some task queueing improvements:
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2008 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <printf.h>
24 #include <sys/stat.h>
25 #include <errno.h>
26 #include <time.h>
27
28 #include "ike_sa.h"
29
30 #include <library.h>
31 #include <daemon.h>
32 #include <utils/linked_list.h>
33 #include <utils/lexparser.h>
34 #include <sa/task_manager.h>
35 #include <sa/tasks/ike_init.h>
36 #include <sa/tasks/ike_natd.h>
37 #include <sa/tasks/ike_mobike.h>
38 #include <sa/tasks/ike_auth.h>
39 #include <sa/tasks/ike_auth_lifetime.h>
40 #include <sa/tasks/ike_config.h>
41 #include <sa/tasks/ike_cert_pre.h>
42 #include <sa/tasks/ike_cert_post.h>
43 #include <sa/tasks/ike_rekey.h>
44 #include <sa/tasks/ike_reauth.h>
45 #include <sa/tasks/ike_delete.h>
46 #include <sa/tasks/ike_dpd.h>
47 #include <sa/tasks/child_create.h>
48 #include <sa/tasks/child_delete.h>
49 #include <sa/tasks/child_rekey.h>
50 #include <processing/jobs/retransmit_job.h>
51 #include <processing/jobs/delete_ike_sa_job.h>
52 #include <processing/jobs/send_dpd_job.h>
53 #include <processing/jobs/send_keepalive_job.h>
54 #include <processing/jobs/rekey_ike_sa_job.h>
55
56 #ifdef ME
57 #include <sa/tasks/ike_me.h>
58 #include <processing/jobs/initiate_mediation_job.h>
59 #endif
60
61 #ifndef RESOLV_CONF
62 #define RESOLV_CONF "/etc/resolv.conf"
63 #endif
64
65 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
66 "CREATED",
67 "CONNECTING",
68 "ESTABLISHED",
69 "PASSIVE",
70 "REKEYING",
71 "DELETING",
72 "DESTROYING",
73 );
74
75 typedef struct private_ike_sa_t private_ike_sa_t;
76
77 /**
78 * Private data of an ike_sa_t object.
79 */
80 struct private_ike_sa_t {
81
82 /**
83 * Public members
84 */
85 ike_sa_t public;
86
87 /**
88 * Identifier for the current IKE_SA.
89 */
90 ike_sa_id_t *ike_sa_id;
91
92 /**
93 * unique numerical ID for this IKE_SA.
94 */
95 u_int32_t unique_id;
96
97 /**
98 * Current state of the IKE_SA
99 */
100 ike_sa_state_t state;
101
102 /**
103 * IKE configuration used to set up this IKE_SA
104 */
105 ike_cfg_t *ike_cfg;
106
107 /**
108 * Peer and authentication information to establish IKE_SA.
109 */
110 peer_cfg_t *peer_cfg;
111
112 /**
113 * associated authentication/authorization info for local peer
114 */
115 auth_info_t *my_auth;
116
117 /**
118 * associated authentication/authorization info for remote peer
119 */
120 auth_info_t *other_auth;
121
122 /**
123 * Selected IKE proposal
124 */
125 proposal_t *proposal;
126
127 /**
128 * Juggles tasks to process messages
129 */
130 task_manager_t *task_manager;
131
132 /**
133 * Address of local host
134 */
135 host_t *my_host;
136
137 /**
138 * Address of remote host
139 */
140 host_t *other_host;
141
142 #ifdef ME
143 /**
144 * Are we mediation server
145 */
146 bool is_mediation_server;
147
148 /**
149 * Server reflexive host
150 */
151 host_t *server_reflexive_host;
152
153 /**
154 * Connect ID
155 */
156 chunk_t connect_id;
157 #endif /* ME */
158
159 /**
160 * Identification used for us
161 */
162 identification_t *my_id;
163
164 /**
165 * Identification used for other
166 */
167 identification_t *other_id;
168
169 /**
170 * EAP Identity exchange in EAP-Identity method
171 */
172 identification_t *eap_identity;;
173
174 /**
175 * set of extensions the peer supports
176 */
177 ike_extension_t extensions;
178
179 /**
180 * set of condition flags currently enabled for this IKE_SA
181 */
182 ike_condition_t conditions;
183
184 /**
185 * Linked List containing the child sa's of the current IKE_SA.
186 */
187 linked_list_t *child_sas;
188
189 /**
190 * keymat of this IKE_SA
191 */
192 keymat_t *keymat;
193
194 /**
195 * Virtual IP on local host, if any
196 */
197 host_t *my_virtual_ip;
198
199 /**
200 * Virtual IP on remote host, if any
201 */
202 host_t *other_virtual_ip;
203
204 /**
205 * List of DNS servers installed by us
206 */
207 linked_list_t *dns_servers;
208
209 /**
210 * list of peers additional addresses, transmitted via MOBIKE
211 */
212 linked_list_t *additional_addresses;
213
214 /**
215 * previously value of received DESTINATION_IP hash
216 */
217 chunk_t nat_detection_dest;
218
219 /**
220 * number pending UPDATE_SA_ADDRESS (MOBIKE)
221 */
222 u_int32_t pending_updates;
223
224 /**
225 * NAT keep alive interval
226 */
227 u_int32_t keepalive_interval;
228
229 /**
230 * Timestamps for this IKE_SA
231 */
232 u_int32_t stats[STAT_MAX];
233
234 /**
235 * how many times we have retried so far (keyingtries)
236 */
237 u_int32_t keyingtry;
238
239 /**
240 * local host address to be used for IKE, set via MIGRATE kernel message
241 */
242 host_t *local_host;
243
244 /**
245 * remote host address to be used for IKE, set via MIGRATE kernel message
246 */
247 host_t *remote_host;
248 };
249
250 /**
251 * get the time of the latest traffic processed by the kernel
252 */
253 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
254 {
255 enumerator_t *enumerator;
256 child_sa_t *child_sa;
257 time_t use_time;
258
259 if (inbound)
260 {
261 use_time = this->stats[STAT_INBOUND];
262 }
263 else
264 {
265 use_time = this->stats[STAT_OUTBOUND];
266 }
267 enumerator = this->child_sas->create_enumerator(this->child_sas);
268 while (enumerator->enumerate(enumerator, &child_sa))
269 {
270 use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
271 }
272 enumerator->destroy(enumerator);
273
274 return use_time;
275 }
276
277 /**
278 * Implementation of ike_sa_t.get_unique_id
279 */
280 static u_int32_t get_unique_id(private_ike_sa_t *this)
281 {
282 return this->unique_id;
283 }
284
285 /**
286 * Implementation of ike_sa_t.get_name.
287 */
288 static char *get_name(private_ike_sa_t *this)
289 {
290 if (this->peer_cfg)
291 {
292 return this->peer_cfg->get_name(this->peer_cfg);
293 }
294 return "(unnamed)";
295 }
296
297 /**
298 * Implementation of ike_sa_t.get_statistic.
299 */
300 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
301 {
302 if (kind < STAT_MAX)
303 {
304 return this->stats[kind];
305 }
306 return 0;
307 }
308
309 /**
310 * Implementation of ike_sa_t.get_my_host.
311 */
312 static host_t *get_my_host(private_ike_sa_t *this)
313 {
314 return this->my_host;
315 }
316
317 /**
318 * Implementation of ike_sa_t.set_my_host.
319 */
320 static void set_my_host(private_ike_sa_t *this, host_t *me)
321 {
322 DESTROY_IF(this->my_host);
323 this->my_host = me;
324 }
325
326 /**
327 * Implementation of ike_sa_t.get_other_host.
328 */
329 static host_t *get_other_host(private_ike_sa_t *this)
330 {
331 return this->other_host;
332 }
333
334 /**
335 * Implementation of ike_sa_t.set_other_host.
