moved AUTH_LIFETIME handling in its own task (cleaner separation, proper payload...
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Tobias Brunner
10 * Copyright (C) 2006 Daniel Roethlisberger
11 * Copyright (C) 2005-2006 Martin Willi
12 * Copyright (C) 2005 Jan Hutter
13 * Hochschule fuer Technik Rapperswil
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU General Public License as published by the
17 * Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
19 *
20 * This program is distributed in the hope that it will be useful, but
21 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
22 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 * for more details.
24 */
25
26 #include <sys/time.h>
27 #include <string.h>
28 #include <printf.h>
29 #include <sys/stat.h>
30 #include <errno.h>
31
32 #include "ike_sa.h"
33
34 #include <library.h>
35 #include <daemon.h>
36 #include <utils/linked_list.h>
37 #include <utils/lexparser.h>
38 #include <crypto/diffie_hellman.h>
39 #include <crypto/prf_plus.h>
40 #include <crypto/crypters/crypter.h>
41 #include <crypto/hashers/hasher.h>
42 #include <encoding/payloads/sa_payload.h>
43 #include <encoding/payloads/nonce_payload.h>
44 #include <encoding/payloads/ke_payload.h>
45 #include <encoding/payloads/delete_payload.h>
46 #include <encoding/payloads/transform_substructure.h>
47 #include <encoding/payloads/transform_attribute.h>
48 #include <encoding/payloads/ts_payload.h>
49 #include <sa/task_manager.h>
50 #include <sa/tasks/ike_init.h>
51 #include <sa/tasks/ike_natd.h>
52 #include <sa/tasks/ike_mobike.h>
53 #include <sa/tasks/ike_auth.h>
54 #include <sa/tasks/ike_auth_lifetime.h>
55 #include <sa/tasks/ike_config.h>
56 #include <sa/tasks/ike_cert.h>
57 #include <sa/tasks/ike_rekey.h>
58 #include <sa/tasks/ike_reauth.h>
59 #include <sa/tasks/ike_delete.h>
60 #include <sa/tasks/ike_dpd.h>
61 #include <sa/tasks/child_create.h>
62 #include <sa/tasks/child_delete.h>
63 #include <sa/tasks/child_rekey.h>
64 #include <processing/jobs/retransmit_job.h>
65 #include <processing/jobs/delete_ike_sa_job.h>
66 #include <processing/jobs/send_dpd_job.h>
67 #include <processing/jobs/send_keepalive_job.h>
68 #include <processing/jobs/rekey_ike_sa_job.h>
69
70 #ifdef P2P
71 #include <sa/tasks/ike_p2p.h>
72 #endif
73
74 #ifndef RESOLV_CONF
75 #define RESOLV_CONF "/etc/resolv.conf"
76 #endif
77
78 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
79 "CREATED",
80 "CONNECTING",
81 "ESTABLISHED",
82 "REKEYING",
83 "DELETING",
84 );
85
86 typedef struct private_ike_sa_t private_ike_sa_t;
87
88 /**
89 * Private data of an ike_sa_t object.
90 */
91 struct private_ike_sa_t {
92
93 /**
94 * Public members
95 */
96 ike_sa_t public;
97
98 /**
99 * Identifier for the current IKE_SA.
100 */
101 ike_sa_id_t *ike_sa_id;
102
103 /**
104 * unique numerical ID for this IKE_SA.
105 */
106 u_int32_t unique_id;
107
108 /**
109 * Current state of the IKE_SA
110 */
111 ike_sa_state_t state;
112
113 /**
114 * IKE configuration used to set up this IKE_SA
115 */
116 ike_cfg_t *ike_cfg;
117
118 /**
119 * Peer and authentication information to establish IKE_SA.
120 */
121 peer_cfg_t *peer_cfg;
122
123 /**
124 * Juggles tasks to process messages
125 */
126 task_manager_t *task_manager;
127
128 /**
129 * Address of local host
130 */
131 host_t *my_host;
132
133 /**
134 * Address of remote host
135 */
136 host_t *other_host;
137
138 #ifdef P2P
139 /**
140 * Server reflexive host
141 */
142 host_t *server_reflexive_host;
143 #endif /* P2P */
144
145 /**
146 * Identification used for us
147 */
148 identification_t *my_id;
149
150 /**
151 * Identification used for other
152 */
153 identification_t *other_id;
154
155 /**
156 * CA that issued the certificate of other
157 */
158 ca_info_t *other_ca;
159
160 /**
161 * set of extensions the peer supports
162 */
163 ike_extension_t extensions;
164
165 /**
166 * set of condition flags currently enabled for this IKE_SA
167 */
168 ike_condition_t conditions;
169
170 /**
171 * Linked List containing the child sa's of the current IKE_SA.
172 */
173 linked_list_t *child_sas;
174
175 /**
176 * crypter for inbound traffic
177 */
178 crypter_t *crypter_in;
179
180 /**
181 * crypter for outbound traffic
182 */
183 crypter_t *crypter_out;
184
185 /**
186 * Signer for inbound traffic
187 */
188 signer_t *signer_in;
189
190 /**
191 * Signer for outbound traffic
192 */
193 signer_t *signer_out;
194
195 /**
196 * Multi purpose prf, set key, use it, forget it
197 */
198 prf_t *prf;
199
200 /**
201 * Prf function for derivating keymat child SAs
202 */
203 prf_t *child_prf;
204
205 /**
206 * Key to build outging authentication data (SKp)
207 */
208 chunk_t skp_build;
209
210 /**
211 * Key to verify incoming authentication data (SKp)
212 */
213 chunk_t skp_verify;
214
215 /**
216 * Virtual IP on local host, if any
217 */
218 host_t *my_virtual_ip;
219
220 /**
221 * Virtual IP on remote host, if any
222 */
223 host_t *other_virtual_ip;
224
225 /**
226 * List of DNS servers installed by us
227 */
228 linked_list_t *dns_servers;
229
230 /**
231 * list of peers additional addresses, transmitted via MOBIKE
232 */
233 linked_list_t *additional_addresses;
234
235 /**
236 * number pending UPDATE_SA_ADDRESS (MOBIKE)
237 */
238 u_int32_t pending_updates;
239
240 /**
241 * Timestamps for this IKE_SA
242 */
243 struct {
244 /** last IKE message received */
245 u_int32_t inbound;
246 /** last IKE message sent */
247 u_int32_t outbound;
248 /** when IKE_SA became established */
249 u_int32_t established;
250 /** when IKE_SA gets rekeyed */
251 u_int32_t rekey;
252 /** when IKE_SA gets reauthenticated */
253 u_int32_t reauth;
254 /** when IKE_SA gets deleted */
255 u_int32_t delete;
256 } time;
257
258 /**
259 * how many times we have retried so far (keyingtries)
260 */
261 u_int32_t keyingtry;
262
263 /**
264 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
265 */
266 bool ike_initiator;
267 };
268
269 /**
270 * get the time of the latest traffic processed by the kernel
271 */
272 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
273 {
274 iterator_t *iterator;
275 child_sa_t *child_sa;
276 time_t latest = 0, use_time;
277
278 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
279 while (iterator->iterate(iterator, (void**)&child_sa))
280 {
281 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
282 {
283 latest = max(latest, use_time);
284 }
285 }
286 iterator->destroy(iterator);
287
288 if (inbound)
289 {
290 return max(this->time.inbound, latest);
291 }
292 else
293 {
294 return max(this->time.outbound, latest);
295 }
296 }
297
298 /**
299 * Implementation of ike_sa_t.get_unique_id
300 */
301 static u_int32_t get_unique_id(private_ike_sa_t *this)
302 {
303 return this->unique_id;
304 }
305
306 /**
307 * Implementation of ike_sa_t.get_name.
308 */
309 static char *get_name(private_ike_sa_t *this)
310 {
311 if (this->peer_cfg)
312 {
313 return this->peer_cfg->get_name(this->peer_cfg);
314 }
315 return "(unnamed)";
316 }
317
318 /**
319 * Implementation of ike_sa_t.get_statistic.
320 */
321 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
322 {
323 time_t now = time(NULL);
324
325 switch (kind)
326 {
327 case STAT_REKEY_TIME:
328 if (this->time.rekey > now)
329 {
330 return this->time.rekey - now;
331 }
332 break;
333 case STAT_REAUTH_TIME:
334 if (this->time.reauth > now)
335 {
336 return this->time.reauth - now;
337 }
338 break;
339 default:
340 break;
341 }
342 return 0;
343 }
344
345 /**
346 * Implementation of ike_sa_t.get_my_host.
