schedule_job uses seconds to support time values larger than 49 days
[strongswan.git] / src / charon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 *
18 * $Id$
19 */
20
21 #include <sys/time.h>
22 #include <string.h>
23 #include <sys/stat.h>
24 #include <errno.h>
25 #include <time.h>
26
27 #include "ike_sa.h"
28
29 #include <library.h>
30 #include <daemon.h>
31 #include <utils/linked_list.h>
32 #include <utils/lexparser.h>
33 #include <sa/task_manager.h>
34 #include <sa/tasks/ike_init.h>
35 #include <sa/tasks/ike_natd.h>
36 #include <sa/tasks/ike_mobike.h>
37 #include <sa/tasks/ike_auth.h>
38 #include <sa/tasks/ike_auth_lifetime.h>
39 #include <sa/tasks/ike_config.h>
40 #include <sa/tasks/ike_cert_pre.h>
41 #include <sa/tasks/ike_cert_post.h>
42 #include <sa/tasks/ike_rekey.h>
43 #include <sa/tasks/ike_reauth.h>
44 #include <sa/tasks/ike_delete.h>
45 #include <sa/tasks/ike_dpd.h>
46 #include <sa/tasks/child_create.h>
47 #include <sa/tasks/child_delete.h>
48 #include <sa/tasks/child_rekey.h>
49 #include <processing/jobs/retransmit_job.h>
50 #include <processing/jobs/delete_ike_sa_job.h>
51 #include <processing/jobs/send_dpd_job.h>
52 #include <processing/jobs/send_keepalive_job.h>
53 #include <processing/jobs/rekey_ike_sa_job.h>
54
55 #ifdef ME
56 #include <sa/tasks/ike_me.h>
57 #include <processing/jobs/initiate_mediation_job.h>
58 #endif
59
60 #ifndef RESOLV_CONF
61 #define RESOLV_CONF "/etc/resolv.conf"
62 #endif
63
64 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
65 "CREATED",
66 "CONNECTING",
67 "ESTABLISHED",
68 "PASSIVE",
69 "REKEYING",
70 "DELETING",
71 "DESTROYING",
72 );
73
74 typedef struct private_ike_sa_t private_ike_sa_t;
75
76 /**
77 * Private data of an ike_sa_t object.
78 */
79 struct private_ike_sa_t {
80
81 /**
82 * Public members
83 */
84 ike_sa_t public;
85
86 /**
87 * Identifier for the current IKE_SA.
88 */
89 ike_sa_id_t *ike_sa_id;
90
91 /**
92 * unique numerical ID for this IKE_SA.
93 */
94 u_int32_t unique_id;
95
96 /**
97 * Current state of the IKE_SA
98 */
99 ike_sa_state_t state;
100
101 /**
102 * IKE configuration used to set up this IKE_SA
103 */
104 ike_cfg_t *ike_cfg;
105
106 /**
107 * Peer and authentication information to establish IKE_SA.
108 */
109 peer_cfg_t *peer_cfg;
110
111 /**
112 * currently used authentication ruleset, local (as auth_cfg_t)
113 */
114 auth_cfg_t *my_auth;
115
116 /**
117 * currently used authentication constraints, remote (as auth_cfg_t)
118 */
119 auth_cfg_t *other_auth;
120
121 /**
122 * Selected IKE proposal
123 */
124 proposal_t *proposal;
125
126 /**
127 * Juggles tasks to process messages
128 */
129 task_manager_t *task_manager;
130
131 /**
132 * Address of local host
133 */
134 host_t *my_host;
135
136 /**
137 * Address of remote host
138 */
139 host_t *other_host;
140
141 #ifdef ME
142 /**
143 * Are we mediation server
144 */
145 bool is_mediation_server;
146
147 /**
148 * Server reflexive host
149 */
150 host_t *server_reflexive_host;
151
152 /**
153 * Connect ID
154 */
155 chunk_t connect_id;
156 #endif /* ME */
157
158 /**
159 * Identification used for us
160 */
161 identification_t *my_id;
162
163 /**
164 * Identification used for other
165 */
166 identification_t *other_id;
167
168 /**
169 * EAP Identity exchange in EAP-Identity method
170 */
171 identification_t *eap_identity;;
172
173 /**
174 * set of extensions the peer supports
175 */
176 ike_extension_t extensions;
177
178 /**
179 * set of condition flags currently enabled for this IKE_SA
180 */
181 ike_condition_t conditions;
182
183 /**
184 * Linked List containing the child sa's of the current IKE_SA.
185 */
186 linked_list_t *child_sas;
187
188 /**
189 * keymat of this IKE_SA
190 */
191 keymat_t *keymat;
192
193 /**
194 * Virtual IP on local host, if any
195 */
196 host_t *my_virtual_ip;
197
198 /**
199 * Virtual IP on remote host, if any
200 */
201 host_t *other_virtual_ip;
202
203 /**
204 * List of DNS servers installed by us
205 */
206 linked_list_t *dns_servers;
207
208 /**
209 * list of peers additional addresses, transmitted via MOBIKE
210 */
211 linked_list_t *additional_addresses;
212
213 /**
214 * previously value of received DESTINATION_IP hash
215 */
216 chunk_t nat_detection_dest;
217
218 /**
219 * number pending UPDATE_SA_ADDRESS (MOBIKE)
220 */
221 u_int32_t pending_updates;
222
223 /**
224 * NAT keep alive interval
225 */
226 u_int32_t keepalive_interval;
227
228 /**
229 * Timestamps for this IKE_SA
230 */
231 u_int32_t stats[STAT_MAX];
232
233 /**
234 * how many times we have retried so far (keyingtries)
235 */
236 u_int32_t keyingtry;
237
238 /**
239 * local host address to be used for IKE, set via MIGRATE kernel message
240 */
241 host_t *local_host;
242
243 /**
244 * remote host address to be used for IKE, set via MIGRATE kernel message
245 */
246 host_t *remote_host;
247 };
248
249 /**
250 * get the time of the latest traffic processed by the kernel
251 */
252 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
253 {
254 enumerator_t *enumerator;
255 child_sa_t *child_sa;
256 time_t use_time;
257
258 if (inbound)
259 {
260 use_time = this->stats[STAT_INBOUND];
261 }
262 else
263 {
264 use_time = this->stats[STAT_OUTBOUND];
265 }
266 enumerator = this->child_sas->create_enumerator(this->child_sas);
267 while (enumerator->enumerate(enumerator, &child_sa))
268 {
269 use_time = max(use_time, child_sa->get_usetime(child_sa, inbound));
270 }
271 enumerator->destroy(enumerator);
272
273 return use_time;
274 }
275
276 /**
277 * Implementation of ike_sa_t.get_unique_id
278 */
279 static u_int32_t get_unique_id(private_ike_sa_t *this)
280 {
281 return this->unique_id;
282 }
283
284 /**
285 * Implementation of ike_sa_t.get_name.
286 */
287 static char *get_name(private_ike_sa_t *this)
288 {
289 if (this->peer_cfg)
290 {
291 return this->peer_cfg->get_name(this->peer_cfg);
292 }
293 return "(unnamed)";
294 }
295
296 /**
297 * Implementation of ike_sa_t.get_statistic.
298 */
299 static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
300 {
301 if (kind < STAT_MAX)
302 {
303 return this->stats[kind];
304 }
305 return 0;
306 }
307
308 /**
309 * Implementation of ike_sa_t.get_my_host.
310 */
311 static host_t *get_my_host(private_ike_sa_t *this)
312 {
313 return this->my_host;
314 }
315
316 /**
317 * Implementation of ike_sa_t.set_my_host.
318 */
319 static void set_my_host(private_ike_sa_t *this, host_t *me)
320 {
321 DESTROY_IF(this->my_host);
322 this->my_host = me;
323 }
324
325 /**
326 * Implementation of ike_sa_t.get_other_host.
327 */
328 static host_t *get_other_host(private_ike_sa_t *this)
329 {
330 return this->other_host;
331 }
332
333 /**
334 * Implementation of ike_sa_t.set_other_host.