336 */
337 static void set_other_host(private_ike_sa_t *this, host_t *other)
338 {
339 DESTROY_IF(this->other_host);
340 this->other_host = other;
341 }
342
343 /**
344 * Implementation of ike_sa_t.get_peer_cfg
345 */
346 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
347 {
348 return this->peer_cfg;
349 }
350
351 /**
352 * Implementation of ike_sa_t.set_peer_cfg
353 */
354 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
355 {
356 DESTROY_IF(this->peer_cfg);
357 peer_cfg->get_ref(peer_cfg);
358 this->peer_cfg = peer_cfg;
359
360 if (this->ike_cfg == NULL)
361 {
362 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
363 this->ike_cfg->get_ref(this->ike_cfg);
364 }
365 /* apply IDs if they are not already set */
366 if (this->my_id->contains_wildcards(this->my_id))
367 {
368 DESTROY_IF(this->my_id);
369 this->my_id = this->peer_cfg->get_my_id(this->peer_cfg);
370 this->my_id = this->my_id->clone(this->my_id);
371 }
372 if (this->other_id->contains_wildcards(this->other_id))
373 {
374 DESTROY_IF(this->other_id);
375 this->other_id = this->peer_cfg->get_other_id(this->peer_cfg);
376 this->other_id = this->other_id->clone(this->other_id);
377 }
378 }
379
380 /**
381 * Implementation of ike_sa_t.get_my_auth.
382 */
383 static auth_info_t* get_my_auth(private_ike_sa_t *this)
384 {
385 return this->my_auth;
386 }
387
388 /**
389 * Implementation of ike_sa_t.get_other_auth.
390 */
391 static auth_info_t* get_other_auth(private_ike_sa_t *this)
392 {
393 return this->other_auth;
394 }
395
396 /**
397 * Implementation of ike_sa_t.get_proposal
398 */
399 static proposal_t* get_proposal(private_ike_sa_t *this)
400 {
401 return this->proposal;
402 }
403
404 /**
405 * Implementation of ike_sa_t.set_proposal
406 */
407 static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
408 {
409 DESTROY_IF(this->proposal);
410 this->proposal = proposal->clone(proposal);
411 }
412
413 /**
414 * Implementation of ike_sa_t.set_message_id
415 */
416 static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
417 {
418 if (initiate)
419 {
420 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
421 }
422 else
423 {
424 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
425 }
426 }
427
428 /**
429 * Implementation of ike_sa_t.send_keepalive
430 */
431 static void send_keepalive(private_ike_sa_t *this)
432 {
433 send_keepalive_job_t *job;
434 time_t last_out, now, diff;
435
436 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
437 { /* disable keep alives if we are not NATed anymore */
438 return;
439 }
440
441 last_out = get_use_time(this, FALSE);
442 now = time(NULL);
443
444 diff = now - last_out;
445
446 if (diff >= this->keepalive_interval)
447 {
448 packet_t *packet;
449 chunk_t data;
450
451 packet = packet_create();
452 packet->set_source(packet, this->my_host->clone(this->my_host));
453 packet->set_destination(packet, this->other_host->clone(this->other_host));
454 data.ptr = malloc(1);
455 data.ptr[0] = 0xFF;
456 data.len = 1;
457 packet->set_data(packet, data);
458 DBG1(DBG_IKE, "sending keep alive");
459 charon->sender->send(charon->sender, packet);
460 diff = 0;
461 }
462 job = send_keepalive_job_create(this->ike_sa_id);
463 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
464 (this->keepalive_interval - diff) * 1000);
465 }
466
467 /**
468 * Implementation of ike_sa_t.get_ike_cfg
469 */
470 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
471 {
472 return this->ike_cfg;
473 }
474
475 /**
476 * Implementation of ike_sa_t.set_ike_cfg
477 */
478 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
479 {
480 ike_cfg->get_ref(ike_cfg);
481 this->ike_cfg = ike_cfg;
482 }
483
484 /**
485 * Implementation of ike_sa_t.enable_extension.
486 */
487 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
488 {
489 this->extensions |= extension;
490 }
491
492 /**
493 * Implementation of ike_sa_t.has_extension.
494 */
495 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
496 {
497 return (this->extensions & extension) != FALSE;
498 }
499
500 /**
501 * Implementation of ike_sa_t.has_condition.
502 */
503 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
504 {
505 return (this->conditions & condition) != FALSE;
506 }
507
508 /**
509 * Implementation of ike_sa_t.enable_condition.
510 */
511 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
512 bool enable)
513 {
514 if (has_condition(this, condition) != enable)
515 {
516 if (enable)
517 {
518 this->conditions |= condition;
519 switch (condition)
520 {
521 case COND_NAT_HERE:
522 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
523 this->conditions |= COND_NAT_ANY;
524 send_keepalive(this);
525 break;
526 case COND_NAT_THERE:
527 DBG1(DBG_IKE, "remote host is behind NAT");
528 this->conditions |= COND_NAT_ANY;
529 break;
530 case COND_NAT_FAKE:
531 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
532 this->conditions |= COND_NAT_ANY;
533 break;
534 default:
535 break;
536 }
537 }
538 else
539 {
540 this->conditions &= ~condition;
541 switch (condition)
542 {
543 case COND_NAT_HERE:
544 case COND_NAT_FAKE:
545 case COND_NAT_THERE:
546 set_condition(this, COND_NAT_ANY,
547 has_condition(this, COND_NAT_HERE) ||
548 has_condition(this, COND_NAT_THERE) ||
549 has_condition(this, COND_NAT_FAKE));
550 break;
551 default:
552 break;
553 }
554 }
555 }
556 }
557
558 /**
559 * Implementation of ike_sa_t.send_dpd
560 */
561 static status_t send_dpd(private_ike_sa_t *this)
562 {
563 send_dpd_job_t *job;
564 time_t diff, delay;
565
566 delay = this->peer_cfg->get_dpd(this->peer_cfg);
567
568 if (delay == 0)
569 {
570 /* DPD disabled */
571 return SUCCESS;
572 }
573
574 if (this->task_manager->busy(this->task_manager))
575 {
576 /* an exchange is in the air, no need to start a DPD check */
577 diff = 0;
578 }
579 else
580 {
581 /* check if there was any inbound traffic */
582 time_t last_in, now;
583 last_in = get_use_time(this, TRUE);
584 now = time(NULL);
585 diff = now - last_in;
586 if (diff >= delay)
587 {
588 /* to long ago, initiate dead peer detection */
589 task_t *task;
590 ike_mobike_t *mobike;
591
592 if (supports_extension(this, EXT_MOBIKE) &&
593 has_condition(this, COND_NAT_HERE))
594 {
595 /* use mobike enabled DPD to detect NAT mapping changes */
596 mobike = ike_mobike_create(&this->public, TRUE);
597 mobike->dpd(mobike);
598 task = &mobike->task;
599 }
600 else
601 {
602 task = (task_t*)ike_dpd_create(TRUE);
603 }
604 diff = 0;
605 DBG1(DBG_IKE, "sending DPD request");
606
607 this->task_manager->queue_task(this->task_manager, task);
608 this->task_manager->initiate(this->task_manager);
609 }
610 }
611 /* recheck in "interval" seconds */
612 job = send_dpd_job_create(this->ike_sa_id);
613 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
614 (delay - diff) * 1000);
615 return SUCCESS;
616 }
617
618 /**
619 * Implementation of ike_sa_t.get_state.
620 */
621 static ike_sa_state_t get_state(private_ike_sa_t *this)
622 {
623 return this->state;
624 }
625
626 /**
627 * Implementation of ike_sa_t.set_state.