347 */
348 static host_t *get_my_host(private_ike_sa_t *this)
349 {
350 return this->my_host;
351 }
352
353 /**
354 * Implementation of ike_sa_t.set_my_host.
355 */
356 static void set_my_host(private_ike_sa_t *this, host_t *me)
357 {
358 DESTROY_IF(this->my_host);
359 this->my_host = me;
360 }
361
362 /**
363 * Implementation of ike_sa_t.get_other_host.
364 */
365 static host_t *get_other_host(private_ike_sa_t *this)
366 {
367 return this->other_host;
368 }
369
370 /**
371 * Implementation of ike_sa_t.set_other_host.
372 */
373 static void set_other_host(private_ike_sa_t *this, host_t *other)
374 {
375 DESTROY_IF(this->other_host);
376 this->other_host = other;
377 }
378
379 /**
380 * Implementation of ike_sa_t.get_peer_cfg
381 */
382 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
383 {
384 return this->peer_cfg;
385 }
386
387 /**
388 * Implementation of ike_sa_t.set_peer_cfg
389 */
390 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
391 {
392 peer_cfg->get_ref(peer_cfg);
393 this->peer_cfg = peer_cfg;
394
395 if (this->ike_cfg == NULL)
396 {
397 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
398 this->ike_cfg->get_ref(this->ike_cfg);
399 }
400
401 /* apply values, so we are ready to initate/acquire */
402 if (this->my_host->is_anyaddr(this->my_host))
403 {
404 host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
405 set_my_host(this, me->clone(me));
406 }
407 if (this->other_host->is_anyaddr(this->other_host))
408 {
409 host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
410 set_other_host(this, other->clone(other));
411 }
412 /* apply IDs if they are not already set */
413 if (this->my_id->contains_wildcards(this->my_id))
414 {
415 DESTROY_IF(this->my_id);
416 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
417 this->my_id = this->my_id->clone(this->my_id);
418 }
419 if (this->other_id->contains_wildcards(this->other_id))
420 {
421 DESTROY_IF(this->other_id);
422 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
423 this->other_id = this->other_id->clone(this->other_id);
424 }
425 }
426
427 /**
428 * Implementation of ike_sa_t.send_keepalive
429 */
430 static void send_keepalive(private_ike_sa_t *this)
431 {
432 send_keepalive_job_t *job;
433 time_t last_out, now, diff;
434
435 if (!(this->conditions & COND_NAT_HERE))
436 { /* disable keep alives if we are not NATed anymore */
437 return;
438 }
439
440 last_out = get_use_time(this, FALSE);
441 now = time(NULL);
442
443 diff = now - last_out;
444
445 if (diff >= KEEPALIVE_INTERVAL)
446 {
447 packet_t *packet;
448 chunk_t data;
449
450 packet = packet_create();
451 packet->set_source(packet, this->my_host->clone(this->my_host));
452 packet->set_destination(packet, this->other_host->clone(this->other_host));
453 data.ptr = malloc(1);
454 data.ptr[0] = 0xFF;
455 data.len = 1;
456 packet->set_data(packet, data);
457 DBG1(DBG_IKE, "sending keep alive");
458 charon->sender->send(charon->sender, packet);
459 diff = 0;
460 }
461 job = send_keepalive_job_create(this->ike_sa_id);
462 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
463 (KEEPALIVE_INTERVAL - diff) * 1000);
464 }
465
466 /**
467 * Implementation of ike_sa_t.get_ike_cfg
468 */
469 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
470 {
471 return this->ike_cfg;
472 }
473
474 /**
475 * Implementation of ike_sa_t.set_ike_cfg
476 */
477 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
478 {
479 ike_cfg->get_ref(ike_cfg);
480 this->ike_cfg = ike_cfg;
481 }
482 /**
483 * Implementation of ike_sa_t.enable_extension.
484 */
485 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
486 {
487 this->extensions |= extension;
488 }
489
490 /**
491 * Implementation of ike_sa_t.has_extension.
492 */
493 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
494 {
495 return (this->extensions & extension) != FALSE;
496 }
497
498 /**
499 * Implementation of ike_sa_t.has_condition.
500 */
501 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
502 {
503 return (this->conditions & condition) != FALSE;
504 }
505
506 /**
507 * Implementation of ike_sa_t.enable_condition.
508 */
509 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
510 bool enable)
511 {
512 if (has_condition(this, condition) != enable)
513 {
514 if (enable)
515 {
516 this->conditions |= condition;
517 switch (condition)
518 {
519 case COND_NAT_HERE:
520 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
521 this->conditions |= COND_NAT_ANY;
522 send_keepalive(this);
523 break;
524 case COND_NAT_THERE:
525 DBG1(DBG_IKE, "remote host is behind NAT");
526 this->conditions |= COND_NAT_ANY;
527 break;
528 case COND_NAT_FAKE:
529 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
530 this->conditions |= COND_NAT_ANY;
531 break;
532 default:
533 break;
534 }
535 }
536 else
537 {
538 this->conditions &= ~condition;
539 switch (condition)
540 {
541 case COND_NAT_HERE:
542 case COND_NAT_FAKE:
543 case COND_NAT_THERE:
544 set_condition(this, COND_NAT_ANY,
545 has_condition(this, COND_NAT_HERE) ||
546 has_condition(this, COND_NAT_THERE) ||
547 has_condition(this, COND_NAT_FAKE));
548 break;
549 default:
550 break;
551 }
552 }
553 }
554 }
555
556 /**
557 * Implementation of ike_sa_t.send_dpd
558 */
559 static status_t send_dpd(private_ike_sa_t *this)
560 {
561 send_dpd_job_t *job;
562 time_t diff, delay;
563
564 delay = this->peer_cfg->get_dpd_delay(this->peer_cfg);
565
566 if (delay == 0)
567 {
568 /* DPD disabled */
569 return SUCCESS;
570 }
571
572 if (this->task_manager->busy(this->task_manager))
573 {
574 /* an exchange is in the air, no need to start a DPD check */
575 diff = 0;
576 }
577 else
578 {
579 /* check if there was any inbound traffic */
580 time_t last_in, now;
581 last_in = get_use_time(this, TRUE);
582 now = time(NULL);
583 diff = now - last_in;
584 if (diff >= delay)
585 {
586 /* to long ago, initiate dead peer detection */
587 task_t *task;
588
589 task = (task_t*)ike_dpd_create(TRUE);
590 diff = 0;
591 DBG1(DBG_IKE, "sending DPD request");
592
593 this->task_manager->queue_task(this->task_manager, task);
594 this->task_manager->initiate(this->task_manager);
595 }
596 }
597 /* recheck in "interval" seconds */
598 job = send_dpd_job_create(this->ike_sa_id);
599 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
600 (delay - diff) * 1000);
601 return SUCCESS;
602 }
603
604 /**
605 * Implementation of ike_sa_t.get_state.
606 */
607 static ike_sa_state_t get_state(private_ike_sa_t *this)
608 {
609 return this->state;
610 }
611
612 /**
613 * Implementation of ike_sa_t.set_state.