335 */
336 static void set_other_host(private_ike_sa_t *this, host_t *other)
337 {
338 DESTROY_IF(this->other_host);
339 this->other_host = other;
340 }
341
342 /**
343 * Implementation of ike_sa_t.get_peer_cfg
344 */
345 static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
346 {
347 return this->peer_cfg;
348 }
349
350 /**
351 * Implementation of ike_sa_t.set_peer_cfg
352 */
353 static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
354 {
355 DESTROY_IF(this->peer_cfg);
356 peer_cfg->get_ref(peer_cfg);
357 this->peer_cfg = peer_cfg;
358
359 if (this->ike_cfg == NULL)
360 {
361 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
362 this->ike_cfg->get_ref(this->ike_cfg);
363 }
364 }
365
366 /**
367 * Implementation of ike_sa_t.get_auth_cfg
368 */
369 static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
370 {
371 if (local)
372 {
373 return this->my_auth;
374 }
375 return this->other_auth;
376 }
377
378 /**
379 * Implementation of ike_sa_t.get_proposal
380 */
381 static proposal_t* get_proposal(private_ike_sa_t *this)
382 {
383 return this->proposal;
384 }
385
386 /**
387 * Implementation of ike_sa_t.set_proposal
388 */
389 static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
390 {
391 DESTROY_IF(this->proposal);
392 this->proposal = proposal->clone(proposal);
393 }
394
395 /**
396 * Implementation of ike_sa_t.set_message_id
397 */
398 static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
399 {
400 if (initiate)
401 {
402 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
403 }
404 else
405 {
406 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
407 }
408 }
409
410 /**
411 * Implementation of ike_sa_t.send_keepalive
412 */
413 static void send_keepalive(private_ike_sa_t *this)
414 {
415 send_keepalive_job_t *job;
416 time_t last_out, now, diff;
417
418 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
419 { /* disable keep alives if we are not NATed anymore */
420 return;
421 }
422
423 last_out = get_use_time(this, FALSE);
424 now = time(NULL);
425
426 diff = now - last_out;
427
428 if (diff >= this->keepalive_interval)
429 {
430 packet_t *packet;
431 chunk_t data;
432
433 packet = packet_create();
434 packet->set_source(packet, this->my_host->clone(this->my_host));
435 packet->set_destination(packet, this->other_host->clone(this->other_host));
436 data.ptr = malloc(1);
437 data.ptr[0] = 0xFF;
438 data.len = 1;
439 packet->set_data(packet, data);
440 DBG1(DBG_IKE, "sending keep alive");
441 charon->sender->send(charon->sender, packet);
442 diff = 0;
443 }
444 job = send_keepalive_job_create(this->ike_sa_id);
445 charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
446 this->keepalive_interval - diff);
447 }
448
449 /**
450 * Implementation of ike_sa_t.get_ike_cfg
451 */
452 static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
453 {
454 return this->ike_cfg;
455 }
456
457 /**
458 * Implementation of ike_sa_t.set_ike_cfg
459 */
460 static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
461 {
462 ike_cfg->get_ref(ike_cfg);
463 this->ike_cfg = ike_cfg;
464 }
465
466 /**
467 * Implementation of ike_sa_t.enable_extension.
468 */
469 static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
470 {
471 this->extensions |= extension;
472 }
473
474 /**
475 * Implementation of ike_sa_t.has_extension.
476 */
477 static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
478 {
479 return (this->extensions & extension) != FALSE;
480 }
481
482 /**
483 * Implementation of ike_sa_t.has_condition.
484 */
485 static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
486 {
487 return (this->conditions & condition) != FALSE;
488 }
489
490 /**
491 * Implementation of ike_sa_t.enable_condition.
492 */
493 static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
494 bool enable)
495 {
496 if (has_condition(this, condition) != enable)
497 {
498 if (enable)
499 {
500 this->conditions |= condition;
501 switch (condition)
502 {
503 case COND_NAT_HERE:
504 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
505 this->conditions |= COND_NAT_ANY;
506 send_keepalive(this);
507 break;
508 case COND_NAT_THERE:
509 DBG1(DBG_IKE, "remote host is behind NAT");
510 this->conditions |= COND_NAT_ANY;
511 break;
512 case COND_NAT_FAKE:
513 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
514 this->conditions |= COND_NAT_ANY;
515 break;
516 default:
517 break;
518 }
519 }
520 else
521 {
522 this->conditions &= ~condition;
523 switch (condition)
524 {
525 case COND_NAT_HERE:
526 case COND_NAT_FAKE:
527 case COND_NAT_THERE:
528 set_condition(this, COND_NAT_ANY,
529 has_condition(this, COND_NAT_HERE) ||
530 has_condition(this, COND_NAT_THERE) ||
531 has_condition(this, COND_NAT_FAKE));
532 break;
533 default:
534 break;
535 }
536 }
537 }
538 }
539
540 /**
541 * Implementation of ike_sa_t.send_dpd
542 */
543 static status_t send_dpd(private_ike_sa_t *this)
544 {
545 job_t *job;
546 time_t diff, delay;
547
548 delay = this->peer_cfg->get_dpd(this->peer_cfg);
549
550 if (delay == 0)
551 {
552 /* DPD disabled */
553 return SUCCESS;
554 }
555
556 if (this->task_manager->busy(this->task_manager))
557 {
558 /* an exchange is in the air, no need to start a DPD check */
559 diff = 0;
560 }
561 else
562 {
563 /* check if there was any inbound traffic */
564 time_t last_in, now;
565 last_in = get_use_time(this, TRUE);
566 now = time(NULL);
567 diff = now - last_in;
568 if (diff >= delay)
569 {
570 /* to long ago, initiate dead peer detection */
571 task_t *task;
572 ike_mobike_t *mobike;
573
574 if (supports_extension(this, EXT_MOBIKE) &&
575 has_condition(this, COND_NAT_HERE))
576 {
577 /* use mobike enabled DPD to detect NAT mapping changes */
578 mobike = ike_mobike_create(&this->public, TRUE);
579 mobike->dpd(mobike);
580 task = &mobike->task;
581 }
582 else
583 {
584 task = (task_t*)ike_dpd_create(TRUE);
585 }
586 diff = 0;
587 DBG1(DBG_IKE, "sending DPD request");
588
589 this->task_manager->queue_task(this->task_manager, task);
590 this->task_manager->initiate(this->task_manager);
591 }
592 }
593 /* recheck in "interval" seconds */
594 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
595 charon->scheduler->schedule_job(charon->scheduler, job, delay - diff);
596 return SUCCESS;
597 }
598
599 /**
600 * Implementation of ike_sa_t.get_state.
601 */
602 static ike_sa_state_t get_state(private_ike_sa_t *this)
603 {
604 return this->state;
605 }
606
607 /**
608 * Implementation of ike_sa_t.set_state.
609 */
610 static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
611 {
612 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
613 get_name(this), this->unique_id,
614 ike_sa_state_names, this->state,
615 ike_sa_state_names, state);
616
617 switch (state)
618 {
619 case IKE_ESTABLISHED:
620 {
621 if (this->state == IKE_CONNECTING ||
622 this->state == IKE_PASSIVE)
623 {
624 job_t *job;
625 u_int32_t t;
626
627 /* calculate rekey, reauth and lifetime */
628 this->stats[STAT_ESTABLISHED] = time(NULL);
629
630 /* schedule rekeying if we have a time which is smaller than
631 * an already scheduled rekeying */
632 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
633 if (t && (this->stats[STAT_REKEY] == 0 ||
634 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
635 {
636 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
637 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
638 charon->scheduler->schedule_job(charon->scheduler, job, t);
639 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
640 }
641 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
642 if (t && (this->stats[STAT_REAUTH] == 0 ||
643 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
644 {
645 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
646 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
647 charon->scheduler->schedule_job(charon->scheduler, job, t);
648 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
649 }
650 t = this->peer_cfg->get_over_time(this->peer_cfg);
651 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
652 {
653 if (this->stats[STAT_REAUTH] == 0)
654 {
655 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
656 }
657 else if (this->stats[STAT_REKEY] == 0)
658 {
659 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
660 }
661 else
662 {
663 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
664 this->stats[STAT_REAUTH]);
665 }
666 this->stats[STAT_DELETE] += t;
667 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
668 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
669 charon->scheduler->schedule_job(charon->scheduler, job, t);
670 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
671 }
672
673 /* start DPD checks */
674 send_dpd(this);
675 }
676 break;
677 }
678 case IKE_DELETING:
679 {
680 /* delete may fail if a packet gets lost, so set a timeout */
681 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
682 charon->scheduler->schedule_job(charon->scheduler, job,
683 HALF_OPEN_IKE_SA_TIMEOUT);
684 break;
685 }
686 default:
687 break;
688 }
689 charon->bus->ike_state_change(charon->bus, &this->public, state);
690 this->state = state;
691 }
692
693 /**
694 * Implementation of ike_sa_t.reset
695 */
696 static void reset(private_ike_sa_t *this)
697 {
698 /* the responder ID is reset, as peer may choose another one */
699 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
700 {
701 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
702 }
703
704 set_state(this, IKE_CREATED);
705
706 this->task_manager->reset(this->task_manager, 0, 0);
707 }
708
709 /**
710 * Implementation of ike_sa_t.get_keymat
711 */
712 static keymat_t* get_keymat(private_ike_sa_t *this)
713 {
714 return this->keymat;
715 }
716
717 /**
718 * Implementation of ike_sa_t.set_virtual_ip
719 */
720 static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
721 {
722 if (local)
723 {
724 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
725 if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
726 this->my_host) == SUCCESS)
727 {
728 if (this->my_virtual_ip)
729 {
730 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
731 charon->kernel_interface->del_ip(charon->kernel_interface,
732 this->my_virtual_ip);
733 }
734 DESTROY_IF(this->my_virtual_ip);
735 this->my_virtual_ip = ip->clone(ip);
736 }
737 else
738 {
739 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
740 this->my_virtual_ip = NULL;
741 }
742 }
743 else
744 {
745 DESTROY_IF(this->other_virtual_ip);
746 this->other_virtual_ip = ip->clone(ip);
747 }
748 }
749
750 /**
751 * Implementation of ike_sa_t.get_virtual_ip
752 */
753 static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
754 {
755 if (local)
756 {
757 return this->my_virtual_ip;
758 }
759 else
760 {
761 return this->other_virtual_ip;
762 }
763 }
764
765 /**
766 * Implementation of ike_sa_t.add_additional_address.
