child-sa: Use any fixed reqid configured on the CHILD_SA config
[strongswan.git] / src / libcharon / sa / child_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2005-2008 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #define _GNU_SOURCE
20 #include "child_sa.h"
21
22 #include <stdio.h>
23 #include <string.h>
24 #include <time.h>
25
26 #include <hydra.h>
27 #include <daemon.h>
28 #include <collections/array.h>
29
30 ENUM(child_sa_state_names, CHILD_CREATED, CHILD_DESTROYING,
31 "CREATED",
32 "ROUTED",
33 "INSTALLING",
34 "INSTALLED",
35 "UPDATING",
36 "REKEYING",
37 "REKEYED",
38 "RETRYING",
39 "DELETING",
40 "DESTROYING",
41 );
42
43 typedef struct private_child_sa_t private_child_sa_t;
44
45 /**
46 * Private data of a child_sa_t object.
47 */
48 struct private_child_sa_t {
49 /**
50 * Public interface of child_sa_t.
51 */
52 child_sa_t public;
53
54 /**
55 * address of us
56 */
57 host_t *my_addr;
58
59 /**
60 * address of remote
61 */
62 host_t *other_addr;
63
64 /**
65 * our actually used SPI, 0 if unused
66 */
67 u_int32_t my_spi;
68
69 /**
70 * others used SPI, 0 if unused
71 */
72 u_int32_t other_spi;
73
74 /**
75 * our Compression Parameter Index (CPI) used, 0 if unused
76 */
77 u_int16_t my_cpi;
78
79 /**
80 * others Compression Parameter Index (CPI) used, 0 if unused
81 */
82 u_int16_t other_cpi;
83
84 /**
85 * Array for local traffic selectors
86 */
87 array_t *my_ts;
88
89 /**
90 * Array for remote traffic selectors
91 */
92 array_t *other_ts;
93
94 /**
95 * Protocol used to protect this SA, ESP|AH
96 */
97 protocol_id_t protocol;
98
99 /**
100 * reqid used for this child_sa
101 */
102 u_int32_t reqid;
103
104 /**
105 * Did we allocate/confirm and must release the reqid?
106 */
107 bool reqid_allocated;
108
109 /*
110 * Unique CHILD_SA identifier
111 */
112 u_int32_t unique_id;
113
114 /**
115 * inbound mark used for this child_sa
116 */
117 mark_t mark_in;
118
119 /**
120 * outbound mark used for this child_sa
121 */
122 mark_t mark_out;
123
124 /**
125 * absolute time when rekeying is scheduled
126 */
127 time_t rekey_time;
128
129 /**
130 * absolute time when the SA expires
131 */
132 time_t expire_time;
133
134 /**
135 * absolute time when SA has been installed
136 */
137 time_t install_time;
138
139 /**
140 * state of the CHILD_SA
141 */
142 child_sa_state_t state;
143
144 /**
145 * TRUE if this CHILD_SA is used to install trap policies
146 */
147 bool trap;
148
149 /**
150 * Specifies if UDP encapsulation is enabled (NAT traversal)
151 */
152 bool encap;
153
154 /**
155 * Specifies the IPComp transform used (IPCOMP_NONE if disabled)
156 */
157 ipcomp_transform_t ipcomp;
158
159 /**
160 * mode this SA uses, tunnel/transport
161 */
162 ipsec_mode_t mode;
163
164 /**
165 * Action to enforce if peer closes the CHILD_SA
166 */
167 action_t close_action;
168
169 /**
170 * Action to enforce if peer is considered dead
171 */
172 action_t dpd_action;
173
174 /**
175 * selected proposal
176 */
177 proposal_t *proposal;
178
179 /**
180 * config used to create this child
181 */
182 child_cfg_t *config;
183
184 /**
185 * time of last use in seconds (inbound)
186 */
187 time_t my_usetime;
188
189 /**
190 * time of last use in seconds (outbound)
191 */
192 time_t other_usetime;
193
194 /**
195 * last number of inbound bytes
196 */
197 u_int64_t my_usebytes;
198
199 /**
200 * last number of outbound bytes
201 */
202 u_int64_t other_usebytes;
203
204 /**
205 * last number of inbound packets
206 */
207 u_int64_t my_usepackets;
208
209 /**
210 * last number of outbound bytes
211 */
212 u_int64_t other_usepackets;
213 };
214
215 /**
216 * convert an IKEv2 specific protocol identifier to the IP protocol identifier.
