does not establish it completely */
1407 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1408 charon->scheduler->schedule_job(charon->scheduler, job,
1409 HALF_OPEN_IKE_SA_TIMEOUT);
1410 }
1411 this->stats[STAT_INBOUND] = time(NULL);
1412 /* check if message is trustworthy, and update host information */
1413 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1414 message->get_exchange_type(message) != IKE_SA_INIT)
1415 {
1416 if (!supports_extension(this, EXT_MOBIKE))
1417 { /* with MOBIKE, we do no implicit updates */
1418 update_hosts(this, me, other);
1419 }
1420 }
1421 status = this->task_manager->process_message(this->task_manager, message);
1422 if (status != DESTROY_ME)
1423 {
1424 return status;
1425 }
1426 /* if IKE_SA gets closed for any reasons, reroute routed children */
1427 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1428 while (iterator->iterate(iterator, (void**)&child))
1429 {
1430 if (child->get_state(child) == CHILD_ROUTED)
1431 {
1432 has_routed = TRUE;
1433 break;
1434 }
1435 }
1436 iterator->destroy(iterator);
1437 if (!has_routed)
1438 {
1439 return status;
1440 }
1441 /* move routed children to a new IKE_SA, apply connection info */
1442 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1443 charon->ike_sa_manager, TRUE);
1444 set_peer_cfg(new, this->peer_cfg);
1445 new->other_host->destroy(new->other_host);
1446 new->other_host = this->other_host->clone(this->other_host);
1447 if (!has_condition(this, COND_NAT_THERE))
1448 {
1449 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1450 }
1451 if (this->my_virtual_ip)
1452 {
1453 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1454 }
1455 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1456 while (iterator->iterate(iterator, (void**)&child))
1457 {
1458 if (child->get_state(child) == CHILD_ROUTED)
1459 {
1460 route(new, child->get_config(child));
1461 }
1462 }
1463 iterator->destroy(iterator);
1464 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1465 return status;
1466 }
1467 }
1468
1469 /**
1470 * Implementation of ike_sa_t.get_id.
1471 */
1472 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1473 {
1474 return this->ike_sa_id;
1475 }
1476
1477 /**
1478 * Implementation of ike_sa_t.get_my_id.
1479 */
1480 static identification_t* get_my_id(private_ike_sa_t *this)
1481 {
1482 return this->my_id;
1483 }
1484
1485 /**
1486 * Implementation of ike_sa_t.set_my_id.
1487 */
1488 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1489 {
1490 DESTROY_IF(this->my_id);
1491 this->my_id = me;
1492 }
1493
1494 /**
1495 * Implementation of ike_sa_t.get_other_id.
1496 */
1497 static identification_t* get_other_id(private_ike_sa_t *this)
1498 {
1499 return this->other_id;
1500 }
1501
1502 /**
1503 * Implementation of ike_sa_t.set_other_id.
1504 */
1505 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1506 {
1507 DESTROY_IF(this->other_id);
1508 this->other_id = other;
1509 }
1510
1511 /**
1512 * Implementation of ike_sa_t.get_eap_identity.
1513 */
1514 static identification_t* get_eap_identity(private_ike_sa_t *this)
1515 {
1516 return this->eap_identity;
1517 }
1518
1519 /**
1520 * Implementation of ike_sa_t.set_eap_identity.
1521 */
1522 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1523 {
1524 DESTROY_IF(this->eap_identity);
1525 this->eap_identity = id;
1526 }
1527
1528 /**
1529 * Implementation of ike_sa_t.add_child_sa.
1530 */
1531 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1532 {
1533 this->child_sas->insert_last(this->child_sas, child_sa);
1534 }
1535
1536 /**
1537 * Implementation of ike_sa_t.get_child_sa.
1538 */
1539 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1540 u_int32_t spi, bool inbound)
1541 {
1542 iterator_t *iterator;
1543 child_sa_t *current, *found = NULL;
1544
1545 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1546 while (iterator->iterate(iterator, (void**)&current))
1547 {
1548 if (current->get_spi(current, inbound) == spi &&
1549 current->get_protocol(current) == protocol)
1550 {
1551 found = current;
1552 }
1553 }
1554 iterator->destroy(iterator);
1555 return found;
1556 }
1557
1558 /**
1559 * Implementation of ike_sa_t.create_child_sa_iterator.
1560 */
1561 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1562 {
1563 return this->child_sas->create_iterator(this->child_sas, TRUE);
1564 }
1565
1566 /**
1567 * Implementation of ike_sa_t.rekey_child_sa.