767 */
768 static void add_additional_address(private_ike_sa_t *this, host_t *host)
769 {
770 this->additional_addresses->insert_last(this->additional_addresses, host);
771 }
772
773 /**
774 * Implementation of ike_sa_t.create_additional_address_iterator.
775 */
776 static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
777 {
778 return this->additional_addresses->create_iterator(
779 this->additional_addresses, TRUE);
780 }
781
782 /**
783 * Implementation of ike_sa_t.has_mapping_changed
784 */
785 static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
786 {
787 if (this->nat_detection_dest.ptr == NULL)
788 {
789 this->nat_detection_dest = chunk_clone(hash);
790 return FALSE;
791 }
792 if (chunk_equals(hash, this->nat_detection_dest))
793 {
794 return FALSE;
795 }
796 free(this->nat_detection_dest.ptr);
797 this->nat_detection_dest = chunk_clone(hash);
798 return TRUE;
799 }
800
801 /**
802 * Implementation of ike_sa_t.set_pending_updates.
803 */
804 static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
805 {
806 this->pending_updates = updates;
807 }
808
809 /**
810 * Implementation of ike_sa_t.get_pending_updates.
811 */
812 static u_int32_t get_pending_updates(private_ike_sa_t *this)
813 {
814 return this->pending_updates;
815 }
816
817 /**
818 * Update hosts, as addresses may change (NAT)
819 */
820 static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
821 {
822 bool update = FALSE;
823
824 if (me == NULL)
825 {
826 me = this->my_host;
827 }
828 if (other == NULL)
829 {
830 other = this->other_host;
831 }
832
833 /* apply hosts on first received message */
834 if (this->my_host->is_anyaddr(this->my_host) ||
835 this->other_host->is_anyaddr(this->other_host))
836 {
837 set_my_host(this, me->clone(me));
838 set_other_host(this, other->clone(other));
839 update = TRUE;
840 }
841 else
842 {
843 /* update our address in any case */
844 if (!me->equals(me, this->my_host))
845 {
846 set_my_host(this, me->clone(me));
847 update = TRUE;
848 }
849
850 if (!other->equals(other, this->other_host))
851 {
852 /* update others adress if we are NOT NATed,
853 * and allow port changes if we are NATed */
854 if (!has_condition(this, COND_NAT_HERE) ||
855 other->ip_equals(other, this->other_host))
856 {
857 set_other_host(this, other->clone(other));
858 update = TRUE;
859 }
860 }
861 }
862
863 /* update all associated CHILD_SAs, if required */
864 if (update)
865 {
866 iterator_t *iterator;
867 child_sa_t *child_sa;
868
869 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
870 while (iterator->iterate(iterator, (void**)&child_sa))
871 {
872 if (child_sa->update(child_sa, this->my_host,
873 this->other_host, this->my_virtual_ip,
874 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
875 {
876 this->public.rekey_child_sa(&this->public,
877 child_sa->get_protocol(child_sa),
878 child_sa->get_spi(child_sa, TRUE));
879 }
880 }
881 iterator->destroy(iterator);
882 }
883 }
884
885 /**
886 * Implementation of ike_sa_t.generate
887 */
888 static status_t generate_message(private_ike_sa_t *this, message_t *message,
889 packet_t **packet)
890 {
891 this->stats[STAT_OUTBOUND] = time(NULL);
892 message->set_ike_sa_id(message, this->ike_sa_id);
893 return message->generate(message,
894 this->keymat->get_crypter(this->keymat, FALSE),
895 this->keymat->get_signer(this->keymat, FALSE), packet);
896 }
897
898 /**
899 * send a notify back to the sender
900 */
901 static void send_notify_response(private_ike_sa_t *this, message_t *request,
902 notify_type_t type)
903 {
904 message_t *response;
905 packet_t *packet;
906
907 response = message_create();
908 response->set_exchange_type(response, request->get_exchange_type(request));
909 response->set_request(response, FALSE);
910 response->set_message_id(response, request->get_message_id(request));
911 response->add_notify(response, FALSE, type, chunk_empty);
912 if (this->my_host->is_anyaddr(this->my_host))
913 {
914 this->my_host->destroy(this->my_host);
915 this->my_host = request->get_destination(request);
916 this->my_host = this->my_host->clone(this->my_host);
917 }
918 if (this->other_host->is_anyaddr(this->other_host))
919 {
920 this->other_host->destroy(this->other_host);
921 this->other_host = request->get_source(request);
922 this->other_host = this->other_host->clone(this->other_host);
923 }
924 response->set_source(response, this->my_host->clone(this->my_host));
925 response->set_destination(response, this->other_host->clone(this->other_host));
926 if (generate_message(this, response, &packet) == SUCCESS)
927 {
928 charon->sender->send(charon->sender, packet);
929 }
930 response->destroy(response);
931 }
932
933 /**
934 * Implementation of ike_sa_t.set_kmaddress.
935 */
936 static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
937 {
938 DESTROY_IF(this->local_host);
939 DESTROY_IF(this->remote_host);
940 this->local_host = local->clone(local);
941 this->remote_host = remote->clone(remote);
942 }
943
944 #ifdef ME
945 /**
946 * Implementation of ike_sa_t.act_as_mediation_server.
947 */
948 static void act_as_mediation_server(private_ike_sa_t *this)
949 {
950 charon->mediation_manager->update_sa_id(charon->mediation_manager,
951 this->other_id, this->ike_sa_id);
952 this->is_mediation_server = TRUE;
953 }
954
955 /**
956 * Implementation of ike_sa_t.get_server_reflexive_host.
957 */
958 static host_t *get_server_reflexive_host(private_ike_sa_t *this)
959 {
960 return this->server_reflexive_host;
961 }
962
963 /**
964 * Implementation of ike_sa_t.set_server_reflexive_host.
965 */
966 static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
967 {
968 DESTROY_IF(this->server_reflexive_host);
969 this->server_reflexive_host = host;
970 }
971
972 /**
973 * Implementation of ike_sa_t.get_connect_id.