614 */
615 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
616 {
617 DBG1(DBG_IKE, "IKE_SA '%s' state change: %N => %N",
618 get_name(this),
619 ike_sa_state_names, this->state,
620 ike_sa_state_names, state);
621
622 switch (state)
623 {
624 case IKE_ESTABLISHED:
625 {
626 if (this->state == IKE_CONNECTING)
627 {
628 job_t *job;
629 u_int32_t t;
630
631 /* calculate rekey, reauth and lifetime */
632 this->time.established = time(NULL);
633
634 /* schedule rekeying if we have a time which is smaller than
635 * an already scheduled rekeying */
636 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
637 if (t && (this->time.rekey == 0 ||
638 (this->time.rekey > t + this->time.established)))
639 {
640 this->time.rekey = t + this->time.established;
641 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
642 charon->scheduler->schedule_job(charon->scheduler,
643 job, t * 1000);
644 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
645 }
646 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
647 if (t && (this->time.reauth == 0 ||
648 (this->time.reauth > t + this->time.established)))
649 {
650 this->time.reauth = t + this->time.established;
651 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
652 charon->scheduler->schedule_job(charon->scheduler,
653 job, t * 1000);
654 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
655 }
656 t = this->peer_cfg->get_over_time(this->peer_cfg);
657 if (this->time.rekey || this->time.reauth)
658 {
659 if (this->time.reauth == 0)
660 {
661 this->time.delete = this->time.rekey;
662 }
663 else if (this->time.rekey == 0)
664 {
665 this->time.delete = this->time.reauth;
666 }
667 else
668 {
669 this->time.delete = min(this->time.rekey, this->time.reauth);
670 }
671 this->time.delete += t;
672 t = this->time.delete - this->time.established;
673 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
674 charon->scheduler->schedule_job(charon->scheduler, job,
675 t * 1000);
676 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
677 }
678
679 /* start DPD checks */
680 send_dpd(this);
681 }
682 break;
683 }
684 case IKE_DELETING:
685 {
686 /* delete may fail if a packet gets lost, so set a timeout */
687 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
688 charon->scheduler->schedule_job(charon->scheduler, job,
689 HALF_OPEN_IKE_SA_TIMEOUT);
690 break;
691 }
692 default:
693 break;
694 }
695
696 this->state = state;
697 }
698
699 /**
700 * Implementation of ike_sa_t.reset
701 */
702 static void reset(private_ike_sa_t *this)
703 {
704 /* the responder ID is reset, as peer may choose another one */
705 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
706 {
707 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
708 }
709
710 set_state(this, IKE_CREATED);
711
712 this->task_manager->reset(this->task_manager);
713 }
714
715 /**
716 * Implementation of ike_sa_t.set_virtual_ip
717 */
718 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
719 {
720 if (local)
721 {
722 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
723 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
724 this->my_host) == SUCCESS)
725 {
726 if (this->my_virtual_ip)
727 {
728 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
729 charon->kernel_interface->del_ip(charon->kernel_interface,
730 this->my_virtual_ip);
731 }
732 DESTROY_IF(this->my_virtual_ip);
733 this->my_virtual_ip = ip->clone(ip);
734 }
735 else
736 {
737 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
738 this->my_virtual_ip = NULL;
739 }
740 }
741 else
742 {
743 DESTROY_IF(this->other_virtual_ip);
744 this->other_virtual_ip = ip->clone(ip);
745 }
746 }
747
748 /**
749 * Implementation of ike_sa_t.get_virtual_ip
750 */
751 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
752 {
753 if (local)
754 {
755 return this->my_virtual_ip;
756 }
757 else
758 {
759 return this->other_virtual_ip;
760 }
761 }
762
763 /**
764 * Implementation of ike_sa_t.add_additional_address.
765 */
766 static void add_additional_address(private_ike_sa_t *this, host_t *host)
767 {
768 this->additional_addresses->insert_last(this->additional_addresses, host);
769 }
770
771 /**
772 * Implementation of ike_sa_t.create_additional_address_iterator.
773 */
774 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
775 {
776 return this->additional_addresses->create_iterator(
777 this->additional_addresses, TRUE);
778 }
779
780 /**
781 * Implementation of ike_sa_t.set_pending_updates.
782 */
783 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
784 {
785 this->pending_updates = updates;
786 }
787
788 /**
789 * Implementation of ike_sa_t.get_pending_updates.
790 */
791 static u_int32_t get_pending_updates(private_ike_sa_t *this)
792 {
793 return this->pending_updates;
794 }
795
796 /**
797 * Update hosts, as addresses may change (NAT)
798 */
799 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
800 {
801 bool update = FALSE;
802
803 if (supports_extension(this, EXT_MOBIKE))
804 { /* if peer speaks mobike, address updates are explicit only */
805 return;
806 }
807
808 if (me == NULL)
809 {
810 me = this->my_host;
811 }
812 if (other == NULL)
813 {
814 other = this->other_host;
815 }
816
817 /* apply hosts on first received message */
818 if (this->my_host->is_anyaddr(this->my_host) ||
819 this->other_host->is_anyaddr(this->other_host))
820 {
821 set_my_host(this, me->clone(me));
822 set_other_host(this, other->clone(other));
823 update = TRUE;
824 }
825 else
826 {
827 /* update our address in any case */
828 if (!me->equals(me, this->my_host))
829 {
830 set_my_host(this, me->clone(me));
831 update = TRUE;
832 }
833
834 if (!other->equals(other, this->other_host))
835 {
836 /* update others adress if we are NOT NATed,
837 * and allow port changes if we are NATed */
838 if (!has_condition(this, COND_NAT_HERE) ||
839 other->ip_equals(other, this->other_host))
840 {
841 set_other_host(this, other->clone(other));
842 update = TRUE;
843 }
844 }
845 }
846
847 /* update all associated CHILD_SAs, if required */
848 if (update)
849 {
850 iterator_t *iterator;
851 child_sa_t *child_sa;
852
853 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
854 while (iterator->iterate(iterator, (void**)&child_sa))
855 {
856 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
857 has_condition(this, COND_NAT_ANY));
858 }
859 iterator->destroy(iterator);
860 }
861 }
862
863 /**
864 * Implementation of ike_sa_t.generate
865 */
866 static status_t generate_message(private_ike_sa_t *this, message_t *message,
867 packet_t **packet)
868 {
869 this->time.outbound = time(NULL);
870 message->set_ike_sa_id(message, this->ike_sa_id);
871 return message->generate(message, this->crypter_out, this->signer_out, packet);
872 }
873
874 /**
875 * send a notify back to the sender
876 */
877 static void send_notify_response(private_ike_sa_t *this, message_t *request,
878 notify_type_t type)
879 {
880 message_t *response;
881 packet_t *packet;
882
883 response = message_create();
884 response->set_exchange_type(response, request->get_exchange_type(request));
885 response->set_request(response, FALSE);
886 response->set_message_id(response, request->get_message_id(request));
887 response->add_notify(response, FALSE, type, chunk_empty);
888 if (this->my_host->is_anyaddr(this->my_host))
889 {
890 this->my_host->destroy(this->my_host);
891 this->my_host = request->get_destination(request);
892 this->my_host = this->my_host->clone(this->my_host);
893 }
894 if (this->other_host->is_anyaddr(this->other_host))
895 {
896 this->other_host->destroy(this->other_host);
897 this->other_host = request->get_source(request);
898 this->other_host = this->other_host->clone(this->other_host);
899 }
900 response->set_source(response, this->my_host->clone(this->my_host));
901 response->set_destination(response, this->other_host->clone(this->other_host));
902 if (generate_message(this, response, &packet) == SUCCESS)
903 {
904 charon->sender->send(charon->sender, packet);
905 }
906 response->destroy(response);
907 }
908
909 #ifdef P2P
910 /**
911 * Implementation of ike_sa_t.get_server_reflexive_host.
912 */
913 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
914 {
915 return this->server_reflexive_host;
916 }
917
918 /**
919 * Implementation of ike_sa_t.set_server_reflexive_host.
920 */
921 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
922 {
923 DESTROY_IF(this->server_reflexive_host);
924 this->server_reflexive_host = host;
925 }
926
927 /**
928 * Implementation of ike_sa_t.respond
929 */
930 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
931 chunk_t session_id)
932 {
933 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
934 task->respond(task, peer_id, session_id);
935 this->task_manager->queue_task(this->task_manager, (task_t*)task);
936 return this->task_manager->initiate(this->task_manager);
937 }
938
939 /**
940 * Implementation of ike_sa_t.callback
941 */
942 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
943 {
944 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
945 task->callback(task, peer_id);
946 this->task_manager->queue_task(this->task_manager, (task_t*)task);
947 return this->task_manager->initiate(this->task_manager);
948 }
949
950 /**
951 * Implementation of ike_sa_t.relay
952 */
953 static status_t relay(private_ike_sa_t *this, identification_t *requester,
954 chunk_t session_id, chunk_t session_key, linked_list_t *endpoints, bool response)
955 {
956 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
957 task->relay(task, requester, session_id, session_key, endpoints, response);
958 this->task_manager->queue_task(this->task_manager, (task_t*)task);
959 return this->task_manager->initiate(this->task_manager);
960 }
961
962 /**
963 * Implementation of ike_sa_t.initiate_mediation
964 */
965 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
966 {
967 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
968 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
969 this->task_manager->queue_task(this->task_manager, (task_t*)task);
970 return this->task_manager->initiate(this->task_manager);
971 }
972
973 /**
974 * Implementation of ike_sa_t.initiate_mediated
975 */
976 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
977 linked_list_t *childs)
978 {
979 this->my_host = me->clone(me);
980 this->other_host = other->clone(other);
981
982 task_t *task;
983 child_cfg_t *child_cfg;
984 iterator_t *iterator = childs->create_iterator(childs, TRUE);
985 while (iterator->iterate(iterator, (void**)&child_cfg))
986 {
987 task = (task_t*)child_create_create(&this->public, child_cfg);
988 this->task_manager->queue_task(this->task_manager, task);
989 }
990 iterator->destroy(iterator);
991 return this->task_manager->initiate(this->task_manager);
992 }
993 #endif /* P2P */
994
995 /**
996 * Implementation of ike_sa_t.initiate.