1568 */
1569 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1570 {
1571 child_sa_t *child_sa;
1572 child_rekey_t *child_rekey;
1573
1574 child_sa = get_child_sa(this, protocol, spi, TRUE);
1575 if (child_sa)
1576 {
1577 child_rekey = child_rekey_create(&this->public, child_sa);
1578 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1579 return this->task_manager->initiate(this->task_manager);
1580 }
1581 return FAILED;
1582 }
1583
1584 /**
1585 * Implementation of ike_sa_t.delete_child_sa.
1586 */
1587 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1588 {
1589 child_sa_t *child_sa;
1590 child_delete_t *child_delete;
1591
1592 child_sa = get_child_sa(this, protocol, spi, TRUE);
1593 if (child_sa)
1594 {
1595 child_delete = child_delete_create(&this->public, child_sa);
1596 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1597 return this->task_manager->initiate(this->task_manager);
1598 }
1599 return FAILED;
1600 }
1601
1602 /**
1603 * Implementation of ike_sa_t.destroy_child_sa.
1604 */
1605 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1606 u_int32_t spi)
1607 {
1608 iterator_t *iterator;
1609 child_sa_t *child_sa;
1610 status_t status = NOT_FOUND;
1611
1612 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1613 while (iterator->iterate(iterator, (void**)&child_sa))
1614 {
1615 if (child_sa->get_protocol(child_sa) == protocol &&
1616 child_sa->get_spi(child_sa, TRUE) == spi)
1617 {
1618 child_sa->destroy(child_sa);
1619 iterator->remove(iterator);
1620 status = SUCCESS;
1621 break;
1622 }
1623 }
1624 iterator->destroy(iterator);
1625 return status;
1626 }
1627
1628 /**
1629 * Implementation of public_ike_sa_t.delete.
1630 */
1631 static status_t delete_(private_ike_sa_t *this)
1632 {
1633 ike_delete_t *ike_delete;
1634
1635 switch (this->state)
1636 {
1637 case IKE_ESTABLISHED:
1638 case IKE_REKEYING:
1639 ike_delete = ike_delete_create(&this->public, TRUE);
1640 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1641 return this->task_manager->initiate(this->task_manager);
1642 case IKE_CREATED:
1643 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1644 break;
1645 default:
1646 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1647 "without notification", ike_sa_state_names, this->state);
1648 break;
1649 }
1650 return DESTROY_ME;
1651 }
1652
1653 /**
1654 * Implementation of ike_sa_t.rekey.
1655 */
1656 static status_t rekey(private_ike_sa_t *this)
1657 {
1658 ike_rekey_t *ike_rekey;
1659
1660 ike_rekey = ike_rekey_create(&this->public, TRUE);
1661
1662 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1663 return this->task_manager->initiate(this->task_manager);
1664 }
1665
1666 /**
1667 * Implementation of ike_sa_t.reauth
1668 */
1669 static status_t reauth(private_ike_sa_t *this)
1670 {
1671 task_t *task;
1672
1673 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1674 * If the peer does not support RFC4478, there is no way to keep the
1675 * IKE_SA up. */
1676 if (!this->ike_initiator)
1677 {
1678 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1679 if (this->other_virtual_ip != NULL ||
1680 has_condition(this, COND_EAP_AUTHENTICATED)
1681 #ifdef ME
1682 /* if we are mediation server we too cannot reauth the IKE_SA */
1683 || this->is_mediation_server
1684 #endif /* ME */
1685 )
1686 {
1687 time_t now = time(NULL);
1688
1689 DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
1690 &now, &this->stats[STAT_DELETE]);
1691 return FAILED;
1692 }
1693 else
1694 {
1695 DBG1(DBG_IKE, "reauthenticating actively");
1696 }
1697 }
1698 task = (task_t*)ike_reauth_create(&this->public);
1699 this->task_manager->queue_task(this->task_manager, task);
1700
1701 return this->task_manager->initiate(this->task_manager);
1702 }
1703
1704 /**
1705 * Implementation of ike_sa_t.reestablish
1706 */
1707 static status_t reestablish(private_ike_sa_t *this)
1708 {
1709 ike_sa_t *new;
1710 host_t *host;
1711 action_t action;
1712 iterator_t *iterator;
1713 child_sa_t *child_sa;
1714 child_cfg_t *child_cfg;
1715 bool required = FALSE;