628 */
629 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
630 {
631 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
632 get_name(this), this->unique_id,
633 ike_sa_state_names, this->state,
634 ike_sa_state_names, state);
635
636 switch (state)
637 {
638 case IKE_ESTABLISHED:
639 {
640 if (this->state == IKE_CONNECTING ||
641 this->state == IKE_PASSIVE)
642 {
643 job_t *job;
644 u_int32_t t;
645
646 /* calculate rekey, reauth and lifetime */
647 this->stats[STAT_ESTABLISHED] = time(NULL);
648
649 /* schedule rekeying if we have a time which is smaller than
650 * an already scheduled rekeying */
651 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
652 if (t && (this->stats[STAT_REKEY] == 0 ||
653 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
654 {
655 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
656 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
657 charon->scheduler->schedule_job(charon->scheduler,
658 job, t * 1000);
659 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
660 }
661 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
662 if (t && (this->stats[STAT_REAUTH] == 0 ||
663 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
664 {
665 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
666 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
667 charon->scheduler->schedule_job(charon->scheduler,
668 job, t * 1000);
669 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
670 }
671 t = this->peer_cfg->get_over_time(this->peer_cfg);
672 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
673 {
674 if (this->stats[STAT_REAUTH] == 0)
675 {
676 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
677 }
678 else if (this->stats[STAT_REKEY] == 0)
679 {
680 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
681 }
682 else
683 {
684 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
685 this->stats[STAT_REAUTH]);
686 }
687 this->stats[STAT_DELETE] += t;
688 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
689 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
690 charon->scheduler->schedule_job(charon->scheduler, job,
691 t * 1000);
692 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
693 }
694
695 /* start DPD checks */
696 send_dpd(this);
697 }
698 break;
699 }
700 case IKE_DELETING:
701 {
702 /* delete may fail if a packet gets lost, so set a timeout */
703 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
704 charon->scheduler->schedule_job(charon->scheduler, job,
705 HALF_OPEN_IKE_SA_TIMEOUT);
706 break;
707 }
708 default:
709 break;
710 }
711 charon->bus->ike_state_change(charon->bus, &this->public, state);
712 this->state = state;
713 }
714
715 /**
716 * Implementation of ike_sa_t.reset
717 */
718 static void reset(private_ike_sa_t *this)
719 {
720 /* the responder ID is reset, as peer may choose another one */
721 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
722 {
723 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
724 }
725
726 set_state(this, IKE_CREATED);
727
728 this->task_manager->reset(this->task_manager, 0, 0);
729 }
730
731 /**
732 * Implementation of ike_sa_t.get_keymat
733 */
734 static keymat_t* get_keymat(private_ike_sa_t *this)
735 {
736 return this->keymat;
737 }
738
739 /**
740 * Implementation of ike_sa_t.set_virtual_ip
741 */
742 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
743 {
744 if (local)
745 {
746 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
747 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
748 this->my_host) == SUCCESS)
749 {
750 if (this->my_virtual_ip)
751 {
752 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
753 charon->kernel_interface->del_ip(charon->kernel_interface,
754 this->my_virtual_ip);
755 }
756 DESTROY_IF(this->my_virtual_ip);
757 this->my_virtual_ip = ip->clone(ip);
758 }
759 else
760 {
761 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
762 this->my_virtual_ip = NULL;
763 }
764 }
765 else
766 {
767 DESTROY_IF(this->other_virtual_ip);
768 this->other_virtual_ip = ip->clone(ip);
769 }
770 }
771
772 /**
773 * Implementation of ike_sa_t.get_virtual_ip
774 */
775 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
776 {
777 if (local)
778 {
779 return this->my_virtual_ip;
780 }
781 else
782 {
783 return this->other_virtual_ip;
784 }
785 }
786
787 /**
788 * Implementation of ike_sa_t.add_additional_address.
789 */
790 static void add_additional_address(private_ike_sa_t *this, host_t *host)
791 {
792 this->additional_addresses->insert_last(this->additional_addresses, host);
793 }
794
795 /**
796 * Implementation of ike_sa_t.create_additional_address_iterator.
797 */
798 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
799 {
800 return this->additional_addresses->create_iterator(
801 this->additional_addresses, TRUE);
802 }
803
804 /**
805 * Implementation of ike_sa_t.has_mapping_changed
806 */
807 static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
808 {
809 if (this->nat_detection_dest.ptr == NULL)
810 {
811 this->nat_detection_dest = chunk_clone(hash);
812 return FALSE;
813 }
814 if (chunk_equals(hash, this->nat_detection_dest))
815 {
816 return FALSE;
817 }
818 free(this->nat_detection_dest.ptr);
819 this->nat_detection_dest = chunk_clone(hash);
820 return TRUE;
821 }
822
823 /**
824 * Implementation of ike_sa_t.set_pending_updates.
825 */
826 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
827 {
828 this->pending_updates = updates;
829 }
830
831 /**
832 * Implementation of ike_sa_t.get_pending_updates.
833 */
834 static u_int32_t get_pending_updates(private_ike_sa_t *this)
835 {
836 return this->pending_updates;
837 }
838
839 /**
840 * Update hosts, as addresses may change (NAT)
841 */
842 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
843 {
844 bool update = FALSE;
845
846 if (me == NULL)
847 {
848 me = this->my_host;
849 }
850 if (other == NULL)
851 {
852 other = this->other_host;
853 }
854
855 /* apply hosts on first received message */
856 if (this->my_host->is_anyaddr(this->my_host) ||
857 this->other_host->is_anyaddr(this->other_host))
858 {
859 set_my_host(this, me->clone(me));
860 set_other_host(this, other->clone(other));
861 update = TRUE;
862 }
863 else
864 {
865 /* update our address in any case */
866 if (!me->equals(me, this->my_host))
867 {
868 set_my_host(this, me->clone(me));
869 update = TRUE;
870 }
871
872 if (!other->equals(other, this->other_host))
873 {
874 /* update others adress if we are NOT NATed,
875 * and allow port changes if we are NATed */
876 if (!has_condition(this, COND_NAT_HERE) ||
877 other->ip_equals(other, this->other_host))
878 {
879 set_other_host(this, other->clone(other));
880 update = TRUE;
881 }
882 }
883 }
884
885 /* update all associated CHILD_SAs, if required */
886 if (update)
887 {
888 iterator_t *iterator;
889 child_sa_t *child_sa;
890
891 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
892 while (iterator->iterate(iterator, (void**)&child_sa))
893 {
894 if (child_sa->update(child_sa, this->my_host,
895 this->other_host, this->my_virtual_ip,
896 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
897 {
898 this->public.rekey_child_sa(&this->public,
899 child_sa->get_protocol(child_sa),
900 child_sa->get_spi(child_sa, TRUE));
901 }
902 }
903 iterator->destroy(iterator);
904 }
905 }
906
907 /**
908 * Implementation of ike_sa_t.generate
909 */
910 static status_t generate_message(private_ike_sa_t *this, message_t *message,
911 packet_t **packet)
912 {
913 this->stats[STAT_OUTBOUND] = time(NULL);
914 message->set_ike_sa_id(message, this->ike_sa_id);
915 return message->generate(message,
916 this->keymat->get_crypter(this->keymat, FALSE),
917 this->keymat->get_signer(this->keymat, FALSE), packet);
918 }
919
920 /**
921 * send a notify back to the sender
922 */
923 static void send_notify_response(private_ike_sa_t *this, message_t *request,
924 notify_type_t type)
925 {
926 message_t *response;
927 packet_t *packet;
928
929 response = message_create();
930 response->set_exchange_type(response, request->get_exchange_type(request));
931 response->set_request(response, FALSE);
932 response->set_message_id(response, request->get_message_id(request));
933 response->add_notify(response, FALSE, type, chunk_empty);
934 if (this->my_host->is_anyaddr(this->my_host))
935 {
936 this->my_host->destroy(this->my_host);
937 this->my_host = request->get_destination(request);
938 this->my_host = this->my_host->clone(this->my_host);
939 }
940 if (this->other_host->is_anyaddr(this->other_host))
941 {
942 this->other_host->destroy(this->other_host);
943 this->other_host = request->get_source(request);
944 this->other_host = this->other_host->clone(this->other_host);
945 }
946 response->set_source(response, this->my_host->clone(this->my_host));
947 response->set_destination(response, this->other_host->clone(this->other_host));
948 if (generate_message(this, response, &packet) == SUCCESS)
949 {
950 charon->sender->send(charon->sender, packet);
951 }
952 response->destroy(response);
953 }
954
955 /**
956 * Implementation of ike_sa_t.set_kmaddress.
957 */
958 static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
959 {
960 DESTROY_IF(this->local_host);
961 DESTROY_IF(this->remote_host);
962 this->local_host = local->clone(local);
963 this->remote_host = remote->clone(remote);
964 }
965
966 #ifdef ME
967 /**
968 * Implementation of ike_sa_t.act_as_mediation_server.
