80e42d92454bc3f07b472f849082892c1cc553c9
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2008 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26 #include <time.h>
27
28 #include "ike_sa.h"
29
30 #include <library.h>
31 #include <daemon.h>
32 #include <utils/linked_list.h>
33 #include <utils/lexparser.h>
34 #include <crypto/diffie_hellman.h>
35 #include <crypto/prf_plus.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/hashers/hasher.h>
38 #include <encoding/payloads/sa_payload.h>
39 #include <encoding/payloads/nonce_payload.h>
40 #include <encoding/payloads/ke_payload.h>
41 #include <encoding/payloads/delete_payload.h>
42 #include <encoding/payloads/transform_substructure.h>
43 #include <encoding/payloads/transform_attribute.h>
44 #include <encoding/payloads/ts_payload.h>
45 #include <sa/task_manager.h>
46 #include <sa/tasks/ike_init.h>
47 #include <sa/tasks/ike_natd.h>
48 #include <sa/tasks/ike_mobike.h>
49 #include <sa/tasks/ike_auth.h>
50 #include <sa/tasks/ike_auth_lifetime.h>
51 #include <sa/tasks/ike_config.h>
52 #include <sa/tasks/ike_cert_pre.h>
53 #include <sa/tasks/ike_cert_post.h>
54 #include <sa/tasks/ike_rekey.h>
55 #include <sa/tasks/ike_reauth.h>
56 #include <sa/tasks/ike_delete.h>
57 #include <sa/tasks/ike_dpd.h>
58 #include <sa/tasks/child_create.h>
59 #include <sa/tasks/child_delete.h>
60 #include <sa/tasks/child_rekey.h>
61 #include <processing/jobs/retransmit_job.h>
62 #include <processing/jobs/delete_ike_sa_job.h>
63 #include <processing/jobs/send_dpd_job.h>
64 #include <processing/jobs/send_keepalive_job.h>
65 #include <processing/jobs/rekey_ike_sa_job.h>
66
67 #ifdef ME
68 #include <sa/tasks/ike_me.h>
69 #include <processing/jobs/initiate_mediation_job.h>
70 #endif
71
72 #ifndef RESOLV_CONF
73 #define RESOLV_CONF "/etc/resolv.conf"
74 #endif
75
76 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
77 "CREATED",
78 "CONNECTING",
79 "ESTABLISHED",
80 "REKEYING",
81 "DELETING",
82 "DESTROYING",
83 );
84
85 typedef struct private_ike_sa_t private_ike_sa_t;
86
87 /**
88 * Private data of an ike_sa_t object.
89 */
90 struct private_ike_sa_t {
91
92 /**
93 * Public members
94 */
95 ike_sa_t public;
96
97 /**
98 * Identifier for the current IKE_SA.
99 */
100 ike_sa_id_t *ike_sa_id;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 u_int32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * associated authentication/authorization info for local peer
124 */
125 auth_info_t *my_auth;
126
127 /**
128 * associated authentication/authorization info for remote peer
129 */
130 auth_info_t *other_auth;
131
132 /**
133 * Selected IKE proposal
134 */
135 proposal_t *proposal;
136
137 /**
138 * Juggles tasks to process messages
139 */
140 task_manager_t *task_manager;
141
142 /**
143 * Address of local host
144 */
145 host_t *my_host;
146
147 /**
148 * Address of remote host
149 */
150 host_t *other_host;
151
152 #ifdef ME
153 /**
154 * Are we mediation server
155 */
156 bool is_mediation_server;
157
158 /**
159 * Server reflexive host
160 */
161 host_t *server_reflexive_host;
162
163 /**
164 * Connect ID
165 */
166 chunk_t connect_id;
167 #endif /* ME */
168
169 /**
170 * Identification used for us
171 */
172 identification_t *my_id;
173
174 /**
175 * Identification used for other
176 */
177 identification_t *other_id;
178
179 /**
180 * EAP Identity exchange in EAP-Identity method
181 */
182 identification_t *eap_identity;;
183
184 /**
185 * set of extensions the peer supports
186 */
187 ike_extension_t extensions;
188
189 /**
190 * set of condition flags currently enabled for this IKE_SA
191 */
192 ike_condition_t conditions;
193
194 /**
195 * Linked List containing the child sa's of the current IKE_SA.
196 */
197 linked_list_t *child_sas;
198
199 /**
200 * keymat of this IKE_SA
201 */
202 keymat_t *keymat;
203
204 /**
205 * Virtual IP on local host, if any
206 */
207 host_t *my_virtual_ip;
208
209 /**
210 * Virtual IP on remote host, if any
211 */
212 host_t *other_virtual_ip;
213
214 /**
215 * List of DNS servers installed by us
216 */
217 linked_list_t *dns_servers;
218
219 /**
220 * list of peers additional addresses, transmitted via MOBIKE
221 */
222 linked_list_t *additional_addresses;
223
224 /**
225 * previously value of received DESTINATION_IP hash
226 */
227 chunk_t nat_detection_dest;
228
229 /**
230 * number pending UPDATE_SA_ADDRESS (MOBIKE)
231 */
232 u_int32_t pending_updates;
233
234 /**
235 * NAT keep alive interval
236 */
237 u_int32_t keepalive_interval;
238
239 /**
240 * Timestamps for this IKE_SA
241 */
242 u_int32_t stats[STAT_MAX];
243
244 /**
245 * how many times we have retried so far (keyingtries)
246 */
247 u_int32_t keyingtry;
248
249 /**
250 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
251 */
252 bool ike_initiator;
253
254 /**
255 * local host address to be used for IKE, set via MIGRATE kernel message
256 */
257 host_t *local_host;
258
259 /**
260 * remote host address to be used for IKE, set via MIGRATE kernel message
261 */
262 host_t *remote_host;
263 };
264
265 /**
266 * get the time of the latest traffic processed by the kernel
267 */
268 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
269 {
270 enumerator_t *enumerator;
271 child_sa_t *child_sa;
272 time_t use_time;
273
274 if (inbound)
275 {
276 use_time = this->stats[STAT_INBOUND];
277 }
278 else
279 {
280 use_time = this->stats[STAT_OUTBOUND];
281 }
282 enumerator = this->child_sas->create_enumerator(this->child_sas);
283 while (enumerator->enumerate(enumerator, &child_sa))
284 {
285 use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
286 }
287 enumerator->destroy(enumerator);
288
289 return use_time;
290 }
291
292 /**
293 * Implementation of ike_sa_t.get_unique_id
294 */
295 static u_int32_t get_unique_id(private_ike_sa_t *this)
296 {
297 return this->unique_id;
298 }
299
300 /**
301 * Implementation of ike_sa_t.get_name.
302 */
303 static char *get_name(private_ike_sa_t *this)
304 {
305 if (this->peer_cfg)
306 {
307 return this->peer_cfg->get_name(this->peer_cfg);
308 }
309 return "(unnamed)";
310 }
311
312 /**
313 * Implementation of ike_sa_t.get_statistic.
314 */
315 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
316 {
317 if (kind < STAT_MAX)
318 {
319 return this->stats[kind];
320 }
321 return 0;
322 }
323
324 /**
325 * Implementation of ike_sa_t.get_my_host.
326 */
327 static host_t *get_my_host(private_ike_sa_t *this)
328 {
329 return this->my_host;
330 }
331
332 /**
333 * Implementation of ike_sa_t.set_my_host.
334 */
335 static void set_my_host(private_ike_sa_t *this, host_t *me)
336 {
337 DESTROY_IF(this->my_host);
338 this->my_host = me;
339 }
340
341 /**
342 * Implementation of ike_sa_t.get_other_host.
343 */
344 static host_t *get_other_host(private_ike_sa_t *this)
345 {
346 return this->other_host;
347 }
348
349 /**
350 * Implementation of ike_sa_t.set_other_host.