217 */
218 static inline u_int8_t proto_ike2ip(protocol_id_t protocol)
219 {
220 switch (protocol)
221 {
222 case PROTO_ESP:
223 return IPPROTO_ESP;
224 case PROTO_AH:
225 return IPPROTO_AH;
226 default:
227 return protocol;
228 }
229 }
230
231 METHOD(child_sa_t, get_name, char*,
232 private_child_sa_t *this)
233 {
234 return this->config->get_name(this->config);
235 }
236
237 METHOD(child_sa_t, get_reqid, u_int32_t,
238 private_child_sa_t *this)
239 {
240 return this->reqid;
241 }
242
243 METHOD(child_sa_t, get_unique_id, u_int32_t,
244 private_child_sa_t *this)
245 {
246 return this->unique_id;
247 }
248
249 METHOD(child_sa_t, get_config, child_cfg_t*,
250 private_child_sa_t *this)
251 {
252 return this->config;
253 }
254
255 METHOD(child_sa_t, set_state, void,
256 private_child_sa_t *this, child_sa_state_t state)
257 {
258 charon->bus->child_state_change(charon->bus, &this->public, state);
259 this->state = state;
260 }
261
262 METHOD(child_sa_t, get_state, child_sa_state_t,
263 private_child_sa_t *this)
264 {
265 return this->state;
266 }
267
268 METHOD(child_sa_t, get_spi, u_int32_t,
269 private_child_sa_t *this, bool inbound)
270 {
271 return inbound ? this->my_spi : this->other_spi;
272 }
273
274 METHOD(child_sa_t, get_cpi, u_int16_t,
275 private_child_sa_t *this, bool inbound)
276 {
277 return inbound ? this->my_cpi : this->other_cpi;
278 }
279
280 METHOD(child_sa_t, get_protocol, protocol_id_t,
281 private_child_sa_t *this)
282 {
283 return this->protocol;
284 }
285
286 METHOD(child_sa_t, set_protocol, void,
287 private_child_sa_t *this, protocol_id_t protocol)
288 {
289 this->protocol = protocol;
290 }
291
292 METHOD(child_sa_t, get_mode, ipsec_mode_t,
293 private_child_sa_t *this)
294 {
295 return this->mode;
296 }
297
298 METHOD(child_sa_t, set_mode, void,
299 private_child_sa_t *this, ipsec_mode_t mode)
300 {
301 this->mode = mode;
302 }
303
304 METHOD(child_sa_t, has_encap, bool,
305 private_child_sa_t *this)
306 {
307 return this->encap;
308 }
309
310 METHOD(child_sa_t, get_ipcomp, ipcomp_transform_t,
311 private_child_sa_t *this)
312 {
313 return this->ipcomp;
314 }
315
316 METHOD(child_sa_t, set_ipcomp, void,
317 private_child_sa_t *this, ipcomp_transform_t ipcomp)
318 {
319 this->ipcomp = ipcomp;
320 }
321
322 METHOD(child_sa_t, set_close_action, void,
323 private_child_sa_t *this, action_t action)
324 {
325 this->close_action = action;
326 }
327
328 METHOD(child_sa_t, get_close_action, action_t,
329 private_child_sa_t *this)
330 {
331 return this->close_action;
332 }
333
334 METHOD(child_sa_t, set_dpd_action, void,
335 private_child_sa_t *this, action_t action)
336 {
337 this->dpd_action = action;
338 }
339
340 METHOD(child_sa_t, get_dpd_action, action_t,
341 private_child_sa_t *this)
342 {
343 return this->dpd_action;
344 }
345
346 METHOD(child_sa_t, get_proposal, proposal_t*,
347 private_child_sa_t *this)
348 {
349 return this->proposal;
350 }
351
352 METHOD(child_sa_t, set_proposal, void,
353 private_child_sa_t *this, proposal_t *proposal)
354 {
355 this->proposal = proposal->clone(proposal);
356 }
357
358 METHOD(child_sa_t, create_ts_enumerator, enumerator_t*,
359 private_child_sa_t *this, bool local)
360 {
361 if (local)
362 {
363 return array_create_enumerator(this->my_ts);
364 }
365 return array_create_enumerator(this->other_ts);
366 }
367
368 typedef struct policy_enumerator_t policy_enumerator_t;
369
370 /**
371 * Private policy enumerator
372 */
373 struct policy_enumerator_t {
374 /** implements enumerator_t */
375 enumerator_t public;
376 /** enumerator over own TS */
377 enumerator_t *mine;
378 /** enumerator over others TS */
379 enumerator_t *other;
380 /** array of others TS, to recreate enumerator */
381 array_t *array;
382 /** currently enumerating TS for "me" side */
383 traffic_selector_t *ts;
384 };
385
386 METHOD(enumerator_t, policy_enumerate, bool,
387 policy_enumerator_t *this, traffic_selector_t **my_out,
388 traffic_selector_t **other_out)
389 {
390 traffic_selector_t *other_ts;
391
392 while (this->ts || this->mine->enumerate(this->mine, &this->ts))
393 {
394 if (!this->other->enumerate(this->other, &other_ts))
395 { /* end of others list, restart with new of mine */
