NAT-T conditions were not inherited during IKE_SA rekeying
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Tobias Brunner
10 * Copyright (C) 2006 Daniel Roethlisberger
11 * Copyright (C) 2005-2006 Martin Willi
12 * Copyright (C) 2005 Jan Hutter
13 * Hochschule fuer Technik Rapperswil
14 *
15 * This program is free software; you can redistribute it and/or modify it
16 * under the terms of the GNU General Public License as published by the
17 * Free Software Foundation; either version 2 of the License, or (at your
18 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
19 *
20 * This program is distributed in the hope that it will be useful, but
21 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
22 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
23 * for more details.
24 */
25
26 #include <sys/time.h>
27 #include <string.h>
28 #include <printf.h>
29 #include <sys/stat.h>
30 #include <errno.h>
31
32 #include "ike_sa.h"
33
34 #include <library.h>
35 #include <daemon.h>
36 #include <utils/linked_list.h>
37 #include <utils/lexparser.h>
38 #include <crypto/diffie_hellman.h>
39 #include <crypto/prf_plus.h>
40 #include <crypto/crypters/crypter.h>
41 #include <crypto/hashers/hasher.h>
42 #include <encoding/payloads/sa_payload.h>
43 #include <encoding/payloads/nonce_payload.h>
44 #include <encoding/payloads/ke_payload.h>
45 #include <encoding/payloads/delete_payload.h>
46 #include <encoding/payloads/transform_substructure.h>
47 #include <encoding/payloads/transform_attribute.h>
48 #include <encoding/payloads/ts_payload.h>
49 #include <sa/task_manager.h>
50 #include <sa/tasks/ike_init.h>
51 #include <sa/tasks/ike_natd.h>
52 #include <sa/tasks/ike_mobike.h>
53 #include <sa/tasks/ike_auth.h>
54 #include <sa/tasks/ike_auth_lifetime.h>
55 #include <sa/tasks/ike_config.h>
56 #include <sa/tasks/ike_cert.h>
57 #include <sa/tasks/ike_rekey.h>
58 #include <sa/tasks/ike_reauth.h>
59 #include <sa/tasks/ike_delete.h>
60 #include <sa/tasks/ike_dpd.h>
61 #include <sa/tasks/child_create.h>
62 #include <sa/tasks/child_delete.h>
63 #include <sa/tasks/child_rekey.h>
64 #include <processing/jobs/retransmit_job.h>
65 #include <processing/jobs/delete_ike_sa_job.h>
66 #include <processing/jobs/send_dpd_job.h>
67 #include <processing/jobs/send_keepalive_job.h>
68 #include <processing/jobs/rekey_ike_sa_job.h>
69
70 #ifdef P2P
71 #include <sa/tasks/ike_p2p.h>
72 #include <processing/jobs/initiate_mediation_job.h>
73 #endif
74
75 #ifndef RESOLV_CONF
76 #define RESOLV_CONF "/etc/resolv.conf"
77 #endif
78
79 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
80 "CREATED",
81 "CONNECTING",
82 "ESTABLISHED",
83 "REKEYING",
84 "DELETING",
85 );
86
87 typedef struct private_ike_sa_t private_ike_sa_t;
88
89 /**
90 * Private data of an ike_sa_t object.
91 */
92 struct private_ike_sa_t {
93
94 /**
95 * Public members
96 */
97 ike_sa_t public;
98
99 /**
100 * Identifier for the current IKE_SA.
101 */
102 ike_sa_id_t *ike_sa_id;
103
104 /**
105 * unique numerical ID for this IKE_SA.
106 */
107 u_int32_t unique_id;
108
109 /**
110 * Current state of the IKE_SA
111 */
112 ike_sa_state_t state;
113
114 /**
115 * IKE configuration used to set up this IKE_SA
116 */
117 ike_cfg_t *ike_cfg;
118
119 /**
120 * Peer and authentication information to establish IKE_SA.
121 */
122 peer_cfg_t *peer_cfg;
123
124 /**
125 * Juggles tasks to process messages
126 */
127 task_manager_t *task_manager;
128
129 /**
130 * Address of local host
131 */
132 host_t *my_host;
133
134 /**
135 * Address of remote host
136 */
137 host_t *other_host;
138
139 #ifdef P2P
140 /**
141 * Server reflexive host
142 */
143 host_t *server_reflexive_host;
144 #endif /* P2P */
145
146 /**
147 * Identification used for us
148 */
149 identification_t *my_id;
150
151 /**
152 * Identification used for other
153 */
154 identification_t *other_id;
155
156 /**
157 * CA that issued the certificate of other
158 */
159 ca_info_t *other_ca;
160
161 /**
162 * set of extensions the peer supports
163 */
164 ike_extension_t extensions;
165
166 /**
167 * set of condition flags currently enabled for this IKE_SA
168 */
169 ike_condition_t conditions;
170
171 /**
172 * Linked List containing the child sa's of the current IKE_SA.
173 */
174 linked_list_t *child_sas;
175
176 /**
177 * crypter for inbound traffic
178 */
179 crypter_t *crypter_in;
180
181 /**
182 * crypter for outbound traffic
183 */
184 crypter_t *crypter_out;
185
186 /**
187 * Signer for inbound traffic
188 */
189 signer_t *signer_in;
190
191 /**
192 * Signer for outbound traffic
193 */
194 signer_t *signer_out;
195
196 /**
197 * Multi purpose prf, set key, use it, forget it
198 */
199 prf_t *prf;
200
201 /**
202 * Prf function for derivating keymat child SAs
203 */
204 prf_t *child_prf;
205
206 /**
207 * Key to build outging authentication data (SKp)
208 */
209 chunk_t skp_build;
210
211 /**
212 * Key to verify incoming authentication data (SKp)
213 */
214 chunk_t skp_verify;
215
216 /**
217 * Virtual IP on local host, if any
218 */
219 host_t *my_virtual_ip;
220
221 /**
222 * Virtual IP on remote host, if any
223 */
224 host_t *other_virtual_ip;
225
226 /**
227 * List of DNS servers installed by us
228 */
229 linked_list_t *dns_servers;
230
231 /**
232 * list of peers additional addresses, transmitted via MOBIKE
233 */
234 linked_list_t *additional_addresses;
235
236 /**
237 * number pending UPDATE_SA_ADDRESS (MOBIKE)
238 */
239 u_int32_t pending_updates;
240
241 /**
242 * Timestamps for this IKE_SA
243 */
244 struct {
245 /** last IKE message received */
246 u_int32_t inbound;
247 /** last IKE message sent */
248 u_int32_t outbound;
249 /** when IKE_SA became established */
250 u_int32_t established;
251 /** when IKE_SA gets rekeyed */
252 u_int32_t rekey;
253 /** when IKE_SA gets reauthenticated */
254 u_int32_t reauth;
255 /** when IKE_SA gets deleted */
256 u_int32_t delete;
257 } time;
258
259 /**
260 * how many times we have retried so far (keyingtries)
261 */
262 u_int32_t keyingtry;
263
264 /**
265 * are we the initiator of this IKE_SA (rekeying does not affect this flag)
266 */
267 bool ike_initiator;
268 };
269
270 /**
271 * get the time of the latest traffic processed by the kernel
272 */
273 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
274 {
275 iterator_t *iterator;
276 child_sa_t *child_sa;
277 time_t latest = 0, use_time;
278
279 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
280 while (iterator->iterate(iterator, (void**)&child_sa))
281 {
282 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
283 {
284 latest = max(latest, use_time);
285 }
286 }
287 iterator->destroy(iterator);
288
289 if (inbound)
290 {
291 return max(this->time.inbound, latest);
292 }
293 else
294 {
295 return max(this->time.outbound, latest);
296 }
297 }
298
299 /**
300 * Implementation of ike_sa_t.get_unique_id
301 */
302 static u_int32_t get_unique_id(private_ike_sa_t *this)
303 {
304 return this->unique_id;
305 }
306
307 /**
308 * Implementation of ike_sa_t.get_name.
309 */
310 static char *get_name(private_ike_sa_t *this)
311 {
312 if (this->peer_cfg)
313 {
314 return this->peer_cfg->get_name(this->peer_cfg);
315 }
316 return "(unnamed)";
317 }
318
319 /**
320 * Implementation of ike_sa_t.get_statistic.
321 */
322 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
323 {
324 time_t now = time(NULL);
325
326 switch (kind)
327 {
328 case STAT_REKEY_TIME:
329 if (this->time.rekey > now)
330 {
331 return this->time.rekey - now;
332 }
333 break;
334 case STAT_REAUTH_TIME:
335 if (this->time.reauth > now)
336 {
337 return this->time.reauth - now;
338 }
339 break;
340 default:
341 break;
342 }
343 return 0;
344 }
345
346 /**
347 * Implementation of ike_sa_t.get_my_host.