351 */
352 static void set_other_host(private_ike_sa_t *this, host_t *other)
353 {
354 DESTROY_IF(this->other_host);
355 this->other_host = other;
356 }
357
358 /**
359 * Implementation of ike_sa_t.get_peer_cfg
360 */
361 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
362 {
363 return this->peer_cfg;
364 }
365
366 /**
367 * Implementation of ike_sa_t.set_peer_cfg
368 */
369 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
370 {
371 DESTROY_IF(this->peer_cfg);
372 peer_cfg->get_ref(peer_cfg);
373 this->peer_cfg = peer_cfg;
374
375 if (this->ike_cfg == NULL)
376 {
377 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
378 this->ike_cfg->get_ref(this->ike_cfg);
379 }
380 /* apply IDs if they are not already set */
381 if (this->my_id->contains_wildcards(this->my_id))
382 {
383 DESTROY_IF(this->my_id);
384 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
385 this->my_id = this->my_id->clone(this->my_id);
386 }
387 if (this->other_id->contains_wildcards(this->other_id))
388 {
389 DESTROY_IF(this->other_id);
390 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
391 this->other_id = this->other_id->clone(this->other_id);
392 }
393 }
394
395 /**
396 * Implementation of ike_sa_t.get_my_auth.
397 */
398 static auth_info_t* get_my_auth(private_ike_sa_t *this)
399 {
400 return this->my_auth;
401 }
402
403 /**
404 * Implementation of ike_sa_t.get_other_auth.
405 */
406 static auth_info_t* get_other_auth(private_ike_sa_t *this)
407 {
408 return this->other_auth;
409 }
410
411 /**
412 * Implementation of ike_sa_t.get_proposal
413 */
414 static proposal_t* get_proposal(private_ike_sa_t *this)
415 {
416 return this->proposal;
417 }
418
419 /**
420 * Implementation of ike_sa_t.set_proposal
421 */
422 static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
423 {
424 DESTROY_IF(this->proposal);
425 this->proposal = proposal->clone(proposal);
426 }
427
428 /**
429 * Implementation of ike_sa_t.send_keepalive
430 */
431 static void send_keepalive(private_ike_sa_t *this)
432 {
433 send_keepalive_job_t *job;
434 time_t last_out, now, diff;
435
436 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
437 { /* disable keep alives if we are not NATed anymore */
438 return;
439 }
440
441 last_out = get_use_time(this, FALSE);
442 now = time(NULL);
443
444 diff = now - last_out;
445
446 if (diff >= this->keepalive_interval)
447 {
448 packet_t *packet;
449 chunk_t data;
450
451 packet = packet_create();
452 packet->set_source(packet, this->my_host->clone(this->my_host));
453 packet->set_destination(packet, this->other_host->clone(this->other_host));
454 data.ptr = malloc(1);
455 data.ptr[0] = 0xFF;
456 data.len = 1;
457 packet->set_data(packet, data);
458 DBG1(DBG_IKE, "sending keep alive");
459 charon->sender->send(charon->sender, packet);
460 diff = 0;
461 }
462 job = send_keepalive_job_create(this->ike_sa_id);
463 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
464 (this->keepalive_interval - diff) * 1000);
465 }
466
467 /**
468 * Implementation of ike_sa_t.get_ike_cfg
469 */
470 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
471 {
472 return this->ike_cfg;
473 }
474
475 /**
476 * Implementation of ike_sa_t.set_ike_cfg
477 */
478 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
479 {
480 ike_cfg->get_ref(ike_cfg);
481 this->ike_cfg = ike_cfg;
482 }
483
484 /**
485 * Implementation of ike_sa_t.is_ike_initiator
486 */
487 static bool is_ike_initiator(private_ike_sa_t *this)
488 {
489 return this->ike_initiator;
490 }
491
492 /**
493 * Implementation of ike_sa_t.enable_extension.
494 */
495 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
496 {
497 this->extensions |= extension;
498 }
499
500 /**
501 * Implementation of ike_sa_t.has_extension.
502 */
503 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
504 {
505 return (this->extensions & extension) != FALSE;
506 }
507
508 /**
509 * Implementation of ike_sa_t.has_condition.
510 */
511 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
512 {
513 return (this->conditions & condition) != FALSE;
514 }
515
516 /**
517 * Implementation of ike_sa_t.enable_condition.
518 */
519 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
520 bool enable)
521 {
522 if (has_condition(this, condition) != enable)
523 {
524 if (enable)
525 {
526 this->conditions |= condition;
527 switch (condition)
528 {
529 case COND_NAT_HERE:
530 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
531 this->conditions |= COND_NAT_ANY;
532 send_keepalive(this);
533 break;
534 case COND_NAT_THERE:
535 DBG1(DBG_IKE, "remote host is behind NAT");
536 this->conditions |= COND_NAT_ANY;
537 break;
538 case COND_NAT_FAKE:
539 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
540 this->conditions |= COND_NAT_ANY;
541 break;
542 default:
543 break;
544 }
545 }
546 else
547 {
548 this->conditions &= ~condition;
549 switch (condition)
550 {
551 case COND_NAT_HERE:
552 case COND_NAT_FAKE:
553 case COND_NAT_THERE:
554 set_condition(this, COND_NAT_ANY,
555 has_condition(this, COND_NAT_HERE) ||
556 has_condition(this, COND_NAT_THERE) ||
557 has_condition(this, COND_NAT_FAKE));
558 break;
559 default:
560 break;
561 }
562 }
563 }
564 }
565
566 /**
567 * Implementation of ike_sa_t.send_dpd
568 */
569 static status_t send_dpd(private_ike_sa_t *this)
570 {
571 send_dpd_job_t *job;
572 time_t diff, delay;
573
574 delay = this->peer_cfg->get_dpd(this->peer_cfg);
575
576 if (delay == 0)
577 {
578 /* DPD disabled */
579 return SUCCESS;
580 }
581
582 if (this->task_manager->busy(this->task_manager))
583 {
584 /* an exchange is in the air, no need to start a DPD check */
585 diff = 0;
586 }
587 else
588 {
589 /* check if there was any inbound traffic */
590 time_t last_in, now;
591 last_in = get_use_time(this, TRUE);
592 now = time(NULL);
593 diff = now - last_in;
594 if (diff >= delay)
595 {
596 /* to long ago, initiate dead peer detection */
597 task_t *task;
598 ike_mobike_t *mobike;
599
600 if (supports_extension(this, EXT_MOBIKE) &&
601 has_condition(this, COND_NAT_HERE))
602 {
603 /* use mobike enabled DPD to detect NAT mapping changes */
604 mobike = ike_mobike_create(&this->public, TRUE);
605 mobike->dpd(mobike);
606 task = &mobike->task;
607 }
608 else
609 {
610 task = (task_t*)ike_dpd_create(TRUE);
611 }
612 diff = 0;
613 DBG1(DBG_IKE, "sending DPD request");
614
615 this->task_manager->queue_task(this->task_manager, task);
616 this->task_manager->initiate(this->task_manager);
617 }
618 }
619 /* recheck in "interval" seconds */
620 job = send_dpd_job_create(this->ike_sa_id);
621 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
622 (delay - diff) * 1000);
623 return SUCCESS;
624 }
625
626 /**
627 * Implementation of ike_sa_t.get_state.
628 */
629 static ike_sa_state_t get_state(private_ike_sa_t *this)
630 {
631 return this->state;
632 }
633
634 /**
635 * Implementation of ike_sa_t.set_state.