1716 status_t status = FAILED;
1717
1718 /* check if we have children to keep up at all*/
1719 iterator = create_child_sa_iterator(this);
1720 while (iterator->iterate(iterator, (void**)&child_sa))
1721 {
1722 child_cfg = child_sa->get_config(child_sa);
1723 if (this->state == IKE_DELETING)
1724 {
1725 action = child_cfg->get_close_action(child_cfg);
1726 }
1727 else
1728 {
1729 action = child_cfg->get_dpd_action(child_cfg);
1730 }
1731 switch (action)
1732 {
1733 case ACTION_RESTART:
1734 case ACTION_ROUTE:
1735 required = TRUE;
1736 default:
1737 break;
1738 }
1739 }
1740 iterator->destroy(iterator);
1741 #ifdef ME
1742 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
1743 if (this->peer_cfg->is_mediation(this->peer_cfg))
1744 {
1745 required = TRUE;
1746 }
1747 #endif /* ME */
1748 if (!required)
1749 {
1750 return FAILED;
1751 }
1752
1753 /* check if we are able to reestablish this IKE_SA */
1754 if (!this->ike_initiator &&
1755 (this->other_virtual_ip != NULL ||
1756 has_condition(this, COND_EAP_AUTHENTICATED)
1757 #ifdef ME
1758 || this->is_mediation_server
1759 #endif /* ME */
1760 ))
1761 {
1762 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
1763 return FAILED;
1764 }
1765
1766 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1767 new->set_peer_cfg(new, this->peer_cfg);
1768 host = this->other_host;
1769 new->set_other_host(new, host->clone(host));
1770 host = this->my_host;
1771 new->set_my_host(new, host->clone(host));
1772 /* if we already have a virtual IP, we reuse it */
1773 host = this->my_virtual_ip;
1774 if (host)
1775 {
1776 new->set_virtual_ip(new, TRUE, host);
1777 }
1778
1779 #ifdef ME
1780 if (this->peer_cfg->is_mediation(this->peer_cfg))
1781 {
1782 status = new->initiate(new, NULL);
1783 }
1784 else
1785 #endif /* ME */
1786 {
1787 iterator = create_child_sa_iterator(this);
1788 while (iterator->iterate(iterator, (void**)&child_sa))
1789 {
1790 child_cfg = child_sa->get_config(child_sa);
1791 if (this->state == IKE_DELETING)
1792 {
1793 action = child_cfg->get_close_action(child_cfg);
1794 }
1795 else
1796 {
1797 action = child_cfg->get_dpd_action(child_cfg);
1798 }
1799 switch (action)
1800 {
1801 case ACTION_RESTART:
1802 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1803 child_cfg->get_name(child_cfg));
1804 child_cfg->get_ref(child_cfg);
1805 status = new->initiate(new, child_cfg);
1806 break;
1807 case ACTION_ROUTE:
1808 status = new->route(new, child_cfg);
1809 break;
1810 default:
1811 continue;
1812 }
1813 if (status == DESTROY_ME)
1814 {
1815 break;
1816 }
1817 }
1818 iterator->destroy(iterator);
1819 }
1820
1821 if (status == DESTROY_ME)
1822 {
1823 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1824 return FAILED;
1825 }
1826 else
1827 {
1828 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1829 return SUCCESS;
1830 }
1831 }
1832
1833 /**
1834 * Implementation of ike_sa_t.retransmit.
1835 */
1836 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1837 {
1838 this->stats[STAT_OUTBOUND] = time(NULL);
1839 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1840 {
1841 /* send a proper signal to brief interested bus listeners */
1842 switch (this->state)
1843 {
1844 case IKE_CONNECTING:
1845 {
1846 /* retry IKE_SA_INIT if we have multiple keyingtries */
1847 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1848 this->keyingtry++;
1849 if (tries == 0 || tries > this->keyingtry)
1850 {
1851 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1852 this->keyingtry + 1, tries);
1853 reset(this);
1854 return this->task_manager->initiate(this->task_manager);
1855 }
1856 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1857 break;
1858 }
1859 case IKE_DELETING:
1860 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1861 break;
1862 case IKE_REKEYING:
1863 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1864 /* FALL */
1865 default:
1866 reestablish(this);
1867 break;
1868 }
1869 return DESTROY_ME;
1870 }
1871 return SUCCESS;
1872 }
1873
1874 /**
1875 * Implementation of ike_sa_t.set_auth_lifetime.