348 */
349 static host_t *get_my_host(private_ike_sa_t *this)
350 {
351 return this->my_host;
352 }
353
354 /**
355 * Implementation of ike_sa_t.set_my_host.
356 */
357 static void set_my_host(private_ike_sa_t *this, host_t *me)
358 {
359 DESTROY_IF(this->my_host);
360 this->my_host = me;
361 }
362
363 /**
364 * Implementation of ike_sa_t.get_other_host.
365 */
366 static host_t *get_other_host(private_ike_sa_t *this)
367 {
368 return this->other_host;
369 }
370
371 /**
372 * Implementation of ike_sa_t.set_other_host.
373 */
374 static void set_other_host(private_ike_sa_t *this, host_t *other)
375 {
376 DESTROY_IF(this->other_host);
377 this->other_host = other;
378 }
379
380 /**
381 * Implementation of ike_sa_t.get_peer_cfg
382 */
383 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
384 {
385 return this->peer_cfg;
386 }
387
388 /**
389 * Implementation of ike_sa_t.set_peer_cfg
390 */
391 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
392 {
393 peer_cfg->get_ref(peer_cfg);
394 this->peer_cfg = peer_cfg;
395
396 if (this->ike_cfg == NULL)
397 {
398 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
399 this->ike_cfg->get_ref(this->ike_cfg);
400 }
401
402 /* apply values, so we are ready to initate/acquire */
403 if (this->my_host->is_anyaddr(this->my_host))
404 {
405 host_t *me = this->ike_cfg->get_my_host(this->ike_cfg);
406 set_my_host(this, me->clone(me));
407 }
408 if (this->other_host->is_anyaddr(this->other_host))
409 {
410 host_t *other = this->ike_cfg->get_other_host(this->ike_cfg);
411 set_other_host(this, other->clone(other));
412 }
413 /* apply IDs if they are not already set */
414 if (this->my_id->contains_wildcards(this->my_id))
415 {
416 DESTROY_IF(this->my_id);
417 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
418 this->my_id = this->my_id->clone(this->my_id);
419 }
420 if (this->other_id->contains_wildcards(this->other_id))
421 {
422 DESTROY_IF(this->other_id);
423 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
424 this->other_id = this->other_id->clone(this->other_id);
425 }
426 }
427
428 /**
429 * Implementation of ike_sa_t.send_keepalive
430 */
431 static void send_keepalive(private_ike_sa_t *this)
432 {
433 send_keepalive_job_t *job;
434 time_t last_out, now, diff;
435
436 if (!(this->conditions & COND_NAT_HERE))
437 { /* disable keep alives if we are not NATed anymore */
438 return;
439 }
440
441 last_out = get_use_time(this, FALSE);
442 now = time(NULL);
443
444 diff = now - last_out;
445
446 if (diff >= KEEPALIVE_INTERVAL)
447 {
448 packet_t *packet;
449 chunk_t data;
450
451 packet = packet_create();
452 packet->set_source(packet, this->my_host->clone(this->my_host));
453 packet->set_destination(packet, this->other_host->clone(this->other_host));
454 data.ptr = malloc(1);
455 data.ptr[0] = 0xFF;
456 data.len = 1;
457 packet->set_data(packet, data);
458 DBG1(DBG_IKE, "sending keep alive");
459 charon->sender->send(charon->sender, packet);
460 diff = 0;
461 }
462 job = send_keepalive_job_create(this->ike_sa_id);
463 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
464 (KEEPALIVE_INTERVAL - diff) * 1000);
465 }
466
467 /**
468 * Implementation of ike_sa_t.get_ike_cfg
469 */
470 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
471 {
472 return this->ike_cfg;
473 }
474
475 /**
476 * Implementation of ike_sa_t.set_ike_cfg
477 */
478 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
479 {
480 ike_cfg->get_ref(ike_cfg);
481 this->ike_cfg = ike_cfg;
482 }
483 /**
484 * Implementation of ike_sa_t.enable_extension.
485 */
486 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
487 {
488 this->extensions |= extension;
489 }
490
491 /**
492 * Implementation of ike_sa_t.has_extension.
493 */
494 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
495 {
496 return (this->extensions & extension) != FALSE;
497 }
498
499 /**
500 * Implementation of ike_sa_t.has_condition.
501 */
502 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
503 {
504 return (this->conditions & condition) != FALSE;
505 }
506
507 /**
508 * Implementation of ike_sa_t.enable_condition.
509 */
510 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
511 bool enable)
512 {
513 if (has_condition(this, condition) != enable)
514 {
515 if (enable)
516 {
517 this->conditions |= condition;
518 switch (condition)
519 {
520 case COND_NAT_HERE:
521 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
522 this->conditions |= COND_NAT_ANY;
523 send_keepalive(this);
524 break;
525 case COND_NAT_THERE:
526 DBG1(DBG_IKE, "remote host is behind NAT");
527 this->conditions |= COND_NAT_ANY;
528 break;
529 case COND_NAT_FAKE:
530 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
531 this->conditions |= COND_NAT_ANY;
532 break;
533 default:
534 break;
535 }
536 }
537 else
538 {
539 this->conditions &= ~condition;
540 switch (condition)
541 {
542 case COND_NAT_HERE:
543 case COND_NAT_FAKE:
544 case COND_NAT_THERE:
545 set_condition(this, COND_NAT_ANY,
546 has_condition(this, COND_NAT_HERE) ||
547 has_condition(this, COND_NAT_THERE) ||
548 has_condition(this, COND_NAT_FAKE));
549 break;
550 default:
551 break;
552 }
553 }
554 }
555 }
556
557 /**
558 * Implementation of ike_sa_t.send_dpd
559 */
560 static status_t send_dpd(private_ike_sa_t *this)
561 {
562 send_dpd_job_t *job;
563 time_t diff, delay;
564
565 delay = this->peer_cfg->get_dpd_delay(this->peer_cfg);
566
567 if (delay == 0)
568 {
569 /* DPD disabled */
570 return SUCCESS;
571 }
572
573 if (this->task_manager->busy(this->task_manager))
574 {
575 /* an exchange is in the air, no need to start a DPD check */
576 diff = 0;
577 }
578 else
579 {
580 /* check if there was any inbound traffic */
581 time_t last_in, now;
582 last_in = get_use_time(this, TRUE);
583 now = time(NULL);
584 diff = now - last_in;
585 if (diff >= delay)
586 {
587 /* to long ago, initiate dead peer detection */
588 task_t *task;
589
590 task = (task_t*)ike_dpd_create(TRUE);
591 diff = 0;
592 DBG1(DBG_IKE, "sending DPD request");
593
594 this->task_manager->queue_task(this->task_manager, task);
595 this->task_manager->initiate(this->task_manager);
596 }
597 }
598 /* recheck in "interval" seconds */
599 job = send_dpd_job_create(this->ike_sa_id);
600 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
601 (delay - diff) * 1000);
602 return SUCCESS;
603 }
604
605 /**
606 * Implementation of ike_sa_t.get_state.
607 */
608 static ike_sa_state_t get_state(private_ike_sa_t *this)
609 {
610 return this->state;
611 }
612
613 /**
614 * Implementation of ike_sa_t.set_state.
