a3dbaa4f7ca33a4309c681e8955f86ad9f6dc7c9
[strongswan.git] / src / charon / sa / ike_sa.c
1 /**
2 * @file ike_sa.c
3 *
4 * @brief Implementation of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #include <sys/time.h>
26 #include <string.h>
27 #include <printf.h>
28 #include <sys/stat.h>
29
30 #include "ike_sa.h"
31
32 #include <library.h>
33 #include <daemon.h>
34 #include <utils/linked_list.h>
35 #include <utils/lexparser.h>
36 #include <crypto/diffie_hellman.h>
37 #include <crypto/prf_plus.h>
38 #include <crypto/crypters/crypter.h>
39 #include <crypto/hashers/hasher.h>
40 #include <encoding/payloads/sa_payload.h>
41 #include <encoding/payloads/nonce_payload.h>
42 #include <encoding/payloads/ke_payload.h>
43 #include <encoding/payloads/delete_payload.h>
44 #include <encoding/payloads/transform_substructure.h>
45 #include <encoding/payloads/transform_attribute.h>
46 #include <encoding/payloads/ts_payload.h>
47 #include <sa/task_manager.h>
48 #include <sa/tasks/ike_init.h>
49 #include <sa/tasks/ike_natd.h>
50 #include <sa/tasks/ike_auth.h>
51 #include <sa/tasks/ike_config.h>
52 #include <sa/tasks/ike_cert.h>
53 #include <sa/tasks/ike_rekey.h>
54 #include <sa/tasks/ike_delete.h>
55 #include <sa/tasks/ike_dpd.h>
56 #include <sa/tasks/child_create.h>
57 #include <sa/tasks/child_delete.h>
58 #include <sa/tasks/child_rekey.h>
59 #include <queues/jobs/retransmit_job.h>
60 #include <queues/jobs/delete_ike_sa_job.h>
61 #include <queues/jobs/send_dpd_job.h>
62 #include <queues/jobs/send_keepalive_job.h>
63 #include <queues/jobs/rekey_ike_sa_job.h>
64 #include <queues/jobs/route_job.h>
65 #include <queues/jobs/initiate_job.h>
66
67
68 #ifndef RESOLV_CONF
69 #define RESOLV_CONF "/etc/resolv.conf"
70 #endif
71
72 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
73 "CREATED",
74 "CONNECTING",
75 "ESTABLISHED",
76 "REKEYING",
77 "DELETING",
78 );
79
80 typedef struct private_ike_sa_t private_ike_sa_t;
81
82 /**
83 * Private data of an ike_sa_t object.
84 */
85 struct private_ike_sa_t {
86
87 /**
88 * Public members
89 */
90 ike_sa_t public;
91
92 /**
93 * Identifier for the current IKE_SA.
94 */
95 ike_sa_id_t *ike_sa_id;
96
97 /**
98 * unique numerical ID for this IKE_SA.
99 */
100 u_int32_t unique_id;
101
102 /**
103 * Current state of the IKE_SA
104 */
105 ike_sa_state_t state;
106
107 /**
108 * connection used to establish this IKE_SA.
109 */
110 connection_t *connection;
111
112 /**
113 * Peer and authentication information to establish IKE_SA.
114 */
115 policy_t *policy;
116
117 /**
118 * Juggles tasks to process messages
119 */
120 task_manager_t *task_manager;
121
122 /**
123 * Address of local host
124 */
125 host_t *my_host;
126
127 /**
128 * Address of remote host
129 */
130 host_t *other_host;
131
132 /**
133 * Identification used for us
134 */
135 identification_t *my_id;
136
137 /**
138 * Identification used for other
139 */
140 identification_t *other_id;
141
142 /**
143 * Linked List containing the child sa's of the current IKE_SA.
144 */
145 linked_list_t *child_sas;
146
147 /**
148 * crypter for inbound traffic
149 */
150 crypter_t *crypter_in;
151
152 /**
153 * crypter for outbound traffic
154 */
155 crypter_t *crypter_out;
156
157 /**
158 * Signer for inbound traffic
159 */
160 signer_t *signer_in;
161
162 /**
163 * Signer for outbound traffic
164 */
165 signer_t *signer_out;
166
167 /**
168 * Multi purpose prf, set key, use it, forget it
169 */
170 prf_t *prf;
171
172 /**
173 * Prf function for derivating keymat child SAs
174 */
175 prf_t *child_prf;
176
177 /**
178 * PRF to build outging authentication data
179 */
180 prf_t *auth_build;
181
182 /**
183 * PRF to verify incoming authentication data
184 */
185 prf_t *auth_verify;
186
187 /**
188 * NAT status of local host.
189 */
190 bool nat_here;
191
192 /**
193 * NAT status of remote host.
194 */
195 bool nat_there;
196
197 /**
198 * Virtual IP on local host, if any
199 */
200 host_t *my_virtual_ip;
201
202 /**
203 * Virtual IP on remote host, if any
204 */
205 host_t *other_virtual_ip;
206
207 /**
208 * List of DNS servers installed by us
209 */
210 linked_list_t *dns_servers;
211
212 /**
213 * Timestamps for this IKE_SA
214 */
215 struct {
216 /** last IKE message received */
217 u_int32_t inbound;
218 /** last IKE message sent */
219 u_int32_t outbound;
220 /** when IKE_SA became established */
221 u_int32_t established;
222 /** when IKE_SA gets rekeyed */
223 u_int32_t rekey;
224 /** when IKE_SA gets deleted */
225 u_int32_t delete;
226 } time;
227 };
228
229 /**
230 * get the time of the latest traffic processed by the kernel
231 */
232 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
233 {
234 iterator_t *iterator;
235 child_sa_t *child_sa;
236 time_t latest = 0, use_time;
237
238 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
239 while (iterator->iterate(iterator, (void**)&child_sa))
240 {
241 if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
242 {
243 latest = max(latest, use_time);
244 }
245 }
246 iterator->destroy(iterator);
247
248 if (inbound)
249 {
250 return max(this->time.inbound, latest);
251 }
252 else
253 {
254 return max(this->time.outbound, latest);
255 }
256 }
257
258 /**
259 * Implementation of ike_sa_t.get_unique_id
260 */
261 static u_int32_t get_unique_id(private_ike_sa_t *this)
262 {
263 return this->unique_id;
264 }
265
266 /**
267 * Implementation of ike_sa_t.get_name.
268 */
269 static char *get_name(private_ike_sa_t *this)
270 {
271 if (this->connection)
272 {
273 return this->connection->get_name(this->connection);
274 }
275 return "(unnamed)";
276 }
277
278 /**
279 * Implementation of ike_sa_t.get_connection
280 */
281 static connection_t* get_connection(private_ike_sa_t *this)
282 {
283 return this->connection;
284 }
285
286 /**
287 * Implementation of ike_sa_t.set_connection
288 */
289 static void set_connection(private_ike_sa_t *this, connection_t *connection)
290 {
291 this->connection = connection;
292 connection->get_ref(connection);
293 }
294
295 /**
296 * Implementation of ike_sa_t.get_policy
297 */
298 static policy_t *get_policy(private_ike_sa_t *this)
299 {
300 return this->policy;
301 }
302
303 /**
304 * Implementation of ike_sa_t.set_policy
305 */
306 static void set_policy(private_ike_sa_t *this, policy_t *policy)
307 {
308 policy->get_ref(policy);
309 this->policy = policy;
310 }
311
312 /**
313 * Implementation of ike_sa_t.get_my_host.