1876 */
1877 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1878 {
1879 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1880 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
1881
1882 if (lifetime < reduction)
1883 {
1884 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1885 lifetime);
1886 charon->processor->queue_job(charon->processor,
1887 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1888 }
1889 else if (this->stats[STAT_REAUTH] == 0 ||
1890 this->stats[STAT_REAUTH] > reauth_time)
1891 {
1892 this->stats[STAT_REAUTH] = reauth_time;
1893 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1894 " in %ds", lifetime, lifetime - reduction);
1895 charon->scheduler->schedule_job(charon->scheduler,
1896 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1897 (lifetime - reduction) * 1000);
1898 }
1899 else
1900 {
1901 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
1902 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
1903 }
1904 }
1905
1906 /**
1907 * Implementation of ike_sa_t.roam.
1908 */
1909 static status_t roam(private_ike_sa_t *this, bool address)
1910 {
1911 host_t *src;
1912 ike_mobike_t *mobike;
1913
1914 switch (this->state)
1915 {
1916 case IKE_CREATED:
1917 case IKE_DELETING:
1918 return SUCCESS;
1919 default:
1920 break;
1921 }
1922 /* responder just updates the peer about changed address config */
1923 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
1924 {
1925 if (supports_extension(this, EXT_MOBIKE) && address)
1926 {
1927 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1928 mobike = ike_mobike_create(&this->public, TRUE);
1929 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1930 return this->task_manager->initiate(this->task_manager);
1931 }
1932 return SUCCESS;
1933 }
1934
1935 /* keep existing path if possible */
1936 src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
1937 this->other_host, this->my_host);
1938 if (src)
1939 {
1940 if (src->ip_equals(src, this->my_host))
1941 {
1942 DBG2(DBG_IKE, "keeping connection path %H - %H",
1943 src, this->other_host);
1944 src->destroy(src);
1945 return SUCCESS;
1946 }
1947 src->destroy(src);
1948 }
1949
1950 /* update addresses with mobike, if supported ... */
1951 if (supports_extension(this, EXT_MOBIKE))
1952 {
1953 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1954 mobike = ike_mobike_create(&this->public, TRUE);
1955 mobike->roam(mobike, address);
1956 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1957 return this->task_manager->initiate(this->task_manager);
1958 }
1959 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1960 /* ... reauth if not */
1961 return reauth(this);
1962 }
1963
1964 /**
1965 * Implementation of ike_sa_t.inherit.
1966 */
1967 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
1968 {
1969 child_sa_t *child_sa;
1970 host_t *ip;
1971
1972 /* apply hosts and ids */
1973 this->my_host->destroy(this->my_host);
1974 this->other_host->destroy(this->other_host);
1975 this->my_id->destroy(this->my_id);
1976 this->other_id->destroy(this->other_id);
1977 this->my_host = other->my_host->clone(other->my_host);
1978 this->other_host = other->other_host->clone(other->other_host);
1979 this->my_id = other->my_id->clone(other->my_id);
1980 this->other_id = other->other_id->clone(other->other_id);
1981 this->ike_initiator = other->ike_initiator;
1982
1983 /* apply virtual assigned IPs... */
1984 if (other->my_virtual_ip)
1985 {
1986 this->my_virtual_ip = other->my_virtual_ip;
1987 other->my_virtual_ip = NULL;
1988 }
1989 if (other->other_virtual_ip)
1990 {
1991 this->other_virtual_ip = other->other_virtual_ip;
1992 other->other_virtual_ip = NULL;
1993 }
1994
1995 /* ... and DNS servers */
1996 while (other->dns_servers->remove_last(other->dns_servers,
1997 (void**)&ip) == SUCCESS)
1998 {
1999 this->dns_servers->insert_first(this->dns_servers, ip);
2000 }
2001
2002 /* inherit NAT-T conditions */
2003 this->conditions = other->conditions;
2004 if (this->conditions & COND_NAT_HERE)
2005 {
2006 send_keepalive(this);
2007 }
2008
2009 #ifdef ME
2010 if (other->is_mediation_server)
2011 {
2012 act_as_mediation_server(this);
2013 }
2014 else if (other->server_reflexive_host)
2015 {
2016 this->server_reflexive_host = other->server_reflexive_host->clone(
2017 other->server_reflexive_host);
2018 }
2019 #endif /* ME */
2020
2021 /* adopt all children */
2022 while (other->child_sas->remove_last(other->child_sas,