636 */
637 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
638 {
639 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
640 get_name(this), this->unique_id,
641 ike_sa_state_names, this->state,
642 ike_sa_state_names, state);
643
644 switch (state)
645 {
646 case IKE_ESTABLISHED:
647 {
648 if (this->state == IKE_CONNECTING)
649 {
650 job_t *job;
651 u_int32_t t;
652
653 /* calculate rekey, reauth and lifetime */
654 this->stats[STAT_ESTABLISHED] = time(NULL);
655
656 /* schedule rekeying if we have a time which is smaller than
657 * an already scheduled rekeying */
658 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
659 if (t && (this->stats[STAT_REKEY] == 0 ||
660 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
661 {
662 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
663 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
664 charon->scheduler->schedule_job(charon->scheduler,
665 job, t * 1000);
666 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
667 }
668 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
669 if (t && (this->stats[STAT_REAUTH] == 0 ||
670 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
671 {
672 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
673 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
674 charon->scheduler->schedule_job(charon->scheduler,
675 job, t * 1000);
676 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
677 }
678 t = this->peer_cfg->get_over_time(this->peer_cfg);
679 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
680 {
681 if (this->stats[STAT_REAUTH] == 0)
682 {
683 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
684 }
685 else if (this->stats[STAT_REKEY] == 0)
686 {
687 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
688 }
689 else
690 {
691 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
692 this->stats[STAT_REAUTH]);
693 }
694 this->stats[STAT_DELETE] += t;
695 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
696 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
697 charon->scheduler->schedule_job(charon->scheduler, job,
698 t * 1000);
699 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
700 }
701
702 /* start DPD checks */
703 send_dpd(this);
704 }
705 break;
706 }
707 case IKE_DELETING:
708 {
709 /* delete may fail if a packet gets lost, so set a timeout */
710 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
711 charon->scheduler->schedule_job(charon->scheduler, job,
712 HALF_OPEN_IKE_SA_TIMEOUT);
713 break;
714 }
715 default:
716 break;
717 }
718 charon->bus->ike_state_change(charon->bus, &this->public, state);
719 this->state = state;
720 }
721
722 /**
723 * Implementation of ike_sa_t.reset
724 */
725 static void reset(private_ike_sa_t *this)
726 {
727 /* the responder ID is reset, as peer may choose another one */
728 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
729 {
730 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
731 }
732
733 set_state(this, IKE_CREATED);
734
735 this->task_manager->reset(this->task_manager);
736 }
737
738 /**
739 * Implementation of ike_sa_t.get_keymat
740 */
741 static keymat_t* get_keymat(private_ike_sa_t *this)
742 {
743 return this->keymat;
744 }
745
746 /**
747 * Implementation of ike_sa_t.set_virtual_ip
748 */
749 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
750 {
751 if (local)
752 {
753 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
754 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
755 this->my_host) == SUCCESS)
756 {
757 if (this->my_virtual_ip)
758 {
759 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
760 charon->kernel_interface->del_ip(charon->kernel_interface,
761 this->my_virtual_ip);
762 }
763 DESTROY_IF(this->my_virtual_ip);
764 this->my_virtual_ip = ip->clone(ip);
765 }
766 else
767 {
768 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
769 this->my_virtual_ip = NULL;
770 }
771 }
772 else
773 {
774 DESTROY_IF(this->other_virtual_ip);
775 this->other_virtual_ip = ip->clone(ip);
776 }
777 }
778
779 /**
780 * Implementation of ike_sa_t.get_virtual_ip
781 */
782 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
783 {
784 if (local)
785 {
786 return this->my_virtual_ip;
787 }
788 else
789 {
790 return this->other_virtual_ip;
791 }
792 }
793
794 /**
795 * Implementation of ike_sa_t.add_additional_address.
796 */
797 static void add_additional_address(private_ike_sa_t *this, host_t *host)
798 {
799 this->additional_addresses->insert_last(this->additional_addresses, host);
800 }
801
802 /**
803 * Implementation of ike_sa_t.create_additional_address_iterator.
804 */
805 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
806 {
807 return this->additional_addresses->create_iterator(
808 this->additional_addresses, TRUE);
809 }
810
811 /**
812 * Implementation of ike_sa_t.has_mapping_changed
813 */
814 static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
815 {
816 if (this->nat_detection_dest.ptr == NULL)
817 {
818 this->nat_detection_dest = chunk_clone(hash);
819 return FALSE;
820 }
821 if (chunk_equals(hash, this->nat_detection_dest))
822 {
823 return FALSE;
824 }
825 free(this->nat_detection_dest.ptr);
826 this->nat_detection_dest = chunk_clone(hash);
827 return TRUE;
828 }
829
830 /**
831 * Implementation of ike_sa_t.set_pending_updates.
832 */
833 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
834 {
835 this->pending_updates = updates;
836 }
837
838 /**
839 * Implementation of ike_sa_t.get_pending_updates.
840 */
841 static u_int32_t get_pending_updates(private_ike_sa_t *this)
842 {
843 return this->pending_updates;
844 }
845
846 /**
847 * Update hosts, as addresses may change (NAT)
848 */
849 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
850 {
851 bool update = FALSE;
852
853 if (me == NULL)
854 {
855 me = this->my_host;
856 }
857 if (other == NULL)
858 {
859 other = this->other_host;
860 }
861
862 /* apply hosts on first received message */
863 if (this->my_host->is_anyaddr(this->my_host) ||
864 this->other_host->is_anyaddr(this->other_host))
865 {
866 set_my_host(this, me->clone(me));
867 set_other_host(this, other->clone(other));
868 update = TRUE;
869 }
870 else
871 {
872 /* update our address in any case */
873 if (!me->equals(me, this->my_host))
874 {
875 set_my_host(this, me->clone(me));
876 update = TRUE;
877 }
878
879 if (!other->equals(other, this->other_host))
880 {
881 /* update others adress if we are NOT NATed,
882 * and allow port changes if we are NATed */
883 if (!has_condition(this, COND_NAT_HERE) ||
884 other->ip_equals(other, this->other_host))
885 {
886 set_other_host(this, other->clone(other));
887 update = TRUE;
888 }
889 }
890 }
891
892 /* update all associated CHILD_SAs, if required */
893 if (update)
894 {
895 iterator_t *iterator;
896 child_sa_t *child_sa;
897
898 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
899 while (iterator->iterate(iterator, (void**)&child_sa))
900 {
901 if (child_sa->update_hosts(child_sa, this->my_host,
902 this->other_host, this->my_virtual_ip,
903 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
904 {
905 this->public.rekey_child_sa(&this->public,
906 child_sa->get_protocol(child_sa),
907 child_sa->get_spi(child_sa, TRUE));
908 }
909 }
910 iterator->destroy(iterator);
911 }
912 }
913
914 /**
915 * Implementation of ike_sa_t.generate
916 */
917 static status_t generate_message(private_ike_sa_t *this, message_t *message,
918 packet_t **packet)
919 {
920 this->stats[STAT_OUTBOUND] = time(NULL);
921 message->set_ike_sa_id(message, this->ike_sa_id);
922 return message->generate(message,
923 this->keymat->get_crypter(this->keymat, FALSE),
924 this->keymat->get_signer(this->keymat, FALSE), packet);
925 }
926
927 /**
928 * send a notify back to the sender
929 */
930 static void send_notify_response(private_ike_sa_t *this, message_t *request,
931 notify_type_t type)
932 {
933 message_t *response;
934 packet_t *packet;
935
936 response = message_create();
937 response->set_exchange_type(response, request->get_exchange_type(request));
938 response->set_request(response, FALSE);
939 response->set_message_id(response, request->get_message_id(request));
940 response->add_notify(response, FALSE, type, chunk_empty);
941 if (this->my_host->is_anyaddr(this->my_host))
942 {
943 this->my_host->destroy(this->my_host);
944 this->my_host = request->get_destination(request);
945 this->my_host = this->my_host->clone(this->my_host);
946 }
947 if (this->other_host->is_anyaddr(this->other_host))
948 {
949 this->other_host->destroy(this->other_host);
950 this->other_host = request->get_source(request);
951 this->other_host = this->other_host->clone(this->other_host);
952 }
953 response->set_source(response, this->my_host->clone(this->my_host));
954 response->set_destination(response, this->other_host->clone(this->other_host));
955 if (generate_message(this, response, &packet) == SUCCESS)
956 {
957 charon->sender->send(charon->sender, packet);
958 }
959 response->destroy(response);
960 }
961
962 /**
963 * Implementation of ike_sa_t.set_kmaddress.
964 */
965 static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
966 {
967 DESTROY_IF(this->local_host);
968 DESTROY_IF(this->remote_host);
969 this->local_host = local->clone(local);
970 this->remote_host = remote->clone(remote);
971 }
972
973 #ifdef ME
974 /**
975 * Implementation of ike_sa_t.act_as_mediation_server.