974 */
975 static chunk_t get_connect_id(private_ike_sa_t *this)
976 {
977 return this->connect_id;
978 }
979
980 /**
981 * Implementation of ike_sa_t.respond
982 */
983 static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
984 chunk_t connect_id)
985 {
986 ike_me_t *task = ike_me_create(&this->public, TRUE);
987 task->respond(task, peer_id, connect_id);
988 this->task_manager->queue_task(this->task_manager, (task_t*)task);
989 return this->task_manager->initiate(this->task_manager);
990 }
991
992 /**
993 * Implementation of ike_sa_t.callback
994 */
995 static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
996 {
997 ike_me_t *task = ike_me_create(&this->public, TRUE);
998 task->callback(task, peer_id);
999 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1000 return this->task_manager->initiate(this->task_manager);
1001 }
1002
1003 /**
1004 * Implementation of ike_sa_t.relay
1005 */
1006 static status_t relay(private_ike_sa_t *this, identification_t *requester,
1007 chunk_t connect_id, chunk_t connect_key, linked_list_t *endpoints, bool response)
1008 {
1009 ike_me_t *task = ike_me_create(&this->public, TRUE);
1010 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1011 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1012 return this->task_manager->initiate(this->task_manager);
1013 }
1014
1015 /**
1016 * Implementation of ike_sa_t.initiate_mediation
1017 */
1018 static status_t initiate_mediation(private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1019 {
1020 ike_me_t *task = ike_me_create(&this->public, TRUE);
1021 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1022 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1023 return this->task_manager->initiate(this->task_manager);
1024 }
1025
1026 /**
1027 * Implementation of ike_sa_t.initiate_mediated
1028 */
1029 static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, host_t *other,
1030 chunk_t connect_id)
1031 {
1032 set_my_host(this, me->clone(me));
1033 set_other_host(this, other->clone(other));
1034 chunk_free(&this->connect_id);
1035 this->connect_id = chunk_clone(connect_id);
1036
1037 return this->task_manager->initiate(this->task_manager);
1038 }
1039 #endif /* ME */
1040
1041 /**
1042 * Resolve DNS host in configuration
1043 */
1044 static void resolve_hosts(private_ike_sa_t *this)
1045 {
1046 host_t *host;
1047
1048 if (this->remote_host)
1049 {
1050 host = this->remote_host->clone(this->remote_host);
1051 host->set_port(host, IKEV2_UDP_PORT);
1052 }
1053 else
1054 {
1055 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1056 0, IKEV2_UDP_PORT);
1057 }
1058 if (host)
1059 {
1060 set_other_host(this, host);
1061 }
1062
1063 if (this->local_host)
1064 {
1065 host = this->local_host->clone(this->local_host);
1066 host->set_port(host, IKEV2_UDP_PORT);
1067 }
1068 else
1069 {
1070 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1071 this->my_host->get_family(this->my_host),
1072 IKEV2_UDP_PORT);
1073
1074 if (host && host->is_anyaddr(host) &&
1075 !this->other_host->is_anyaddr(this->other_host))
1076 {
1077 host->destroy(host);
1078 host = charon->kernel_interface->get_source_addr(
1079 charon->kernel_interface, this->other_host, NULL);
1080 if (host)
1081 {
1082 host->set_port(host, IKEV2_UDP_PORT);
1083 }
1084 else
1085 { /* fallback to address family specific %any(6), if configured */
1086 host = host_create_from_dns(
1087 this->ike_cfg->get_my_addr(this->ike_cfg),
1088 0, IKEV2_UDP_PORT);
1089 }
1090 }
1091 }
1092 if (host)
1093 {
1094 set_my_host(this, host);
1095 }
1096 }
1097
1098 /**
1099 * Initiates a CHILD_SA using the appropriate reqid
1100 */
1101 static status_t initiate_with_reqid(private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid)
1102 {
1103 task_t *task;
1104
1105 if (this->state == IKE_CREATED)
1106 {
1107 resolve_hosts(this);
1108
1109 if (this->other_host->is_anyaddr(this->other_host)
1110 #ifdef ME
1111 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1112 #endif /* ME */
1113 )
1114 {
1115 child_cfg->destroy(child_cfg);
1116 DBG1(DBG_IKE, "unable to initiate to %%any");
1117 return DESTROY_ME;
1118 }
1119
1120 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1121
1122 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1123 this->task_manager->queue_task(this->task_manager, task);
1124 task = (task_t*)ike_natd_create(&this->public, TRUE);
1125 this->task_manager->queue_task(this->task_manager, task);
1126 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1127 this->task_manager->queue_task(this->task_manager, task);
1128 task = (task_t*)ike_auth_create(&this->public, TRUE);
1129 this->task_manager->queue_task(this->task_manager, task);
1130 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1131 this->task_manager->queue_task(this->task_manager, task);
1132 task = (task_t*)ike_config_create(&this->public, TRUE);
1133 this->task_manager->queue_task(this->task_manager, task);
1134 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1135 this->task_manager->queue_task(this->task_manager, task);
1136 if (this->peer_cfg->use_mobike(this->peer_cfg))
1137 {
1138 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1139 this->task_manager->queue_task(this->task_manager, task);
1140 }
1141 #ifdef ME
1142 task = (task_t*)ike_me_create(&this->public, TRUE);
1143 this->task_manager->queue_task(this->task_manager, task);
1144 #endif /* ME */
1145 }
1146
1147 #ifdef ME
1148 if (this->peer_cfg->is_mediation(this->peer_cfg))
1149 {
1150 if (this->state == IKE_ESTABLISHED)
1151 {
1152 /* mediation connection is already established, retrigger state change
1153 * to notify bus listeners */
1154 DBG1(DBG_IKE, "mediation connection is already up");
1155 set_state(this, IKE_ESTABLISHED);
1156 }
1157 DESTROY_IF(child_cfg);
1158 }
1159 else
1160 #endif /* ME */
1161 {
1162 /* normal IKE_SA with CHILD_SA */
1163 task = (task_t*)child_create_create(&this->public, child_cfg);
1164 child_cfg->destroy(child_cfg);
1165 if (reqid)
1166 {
1167 child_create_t *child_create = (child_create_t*)task;
1168 child_create->use_reqid(child_create, reqid);
1169 }
1170 this->task_manager->queue_task(this->task_manager, task);
1171
1172 #ifdef ME
1173 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1174 {
1175 /* mediated connection, initiate mediation process */
1176 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1177 charon->processor->queue_job(charon->processor, job);
1178 return SUCCESS;
1179 }
1180 #endif /* ME */
1181 }
1182
1183 return this->task_manager->initiate(this->task_manager);
1184 }
1185
1186 /**
1187 * Implementation of ike_sa_t.initiate.
1188 */
1189 static status_t initiate(private_ike_sa_t *this, child_cfg_t *child_cfg)
1190 {
1191 return initiate_with_reqid(this, child_cfg, 0);
1192 }
1193
1194 /**
1195 * Implementation of ike_sa_t.acquire.
1196 */
1197 static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
1198 {
1199 child_cfg_t *child_cfg;
1200 iterator_t *iterator;
1201 child_sa_t *current, *child_sa = NULL;
1202
1203 switch (this->state)
1204 {
1205 case IKE_DELETING:
1206 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1207 "IKE_SA is deleting", reqid);
1208 return FAILED;
1209 case IKE_PASSIVE:
1210 /* do not process acquires if passive */
1211 return FAILED;
1212 default:
1213 break;
1214 }
1215
1216 /* find CHILD_SA */
1217 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1218 while (iterator->iterate(iterator, (void**)&current))
1219 {
1220 if (current->get_reqid(current) == reqid)
1221 {
1222 child_sa = current;
1223 break;
1224 }
1225 }
1226 iterator->destroy(iterator);
1227 if (!child_sa)
1228 {
1229 DBG1(DBG_IKE, "acquiring CHILD_SA {reqid %d} failed: "
1230 "CHILD_SA not found", reqid);
1231 return FAILED;
1232 }
1233
1234 child_cfg = child_sa->get_config(child_sa);
1235 child_cfg->get_ref(child_cfg);
1236
1237 return initiate_with_reqid(this, child_cfg, reqid);
1238 }
1239
1240 /**
1241 * Implementation of ike_sa_t.route.
1242 */
1243 static status_t route(private_ike_sa_t *this, child_cfg_t *child_cfg)
1244 {
1245 child_sa_t *child_sa;
1246 iterator_t *iterator;
1247 linked_list_t *my_ts, *other_ts;
1248 host_t *me, *other;
1249 status_t status;
1250
1251 /* check if not already routed*/
1252 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1253 while (iterator->iterate(iterator, (void**)&child_sa))
1254 {
1255 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1256 streq(child_sa->get_name(child_sa), child_cfg->get_name(child_cfg)))
1257 {
1258 iterator->destroy(iterator);
1259 DBG1(DBG_IKE, "routing CHILD_SA failed: already routed");
1260 return FAILED;
1261 }
1262 }
1263 iterator->destroy(iterator);
1264
1265 switch (this->state)
1266 {
1267 case IKE_DELETING:
1268 case IKE_REKEYING:
1269 DBG1(DBG_IKE, "routing CHILD_SA failed: IKE_SA is %N",
1270 ike_sa_state_names, this->state);
1271 return FAILED;
1272 case IKE_CREATED:
1273 case IKE_CONNECTING:
1274 case IKE_ESTABLISHED:
1275 case IKE_PASSIVE:
1276 default:
1277 break;
1278 }
1279
1280 resolve_hosts(this);
1281
1282 /* install kernel policies */
1283 child_sa = child_sa_create(this->my_host, this->other_host,
1284 child_cfg, 0, FALSE);
1285 me = this->my_host;
1286 if (this->my_virtual_ip)
1287 {
1288 me = this->my_virtual_ip;
1289 }
1290 other = this->other_host;
1291 if (this->other_virtual_ip)
1292 {
1293 other = this->other_virtual_ip;
1294 }
1295
1296 my_ts = child_cfg->get_traffic_selectors(child_cfg, TRUE, NULL, me);
1297 other_ts = child_cfg->get_traffic_selectors(child_cfg, FALSE, NULL, other);
1298
1299 child_sa->set_mode(child_sa, child_cfg->get_mode(child_cfg));
1300 status = child_sa->add_policies(child_sa, my_ts, other_ts);
1301
1302 my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
1303 other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
1304 if (status == SUCCESS)
1305 {
1306 this->child_sas->insert_last(this->child_sas, child_sa);
1307 DBG1(DBG_IKE, "CHILD_SA routed");
1308 }
1309 else
1310 {
1311 child_sa->destroy(child_sa);
1312 DBG1(DBG_IKE, "routing CHILD_SA failed");
1313 }
1314 return status;
1315 }
1316
1317 /**
1318 * Implementation of ike_sa_t.unroute.