969 */
970 static void act_as_mediation_server(private_ike_sa_t *this)
971 {
972 charon->mediation_manager->update_sa_id(charon->mediation_manager,
973 this->other_id, this->ike_sa_id);
974 this->is_mediation_server = TRUE;
975 }
976
977 /**
978 * Implementation of ike_sa_t.get_server_reflexive_host.
979 */
980 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
981 {
982 return this->server_reflexive_host;
983 }
984
985 /**
986 * Implementation of ike_sa_t.set_server_reflexive_host.
987 */
988 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
989 {
990 DESTROY_IF(this->server_reflexive_host);
991 this->server_reflexive_host = host;
992 }
993
994 /**
995 * Implementation of ike_sa_t.get_connect_id.
996 */
997 static chunk_t get_connect_id(private_ike_sa_t *this)
998 {
999 return this->connect_id;
1000 }
1001
1002 /**
1003 * Implementation of ike_sa_t.respond
1004 */
1005 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
1006 chunk_t connect_id)
1007 {
1008 ike_me_t *task = ike_me_create(&this->public, TRUE);
1009 task->respond(task, peer_id, connect_id);
1010 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1011 return this->task_manager->initiate(this->task_manager);
1012 }
1013
1014 /**
1015 * Implementation of ike_sa_t.callback
1016 */
1017 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
1018 {
1019 ike_me_t *task = ike_me_create(&this->public, TRUE);
1020 task->callback(task, peer_id);
1021 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1022 return this->task_manager->initiate(this->task_manager);
1023 }
1024
1025 /**
1026 * Implementation of ike_sa_t.relay
1027 */
1028 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1029 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1030 {
1031 ike_me_t *task = ike_me_create(&this->public, TRUE);
1032 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1033 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1034 return this->task_manager->initiate(this->task_manager);
1035 }
1036
1037 /**
1038 * Implementation of ike_sa_t.initiate_mediation
1039 */
1040 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1041 {
1042 ike_me_t *task = ike_me_create(&this->public, TRUE);
1043 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1044 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1045 return this->task_manager->initiate(this->task_manager);
1046 }
1047
1048 /**
1049 * Implementation of ike_sa_t.initiate_mediated
1050 */
1051 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1052 chunk_t connect_id)
1053 {
1054 set_my_host(this, me->clone(me));
1055 set_other_host(this, other->clone(other));
1056 chunk_free(&this->connect_id);
1057 this->connect_id = chunk_clone(connect_id);
1058
1059 return this->task_manager->initiate(this->task_manager);
1060 }
1061 #endif /* ME */
1062
1063 /**
1064 * Resolve DNS host in configuration
1065 */
1066 static void resolve_hosts(private_ike_sa_t *this)
1067 {
1068 host_t *host;
1069
1070 if (this->remote_host)
1071 {
1072 host = this->remote_host->clone(this->remote_host);
1073 host->set_port(host, IKEV2_UDP_PORT);
1074 }
1075 else
1076 {
1077 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1078 0, IKEV2_UDP_PORT);
1079 }
1080 if (host)
1081 {
1082 set_other_host(this, host);
1083 }
1084
1085 if (this->local_host)
1086 {
1087 host = this->local_host->clone(this->local_host);
1088 host->set_port(host, IKEV2_UDP_PORT);
1089 }
1090 else
1091 {
1092 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1093 this->my_host->get_family(this->my_host),
1094 IKEV2_UDP_PORT);
1095
1096 if (host && host->is_anyaddr(host) &&
1097 !this->other_host->is_anyaddr(this->other_host))
1098 {
1099 host->destroy(host);
1100 host = charon->kernel_interface->get_source_addr(
1101 charon->kernel_interface, this->other_host, NULL);
1102 if (host)
1103 {
1104 host->set_port(host, IKEV2_UDP_PORT);
1105 }
1106 }
1107 }
1108 if (host)
1109 {
1110 set_my_host(this, host);
1111 }
1112 }
1113
1114 /**
1115 * Initiates a CHILD_SA using the appropriate reqid
1116 */
1117 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1118 {
1119 task_t *task;
1120
1121 if (this->state == IKE_CREATED)
1122 {
1123 resolve_hosts(this);
1124
1125 if (this->other_host->is_anyaddr(this->other_host)
1126 #ifdef ME
1127 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1128 #endif /* ME */
1129 )
1130 {
1131 child_cfg->destroy(child_cfg);
1132 DBG1(DBG_IKE, "unable to initiate to %%any");
1133 return DESTROY_ME;
1134 }
1135
1136 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1137
1138 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1139 this->task_manager->queue_task(this->task_manager, task);
1140 task = (task_t*)ike_natd_create(&this->public, TRUE);
1141 this->task_manager->queue_task(this->task_manager, task);
1142 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1143 this->task_manager->queue_task(this->task_manager, task);
1144 task = (task_t*)ike_auth_create(&this->public, TRUE);
1145 this->task_manager->queue_task(this->task_manager, task);
1146 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1147 this->task_manager->queue_task(this->task_manager, task);
1148 task = (task_t*)ike_config_create(&this->public, TRUE);
1149 this->task_manager->queue_task(this->task_manager, task);
1150 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1151 this->task_manager->queue_task(this->task_manager, task);
1152 if (this->peer_cfg->use_mobike(this->peer_cfg))
1153 {
1154 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1155 this->task_manager->queue_task(this->task_manager, task);
1156 }
1157 #ifdef ME
1158 task = (task_t*)ike_me_create(&this->public, TRUE);
1159 this->task_manager->queue_task(this->task_manager, task);
1160 #endif /* ME */
1161 }
1162
1163 #ifdef ME
1164 if (this->peer_cfg->is_mediation(this->peer_cfg))
1165 {
1166 if (this->state == IKE_ESTABLISHED)
1167 {
1168 /* mediation connection is already established, retrigger state change
1169 * to notify bus listeners */
1170 DBG1(DBG_IKE, "mediation connection is already up");
1171 set_state(this, IKE_ESTABLISHED);
1172 }
1173 DESTROY_IF(child_cfg);
1174 }
1175 else
1176 #endif /* ME */
1177 {
1178 /* normal IKE_SA with CHILD_SA */
1179 task = (task_t*)child_create_create(&this->public, child_cfg);
1180 child_cfg->destroy(child_cfg);
1181 if (reqid)
1182 {
1183 child_create_t *child_create = (child_create_t*)task;
1184 child_create->use_reqid(child_create, reqid);
1185 }
1186 this->task_manager->queue_task(this->task_manager, task);
1187
1188 #ifdef ME
1189 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1190 {
1191 /* mediated connection, initiate mediation process */
1192 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1193 charon->processor->queue_job(charon->processor, job);
1194 return SUCCESS;
1195 }
1196 #endif /* ME */
1197 }
1198
1199 return this->task_manager->initiate(this->task_manager);
1200 }
1201
1202 /**
1203 * Implementation of ike_sa_t.initiate.
1204 */
1205 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1206 {
1207 return initiate_with_reqid(this, child_cfg, 0);
1208 }
1209
1210 /**
1211 * Implementation of ike_sa_t.acquire.
1212 */
1213 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1214 {
1215 child_cfg_t *child_cfg;
1216 iterator_t *iterator;
1217 child_sa_t *current, *child_sa = NULL;
1218
1219 switch (this->state)
1220 {
1221 case IKE_DELETING:
1222 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1223 "IKE_SA is deleting", reqid);
1224 return FAILED;
1225 case IKE_PASSIVE:
1226 /* do not process acquires if passive */
1227 return FAILED;
1228 default:
1229 break;
1230 }
1231
1232 /* find CHILD_SA */
1233 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1234 while (iterator->iterate(iterator, (void**)&current))
1235 {
1236 if (current->get_reqid(current) == reqid)
1237 {
1238 child_sa = current;
1239 break;
1240 }
1241 }
1242 iterator->destroy(iterator);
1243 if (!child_sa)
1244 {
1245 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1246 "CHILD_SA not found", reqid);
1247 return FAILED;
1248 }
1249
1250 child_cfg = child_sa->get_config(child_sa);
1251 child_cfg->get_ref(child_cfg);
1252
1253 return initiate_with_reqid(this, child_cfg, reqid);
1254 }
1255
1256 /**
1257 * Implementation of ike_sa_t.route.
