ike: Delay actively initiated reauthentication when other exchanges in progress
[strongswan.git] / src / libcharon / processing / jobs / rekey_ike_sa_job.c
1 /*
2 * Copyright (C) 2006 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "rekey_ike_sa_job.h"
17
18 #include <daemon.h>
19
20 typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t;
21
22 /**
23 * Private data of an rekey_ike_sa_job_t object.
24 */
25 struct private_rekey_ike_sa_job_t {
26 /**
27 * Public rekey_ike_sa_job_t interface.
28 */
29 rekey_ike_sa_job_t public;
30
31 /**
32 * ID of the IKE_SA to rekey
33 */
34 ike_sa_id_t *ike_sa_id;
35
36 /**
37 * force reauthentication of the peer (full IKE_SA setup)
38 */
39 bool reauth;
40 };
41
42 METHOD(job_t, destroy, void,
43 private_rekey_ike_sa_job_t *this)
44 {
45 this->ike_sa_id->destroy(this->ike_sa_id);
46 free(this);
47 }
48
49 /**
50 * Check if we should delay a reauth, and by how many seconds
51 */
52 static u_int32_t get_retry_delay(ike_sa_t *ike_sa)
53 {
54 enumerator_t *enumerator;
55 child_sa_t *child_sa;
56 u_int32_t retry = 0;
57
58 /* avoid reauth collisions for certain IKE_SA/CHILD_SA states */
59 if (ike_sa->get_state(ike_sa) != IKE_ESTABLISHED)
60 {
61 retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
62 DBG1(DBG_IKE, "unable to reauthenticate in %N state, delaying for %us",
63 ike_sa_state_names, ike_sa->get_state(ike_sa), retry);
64 }
65 else
66 {
67 enumerator = ike_sa->create_child_sa_enumerator(ike_sa);
68 while (enumerator->enumerate(enumerator, &child_sa))
69 {
70 if (child_sa->get_state(child_sa) != CHILD_INSTALLED)
71 {
72 retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
73 DBG1(DBG_IKE, "unable to reauthenticate in CHILD_SA %N state, "
74 "delaying for %us", child_sa_state_names,
75 child_sa->get_state(child_sa), retry);
76 break;
77 }
78 }
79 enumerator->destroy(enumerator);
80 }
81 return retry;
82 }
83
84 METHOD(job_t, execute, job_requeue_t,
85 private_rekey_ike_sa_job_t *this)
86 {
87 ike_sa_t *ike_sa;
88 status_t status = SUCCESS;
89 u_int32_t retry = 0;
90
91 ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager,
92 this->ike_sa_id);
93 if (ike_sa == NULL)
94 {
95 DBG2(DBG_JOB, "IKE_SA to rekey not found");
96 }
97 else
98 {
99 if (this->reauth)
100 {
101 retry = get_retry_delay(ike_sa);
102 if (!retry)
103 {
104 status = ike_sa->reauth(ike_sa);
105 }
106 }
107 else
108 {
109 status = ike_sa->rekey(ike_sa);
110 }
111
112 if (status == DESTROY_ME)
113 {
114 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager,
115 ike_sa);
116 }
117 else
118 {
119 charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
120 }
121 }
122 if (retry)
123 {
124 return JOB_RESCHEDULE(retry);
125 }
126 return JOB_REQUEUE_NONE;
127 }
128
129 METHOD(job_t, get_priority, job_priority_t,
130 private_rekey_ike_sa_job_t *this)
131 {
132 return JOB_PRIO_MEDIUM;
133 }
134
135 /*
136 * Described in header
137 */
138 rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth)
139 {
140 private_rekey_ike_sa_job_t *this;
141
142 INIT(this,
143 .public = {
144 .job_interface = {
145 .execute = _execute,
146 .get_priority = _get_priority,
147 .destroy = _destroy,
148 },
149 },
150 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
151 .reauth = reauth,
152 );
153
154 return &(this->public);
155 }