615 */
616 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
617 {
618 DBG1(DBG_IKE, "IKE_SA '%s' state change: %N => %N",
619 get_name(this),
620 ike_sa_state_names, this->state,
621 ike_sa_state_names, state);
622
623 switch (state)
624 {
625 case IKE_ESTABLISHED:
626 {
627 if (this->state == IKE_CONNECTING)
628 {
629 job_t *job;
630 u_int32_t t;
631
632 /* calculate rekey, reauth and lifetime */
633 this->time.established = time(NULL);
634
635 /* schedule rekeying if we have a time which is smaller than
636 * an already scheduled rekeying */
637 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
638 if (t && (this->time.rekey == 0 ||
639 (this->time.rekey > t + this->time.established)))
640 {
641 this->time.rekey = t + this->time.established;
642 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
643 charon->scheduler->schedule_job(charon->scheduler,
644 job, t * 1000);
645 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
646 }
647 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
648 if (t && (this->time.reauth == 0 ||
649 (this->time.reauth > t + this->time.established)))
650 {
651 this->time.reauth = t + this->time.established;
652 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
653 charon->scheduler->schedule_job(charon->scheduler,
654 job, t * 1000);
655 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
656 }
657 t = this->peer_cfg->get_over_time(this->peer_cfg);
658 if (this->time.rekey || this->time.reauth)
659 {
660 if (this->time.reauth == 0)
661 {
662 this->time.delete = this->time.rekey;
663 }
664 else if (this->time.rekey == 0)
665 {
666 this->time.delete = this->time.reauth;
667 }
668 else
669 {
670 this->time.delete = min(this->time.rekey, this->time.reauth);
671 }
672 this->time.delete += t;
673 t = this->time.delete - this->time.established;
674 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
675 charon->scheduler->schedule_job(charon->scheduler, job,
676 t * 1000);
677 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
678 }
679
680 /* start DPD checks */
681 send_dpd(this);
682 }
683 break;
684 }
685 case IKE_DELETING:
686 {
687 /* delete may fail if a packet gets lost, so set a timeout */
688 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
689 charon->scheduler->schedule_job(charon->scheduler, job,
690 HALF_OPEN_IKE_SA_TIMEOUT);
691 break;
692 }
693 default:
694 break;
695 }
696
697 this->state = state;
698 }
699
700 /**
701 * Implementation of ike_sa_t.reset
702 */
703 static void reset(private_ike_sa_t *this)
704 {
705 /* the responder ID is reset, as peer may choose another one */
706 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
707 {
708 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
709 }
710
711 set_state(this, IKE_CREATED);
712
713 this->task_manager->reset(this->task_manager);
714 }
715
716 /**
717 * Implementation of ike_sa_t.set_virtual_ip
718 */
719 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
720 {
721 if (local)
722 {
723 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
724 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
725 this->my_host) == SUCCESS)
726 {
727 if (this->my_virtual_ip)
728 {
729 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
730 charon->kernel_interface->del_ip(charon->kernel_interface,
731 this->my_virtual_ip);
732 }
733 DESTROY_IF(this->my_virtual_ip);
734 this->my_virtual_ip = ip->clone(ip);
735 }
736 else
737 {
738 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
739 this->my_virtual_ip = NULL;
740 }
741 }
742 else
743 {
744 DESTROY_IF(this->other_virtual_ip);
745 this->other_virtual_ip = ip->clone(ip);
746 }
747 }
748
749 /**
750 * Implementation of ike_sa_t.get_virtual_ip
751 */
752 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
753 {
754 if (local)
755 {
756 return this->my_virtual_ip;
757 }
758 else
759 {
760 return this->other_virtual_ip;
761 }
762 }
763
764 /**
765 * Implementation of ike_sa_t.add_additional_address.
766 */
767 static void add_additional_address(private_ike_sa_t *this, host_t *host)
768 {
769 this->additional_addresses->insert_last(this->additional_addresses, host);
770 }
771
772 /**
773 * Implementation of ike_sa_t.create_additional_address_iterator.
774 */
775 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
776 {
777 return this->additional_addresses->create_iterator(
778 this->additional_addresses, TRUE);
779 }
780
781 /**
782 * Implementation of ike_sa_t.set_pending_updates.
783 */
784 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
785 {
786 this->pending_updates = updates;
787 }
788
789 /**
790 * Implementation of ike_sa_t.get_pending_updates.
791 */
792 static u_int32_t get_pending_updates(private_ike_sa_t *this)
793 {
794 return this->pending_updates;
795 }
796
797 /**
798 * Update hosts, as addresses may change (NAT)
799 */
800 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
801 {
802 bool update = FALSE;
803
804 if (supports_extension(this, EXT_MOBIKE))
805 { /* if peer speaks mobike, address updates are explicit only */
806 return;
807 }
808
809 if (me == NULL)
810 {
811 me = this->my_host;
812 }
813 if (other == NULL)
814 {
815 other = this->other_host;
816 }
817
818 /* apply hosts on first received message */
819 if (this->my_host->is_anyaddr(this->my_host) ||
820 this->other_host->is_anyaddr(this->other_host))
821 {
822 set_my_host(this, me->clone(me));
823 set_other_host(this, other->clone(other));
824 update = TRUE;
825 }
826 else
827 {
828 /* update our address in any case */
829 if (!me->equals(me, this->my_host))
830 {
831 set_my_host(this, me->clone(me));
832 update = TRUE;
833 }
834
835 if (!other->equals(other, this->other_host))
836 {
837 /* update others adress if we are NOT NATed,
838 * and allow port changes if we are NATed */
839 if (!has_condition(this, COND_NAT_HERE) ||
840 other->ip_equals(other, this->other_host))
841 {
842 set_other_host(this, other->clone(other));
843 update = TRUE;
844 }
845 }
846 }
847
848 /* update all associated CHILD_SAs, if required */
849 if (update)
850 {
851 iterator_t *iterator;
852 child_sa_t *child_sa;
853
854 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
855 while (iterator->iterate(iterator, (void**)&child_sa))
856 {
857 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
858 has_condition(this, COND_NAT_ANY));
859 }
860 iterator->destroy(iterator);
861 }
862 }
863
864 /**
865 * Implementation of ike_sa_t.generate
866 */
867 static status_t generate_message(private_ike_sa_t *this, message_t *message,
868 packet_t **packet)
869 {
870 this->time.outbound = time(NULL);
871 message->set_ike_sa_id(message, this->ike_sa_id);
872 return message->generate(message, this->crypter_out, this->signer_out, packet);
873 }
874
875 /**
876 * send a notify back to the sender
877 */
878 static void send_notify_response(private_ike_sa_t *this, message_t *request,
879 notify_type_t type)
880 {
881 message_t *response;
882 packet_t *packet;
883
884 response = message_create();
885 response->set_exchange_type(response, request->get_exchange_type(request));
886 response->set_request(response, FALSE);
887 response->set_message_id(response, request->get_message_id(request));
888 response->add_notify(response, FALSE, type, chunk_empty);
889 if (this->my_host->is_anyaddr(this->my_host))
890 {
891 this->my_host->destroy(this->my_host);
892 this->my_host = request->get_destination(request);
893 this->my_host = this->my_host->clone(this->my_host);
894 }
895 if (this->other_host->is_anyaddr(this->other_host))
896 {
897 this->other_host->destroy(this->other_host);
898 this->other_host = request->get_source(request);
899 this->other_host = this->other_host->clone(this->other_host);
900 }
901 response->set_source(response, this->my_host->clone(this->my_host));
902 response->set_destination(response, this->other_host->clone(this->other_host));
903 if (generate_message(this, response, &packet) == SUCCESS)
904 {
905 charon->sender->send(charon->sender, packet);
906 }
907 response->destroy(response);
908 }
909
910 #ifdef P2P
911 /**
912 * Implementation of ike_sa_t.get_server_reflexive_host.
913 */
914 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
915 {
916 return this->server_reflexive_host;
917 }
918
919 /**
920 * Implementation of ike_sa_t.set_server_reflexive_host.
921 */
922 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
923 {
924 DESTROY_IF(this->server_reflexive_host);
925 this->server_reflexive_host = host;
926 }
927
928 /**
929 * Implementation of ike_sa_t.respond
930 */
931 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
932 chunk_t session_id)
933 {
934 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
935 task->respond(task, peer_id, session_id);
936 this->task_manager->queue_task(this->task_manager, (task_t*)task);
937 return this->task_manager->initiate(this->task_manager);
938 }
939
940 /**
941 * Implementation of ike_sa_t.callback
942 */
943 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
944 {
945 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
946 task->callback(task, peer_id);
947 this->task_manager->queue_task(this->task_manager, (task_t*)task);
948 return this->task_manager->initiate(this->task_manager);
949 }
950
951 /**
952 * Implementation of ike_sa_t.relay
953 */
954 static status_t relay(private_ike_sa_t *this, identification_t *requester,
955 chunk_t session_id, chunk_t session_key, linked_list_t *endpoints, bool response)
956 {
957 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
958 task->relay(task, requester, session_id, session_key, endpoints, response);
959 this->task_manager->queue_task(this->task_manager, (task_t*)task);
960 return this->task_manager->initiate(this->task_manager);
961 }
962
963 /**
964 * Implementation of ike_sa_t.initiate_mediation
965 */
966 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
967 {
968 ike_p2p_t *task = ike_p2p_create(&this->public, TRUE);
969 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
970 this->task_manager->queue_task(this->task_manager, (task_t*)task);
971 return this->task_manager->initiate(this->task_manager);
972 }
973
974 /**
975 * Implementation of ike_sa_t.initiate_mediated
976 */
977 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
978 linked_list_t *childs)
979 {
980 this->my_host = me->clone(me);
981 this->other_host = other->clone(other);
982
983 task_t *task;
984 child_cfg_t *child_cfg;
985 iterator_t *iterator = childs->create_iterator(childs, TRUE);
986 while (iterator->iterate(iterator, (void**)&child_cfg))
987 {
988 task = (task_t*)child_create_create(&this->public, child_cfg);
989 this->task_manager->queue_task(this->task_manager, task);
990 }
991 iterator->destroy(iterator);
992 return this->task_manager->initiate(this->task_manager);
993 }
994 #endif /* P2P */
995
996 /**
997 * Implementation of ike_sa_t.initiate.