1258 */
1259 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1260 {
1261 child_sa_t *child_sa;
1262 iterator_t *iterator;
1263 linked_list_t *my_ts, *other_ts;
1264 host_t *me, *other;
1265 status_t status;
1266
1267 /* check if not already routed*/
1268 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1269 while (iterator->iterate(iterator, (void**)&child_sa))
1270 {
1271 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1272 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1273 {
1274 iterator->destroy(iterator);
1275 DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
1276 return FAILED;
1277 }
1278 }
1279 iterator->destroy(iterator);
1280
1281 switch (this->state)
1282 {
1283 case IKE_DELETING:
1284 case IKE_REKEYING:
1285 DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
1286 ike_sa_state_names, this->state);
1287 return FAILED;
1288 case IKE_CREATED:
1289 case IKE_CONNECTING:
1290 case IKE_ESTABLISHED:
1291 case IKE_PASSIVE:
1292 default:
1293 break;
1294 }
1295
1296 resolve_hosts(this);
1297
1298 /* install kernel policies */
1299 child_sa = child_sa_create(this->my_host, this->other_host,
1300 child_cfg, 0, FALSE);
1301 me = this->my_host;
1302 if (this->my_virtual_ip)
1303 {
1304 me = this->my_virtual_ip;
1305 }
1306 other = this->other_host;
1307 if (this->other_virtual_ip)
1308 {
1309 other = this->other_virtual_ip;
1310 }
1311
1312 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1313 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1314
1315 child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg));
1316 status = child_sa->add_policies(child_sa, my_ts, other_ts);
1317
1318 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1319 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1320 if (status == SUCCESS)
1321 {
1322 this->child_sas->insert_last(this->child_sas, child_sa);
1323 DBG1(DBG_IKE, "CHILD_SA routed");
1324 }
1325 else
1326 {
1327 child_sa->destroy(child_sa);
1328 DBG1(DBG_IKE, "routing CHILD_SA failed");
1329 }
1330 return status;
1331 }
1332
1333 /**
1334 * Implementation of ike_sa_t.unroute.
1335 */
1336 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1337 {
1338 iterator_t *iterator;
1339 child_sa_t *child_sa;
1340 bool found = FALSE;
1341
1342 /* find CHILD_SA in ROUTED state */
1343 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1344 while (iterator->iterate(iterator, (void**)&child_sa))
1345 {
1346 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1347 child_sa->get_reqid(child_sa) == reqid)
1348 {
1349 iterator->remove(iterator);
1350 DBG1(DBG_IKE, "CHILD_SA unrouted");
1351 child_sa->destroy(child_sa);
1352 found = TRUE;
1353 break;
1354 }
1355 }
1356 iterator->destroy(iterator);
1357
1358 if (!found)
1359 {
1360 DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
1361 return FAILED;
1362 }
1363 /* if we are not established, and we have no more routed childs, remove whole SA */
1364 if (this->state == IKE_CREATED &&
1365 this->child_sas->get_count(this->child_sas) == 0)
1366 {
1367 return DESTROY_ME;
1368 }
1369 return SUCCESS;
1370 }
1371
1372 /**
1373 * Implementation of ike_sa_t.process_message.
1374 */
1375 static status_t process_message(private_ike_sa_t *this, message_t *message)
1376 {
1377 status_t status;
1378 bool is_request;
1379
1380 if (this->state == IKE_PASSIVE)
1381 { /* do not handle messages in passive state */
1382 return FAILED;
1383 }
1384
1385 is_request = message->get_request(message);
1386
1387 status = message->parse_body(message,
1388 this->keymat->get_crypter(this->keymat, TRUE),
1389 this->keymat->get_signer(this->keymat, TRUE));
1390 if (status != SUCCESS)
1391 {
1392
1393 if (is_request)
1394 {
1395 switch (status)
1396 {
1397 case NOT_SUPPORTED:
1398 DBG1(DBG_IKE, "critical unknown payloads found");
1399 if (is_request)
1400 {
1401 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1402 }
1403 break;
1404 case PARSE_ERROR:
1405 DBG1(DBG_IKE, "message parsing failed");
1406 if (is_request)
1407 {
1408 send_notify_response(this, message, INVALID_SYNTAX);
1409 }
1410 break;
1411 case VERIFY_ERROR:
1412 DBG1(DBG_IKE, "message verification failed");
1413 if (is_request)
1414 {
1415 send_notify_response(this, message, INVALID_SYNTAX);
1416 }
1417 break;
1418 case FAILED:
1419 DBG1(DBG_IKE, "integrity check failed");
1420 /* ignored */
1421 break;
1422 case INVALID_STATE:
1423 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1424 if (is_request)
1425 {
1426 send_notify_response(this, message, INVALID_SYNTAX);
1427 }
1428 default:
1429 break;
1430 }
1431 }
1432 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1433 exchange_type_names, message->get_exchange_type(message),
1434 message->get_request(message) ? "request" : "response",
1435 message->get_message_id(message));
1436 return status;
1437 }
1438 else
1439 {
1440 host_t *me, *other;
1441 private_ike_sa_t *new;
1442 iterator_t *iterator;
1443 child_sa_t *child;
1444 bool has_routed = FALSE;
1445
1446 me = message->get_destination(message);
1447 other = message->get_source(message);
1448
1449 /* if this IKE_SA is virgin, we check for a config */
1450 if (this->ike_cfg == NULL)
1451 {
1452 job_t *job;
1453 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1454 me, other);
1455 if (this->ike_cfg == NULL)
1456 {
1457 /* no config found for these hosts, destroy */
1458 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1459 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1460 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1461 return DESTROY_ME;
1462 }
1463 /* add a timeout if peer does not establish it completely */
1464 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1465 charon->scheduler->schedule_job(charon->scheduler, job,
1466 HALF_OPEN_IKE_SA_TIMEOUT);
1467 }
1468 this->stats[STAT_INBOUND] = time(NULL);
1469 /* check if message is trustworthy, and update host information */
1470 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1471 message->get_exchange_type(message) != IKE_SA_INIT)
1472 {
1473 if (!supports_extension(this, EXT_MOBIKE))
1474 { /* with MOBIKE, we do no implicit updates */
1475 update_hosts(this, me, other);
1476 }
1477 }
1478 status = this->task_manager->process_message(this->task_manager, message);
1479 if (status != DESTROY_ME)
1480 {
1481 return status;
1482 }
1483 /* if IKE_SA gets closed for any reasons, reroute routed children */
1484 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1485 while (iterator->iterate(iterator, (void**)&child))
1486 {
1487 if (child->get_state(child) == CHILD_ROUTED)
1488 {
1489 has_routed = TRUE;
1490 break;
1491 }
1492 }
1493 iterator->destroy(iterator);
1494 if (!has_routed)
1495 {
1496 return status;
1497 }
1498 /* move routed children to a new IKE_SA, apply connection info */
1499 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1500 charon->ike_sa_manager, TRUE);
1501 set_peer_cfg(new, this->peer_cfg);
1502 new->other_host->destroy(new->other_host);
1503 new->other_host = this->other_host->clone(this->other_host);
1504 if (!has_condition(this, COND_NAT_THERE))
1505 {
1506 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1507 }
1508 if (this->my_virtual_ip)
1509 {
1510 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1511 }
1512 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1513 while (iterator->iterate(iterator, (void**)&child))
1514 {
1515 if (child->get_state(child) == CHILD_ROUTED)
1516 {
1517 route(new, child->get_config(child));
1518 }
1519 }
1520 iterator->destroy(iterator);
1521 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1522 return status;
1523 }
1524 }
1525
1526 /**
1527 * Implementation of ike_sa_t.get_id.
1528 */
1529 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1530 {
1531 return this->ike_sa_id;
1532 }
1533
1534 /**
1535 * Implementation of ike_sa_t.get_my_id.