314 */
315 static host_t *get_my_host(private_ike_sa_t *this)
316 {
317 return this->my_host;
318 }
319
320 /**
321 * Implementation of ike_sa_t.set_my_host.
322 */
323 static void set_my_host(private_ike_sa_t *this, host_t *me)
324 {
325 DESTROY_IF(this->my_host);
326 this->my_host = me;
327 }
328
329 /**
330 * Implementation of ike_sa_t.get_other_host.
331 */
332 static host_t *get_other_host(private_ike_sa_t *this)
333 {
334 return this->other_host;
335 }
336
337 /**
338 * Implementation of ike_sa_t.set_other_host.
339 */
340 static void set_other_host(private_ike_sa_t *this, host_t *other)
341 {
342 DESTROY_IF(this->other_host);
343 this->other_host = other;
344 }
345
346 /**
347 * Update connection host, as addresses may change (NAT)
348 */
349 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
350 {
351 iterator_t *iterator = NULL;
352 child_sa_t *child_sa = NULL;
353 host_diff_t my_diff, other_diff;
354
355 if (this->my_host->is_anyaddr(this->my_host) ||
356 this->other_host->is_anyaddr(this->other_host))
357 {
358 /* on first received message */
359 this->my_host->destroy(this->my_host);
360 this->my_host = me->clone(me);
361 this->other_host->destroy(this->other_host);
362 this->other_host = other->clone(other);
363 return;
364 }
365
366 my_diff = me->get_differences(me, this->my_host);
367 other_diff = other->get_differences(other, this->other_host);
368
369 if (!my_diff && !other_diff)
370 {
371 return;
372 }
373
374 if (my_diff)
375 {
376 this->my_host->destroy(this->my_host);
377 this->my_host = me->clone(me);
378 }
379
380 if (!this->nat_here)
381 {
382 /* update without restrictions if we are not NATted */
383 if (other_diff)
384 {
385 this->other_host->destroy(this->other_host);
386 this->other_host = other->clone(other);
387 }
388 }
389 else
390 {
391 /* if we are natted, only port may change */
392 if (other_diff & HOST_DIFF_ADDR)
393 {
394 return;
395 }
396 else if (other_diff & HOST_DIFF_PORT)
397 {
398 this->other_host->set_port(this->other_host, other->get_port(other));
399 }
400 }
401 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
402 while (iterator->iterate(iterator, (void**)&child_sa))
403 {
404 child_sa->update_hosts(child_sa, this->my_host, this->other_host,
405 my_diff, other_diff);
406 }
407 iterator->destroy(iterator);
408 }
409
410 /**
411 * Implementation of ike_sa_t.generate
412 */
413 static status_t generate_message(private_ike_sa_t *this, message_t *message,
414 packet_t **packet)
415 {
416 this->time.outbound = time(NULL);
417 message->set_ike_sa_id(message, this->ike_sa_id);
418 message->set_destination(message, this->other_host->clone(this->other_host));
419 message->set_source(message, this->my_host->clone(this->my_host));
420 return message->generate(message, this->crypter_out, this->signer_out, packet);
421 }
422
423 /**
424 * send a notify back to the sender
425 */
426 static void send_notify_response(private_ike_sa_t *this, message_t *request,
427 notify_type_t type)
428 {
429 message_t *response;
430 packet_t *packet;
431
432 response = message_create();
433 response->set_exchange_type(response, request->get_exchange_type(request));
434 response->set_request(response, FALSE);
435 response->set_message_id(response, request->get_message_id(request));
436 response->add_notify(response, FALSE, type, chunk_empty);
437 if (this->my_host->is_anyaddr(this->my_host))
438 {
439 this->my_host->destroy(this->my_host);
440 this->my_host = request->get_destination(request);
441 this->my_host = this->my_host->clone(this->my_host);
442 }
443 if (this->other_host->is_anyaddr(this->other_host))
444 {
445 this->other_host->destroy(this->other_host);
446 this->other_host = request->get_source(request);
447 this->other_host = this->other_host->clone(this->other_host);
448 }
449 if (generate_message(this, response, &packet) == SUCCESS)
450 {
451 charon->send_queue->add(charon->send_queue, packet);
452 }
453 response->destroy(response);
454 }
455
456 /**
457 * Implementation of ike_sa_t.process_message.
458 */
459 static status_t process_message(private_ike_sa_t *this, message_t *message)
460 {
461 status_t status;
462 bool is_request;
463
464 is_request = message->get_request(message);
465
466 status = message->parse_body(message, this->crypter_in, this->signer_in);
467 if (status != SUCCESS)
468 {
469
470 if (is_request)
471 {
472 switch (status)
473 {
474 case NOT_SUPPORTED:
475 DBG1(DBG_IKE, "ciritcal unknown payloads found");
476 if (is_request)
477 {
478 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
479 }
480 break;
481 case PARSE_ERROR:
482 DBG1(DBG_IKE, "message parsing failed");
483 if (is_request)
484 {
485 send_notify_response(this, message, INVALID_SYNTAX);
486 }
487 break;
488 case VERIFY_ERROR:
489 DBG1(DBG_IKE, "message verification failed");
490 if (is_request)
491 {
492 send_notify_response(this, message, INVALID_SYNTAX);
493 }
494 break;
495 case FAILED:
496 DBG1(DBG_IKE, "integrity check failed");
497 /* ignored */
498 break;
499 case INVALID_STATE:
500 DBG1(DBG_IKE, "found encrypted message, but no keys available");
501 if (is_request)
502 {
503 send_notify_response(this, message, INVALID_SYNTAX);
504 }
505 default:
506 break;
507 }
508 }
509 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
510 exchange_type_names, message->get_exchange_type(message),
511 message->get_request(message) ? "request" : "response",
512 message->get_message_id(message));
513 return status;
514 }
515 else
516 {
517 host_t *me, *other;
518
519 me = message->get_destination(message);
520 other = message->get_source(message);
521
522 /* if this IKE_SA is virgin, we check for a connection */
523 if (this->connection == NULL)
524 {
525 this->connection = charon->connections->get_connection_by_hosts(
526 charon->connections, me, other);
527 if (this->connection == NULL)
528 {
529 /* no connection found for these hosts, destroy */
530 DBG1(DBG_IKE, "no connection found for %H...%H, sending %N",
531 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
532 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
533 return DESTROY_ME;
534 }
535 }
536
537 /* check if message is trustworthy, and update connection information */
538 if (this->state == IKE_CREATED ||
539 message->get_exchange_type(message) != IKE_SA_INIT)
540 {
541 update_hosts(this, me, other);
542 this->time.inbound = time(NULL);
543 }
544 return this->task_manager->process_message(this->task_manager, message);
545 }
546 }
547
548 /**
549 * apply the connection/policy information to this IKE_SA
550 */
551 static void apply_config(private_ike_sa_t *this,
552 connection_t *connection, policy_t *policy)
553 {
554 host_t *me, *other;
555 identification_t *my_id, *other_id;
556
557 if (this->connection == NULL && this->policy == NULL)
558 {
559 this->connection = connection;
560 connection->get_ref(connection);
561 this->policy = policy;
562 policy->get_ref(policy);
563
564 me = connection->get_my_host(connection);
565 other = connection->get_other_host(connection);
566 my_id = policy->get_my_id(policy);
567 other_id = policy->get_other_id(policy);
568 set_my_host(this, me->clone(me));
569 set_other_host(this, other->clone(other));
570 DESTROY_IF(this->my_id);
571 DESTROY_IF(this->other_id);
572 this->my_id = my_id->clone(my_id);
573 this->other_id = other_id->clone(other_id);
574 }
575 }
576
577 /**
578 * Implementation of ike_sa_t.initiate.
