libhydra: Move kernel interface to libcharon
[strongswan.git] / src / libcharon / processing / jobs / adopt_children_job.c
1 /*
2 * Copyright (C) 2015 Tobias Brunner
3 * Hochschule fuer Technik Rapperswil
4 *
5 * Copyright (C) 2012 Martin Willi
6 * Copyright (C) 2012 revosec AG
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include "adopt_children_job.h"
20
21 #include <daemon.h>
22 #include <collections/array.h>
23 #include <processing/jobs/delete_ike_sa_job.h>
24
25 typedef struct private_adopt_children_job_t private_adopt_children_job_t;
26
27 /**
28 * Private data of an adopt_children_job_t object.
29 */
30 struct private_adopt_children_job_t {
31
32 /**
33 * Public adopt_children_job_t interface.
34 */
35 adopt_children_job_t public;
36
37 /**
38 * IKE_SA id to adopt children from
39 */
40 ike_sa_id_t *id;
41
42 /**
43 * Tasks queued for execution
44 */
45 array_t *tasks;
46 };
47
48 METHOD(job_t, destroy, void,
49 private_adopt_children_job_t *this)
50 {
51 array_destroy_offset(this->tasks, offsetof(task_t, destroy));
52 this->id->destroy(this->id);
53 free(this);
54 }
55
56 METHOD(job_t, execute, job_requeue_t,
57 private_adopt_children_job_t *this)
58 {
59 identification_t *my_id, *other_id, *xauth;
60 host_t *me, *other, *vip;
61 peer_cfg_t *cfg;
62 linked_list_t *children, *vips;
63 enumerator_t *enumerator, *subenum;
64 ike_sa_id_t *id;
65 ike_sa_t *ike_sa;
66 child_sa_t *child_sa;
67 u_int32_t unique;
68
69 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, this->id);
70 if (ike_sa)
71 {
72 /* get what we need from new SA */
73 unique = ike_sa->get_unique_id(ike_sa);
74 me = ike_sa->get_my_host(ike_sa);
75 me = me->clone(me);
76 other = ike_sa->get_other_host(ike_sa);
77 other = other->clone(other);
78 my_id = ike_sa->get_my_id(ike_sa);
79 my_id = my_id->clone(my_id);
80 other_id = ike_sa->get_other_id(ike_sa);
81 other_id = other_id->clone(other_id);
82 xauth = ike_sa->get_other_eap_id(ike_sa);
83 xauth = xauth->clone(xauth);
84 cfg = ike_sa->get_peer_cfg(ike_sa);
85 cfg->get_ref(cfg);
86
87 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
88
89 /* find old SA to adopt children and virtual IPs from */
90 vips = linked_list_create();
91 children = linked_list_create();
92 enumerator = charon->ike_sa_manager->create_id_enumerator(
93 charon->ike_sa_manager, my_id, xauth,
94 other->get_family(other));
95 while (enumerator->enumerate(enumerator, &id))
96 {
97 if (id->equals(id, this->id))
98 { /* not from self */
99 continue;
100 }
101 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id);
102 if (ike_sa)
103 {
104 if ((ike_sa->get_state(ike_sa) == IKE_ESTABLISHED ||
105 ike_sa->get_state(ike_sa) == IKE_PASSIVE) &&
106 me->equals(me, ike_sa->get_my_host(ike_sa)) &&
107 other->equals(other, ike_sa->get_other_host(ike_sa)) &&
108 other_id->equals(other_id, ike_sa->get_other_id(ike_sa)) &&
109 cfg->equals(cfg, ike_sa->get_peer_cfg(ike_sa)))
110 {
111 charon->bus->children_migrate(charon->bus, this->id, unique);
112 subenum = ike_sa->create_child_sa_enumerator(ike_sa);
113 while (subenum->enumerate(subenum, &child_sa))
114 {
115 ike_sa->remove_child_sa(ike_sa, subenum);
116 children->insert_last(children, child_sa);
117 }
118 subenum->destroy(subenum);
119
120 subenum = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
121 while (subenum->enumerate(subenum, &vip))
122 {
123 vips->insert_last(vips, vip->clone(vip));
124 }
125 subenum->destroy(subenum);
126 /* this does not release the addresses, which is good, but
127 * it does trigger an assign_vips(FALSE) event, so we also
128 * trigger one below */
129 ike_sa->clear_virtual_ips(ike_sa, FALSE);