2023 (void**)&child_sa) == SUCCESS)
2024 {
2025 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2026 }
2027
2028 /* move pending tasks to the new IKE_SA */
2029 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2030
2031 /* reauthentication timeout survives a rekeying */
2032 if (other->stats[STAT_REAUTH])
2033 {
2034 time_t reauth, delete, now = time(NULL);
2035
2036 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2037 reauth = this->stats[STAT_REAUTH] - now;
2038 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2039 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2040 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2041 "lifetime reduced to %ds", reauth, delete);
2042 charon->scheduler->schedule_job(charon->scheduler,
2043 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2044 reauth * 1000);
2045 charon->scheduler->schedule_job(charon->scheduler,
2046 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2047 delete * 1000);
2048 }
2049 /* we have to initate here, there may be new tasks to handle */
2050 return this->task_manager->initiate(this->task_manager);
2051 }
2052
2053 /**
2054 * Implementation of ike_sa_t.remove_dns_server
2055 */
2056 static void remove_dns_servers(private_ike_sa_t *this)
2057 {
2058 FILE *file;
2059 struct stat stats;
2060 chunk_t contents, line, orig_line, token;
2061 char string[INET6_ADDRSTRLEN];
2062 host_t *ip;
2063 iterator_t *iterator;
2064
2065 if (this->dns_servers->get_count(this->dns_servers) == 0)
2066 {
2067 /* don't touch anything if we have no nameservers installed */
2068 return;
2069 }
2070
2071 file = fopen(RESOLV_CONF, "r");
2072 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2073 {
2074 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2075 RESOLV_CONF, strerror(errno));
2076 return;
2077 }
2078
2079 contents = chunk_alloca((size_t)stats.st_size);
2080
2081 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2082 {
2083 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2084 fclose(file);
2085 return;
2086 }
2087
2088 fclose(file);
2089 file = fopen(RESOLV_CONF, "w");
2090 if (file == NULL)
2091 {
2092 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2093 RESOLV_CONF, strerror(errno));
2094 return;
2095 }
2096
2097 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2098 while (fetchline(&contents, &line))
2099 {
2100 bool found = FALSE;
2101 orig_line = line;
2102 if (extract_token(&token, ' ', &line) &&
2103 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2104 {
2105 if (!extract_token(&token, ' ', &line))
2106 {
2107 token = line;
2108 }
2109 iterator->reset(iterator);
2110 while (iterator->iterate(iterator, (void**)&ip))
2111 {
2112 snprintf(string, sizeof(string), "%H", ip);
2113 if (strlen(string) == token.len &&
2114 strncmp(token.ptr, string, token.len) == 0)
2115 {
2116 iterator->remove(iterator);
2117 ip->destroy(ip);
2118 found = TRUE;
2119 break;
2120 }
2121 }
2122 }
2123
2124 if (!found)
2125 {
2126 /* write line untouched back to file */
2127 fwrite(orig_line.ptr, orig_line.len, 1, file);
2128 fprintf(file, "\n");
2129 }
2130 }
2131 iterator->destroy(iterator);
2132 fclose(file);
2133 }
2134
2135 /**
2136 * Implementation of ike_sa_t.add_dns_server
2137 */
2138 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2139 {
2140 FILE *file;
2141 struct stat stats;
2142 chunk_t contents;
2143
2144 DBG1(DBG_IKE, "installing DNS server %H", dns);
2145
2146 file = fopen(RESOLV_CONF, "a+");
2147 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2148 {
2149 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2150 RESOLV_CONF, strerror(errno));
2151 return;
2152 }
2153
2154 contents = chunk_alloca(stats.st_size);
2155
2156 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2157 {
2158 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2159 fclose(file);
2160 return;
2161 }
2162
2163 fclose(file);
2164 file = fopen(RESOLV_CONF, "w");
2165 if (file == NULL)
2166 {
2167 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2168 RESOLV_CONF, strerror(errno));
2169 return;
2170 }
2171
2172 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2173 dns, this->other_id) < 0)
2174 {
2175 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2176 }
2177 else
2178 {
2179 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2180 }
2181 fwrite(contents.ptr, contents.len, 1, file);
2182
2183 fclose(file);
2184 }
2185
2186 /**
2187 * Implementation of ike_sa_t.destroy.