1536 */
1537 static identification_t* get_my_id(private_ike_sa_t *this)
1538 {
1539 return this->my_id;
1540 }
1541
1542 /**
1543 * Implementation of ike_sa_t.set_my_id.
1544 */
1545 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1546 {
1547 DESTROY_IF(this->my_id);
1548 this->my_id = me;
1549 }
1550
1551 /**
1552 * Implementation of ike_sa_t.get_other_id.
1553 */
1554 static identification_t* get_other_id(private_ike_sa_t *this)
1555 {
1556 return this->other_id;
1557 }
1558
1559 /**
1560 * Implementation of ike_sa_t.set_other_id.
1561 */
1562 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1563 {
1564 DESTROY_IF(this->other_id);
1565 this->other_id = other;
1566 }
1567
1568 /**
1569 * Implementation of ike_sa_t.get_eap_identity.
1570 */
1571 static identification_t* get_eap_identity(private_ike_sa_t *this)
1572 {
1573 return this->eap_identity;
1574 }
1575
1576 /**
1577 * Implementation of ike_sa_t.set_eap_identity.
1578 */
1579 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1580 {
1581 DESTROY_IF(this->eap_identity);
1582 this->eap_identity = id;
1583 }
1584
1585 /**
1586 * Implementation of ike_sa_t.add_child_sa.
1587 */
1588 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1589 {
1590 this->child_sas->insert_last(this->child_sas, child_sa);
1591 }
1592
1593 /**
1594 * Implementation of ike_sa_t.get_child_sa.
1595 */
1596 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1597 u_int32_t spi, bool inbound)
1598 {
1599 iterator_t *iterator;
1600 child_sa_t *current, *found = NULL;
1601
1602 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1603 while (iterator->iterate(iterator, (void**)&current))
1604 {
1605 if (current->get_spi(current, inbound) == spi &&
1606 current->get_protocol(current) == protocol)
1607 {
1608 found = current;
1609 }
1610 }
1611 iterator->destroy(iterator);
1612 return found;
1613 }
1614
1615 /**
1616 * Implementation of ike_sa_t.create_child_sa_iterator.
1617 */
1618 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1619 {
1620 return this->child_sas->create_iterator(this->child_sas, TRUE);
1621 }
1622
1623 /**
1624 * Implementation of ike_sa_t.rekey_child_sa.
1625 */
1626 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1627 u_int32_t spi)
1628 {
1629 child_rekey_t *child_rekey;
1630
1631 child_rekey = child_rekey_create(&this->public, protocol, spi);
1632 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1633 return this->task_manager->initiate(this->task_manager);
1634 }
1635
1636 /**
1637 * Implementation of ike_sa_t.delete_child_sa.
1638 */
1639 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1640 u_int32_t spi)
1641 {
1642 child_delete_t *child_delete;
1643
1644 child_delete = child_delete_create(&this->public, protocol, spi);
1645 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1646 return this->task_manager->initiate(this->task_manager);
1647 }
1648
1649 /**
1650 * Implementation of ike_sa_t.destroy_child_sa.
1651 */
1652 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1653 u_int32_t spi)
1654 {
1655 iterator_t *iterator;
1656 child_sa_t *child_sa;
1657 status_t status = NOT_FOUND;
1658
1659 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1660 while (iterator->iterate(iterator, (void**)&child_sa))
1661 {
1662 if (child_sa->get_protocol(child_sa) == protocol &&
1663 child_sa->get_spi(child_sa, TRUE) == spi)
1664 {
1665 child_sa->destroy(child_sa);
1666 iterator->remove(iterator);
1667 status = SUCCESS;
1668 break;
1669 }
1670 }
1671 iterator->destroy(iterator);
1672 return status;
1673 }
1674
1675 /**
1676 * Implementation of public_ike_sa_t.delete.
1677 */
1678 static status_t delete_(private_ike_sa_t *this)
1679 {
1680 ike_delete_t *ike_delete;
1681
1682 switch (this->state)
1683 {
1684 case IKE_ESTABLISHED:
1685 case IKE_REKEYING:
1686 ike_delete = ike_delete_create(&this->public, TRUE);
1687 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1688 return this->task_manager->initiate(this->task_manager);
1689 case IKE_CREATED:
1690 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1691 break;
1692 case IKE_PASSIVE:
1693 break;
1694 default:
1695 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1696 "without notification", ike_sa_state_names, this->state);
1697 break;
1698 }
1699 return DESTROY_ME;
1700 }
1701
1702 /**
1703 * Implementation of ike_sa_t.rekey.
1704 */
1705 static status_t rekey(private_ike_sa_t *this)
1706 {
1707 ike_rekey_t *ike_rekey;
1708
1709 ike_rekey = ike_rekey_create(&this->public, TRUE);
1710
1711 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1712 return this->task_manager->initiate(this->task_manager);
1713 }
1714
1715 /**
1716 * Implementation of ike_sa_t.reauth
1717 */
1718 static status_t reauth(private_ike_sa_t *this)
1719 {
1720 task_t *task;
1721
1722 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1723 * If the peer does not support RFC4478, there is no way to keep the
1724 * IKE_SA up. */
1725 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1726 {
1727 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1728 if (this->other_virtual_ip != NULL ||
1729 has_condition(this, COND_EAP_AUTHENTICATED)
1730 #ifdef ME
1731 /* if we are mediation server we too cannot reauth the IKE_SA */
1732 || this->is_mediation_server
1733 #endif /* ME */
1734 )
1735 {
1736 time_t now = time(NULL);
1737
1738 DBG1(DBG_IKE, "IKE_SA will timeout in %#V",
1739 &now, &this->stats[STAT_DELETE]);
1740 return FAILED;
1741 }
1742 else
1743 {
1744 DBG1(DBG_IKE, "reauthenticating actively");
1745 }
1746 }
1747 task = (task_t*)ike_reauth_create(&this->public);
1748 this->task_manager->queue_task(this->task_manager, task);
1749
1750 return this->task_manager->initiate(this->task_manager);
1751 }
1752
1753 /**
1754 * Implementation of ike_sa_t.reestablish
1755 */
1756 static status_t reestablish(private_ike_sa_t *this)
1757 {
1758 ike_sa_t *new;
1759 host_t *host;
1760 action_t action;
1761 iterator_t *iterator;
1762 child_sa_t *child_sa;
1763 child_cfg_t *child_cfg;
1764 bool required = FALSE;
1765 status_t status = FAILED;
1766
1767 /* check if we have children to keep up at all*/
1768 iterator = create_child_sa_iterator(this);
1769 while (iterator->iterate(iterator, (void**)&child_sa))
1770 {
1771 child_cfg = child_sa->get_config(child_sa);
1772 if (this->state == IKE_DELETING)
1773 {
1774 action = child_cfg->get_close_action(child_cfg);
1775 }
1776 else
1777 {
1778 action = child_cfg->get_dpd_action(child_cfg);
1779 }
1780 switch (action)
1781 {
1782 case ACTION_RESTART:
1783 case ACTION_ROUTE:
1784 required = TRUE;
1785 default:
1786 break;
1787 }
1788 }
1789 iterator->destroy(iterator);
1790 #ifdef ME
1791 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
1792 if (this->peer_cfg->is_mediation(this->peer_cfg))
1793 {
1794 required = TRUE;
1795 }
1796 #endif /* ME */
1797 if (!required)
1798 {
1799 return FAILED;
1800 }
1801
1802 /* check if we are able to reestablish this IKE_SA */
1803 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1804 (this->other_virtual_ip != NULL ||
1805 has_condition(this, COND_EAP_AUTHENTICATED)
1806 #ifdef ME
1807 || this->is_mediation_server
1808 #endif /* ME */
1809 ))
1810 {
1811 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
1812 return FAILED;
1813 }
1814
1815 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1816 new->set_peer_cfg(new, this->peer_cfg);
1817 host = this->other_host;
1818 new->set_other_host(new, host->clone(host));
1819 host = this->my_host;
1820 new->set_my_host(new, host->clone(host));
1821 /* if we already have a virtual IP, we reuse it */
1822 host = this->my_virtual_ip;
1823 if (host)
1824 {
1825 new->set_virtual_ip(new, TRUE, host);
1826 }
1827
1828 #ifdef ME
1829 if (this->peer_cfg->is_mediation(this->peer_cfg))
1830 {
1831 status = new->initiate(new, NULL);
1832 }
1833 else
1834 #endif /* ME */
1835 {
1836 iterator = create_child_sa_iterator(this);
1837 while (iterator->iterate(iterator, (void**)&child_sa))
1838 {
1839 child_cfg = child_sa->get_config(child_sa);
1840 if (this->state == IKE_DELETING)
1841 {
1842 action = child_cfg->get_close_action(child_cfg);
1843 }
1844 else
1845 {
1846 action = child_cfg->get_dpd_action(child_cfg);
1847 }
1848 switch (action)
1849 {
1850 case ACTION_RESTART:
1851 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1852 child_cfg->get_name(child_cfg));
1853 child_cfg->get_ref(child_cfg);
1854 status = new->initiate(new, child_cfg);
1855 break;
1856 case ACTION_ROUTE:
1857 status = new->route(new, child_cfg);
1858 break;
1859 default:
1860 continue;
1861 }
1862 if (status == DESTROY_ME)
1863 {
1864 break;
1865 }
1866 }
1867 iterator->destroy(iterator);
1868 }
1869
1870 if (status == DESTROY_ME)
1871 {
1872 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1873 return FAILED;
1874 }
1875 else
1876 {
1877 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1878 return SUCCESS;
1879 }
1880 }
1881
1882 /**
1883 * Implementation of ike_sa_t.retransmit.