1319 */
1320 static status_t unroute(private_ike_sa_t *this, u_int32_t reqid)
1321 {
1322 iterator_t *iterator;
1323 child_sa_t *child_sa;
1324 bool found = FALSE;
1325
1326 /* find CHILD_SA in ROUTED state */
1327 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1328 while (iterator->iterate(iterator, (void**)&child_sa))
1329 {
1330 if (child_sa->get_state(child_sa) == CHILD_ROUTED &&
1331 child_sa->get_reqid(child_sa) == reqid)
1332 {
1333 iterator->remove(iterator);
1334 DBG1(DBG_IKE, "CHILD_SA unrouted");
1335 child_sa->destroy(child_sa);
1336 found = TRUE;
1337 break;
1338 }
1339 }
1340 iterator->destroy(iterator);
1341
1342 if (!found)
1343 {
1344 DBG1(DBG_IKE, "unrouting CHILD_SA failed: reqid %d not found", reqid);
1345 return FAILED;
1346 }
1347 /* if we are not established, and we have no more routed childs, remove whole SA */
1348 if (this->state == IKE_CREATED &&
1349 this->child_sas->get_count(this->child_sas) == 0)
1350 {
1351 return DESTROY_ME;
1352 }
1353 return SUCCESS;
1354 }
1355
1356 /**
1357 * Implementation of ike_sa_t.process_message.
1358 */
1359 static status_t process_message(private_ike_sa_t *this, message_t *message)
1360 {
1361 status_t status;
1362 bool is_request;
1363
1364 if (this->state == IKE_PASSIVE)
1365 { /* do not handle messages in passive state */
1366 return FAILED;
1367 }
1368
1369 is_request = message->get_request(message);
1370
1371 status = message->parse_body(message,
1372 this->keymat->get_crypter(this->keymat, TRUE),
1373 this->keymat->get_signer(this->keymat, TRUE));
1374 if (status != SUCCESS)
1375 {
1376
1377 if (is_request)
1378 {
1379 switch (status)
1380 {
1381 case NOT_SUPPORTED:
1382 DBG1(DBG_IKE, "critical unknown payloads found");
1383 if (is_request)
1384 {
1385 send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
1386 }
1387 break;
1388 case PARSE_ERROR:
1389 DBG1(DBG_IKE, "message parsing failed");
1390 if (is_request)
1391 {
1392 send_notify_response(this, message, INVALID_SYNTAX);
1393 }
1394 break;
1395 case VERIFY_ERROR:
1396 DBG1(DBG_IKE, "message verification failed");
1397 if (is_request)
1398 {
1399 send_notify_response(this, message, INVALID_SYNTAX);
1400 }
1401 break;
1402 case FAILED:
1403 DBG1(DBG_IKE, "integrity check failed");
1404 /* ignored */
1405 break;
1406 case INVALID_STATE:
1407 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1408 if (is_request)
1409 {
1410 send_notify_response(this, message, INVALID_SYNTAX);
1411 }
1412 default:
1413 break;
1414 }
1415 }
1416 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1417 exchange_type_names, message->get_exchange_type(message),
1418 message->get_request(message) ? "request" : "response",
1419 message->get_message_id(message));
1420 return status;
1421 }
1422 else
1423 {
1424 host_t *me, *other;
1425 private_ike_sa_t *new;
1426 iterator_t *iterator;
1427 child_sa_t *child;
1428 bool has_routed = FALSE;
1429
1430 me = message->get_destination(message);
1431 other = message->get_source(message);
1432
1433 /* if this IKE_SA is virgin, we check for a config */
1434 if (this->ike_cfg == NULL)
1435 {
1436 job_t *job;
1437 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1438 me, other);
1439 if (this->ike_cfg == NULL)
1440 {
1441 /* no config found for these hosts, destroy */
1442 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1443 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1444 send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
1445 return DESTROY_ME;
1446 }
1447 /* add a timeout if peer does not establish it completely */
1448 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1449 charon->scheduler->schedule_job(charon->scheduler, job,
1450 HALF_OPEN_IKE_SA_TIMEOUT);
1451 }
1452 this->stats[STAT_INBOUND] = time(NULL);
1453 /* check if message is trustworthy, and update host information */
1454 if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
1455 message->get_exchange_type(message) != IKE_SA_INIT)
1456 {
1457 if (!supports_extension(this, EXT_MOBIKE))
1458 { /* with MOBIKE, we do no implicit updates */
1459 update_hosts(this, me, other);
1460 }
1461 }
1462 status = this->task_manager->process_message(this->task_manager, message);
1463 if (status != DESTROY_ME)
1464 {
1465 return status;
1466 }
1467 /* if IKE_SA gets closed for any reasons, reroute routed children */
1468 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1469 while (iterator->iterate(iterator, (void**)&child))
1470 {
1471 if (child->get_state(child) == CHILD_ROUTED)
1472 {
1473 has_routed = TRUE;
1474 break;
1475 }
1476 }
1477 iterator->destroy(iterator);
1478 if (!has_routed)
1479 {
1480 return status;
1481 }
1482 /* move routed children to a new IKE_SA, apply connection info */
1483 new = (private_ike_sa_t*)charon->ike_sa_manager->checkout_new(
1484 charon->ike_sa_manager, TRUE);
1485 set_peer_cfg(new, this->peer_cfg);
1486 new->other_host->destroy(new->other_host);
1487 new->other_host = this->other_host->clone(this->other_host);
1488 if (!has_condition(this, COND_NAT_THERE))
1489 {
1490 new->other_host->set_port(new->other_host, IKEV2_UDP_PORT);
1491 }
1492 if (this->my_virtual_ip)
1493 {
1494 set_virtual_ip(new, TRUE, this->my_virtual_ip);
1495 }
1496 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1497 while (iterator->iterate(iterator, (void**)&child))
1498 {
1499 if (child->get_state(child) == CHILD_ROUTED)
1500 {
1501 route(new, child->get_config(child));
1502 }
1503 }
1504 iterator->destroy(iterator);
1505 charon->ike_sa_manager->checkin(charon->ike_sa_manager, &new->public);
1506 return status;
1507 }
1508 }
1509
1510 /**
1511 * Implementation of ike_sa_t.get_id.
1512 */
1513 static ike_sa_id_t* get_id(private_ike_sa_t *this)
1514 {
1515 return this->ike_sa_id;
1516 }
1517
1518 /**
1519 * Implementation of ike_sa_t.get_my_id.
1520 */
1521 static identification_t* get_my_id(private_ike_sa_t *this)
1522 {
1523 return this->my_id;
1524 }
1525
1526 /**
1527 * Implementation of ike_sa_t.set_my_id.
1528 */
1529 static void set_my_id(private_ike_sa_t *this, identification_t *me)
1530 {
1531 DESTROY_IF(this->my_id);
1532 this->my_id = me;
1533 }
1534
1535 /**
1536 * Implementation of ike_sa_t.get_other_id.
1537 */
1538 static identification_t* get_other_id(private_ike_sa_t *this)
1539 {
1540 return this->other_id;
1541 }
1542
1543 /**
1544 * Implementation of ike_sa_t.set_other_id.
1545 */
1546 static void set_other_id(private_ike_sa_t *this, identification_t *other)
1547 {
1548 DESTROY_IF(this->other_id);
1549 this->other_id = other;
1550 }
1551
1552 /**
1553 * Implementation of ike_sa_t.get_eap_identity.