2188 */
2189 static void destroy(private_ike_sa_t *this)
2190 {
2191 set_state(this, IKE_DESTROYING);
2192
2193 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2194
2195 /* unset SA after here to avoid usage by the listeners */
2196 charon->bus->set_sa(charon->bus, NULL);
2197
2198 this->task_manager->destroy(this->task_manager);
2199 this->keymat->destroy(this->keymat);
2200
2201 if (this->my_virtual_ip)
2202 {
2203 charon->kernel_interface->del_ip(charon->kernel_interface,
2204 this->my_virtual_ip);
2205 this->my_virtual_ip->destroy(this->my_virtual_ip);
2206 }
2207 if (this->other_virtual_ip)
2208 {
2209 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2210 {
2211 charon->attributes->release_address(charon->attributes,
2212 this->peer_cfg->get_pool(this->peer_cfg),
2213 this->other_virtual_ip);
2214 }
2215 this->other_virtual_ip->destroy(this->other_virtual_ip);
2216 }
2217
2218 remove_dns_servers(this);
2219 this->dns_servers->destroy_offset(this->dns_servers,
2220 offsetof(host_t, destroy));
2221 this->additional_addresses->destroy_offset(this->additional_addresses,
2222 offsetof(host_t, destroy));
2223 #ifdef ME
2224 if (this->is_mediation_server)
2225 {
2226 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2227 }
2228 DESTROY_IF(this->server_reflexive_host);
2229 chunk_free(&this->connect_id);
2230 #endif /* ME */
2231 free(this->nat_detection_dest.ptr);
2232
2233 DESTROY_IF(this->my_host);
2234 DESTROY_IF(this->other_host);
2235 DESTROY_IF(this->my_id);
2236 DESTROY_IF(this->other_id);
2237 DESTROY_IF(this->eap_identity);
2238
2239 DESTROY_IF(this->ike_cfg);
2240 DESTROY_IF(this->peer_cfg);
2241 DESTROY_IF(this->my_auth);
2242 DESTROY_IF(this->other_auth);
2243 DESTROY_IF(this->proposal);
2244
2245 this->ike_sa_id->destroy(this->ike_sa_id);
2246 free(this);
2247 }
2248
2249 /*
2250 * Described in header.
2251 */
2252 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2253 {
2254 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2255 static u_int32_t unique_id = 0;
2256
2257 /* Public functions */
2258 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2259 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2260 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2261 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2262 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2263 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2264 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2265 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2266 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2267 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2268 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2269 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2270 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2271 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2272 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2273 this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
2274 this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
2275 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2276 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2277 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2278 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2279 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2280 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2281 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2282 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2283 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2284 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2285 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2286 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2287 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2288 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2289 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2290 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2291 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2292 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2293 this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
2294 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2295 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2296 this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
2297 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2298 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2299 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2300 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2301 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2302 this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
2303 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2304 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2305 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2306 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2307 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2308 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2309 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2310 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2311 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2312 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2313 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2314 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2315 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2316 this->public.reset = (void (*)(ike_sa_t*))reset;
2317 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2318 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2319 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2320 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2321 #ifdef ME
2322 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2323 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2324 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2325 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2326 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2327 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2328 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2329 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2330 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2331 #endif /* ME */
2332
2333 /* initialize private fields */
2334 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2335 this->child_sas = linked_list_create();
2336 this->my_host = host_create_from_string("%any", IKEV2_UDP_PORT);
2337 this->other_host = host_create_from_string("%any", IKEV2_UDP_PORT);
2338 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2339 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2340 this->eap_identity = NULL;
2341 this->extensions = 0;
2342 this->conditions = 0;
2343 this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
2344 this->state = IKE_CREATED;
2345 this->keepalive_interval = lib->settings->get_time(lib->settings,
2346 "charon.keep_alive", KEEPALIVE_INTERVAL);
2347 memset(this->stats, 0, sizeof(this->stats));
2348 this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
2349 this->ike_cfg = NULL;
2350 this->peer_cfg = NULL;
2351 this->my_auth = auth_info_create();
2352 this->other_auth = auth_info_create();
2353 this->proposal = NULL;
2354 this->task_manager = task_manager_create(&this->public);
2355 this->unique_id = ++unique_id;
2356 this->my_virtual_ip = NULL;
2357 this->other_virtual_ip = NULL;
2358 this->dns_servers = linked_list_create();
2359 this->additional_addresses = linked_list_create();
2360 this->nat_detection_dest = chunk_empty;
2361 this->pending_updates = 0;
2362 this->keyingtry = 0;
2363 this->ike_initiator = FALSE;
2364 #ifdef ME
2365 this->is_mediation_server = FALSE;
2366 this->server_reflexive_host = NULL;
2367 this->connect_id = chunk_empty;
2368 #endif /* ME */
2369
2370 return &this->public;
2371 }