998 */
999 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1000 {
1001 task_t *task;
1002
1003 if (this->state == IKE_CREATED)
1004 {
1005 if (this->other_host->is_anyaddr(this->other_host)
1006 #ifdef P2P
1007 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1008 #endif /* P2P */
1009 )
1010 {
1011 child_cfg->destroy(child_cfg);
1012 SIG(IKE_UP_START, "initiating IKE_SA");
1013 SIG(IKE_UP_FAILED, "unable to initiate to %%any");
1014 return DESTROY_ME;
1015 }
1016
1017 this->ike_initiator = TRUE;
1018
1019 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1020 this->task_manager->queue_task(this->task_manager, task);
1021 task = (task_t*)ike_natd_create(&this->public, TRUE);
1022 this->task_manager->queue_task(this->task_manager, task);
1023 task = (task_t*)ike_cert_create(&this->public, TRUE);
1024 this->task_manager->queue_task(this->task_manager, task);
1025 task = (task_t*)ike_auth_create(&this->public, TRUE);
1026 this->task_manager->queue_task(this->task_manager, task);
1027 task = (task_t*)ike_config_create(&this->public, TRUE);
1028 this->task_manager->queue_task(this->task_manager, task);
1029 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1030 this->task_manager->queue_task(this->task_manager, task);
1031 if (this->peer_cfg->use_mobike(this->peer_cfg))
1032 {
1033 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1034 this->task_manager->queue_task(this->task_manager, task);
1035 }
1036 #ifdef P2P
1037 task = (task_t*)ike_p2p_create(&this->public, TRUE);
1038 this->task_manager->queue_task(this->task_manager, task);
1039 #endif /* P2P */
1040 }
1041
1042 #ifdef P2P
1043 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1044 {
1045 /* mediated connection, initiate mediation process */
1046 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id, child_cfg);
1047 child_cfg->destroy(child_cfg);
1048 charon->processor->queue_job(charon->processor, job);
1049 return SUCCESS;
1050 }
1051 else if (this->peer_cfg->is_mediation(this->peer_cfg))
1052 {
1053 if (this->state == IKE_ESTABLISHED)
1054 { /* FIXME: we should try to find a better solution to this */
1055 SIG(CHILD_UP_SUCCESS, "mediation connection is already up and running");
1056 }
1057 }
1058 else
1059 #endif /* P2P */
1060 {
1061 /* normal IKE_SA with CHILD_SA */
1062 task = (task_t*)child_create_create(&this->public, child_cfg);
1063 child_cfg->destroy(child_cfg);
1064 this->task_manager->queue_task(this->task_manager, task);
1065 }
1066
1067 return this->task_manager->initiate(this->task_manager);
1068 }
1069
1070 /**
1071 * Implementation of ike_sa_t.acquire.
1072 */
1073 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1074 { /* FIXME: P2P-NAT-T */
1075 child_cfg_t *child_cfg;
1076 iterator_t *iterator;
1077 child_sa_t *current, *child_sa = NULL;
1078 task_t *task;
1079 child_create_t *child_create;
1080
1081 if (this->state == IKE_DELETING)
1082 {
1083 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1084 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1085 "IKE_SA is deleting", reqid);
1086 return FAILED;
1087 }
1088
1089 /* find CHILD_SA */
1090 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1091 while (iterator->iterate(iterator, (void**)&current))
1092 {
1093 if (current->get_reqid(current) == reqid)
1094 {
1095 child_sa = current;
1096 break;
1097 }
1098 }
1099 iterator->destroy(iterator);
1100 if (!child_sa)
1101 {
1102 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
1103 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
1104 "CHILD_SA not found", reqid);
1105 return FAILED;
1106 }
1107
1108
1109 if (this->state == IKE_CREATED)
1110 {
1111 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1112 this->task_manager->queue_task(this->task_manager, task);
1113 task = (task_t*)ike_natd_create(&this->public, TRUE);
1114 this->task_manager->queue_task(this->task_manager, task);
1115 task = (task_t*)ike_cert_create(&this->public, TRUE);
1116 this->task_manager->queue_task(this->task_manager, task);
1117 task = (task_t*)ike_auth_create(&this->public, TRUE);
1118 this->task_manager->queue_task(this->task_manager, task);
1119 task = (task_t*)ike_config_create(&this->public, TRUE);
1120 this->task_manager->queue_task(this->task_manager, task);
1121 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1122 this->task_manager->queue_task(this->task_manager, task);
1123 if (this->peer_cfg->use_mobike(this->peer_cfg))
1124 {
1125 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1126 this->task_manager->queue_task(this->task_manager, task);
1127 }
1128 }
1129
1130 child_cfg = child_sa->get_config(child_sa);
1131 child_create = child_create_create(&this->public, child_cfg);
1132 child_create->use_reqid(child_create, reqid);
1133 this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
1134
1135 return this->task_manager->initiate(this->task_manager);
1136 }
1137
1138 /**
1139 * Implementation of ike_sa_t.route.
1140 */
1141 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1142 {
1143 child_sa_t *child_sa;
1144 iterator_t *iterator;
1145 linked_list_t *my_ts, *other_ts;
1146 host_t *me, *other;
1147 status_t status;
1148
1149 SIG(CHILD_ROUTE_START, "routing CHILD_SA");
1150
1151 /* check if not already routed*/
1152 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1153 while (iterator->iterate(iterator, (void**)&child_sa))
1154 {
1155 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1156 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1157 {
1158 iterator->destroy(iterator);
1159 SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a config already routed");
1160 return FAILED;
1161 }
1162 }
1163 iterator->destroy(iterator);
1164
1165 switch (this->state)
1166 {
1167 case IKE_DELETING:
1168 case IKE_REKEYING:
1169 SIG(CHILD_ROUTE_FAILED,
1170 "unable to route CHILD_SA, as its IKE_SA gets deleted");
1171 return FAILED;
1172 case IKE_CREATED:
1173 case IKE_CONNECTING:
1174 case IKE_ESTABLISHED:
1175 default:
1176 break;
1177 }
1178
1179 /* install kernel policies */
1180 child_sa = child_sa_create(this->my_host, this->other_host, this->my_id,
1181 this->other_id, child_cfg, FALSE, 0);
1182 me = this->my_host;
1183 if (this->my_virtual_ip)
1184 {
1185 me = this->my_virtual_ip;
1186 }
1187 other = this->other_host;
1188 if (this->other_virtual_ip)
1189 {
1190 other = this->other_virtual_ip;
1191 }
1192
1193 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1194 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1195 status = child_sa->add_policies(child_sa, my_ts, other_ts,
1196 child_cfg->get_mode(child_cfg));
1197 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1198 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1199 if (status == SUCCESS)
1200 {
1201 this->child_sas->insert_last(this->child_sas, child_sa);
1202 SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
1203 }
1204 else
1205 {
1206 SIG(CHILD_ROUTE_FAILED, "routing CHILD_SA failed");
1207 }
1208 return status;
1209 }
1210
1211 /**
1212 * Implementation of ike_sa_t.unroute.
1213 */
1214 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1215 {
1216 iterator_t *iterator;
1217 child_sa_t *child_sa;
1218 bool found = FALSE;
1219
1220 SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
1221
1222 /* find CHILD_SA in ROUTED state */
1223 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1224 while (iterator->iterate(iterator, (void**)&child_sa))
1225 {
1226 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1227 child_sa->get_reqid(child_sa) == reqid)
1228 {
1229 iterator->remove(iterator);
1230 SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
1231 child_sa->destroy(child_sa);
1232 found = TRUE;
1233 break;
1234 }
1235 }
1236 iterator->destroy(iterator);
1237
1238 if (!found)
1239 {
1240 SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
1241 return FAILED;
1242 }
1243 /* if we are not established, and we have no more routed childs, remove whole SA */
1244 if (this->state == IKE_CREATED &&
1245 this->child_sas->get_count(this->child_sas) == 0)
1246 {
1247 return DESTROY_ME;
1248 }
1249 return SUCCESS;
1250 }
1251 /**
1252 * Implementation of ike_sa_t.process_message.