997 */
998 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
999 {
1000 task_t *task;
1001
1002 if (this->state == IKE_CREATED)
1003 {
1004 if (this->other_host->is_anyaddr(this->other_host)
1005 #ifdef P2P
1006 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1007 #endif /* P2P */
1008 )
1009 {
1010 child_cfg->destroy(child_cfg);
1011 SIG(IKE_UP_START, "initiating IKE_SA");
1012 SIG(IKE_UP_FAILED, "unable to initiate to %%any");
1013 return DESTROY_ME;
1014 }
1015
1016 this->ike_initiator = TRUE;
1017
1018 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1019 this->task_manager->queue_task(this->task_manager, task);
1020 task = (task_t*)ike_natd_create(&this->public, TRUE);
1021 this->task_manager->queue_task(this->task_manager, task);
1022 task = (task_t*)ike_cert_create(&this->public, TRUE);
1023 this->task_manager->queue_task(this->task_manager, task);
1024 task = (task_t*)ike_auth_create(&this->public, TRUE);
1025 this->task_manager->queue_task(this->task_manager, task);
1026 task = (task_t*)ike_config_create(&this->public, TRUE);
1027 this->task_manager->queue_task(this->task_manager, task);
1028 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1029 this->task_manager->queue_task(this->task_manager, task);
1030 if (this->peer_cfg->use_mobike(this->peer_cfg))
1031 {
1032 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1033 this->task_manager->queue_task(this->task_manager, task);
1034 }
1035 #ifdef P2P
1036 task = (task_t*)ike_p2p_create(&this->public, TRUE);
1037 this->task_manager->queue_task(this->task_manager, task);
1038 #endif /* P2P */
1039 }
1040
1041 #ifdef P2P
1042 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1043 {
1044 // mediated connection, initiate mediation process
1045 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id, child_cfg);
1046 child_cfg->destroy(child_cfg);
1047 charon->processor->queue_job(charon->processor, job);
1048 return SUCCESS;
1049 }
1050 else if (this->peer_cfg->is_mediation(this->peer_cfg))
1051 {
1052 if (this->state == IKE_ESTABLISHED)
1053 {// FIXME: we should try to find a better solution to this
1054 SIG(CHILD_UP_SUCCESS, "mediation connection is already up and running");
1055 }
1056 }
1057 else
1058 #endif /* P2P */
1059 {
1060 // normal IKE_SA with CHILD_SA
1061 task = (task_t*)child_create_create(&this->public, child_cfg);
1062 child_cfg->destroy(child_cfg);
1063 this->task_manager->queue_task(this->task_manager, task);
1064 }
1065
1066 return this->task_manager->initiate(this->task_manager);
1067 }
1068
1069 /**
1070 * Implementation of ike_sa_t.acquire.
1071 */
1072 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1073 {// FIXME: P2P-NAT-T
1074 child_cfg_t *child_cfg;
1075 iterator_t *iterator;
1076 child_sa_t *current, *child_sa = NULL;
1077 task_t *task;
1078 child_create_t *child_create;
1079
1080 if (this->state == IKE_DELETING)
1081 {
1082 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1083 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1084 "IKE_SA is deleting", reqid);
1085 return FAILED;
1086 }
1087
1088 /* find CHILD_SA */
1089 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1090 while (iterator->iterate(iterator, (void**)&current))
1091 {
1092 if (current->get_reqid(current) == reqid)
1093 {
1094 child_sa = current;
1095 break;
1096 }
1097 }
1098 iterator->destroy(iterator);
1099 if (!child_sa)
1100 {
1101 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1102 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1103 "CHILD_SA not found", reqid);
1104 return FAILED;
1105 }
1106
1107
1108 if (this->state == IKE_CREATED)
1109 {
1110 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1111 this->task_manager->queue_task(this->task_manager, task);
1112 task = (task_t*)ike_natd_create(&this->public, TRUE);
1113 this->task_manager->queue_task(this->task_manager, task);
1114 task = (task_t*)ike_cert_create(&this->public, TRUE);
1115 this->task_manager->queue_task(this->task_manager, task);
1116 task = (task_t*)ike_auth_create(&this->public, TRUE);
1117 this->task_manager->queue_task(this->task_manager, task);
1118 task = (task_t*)ike_config_create(&this->public, TRUE);
1119 this->task_manager->queue_task(this->task_manager, task);
1120 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1121 this->task_manager->queue_task(this->task_manager, task);
1122 if (this->peer_cfg->use_mobike(this->peer_cfg))
1123 {
1124 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1125 this->task_manager->queue_task(this->task_manager, task);
1126 }
1127 }
1128
1129 child_cfg = child_sa->get_config(child_sa);
1130 child_create = child_create_create(&this->public, child_cfg);
1131 child_create->use_reqid(child_create, reqid);
1132 this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
1133
1134 return this->task_manager->initiate(this->task_manager);
1135 }
1136
1137 /**
1138 * Implementation of ike_sa_t.route.
1139 */
1140 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1141 {
1142 child_sa_t *child_sa;
1143 iterator_t *iterator;
1144 linked_list_t *my_ts, *other_ts;
1145 host_t *me, *other;
1146 status_t status;
1147
1148 SIG(CHILD_ROUTE_START, "routing CHILD_SA");
1149
1150 /* check if not already routed*/
1151 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1152 while (iterator->iterate(iterator, (void**)&child_sa))
1153 {
1154 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1155 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1156 {
1157 iterator->destroy(iterator);
1158 SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
1159 return FAILED;
1160 }
1161 }
1162 iterator->destroy(iterator);
1163
1164 switch (this->state)
1165 {
1166 case IKE_DELETING:
1167 case IKE_REKEYING:
1168 SIG(CHILD_ROUTE_FAILED,
1169 "unable to route CHILD_SA, as its IKE_SA gets deleted");
1170 return FAILED;
1171 case IKE_CREATED:
1172 case IKE_CONNECTING:
1173 case IKE_ESTABLISHED:
1174 default:
1175 break;
1176 }
1177
1178 /* install kernel policies */
1179 child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
1180 this->other_id, child_cfg, FALSE, 0);
1181 me = this->my_host;
1182 if (this->my_virtual_ip)
1183 {
1184 me = this->my_virtual_ip;
1185 }
1186 other = this->other_host;
1187 if (this->other_virtual_ip)
1188 {
1189 other = this->other_virtual_ip;
1190 }
1191
1192 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1193 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1194 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1195 child_cfg->get_mode(child_cfg));
1196 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1197 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1198 if (status == SUCCESS)
1199 {
1200 this->child_sas->insert_last(this->child_sas, child_sa);
1201 SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
1202 }
1203 else
1204 {
1205 SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
1206 }
1207 return status;
1208 }
1209
1210 /**
1211 * Implementation of ike_sa_t.unroute.
1212 */
1213 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1214 {
1215 iterator_t *iterator;
1216 child_sa_t *child_sa;
1217 bool found = FALSE;
1218
1219 SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
1220
1221 /* find CHILD_SA in ROUTED state */
1222 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1223 while (iterator->iterate(iterator, (void**)&child_sa))
1224 {
1225 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1226 child_sa->get_reqid(child_sa) == reqid)
1227 {
1228 iterator->remove(iterator);
1229 SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
1230 child_sa->destroy(child_sa);
1231 found = TRUE;
1232 break;
1233 }
1234 }
1235 iterator->destroy(iterator);
1236
1237 if (!found)
1238 {
1239 SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
1240 return FAILED;
1241 }
1242 /* if we are not established, and we have no more routed childs, remove whole SA */
1243 if (this->state == IKE_CREATED &&
1244 this->child_sas->get_count(this->child_sas) == 0)
1245 {
1246 return DESTROY_ME;
1247 }
1248 return SUCCESS;
1249 }
1250 /**
1251 * Implementation of ike_sa_t.process_message.