976 */
977 static void act_as_mediation_server(private_ike_sa_t *this)
978 {
979 charon->mediation_manager->update_sa_id(charon->mediation_manager,
980 this->other_id, this->ike_sa_id);
981 this->is_mediation_server = TRUE;
982 }
983
984 /**
985 * Implementation of ike_sa_t.get_server_reflexive_host.
986 */
987 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
988 {
989 return this->server_reflexive_host;
990 }
991
992 /**
993 * Implementation of ike_sa_t.set_server_reflexive_host.
994 */
995 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
996 {
997 DESTROY_IF(this->server_reflexive_host);
998 this->server_reflexive_host = host;
999 }
1000
1001 /**
1002 * Implementation of ike_sa_t.get_connect_id.
1003 */
1004 static chunk_t get_connect_id(private_ike_sa_t *this)
1005 {
1006 return this->connect_id;
1007 }
1008
1009 /**
1010 * Implementation of ike_sa_t.respond
1011 */
1012 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
1013 chunk_t connect_id)
1014 {
1015 ike_me_t *task = ike_me_create(&this->public, TRUE);
1016 task->respond(task, peer_id, connect_id);
1017 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1018 return this->task_manager->initiate(this->task_manager);
1019 }
1020
1021 /**
1022 * Implementation of ike_sa_t.callback
1023 */
1024 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
1025 {
1026 ike_me_t *task = ike_me_create(&this->public, TRUE);
1027 task->callback(task, peer_id);
1028 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1029 return this->task_manager->initiate(this->task_manager);
1030 }
1031
1032 /**
1033 * Implementation of ike_sa_t.relay
1034 */
1035 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1036 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1037 {
1038 ike_me_t *task = ike_me_create(&this->public, TRUE);
1039 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1040 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1041 return this->task_manager->initiate(this->task_manager);
1042 }
1043
1044 /**
1045 * Implementation of ike_sa_t.initiate_mediation
1046 */
1047 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1048 {
1049 ike_me_t *task = ike_me_create(&this->public, TRUE);
1050 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1051 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1052 return this->task_manager->initiate(this->task_manager);
1053 }
1054
1055 /**
1056 * Implementation of ike_sa_t.initiate_mediated
1057 */
1058 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1059 chunk_t connect_id)
1060 {
1061 set_my_host(this, me->clone(me));
1062 set_other_host(this, other->clone(other));
1063 chunk_free(&this->connect_id);
1064 this->connect_id = chunk_clone(connect_id);
1065
1066 return this->task_manager->initiate(this->task_manager);
1067 }
1068 #endif /* ME */
1069
1070 /**
1071 * Resolve DNS host in configuration
1072 */
1073 static void resolve_hosts(private_ike_sa_t *this)
1074 {
1075 host_t *host;
1076
1077 if (this->remote_host)
1078 {
1079 host = this->remote_host->clone(this->remote_host);
1080 host->set_port(host, IKEV2_UDP_PORT);
1081 }
1082 else
1083 {
1084 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1085 0, IKEV2_UDP_PORT);
1086 }
1087 if (host)
1088 {
1089 set_other_host(this, host);
1090 }
1091
1092 if (this->local_host)
1093 {
1094 host = this->local_host->clone(this->local_host);
1095 host->set_port(host, IKEV2_UDP_PORT);
1096 }
1097 else
1098 {
1099 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1100 this->my_host->get_family(this->my_host),
1101 IKEV2_UDP_PORT);
1102
1103 if (host && host->is_anyaddr(host) &&
1104 !this->other_host->is_anyaddr(this->other_host))
1105 {
1106 host->destroy(host);
1107 host = charon->kernel_interface->get_source_addr(
1108 charon->kernel_interface, this->other_host, NULL);
1109 if (host)
1110 {
1111 host->set_port(host, IKEV2_UDP_PORT);
1112 }
1113 }
1114 }
1115 if (host)
1116 {
1117 set_my_host(this, host);
1118 }
1119 }
1120
1121 /**
1122 * Initiates a CHILD_SA using the appropriate reqid
1123 */
1124 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1125 {
1126 task_t *task;
1127
1128 if (this->state == IKE_CREATED)
1129 {
1130 resolve_hosts(this);
1131
1132 if (this->other_host->is_anyaddr(this->other_host)
1133 #ifdef ME
1134 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1135 #endif /* ME */
1136 )
1137 {
1138 child_cfg->destroy(child_cfg);
1139 DBG1(DBG_IKE, "unable to initiate to %%any");
1140 return DESTROY_ME;
1141 }
1142
1143 this->ike_initiator = TRUE;
1144
1145 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1146 this->task_manager->queue_task(this->task_manager, task);
1147 task = (task_t*)ike_natd_create(&this->public, TRUE);
1148 this->task_manager->queue_task(this->task_manager, task);
1149 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1150 this->task_manager->queue_task(this->task_manager, task);
1151 task = (task_t*)ike_auth_create(&this->public, TRUE);
1152 this->task_manager->queue_task(this->task_manager, task);
1153 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1154 this->task_manager->queue_task(this->task_manager, task);
1155 task = (task_t*)ike_config_create(&this->public, TRUE);
1156 this->task_manager->queue_task(this->task_manager, task);
1157 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1158 this->task_manager->queue_task(this->task_manager, task);
1159 if (this->peer_cfg->use_mobike(this->peer_cfg))
1160 {
1161 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1162 this->task_manager->queue_task(this->task_manager, task);
1163 }
1164 #ifdef ME
1165 task = (task_t*)ike_me_create(&this->public, TRUE);
1166 this->task_manager->queue_task(this->task_manager, task);
1167 #endif /* ME */
1168 }
1169
1170 #ifdef ME
1171 if (this->peer_cfg->is_mediation(this->peer_cfg))
1172 { /* mediation connection is already established, retrigger state change
1173 * to notify bus listeners */
1174 DBG1(DBG_IKE, "mediation connection is already up");
1175 set_state(this, IKE_ESTABLISHED);
1176 DESTROY_IF(child_cfg);
1177 }
1178 else
1179 #endif /* ME */
1180 {
1181 /* normal IKE_SA with CHILD_SA */
1182 task = (task_t*)child_create_create(&this->public, child_cfg);
1183 child_cfg->destroy(child_cfg);
1184 if (reqid)
1185 {
1186 child_create_t *child_create = (child_create_t*)task;
1187 child_create->use_reqid(child_create, reqid);
1188 }
1189 this->task_manager->queue_task(this->task_manager, task);
1190
1191 #ifdef ME
1192 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1193 {
1194 /* mediated connection, initiate mediation process */
1195 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1196 charon->processor->queue_job(charon->processor, job);
1197 return SUCCESS;
1198 }
1199 #endif /* ME */
1200 }
1201
1202 return this->task_manager->initiate(this->task_manager);
1203 }
1204
1205 /**
1206 * Implementation of ike_sa_t.initiate.
1207 */
1208 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1209 {
1210 return initiate_with_reqid(this, child_cfg, 0);
1211 }
1212
1213 /**
1214 * Implementation of ike_sa_t.acquire.
1215 */
1216 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1217 {
1218 child_cfg_t *child_cfg;
1219 iterator_t *iterator;
1220 child_sa_t *current, *child_sa = NULL;
1221
1222 if (this->state == IKE_DELETING)
1223 {
1224 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1225 "IKE_SA is deleting", reqid);
1226 return FAILED;
1227 }
1228
1229 /* find CHILD_SA */
1230 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1231 while (iterator->iterate(iterator, (void**)&current))
1232 {
1233 if (current->get_reqid(current) == reqid)
1234 {
1235 child_sa = current;
1236 break;
1237 }
1238 }
1239 iterator->destroy(iterator);
1240 if (!child_sa)
1241 {
1242 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1243 "CHILD_SA not found", reqid);
1244 return FAILED;
1245 }
1246
1247 child_cfg = child_sa->get_config(child_sa);
1248 child_cfg->get_ref(child_cfg);
1249
1250 return initiate_with_reqid(this, child_cfg, reqid);
1251 }
1252
1253 /**
1254 * Implementation of ike_sa_t.route.