579 */
580 static status_t initiate(private_ike_sa_t *this,
581 connection_t *connection, policy_t *policy)
582 {
583 task_t *task;
584
585 if (this->state == IKE_CREATED)
586 {
587 /* if we aren't established/establishing, do so */
588 apply_config(this, connection, policy);
589
590 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
591 this->task_manager->queue_task(this->task_manager, task);
592 task = (task_t*)ike_natd_create(&this->public, TRUE);
593 this->task_manager->queue_task(this->task_manager, task);
594 task = (task_t*)ike_cert_create(&this->public, TRUE);
595 this->task_manager->queue_task(this->task_manager, task);
596 task = (task_t*)ike_auth_create(&this->public, TRUE);
597 this->task_manager->queue_task(this->task_manager, task);
598 task = (task_t*)ike_config_create(&this->public, policy);
599 this->task_manager->queue_task(this->task_manager, task);
600 }
601
602 task = (task_t*)child_create_create(&this->public, policy);
603 this->task_manager->queue_task(this->task_manager, task);
604
605 return this->task_manager->initiate(this->task_manager);
606 }
607
608 /**
609 * Implementation of ike_sa_t.acquire.
610 */
611 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
612 {
613 policy_t *policy;
614 iterator_t *iterator;
615 child_sa_t *current, *child_sa = NULL;
616 task_t *task;
617 child_create_t *child_create;
618
619 if (this->state == IKE_DELETING)
620 {
621 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
622 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
623 "IKE_SA is deleting", reqid);
624 return FAILED;
625 }
626
627 /* find CHILD_SA */
628 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
629 while (iterator->iterate(iterator, (void**)&current))
630 {
631 if (current->get_reqid(current) == reqid)
632 {
633 child_sa = current;
634 break;
635 }
636 }
637 iterator->destroy(iterator);
638 if (!child_sa)
639 {
640 SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
641 SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
642 "CHILD_SA not found", reqid);
643 return FAILED;
644 }
645
646 policy = child_sa->get_policy(child_sa);
647
648 if (this->state == IKE_CREATED)
649 {
650 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
651 this->task_manager->queue_task(this->task_manager, task);
652 task = (task_t*)ike_natd_create(&this->public, TRUE);
653 this->task_manager->queue_task(this->task_manager, task);
654 task = (task_t*)ike_cert_create(&this->public, TRUE);
655 this->task_manager->queue_task(this->task_manager, task);
656 task = (task_t*)ike_auth_create(&this->public, TRUE);
657 this->task_manager->queue_task(this->task_manager, task);
658 task = (task_t*)ike_config_create(&this->public, policy);
659 this->task_manager->queue_task(this->task_manager, task);
660 }
661
662 child_create = child_create_create(&this->public, policy);
663 child_create->use_reqid(child_create, reqid);
664 this->task_manager->queue_task(this->task_manager, (task_t*)child_create);
665
666 return this->task_manager->initiate(this->task_manager);
667 }
668
669 /**
670 * compare two lists of traffic selectors for equality
671 */
672 static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2)
673 {
674 bool equals = TRUE;
675 iterator_t *i1, *i2;
676 traffic_selector_t *t1, *t2;
677
678 if (l1->get_count(l1) != l2->get_count(l2))
679 {
680 return FALSE;
681 }
682
683 i1 = l1->create_iterator(l1, TRUE);
684 i2 = l2->create_iterator(l2, TRUE);
685 while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2))
686 {
687 if (!t1->equals(t1, t2))
688 {
689 equals = FALSE;
690 break;
691 }
692 }
693 i1->destroy(i1);
694 i2->destroy(i2);
695 return equals;
696 }
697
698 /**
699 * Implementation of ike_sa_t.route.
700 */
701 static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy)
702 {
703 child_sa_t *child_sa = NULL;
704 iterator_t *iterator;
705 linked_list_t *my_ts, *other_ts;
706 status_t status;
707
708 SIG(CHILD_ROUTE_START, "routing CHILD_SA");
709
710 /* check if not already routed*/
711 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
712 while (iterator->iterate(iterator, (void**)&child_sa))
713 {
714 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
715 {
716 linked_list_t *my_ts_conf, *other_ts_conf;
717
718 my_ts = child_sa->get_my_traffic_selectors(child_sa);
719 other_ts = child_sa->get_other_traffic_selectors(child_sa);
720
721 my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
722 other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
723
724 if (ts_list_equals(my_ts, my_ts_conf) &&
725 ts_list_equals(other_ts, other_ts_conf))
726 {
727 iterator->destroy(iterator);
728 my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
729 other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
730 SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed");
731 return FAILED;
732 }
733 my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
734 other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
735 }
736 }
737 iterator->destroy(iterator);
738
739 switch (this->state)
740 {
741 case IKE_DELETING:
742 case IKE_REKEYING:
743 SIG(CHILD_ROUTE_FAILED,
744 "unable to route CHILD_SA, as its IKE_SA gets deleted");
745 return FAILED;
746 case IKE_CREATED:
747 /* apply connection information, we need it to acquire */
748 apply_config(this, connection, policy);
749 break;
750 case IKE_CONNECTING:
751 case IKE_ESTABLISHED:
752 default:
753 break;
754 }
755
756 /* install kernel policies */
757 child_sa = child_sa_create(this->my_host, this->other_host,
758 this->my_id, this->other_id, policy, FALSE, 0);
759
760 my_ts = policy->get_my_traffic_selectors(policy, this->my_host);
761 other_ts = policy->get_other_traffic_selectors(policy, this->other_host);
762 status = child_sa->add_policies(child_sa, my_ts, other_ts,
763 policy->get_mode(policy));
764 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
765 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
766 this->child_sas->insert_last(this->child_sas, child_sa);
767 SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
768 return status;
769 }
770
771 /**
772 * Implementation of ike_sa_t.unroute.
773 */
774 static status_t unroute(private_ike_sa_t *this, policy_t *policy)
775 {
776 iterator_t *iterator;
777 child_sa_t *child_sa = NULL;
778 bool found = FALSE;
779 linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
780
781 SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
782
783 /* find CHILD_SA in ROUTED state */
784 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
785 while (iterator->iterate(iterator, (void**)&child_sa))
786 {
787 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
788 {
789 my_ts = child_sa->get_my_traffic_selectors(child_sa);
790 other_ts = child_sa->get_other_traffic_selectors(child_sa);
791
792 my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
793 other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
794
795 if (ts_list_equals(my_ts, my_ts_conf) &&
796 ts_list_equals(other_ts, other_ts_conf))
797 {
798 iterator->remove(iterator);
799 SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
800 child_sa->destroy(child_sa);
801 my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
802 other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
803 found = TRUE;
804 break;
805 }
806 my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
807 other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
808 }
809 }
810 iterator->destroy(iterator);
811
812 if (!found)
813 {
814 SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
815 return FAILED;
816 }
817 /* if we are not established, and we have no more routed childs, remove whole SA */
818 if (this->state == IKE_CREATED &&
819 this->child_sas->get_count(this->child_sas) == 0)
820 {
821 return DESTROY_ME;
822 }
823 return SUCCESS;
824 }
825
826 /**
827 * Implementation of ike_sa_t.retransmit.