1252 */
1253 static status_t process_message(private_ike_sa_t *this, message_t *message)
1254 {
1255 status_t status;
1256 bool is_request;
1257
1258 is_request = message->get_request(message);
1259
1260 status = message->parse_body(message, this->crypter_in, this->signer_in);
1261 if (status != SUCCESS)
1262 {
1263
1264 if (is_request)
1265 {
1266 switch (status)
1267 {
1268 case NOT_SUPPORTED:
1269 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1270 if (is_request)
1271 {
1272 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1273 }
1274 break;
1275 case PARSE_ERROR:
1276 DBG1(DBG_IKE, "message parsing failed");
1277 if (is_request)
1278 {
1279 send_notify_response(this, message, INVALID_SYNTAX);
1280 }
1281 break;
1282 case VERIFY_ERROR:
1283 DBG1(DBG_IKE, "message verification failed");
1284 if (is_request)
1285 {
1286 send_notify_response(this, message, INVALID_SYNTAX);
1287 }
1288 break;
1289 case FAILED:
1290 DBG1(DBG_IKE, "integrity check failed");
1291 /* ignored */
1292 break;
1293 case INVALID_STATE:
1294 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1295 if (is_request)
1296 {
1297 send_notify_response(this, message, INVALID_SYNTAX);
1298 }
1299 default:
1300 break;
1301 }
1302 }
1303 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1304 exchange_type_names, message->get_exchange_type(message),
1305 message->get_request(message) ? "request" : "response",
1306 message->get_message_id(message));
1307 return status;
1308 }
1309 else
1310 {
1311 host_t *me, *other;
1312 private_ike_sa_t *new;
1313 iterator_t *iterator;
1314 child_sa_t *child;
1315 bool has_routed = FALSE;
1316
1317 me = message->get_destination(message);
1318 other = message->get_source(message);
1319
1320 /* if this IKE_SA is virgin, we check for a config */
1321 if (this->ike_cfg == NULL)
1322 {
1323 job_t *job;
1324 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1325 me, other);
1326 if (this->ike_cfg == NULL)
1327 {
1328 /* no config found for these hosts, destroy */
1329 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1330 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1331 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1332 return DESTROY_ME;
1333 }
1334 /* add a timeout if peer does not establish it completely */
1335 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1336 charon->scheduler->schedule_job(charon->scheduler, job,
1337 HALF_OPEN_IKE_SA_TIMEOUT);
1338 }
1339
1340 /* check if message is trustworthy, and update host information */
1341 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1342 message->get_exchange_type(message) != IKE_SA_INIT)
1343 {
1344 update_hosts(this, me, other);
1345 this->time.inbound = time(NULL);
1346 }
1347 status = this->task_manager->process_message(this->task_manager, message);
1348 if (status != DESTROY_ME)
1349 {
1350 return status;
1351 }
1352 /* if IKE_SA gets closed for any reasons, reroute routed children */
1353 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1354 while (iterator->iterate(iterator, (void**)&child))
1355 {
1356 if (child->get_state(child) == CHILD_ROUTED)
1357 {
1358 has_routed = TRUE;
1359 break;
1360 }
1361 }
1362 iterator->destroy(iterator);
1363 if (!has_routed)
1364 {
1365 return status;
1366 }
1367 /* move routed children to a new IKE_SA, apply connection info */
1368 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1369 charon->ike_sa_manager, TRUE);
1370 set_peer_cfg(new, this->peer_cfg);
1371 new->other_host->destroy(new->other_host);
1372 new->other_host = this->other_host->clone(this->other_host);
1373 if (!has_condition(this, COND_NAT_THERE))
1374 {
1375 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1376 }
1377 if (this->my_virtual_ip)
1378 {
1379 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1380 }
1381 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1382 while (iterator->iterate(iterator, (void**)&child))
1383 {
1384 if (child->get_state(child) == CHILD_ROUTED)
1385 {
1386 route(new, child->get_config(child));
1387 }
1388 }
1389 iterator->destroy(iterator);
1390 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1391 return status;
1392 }
1393 }
1394
1395 /**
1396 * Implementation of ike_sa_t.retransmit.
1397 */
1398 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1399 {// FIXME: P2P-NAT-T
1400 this->time.outbound = time(NULL);
1401 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1402 {
1403 child_cfg_t *child_cfg;
1404 child_sa_t* child_sa;
1405 linked_list_t *to_route, *to_restart;
1406 iterator_t *iterator;
1407
1408 /* send a proper signal to brief interested bus listeners */
1409 switch (this->state)
1410 {
1411 case IKE_CONNECTING:
1412 {
1413 /* retry IKE_SA_INIT if we have multiple keyingtries */
1414 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1415 this->keyingtry++;
1416 if (tries == 0 || tries > this->keyingtry)
1417 {
1418 SIG(IKE_UP_FAILED, "peer not responding, trying again "
1419 "(%d/%d) in background ", this->keyingtry + 1, tries);
1420 reset(this);
1421 return this->task_manager->initiate(this->task_manager);
1422 }
1423 SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
1424 break;
1425 }
1426 case IKE_REKEYING:
1427 SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
1428 break;
1429 case IKE_DELETING:
1430 SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
1431 break;
1432 default:
1433 break;
1434 }
1435
1436 /* summarize how we have to handle each child */
1437 to_route = linked_list_create();
1438 to_restart = linked_list_create();
1439 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1440 while (iterator->iterate(iterator, (void**)&child_sa))
1441 {
1442 child_cfg = child_sa->get_config(child_sa);
1443
1444 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
1445 {
1446 /* reroute routed CHILD_SAs */
1447 to_route->insert_last(to_route, child_cfg);
1448 }
1449 else
1450 {
1451 /* use DPD action for established CHILD_SAs */
1452 switch (this->peer_cfg->get_dpd_action(this->peer_cfg))
1453 {
1454 case DPD_ROUTE:
1455 to_route->insert_last(to_route, child_cfg);
1456 break;
1457 case DPD_RESTART:
1458 to_restart->insert_last(to_restart, child_cfg);
1459 break;
1460 default:
1461 break;
1462 }
1463 }
1464 }
1465 iterator->destroy(iterator);
1466
1467 /* create a new IKE_SA if we have to route or to restart */
1468 if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
1469 {
1470 private_ike_sa_t *new;
1471 task_t *task;
1472
1473 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1474 charon->ike_sa_manager, TRUE);
1475
1476 set_peer_cfg(new, this->peer_cfg);
1477 /* use actual used host, not the wildcarded one in config */
1478 new->other_host->destroy(new->other_host);
1479 new->other_host = this->other_host->clone(this->other_host);
1480 /* reset port to 500, but only if peer is not NATed */
1481 if (!has_condition(this, COND_NAT_THERE))
1482 {
1483 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1484 }
1485 /* take over virtual ip, as we need it for a proper route */
1486 if (this->my_virtual_ip)
1487 {
1488 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1489 }
1490
1491 /* install routes */
1492 while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
1493 {
1494 route(new, child_cfg);
1495 }
1496
1497 /* restart children */
1498 if (to_restart->get_count(to_restart))
1499 {
1500 task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
1501 new->task_manager->queue_task(new->task_manager, task);
1502 task = (task_t*)ike_natd_create(&new->public, TRUE);
1503 new->task_manager->queue_task(new->task_manager, task);
1504 task = (task_t*)ike_cert_create(&new->public, TRUE);
1505 new->task_manager->queue_task(new->task_manager, task);
1506 task = (task_t*)ike_config_create(&new->public, TRUE);
1507 new->task_manager->queue_task(new->task_manager, task);
1508 task = (task_t*)ike_auth_create(&new->public, TRUE);
1509 new->task_manager->queue_task(new->task_manager, task);
1510
1511 while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS)
1512 {
1513 task = (task_t*)child_create_create(&new->public, child_cfg);
1514 new->task_manager->queue_task(new->task_manager, task);
1515 }
1516 task = (task_t*)ike_auth_lifetime_create(&new->public, TRUE);
1517 new->task_manager->queue_task(new->task_manager, task);
1518 if (this->peer_cfg->use_mobike(this->peer_cfg))
1519 {
1520 task = (task_t*)ike_mobike_create(&new->public, TRUE);
1521 new->task_manager->queue_task(new->task_manager, task);
1522 }
1523 new->task_manager->initiate(new->task_manager);
1524 }
1525 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1526 }
1527 to_route->destroy(to_route);
1528 to_restart->destroy(to_restart);
1529 return DESTROY_ME;
1530 }
1531 return SUCCESS;
1532 }
1533
1534 /**
1535 * Implementation of ike_sa_t.get_prf.