1255 */
1256 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1257 {
1258 child_sa_t *child_sa;
1259 iterator_t *iterator;
1260 linked_list_t *my_ts, *other_ts;
1261 host_t *me, *other;
1262 status_t status;
1263
1264 /* check if not already routed*/
1265 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1266 while (iterator->iterate(iterator, (void**)&child_sa))
1267 {
1268 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1269 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1270 {
1271 iterator->destroy(iterator);
1272 DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
1273 return FAILED;
1274 }
1275 }
1276 iterator->destroy(iterator);
1277
1278 switch (this->state)
1279 {
1280 case IKE_DELETING:
1281 case IKE_REKEYING:
1282 DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
1283 ike_sa_state_names, this->state);
1284 return FAILED;
1285 case IKE_CREATED:
1286 case IKE_CONNECTING:
1287 case IKE_ESTABLISHED:
1288 default:
1289 break;
1290 }
1291
1292 resolve_hosts(this);
1293
1294 /* install kernel policies */
1295 child_sa = child_sa_create(this->my_host, this->other_host,
1296 child_cfg, 0, FALSE);
1297 me = this->my_host;
1298 if (this->my_virtual_ip)
1299 {
1300 me = this->my_virtual_ip;
1301 }
1302 other = this->other_host;
1303 if (this->other_virtual_ip)
1304 {
1305 other = this->other_virtual_ip;
1306 }
1307
1308 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1309 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1310
1311 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1312 child_cfg->get_mode(child_cfg), PROTO_NONE);
1313
1314 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1315 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1316 if (status == SUCCESS)
1317 {
1318 this->child_sas->insert_last(this->child_sas, child_sa);
1319 DBG1(DBG_IKE, "CHILD_SA routed");
1320 }
1321 else
1322 {
1323 child_sa->destroy(child_sa);
1324 DBG1(DBG_IKE, "routing CHILD_SA failed");
1325 }
1326 return status;
1327 }
1328
1329 /**
1330 * Implementation of ike_sa_t.unroute.
1331 */
1332 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1333 {
1334 iterator_t *iterator;
1335 child_sa_t *child_sa;
1336 bool found = FALSE;
1337
1338 /* find CHILD_SA in ROUTED state */
1339 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1340 while (iterator->iterate(iterator, (void**)&child_sa))
1341 {
1342 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1343 child_sa->get_reqid(child_sa) == reqid)
1344 {
1345 iterator->remove(iterator);
1346 DBG1(DBG_IKE, "CHILD_SA unrouted");
1347 child_sa->destroy(child_sa);
1348 found = TRUE;
1349 break;
1350 }
1351 }
1352 iterator->destroy(iterator);
1353
1354 if (!found)
1355 {
1356 DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
1357 return FAILED;
1358 }
1359 /* if we are not established, and we have no more routed childs, remove whole SA */
1360 if (this->state == IKE_CREATED &&
1361 this->child_sas->get_count(this->child_sas) == 0)
1362 {
1363 return DESTROY_ME;
1364 }
1365 return SUCCESS;
1366 }
1367
1368 /**
1369 * Implementation of ike_sa_t.process_message.
1370 */
1371 static status_t process_message(private_ike_sa_t *this, message_t *message)
1372 {
1373 status_t status;
1374 bool is_request;
1375
1376 is_request = message->get_request(message);
1377
1378 status = message->parse_body(message,
1379 this->keymat->get_crypter(this->keymat, TRUE),
1380 this->keymat->get_signer(this->keymat, TRUE));
1381 if (status != SUCCESS)
1382 {
1383
1384 if (is_request)
1385 {
1386 switch (status)
1387 {
1388 case NOT_SUPPORTED:
1389 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1390 if (is_request)
1391 {
1392 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1393 }
1394 break;
1395 case PARSE_ERROR:
1396 DBG1(DBG_IKE, "message parsing failed");
1397 if (is_request)
1398 {
1399 send_notify_response(this, message, INVALID_SYNTAX);
1400 }
1401 break;
1402 case VERIFY_ERROR:
1403 DBG1(DBG_IKE, "message verification failed");
1404 if (is_request)
1405 {
1406 send_notify_response(this, message, INVALID_SYNTAX);
1407 }
1408 break;
1409 case FAILED:
1410 DBG1(DBG_IKE, "integrity check failed");
1411 /* ignored */
1412 break;
1413 case INVALID_STATE:
1414 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1415 if (is_request)
1416 {
1417 send_notify_response(this, message, INVALID_SYNTAX);
1418 }
1419 default:
1420 break;
1421 }
1422 }
1423 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1424 exchange_type_names, message->get_exchange_type(message),
1425 message->get_request(message) ? "request" : "response",
1426 message->get_message_id(message));
1427 return status;
1428 }
1429 else
1430 {
1431 host_t *me, *other;
1432 private_ike_sa_t *new;
1433 iterator_t *iterator;
1434 child_sa_t *child;
1435 bool has_routed = FALSE;
1436
1437 me = message->get_destination(message);
1438 other = message->get_source(message);
1439
1440 /* if this IKE_SA is virgin, we check for a config */
1441 if (this->ike_cfg == NULL)
1442 {
1443 job_t *job;
1444 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1445 me, other);
1446 if (this->ike_cfg == NULL)
1447 {
1448 /* no config found for these hosts, destroy */
1449 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1450 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1451 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1452 return DESTROY_ME;
1453 }
1454 /* add a timeout if peer does not establish it completely */
1455 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1456 charon->scheduler->schedule_job(charon->scheduler, job,
1457 HALF_OPEN_IKE_SA_TIMEOUT);
1458 }
1459 this->stats[STAT_INBOUND] = time(NULL);
1460 /* check if message is trustworthy, and update host information */
1461 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1462 message->get_exchange_type(message) != IKE_SA_INIT)
1463 {
1464 if (!supports_extension(this, EXT_MOBIKE))
1465 { /* with MOBIKE, we do no implicit updates */
1466 update_hosts(this, me, other);
1467 }
1468 }
1469 status = this->task_manager->process_message(this->task_manager, message);
1470 if (status != DESTROY_ME)
1471 {
1472 return status;
1473 }
1474 /* if IKE_SA gets closed for any reasons, reroute routed children */
1475 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1476 while (iterator->iterate(iterator, (void**)&child))
1477 {
1478 if (child->get_state(child) == CHILD_ROUTED)
1479 {
1480 has_routed = TRUE;
1481 break;
1482 }
1483 }
1484 iterator->destroy(iterator);
1485 if (!has_routed)
1486 {
1487 return status;
1488 }
1489 /* move routed children to a new IKE_SA, apply connection info */
1490 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1491 charon->ike_sa_manager, TRUE);
1492 set_peer_cfg(new, this->peer_cfg);
1493 new->other_host->destroy(new->other_host);
1494 new->other_host = this->other_host->clone(this->other_host);
1495 if (!has_condition(this, COND_NAT_THERE))
1496 {
1497 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1498 }
1499 if (this->my_virtual_ip)
1500 {
1501 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1502 }
1503 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1504 while (iterator->iterate(iterator, (void**)&child))
1505 {
1506 if (child->get_state(child) == CHILD_ROUTED)
1507 {
1508 route(new, child->get_config(child));
1509 }
1510 }
1511 iterator->destroy(iterator);
1512 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1513 return status;
1514 }
1515 }
1516
1517 /**
1518 * Implementation of ike_sa_t.get_id.
1519 */
1520 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1521 {
1522 return this->ike_sa_id;
1523 }
1524
1525 /**
1526 * Implementation of ike_sa_t.get_my_id.
1527 */
1528 static identification_t* get_my_id(private_ike_sa_t *this)
1529 {
1530 return this->my_id;
1531 }
1532
1533 /**
1534 * Implementation of ike_sa_t.set_my_id.
1535 */
1536 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1537 {
1538 DESTROY_IF(this->my_id);
1539 this->my_id = me;
1540 }
1541
1542 /**
1543 * Implementation of ike_sa_t.get_other_id.