828 */
829 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
830 {
831 this->time.outbound = time(NULL);
832 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
833 {
834 policy_t *policy;
835 child_sa_t* child_sa;
836 linked_list_t *to_route, *to_restart;
837 iterator_t *iterator;
838
839 /* send a proper signal to brief interested bus listeners */
840 switch (this->state)
841 {
842 case IKE_CONNECTING:
843 SIG(IKE_UP_FAILED, "establishing IKE_SA failed, peer not responding");
844 break;
845 case IKE_REKEYING:
846 SIG(IKE_REKEY_FAILED, "rekeying IKE_SA failed, peer not responding");
847 break;
848 case IKE_DELETING:
849 SIG(IKE_DOWN_FAILED, "proper IKE_SA delete failed, peer not responding");
850 break;
851 default:
852 break;
853 }
854
855 /* summarize how we have to handle each child */
856 to_route = linked_list_create();
857 to_restart = linked_list_create();
858 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
859 while (iterator->iterate(iterator, (void**)&child_sa))
860 {
861 policy = child_sa->get_policy(child_sa);
862
863 if (child_sa->get_state(child_sa) == CHILD_ROUTED)
864 {
865 /* reroute routed CHILD_SAs */
866 to_route->insert_last(to_route, policy);
867 }
868 else
869 {
870 /* use DPD action for established CHILD_SAs */
871 switch (policy->get_dpd_action(policy))
872 {
873 case DPD_ROUTE:
874 to_route->insert_last(to_route, policy);
875 break;
876 case DPD_RESTART:
877 to_restart->insert_last(to_restart, policy);
878 break;
879 default:
880 break;
881 }
882 }
883 }
884 iterator->destroy(iterator);
885
886 /* create a new IKE_SA if we have to route or to restart */
887 if (to_route->get_count(to_route) || to_restart->get_count(to_restart))
888 {
889 ike_sa_id_t *other_id;
890 private_ike_sa_t *new;
891 task_t *task;
892
893 other_id = ike_sa_id_create(0, 0, TRUE);
894 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout(
895 charon->ike_sa_manager, other_id);
896 other_id->destroy(other_id);
897
898 apply_config(new, this->connection, this->policy);
899 /* use actual used host, not the wildcarded one in connection */
900 new->other_host->destroy(new->other_host);
901 new->other_host = this->other_host->clone(this->other_host);
902
903 /* install routes */
904 while (to_route->remove_last(to_route, (void**)&policy) == SUCCESS)
905 {
906 route(new, new->connection, policy);
907 }
908
909 /* restart children */
910 if (to_restart->get_count(to_restart))
911 {
912 task = (task_t*)ike_init_create(&new->public, TRUE, NULL);
913 new->task_manager->queue_task(new->task_manager, task);
914 task = (task_t*)ike_natd_create(&new->public, TRUE);
915 new->task_manager->queue_task(new->task_manager, task);
916 task = (task_t*)ike_cert_create(&new->public, TRUE);
917 new->task_manager->queue_task(new->task_manager, task);
918 task = (task_t*)ike_config_create(&new->public, new->policy);
919 new->task_manager->queue_task(new->task_manager, task);
920 task = (task_t*)ike_auth_create(&new->public, TRUE);
921 new->task_manager->queue_task(new->task_manager, task);
922
923 while (to_restart->remove_last(to_restart, (void**)&policy) == SUCCESS)
924 {
925 task = (task_t*)child_create_create(&new->public, policy);
926 new->task_manager->queue_task(new->task_manager, task);
927 }
928 new->task_manager->initiate(new->task_manager);
929 }
930 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
931 }
932 to_route->destroy(to_route);
933 to_restart->destroy(to_restart);
934 return DESTROY_ME;
935 }
936 return SUCCESS;
937 }
938
939 /**
940 * Implementation of ike_sa_t.send_dpd
941 */
942 static status_t send_dpd(private_ike_sa_t *this)
943 {
944 send_dpd_job_t *job;
945 time_t diff, delay;
946
947 delay = this->connection->get_dpd_delay(this->connection);
948
949 if (delay == 0)
950 {
951 /* DPD disabled */
952 return SUCCESS;
953 }
954
955 if (this->task_manager->busy(this->task_manager))
956 {
957 /* an exchange is in the air, no need to start a DPD check */
958 diff = 0;
959 }
960 else
961 {
962 /* check if there was any inbound traffic */
963 time_t last_in, now;
964 last_in = get_use_time(this, TRUE);
965 now = time(NULL);
966 diff = now - last_in;
967 if (diff >= delay)
968 {
969 /* to long ago, initiate dead peer detection */
970 task_t *task;
971
972 task = (task_t*)ike_dpd_create(TRUE);
973 diff = 0;
974 DBG1(DBG_IKE, "sending DPD request");
975
976 this->task_manager->queue_task(this->task_manager, task);
977 this->task_manager->initiate(this->task_manager);
978 }
979 }
980 /* recheck in "interval" seconds */
981 job = send_dpd_job_create(this->ike_sa_id);
982 charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
983 (delay - diff) * 1000);
984 return SUCCESS;
985 }
986
987 /**
988 * Implementation of ike_sa_t.send_keepalive
989 */
990 static void send_keepalive(private_ike_sa_t *this)
991 {
992 send_keepalive_job_t *job;
993 time_t last_out, now, diff, interval;
994
995 last_out = get_use_time(this, FALSE);
996 now = time(NULL);
997
998 diff = now - last_out;
999 interval = charon->configuration->get_keepalive_interval(charon->configuration);
1000
1001 if (diff >= interval)
1002 {
1003 packet_t *packet;
1004 chunk_t data;
1005
1006 packet = packet_create();
1007 packet->set_source(packet, this->my_host->clone(this->my_host));
1008 packet->set_destination(packet, this->other_host->clone(this->other_host));
1009 data.ptr = malloc(1);
1010 data.ptr[0] = 0xFF;
1011 data.len = 1;
1012 packet->set_data(packet, data);
1013 charon->send_queue->add(charon->send_queue, packet);
1014 DBG1(DBG_IKE, "sending keep alive");
1015 diff = 0;
1016 }
1017 job = send_keepalive_job_create(this->ike_sa_id);
1018 charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
1019 (interval - diff) * 1000);
1020 }
1021
1022 /**
1023 * Implementation of ike_sa_t.get_state.
1024 */
1025 static ike_sa_state_t get_state(private_ike_sa_t *this)
1026 {
1027 return this->state;
1028 }
1029
1030 /**
1031 * Implementation of ike_sa_t.set_state.