396 this->other->destroy(this->other);
397 this->other = array_create_enumerator(this->array);
398 this->ts = NULL;
399 continue;
400 }
401 if (this->ts->get_type(this->ts) != other_ts->get_type(other_ts))
402 { /* family mismatch */
403 continue;
404 }
405 if (this->ts->get_protocol(this->ts) &&
406 other_ts->get_protocol(other_ts) &&
407 this->ts->get_protocol(this->ts) != other_ts->get_protocol(other_ts))
408 { /* protocol mismatch */
409 continue;
410 }
411 *my_out = this->ts;
412 *other_out = other_ts;
413 return TRUE;
414 }
415 return FALSE;
416 }
417
418 METHOD(enumerator_t, policy_destroy, void,
419 policy_enumerator_t *this)
420 {
421 this->mine->destroy(this->mine);
422 this->other->destroy(this->other);
423 free(this);
424 }
425
426 METHOD(child_sa_t, create_policy_enumerator, enumerator_t*,
427 private_child_sa_t *this)
428 {
429 policy_enumerator_t *e;
430
431 INIT(e,
432 .public = {
433 .enumerate = (void*)_policy_enumerate,
434 .destroy = _policy_destroy,
435 },
436 .mine = array_create_enumerator(this->my_ts),
437 .other = array_create_enumerator(this->other_ts),
438 .array = this->other_ts,
439 .ts = NULL,
440 );
441
442 return &e->public;
443 }
444
445 /**
446 * update the cached usebytes
447 * returns SUCCESS if the usebytes have changed, FAILED if not or no SPIs
448 * are available, and NOT_SUPPORTED if the kernel interface does not support
449 * querying the usebytes.
450 */
451 static status_t update_usebytes(private_child_sa_t *this, bool inbound)
452 {
453 status_t status = FAILED;
454 u_int64_t bytes, packets;
455 time_t time;
456
457 if (inbound)
458 {
459 if (this->my_spi)
460 {
461 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
462 this->other_addr, this->my_addr, this->my_spi,
463 proto_ike2ip(this->protocol), this->mark_in,
464 &bytes, &packets, &time);
465 if (status == SUCCESS)
466 {
467 if (bytes > this->my_usebytes)
468 {
469 this->my_usebytes = bytes;
470 this->my_usepackets = packets;
471 if (time)
472 {
473 this->my_usetime = time;
474 }
475 return SUCCESS;
476 }
477 return FAILED;
478 }
479 }
480 }
481 else
482 {
483 if (this->other_spi)
484 {
485 status = hydra->kernel_interface->query_sa(hydra->kernel_interface,
486 this->my_addr, this->other_addr, this->other_spi,
487 proto_ike2ip(this->protocol), this->mark_out,
488 &bytes, &packets, &time);
489 if (status == SUCCESS)
490 {
491 if (bytes > this->other_usebytes)
492 {
493 this->other_usebytes = bytes;
494 this->other_usepackets = packets;
495 if (time)
496 {
497 this->other_usetime = time;
498 }
499 return SUCCESS;
500 }
501 return FAILED;
502 }
503 }
504 }
505 return status;
506 }
507
508 /**
509 * updates the cached usetime
510 */
511 static bool update_usetime(private_child_sa_t *this, bool inbound)
512 {
513 enumerator_t *enumerator;
514 traffic_selector_t *my_ts, *other_ts;
515 time_t last_use = 0;
516
517 enumerator = create_policy_enumerator(this);
518 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
519 {
520 time_t in, out, fwd;
521
522 if (inbound)
523 {
524 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
525 other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS)
526 {
527 last_use = max(last_use, in);
528 }
529 if (this->mode != MODE_TRANSPORT)
530 {
531 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
532 other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS)
533 {
534 last_use = max(last_use, fwd);
535 }
536 }
537 }
538 else
539 {
540 if (hydra->kernel_interface->query_policy(hydra->kernel_interface,
541 my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS)
542 {
543 last_use = max(last_use, out);
544 }
545 }
546 }
547 enumerator->destroy(enumerator);
548
549 if (last_use == 0)
550 {
551 return FALSE;
552 }
553 if (inbound)
554 {
555 this->my_usetime = last_use;
556 }
557 else
558 {
559 this->other_usetime = last_use;
560 }
561 return TRUE;
562 }
563
564 METHOD(child_sa_t, get_usestats, void,
565 private_child_sa_t *this, bool inbound,
566 time_t *time, u_int64_t *bytes, u_int64_t *packets)
567 {
568 if ((!bytes && !packets) || update_usebytes(this, inbound) != FAILED)
569 {
570 /* there was traffic since last update or the kernel interface
571 * does not support querying the number of usebytes.