1544 */
1545 static identification_t* get_other_id(private_ike_sa_t *this)
1546 {
1547 return this->other_id;
1548 }
1549
1550 /**
1551 * Implementation of ike_sa_t.set_other_id.
1552 */
1553 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1554 {
1555 DESTROY_IF(this->other_id);
1556 this->other_id = other;
1557 }
1558
1559 /**
1560 * Implementation of ike_sa_t.get_eap_identity.
1561 */
1562 static identification_t* get_eap_identity(private_ike_sa_t *this)
1563 {
1564 return this->eap_identity;
1565 }
1566
1567 /**
1568 * Implementation of ike_sa_t.set_eap_identity.
1569 */
1570 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1571 {
1572 DESTROY_IF(this->eap_identity);
1573 this->eap_identity = id;
1574 }
1575
1576 /**
1577 * Implementation of ike_sa_t.add_child_sa.
1578 */
1579 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1580 {
1581 this->child_sas->insert_last(this->child_sas, child_sa);
1582 }
1583
1584 /**
1585 * Implementation of ike_sa_t.get_child_sa.
1586 */
1587 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1588 u_int32_t spi, bool inbound)
1589 {
1590 iterator_t *iterator;
1591 child_sa_t *current, *found = NULL;
1592
1593 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1594 while (iterator->iterate(iterator, (void**)&current))
1595 {
1596 if (current->get_spi(current, inbound) == spi &&
1597 current->get_protocol(current) == protocol)
1598 {
1599 found = current;
1600 }
1601 }
1602 iterator->destroy(iterator);
1603 return found;
1604 }
1605
1606 /**
1607 * Implementation of ike_sa_t.create_child_sa_iterator.
1608 */
1609 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1610 {
1611 return this->child_sas->create_iterator(this->child_sas, TRUE);
1612 }
1613
1614 /**
1615 * Implementation of ike_sa_t.rekey_child_sa.
1616 */
1617 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1618 {
1619 child_sa_t *child_sa;
1620 child_rekey_t *child_rekey;
1621
1622 child_sa = get_child_sa(this, protocol, spi, TRUE);
1623 if (child_sa)
1624 {
1625 child_rekey = child_rekey_create(&this->public, child_sa);
1626 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1627 return this->task_manager->initiate(this->task_manager);
1628 }
1629 return FAILED;
1630 }
1631
1632 /**
1633 * Implementation of ike_sa_t.delete_child_sa.
1634 */
1635 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1636 {
1637 child_sa_t *child_sa;
1638 child_delete_t *child_delete;
1639
1640 child_sa = get_child_sa(this, protocol, spi, TRUE);
1641 if (child_sa)
1642 {
1643 child_delete = child_delete_create(&this->public, child_sa);
1644 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1645 return this->task_manager->initiate(this->task_manager);
1646 }
1647 return FAILED;
1648 }
1649
1650 /**
1651 * Implementation of ike_sa_t.destroy_child_sa.
1652 */
1653 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1654 u_int32_t spi)
1655 {
1656 iterator_t *iterator;
1657 child_sa_t *child_sa;
1658 status_t status = NOT_FOUND;
1659
1660 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1661 while (iterator->iterate(iterator, (void**)&child_sa))
1662 {
1663 if (child_sa->get_protocol(child_sa) == protocol &&
1664 child_sa->get_spi(child_sa, TRUE) == spi)
1665 {
1666 child_sa->destroy(child_sa);
1667 iterator->remove(iterator);
1668 status = SUCCESS;
1669 break;
1670 }
1671 }
1672 iterator->destroy(iterator);
1673 return status;
1674 }
1675
1676 /**
1677 * Implementation of public_ike_sa_t.delete.
1678 */
1679 static status_t delete_(private_ike_sa_t *this)
1680 {
1681 ike_delete_t *ike_delete;
1682
1683 switch (this->state)
1684 {
1685 case IKE_ESTABLISHED:
1686 case IKE_REKEYING:
1687 ike_delete = ike_delete_create(&this->public, TRUE);
1688 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1689 return this->task_manager->initiate(this->task_manager);
1690 case IKE_CREATED:
1691 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1692 break;
1693 default:
1694 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1695 "without notification", ike_sa_state_names, this->state);
1696 break;
1697 }
1698 return DESTROY_ME;
1699 }
1700
1701 /**
1702 * Implementation of ike_sa_t.rekey.
1703 */
1704 static status_t rekey(private_ike_sa_t *this)
1705 {
1706 ike_rekey_t *ike_rekey;
1707
1708 ike_rekey = ike_rekey_create(&this->public, TRUE);
1709
1710 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1711 return this->task_manager->initiate(this->task_manager);
1712 }
1713
1714 /**
1715 * Implementation of ike_sa_t.reauth
1716 */
1717 static status_t reauth(private_ike_sa_t *this)
1718 {
1719 task_t *task;
1720
1721 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1722 * If the peer does not support RFC4478, there is no way to keep the
1723 * IKE_SA up. */
1724 if (!this->ike_initiator)
1725 {
1726 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1727 if (this->other_virtual_ip != NULL ||
1728 has_condition(this, COND_EAP_AUTHENTICATED)
1729 #ifdef ME
1730 /* if we are mediation server we too cannot reauth the IKE_SA */
1731 || this->is_mediation_server
1732 #endif /* ME */
1733 )
1734 {
1735 time_t now = time(NULL);
1736
1737 DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
1738 &now, &this->stats[STAT_DELETE]);
1739 return FAILED;
1740 }
1741 else
1742 {
1743 DBG1(DBG_IKE, "reauthenticating actively");
1744 }
1745 }
1746 task = (task_t*)ike_reauth_create(&this->public);
1747 this->task_manager->queue_task(this->task_manager, task);
1748
1749 return this->task_manager->initiate(this->task_manager);
1750 }
1751
1752 /**
1753 * Implementation of ike_sa_t.reestablish
1754 */
1755 static status_t reestablish(private_ike_sa_t *this)
1756 {
1757 ike_sa_t *new;
1758 host_t *host;
1759 action_t action;
1760 iterator_t *iterator;
1761 child_sa_t *child_sa;
1762 child_cfg_t *child_cfg;
1763 bool required = FALSE;
1764 status_t status = FAILED;
1765
1766 /* check if we have children to keep up at all*/
1767 iterator = create_child_sa_iterator(this);
1768 while (iterator->iterate(iterator, (void**)&child_sa))
1769 {
1770 child_cfg = child_sa->get_config(child_sa);
1771 if (this->state == IKE_DELETING)
1772 {
1773 action = child_cfg->get_close_action(child_cfg);
1774 }
1775 else
1776 {
1777 action = child_cfg->get_dpd_action(child_cfg);
1778 }
1779 switch (action)
1780 {
1781 case ACTION_RESTART:
1782 case ACTION_ROUTE:
1783 required = TRUE;
1784 default:
1785 break;
1786 }
1787 }
1788 iterator->destroy(iterator);
1789 #ifdef ME
1790 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
1791 if (this->peer_cfg->is_mediation(this->peer_cfg))
1792 {
1793 required = TRUE;
1794 }
1795 #endif /* ME */
1796 if (!required)
1797 {
1798 return FAILED;
1799 }
1800
1801 /* check if we are able to reestablish this IKE_SA */
1802 if (!this->ike_initiator &&
1803 (this->other_virtual_ip != NULL ||
1804 has_condition(this, COND_EAP_AUTHENTICATED)
1805 #ifdef ME
1806 || this->is_mediation_server
1807 #endif /* ME */
1808 ))
1809 {
1810 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
1811 return FAILED;
1812 }
1813
1814 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1815 new->set_peer_cfg(new, this->peer_cfg);
1816 host = this->other_host;
1817 new->set_other_host(new, host->clone(host));
1818 host = this->my_host;
1819 new->set_my_host(new, host->clone(host));
1820 /* if we already have a virtual IP, we reuse it */
1821 host = this->my_virtual_ip;
1822 if (host)
1823 {
1824 new->set_virtual_ip(new, TRUE, host);
1825 }
1826
1827 #ifdef ME
1828 if (this->peer_cfg->is_mediation(this->peer_cfg))
1829 {
1830 status = new->initiate(new, NULL);
1831 }
1832 else
1833 #endif /* ME */
1834 {
1835 iterator = create_child_sa_iterator(this);
1836 while (iterator->iterate(iterator, (void**)&child_sa))
1837 {
1838 child_cfg = child_sa->get_config(child_sa);
1839 if (this->state == IKE_DELETING)
1840 {
1841 action = child_cfg->get_close_action(child_cfg);
1842 }
1843 else
1844 {
1845 action = child_cfg->get_dpd_action(child_cfg);
1846 }
1847 switch (action)
1848 {
1849 case ACTION_RESTART:
1850 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1851 child_cfg->get_name(child_cfg));
1852 child_cfg->get_ref(child_cfg);
1853 status = new->initiate(new, child_cfg);
1854 break;
1855 case ACTION_ROUTE:
1856 status = new->route(new, child_cfg);
1857 break;
1858 default:
1859 continue;
1860 }
1861 if (status == DESTROY_ME)
1862 {
1863 break;
1864 }
1865 }
1866 iterator->destroy(iterator);
1867 }
1868
1869 if (status == DESTROY_ME)
1870 {
1871 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1872 return FAILED;
1873 }
1874 else
1875 {
1876 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1877 return SUCCESS;
1878 }
1879 }
1880
1881 /**
1882 * Implementation of ike_sa_t.retransmit.