1032 */
1033 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
1034 {
1035 DBG1(DBG_IKE, "IKE_SA state change: %N => %N",
1036 ike_sa_state_names, this->state,
1037 ike_sa_state_names, state);
1038
1039 if (state == IKE_ESTABLISHED)
1040 {
1041 job_t *job;
1042 u_int32_t now = time(NULL);
1043 u_int32_t soft, hard;
1044 bool reauth;
1045
1046 this->time.established = now;
1047 /* start DPD checks */
1048 send_dpd(this);
1049
1050 /* schedule rekeying/reauthentication */
1051 soft = this->connection->get_soft_lifetime(this->connection);
1052 hard = this->connection->get_hard_lifetime(this->connection);
1053 reauth = this->connection->get_reauth(this->connection);
1054 DBG1(DBG_IKE, "scheduling %s in %ds, maximum lifetime %ds",
1055 reauth ? "reauthentication": "rekeying", soft, hard);
1056
1057 if (soft)
1058 {
1059 this->time.rekey = now + soft;
1060 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, reauth);
1061 charon->event_queue->add_relative(charon->event_queue, job,
1062 soft * 1000);
1063 }
1064
1065 if (hard)
1066 {
1067 this->time.delete = now + hard;
1068 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
1069 charon->event_queue->add_relative(charon->event_queue, job,
1070 hard * 1000);
1071 }
1072 }
1073
1074 this->state = state;
1075 }
1076
1077 /**
1078 * Implementation of ike_sa_t.get_prf.
1079 */
1080 static prf_t *get_prf(private_ike_sa_t *this)
1081 {
1082 return this->prf;
1083 }
1084
1085 /**
1086 * Implementation of ike_sa_t.get_prf.
1087 */
1088 static prf_t *get_child_prf(private_ike_sa_t *this)
1089 {
1090 return this->child_prf;
1091 }
1092
1093 /**
1094 * Implementation of ike_sa_t.get_auth_bild
1095 */
1096 static prf_t *get_auth_build(private_ike_sa_t *this)
1097 {
1098 return this->auth_build;
1099 }
1100
1101 /**
1102 * Implementation of ike_sa_t.get_auth_verify
1103 */
1104 static prf_t *get_auth_verify(private_ike_sa_t *this)
1105 {
1106 return this->auth_verify;
1107 }
1108
1109 /**
1110 * Implementation of ike_sa_t.get_id.
1111 */
1112 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1113 {
1114 return this->ike_sa_id;
1115 }
1116
1117 /**
1118 * Implementation of ike_sa_t.get_my_id.
1119 */
1120 static identification_t* get_my_id(private_ike_sa_t *this)
1121 {
1122 return this->my_id;
1123 }
1124
1125 /**
1126 * Implementation of ike_sa_t.set_my_id.
1127 */
1128 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1129 {
1130 DESTROY_IF(this->my_id);
1131 this->my_id = me;
1132 }
1133
1134 /**
1135 * Implementation of ike_sa_t.get_other_id.
1136 */
1137 static identification_t* get_other_id(private_ike_sa_t *this)
1138 {
1139 return this->other_id;
1140 }
1141
1142 /**
1143 * Implementation of ike_sa_t.set_other_id.
1144 */
1145 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1146 {
1147 DESTROY_IF(this->other_id);
1148 this->other_id = other;
1149 }
1150
1151 /**
1152 * Implementation of ike_sa_t.derive_keys.
1153 */
1154 static status_t derive_keys(private_ike_sa_t *this,
1155 proposal_t *proposal, chunk_t secret,
1156 chunk_t nonce_i, chunk_t nonce_r,
1157 bool initiator, prf_t *child_prf, prf_t *old_prf)
1158 {
1159 prf_plus_t *prf_plus;
1160 chunk_t skeyseed, key, nonces, prf_plus_seed;
1161 algorithm_t *algo;
1162 size_t key_size;
1163 crypter_t *crypter_i, *crypter_r;
1164 signer_t *signer_i, *signer_r;
1165 prf_t *prf_i, *prf_r;
1166 u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
1167 chunk_t spi_i = chunk_from_buf(spi_i_buf);
1168 chunk_t spi_r = chunk_from_buf(spi_r_buf);
1169
1170 /* Create SAs general purpose PRF first, we may use it here */
1171 if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
1172 {
1173 DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
1174 return FAILED;
1175 }
1176 this->prf = prf_create(algo->algorithm);
1177 if (this->prf == NULL)
1178 {
1179 DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
1180 "%N not supported!", pseudo_random_function_names, algo->algorithm);
1181 return FAILED;
1182 }
1183
1184 DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
1185 nonces = chunk_cat("cc", nonce_i, nonce_r);
1186 *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
1187 *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
1188 prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
1189
1190 /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
1191 *
1192 * if we are rekeying, SKEYSEED is built on another way
1193 */
1194 if (child_prf == NULL) /* not rekeying */
1195 {
1196 /* SKEYSEED = prf(Ni | Nr, g^ir) */
1197 this->prf->set_key(this->prf, nonces);
1198 this->prf->allocate_bytes(this->prf, secret, &skeyseed);
1199 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1200 this->prf->set_key(this->prf, skeyseed);
1201 chunk_free(&skeyseed);
1202 chunk_free(&secret);
1203 prf_plus = prf_plus_create(this->prf, prf_plus_seed);
1204 }
1205 else
1206 {
1207 /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
1208 * use OLD SAs PRF functions for both prf_plus and prf */
1209 secret = chunk_cat("mc", secret, nonces);
1210 child_prf->allocate_bytes(child_prf, secret, &skeyseed);
1211 DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
1212 old_prf->set_key(old_prf, skeyseed);
1213 chunk_free(&skeyseed);
1214 chunk_free(&secret);
1215 prf_plus = prf_plus_create(old_prf, prf_plus_seed);
1216 }
1217 chunk_free(&nonces);
1218 chunk_free(&prf_plus_seed);
1219
1220 /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
1221
1222 /* SK_d is used for generating CHILD_SA key mat => child_prf */
1223 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
1224 this->child_prf = prf_create(algo->algorithm);
1225 key_size = this->child_prf->get_key_size(this->child_prf);
1226 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1227 DBG4(DBG_IKE, "Sk_d secret %B", &key);
1228 this->child_prf->set_key(this->child_prf, key);
1229 chunk_free(&key);
1230
1231 /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
1232 if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
1233 {
1234 DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
1235 return FAILED;
1236 }
1237 signer_i = signer_create(algo->algorithm);
1238 signer_r = signer_create(algo->algorithm);
1239 if (signer_i == NULL || signer_r == NULL)
1240 {
1241 DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
1242 "%N not supported!", integrity_algorithm_names ,algo->algorithm);
1243 return FAILED;
1244 }
1245 key_size = signer_i->get_key_size(signer_i);
1246
1247 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1248 DBG4(DBG_IKE, "Sk_ai secret %B", &key);
1249 signer_i->set_key(signer_i, key);
1250 chunk_free(&key);
1251
1252 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1253 DBG4(DBG_IKE, "Sk_ar secret %B", &key);
1254 signer_r->set_key(signer_r, key);
1255 chunk_free(&key);
1256
1257 if (initiator)
1258 {
1259 this->signer_in = signer_r;
1260 this->signer_out = signer_i;
1261 }
1262 else
1263 {
1264 this->signer_in = signer_i;
1265 this->signer_out = signer_r;
1266 }
1267
1268 /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
1269 if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
1270 {
1271 DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
1272 return FAILED;
1273 }
1274 crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
1275 crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
1276 if (crypter_i == NULL || crypter_r == NULL)
1277 {
1278 DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
1279 "%N (key size %d) not supported!",
1280 encryption_algorithm_names, algo->algorithm, algo->key_size);
1281 return FAILED;
1282 }
1283 key_size = crypter_i->get_key_size(crypter_i);
1284
1285 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1286 DBG4(DBG_IKE, "Sk_ei secret %B", &key);
1287 crypter_i->set_key(crypter_i, key);
1288 chunk_free(&key);
1289
1290 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1291 DBG4(DBG_IKE, "Sk_er secret %B", &key);
1292 crypter_r->set_key(crypter_r, key);
1293 chunk_free(&key);
1294
1295 if (initiator)
1296 {
1297 this->crypter_in = crypter_r;
1298 this->crypter_out = crypter_i;
1299 }
1300 else
1301 {
1302 this->crypter_in = crypter_i;
1303 this->crypter_out = crypter_r;
1304 }
1305
1306 /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
1307 proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
1308 prf_i = prf_create(algo->algorithm);
1309 prf_r = prf_create(algo->algorithm);
1310
1311 key_size = prf_i->get_key_size(prf_i);
1312 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1313 DBG4(DBG_IKE, "Sk_pi secret %B", &key);
1314 prf_i->set_key(prf_i, key);
1315 chunk_free(&key);
1316
1317 prf_plus->allocate_bytes(prf_plus, key_size, &key);
1318 DBG4(DBG_IKE, "Sk_pr secret %B", &key);
1319 prf_r->set_key(prf_r, key);
1320 chunk_free(&key);
1321
1322 if (initiator)
1323 {
1324 this->auth_verify = prf_r;
1325 this->auth_build = prf_i;
1326 }
1327 else
1328 {
1329 this->auth_verify = prf_i;
1330 this->auth_build = prf_r;
1331 }
1332
1333 /* all done, prf_plus not needed anymore */
1334 prf_plus->destroy(prf_plus);
1335
1336 return SUCCESS;
1337 }
1338
1339 /**
1340 * Implementation of ike_sa_t.add_child_sa.