1554 */
1555 static identification_t* get_eap_identity(private_ike_sa_t *this)
1556 {
1557 return this->eap_identity;
1558 }
1559
1560 /**
1561 * Implementation of ike_sa_t.set_eap_identity.
1562 */
1563 static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
1564 {
1565 DESTROY_IF(this->eap_identity);
1566 this->eap_identity = id;
1567 }
1568
1569 /**
1570 * Implementation of ike_sa_t.add_child_sa.
1571 */
1572 static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
1573 {
1574 this->child_sas->insert_last(this->child_sas, child_sa);
1575 }
1576
1577 /**
1578 * Implementation of ike_sa_t.get_child_sa.
1579 */
1580 static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1581 u_int32_t spi, bool inbound)
1582 {
1583 iterator_t *iterator;
1584 child_sa_t *current, *found = NULL;
1585
1586 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1587 while (iterator->iterate(iterator, (void**)&current))
1588 {
1589 if (current->get_spi(current, inbound) == spi &&
1590 current->get_protocol(current) == protocol)
1591 {
1592 found = current;
1593 }
1594 }
1595 iterator->destroy(iterator);
1596 return found;
1597 }
1598
1599 /**
1600 * Implementation of ike_sa_t.create_child_sa_iterator.
1601 */
1602 static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
1603 {
1604 return this->child_sas->create_iterator(this->child_sas, TRUE);
1605 }
1606
1607 /**
1608 * Implementation of ike_sa_t.rekey_child_sa.
1609 */
1610 static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1611 u_int32_t spi)
1612 {
1613 child_rekey_t *child_rekey;
1614
1615 child_rekey = child_rekey_create(&this->public, protocol, spi);
1616 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1617 return this->task_manager->initiate(this->task_manager);
1618 }
1619
1620 /**
1621 * Implementation of ike_sa_t.delete_child_sa.
1622 */
1623 static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1624 u_int32_t spi)
1625 {
1626 child_delete_t *child_delete;
1627
1628 child_delete = child_delete_create(&this->public, protocol, spi);
1629 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1630 return this->task_manager->initiate(this->task_manager);
1631 }
1632
1633 /**
1634 * Implementation of ike_sa_t.destroy_child_sa.
1635 */
1636 static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
1637 u_int32_t spi)
1638 {
1639 iterator_t *iterator;
1640 child_sa_t *child_sa;
1641 status_t status = NOT_FOUND;
1642
1643 iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
1644 while (iterator->iterate(iterator, (void**)&child_sa))
1645 {
1646 if (child_sa->get_protocol(child_sa) == protocol &&
1647 child_sa->get_spi(child_sa, TRUE) == spi)
1648 {
1649 child_sa->destroy(child_sa);
1650 iterator->remove(iterator);
1651 status = SUCCESS;
1652 break;
1653 }
1654 }
1655 iterator->destroy(iterator);
1656 return status;
1657 }
1658
1659 /**
1660 * Implementation of public_ike_sa_t.delete.
1661 */
1662 static status_t delete_(private_ike_sa_t *this)
1663 {
1664 ike_delete_t *ike_delete;
1665
1666 switch (this->state)
1667 {
1668 case IKE_ESTABLISHED:
1669 case IKE_REKEYING:
1670 ike_delete = ike_delete_create(&this->public, TRUE);
1671 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1672 return this->task_manager->initiate(this->task_manager);
1673 case IKE_CREATED:
1674 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1675 break;
1676 case IKE_PASSIVE:
1677 break;
1678 default:
1679 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1680 "without notification", ike_sa_state_names, this->state);
1681 break;
1682 }
1683 return DESTROY_ME;
1684 }
1685
1686 /**
1687 * Implementation of ike_sa_t.rekey.
1688 */
1689 static status_t rekey(private_ike_sa_t *this)
1690 {
1691 ike_rekey_t *ike_rekey;
1692
1693 ike_rekey = ike_rekey_create(&this->public, TRUE);
1694
1695 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1696 return this->task_manager->initiate(this->task_manager);
1697 }
1698
1699 /**
1700 * Implementation of ike_sa_t.reauth
1701 */
1702 static status_t reauth(private_ike_sa_t *this)
1703 {
1704 task_t *task;
1705
1706 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1707 * If the peer does not support RFC4478, there is no way to keep the
1708 * IKE_SA up. */
1709 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1710 {
1711 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1712 if (this->other_virtual_ip != NULL ||
1713 has_condition(this, COND_EAP_AUTHENTICATED)
1714 #ifdef ME
1715 /* if we are mediation server we too cannot reauth the IKE_SA */
1716 || this->is_mediation_server
1717 #endif /* ME */
1718 )
1719 {
1720 time_t now = time(NULL);
1721
1722 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1723 &now, &this->stats[STAT_DELETE]);
1724 return FAILED;
1725 }
1726 else
1727 {
1728 DBG1(DBG_IKE, "reauthenticating actively");
1729 }
1730 }
1731 task = (task_t*)ike_reauth_create(&this->public);
1732 this->task_manager->queue_task(this->task_manager, task);
1733
1734 return this->task_manager->initiate(this->task_manager);
1735 }
1736
1737 /**
1738 * Implementation of ike_sa_t.reestablish
1739 */
1740 static status_t reestablish(private_ike_sa_t *this)
1741 {
1742 ike_sa_t *new;
1743 host_t *host;
1744 action_t action;
1745 iterator_t *iterator;
1746 child_sa_t *child_sa;
1747 child_cfg_t *child_cfg;
1748 bool required = FALSE;
1749 status_t status = FAILED;
1750
1751 /* check if we have children to keep up at all*/
1752 iterator = create_child_sa_iterator(this);
1753 while (iterator->iterate(iterator, (void**)&child_sa))
1754 {
1755 child_cfg = child_sa->get_config(child_sa);
1756 if (this->state == IKE_DELETING)
1757 {
1758 action = child_cfg->get_close_action(child_cfg);
1759 }
1760 else
1761 {
1762 action = child_cfg->get_dpd_action(child_cfg);
1763 }
1764 switch (action)
1765 {
1766 case ACTION_RESTART:
1767 case ACTION_ROUTE:
1768 required = TRUE;
1769 default:
1770 break;
1771 }
1772 }
1773 iterator->destroy(iterator);
1774 #ifdef ME
1775 /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
1776 if (this->peer_cfg->is_mediation(this->peer_cfg))
1777 {
1778 required = TRUE;
1779 }
1780 #endif /* ME */
1781 if (!required)
1782 {
1783 return FAILED;
1784 }
1785
1786 /* check if we are able to reestablish this IKE_SA */
1787 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1788 (this->other_virtual_ip != NULL ||
1789 has_condition(this, COND_EAP_AUTHENTICATED)
1790 #ifdef ME
1791 || this->is_mediation_server
1792 #endif /* ME */
1793 ))
1794 {
1795 DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
1796 return FAILED;
1797 }
1798
1799 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1800 new->set_peer_cfg(new, this->peer_cfg);
1801 host = this->other_host;
1802 new->set_other_host(new, host->clone(host));
1803 host = this->my_host;
1804 new->set_my_host(new, host->clone(host));
1805 /* if we already have a virtual IP, we reuse it */
1806 host = this->my_virtual_ip;
1807 if (host)
1808 {
1809 new->set_virtual_ip(new, TRUE, host);
1810 }
1811
1812 #ifdef ME
1813 if (this->peer_cfg->is_mediation(this->peer_cfg))
1814 {
1815 status = new->initiate(new, NULL);
1816 }
1817 else
1818 #endif /* ME */
1819 {
1820 iterator = create_child_sa_iterator(this);
1821 while (iterator->iterate(iterator, (void**)&child_sa))
1822 {
1823 child_cfg = child_sa->get_config(child_sa);
1824 if (this->state == IKE_DELETING)
1825 {
1826 action = child_cfg->get_close_action(child_cfg);
1827 }
1828 else
1829 {
1830 action = child_cfg->get_dpd_action(child_cfg);
1831 }
1832 switch (action)
1833 {
1834 case ACTION_RESTART:
1835 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1836 child_cfg->get_name(child_cfg));
1837 child_cfg->get_ref(child_cfg);
1838 status = new->initiate(new, child_cfg);
1839 break;
1840 case ACTION_ROUTE:
1841 status = new->route(new, child_cfg);
1842 break;
1843 default:
1844 continue;
1845 }
1846 if (status == DESTROY_ME)
1847 {
1848 break;
1849 }
1850 }
1851 iterator->destroy(iterator);
1852 }
1853
1854 if (status == DESTROY_ME)
1855 {
1856 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1857 return FAILED;
1858 }
1859 else
1860 {
1861 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1862 return SUCCESS;
1863 }
1864 }
1865
1866 /**
1867 * Implementation of ike_sa_t.retransmit.