1253 */
1254 static status_t process_message(private_ike_sa_t *this, message_t *message)
1255 {
1256 status_t status;
1257 bool is_request;
1258
1259 is_request = message->get_request(message);
1260
1261 status = message->parse_body(message, this->crypter_in, this->signer_in);
1262 if (status != SUCCESS)
1263 {
1264
1265 if (is_request)
1266 {
1267 switch (status)
1268 {
1269 case NOT_SUPPORTED:
1270 DBG1(DBG_IKE, "ciritcal unknown payloads found");
1271 if (is_request)
1272 {
1273 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1274 }
1275 break;
1276 case PARSE_ERROR:
1277 DBG1(DBG_IKE, "message parsing failed");
1278 if (is_request)
1279 {
1280 send_notify_response(this, message, INVALID_SYNTAX);
1281 }
1282 break;
1283 case VERIFY_ERROR:
1284 DBG1(DBG_IKE, "message verification failed");
1285 if (is_request)
1286 {
1287 send_notify_response(this, message, INVALID_SYNTAX);
1288 }
1289 break;
1290 case FAILED:
1291 DBG1(DBG_IKE, "integrity check failed");
1292 /* ignored */
1293 break;
1294 case INVALID_STATE:
1295 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1296 if (is_request)
1297 {
1298 send_notify_response(this, message, INVALID_SYNTAX);
1299 }
1300 default:
1301 break;
1302 }
1303 }
1304 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1305 exchange_type_names, message->get_exchange_type(message),
1306 message->get_request(message) ? "request" : "response",
1307 message->get_message_id(message));
1308 return status;
1309 }
1310 else
1311 {
1312 host_t *me, *other;
1313 private_ike_sa_t *new;
1314 iterator_t *iterator;
1315 child_sa_t *child;
1316 bool has_routed = FALSE;
1317
1318 me = message->get_destination(message);
1319 other = message->get_source(message);
1320
1321 /* if this IKE_SA is virgin, we check for a config */
1322 if (this->ike_cfg == NULL)
1323 {
1324 job_t *job;
1325 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1326 me, other);
1327 if (this->ike_cfg == NULL)
1328 {
1329 /* no config found for these hosts, destroy */
1330 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1331 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1332 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1333 return DESTROY_ME;
1334 }
1335 /* add a timeout if peer does not establish it completely */
1336 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1337 charon->scheduler->schedule_job(charon->scheduler, job,
1338 HALF_OPEN_IKE_SA_TIMEOUT);
1339 }
1340
1341 /* check if message is trustworthy, and update host information */
1342 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1343 message->get_exchange_type(message) != IKE_SA_INIT)
1344 {
1345 update_hosts(this, me, other);
1346 this->time.inbound = time(NULL);
1347 }
1348 status = this->task_manager->process_message(this->task_manager, message);
1349 if (status != DESTROY_ME)
1350 {
1351 return status;
1352 }
1353 /* if IKE_SA gets closed for any reasons, reroute routed children */
1354 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1355 while (iterator->iterate(iterator, (void**)&child))
1356 {
1357 if (child->get_state(child) == CHILD_ROUTED)
1358 {
1359 has_routed = TRUE;
1360 break;
1361 }
1362 }
1363 iterator->destroy(iterator);
1364 if (!has_routed)
1365 {
1366 return status;
1367 }
1368 /* move routed children to a new IKE_SA, apply connection info */
1369 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1370 charon->ike_sa_manager, TRUE);
1371 set_peer_cfg(new, this->peer_cfg);
1372 new->other_host->destroy(new->other_host);
1373 new->other_host = this->other_host->clone(this->other_host);
1374 if (!has_condition(this, COND_NAT_THERE))
1375 {
1376 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1377 }
1378 if (this->my_virtual_ip)
1379 {
1380 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1381 }
1382 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1383 while (iterator->iterate(iterator, (void**)&child))
1384 {
1385 if (child->get_state(child) == CHILD_ROUTED)
1386 {
1387 route(new, child->get_config(child));
1388 }
1389 }
1390 iterator->destroy(iterator);
1391 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1392 return status;
1393 }
1394 }
1395
1396 /**
1397 * Implementation of ike_sa_t.retransmit.
1398 */
1399 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1400 { /* FIXME: P2P-NAT-T */
1401 this->time.outbound = time(NULL);
1402 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1403 {
1404 child_cfg_t *child_cfg;
1405 child_sa_t* child_sa;
1406 linked_list_t *to_route, *to_restart;
1407 iterator_t *iterator;
1408
1409 /* send a proper signal to brief interested bus listeners */
1410 switch (this->state)
1411 {
1412 case IKE_CONNECTING:
1413 {
1414 /* retry IKE_SA_INIT if we have multiple keyingtries */
1415 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1416 this->keyingtry++;
1417 if (tries == 0 || tries > this->keyingtry)
1418 {
1419 SIG(IKE_UP_FAILED, "peer not responding, trying again "
1420 "(%d/%d) in background ", this->keyingtry + 1, tries);
1421 reset(this);
1422 return this->task_manager->initiate(this->task_manager);
1423 }
1424 SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
1425 break;
1426 }
1427 case IKE_REKEYING:
1428 SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
1429 break;
1430 case IKE_DELETING:
1431 SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
1432 break;
1433 default:
1434 break;
1435 }
1436
1437 /* summarize how we have to handle each child */
1438 to_route = linked_list_create();
1439 to_restart = linked_list_create();
1440 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1441 while (iterator->iterate(iterator, (void**)&child_sa))
1442 {
1443 child_cfg = child_sa->get_config(child_sa);
1444
1445 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
1446 {
1447 /* reroute routed CHILD_SAs */
1448 to_route->insert_last(to_route, child_cfg);
1449 }
1450 else
1451 {
1452 /* use DPD action for established CHILD_SAs */
1453 switch (this->peer_cfg->get_dpd_action(this->peer_cfg))
1454 {
1455 case DPD_ROUTE:
1456 to_route->insert_last(to_route, child_cfg);
1457 break;
1458 case DPD_RESTART:
1459 to_restart->insert_last(to_restart, child_cfg);
1460 break;
1461 default:
1462 break;
1463 }
1464 }
1465 }
1466 iterator->destroy(iterator);
1467
1468 /* create a new IKE_SA if we have to route or to restart */
1469 if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
1470 {
1471 private_ike_sa_t *new;
1472 task_t *task;
1473
1474 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1475 charon->ike_sa_manager, TRUE);
1476
1477 set_peer_cfg(new, this->peer_cfg);
1478 /* use actual used host, not the wildcarded one in config */
1479 new->other_host->destroy(new->other_host);
1480 new->other_host = this->other_host->clone(this->other_host);
1481 /* reset port to 500, but only if peer is not NATed */
1482 if (!has_condition(this, COND_NAT_THERE))
1483 {
1484 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1485 }
1486 /* take over virtual ip, as we need it for a proper route */
1487 if (this->my_virtual_ip)
1488 {
1489 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1490 }
1491
1492 /* install routes */
1493 while (to_route->remove_last(to_route, (void**)&child_cfg) == SUCCESS)
1494 {
1495 route(new, child_cfg);
1496 }
1497
1498 /* restart children */
1499 if (to_restart->get_count(to_restart))
1500 {
1501 task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
1502 new->task_manager->queue_task(new->task_manager, task);
1503 task = (task_t*)ike_natd_create(&new->public, TRUE);
1504 new->task_manager->queue_task(new->task_manager, task);
1505 task = (task_t*)ike_cert_create(&new->public, TRUE);
1506 new->task_manager->queue_task(new->task_manager, task);
1507 task = (task_t*)ike_config_create(&new->public, TRUE);
1508 new->task_manager->queue_task(new->task_manager, task);
1509 task = (task_t*)ike_auth_create(&new->public, TRUE);
1510 new->task_manager->queue_task(new->task_manager, task);
1511
1512 while (to_restart->remove_last(to_restart, (void**)&child_cfg) == SUCCESS)
1513 {
1514 task = (task_t*)child_create_create(&new->public, child_cfg);
1515 new->task_manager->queue_task(new->task_manager, task);
1516 }
1517 task = (task_t*)ike_auth_lifetime_create(&new->public, TRUE);
1518 new->task_manager->queue_task(new->task_manager, task);
1519 if (this->peer_cfg->use_mobike(this->peer_cfg))
1520 {
1521 task = (task_t*)ike_mobike_create(&new->public, TRUE);
1522 new->task_manager->queue_task(new->task_manager, task);
1523 }
1524 new->task_manager->initiate(new->task_manager);
1525 }
1526 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1527 }
1528 to_route->destroy(to_route);
1529 to_restart->destroy(to_restart);
1530 return DESTROY_ME;
1531 }
1532 return SUCCESS;
1533 }
1534
1535 /**
1536 * Implementation of ike_sa_t.get_prf.