1341 */
1342 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1343 {
1344 this->child_sas->insert_last(this->child_sas, child_sa);
1345 }
1346
1347 /**
1348 * Implementation of ike_sa_t.get_child_sa.
1349 */
1350 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1351 u_int32_t spi, bool inbound)
1352 {
1353 iterator_t *iterator;
1354 child_sa_t *current, *found = NULL;
1355
1356 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1357 while (iterator->iterate(iterator, (void**)&current))
1358 {
1359 if (current->get_spi(current, inbound) == spi &&
1360 current->get_protocol(current) == protocol)
1361 {
1362 found = current;
1363 }
1364 }
1365 iterator->destroy(iterator);
1366 return found;
1367 }
1368
1369 /**
1370 * Implementation of ike_sa_t.create_child_sa_iterator.
1371 */
1372 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1373 {
1374 return this->child_sas->create_iterator(this->child_sas, TRUE);
1375 }
1376
1377 /**
1378 * Implementation of ike_sa_t.rekey_child_sa.
1379 */
1380 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1381 {
1382 child_sa_t *child_sa;
1383 child_rekey_t *child_rekey;
1384
1385 child_sa = get_child_sa(this, protocol, spi, TRUE);
1386 if (child_sa)
1387 {
1388 child_rekey = child_rekey_create(&this->public, child_sa);
1389 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1390 return this->task_manager->initiate(this->task_manager);
1391 }
1392 return FAILED;
1393 }
1394
1395 /**
1396 * Implementation of ike_sa_t.delete_child_sa.
1397 */
1398 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1399 {
1400 child_sa_t *child_sa;
1401 child_delete_t *child_delete;
1402
1403 child_sa = get_child_sa(this, protocol, spi, TRUE);
1404 if (child_sa)
1405 {
1406 child_delete = child_delete_create(&this->public, child_sa);
1407 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1408 return this->task_manager->initiate(this->task_manager);
1409 }
1410 return FAILED;
1411 }
1412
1413 /**
1414 * Implementation of ike_sa_t.destroy_child_sa.
1415 */
1416 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1417 u_int32_t spi)
1418 {
1419 iterator_t *iterator;
1420 child_sa_t *child_sa;
1421 status_t status = NOT_FOUND;
1422
1423 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1424 while (iterator->iterate(iterator, (void**)&child_sa))
1425 {
1426 if (child_sa->get_protocol(child_sa) == protocol &&
1427 child_sa->get_spi(child_sa, TRUE) == spi)
1428 {
1429 child_sa->destroy(child_sa);
1430 iterator->remove(iterator);
1431 status = SUCCESS;
1432 break;
1433 }
1434 }
1435 iterator->destroy(iterator);
1436 return status;
1437 }
1438
1439 /**
1440 * Implementation of public_ike_sa_t.delete.
1441 */
1442 static status_t delete_(private_ike_sa_t *this)
1443 {
1444 ike_delete_t *ike_delete;
1445
1446 switch (this->state)
1447 {
1448 case IKE_ESTABLISHED:
1449 DBG1(DBG_IKE, "deleting IKE_SA");
1450 /* do not log when rekeyed */
1451 case IKE_REKEYING:
1452 ike_delete = ike_delete_create(&this->public, TRUE);
1453 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1454 return this->task_manager->initiate(this->task_manager);
1455 default:
1456 DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1457 ike_sa_state_names, this->state);
1458 break;
1459 }
1460 return DESTROY_ME;
1461 }
1462
1463 /**
1464 * Implementation of ike_sa_t.rekey.
1465 */
1466 static status_t rekey(private_ike_sa_t *this)
1467 {
1468 ike_rekey_t *ike_rekey;
1469
1470 ike_rekey = ike_rekey_create(&this->public, TRUE);
1471
1472 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1473 return this->task_manager->initiate(this->task_manager);
1474 }
1475
1476 /**
1477 * Implementation of ike_sa_t.reestablish
1478 */
1479 static void reestablish(private_ike_sa_t *this)
1480 {
1481 ike_sa_id_t *other_id;
1482 private_ike_sa_t *other;
1483 iterator_t *iterator;
1484 child_sa_t *child_sa;
1485 policy_t *policy;
1486 task_t *task;
1487 job_t *job;
1488
1489 other_id = ike_sa_id_create(0, 0, TRUE);
1490 other = (private_ike_sa_t*)charon->ike_sa_manager->checkout(
1491 charon->ike_sa_manager, other_id);
1492 other_id->destroy(other_id);
1493
1494 apply_config(other, this->connection, this->policy);
1495 other->other_host->destroy(other->other_host);
1496 other->other_host = this->other_host->clone(this->other_host);
1497
1498 if (this->state == IKE_ESTABLISHED)
1499 {
1500 task = (task_t*)ike_init_create(&other->public, TRUE, NULL);
1501 other->task_manager->queue_task(other->task_manager, task);
1502 task = (task_t*)ike_natd_create(&other->public, TRUE);
1503 other->task_manager->queue_task(other->task_manager, task);
1504 task = (task_t*)ike_cert_create(&other->public, TRUE);
1505 other->task_manager->queue_task(other->task_manager, task);
1506 task = (task_t*)ike_config_create(&other->public, other->policy);
1507 other->task_manager->queue_task(other->task_manager, task);
1508 task = (task_t*)ike_auth_create(&other->public, TRUE);
1509 other->task_manager->queue_task(other->task_manager, task);
1510 }
1511
1512 other->task_manager->adopt_tasks(other->task_manager, this->task_manager);
1513
1514 /* Create task for established children, adopt routed children directly */
1515 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1516 while(iterator->iterate(iterator, (void**)&child_sa))
1517 {
1518 switch (child_sa->get_state(child_sa))
1519 {
1520 case CHILD_ROUTED:
1521 {
1522 iterator->remove(iterator);
1523 other->child_sas->insert_first(other->child_sas, child_sa);
1524 break;
1525 }
1526 default:
1527 {
1528 policy = child_sa->get_policy(child_sa);
1529 task = (task_t*)child_create_create(&other->public, policy);
1530 other->task_manager->queue_task(other->task_manager, task);
1531 break;
1532 }
1533 }
1534 }
1535 iterator->destroy(iterator);
1536
1537 other->task_manager->initiate(other->task_manager);
1538
1539 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &other->public);
1540
1541 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
1542 charon->job_queue->add(charon->job_queue, job);
1543 }
1544
1545 /**
1546 * Implementation of ike_sa_t.inherit.