1884 */
1885 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1886 {
1887 this->stats[STAT_OUTBOUND] = time(NULL);
1888 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1889 {
1890 /* send a proper signal to brief interested bus listeners */
1891 switch (this->state)
1892 {
1893 case IKE_CONNECTING:
1894 {
1895 /* retry IKE_SA_INIT if we have multiple keyingtries */
1896 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1897 this->keyingtry++;
1898 if (tries == 0 || tries > this->keyingtry)
1899 {
1900 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1901 this->keyingtry + 1, tries);
1902 reset(this);
1903 return this->task_manager->initiate(this->task_manager);
1904 }
1905 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1906 break;
1907 }
1908 case IKE_DELETING:
1909 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1910 break;
1911 case IKE_REKEYING:
1912 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1913 /* FALL */
1914 default:
1915 reestablish(this);
1916 break;
1917 }
1918 return DESTROY_ME;
1919 }
1920 return SUCCESS;
1921 }
1922
1923 /**
1924 * Implementation of ike_sa_t.set_auth_lifetime.
1925 */
1926 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1927 {
1928 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1929 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
1930
1931 if (lifetime < reduction)
1932 {
1933 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1934 lifetime);
1935 charon->processor->queue_job(charon->processor,
1936 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1937 }
1938 else if (this->stats[STAT_REAUTH] == 0 ||
1939 this->stats[STAT_REAUTH] > reauth_time)
1940 {
1941 this->stats[STAT_REAUTH] = reauth_time;
1942 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1943 " in %ds", lifetime, lifetime - reduction);
1944 charon->scheduler->schedule_job(charon->scheduler,
1945 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1946 (lifetime - reduction) * 1000);
1947 }
1948 else
1949 {
1950 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
1951 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
1952 }
1953 }
1954
1955 /**
1956 * Implementation of ike_sa_t.roam.
1957 */
1958 static status_t roam(private_ike_sa_t *this, bool address)
1959 {
1960 host_t *src;
1961 ike_mobike_t *mobike;
1962
1963 switch (this->state)
1964 {
1965 case IKE_CREATED:
1966 case IKE_DELETING:
1967 case IKE_PASSIVE:
1968 return SUCCESS;
1969 default:
1970 break;
1971 }
1972 /* responder just updates the peer about changed address config */
1973 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
1974 {
1975 if (supports_extension(this, EXT_MOBIKE) && address)
1976 {
1977 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1978 mobike = ike_mobike_create(&this->public, TRUE);
1979 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1980 return this->task_manager->initiate(this->task_manager);
1981 }
1982 return SUCCESS;
1983 }
1984
1985 /* keep existing path if possible */
1986 src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
1987 this->other_host, this->my_host);
1988 if (src)
1989 {
1990 if (src->ip_equals(src, this->my_host))
1991 {
1992 DBG2(DBG_IKE, "keeping connection path %H - %H",
1993 src, this->other_host);
1994 src->destroy(src);
1995 return SUCCESS;
1996 }
1997 src->destroy(src);
1998 }
1999
2000 /* update addresses with mobike, if supported ... */
2001 if (supports_extension(this, EXT_MOBIKE))
2002 {
2003 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2004 mobike = ike_mobike_create(&this->public, TRUE);
2005 mobike->roam(mobike, address);
2006 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
2007 return this->task_manager->initiate(this->task_manager);
2008 }
2009 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2010 /* ... reauth if not */
2011 return reauth(this);
2012 }
2013
2014 /**
2015 * Implementation of ike_sa_t.inherit.
2016 */
2017 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2018 {
2019 child_sa_t *child_sa;
2020 host_t *ip;
2021
2022 /* apply hosts and ids */
2023 this->my_host->destroy(this->my_host);
2024 this->other_host->destroy(this->other_host);
2025 this->my_id->destroy(this->my_id);
2026 this->other_id->destroy(this->other_id);
2027 this->my_host = other->my_host->clone(other->my_host);
2028 this->other_host = other->other_host->clone(other->other_host);
2029 this->my_id = other->my_id->clone(other->my_id);
2030 this->other_id = other->other_id->clone(other->other_id);
2031
2032 /* apply virtual assigned IPs... */
2033 if (other->my_virtual_ip)
2034 {
2035 this->my_virtual_ip = other->my_virtual_ip;
2036 other->my_virtual_ip = NULL;
2037 }
2038 if (other->other_virtual_ip)
2039 {
2040 this->other_virtual_ip = other->other_virtual_ip;
2041 other->other_virtual_ip = NULL;
2042 }
2043
2044 /* ... and DNS servers */
2045 while (other->dns_servers->remove_last(other->dns_servers,
2046 (void**)&ip) == SUCCESS)
2047 {
2048 this->dns_servers->insert_first(this->dns_servers, ip);
2049 }
2050
2051 /* inherit all conditions */
2052 this->conditions = other->conditions;
2053 if (this->conditions & COND_NAT_HERE)
2054 {
2055 send_keepalive(this);
2056 }
2057
2058 #ifdef ME
2059 if (other->is_mediation_server)
2060 {
2061 act_as_mediation_server(this);
2062 }
2063 else if (other->server_reflexive_host)
2064 {
2065 this->server_reflexive_host = other->server_reflexive_host->clone(
2066 other->server_reflexive_host);
2067 }
2068 #endif /* ME */
2069
2070 /* adopt all children */
2071 while (other->child_sas->remove_last(other->child_sas,
2072 (void**)&child_sa) == SUCCESS)
2073 {
2074 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2075 }
2076
2077 /* move pending tasks to the new IKE_SA */
2078 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2079
2080 /* reauthentication timeout survives a rekeying */
2081 if (other->stats[STAT_REAUTH])
2082 {
2083 time_t reauth, delete, now = time(NULL);
2084
2085 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2086 reauth = this->stats[STAT_REAUTH] - now;
2087 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2088 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2089 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2090 "lifetime reduced to %ds", reauth, delete);
2091 charon->scheduler->schedule_job(charon->scheduler,
2092 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2093 reauth * 1000);
2094 charon->scheduler->schedule_job(charon->scheduler,
2095 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE),
2096 delete * 1000);
2097 }
2098 /* we have to initate here, there may be new tasks to handle */
2099 return this->task_manager->initiate(this->task_manager);
2100 }
2101
2102 /**
2103 * Implementation of ike_sa_t.remove_dns_server
2104 */
2105 static void remove_dns_servers(private_ike_sa_t *this)
2106 {
2107 FILE *file;
2108 struct stat stats;
2109 chunk_t contents, line, orig_line, token;
2110 char string[INET6_ADDRSTRLEN];
2111 host_t *ip;
2112 iterator_t *iterator;
2113
2114 if (this->dns_servers->get_count(this->dns_servers) == 0)
2115 {
2116 /* don't touch anything if we have no nameservers installed */
2117 return;
2118 }
2119
2120 file = fopen(RESOLV_CONF, "r");
2121 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2122 {
2123 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2124 RESOLV_CONF, strerror(errno));
2125 return;
2126 }
2127
2128 contents = chunk_alloca((size_t)stats.st_size);
2129
2130 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2131 {
2132 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2133 fclose(file);
2134 return;
2135 }
2136
2137 fclose(file);
2138 file = fopen(RESOLV_CONF, "w");
2139 if (file == NULL)
2140 {
2141 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2142 RESOLV_CONF, strerror(errno));
2143 return;
2144 }
2145
2146 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2147 while (fetchline(&contents, &line))
2148 {
2149 bool found = FALSE;
2150 orig_line = line;
2151 if (extract_token(&token, ' ', &line) &&
2152 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2153 {
2154 if (!extract_token(&token, ' ', &line))
2155 {
2156 token = line;
2157 }
2158 iterator->reset(iterator);
2159 while (iterator->iterate(iterator, (void**)&ip))
2160 {
2161 snprintf(string, sizeof(string), "%H", ip);
2162 if (strlen(string) == token.len &&
2163 strncmp(token.ptr, string, token.len) == 0)
2164 {
2165 iterator->remove(iterator);
2166 ip->destroy(ip);
2167 found = TRUE;
2168 break;
2169 }
2170 }
2171 }
2172
2173 if (!found)
2174 {
2175 /* write line untouched back to file */
2176 ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file));
2177 fprintf(file, "\n");
2178 }
2179 }
2180 iterator->destroy(iterator);
2181 fclose(file);
2182 }
2183
2184 /**
2185 * Implementation of ike_sa_t.add_dns_server
2186 */
2187 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2188 {
2189 FILE *file;
2190 struct stat stats;
2191 chunk_t contents;
2192
2193 DBG1(DBG_IKE, "installing DNS server %H", dns);
2194
2195 file = fopen(RESOLV_CONF, "a+");
2196 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2197 {