1868 */
1869 static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
1870 {
1871 this->stats[STAT_OUTBOUND] = time(NULL);
1872 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1873 {
1874 /* send a proper signal to brief interested bus listeners */
1875 switch (this->state)
1876 {
1877 case IKE_CONNECTING:
1878 {
1879 /* retry IKE_SA_INIT if we have multiple keyingtries */
1880 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1881 this->keyingtry++;
1882 if (tries == 0 || tries > this->keyingtry)
1883 {
1884 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1885 this->keyingtry + 1, tries);
1886 reset(this);
1887 return this->task_manager->initiate(this->task_manager);
1888 }
1889 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1890 break;
1891 }
1892 case IKE_DELETING:
1893 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1894 break;
1895 case IKE_REKEYING:
1896 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1897 /* FALL */
1898 default:
1899 reestablish(this);
1900 break;
1901 }
1902 return DESTROY_ME;
1903 }
1904 return SUCCESS;
1905 }
1906
1907 /**
1908 * Implementation of ike_sa_t.set_auth_lifetime.
1909 */
1910 static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
1911 {
1912 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1913 u_int32_t reauth_time = time(NULL) + lifetime - reduction;
1914
1915 if (lifetime < reduction)
1916 {
1917 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1918 lifetime);
1919 charon->processor->queue_job(charon->processor,
1920 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1921 }
1922 else if (this->stats[STAT_REAUTH] == 0 ||
1923 this->stats[STAT_REAUTH] > reauth_time)
1924 {
1925 this->stats[STAT_REAUTH] = reauth_time;
1926 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1927 " in %ds", lifetime, lifetime - reduction);
1928 charon->scheduler->schedule_job(charon->scheduler,
1929 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1930 lifetime - reduction);
1931 }
1932 else
1933 {
1934 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, reauthentication already "
1935 "scheduled in %ds", lifetime, this->stats[STAT_REAUTH] - time(NULL));
1936 }
1937 }
1938
1939 /**
1940 * Implementation of ike_sa_t.roam.
1941 */
1942 static status_t roam(private_ike_sa_t *this, bool address)
1943 {
1944 host_t *src;
1945 ike_mobike_t *mobike;
1946
1947 switch (this->state)
1948 {
1949 case IKE_CREATED:
1950 case IKE_DELETING:
1951 case IKE_PASSIVE:
1952 return SUCCESS;
1953 default:
1954 break;
1955 }
1956 /* responder just updates the peer about changed address config */
1957 if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
1958 {
1959 if (supports_extension(this, EXT_MOBIKE) && address)
1960 {
1961 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1962 mobike = ike_mobike_create(&this->public, TRUE);
1963 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1964 return this->task_manager->initiate(this->task_manager);
1965 }
1966 return SUCCESS;
1967 }
1968
1969 /* keep existing path if possible */
1970 src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
1971 this->other_host, this->my_host);
1972 if (src)
1973 {
1974 if (src->ip_equals(src, this->my_host))
1975 {
1976 DBG2(DBG_IKE, "keeping connection path %H - %H",
1977 src, this->other_host);
1978 src->destroy(src);
1979 return SUCCESS;
1980 }
1981 src->destroy(src);
1982 }
1983
1984 /* update addresses with mobike, if supported ... */
1985 if (supports_extension(this, EXT_MOBIKE))
1986 {
1987 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1988 mobike = ike_mobike_create(&this->public, TRUE);
1989 mobike->roam(mobike, address);
1990 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1991 return this->task_manager->initiate(this->task_manager);
1992 }
1993 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1994 /* ... reauth if not */
1995 return reauth(this);
1996 }
1997
1998 /**
1999 * Implementation of ike_sa_t.inherit.
2000 */
2001 static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
2002 {
2003 child_sa_t *child_sa;
2004 host_t *ip;
2005
2006 /* apply hosts and ids */
2007 this->my_host->destroy(this->my_host);
2008 this->other_host->destroy(this->other_host);
2009 this->my_id->destroy(this->my_id);
2010 this->other_id->destroy(this->other_id);
2011 this->my_host = other->my_host->clone(other->my_host);
2012 this->other_host = other->other_host->clone(other->other_host);
2013 this->my_id = other->my_id->clone(other->my_id);
2014 this->other_id = other->other_id->clone(other->other_id);
2015
2016 /* apply virtual assigned IPs... */
2017 if (other->my_virtual_ip)
2018 {
2019 this->my_virtual_ip = other->my_virtual_ip;
2020 other->my_virtual_ip = NULL;
2021 }
2022 if (other->other_virtual_ip)
2023 {
2024 this->other_virtual_ip = other->other_virtual_ip;
2025 other->other_virtual_ip = NULL;
2026 }
2027
2028 /* ... and DNS servers */
2029 while (other->dns_servers->remove_last(other->dns_servers,
2030 (void**)&ip) == SUCCESS)
2031 {
2032 this->dns_servers->insert_first(this->dns_servers, ip);
2033 }
2034
2035 /* inherit all conditions */
2036 this->conditions = other->conditions;
2037 if (this->conditions & COND_NAT_HERE)
2038 {
2039 send_keepalive(this);
2040 }
2041
2042 #ifdef ME
2043 if (other->is_mediation_server)
2044 {
2045 act_as_mediation_server(this);
2046 }
2047 else if (other->server_reflexive_host)
2048 {
2049 this->server_reflexive_host = other->server_reflexive_host->clone(
2050 other->server_reflexive_host);
2051 }
2052 #endif /* ME */
2053
2054 /* adopt all children */
2055 while (other->child_sas->remove_last(other->child_sas,
2056 (void**)&child_sa) == SUCCESS)
2057 {
2058 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2059 }
2060
2061 /* move pending tasks to the new IKE_SA */
2062 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2063
2064 /* reauthentication timeout survives a rekeying */
2065 if (other->stats[STAT_REAUTH])
2066 {
2067 time_t reauth, delete, now = time(NULL);
2068
2069 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2070 reauth = this->stats[STAT_REAUTH] - now;
2071 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2072 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2073 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2074 "lifetime reduced to %ds", reauth, delete);
2075 charon->scheduler->schedule_job(charon->scheduler,
2076 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2077 charon->scheduler->schedule_job(charon->scheduler,
2078 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2079 }
2080 /* we have to initate here, there may be new tasks to handle */
2081 return this->task_manager->initiate(this->task_manager);
2082 }
2083
2084 /**
2085 * Implementation of ike_sa_t.remove_dns_server
2086 */
2087 static void remove_dns_servers(private_ike_sa_t *this)
2088 {
2089 FILE *file;
2090 struct stat stats;
2091 chunk_t contents, line, orig_line, token;
2092 char string[INET6_ADDRSTRLEN];
2093 host_t *ip;
2094 iterator_t *iterator;
2095
2096 if (this->dns_servers->get_count(this->dns_servers) == 0)
2097 {
2098 /* don't touch anything if we have no nameservers installed */
2099 return;
2100 }
2101
2102 file = fopen(RESOLV_CONF, "r");
2103 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2104 {
2105 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2106 RESOLV_CONF, strerror(errno));
2107 return;
2108 }
2109
2110 contents = chunk_alloca((size_t)stats.st_size);
2111
2112 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2113 {
2114 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2115 fclose(file);
2116 return;
2117 }
2118
2119 fclose(file);
2120 file = fopen(RESOLV_CONF, "w");
2121 if (file == NULL)
2122 {
2123 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2124 RESOLV_CONF, strerror(errno));
2125 return;
2126 }
2127
2128 iterator = this->dns_servers->create_iterator(this->dns_servers, TRUE);
2129 while (fetchline(&contents, &line))
2130 {
2131 bool found = FALSE;
2132 orig_line = line;
2133 if (extract_token(&token, ' ', &line) &&
2134 strncasecmp(token.ptr, "nameserver", token.len) == 0)
2135 {
2136 if (!extract_token(&token, ' ', &line))
2137 {
2138 token = line;
2139 }
2140 iterator->reset(iterator);
2141 while (iterator->iterate(iterator, (void**)&ip))
2142 {
2143 snprintf(string, sizeof(string), "%H", ip);
2144 if (strlen(string) == token.len &&
2145 strncmp(token.ptr, string, token.len) == 0)
2146 {
2147 iterator->remove(iterator);
2148 ip->destroy(ip);
2149 found = TRUE;
2150 break;
2151 }
2152 }
2153 }
2154
2155 if (!found)
2156 {
2157 /* write line untouched back to file */
2158 ignore_result(fwrite(orig_line.ptr, orig_line.len, 1, file));
2159 fprintf(file, "\n");
2160 }
2161 }
2162 iterator->destroy(iterator);
2163 fclose(file);
2164 }
2165
2166 /**
2167 * Implementation of ike_sa_t.add_dns_server
2168 */
2169 static void add_dns_server(private_ike_sa_t *this, host_t *dns)
2170 {
2171 FILE *file;
2172 struct stat stats;
2173 chunk_t contents;
2174
2175 DBG1(DBG_IKE, "installing DNS server %H", dns);
2176
2177 file = fopen(RESOLV_CONF, "a+");
2178 if (file == NULL || stat(RESOLV_CONF, &stats) != 0)
2179 {
2180 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2181 RESOLV_CONF, strerror(errno));
2182 return;
2183 }
2184
2185 contents = chunk_alloca(stats.st_size);
2186
2187 if (fread(contents.ptr, 1, contents.len, file) != contents.len)
2188 {
2189 DBG1(DBG_IKE, "unable to read DNS configuration file: %s", strerror(errno));
2190 fclose(file);
2191 return;
2192 }
2193
2194 fclose(file);
2195 file = fopen(RESOLV_CONF, "w");
2196 if (file == NULL)
2197 {
2198 DBG1(DBG_IKE, "unable to open DNS configuration file %s: %s",
2199 RESOLV_CONF, strerror(errno));
2200 return;
2201 }
2202
2203 if (fprintf(file, "nameserver %H # added by strongSwan, assigned by %D\n",
2204 dns, this->other_id) < 0)
2205 {
2206 DBG1(DBG_IKE, "unable to write DNS configuration: %s", strerror(errno));
2207 }
2208 else
2209 {
2210 this->dns_servers->insert_last(this->dns_servers, dns->clone(dns));
2211 }
2212 ignore_result(fwrite(contents.ptr, contents.len, 1, file));
2213
2214 fclose(file);
2215 }
2216
2217 /**
2218 * Implementation of ike_sa_t.destroy.