572 */
573 if (time)
574 {
575 if (!update_usetime(this, inbound) && !bytes && !packets)
576 {
577 /* if policy query did not yield a usetime, query SAs instead */
578 update_usebytes(this, inbound);
579 }
580 }
581 }
582 if (time)
583 {
584 *time = inbound ? this->my_usetime : this->other_usetime;
585 }
586 if (bytes)
587 {
588 *bytes = inbound ? this->my_usebytes : this->other_usebytes;
589 }
590 if (packets)
591 {
592 *packets = inbound ? this->my_usepackets : this->other_usepackets;
593 }
594 }
595
596 METHOD(child_sa_t, get_mark, mark_t,
597 private_child_sa_t *this, bool inbound)
598 {
599 if (inbound)
600 {
601 return this->mark_in;
602 }
603 return this->mark_out;
604 }
605
606 METHOD(child_sa_t, get_lifetime, time_t,
607 private_child_sa_t *this, bool hard)
608 {
609 return hard ? this->expire_time : this->rekey_time;
610 }
611
612 METHOD(child_sa_t, get_installtime, time_t,
613 private_child_sa_t *this)
614 {
615 return this->install_time;
616 }
617
618 METHOD(child_sa_t, alloc_spi, u_int32_t,
619 private_child_sa_t *this, protocol_id_t protocol)
620 {
621 if (hydra->kernel_interface->get_spi(hydra->kernel_interface,
622 this->other_addr, this->my_addr,
623 proto_ike2ip(protocol),
624 &this->my_spi) == SUCCESS)
625 {
626 /* if we allocate a SPI, but then are unable to establish the SA, we
627 * need to know the protocol family to delete the partial SA */
628 this->protocol = protocol;
629 return this->my_spi;
630 }
631 return 0;
632 }
633
634 METHOD(child_sa_t, alloc_cpi, u_int16_t,
635 private_child_sa_t *this)
636 {
637 if (hydra->kernel_interface->get_cpi(hydra->kernel_interface,
638 this->other_addr, this->my_addr,
639 &this->my_cpi) == SUCCESS)
640 {
641 return this->my_cpi;
642 }
643 return 0;
644 }
645
646 METHOD(child_sa_t, install, status_t,
647 private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi,
648 u_int16_t cpi, bool initiator, bool inbound, bool tfcv3,
649 linked_list_t *my_ts, linked_list_t *other_ts)
650 {
651 u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size;
652 u_int16_t esn = NO_EXT_SEQ_NUMBERS;
653 linked_list_t *src_ts = NULL, *dst_ts = NULL;
654 time_t now;
655 lifetime_cfg_t *lifetime;
656 u_int32_t tfc = 0;
657 host_t *src, *dst;
658 status_t status;
659 bool update = FALSE;
660
661 /* now we have to decide which spi to use. Use self allocated, if "in",
662 * or the one in the proposal, if not "in" (others). Additionally,
663 * source and dest host switch depending on the role */
664 if (inbound)
665 {
666 dst = this->my_addr;
667 src = this->other_addr;
668 if (this->my_spi == spi)
669 { /* alloc_spi has been called, do an SA update */
670 update = TRUE;
671 }
672 this->my_spi = spi;
673 this->my_cpi = cpi;
674 }
675 else
676 {
677 src = this->my_addr;
678 dst = this->other_addr;
679 this->other_spi = spi;
680 this->other_cpi = cpi;
681
682 if (tfcv3)
683 {
684 tfc = this->config->get_tfc(this->config);
685 }
686 }
687
688 DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound",
689 protocol_id_names, this->protocol);
690
691 /* send SA down to the kernel */
692 DBG2(DBG_CHD, " SPI 0x%.8x, src %H dst %H", ntohl(spi), src, dst);