130 if (children->get_count(children) || vips->get_count(vips))
131 {
132 DBG1(DBG_IKE, "detected reauth of existing IKE_SA, "
133 "adopting %d children and %d virtual IPs",
134 children->get_count(children), vips->get_count(vips));
135 }
136 if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
137 {
138 charon->ike_sa_manager->checkin_and_destroy(
139 charon->ike_sa_manager, ike_sa);
140 }
141 else
142 {
143 lib->scheduler->schedule_job(lib->scheduler, (job_t*)
144 delete_ike_sa_job_create(ike_sa->get_id(ike_sa),
145 TRUE), 10);
146 charon->ike_sa_manager->checkin(
147 charon->ike_sa_manager, ike_sa);
148 }
149 }
150 else
151 {
152 charon->ike_sa_manager->checkin(
153 charon->ike_sa_manager, ike_sa);
154 }
155 if (children->get_count(children) || vips->get_count(vips))
156 {
157 break;
158 }
159 }
160 }
161 enumerator->destroy(enumerator);
162
163 me->destroy(me);
164 other->destroy(other);
165 my_id->destroy(my_id);
166 other_id->destroy(other_id);
167 xauth->destroy(xauth);
168 cfg->destroy(cfg);
169
170 if (children->get_count(children) || vips->get_count(vips))
171 {
172 /* adopt children by new SA */
173 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
174 this->id);
175 if (ike_sa)
176 {
177 while (children->remove_last(children,
178 (void**)&child_sa) == SUCCESS)
179 {
180 ike_sa->add_child_sa(ike_sa, child_sa);
181 }
182 if (vips->get_count(vips))
183 {
184 while (vips->remove_first(vips, (void**)&vip) == SUCCESS)
185 {
186 ike_sa->add_virtual_ip(ike_sa, FALSE, vip);
187 vip->destroy(vip);
188 }
189 charon->bus->assign_vips(charon->bus, ike_sa, TRUE);
190 }
191 charon->bus->children_migrate(charon->bus, NULL, 0);
192 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
193 }
194 }
195 children->destroy_offset(children, offsetof(child_sa_t, destroy));
196 /* FIXME: If we still have addresses here it means we weren't able to
197 * find the new SA anymore (while not very likely during a proper
198 * reauthentication, this theoretically could happen because the SA is
199 * not locked while we search for the old one). So the addresses here
200 * should be released properly to avoid leaking these leases. This is
201 * currently not possible, though, due to the changed interface of
202 * release_address(), which now takes a complete IKE_SA object. */
203 vips->destroy_offset(vips, offsetof(host_t, destroy));
204
205 if (array_count(this->tasks))
206 {
207 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
208 this->id);
209 if (ike_sa)
210 {
211 task_t *task;
212
213 while (array_remove(this->tasks, ARRAY_HEAD, &task))
214 {
215 task->migrate(task, ike_sa);
216 ike_sa->queue_task(ike_sa, task);
217 }
218 if (ike_sa->initiate(ike_sa, NULL, 0, NULL, NULL) == DESTROY_ME)
219 {
220 charon->ike_sa_manager->checkin_and_destroy(
221 charon->ike_sa_manager, ike_sa);
222 }
223 else
224 {
225 charon->ike_sa_manager->checkin(charon->ike_sa_manager,
226 ike_sa);
227 }
228 }
229 }
230 }
231 return JOB_REQUEUE_NONE;
232 }
233
234 METHOD(job_t, get_priority, job_priority_t,
235 private_adopt_children_job_t *this)
236 {
237 return JOB_PRIO_HIGH;
238 }
239
240 METHOD(adopt_children_job_t, queue_task, void,
241 private_adopt_children_job_t *this, task_t *task)
242 {
243 array_insert_create(&this->tasks, ARRAY_TAIL, task);
244 }
245
246 /**
247 * See header
248 */
249 adopt_children_job_t *adopt_children_job_create(ike_sa_id_t *id)
250 {
251 private_adopt_children_job_t *this;
252
253 INIT(this,
254 .public = {
255 .job_interface = {
256 .execute = _execute,
257 .get_priority = _get_priority,
258 .destroy = _destroy,
259 },
260 .queue_task = _queue_task,
261 },
262 .id = id->clone(id),
263 );
264
265 return &this->public;
266 }