1547 */
1548 static void inherit(private_ike_sa_t *this, private_ike_sa_t *other)
1549 {
1550 child_sa_t *child_sa;
1551 host_t *ip;
1552
1553 /* apply hosts and ids */
1554 this->my_host->destroy(this->my_host);
1555 this->other_host->destroy(this->other_host);
1556 this->my_id->destroy(this->my_id);
1557 this->other_id->destroy(this->other_id);
1558 this->my_host = other->my_host->clone(other->my_host);
1559 this->other_host = other->other_host->clone(other->other_host);
1560 this->my_id = other->my_id->clone(other->my_id);
1561 this->other_id = other->other_id->clone(other->other_id);
1562
1563 /* apply virtual assigned IPs... */
1564 if (other->my_virtual_ip)
1565 {
1566 this->my_virtual_ip = other->my_virtual_ip;
1567 other->my_virtual_ip = NULL;
1568 }
1569 if (other->other_virtual_ip)
1570 {
1571 this->other_virtual_ip = other->other_virtual_ip;
1572 other->other_virtual_ip = NULL;
1573 }
1574
1575 /* ... and DNS servers */
1576 while (other->dns_servers->remove_last(other->dns_servers,
1577 (void**)&ip) == SUCCESS)
1578 {
1579 this->dns_servers->insert_first(this->dns_servers, ip);
1580 }
1581
1582 /* adopt all children */
1583 while (other->child_sas->remove_last(other->child_sas,
1584 (void**)&child_sa) == SUCCESS)
1585 {
1586 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
1587 }
1588 }
1589
1590 /**
1591 * Implementation of ike_sa_t.is_natt_enabled.
1592 */
1593 static bool is_natt_enabled(private_ike_sa_t *this)
1594 {
1595 return this->nat_here || this->nat_there;
1596 }
1597
1598 /**
1599 * Implementation of ike_sa_t.enable_natt.
1600 */
1601 static void enable_natt(private_ike_sa_t *this, bool local)
1602 {
1603 if (local)
1604 {
1605 DBG1(DBG_IKE, "local host is behind NAT, scheduling keep alives");
1606 this->nat_here = TRUE;
1607 send_keepalive(this);
1608 }
1609 else
1610 {
1611 DBG1(DBG_IKE, "remote host is behind NAT");
1612 this->nat_there = TRUE;
1613 }
1614 }
1615
1616 /**
1617 * Implementation of ike_sa_t.reset
1618 */
1619 static void reset(private_ike_sa_t *this)
1620 {
1621 /* the responder ID is reset, as peer may choose another one */
1622 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
1623 {
1624 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
1625 }
1626
1627 set_state(this, IKE_CREATED);
1628
1629 this->task_manager->reset(this->task_manager);
1630 }
1631
1632 /**
1633 * Implementation of ike_sa_t.set_virtual_ip
1634 */
1635 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
1636 {
1637 if (local)
1638 {
1639 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
1640 if (this->my_virtual_ip)
1641 {
1642 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
1643 charon->kernel_interface->del_ip(charon->kernel_interface,
1644 this->my_virtual_ip,
1645 this->my_host);
1646 this->my_virtual_ip->destroy(this->my_virtual_ip);
1647 }
1648 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
1649 this->my_host) == SUCCESS)
1650 {
1651 this->my_virtual_ip = ip->clone(ip);
1652 }
1653 else
1654 {
1655 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
1656 this->my_virtual_ip = NULL;
1657 }
1658 }
1659 else
1660 {
1661 DESTROY_IF(this->other_virtual_ip);
1662 this->other_virtual_ip = ip->clone(ip);
1663 }
1664 }
1665
1666 /**
1667 * Implementation of ike_sa_t.get_virtual_ip
1668 */
1669 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
1670 {
1671 if (local)
1672 {
1673 return this->my_virtual_ip;
1674 }
1675 else
1676 {
1677 return this->other_virtual_ip;
1678 }
1679 }
1680
1681 /**
1682 * Implementation of ike_sa_t.remove_dns_server
1683 */
1684 static void remove_dns_servers(private_ike_sa_t *this)
1685 {
1686 FILE *file;
1687 struct stat stats;
1688 chunk_t contents, line, orig_line, token;
1689 char string[INET6_ADDRSTRLEN];
1690 host_t *ip;
1691 iterator_t *iterator;
1692
1693 if (this->dns_servers->get_count(this->dns_servers) == 0)
1694 {
1695 /* don't touch anything if we have no nameservers installed */
1696 return;
1697 }
1698
1699 file = fopen(RESOLV_CONF, "r");
1700 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
1701 {
1702 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
1703 return;
1704 }
1705
1706 contents = chunk_alloca((size_t)stats.st_size);
1707
1708 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
1709 {
1710 DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
1711 fclose(file);
1712 return;
1713 }
1714
1715 fclose(file);
1716 file = fopen(RESOLV_CONF, "w");
1717 if (file == NULL)
1718 {
1719 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
1720 return;
1721 }
1722
1723 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
1724 while (fetchline(&contents, &line))
1725 {
1726 bool found = FALSE;
1727 orig_line = line;
1728 if (extract_token(&token, ' ', &line) &&
1729 strncasecmp(token.ptr, "nameserver", token.len) == 0)
1730 {
1731 if (!extract_token(&token, ' ', &line))
1732 {
1733 token = line;
1734 }
1735 iterator->reset(iterator);
1736 while (iterator->iterate(iterator, (void**)&ip))
1737 {
1738 snprintf(string, sizeof(string), "%H", ip);
1739 if (strlen(string) == token.len &&
1740 strncmp(token.ptr, string, token.len) == 0)
1741 {
1742 iterator->remove(iterator);
1743 ip->destroy(ip);
1744 found = TRUE;
1745 break;
1746 }
1747 }
1748 }
1749
1750 if (!found)
1751 {
1752 /* write line untouched back to file */
1753 fwrite(orig_line.ptr, orig_line.len, 1, file);
1754 fprintf(file, "\n");
1755 }
1756 }
1757 iterator->destroy(iterator);
1758 fclose(file);
1759 }
1760
1761 /**
1762 * Implementation of ike_sa_t.add_dns_server
1763 */
1764 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
1765 {
1766 FILE *file;
1767 struct stat stats;
1768 chunk_t contents;
1769
1770 DBG1(DBG_IKE, "installing DNS server %H", dns);
1771
1772 file = fopen(RESOLV_CONF, "a+");
1773 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
1774 {
1775 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
1776 return;
1777 }
1778
1779 contents = chunk_alloca(stats.st_size);
1780
1781 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
1782 {
1783 DBG1(DBG_IKE, "unable to read DNS configuration file: %m");
1784 fclose(file);
1785 return;
1786 }
1787
1788 fclose(file);
1789 file = fopen(RESOLV_CONF, "w");
1790 if (file == NULL)
1791 {
1792 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %m", RESOLV_CONF);
1793 return;
1794 }
1795
1796 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
1797 dns, this->other_id) < 0)
1798 {
1799 DBG1(DBG_IKE, "unable to write DNS configuration: %m");
1800 }
1801 else
1802 {
1803 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
1804 }
1805 fwrite(contents.ptr, contents.len, 1, file);
1806
1807 fclose(file);
1808 }
1809
1810 /**
1811 * output handler in printf()
1812 */
1813 static int print(FILE *stream, const struct printf_info *info,
1814 const void *const *args)
1815 {
1816 int written = 0;