1537 */
1538 static prf_t *get_prf(private_ike_sa_t *this)
1539 {
1540 return this->prf;
1541 }
1542
1543 /**
1544 * Implementation of ike_sa_t.get_prf.
1545 */
1546 static prf_t *get_child_prf(private_ike_sa_t *this)
1547 {
1548 return this->child_prf;
1549 }
1550
1551 /**
1552 * Implementation of ike_sa_t.get_skp_bild
1553 */
1554 static chunk_t get_skp_build(private_ike_sa_t *this)
1555 {
1556 return this->skp_build;
1557 }
1558
1559 /**
1560 * Implementation of ike_sa_t.get_skp_verify
1561 */
1562 static chunk_t get_skp_verify(private_ike_sa_t *this)
1563 {
1564 return this->skp_verify;
1565 }
1566
1567 /**
1568 * Implementation of ike_sa_t.get_id.
1569 */
1570 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1571 {
1572 return this->ike_sa_id;
1573 }
1574
1575 /**
1576 * Implementation of ike_sa_t.get_my_id.
1577 */
1578 static identification_t* get_my_id(private_ike_sa_t *this)
1579 {
1580 return this->my_id;
1581 }
1582
1583 /**
1584 * Implementation of ike_sa_t.set_my_id.
1585 */
1586 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1587 {
1588 DESTROY_IF(this->my_id);
1589 this->my_id = me;
1590 }
1591
1592 /**
1593 * Implementation of ike_sa_t.get_other_id.
1594 */
1595 static identification_t* get_other_id(private_ike_sa_t *this)
1596 {
1597 return this->other_id;
1598 }
1599
1600 /**
1601 * Implementation of ike_sa_t.set_other_id.
1602 */
1603 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1604 {
1605 DESTROY_IF(this->other_id);
1606 this->other_id = other;
1607 }
1608
1609 /**
1610 * Implementation of ike_sa_t.get_other_ca.
1611 */
1612 static ca_info_t* get_other_ca(private_ike_sa_t *this)
1613 {
1614 return this->other_ca;
1615 }
1616
1617 /**
1618 * Implementation of ike_sa_t.set_other_ca.
1619 */
1620 static void set_other_ca(private_ike_sa_t *this, ca_info_t *other_ca)
1621 {
1622 this->other_ca = other_ca;
1623 }
1624
1625 /**
1626 * Implementation of ike_sa_t.derive_keys.
1627 */
1628 static status_t derive_keys(private_ike_sa_t *this,
1629 proposal_t *proposal, chunk_t secret,
1630 chunk_t nonce_i, chunk_t nonce_r,
1631 bool initiator, prf_t *child_prf, prf_t *old_prf)
1632 {
1633 prf_plus_t *prf_plus;
1634 chunk_t skeyseed, key, nonces, prf_plus_seed;
1635 algorithm_t *algo;
1636 size_t key_size;
1637 crypter_t *crypter_i, *crypter_r;
1638 signer_t *signer_i, *signer_r;
1639 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1640 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1641 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1642
1643 /* Create SAs general purpose PRF first, we may use it here */
1644 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
1645 {
1646 DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
1647 return FAILED;
1648 }
1649 this->prf = prf_create(algo->algorithm);
1650 if (this->prf == NULL)
1651 {
1652 DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
1653 "%N not supported!", pseudo_random_function_names, algo->algorithm);
1654 return FAILED;
1655 }
1656
1657 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1658 nonces = chunk_cat("cc", nonce_i, nonce_r);
1659 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1660 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1661 prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
1662
1663 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1664 *
1665 * if we are rekeying, SKEYSEED is built on another way
1666 */
1667 if (child_prf == NULL) /* not rekeying */
1668 {
1669 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1670 this->prf->set_key(this->prf, nonces);
1671 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1672 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1673 this->prf->set_key(this->prf, skeyseed);
1674 chunk_free(&skeyseed);
1675 chunk_free(&secret);
1676 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1677 }
1678 else
1679 {
1680 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1681 * use OLD SAs PRF functions for both prf_plus and prf */
1682 secret = chunk_cat("mc", secret, nonces);
1683 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1684 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1685 old_prf->set_key(old_prf, skeyseed);
1686 chunk_free(&skeyseed);
1687 chunk_free(&secret);
1688 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1689 }
1690 chunk_free(&nonces);
1691 chunk_free(&prf_plus_seed);
1692
1693 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1694
1695 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1696 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
1697 this->child_prf = prf_create(algo->algorithm);
1698 key_size = this->child_prf->get_key_size(this->child_prf);
1699 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1700 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1701 this->child_prf->set_key(this->child_prf, key);
1702 chunk_free(&key);
1703
1704 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1705 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
1706 {
1707 DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
1708 return FAILED;
1709 }
1710 signer_i = signer_create(algo->algorithm);
1711 signer_r = signer_create(algo->algorithm);
1712 if (signer_i == NULL || signer_r == NULL)
1713 {
1714 DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
1715 "%N not supported!", integrity_algorithm_names ,algo->algorithm);
1716 return FAILED;
1717 }
1718 key_size = signer_i->get_key_size(signer_i);
1719
1720 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1721 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1722 signer_i->set_key(signer_i, key);
1723 chunk_free(&key);
1724
1725 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1726 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1727 signer_r->set_key(signer_r, key);
1728 chunk_free(&key);
1729
1730 if (initiator)
1731 {
1732 this->signer_in = signer_r;
1733 this->signer_out = signer_i;
1734 }
1735 else
1736 {
1737 this->signer_in = signer_i;
1738 this->signer_out = signer_r;
1739 }
1740
1741 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1742 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
1743 {
1744 DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
1745 return FAILED;
1746 }
1747 crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
1748 crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
1749 if (crypter_i == NULL || crypter_r == NULL)
1750 {
1751 DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
1752 "%N (key size %d) not supported!",
1753 encryption_algorithm_names, algo->algorithm, algo->key_size);
1754 return FAILED;
1755 }
1756 key_size = crypter_i->get_key_size(crypter_i);
1757
1758 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1759 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1760 crypter_i->set_key(crypter_i, key);
1761 chunk_free(&key);
1762
1763 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1764 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1765 crypter_r->set_key(crypter_r, key);
1766 chunk_free(&key);
1767
1768 if (initiator)
1769 {
1770 this->crypter_in = crypter_r;
1771 this->crypter_out = crypter_i;
1772 }
1773 else
1774 {
1775 this->crypter_in = crypter_i;
1776 this->crypter_out = crypter_r;
1777 }
1778
1779 /* SK_pi/SK_pr used for authentication => stored for later */
1780 key_size = this->prf->get_key_size(this->prf);
1781 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1782 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1783 if (initiator)
1784 {
1785 this->skp_build = key;
1786 }
1787 else
1788 {
1789 this->skp_verify = key;
1790 }
1791 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1792 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1793 if (initiator)
1794 {
1795 this->skp_verify = key;
1796 }
1797 else
1798 {
1799 this->skp_build = key;
1800 }
1801
1802 /* all done, prf_plus not needed anymore */
1803 prf_plus->destroy(prf_plus);
1804
1805 return SUCCESS;
1806 }
1807
1808 /**
1809 * Implementation of ike_sa_t.add_child_sa.
1810 */
1811 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1812 {
1813 this->child_sas->insert_last(this->child_sas, child_sa);
1814 }
1815
1816 /**
1817 * Implementation of ike_sa_t.get_child_sa.
1818 */
1819 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1820 u_int32_t spi, bool inbound)
1821 {
1822 iterator_t *iterator;
1823 child_sa_t *current, *found = NULL;
1824
1825 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1826 while (iterator->iterate(iterator, (void**)&current))
1827 {
1828 if (current->get_spi(current, inbound) == spi &&
1829 current->get_protocol(current) == protocol)
1830 {
1831 found = current;
1832 }
1833 }
1834 iterator->destroy(iterator);
1835 return found;
1836 }
1837
1838 /**
1839 * Implementation of ike_sa_t.create_child_sa_iterator.
1840 */
1841 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1842 {
1843 return this->child_sas->create_iterator(this->child_sas, TRUE);
1844 }
1845
1846 /**
1847 * Implementation of ike_sa_t.rekey_child_sa.