1536 */
1537 static prf_t *get_prf(private_ike_sa_t *this)
1538 {
1539 return this->prf;
1540 }
1541
1542 /**
1543 * Implementation of ike_sa_t.get_prf.
1544 */
1545 static prf_t *get_child_prf(private_ike_sa_t *this)
1546 {
1547 return this->child_prf;
1548 }
1549
1550 /**
1551 * Implementation of ike_sa_t.get_skp_bild
1552 */
1553 static chunk_t get_skp_build(private_ike_sa_t *this)
1554 {
1555 return this->skp_build;
1556 }
1557
1558 /**
1559 * Implementation of ike_sa_t.get_skp_verify
1560 */
1561 static chunk_t get_skp_verify(private_ike_sa_t *this)
1562 {
1563 return this->skp_verify;
1564 }
1565
1566 /**
1567 * Implementation of ike_sa_t.get_id.
1568 */
1569 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1570 {
1571 return this->ike_sa_id;
1572 }
1573
1574 /**
1575 * Implementation of ike_sa_t.get_my_id.
1576 */
1577 static identification_t* get_my_id(private_ike_sa_t *this)
1578 {
1579 return this->my_id;
1580 }
1581
1582 /**
1583 * Implementation of ike_sa_t.set_my_id.
1584 */
1585 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1586 {
1587 DESTROY_IF(this->my_id);
1588 this->my_id = me;
1589 }
1590
1591 /**
1592 * Implementation of ike_sa_t.get_other_id.
1593 */
1594 static identification_t* get_other_id(private_ike_sa_t *this)
1595 {
1596 return this->other_id;
1597 }
1598
1599 /**
1600 * Implementation of ike_sa_t.set_other_id.
1601 */
1602 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1603 {
1604 DESTROY_IF(this->other_id);
1605 this->other_id = other;
1606 }
1607
1608 /**
1609 * Implementation of ike_sa_t.get_other_ca.
1610 */
1611 static ca_info_t* get_other_ca(private_ike_sa_t *this)
1612 {
1613 return this->other_ca;
1614 }
1615
1616 /**
1617 * Implementation of ike_sa_t.set_other_ca.
1618 */
1619 static void set_other_ca(private_ike_sa_t *this, ca_info_t *other_ca)
1620 {
1621 this->other_ca = other_ca;
1622 }
1623
1624 /**
1625 * Implementation of ike_sa_t.derive_keys.
1626 */
1627 static status_t derive_keys(private_ike_sa_t *this,
1628 proposal_t *proposal, chunk_t secret,
1629 chunk_t nonce_i, chunk_t nonce_r,
1630 bool initiator, prf_t *child_prf, prf_t *old_prf)
1631 {
1632 prf_plus_t *prf_plus;
1633 chunk_t skeyseed, key, nonces, prf_plus_seed;
1634 algorithm_t *algo;
1635 size_t key_size;
1636 crypter_t *crypter_i, *crypter_r;
1637 signer_t *signer_i, *signer_r;
1638 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1639 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1640 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1641
1642 /* Create SAs general purpose PRF first, we may use it here */
1643 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
1644 {
1645 DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
1646 return FAILED;
1647 }
1648 this->prf = prf_create(algo->algorithm);
1649 if (this->prf == NULL)
1650 {
1651 DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
1652 "%N not supported!", pseudo_random_function_names, algo->algorithm);
1653 return FAILED;
1654 }
1655
1656 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1657 nonces = chunk_cat("cc", nonce_i, nonce_r);
1658 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1659 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1660 prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
1661
1662 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1663 *
1664 * if we are rekeying, SKEYSEED is built on another way
1665 */
1666 if (child_prf == NULL) /* not rekeying */
1667 {
1668 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1669 this->prf->set_key(this->prf, nonces);
1670 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1671 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1672 this->prf->set_key(this->prf, skeyseed);
1673 chunk_free(&skeyseed);
1674 chunk_free(&secret);
1675 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1676 }
1677 else
1678 {
1679 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1680 * use OLD SAs PRF functions for both prf_plus and prf */
1681 secret = chunk_cat("mc", secret, nonces);
1682 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1683 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1684 old_prf->set_key(old_prf, skeyseed);
1685 chunk_free(&skeyseed);
1686 chunk_free(&secret);
1687 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1688 }
1689 chunk_free(&nonces);
1690 chunk_free(&prf_plus_seed);
1691
1692 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1693
1694 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1695 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
1696 this->child_prf = prf_create(algo->algorithm);
1697 key_size = this->child_prf->get_key_size(this->child_prf);
1698 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1699 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1700 this->child_prf->set_key(this->child_prf, key);
1701 chunk_free(&key);
1702
1703 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1704 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
1705 {
1706 DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
1707 return FAILED;
1708 }
1709 signer_i = signer_create(algo->algorithm);
1710 signer_r = signer_create(algo->algorithm);
1711 if (signer_i == NULL || signer_r == NULL)
1712 {
1713 DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
1714 "%N not supported!", integrity_algorithm_names ,algo->algorithm);
1715 return FAILED;
1716 }
1717 key_size = signer_i->get_key_size(signer_i);
1718
1719 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1720 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1721 signer_i->set_key(signer_i, key);
1722 chunk_free(&key);
1723
1724 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1725 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1726 signer_r->set_key(signer_r, key);
1727 chunk_free(&key);
1728
1729 if (initiator)
1730 {
1731 this->signer_in = signer_r;
1732 this->signer_out = signer_i;
1733 }
1734 else
1735 {
1736 this->signer_in = signer_i;
1737 this->signer_out = signer_r;
1738 }
1739
1740 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1741 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
1742 {
1743 DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
1744 return FAILED;
1745 }
1746 crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
1747 crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
1748 if (crypter_i == NULL || crypter_r == NULL)
1749 {
1750 DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
1751 "%N (key size %d) not supported!",
1752 encryption_algorithm_names, algo->algorithm, algo->key_size);
1753 return FAILED;
1754 }
1755 key_size = crypter_i->get_key_size(crypter_i);
1756
1757 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1758 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1759 crypter_i->set_key(crypter_i, key);
1760 chunk_free(&key);
1761
1762 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1763 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1764 crypter_r->set_key(crypter_r, key);
1765 chunk_free(&key);
1766
1767 if (initiator)
1768 {
1769 this->crypter_in = crypter_r;
1770 this->crypter_out = crypter_i;
1771 }
1772 else
1773 {
1774 this->crypter_in = crypter_i;
1775 this->crypter_out = crypter_r;
1776 }
1777
1778 /* SK_pi/SK_pr used for authentication => stored for later */
1779 key_size = this->prf->get_key_size(this->prf);
1780 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1781 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1782 if (initiator)
1783 {
1784 this->skp_build = key;
1785 }
1786 else
1787 {
1788 this->skp_verify = key;
1789 }
1790 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1791 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1792 if (initiator)
1793 {
1794 this->skp_verify = key;
1795 }
1796 else
1797 {
1798 this->skp_build = key;
1799 }
1800
1801 /* all done, prf_plus not needed anymore */
1802 prf_plus->destroy(prf_plus);
1803
1804 return SUCCESS;
1805 }
1806
1807 /**
1808 * Implementation of ike_sa_t.add_child_sa.
1809 */
1810 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1811 {
1812 this->child_sas->insert_last(this->child_sas, child_sa);
1813 }
1814
1815 /**
1816 * Implementation of ike_sa_t.get_child_sa.
1817 */
1818 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1819 u_int32_t spi, bool inbound)
1820 {
1821 iterator_t *iterator;
1822 child_sa_t *current, *found = NULL;
1823
1824 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1825 while (iterator->iterate(iterator, (void**)&current))
1826 {
1827 if (current->get_spi(current, inbound) == spi &&
1828 current->get_protocol(current) == protocol)
1829 {
1830 found = current;
1831 }
1832 }
1833 iterator->destroy(iterator);
1834 return found;
1835 }
1836
1837 /**
1838 * Implementation of ike_sa_t.create_child_sa_iterator.