1817 bool reauth = FALSE;
1818 private_ike_sa_t *this = *((private_ike_sa_t**)(args[0]));
1819
1820 if (this->connection)
1821 {
1822 reauth = this->connection->get_reauth(this->connection);
1823 }
1824
1825 if (this == NULL)
1826 {
1827 return fprintf(stream, "(null)");
1828 }
1829
1830 written = fprintf(stream, "%12s[%d]: %N, %H[%D]...%H[%D]", get_name(this),
1831 this->unique_id, ike_sa_state_names, this->state,
1832 this->my_host, this->my_id, this->other_host,
1833 this->other_id);
1834 written += fprintf(stream, "\n%12s[%d]: IKE SPIs: %J, %s in %ds",
1835 get_name(this), this->unique_id, this->ike_sa_id,
1836 this->connection && reauth? "reauthentication":"rekeying",
1837 this->time.rekey - time(NULL));
1838
1839 if (info->alt)
1840 {
1841
1842 }
1843 return written;
1844 }
1845
1846 /**
1847 * register printf() handlers
1848 */
1849 static void __attribute__ ((constructor))print_register()
1850 {
1851 register_printf_function(PRINTF_IKE_SA, print, arginfo_ptr);
1852 }
1853
1854 /**
1855 * Implementation of ike_sa_t.destroy.
1856 */
1857 static void destroy(private_ike_sa_t *this)
1858 {
1859 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
1860
1861 DESTROY_IF(this->crypter_in);
1862 DESTROY_IF(this->crypter_out);
1863 DESTROY_IF(this->signer_in);
1864 DESTROY_IF(this->signer_out);
1865 DESTROY_IF(this->prf);
1866 DESTROY_IF(this->child_prf);
1867 DESTROY_IF(this->auth_verify);
1868 DESTROY_IF(this->auth_build);
1869
1870 if (this->my_virtual_ip)
1871 {
1872 charon->kernel_interface->del_ip(charon->kernel_interface,
1873 this->my_virtual_ip, this->my_host);
1874 this->my_virtual_ip->destroy(this->my_virtual_ip);
1875 }
1876 DESTROY_IF(this->other_virtual_ip);
1877
1878 remove_dns_servers(this);
1879 this->dns_servers->destroy_offset(this->dns_servers, offsetof(host_t, destroy));
1880
1881 DESTROY_IF(this->my_host);
1882 DESTROY_IF(this->other_host);
1883 DESTROY_IF(this->my_id);
1884 DESTROY_IF(this->other_id);
1885
1886 DESTROY_IF(this->connection);
1887 DESTROY_IF(this->policy);
1888
1889 this->ike_sa_id->destroy(this->ike_sa_id);
1890 this->task_manager->destroy(this->task_manager);
1891 free(this);
1892 }
1893
1894 /*
1895 * Described in header.
1896 */
1897 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
1898 {
1899 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
1900 static u_int32_t unique_id = 0;
1901
1902 /* Public functions */
1903 this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state;
1904 this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state;
1905 this->public.get_name = (char*(*)(ike_sa_t*))get_name;
1906 this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
1907 this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate;
1908 this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route;
1909 this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute;
1910 this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
1911 this->public.get_connection = (connection_t*(*)(ike_sa_t*))get_connection;
1912 this->public.set_connection = (void(*)(ike_sa_t*,connection_t*))set_connection;
1913 this->public.get_policy = (policy_t*(*)(ike_sa_t*))get_policy;
1914 this->public.set_policy = (void(*)(ike_sa_t*,policy_t*))set_policy;
1915 this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
1916 this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
1917 this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host;
1918 this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
1919 this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host;
1920 this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
1921 this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
1922 this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
1923 this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
1924 this->public.retransmit = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit;
1925 this->public.delete = (status_t(*)(ike_sa_t*))delete_;
1926 this->public.destroy = (void(*)(ike_sa_t*))destroy;
1927 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
1928 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
1929 this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
1930 this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
1931 this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify;
1932 this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build;
1933 this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,chunk_t,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
1934 this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
1935 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
1936 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
1937 this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
1938 this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
1939 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
1940 this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
1941 this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
1942 this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
1943 this->public.reestablish = (void(*)(ike_sa_t*))reestablish;
1944 this->public.inherit = (void(*)(ike_sa_t*,ike_sa_t*))inherit;
1945 this->public.generate_message = (status_t(*)(ike_sa_t*,message_t*,packet_t**))generate_message;
1946 this->public.reset = (void(*)(ike_sa_t*))reset;
1947 this->public.get_unique_id = (u_int32_t(*)(ike_sa_t*))get_unique_id;
1948 this->public.set_virtual_ip = (void(*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
1949 this->public.get_virtual_ip = (host_t*(*)(ike_sa_t*,bool))get_virtual_ip;
1950 this->public.add_dns_server = (void(*)(ike_sa_t*,host_t*))add_dns_server;
1951
1952 /* initialize private fields */
1953 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
1954 this->child_sas = linked_list_create();
1955 this->my_host = host_create_any(AF_INET);
1956 this->other_host = host_create_any(AF_INET);
1957 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
1958 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
1959 this->crypter_in = NULL;
1960 this->crypter_out = NULL;
1961 this->signer_in = NULL;
1962 this->signer_out = NULL;
1963 this->prf = NULL;
1964 this->auth_verify = NULL;
1965 this->auth_build = NULL;
1966 this->child_prf = NULL;
1967 this->nat_here = FALSE;
1968 this->nat_there = FALSE;
1969 this->state = IKE_CREATED;
1970 this->time.inbound = this->time.outbound = time(NULL);
1971 this->time.established = 0;
1972 this->time.rekey = 0;
1973 this->time.delete = 0;
1974 this->connection = NULL;
1975 this->policy = NULL;
1976 this->task_manager = task_manager_create(&this->public);
1977 this->unique_id = ++unique_id;
1978 this->my_virtual_ip = NULL;
1979 this->other_virtual_ip = NULL;
1980 this->dns_servers = linked_list_create();
1981
1982 return &this->public;
1983 }