1883 */
1884 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1885 {
1886 this->stats[STAT_OUTBOUND] = time(NULL);
1887 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1888 {
1889 /* send a proper signal to brief interested bus listeners */
1890 switch (this->state)
1891 {
1892 case IKE_CONNECTING:
1893 {
1894 /* retry IKE_SA_INIT if we have multiple keyingtries */
1895 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1896 this->keyingtry++;
1897 if (tries == 0 || tries > this->keyingtry)
1898 {
1899 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1900 this->keyingtry + 1, tries);
1901 reset(this);
1902 return this->task_manager->initiate(this->task_manager);
1903 }
1904 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1905 break;
1906 }
1907 case IKE_DELETING:
1908 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1909 break;
1910 case IKE_REKEYING:
1911 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1912 /* FALL */
1913 default:
1914 reestablish(this);
1915 break;
1916 }
1917 return DESTROY_ME;
1918 }
1919 return SUCCESS;
1920 }
1921
1922 /**
1923 * Implementation of ike_sa_t.set_auth_lifetime.
1924 */
1925 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1926 {
1927 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1928 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
1929
1930 if (lifetime < reduction)
1931 {
1932 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1933 lifetime);
1934 charon->processor->queue_job(charon->processor,
1935 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1936 }
1937 else if (this->stats[STAT_REAUTH] == 0 ||
1938 this->stats[STAT_REAUTH] > reauth_time)
1939 {
1940 this->stats[STAT_REAUTH] = reauth_time;
1941 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1942 " in %ds", lifetime, lifetime - reduction);
1943 charon->scheduler->schedule_job(charon->scheduler,
1944 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1945 (lifetime - reduction) * 1000);
1946 }
1947 else
1948 {
1949 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
1950 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
1951 }
1952 }
1953
1954 /**
1955 * Implementation of ike_sa_t.roam.
1956 */
1957 static status_t roam(private_ike_sa_t *this, bool address)
1958 {
1959 host_t *src;
1960 ike_mobike_t *mobike;
1961
1962 switch (this->state)
1963 {
1964 case IKE_CREATED:
1965 case IKE_DELETING:
1966 return SUCCESS;
1967 default:
1968 break;
1969 }
1970 /* responder just updates the peer about changed address config */
1971 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
1972 {
1973 if (supports_extension(this, EXT_MOBIKE) && address)
1974 {
1975 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1976 mobike = ike_mobike_create(&this->public, TRUE);
1977 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1978 return this->task_manager->initiate(this->task_manager);
1979 }
1980 return SUCCESS;
1981 }
1982
1983 /* keep existing path if possible */
1984 src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
1985 this->other_host, this->my_host);
1986 if (src)
1987 {
1988 if (src->ip_equals(src, this->my_host))
1989 {
1990 DBG2(DBG_IKE, "keeping connection path %H - %H",
1991 src, this->other_host);
1992 src->destroy(src);
1993 return SUCCESS;
1994 }
1995 src->destroy(src);
1996 }
1997
1998 /* update addresses with mobike, if supported ... */
1999 if (supports_extension(this, EXT_MOBIKE))
2000 {
2001 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2002 mobike = ike_mobike_create(&this->public, TRUE);
2003 mobike->roam(mobike, address);
2004 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2005 return this->task_manager->initiate(this->task_manager);
2006 }
2007 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2008 /* ... reauth if not */
2009 return reauth(this);
2010 }
2011
2012 /**
2013 * Implementation of ike_sa_t.inherit.
2014 */
2015 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2016 {
2017 child_sa_t *child_sa;
2018 host_t *ip;
2019
2020 /* apply hosts and ids */
2021 this->my_host->destroy(this->my_host);
2022 this->other_host->destroy(this->other_host);
2023 this->my_id->destroy(this->my_id);
2024 this->other_id->destroy(this->other_id);
2025 this->my_host = other->my_host->clone(other->my_host);
2026 this->other_host = other->other_host->clone(other->other_host);
2027 this->my_id = other->my_id->clone(other->my_id);
2028 this->other_id = other->other_id->clone(other->other_id);
2029 this->ike_initiator = other->ike_initiator;
2030
2031 /* apply virtual assigned IPs... */
2032 if (other->my_virtual_ip)
2033 {
2034 this->my_virtual_ip = other->my_virtual_ip;
2035 other->my_virtual_ip = NULL;
2036 }
2037 if (other->other_virtual_ip)
2038 {
2039 this->other_virtual_ip = other->other_virtual_ip;
2040 other->other_virtual_ip = NULL;
2041 }
2042
2043 /* ... and DNS servers */
2044 while (other->dns_servers->remove_last(other->dns_servers,
2045 (void**)&ip) == SUCCESS)
2046 {
2047 this->dns_servers->insert_first(this->dns_servers, ip);
2048 }
2049
2050 /* inherit NAT-T conditions */
2051 this->conditions = other->conditions;
2052 if (this->conditions & COND_NAT_HERE)
2053 {
2054 send_keepalive(this);
2055 }
2056
2057 #ifdef ME
2058 if (other->is_mediation_server)
2059 {
2060 act_as_mediation_server(this);
2061 }
2062 else if (other->server_reflexive_host)
2063 {
2064 this->server_reflexive_host = other->server_reflexive_host->clone(
2065 other->server_reflexive_host);
2066 }
2067 #endif /* ME */
2068
2069 /* adopt all children */
2070 while (other->child_sas->remove_last(other->child_sas,
2071 (void**)&child_sa) == SUCCESS)
2072 {
2073 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2074 }
2075
2076 /* move pending tasks to the new IKE_SA */
2077 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2078
2079 /* reauthentication timeout survives a rekeying */
2080 if (other->stats[STAT_REAUTH])
2081 {
2082 time_t reauth, delete, now = time(NULL);
2083
2084 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2085 reauth = this->stats[STAT_REAUTH] - now;
2086 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2087 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2088 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2089 "lifetime reduced to %ds", reauth, delete);
2090 charon->scheduler->schedule_job(charon->scheduler,
2091 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2092 reauth * 1000);
2093 charon->scheduler->schedule_job(charon->scheduler,
2094 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2095 delete * 1000);
2096 }
2097 /* we have to initate here, there may be new tasks to handle */
2098 return this->task_manager->initiate(this->task_manager);
2099 }
2100
2101 /**
2102 * Implementation of ike_sa_t.remove_dns_server
2103 */
2104 static void remove_dns_servers(private_ike_sa_t *this)
2105 {
2106 FILE *file;
2107 struct stat stats;
2108 chunk_t contents, line, orig_line, token;
2109 char string[INET6_ADDRSTRLEN];
2110 host_t *ip;
2111 iterator_t *iterator;
2112
2113 if (this->dns_servers->get_count(this->dns_servers) == 0)
2114 {
2115 /* don't touch anything if we have no nameservers installed */
2116 return;
2117 }
2118
2119 file = fopen(RESOLV_CONF, "r");
2120 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2121 {
2122 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2123 RESOLV_CONF, strerror(errno));
2124 return;
2125 }
2126
2127 contents = chunk_alloca((size_t)stats.st_size);
2128
2129 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2130 {
2131 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2132 fclose(file);
2133 return;
2134 }
2135
2136 fclose(file);
2137 file = fopen(RESOLV_CONF, "w");
2138 if (file == NULL)
2139 {
2140 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2141 RESOLV_CONF, strerror(errno));
2142 return;
2143 }
2144
2145 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2146 while (fetchline(&contents, &line))
2147 {
2148 bool found = FALSE;
2149 orig_line = line;
2150 if (extract_token(&token, ' ', &line) &&
2151 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2152 {
2153 if (!extract_token(&token, ' ', &line))
2154 {
2155 token = line;
2156 }
2157 iterator->reset(iterator);
2158 while (iterator->iterate(iterator, (void**)&ip))
2159 {
2160 snprintf(string, sizeof(string), "%H", ip);
2161 if (strlen(string) == token.len &&
2162 strncmp(token.ptr, string, token.len) == 0)
2163 {
2164 iterator->remove(iterator);
2165 ip->destroy(ip);
2166 found = TRUE;
2167 break;
2168 }
2169 }
2170 }
2171
2172 if (!found)
2173 {
2174 /* write line untouched back to file */
2175 fwrite(orig_line.ptr, orig_line.len, 1, file);
2176 fprintf(file, "\n");
2177 }
2178 }
2179 iterator->destroy(iterator);
2180 fclose(file);
2181 }
2182
2183 /**
2184 * Implementation of ike_sa_t.add_dns_server
2185 */
2186 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2187 {
2188 FILE *file;
2189 struct stat stats;
2190 chunk_t contents;
2191
2192 DBG1(DBG_IKE, "installing DNS server %H", dns);
2193
2194 file = fopen(RESOLV_CONF, "a+");