2219 */
2220 static void destroy(private_ike_sa_t *this)
2221 {
2222 charon->bus->set_sa(charon->bus, &this->public);
2223
2224 set_state(this, IKE_DESTROYING);
2225
2226 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2227
2228 /* unset SA after here to avoid usage by the listeners */
2229 charon->bus->set_sa(charon->bus, NULL);
2230
2231 this->task_manager->destroy(this->task_manager);
2232 this->keymat->destroy(this->keymat);
2233
2234 if (this->my_virtual_ip)
2235 {
2236 charon->kernel_interface->del_ip(charon->kernel_interface,
2237 this->my_virtual_ip);
2238 this->my_virtual_ip->destroy(this->my_virtual_ip);
2239 }
2240 if (this->other_virtual_ip)
2241 {
2242 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2243 {
2244 charon->attributes->release_address(charon->attributes,
2245 this->peer_cfg->get_pool(this->peer_cfg),
2246 this->other_virtual_ip, this->other_id);
2247 }
2248 this->other_virtual_ip->destroy(this->other_virtual_ip);
2249 }
2250
2251 remove_dns_servers(this);
2252 this->dns_servers->destroy_offset(this->dns_servers,
2253 offsetof(host_t, destroy));
2254 this->additional_addresses->destroy_offset(this->additional_addresses,
2255 offsetof(host_t, destroy));
2256 #ifdef ME
2257 if (this->is_mediation_server)
2258 {
2259 charon->mediation_manager->remove(charon->mediation_manager, this->ike_sa_id);
2260 }
2261 DESTROY_IF(this->server_reflexive_host);
2262 chunk_free(&this->connect_id);
2263 #endif /* ME */
2264 free(this->nat_detection_dest.ptr);
2265
2266 DESTROY_IF(this->my_host);
2267 DESTROY_IF(this->other_host);
2268 DESTROY_IF(this->my_id);
2269 DESTROY_IF(this->other_id);
2270 DESTROY_IF(this->local_host);
2271 DESTROY_IF(this->remote_host);
2272 DESTROY_IF(this->eap_identity);
2273
2274 DESTROY_IF(this->ike_cfg);
2275 DESTROY_IF(this->peer_cfg);
2276 DESTROY_IF(this->proposal);
2277 this->my_auth->destroy(this->my_auth);
2278 this->other_auth->destroy(this->other_auth);
2279
2280 this->ike_sa_id->destroy(this->ike_sa_id);
2281 free(this);
2282 }
2283
2284 /*
2285 * Described in header.
2286 */
2287 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2288 {
2289 private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
2290 static u_int32_t unique_id = 0;
2291
2292 /* Public functions */
2293 this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state;
2294 this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state;
2295 this->public.get_name = (char* (*)(ike_sa_t*))get_name;
2296 this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic;
2297 this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message;
2298 this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*)) initiate;
2299 this->public.route = (status_t (*)(ike_sa_t*,child_cfg_t*)) route;
2300 this->public.unroute = (status_t (*)(ike_sa_t*,u_int32_t)) unroute;
2301 this->public.acquire = (status_t (*)(ike_sa_t*,u_int32_t)) acquire;
2302 this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
2303 this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg;
2304 this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
2305 this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg;
2306 this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg;
2307 this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal;
2308 this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal;
2309 this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id;
2310 this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host;
2311 this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host;
2312 this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host;
2313 this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host;
2314 this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id;
2315 this->public.update_hosts = (void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts;
2316 this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id;
2317 this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id;
2318 this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id;
2319 this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id;
2320 this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*)) get_eap_identity;
2321 this->public.set_eap_identity = (void (*)(ike_sa_t*,identification_t*)) set_eap_identity;
2322 this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension;
2323 this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension;
2324 this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition;
2325 this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition;
2326 this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates;
2327 this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates;
2328 this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator;
2329 this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address;
2330 this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed;
2331 this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit;
2332 this->public.delete = (status_t (*)(ike_sa_t*))delete_;
2333 this->public.destroy = (void (*)(ike_sa_t*))destroy;
2334 this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
2335 this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
2336 this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat;
2337 this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa;
2338 this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
2339 this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
2340 this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
2341 this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
2342 this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
2343 this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
2344 this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
2345 this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
2346 this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime;
2347 this->public.roam = (status_t(*)(ike_sa_t*,bool))roam;
2348 this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit;
2349 this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message;
2350 this->public.reset = (void (*)(ike_sa_t*))reset;
2351 this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
2352 this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip;
2353 this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip;
2354 this->public.add_dns_server = (void (*)(ike_sa_t*,host_t*))add_dns_server;
2355 this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress;
2356 #ifdef ME
2357 this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server;
2358 this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host;
2359 this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host;
2360 this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id;
2361 this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) initiate_mediation;
2362 this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated;
2363 this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay;
2364 this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback;
2365 this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond;
2366 #endif /* ME */
2367
2368 /* initialize private fields */
2369 this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
2370 this->child_sas = linked_list_create();
2371 this->my_host = host_create_any(AF_INET);
2372 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2373 this->other_host = host_create_any(AF_INET);
2374 this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2375 this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
2376 this->eap_identity = NULL;
2377 this->extensions = 0;
2378 this->conditions = 0;
2379 this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
2380 this->state = IKE_CREATED;
2381 this->keepalive_interval = lib->settings->get_time(lib->settings,
2382 "charon.keep_alive", KEEPALIVE_INTERVAL);
2383 memset(this->stats, 0, sizeof(this->stats));
2384 this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time(NULL);
2385 this->ike_cfg = NULL;
2386 this->peer_cfg = NULL;
2387 this->my_auth = auth_cfg_create();
2388 this->other_auth = auth_cfg_create();
2389 this->proposal = NULL;
2390 this->task_manager = task_manager_create(&this->public);
2391 this->unique_id = ++unique_id;
2392 this->my_virtual_ip = NULL;
2393 this->other_virtual_ip = NULL;
2394 this->dns_servers = linked_list_create();
2395 this->additional_addresses = linked_list_create();
2396 this->nat_detection_dest = chunk_empty;
2397 this->pending_updates = 0;
2398 this->keyingtry = 0;
2399 this->local_host = NULL;
2400 this->remote_host = NULL;
2401 #ifdef ME
2402 this->is_mediation_server = FALSE;
2403 this->server_reflexive_host = NULL;
2404 this->connect_id = chunk_empty;
2405 #endif /* ME */
2406
2407 return &this->public;
2408 }