1848 */
1849 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1850 {
1851 child_sa_t *child_sa;
1852 child_rekey_t *child_rekey;
1853
1854 child_sa = get_child_sa(this, protocol, spi, TRUE);
1855 if (child_sa)
1856 {
1857 child_rekey = child_rekey_create(&this->public, child_sa);
1858 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1859 return this->task_manager->initiate(this->task_manager);
1860 }
1861 return FAILED;
1862 }
1863
1864 /**
1865 * Implementation of ike_sa_t.delete_child_sa.
1866 */
1867 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1868 {
1869 child_sa_t *child_sa;
1870 child_delete_t *child_delete;
1871
1872 child_sa = get_child_sa(this, protocol, spi, TRUE);
1873 if (child_sa)
1874 {
1875 child_delete = child_delete_create(&this->public, child_sa);
1876 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1877 return this->task_manager->initiate(this->task_manager);
1878 }
1879 return FAILED;
1880 }
1881
1882 /**
1883 * Implementation of ike_sa_t.destroy_child_sa.
1884 */
1885 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1886 u_int32_t spi)
1887 {
1888 iterator_t *iterator;
1889 child_sa_t *child_sa;
1890 status_t status = NOT_FOUND;
1891
1892 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1893 while (iterator->iterate(iterator, (void**)&child_sa))
1894 {
1895 if (child_sa->get_protocol(child_sa) == protocol &&
1896 child_sa->get_spi(child_sa, TRUE) == spi)
1897 {
1898 child_sa->destroy(child_sa);
1899 iterator->remove(iterator);
1900 status = SUCCESS;
1901 break;
1902 }
1903 }
1904 iterator->destroy(iterator);
1905 return status;
1906 }
1907
1908 /**
1909 * Implementation of public_ike_sa_t.delete.
1910 */
1911 static status_t delete_(private_ike_sa_t *this)
1912 {
1913 ike_delete_t *ike_delete;
1914
1915 switch (this->state)
1916 {
1917 case IKE_ESTABLISHED:
1918 case IKE_REKEYING:
1919 ike_delete = ike_delete_create(&this->public, TRUE);
1920 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1921 return this->task_manager->initiate(this->task_manager);
1922 case IKE_CREATED:
1923 SIG(IKE_DOWN_SUCCESS, "deleting unestablished IKE_SA");
1924 break;
1925 default:
1926 SIG(IKE_DOWN_SUCCESS, "destroying IKE_SA in state %N "
1927 "without notification", ike_sa_state_names, this->state);
1928 break;
1929 }
1930 return DESTROY_ME;
1931 }
1932
1933 /**
1934 * Implementation of ike_sa_t.rekey.
1935 */
1936 static status_t rekey(private_ike_sa_t *this)
1937 {
1938 ike_rekey_t *ike_rekey;
1939
1940 ike_rekey = ike_rekey_create(&this->public, TRUE);
1941
1942 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1943 return this->task_manager->initiate(this->task_manager);
1944 }
1945
1946 /**
1947 * Implementation of ike_sa_t.reestablish
1948 */
1949 static status_t reestablish(private_ike_sa_t *this)
1950 {
1951 task_t *task;
1952
1953 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1954 * If the peer does not support RFC4478, there is no way to keep the
1955 * IKE_SA up. */
1956 if (!this->ike_initiator)
1957 {
1958 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1959 if (this->other_virtual_ip != NULL ||
1960 has_condition(this, COND_EAP_AUTHENTICATED))
1961 {
1962 time_t now = time(NULL);
1963
1964 DBG1(DBG_IKE, "IKE_SA will timeout in %#V", &now, &this->time.delete);
1965 return FAILED;
1966 }
1967 else
1968 {
1969 DBG1(DBG_IKE, "reauthenticating actively");
1970 }
1971 }
1972 task = (task_t*)ike_reauth_create(&this->public);
1973 this->task_manager->queue_task(this->task_manager, task);
1974
1975 return this->task_manager->initiate(this->task_manager);
1976 }
1977
1978 /**
1979 * Implementation of ike_sa_t.set_auth_lifetime.
1980 */
1981 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1982 {
1983 job_t *job;
1984 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1985
1986 this->time.reauth = time(NULL) + lifetime - reduction;
1987 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
1988
1989 if (lifetime < reduction)
1990 {
1991 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1992 lifetime);
1993 charon->processor->queue_job(charon->processor, job);
1994 }
1995 else
1996 {
1997 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1998 " in %ds", lifetime, lifetime - reduction);
1999 charon->scheduler->schedule_job(charon->scheduler, job,
2000 (lifetime - reduction) * 1000);
2001 }
2002 }
2003
2004 /**
2005 * Implementation of ike_sa_t.roam.
2006 */
2007 static status_t roam(private_ike_sa_t *this, bool address)
2008 {
2009 host_t *me, *other;
2010 ike_mobike_t *mobike;
2011
2012 /* responder just updates the peer about changed address config */
2013 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
2014 {
2015 if (supports_extension(this, EXT_MOBIKE) && address)
2016 {
2017 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2018 mobike = ike_mobike_create(&this->public, TRUE);
2019 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2020 return this->task_manager->initiate(this->task_manager);
2021 }
2022 return SUCCESS;
2023 }
2024
2025 /* get best address pair to use */
2026 other = this->other_host;
2027 me = charon->kernel_interface->get_source_addr(charon->kernel_interface,
2028 other);
2029
2030 if (me)
2031 {
2032 if (me->ip_equals(me, this->my_host) &&
2033 other->ip_equals(other, this->other_host))
2034 {
2035 DBG2(DBG_IKE, "keeping connection path %H - %H", this->other_host, me);
2036 me->destroy(me);
2037 return SUCCESS;
2038 }
2039 me->destroy(me);
2040 }
2041
2042 /* update addresses with mobike, if supported ... */
2043 if (supports_extension(this, EXT_MOBIKE))
2044 {
2045 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2046 mobike = ike_mobike_create(&this->public, TRUE);
2047 mobike->roam(mobike, address);
2048 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2049 return this->task_manager->initiate(this->task_manager);
2050 }
2051 DBG1(DBG_IKE, "reestablishing IKE_SA due address change");
2052 /* ... reestablish if not */
2053 return reestablish(this);
2054 }
2055
2056 /**
2057 * Implementation of ike_sa_t.inherit.