1839 */
1840 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1841 {
1842 return this->child_sas->create_iterator(this->child_sas, TRUE);
1843 }
1844
1845 /**
1846 * Implementation of ike_sa_t.rekey_child_sa.
1847 */
1848 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1849 {
1850 child_sa_t *child_sa;
1851 child_rekey_t *child_rekey;
1852
1853 child_sa = get_child_sa(this, protocol, spi, TRUE);
1854 if (child_sa)
1855 {
1856 child_rekey = child_rekey_create(&this->public, child_sa);
1857 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1858 return this->task_manager->initiate(this->task_manager);
1859 }
1860 return FAILED;
1861 }
1862
1863 /**
1864 * Implementation of ike_sa_t.delete_child_sa.
1865 */
1866 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1867 {
1868 child_sa_t *child_sa;
1869 child_delete_t *child_delete;
1870
1871 child_sa = get_child_sa(this, protocol, spi, TRUE);
1872 if (child_sa)
1873 {
1874 child_delete = child_delete_create(&this->public, child_sa);
1875 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1876 return this->task_manager->initiate(this->task_manager);
1877 }
1878 return FAILED;
1879 }
1880
1881 /**
1882 * Implementation of ike_sa_t.destroy_child_sa.
1883 */
1884 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1885 u_int32_t spi)
1886 {
1887 iterator_t *iterator;
1888 child_sa_t *child_sa;
1889 status_t status = NOT_FOUND;
1890
1891 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1892 while (iterator->iterate(iterator, (void**)&child_sa))
1893 {
1894 if (child_sa->get_protocol(child_sa) == protocol &&
1895 child_sa->get_spi(child_sa, TRUE) == spi)
1896 {
1897 child_sa->destroy(child_sa);
1898 iterator->remove(iterator);
1899 status = SUCCESS;
1900 break;
1901 }
1902 }
1903 iterator->destroy(iterator);
1904 return status;
1905 }
1906
1907 /**
1908 * Implementation of public_ike_sa_t.delete.
1909 */
1910 static status_t delete_(private_ike_sa_t *this)
1911 {
1912 ike_delete_t *ike_delete;
1913
1914 switch (this->state)
1915 {
1916 case IKE_ESTABLISHED:
1917 case IKE_REKEYING:
1918 ike_delete = ike_delete_create(&this->public, TRUE);
1919 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1920 return this->task_manager->initiate(this->task_manager);
1921 case IKE_CREATED:
1922 SIG(IKE_DOWN_SUCCESS, "deleting unestablished IKE_SA");
1923 break;
1924 default:
1925 SIG(IKE_DOWN_SUCCESS, "destroying IKE_SA in state %N "
1926 "without notification", ike_sa_state_names, this->state);
1927 break;
1928 }
1929 return DESTROY_ME;
1930 }
1931
1932 /**
1933 * Implementation of ike_sa_t.rekey.
1934 */
1935 static status_t rekey(private_ike_sa_t *this)
1936 {
1937 ike_rekey_t *ike_rekey;
1938
1939 ike_rekey = ike_rekey_create(&this->public, TRUE);
1940
1941 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1942 return this->task_manager->initiate(this->task_manager);
1943 }
1944
1945 /**
1946 * Implementation of ike_sa_t.reestablish
1947 */
1948 static status_t reestablish(private_ike_sa_t *this)
1949 {
1950 task_t *task;
1951
1952 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1953 * If the peer does not support RFC4478, there is no way to keep the
1954 * IKE_SA up. */
1955 if (!this->ike_initiator)
1956 {
1957 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1958 if (this->other_virtual_ip != NULL ||
1959 has_condition(this, COND_EAP_AUTHENTICATED))
1960 {
1961 time_t now = time(NULL);
1962
1963 DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
1964 return FAILED;
1965 }
1966 else
1967 {
1968 DBG1(DBG_IKE, "reauthenticating actively");
1969 }
1970 }
1971 task = (task_t*)ike_reauth_create(&this->public);
1972 this->task_manager->queue_task(this->task_manager, task);
1973
1974 return this->task_manager->initiate(this->task_manager);
1975 }
1976
1977 /**
1978 * Implementation of ike_sa_t.set_auth_lifetime.
1979 */
1980 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1981 {
1982 job_t *job;
1983 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1984
1985 this->time.reauth = time(NULL) + lifetime - reduction;
1986 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
1987
1988 if (lifetime < reduction)
1989 {
1990 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1991 lifetime);
1992 charon->processor->queue_job(charon->processor, job);
1993 }
1994 else
1995 {
1996 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1997 " in %ds", lifetime, lifetime - reduction);
1998 charon->scheduler->schedule_job(charon->scheduler, job,
1999 (lifetime - reduction) * 1000);
2000 }
2001 }
2002
2003 /**
2004 * Implementation of ike_sa_t.roam.
2005 */
2006 static status_t roam(private_ike_sa_t *this, bool address)
2007 {
2008 host_t *me, *other;
2009 ike_mobike_t *mobike;
2010
2011 /* responder just updates the peer about changed address config */
2012 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
2013 {
2014 if (supports_extension(this, EXT_MOBIKE) && address)
2015 {
2016 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2017 mobike = ike_mobike_create(&this->public, TRUE);
2018 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2019 return this->task_manager->initiate(this->task_manager);
2020 }
2021 return SUCCESS;
2022 }
2023
2024 /* get best address pair to use */
2025 other = this->other_host;
2026 me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
2027 other);
2028
2029 if (me)
2030 {
2031 if (me->ip_equals(me, this->my_host) &&
2032 other->ip_equals(other, this->other_host))
2033 {
2034 DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
2035 me->destroy(me);
2036 return SUCCESS;
2037 }
2038 me->destroy(me);
2039 }
2040
2041 /* update addresses with mobike, if supported ... */
2042 if (supports_extension(this, EXT_MOBIKE))
2043 {
2044 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2045 mobike = ike_mobike_create(&this->public, TRUE);
2046 mobike->roam(mobike, address);
2047 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2048 return this->task_manager->initiate(this->task_manager);
2049 }
2050 DBG1(DBG_IKE, "reestablishing IKE_SA due address change");
2051 /* ... reestablish if not */
2052 return reestablish(this);
2053 }
2054
2055 /**
2056 * Implementation of ike_sa_t.inherit.