2195 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2196 {
2197 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2198 RESOLV_CONF, strerror(errno));
2199 return;
2200 }
2201
2202 contents = chunk_alloca(stats.st_size);
2203
2204 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2205 {
2206 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2207 fclose(file);
2208 return;
2209 }
2210
2211 fclose(file);
2212 file = fopen(RESOLV_CONF, "w");
2213 if (file == NULL)
2214 {
2215 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2216 RESOLV_CONF, strerror(errno));
2217 return;
2218 }
2219
2220 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2221 dns, this->other_id) < 0)
2222 {
2223 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2224 }
2225 else
2226 {
2227 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2228 }
2229 fwrite(contents.ptr, contents.len, 1, file);
2230
2231 fclose(file);
2232 }
2233
2234 /**
2235 * Implementation of ike_sa_t.destroy.
2236 */
2237 static void destroy(private_ike_sa_t *this)
2238 {
2239 set_state(this, IKE_DESTROYING);
2240
2241 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2242
2243 /* unset SA after here to avoid usage by the listeners */
2244 charon->bus->set_sa(charon->bus, NULL);
2245
2246 this->task_manager->destroy(this->task_manager);
2247 this->keymat->destroy(this->keymat);
2248
2249 if (this->my_virtual_ip)
2250 {
2251 charon->kernel_interface->del_ip(charon->kernel_interface,
2252 this->my_virtual_ip);
2253 this->my_virtual_ip->destroy(this->my_virtual_ip);
2254 }
2255 if (this->other_virtual_ip)
2256 {
2257 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2258 {
2259 charon->attributes->release_address(charon->attributes,
2260 this->peer_cfg->get_pool(this->peer_cfg),
2261 this->other_virtual_ip);
2262 }
2263 this->other_virtual_ip->destroy(this->other_virtual_ip);
2264 }
2265
2266 remove_dns_servers(this);
2267 this->dns_servers->destroy_offset(this->dns_servers,
2268 offsetof(host_t, destroy));
2269 this->additional_addresses->destroy_offset(this->additional_addresses,
2270 offsetof(host_t, destroy));
2271 #ifdef ME
2272 if (this->is_mediation_server)
2273 {
2274 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2275 }
2276 DESTROY_IF(this->server_reflexive_host);
2277 chunk_free(&this->connect_id);
2278 #endif /* ME */
2279 free(this->nat_detection_dest.ptr);
2280
2281 DESTROY_IF(this->my_host);
2282 DESTROY_IF(this->other_host);
2283 DESTROY_IF(this->my_id);
2284 DESTROY_IF(this->other_id);
2285 DESTROY_IF(this->local_host);
2286 DESTROY_IF(this->remote_host);
2287 DESTROY_IF(this->eap_identity);
2288
2289 DESTROY_IF(this->ike_cfg);
2290 DESTROY_IF(this->peer_cfg);
2291 DESTROY_IF(this->my_auth);
2292 DESTROY_IF(this->other_auth);
2293 DESTROY_IF(this->proposal);
2294
2295 this->ike_sa_id->destroy(this->ike_sa_id);
2296 free(this);
2297 }
2298
2299 /*
2300 * Described in header.
2301 */
2302 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2303 {
2304 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2305 static u_int32_t unique_id = 0;
2306
2307 /* Public functions */
2308 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2309 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2310 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2311 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2312 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2313 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2314 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2315 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2316 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2317 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2318 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2319 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2320 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2321 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2322 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2323 this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
2324 this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
2325 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2326 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2327 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2328 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2329 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2330 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2331 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2332 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2333 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2334 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2335 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2336 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2337 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2338 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2339 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2340 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2341 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2342 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2343 this->public.is_ike_initiator = (bool (*)(ike_sa_t*))is_ike_initiator;
2344 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2345 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2346 this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
2347 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2348 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2349 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2350 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2351 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2352 this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
2353 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2354 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2355 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2356 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2357 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2358 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2359 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2360 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2361 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2362 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2363 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2364 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2365 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2366 this->public.reset = (void (*)(ike_sa_t*))reset;
2367 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2368 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2369 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2370 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2371 this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
2372 #ifdef ME
2373 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2374 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2375 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2376 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2377 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2378 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2379 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2380 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2381 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2382 #endif /* ME */
2383
2384 /* initialize private fields */
2385 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2386 this->child_sas = linked_list_create();
2387 this->my_host = host_create_any(AF_INET);
2388 this->other_host = host_create_any(AF_INET);
2389 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2390 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2391 this->eap_identity = NULL;
2392 this->extensions = 0;
2393 this->conditions = 0;
2394 this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
2395 this->state = IKE_CREATED;
2396 this->keepalive_interval = lib->settings->get_time(lib->settings,
2397 "charon.keep_alive", KEEPALIVE_INTERVAL);
2398 memset(this->stats, 0, sizeof(this->stats));
2399 this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
2400 this->ike_cfg = NULL;
2401 this->peer_cfg = NULL;
2402 this->my_auth = auth_info_create();
2403 this->other_auth = auth_info_create();
2404 this->proposal = NULL;
2405 this->task_manager = task_manager_create(&this->public);
2406 this->unique_id = ++unique_id;
2407 this->my_virtual_ip = NULL;
2408 this->other_virtual_ip = NULL;
2409 this->dns_servers = linked_list_create();
2410 this->additional_addresses = linked_list_create();
2411 this->nat_detection_dest = chunk_empty;
2412 this->pending_updates = 0;
2413 this->keyingtry = 0;
2414 this->ike_initiator = FALSE;
2415 this->local_host = NULL;
2416 this->remote_host = NULL;
2417 #ifdef ME
2418 this->is_mediation_server = FALSE;
2419 this->server_reflexive_host = NULL;
2420 this->connect_id = chunk_empty;
2421 #endif /* ME */
2422
2423 return &this->public;
2424 }