2058 */
2059 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2060 {
2061 child_sa_t *child_sa;
2062 host_t *ip;
2063
2064 /* apply hosts and ids */
2065 this->my_host->destroy(this->my_host);
2066 this->other_host->destroy(this->other_host);
2067 this->my_id->destroy(this->my_id);
2068 this->other_id->destroy(this->other_id);
2069 this->my_host = other->my_host->clone(other->my_host);
2070 this->other_host = other->other_host->clone(other->other_host);
2071 this->my_id = other->my_id->clone(other->my_id);
2072 this->other_id = other->other_id->clone(other->other_id);
2073 this->ike_initiator = other->ike_initiator;
2074
2075 /* apply virtual assigned IPs... */
2076 if (other->my_virtual_ip)
2077 {
2078 this->my_virtual_ip = other->my_virtual_ip;
2079 other->my_virtual_ip = NULL;
2080 }
2081 if (other->other_virtual_ip)
2082 {
2083 this->other_virtual_ip = other->other_virtual_ip;
2084 other->other_virtual_ip = NULL;
2085 }
2086
2087 /* ... and DNS servers */
2088 while (other->dns_servers->remove_last(other->dns_servers,
2089 (void**)&ip) == SUCCESS)
2090 {
2091 this->dns_servers->insert_first(this->dns_servers, ip);
2092 }
2093
2094 /* inherit NAT-T conditions */
2095 this->conditions = other->conditions;
2096 if (this->conditions & COND_NAT_HERE)
2097 {
2098 send_keepalive(this);
2099 }
2100
2101 /* adopt all children */
2102 while (other->child_sas->remove_last(other->child_sas,
2103 (void**)&child_sa) == SUCCESS)
2104 {
2105 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2106 }
2107
2108 /* move pending tasks to the new IKE_SA */
2109 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2110
2111 /* reauthentication timeout survives a rekeying */
2112 if (other->time.reauth)
2113 {
2114 time_t reauth, delete, now = time(NULL);
2115
2116 this->time.reauth = other->time.reauth;
2117 reauth = this->time.reauth - now;
2118 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2119 this->time.delete = this->time.reauth + delete;
2120 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2121 "lifetime reduced to %ds", reauth, delete);
2122 charon->scheduler->schedule_job(charon->scheduler,
2123 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2124 reauth * 1000);
2125 charon->scheduler->schedule_job(charon->scheduler,
2126 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2127 delete * 1000);
2128 }
2129 /* we have to initate here, there may be new tasks to handle */
2130 return this->task_manager->initiate(this->task_manager);
2131 }
2132
2133 /**
2134 * Implementation of ike_sa_t.remove_dns_server
2135 */
2136 static void remove_dns_servers(private_ike_sa_t *this)
2137 {
2138 FILE *file;
2139 struct stat stats;
2140 chunk_t contents, line, orig_line, token;
2141 char string[INET6_ADDRSTRLEN];
2142 host_t *ip;
2143 iterator_t *iterator;
2144
2145 if (this->dns_servers->get_count(this->dns_servers) == 0)
2146 {
2147 /* don't touch anything if we have no nameservers installed */
2148 return;
2149 }
2150
2151 file = fopen(RESOLV_CONF, "r");
2152 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2153 {
2154 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2155 RESOLV_CONF, strerror(errno));
2156 return;
2157 }
2158
2159 contents = chunk_alloca((size_t)stats.st_size);
2160
2161 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2162 {
2163 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2164 fclose(file);
2165 return;
2166 }
2167
2168 fclose(file);
2169 file = fopen(RESOLV_CONF, "w");
2170 if (file == NULL)
2171 {
2172 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2173 RESOLV_CONF, strerror(errno));
2174 return;
2175 }
2176
2177 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2178 while (fetchline(&contents, &line))
2179 {
2180 bool found = FALSE;
2181 orig_line = line;
2182 if (extract_token(&token, ' ', &line) &&
2183 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2184 {
2185 if (!extract_token(&token, ' ', &line))
2186 {
2187 token = line;
2188 }
2189 iterator->reset(iterator);
2190 while (iterator->iterate(iterator, (void**)&ip))
2191 {
2192 snprintf(string, sizeof(string), "%H", ip);
2193 if (strlen(string) == token.len &&
2194 strncmp(token.ptr, string, token.len) == 0)
2195 {
2196 iterator->remove(iterator);
2197 ip->destroy(ip);
2198 found = TRUE;
2199 break;
2200 }
2201 }
2202 }
2203
2204 if (!found)
2205 {
2206 /* write line untouched back to file */
2207 fwrite(orig_line.ptr, orig_line.len, 1, file);
2208 fprintf(file, "\n");
2209 }
2210 }
2211 iterator->destroy(iterator);
2212 fclose(file);
2213 }
2214
2215 /**
2216 * Implementation of ike_sa_t.add_dns_server
2217 */
2218 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2219 {
2220 FILE *file;
2221 struct stat stats;
2222 chunk_t contents;
2223
2224 DBG1(DBG_IKE, "installing DNS server %H", dns);
2225
2226 file = fopen(RESOLV_CONF, "a+");
2227 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2228 {
2229 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2230 RESOLV_CONF, strerror(errno));
2231 return;
2232 }
2233
2234 contents = chunk_alloca(stats.st_size);
2235
2236 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2237 {
2238 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2239 fclose(file);
2240 return;
2241 }
2242
2243 fclose(file);
2244 file = fopen(RESOLV_CONF, "w");
2245 if (file == NULL)
2246 {
2247 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2248 RESOLV_CONF, strerror(errno));
2249 return;
2250 }
2251
2252 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2253 dns, this->other_id) < 0)
2254 {
2255 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2256 }
2257 else
2258 {
2259 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2260 }
2261 fwrite(contents.ptr, contents.len, 1, file);
2262
2263 fclose(file);
2264 }
2265
2266 /**
2267 * Implementation of ike_sa_t.destroy.
2268 */
2269 static void destroy(private_ike_sa_t *this)
2270 {
2271 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2272
2273 DESTROY_IF(this->crypter_in);
2274 DESTROY_IF(this->crypter_out);
2275 DESTROY_IF(this->signer_in);
2276 DESTROY_IF(this->signer_out);
2277 DESTROY_IF(this->prf);
2278 DESTROY_IF(this->child_prf);
2279 chunk_free(&this->skp_verify);
2280 chunk_free(&this->skp_build);
2281
2282 if (this->my_virtual_ip)
2283 {
2284 charon->kernel_interface->del_ip(charon->kernel_interface,
2285 this->my_virtual_ip);
2286 this->my_virtual_ip->destroy(this->my_virtual_ip);
2287 }
2288 DESTROY_IF(this->other_virtual_ip);
2289
2290 remove_dns_servers(this);
2291 this->dns_servers->destroy_offset(this->dns_servers,
2292 offsetof(host_t, destroy));
2293 this->additional_addresses->destroy_offset(this->additional_addresses,
2294 offsetof(host_t, destroy));
2295 #ifdef P2P
2296 if (this->peer_cfg && this->peer_cfg->is_mediation(this->peer_cfg) &&
2297 !this->ike_sa_id->is_initiator(this->ike_sa_id))
2298 {
2299 /* mediation server */
2300 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2301 }
2302 DESTROY_IF(this->server_reflexive_host);
2303 #endif /* P2P */
2304
2305 DESTROY_IF(this->my_host);
2306 DESTROY_IF(this->other_host);
2307 DESTROY_IF(this->my_id);
2308 DESTROY_IF(this->other_id);
2309
2310 DESTROY_IF(this->ike_cfg);
2311 DESTROY_IF(this->peer_cfg);
2312
2313 this->ike_sa_id->destroy(this->ike_sa_id);
2314 this->task_manager->destroy(this->task_manager);
2315 free(this);
2316 }
2317
2318 /*
2319 * Described in header.
2320 */
2321 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2322 {
2323 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2324 static u_int32_t unique_id = 0;
2325
2326 /* Public functions */
2327 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2328 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2329 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2330 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2331 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2332 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2333 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2334 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2335 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2336 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2337 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2338 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2339 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2340 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2341 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2342 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2343 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2344 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2345 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2346 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2347 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2348 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2349 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2350 this->public.get_other_ca = (ca_info_t* (*)(ike_sa_t*)) get_other_ca;
2351 this->public.set_other_ca = (void (*)(ike_sa_t*,ca_info_t*)) set_other_ca;
2352 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2353 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2354 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2355 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2356 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2357 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2358 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2359 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2360 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2361 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2362 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2363 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2364 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2365 this->public.get_prf = (prf_t* (*)(ike_sa_t*)) get_prf;
2366 this->public.get_child_prf = (prf_t* (*)(ike_sa_t *)) get_child_prf;
2367 this->public.get_skp_verify = (chunk_t (*)(ike_sa_t *)) get_skp_verify;
2368 this->public.get_skp_build = (chunk_t (*)(ike_sa_t *)) get_skp_build;
2369 this->public.derive_keys = (status_t (*)(ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
2370 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2371 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2372 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2373 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2374 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2375 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2376 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2377 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2378 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2379 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2380 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2381 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2382 this->public.reset = (void (*)(ike_sa_t*))reset;
2383 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2384 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2385 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2386 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2387 #ifdef P2P
2388 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2389 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2390 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2391 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,linked_list_t*)) initiate_mediated;
2392 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2393 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2394 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2395 #endif /* P2P */
2396
2397 /* initialize private fields */
2398 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2399 this->child_sas = linked_list_create();
2400 this->my_host = host_create_any(AF_INET);
2401 this->other_host = host_create_any(AF_INET);
2402 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2403 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2404 this->other_ca = NULL;
2405 this->extensions = 0;
2406 this->conditions = 0;
2407 this->crypter_in = NULL;
2408 this->crypter_out = NULL;
2409 this->signer_in = NULL;
2410 this->signer_out = NULL;
2411 this->prf = NULL;
2412 this->skp_verify = chunk_empty;
2413 this->skp_build = chunk_empty;
2414 this->child_prf = NULL;
2415 this->state = IKE_CREATED;
2416 this->time.inbound = this->time.outbound = time(NULL);
2417 this->time.established = 0;
2418 this->time.rekey = 0;
2419 this->time.reauth = 0;
2420 this->time.delete = 0;
2421 this->ike_cfg = NULL;
2422 this->peer_cfg = NULL;
2423 this->task_manager = task_manager_create(&this->public);
2424 this->unique_id = ++unique_id;
2425 this->my_virtual_ip = NULL;
2426 this->other_virtual_ip = NULL;
2427 this->dns_servers = linked_list_create();
2428 this->additional_addresses = linked_list_create();
2429 this->pending_updates = 0;
2430 this->keyingtry = 0;
2431 this->ike_initiator = FALSE;
2432 #ifdef P2P
2433 this->server_reflexive_host = NULL;
2434 #endif /* P2P */
2435
2436 return &this->public;
2437 }