2057 */
2058 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2059 {
2060 child_sa_t *child_sa;
2061 host_t *ip;
2062
2063 /* apply hosts and ids */
2064 this->my_host->destroy(this->my_host);
2065 this->other_host->destroy(this->other_host);
2066 this->my_id->destroy(this->my_id);
2067 this->other_id->destroy(this->other_id);
2068 this->my_host = other->my_host->clone(other->my_host);
2069 this->other_host = other->other_host->clone(other->other_host);
2070 this->my_id = other->my_id->clone(other->my_id);
2071 this->other_id = other->other_id->clone(other->other_id);
2072 this->ike_initiator = other->ike_initiator;
2073
2074 /* apply virtual assigned IPs... */
2075 if (other->my_virtual_ip)
2076 {
2077 this->my_virtual_ip = other->my_virtual_ip;
2078 other->my_virtual_ip = NULL;
2079 }
2080 if (other->other_virtual_ip)
2081 {
2082 this->other_virtual_ip = other->other_virtual_ip;
2083 other->other_virtual_ip = NULL;
2084 }
2085
2086 /* ... and DNS servers */
2087 while (other->dns_servers->remove_last(other->dns_servers,
2088 (void**)&ip) == SUCCESS)
2089 {
2090 this->dns_servers->insert_first(this->dns_servers, ip);
2091 }
2092
2093 /* adopt all children */
2094 while (other->child_sas->remove_last(other->child_sas,
2095 (void**)&child_sa) == SUCCESS)
2096 {
2097 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2098 }
2099
2100 /* move pending tasks to the new IKE_SA */
2101 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2102
2103 /* reauthentication timeout survives a rekeying */
2104 if (other->time.reauth)
2105 {
2106 time_t reauth, delete, now = time(NULL);
2107
2108 this->time.reauth = other->time.reauth;
2109 reauth = this->time.reauth - now;
2110 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2111 this->time.delete = this->time.reauth + delete;
2112 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2113 "lifetime reduced to %ds", reauth, delete);
2114 charon->scheduler->schedule_job(charon->scheduler,
2115 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2116 reauth * 1000);
2117 charon->scheduler->schedule_job(charon->scheduler,
2118 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2119 delete * 1000);
2120 }
2121 /* we have to initate here, there may be new tasks to handle */
2122 return this->task_manager->initiate(this->task_manager);
2123 }
2124
2125 /**
2126 * Implementation of ike_sa_t.remove_dns_server
2127 */
2128 static void remove_dns_servers(private_ike_sa_t *this)
2129 {
2130 FILE *file;
2131 struct stat stats;
2132 chunk_t contents, line, orig_line, token;
2133 char string[INET6_ADDRSTRLEN];
2134 host_t *ip;
2135 iterator_t *iterator;
2136
2137 if (this->dns_servers->get_count(this->dns_servers) == 0)
2138 {
2139 /* don't touch anything if we have no nameservers installed */
2140 return;
2141 }
2142
2143 file = fopen(RESOLV_CONF, "r");
2144 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2145 {
2146 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2147 RESOLV_CONF, strerror(errno));
2148 return;
2149 }
2150
2151 contents = chunk_alloca((size_t)stats.st_size);
2152
2153 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2154 {
2155 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2156 fclose(file);
2157 return;
2158 }
2159
2160 fclose(file);
2161 file = fopen(RESOLV_CONF, "w");
2162 if (file == NULL)
2163 {
2164 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2165 RESOLV_CONF, strerror(errno));
2166 return;
2167 }
2168
2169 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2170 while (fetchline(&contents, &line))
2171 {
2172 bool found = FALSE;
2173 orig_line = line;
2174 if (extract_token(&token, ' ', &line) &&
2175 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2176 {
2177 if (!extract_token(&token, ' ', &line))
2178 {
2179 token = line;
2180 }
2181 iterator->reset(iterator);
2182 while (iterator->iterate(iterator, (void**)&ip))
2183 {
2184 snprintf(string, sizeof(string), "%H", ip);
2185 if (strlen(string) == token.len &&
2186 strncmp(token.ptr, string, token.len) == 0)
2187 {
2188 iterator->remove(iterator);
2189 ip->destroy(ip);
2190 found = TRUE;
2191 break;
2192 }
2193 }
2194 }
2195
2196 if (!found)
2197 {
2198 /* write line untouched back to file */
2199 fwrite(orig_line.ptr, orig_line.len, 1, file);
2200 fprintf(file, "\n");
2201 }
2202 }
2203 iterator->destroy(iterator);
2204 fclose(file);
2205 }
2206
2207 /**
2208 * Implementation of ike_sa_t.add_dns_server
2209 */
2210 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2211 {
2212 FILE *file;
2213 struct stat stats;
2214 chunk_t contents;
2215
2216 DBG1(DBG_IKE, "installing DNS server %H", dns);
2217
2218 file = fopen(RESOLV_CONF, "a+");
2219 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2220 {
2221 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2222 RESOLV_CONF, strerror(errno));
2223 return;
2224 }
2225
2226 contents = chunk_alloca(stats.st_size);
2227
2228 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2229 {
2230 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2231 fclose(file);
2232 return;
2233 }
2234
2235 fclose(file);
2236 file = fopen(RESOLV_CONF, "w");
2237 if (file == NULL)
2238 {
2239 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2240 RESOLV_CONF, strerror(errno));
2241 return;
2242 }
2243
2244 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2245 dns, this->other_id) < 0)
2246 {
2247 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2248 }
2249 else
2250 {
2251 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2252 }
2253 fwrite(contents.ptr, contents.len, 1, file);
2254
2255 fclose(file);
2256 }
2257
2258 /**
2259 * Implementation of ike_sa_t.destroy.
2260 */
2261 static void destroy(private_ike_sa_t *this)
2262 {
2263 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2264
2265 DESTROY_IF(this->crypter_in);
2266 DESTROY_IF(this->crypter_out);
2267 DESTROY_IF(this->signer_in);
2268 DESTROY_IF(this->signer_out);
2269 DESTROY_IF(this->prf);
2270 DESTROY_IF(this->child_prf);
2271 chunk_free(&this->skp_verify);
2272 chunk_free(&this->skp_build);
2273
2274 if (this->my_virtual_ip)
2275 {
2276 charon->kernel_interface->del_ip(charon->kernel_interface,
2277 this->my_virtual_ip);
2278 this->my_virtual_ip->destroy(this->my_virtual_ip);
2279 }
2280 DESTROY_IF(this->other_virtual_ip);
2281
2282 remove_dns_servers(this);
2283 this->dns_servers->destroy_offset(this->dns_servers,
2284 offsetof(host_t, destroy));
2285 this->additional_addresses->destroy_offset(this->additional_addresses,
2286 offsetof(host_t, destroy));
2287 #ifdef P2P
2288 if (this->peer_cfg && this->peer_cfg->is_mediation(this->peer_cfg) &&
2289 !this->ike_sa_id->is_initiator(this->ike_sa_id))
2290 {
2291 // mediation server
2292 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2293 }
2294 DESTROY_IF(this->server_reflexive_host);
2295 #endif /* P2P */
2296
2297 DESTROY_IF(this->my_host);
2298 DESTROY_IF(this->other_host);
2299 DESTROY_IF(this->my_id);
2300 DESTROY_IF(this->other_id);
2301
2302 DESTROY_IF(this->ike_cfg);
2303 DESTROY_IF(this->peer_cfg);
2304
2305 this->ike_sa_id->destroy(this->ike_sa_id);
2306 this->task_manager->destroy(this->task_manager);
2307 free(this);
2308 }
2309
2310 /*
2311 * Described in header.
2312 */
2313 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2314 {
2315 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2316 static u_int32_t unique_id = 0;
2317
2318 /* Public functions */
2319 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2320 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2321 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2322 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2323 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2324 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2325 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2326 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2327 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2328 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2329 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2330 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2331 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2332 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2333 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2334 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2335 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2336 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2337 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2338 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2339 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2340 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2341 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2342 this->public.get_other_ca = (ca_info_t* (*)(ike_sa_t*)) get_other_ca;
2343 this->public.set_other_ca = (void (*)(ike_sa_t*,ca_info_t*)) set_other_ca;
2344 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2345 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2346 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2347 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2348 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2349 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2350 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2351 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2352 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2353 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2354 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2355 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2356 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2357 this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
2358 this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
2359 this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
2360 this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
2361 this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
2362 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2363 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2364 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2365 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2366 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2367 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2368 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2369 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2370 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2371 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2372 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2373 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2374 this->public.reset = (void (*)(ike_sa_t*))reset;
2375 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2376 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2377 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2378 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2379 #ifdef P2P
2380 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2381 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2382 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2383 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,linked_list_t*)) initiate_mediated;
2384 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2385 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2386 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2387 #endif /* P2P */
2388
2389 /* initialize private fields */
2390 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2391 this->child_sas = linked_list_create();
2392 this->my_host = host_create_any(AF_INET);
2393 this->other_host = host_create_any(AF_INET);
2394 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2395 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2396 this->other_ca = NULL;
2397 this->extensions = 0;
2398 this->conditions = 0;
2399 this->crypter_in = NULL;
2400 this->crypter_out = NULL;
2401 this->signer_in = NULL;
2402 this->signer_out = NULL;
2403 this->prf = NULL;
2404 this->skp_verify = chunk_empty;
2405 this->skp_build = chunk_empty;
2406 this->child_prf = NULL;
2407 this->state = IKE_CREATED;
2408 this->time.inbound = this->time.outbound = time(NULL);
2409 this->time.established = 0;
2410 this->time.rekey = 0;
2411 this->time.reauth = 0;
2412 this->time.delete = 0;
2413 this->ike_cfg = NULL;
2414 this->peer_cfg = NULL;
2415 this->task_manager = task_manager_create(&this->public);
2416 this->unique_id = ++unique_id;
2417 this->my_virtual_ip = NULL;
2418 this->other_virtual_ip = NULL;
2419 this->dns_servers = linked_list_create();
2420 this->additional_addresses = linked_list_create();
2421 this->pending_updates = 0;
2422 this->keyingtry = 0;
2423 this->ike_initiator = FALSE;
2424 #ifdef P2P
2425 this->server_reflexive_host = NULL;
2426 #endif /* P2P */
2427
2428 return &this->public;
2429 }