2198 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2199 RESOLV_CONF, strerror(errno));
2200 return;
2201 }
2202
2203 contents = chunk_alloca(stats.st_size);
2204
2205 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2206 {
2207 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2208 fclose(file);
2209 return;
2210 }
2211
2212 fclose(file);
2213 file = fopen(RESOLV_CONF, "w");
2214 if (file == NULL)
2215 {
2216 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2217 RESOLV_CONF, strerror(errno));
2218 return;
2219 }
2220
2221 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2222 dns, this->other_id) < 0)
2223 {
2224 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2225 }
2226 else
2227 {
2228 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2229 }
2230 ignore_result(fwrite(contents.ptr, contents.len, 1, file));
2231
2232 fclose(file);
2233 }
2234
2235 /**
2236 * Implementation of ike_sa_t.destroy.
2237 */
2238 static void destroy(private_ike_sa_t *this)
2239 {
2240 charon->bus->set_sa(charon->bus, &this->public);
2241
2242 set_state(this, IKE_DESTROYING);
2243
2244 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2245
2246 /* unset SA after here to avoid usage by the listeners */
2247 charon->bus->set_sa(charon->bus, NULL);
2248
2249 this->task_manager->destroy(this->task_manager);
2250 this->keymat->destroy(this->keymat);
2251
2252 if (this->my_virtual_ip)
2253 {
2254 charon->kernel_interface->del_ip(charon->kernel_interface,
2255 this->my_virtual_ip);
2256 this->my_virtual_ip->destroy(this->my_virtual_ip);
2257 }
2258 if (this->other_virtual_ip)
2259 {
2260 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2261 {
2262 charon->attributes->release_address(charon->attributes,
2263 this->peer_cfg->get_pool(this->peer_cfg),
2264 this->other_virtual_ip);
2265 }
2266 this->other_virtual_ip->destroy(this->other_virtual_ip);
2267 }
2268
2269 remove_dns_servers(this);
2270 this->dns_servers->destroy_offset(this->dns_servers,
2271 offsetof(host_t, destroy));
2272 this->additional_addresses->destroy_offset(this->additional_addresses,
2273 offsetof(host_t, destroy));
2274 #ifdef ME
2275 if (this->is_mediation_server)
2276 {
2277 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2278 }
2279 DESTROY_IF(this->server_reflexive_host);
2280 chunk_free(&this->connect_id);
2281 #endif /* ME */
2282 free(this->nat_detection_dest.ptr);
2283
2284 DESTROY_IF(this->my_host);
2285 DESTROY_IF(this->other_host);
2286 DESTROY_IF(this->my_id);
2287 DESTROY_IF(this->other_id);
2288 DESTROY_IF(this->local_host);
2289 DESTROY_IF(this->remote_host);
2290 DESTROY_IF(this->eap_identity);
2291
2292 DESTROY_IF(this->ike_cfg);
2293 DESTROY_IF(this->peer_cfg);
2294 DESTROY_IF(this->my_auth);
2295 DESTROY_IF(this->other_auth);
2296 DESTROY_IF(this->proposal);
2297
2298 this->ike_sa_id->destroy(this->ike_sa_id);
2299 free(this);
2300 }
2301
2302 /*
2303 * Described in header.
2304 */
2305 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2306 {
2307 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2308 static u_int32_t unique_id = 0;
2309
2310 /* Public functions */
2311 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2312 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2313 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2314 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2315 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2316 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2317 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2318 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2319 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2320 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2321 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2322 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2323 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2324 this->public.get_my_auth = (auth_info_t*(*)(ike_sa_t*))get_my_auth;
2325 this->public.get_other_auth = (auth_info_t*(*)(ike_sa_t*))get_other_auth;
2326 this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
2327 this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
2328 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2329 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2330 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2331 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2332 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2333 this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
2334 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2335 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2336 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2337 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2338 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2339 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2340 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2341 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2342 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2343 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2344 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2345 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2346 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2347 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2348 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2349 this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
2350 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2351 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2352 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2353 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2354 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2355 this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
2356 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2357 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2358 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2359 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2360 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2361 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2362 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2363 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2364 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2365 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2366 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2367 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2368 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2369 this->public.reset = (void (*)(ike_sa_t*))reset;
2370 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2371 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2372 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2373 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2374 this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
2375 #ifdef ME
2376 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2377 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2378 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2379 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2380 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2381 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2382 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2383 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2384 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2385 #endif /* ME */
2386
2387 /* initialize private fields */
2388 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2389 this->child_sas = linked_list_create();
2390 this->my_host = host_create_any(AF_INET);
2391 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2392 this->other_host = host_create_any(AF_INET);
2393 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2394 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2395 this->eap_identity = NULL;
2396 this->extensions = 0;
2397 this->conditions = 0;
2398 this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
2399 this->state = IKE_CREATED;
2400 this->keepalive_interval = lib->settings->get_time(lib->settings,
2401 "charon.keep_alive", KEEPALIVE_INTERVAL);
2402 memset(this->stats, 0, sizeof(this->stats));
2403 this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
2404 this->ike_cfg = NULL;
2405 this->peer_cfg = NULL;
2406 this->my_auth = auth_info_create();
2407 this->other_auth = auth_info_create();
2408 this->proposal = NULL;
2409 this->task_manager = task_manager_create(&this->public);
2410 this->unique_id = ++unique_id;
2411 this->my_virtual_ip = NULL;
2412 this->other_virtual_ip = NULL;
2413 this->dns_servers = linked_list_create();
2414 this->additional_addresses = linked_list_create();
2415 this->nat_detection_dest = chunk_empty;
2416 this->pending_updates = 0;
2417 this->keyingtry = 0;
2418 this->local_host = NULL;
2419 this->remote_host = NULL;
2420 #ifdef ME
2421 this->is_mediation_server = FALSE;
2422 this->server_reflexive_host = NULL;
2423 this->connect_id = chunk_empty;
2424 #endif /* ME */
2425
2426 return &this->public;
2427 }