693
694 this->proposal->get_algorithm(this->proposal, ENCRYPTION_ALGORITHM,
695 &enc_alg, &size);
696 this->proposal->get_algorithm(this->proposal, INTEGRITY_ALGORITHM,
697 &int_alg, &size);
698 this->proposal->get_algorithm(this->proposal, EXTENDED_SEQUENCE_NUMBERS,
699 &esn, NULL);
700
701 if (!this->reqid_allocated && !this->reqid)
702 {
703 status = hydra->kernel_interface->alloc_reqid(hydra->kernel_interface,
704 my_ts, other_ts, this->mark_in, this->mark_out,
705 &this->reqid);
706 if (status != SUCCESS)
707 {
708 return status;
709 }
710 this->reqid_allocated = TRUE;
711 }
712
713 lifetime = this->config->get_lifetime(this->config);
714
715 now = time_monotonic(NULL);
716 if (lifetime->time.rekey)
717 {
718 if (this->rekey_time)
719 {
720 this->rekey_time = min(this->rekey_time, now + lifetime->time.rekey);
721 }
722 else
723 {
724 this->rekey_time = now + lifetime->time.rekey;
725 }
726 }
727 if (lifetime->time.life)
728 {
729 this->expire_time = now + lifetime->time.life;
730 }
731
732 if (!lifetime->time.jitter && !inbound)
733 { /* avoid triggering multiple rekey events */
734 lifetime->time.rekey = 0;
735 }
736
737 /* BEET requires the bound address from the traffic selectors */
738 if (inbound)
739 {
740 dst_ts = my_ts;
741 src_ts = other_ts;
742 }
743 else
744 {
745 src_ts = my_ts;
746 dst_ts = other_ts;
747 }
748
749 status = hydra->kernel_interface->add_sa(hydra->kernel_interface,
750 src, dst, spi, proto_ike2ip(this->protocol), this->reqid,
751 inbound ? this->mark_in : this->mark_out, tfc,
752 lifetime, enc_alg, encr, int_alg, integ, this->mode,
753 this->ipcomp, cpi, this->config->get_replay_window(this->config),
754 initiator, this->encap, esn, inbound, update, src_ts, dst_ts);
755
756 free(lifetime);
757
758 return status;
759 }
760
761 /**
762 * Check kernel interface if policy updates are required
763 */
764 static bool require_policy_update()
765 {
766 kernel_feature_t f;
767
768 f = hydra->kernel_interface->get_features(hydra->kernel_interface);
769 return !(f & KERNEL_NO_POLICY_UPDATES);
770 }
771
772 /**
773 * Install 3 policies: out, in and forward
774 */
775 static status_t install_policies_internal(private_child_sa_t *this,
776 host_t *my_addr, host_t *other_addr, traffic_selector_t *my_ts,
777 traffic_selector_t *other_ts, ipsec_sa_cfg_t *my_sa,
778 ipsec_sa_cfg_t *other_sa, policy_type_t type, policy_priority_t priority)
779 {
780 status_t status = SUCCESS;
781 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
782 my_addr, other_addr, my_ts, other_ts,
783 POLICY_OUT, type, other_sa,
784 this->mark_out, priority);
785
786 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
787 other_addr, my_addr, other_ts, my_ts,
788 POLICY_IN, type, my_sa,
789 this->mark_in, priority);
790 if (this->mode != MODE_TRANSPORT)
791 {
792 status |= hydra->kernel_interface->add_policy(hydra->kernel_interface,
793 other_addr, my_addr, other_ts, my_ts,
794 POLICY_FWD, type, my_sa,
795 this->mark_in, priority);
796 }
797 return status;
798 }
799
800 /**
801 * Delete 3 policies: out, in and forward
802 */
803 static void del_policies_internal(private_child_sa_t *this,
804 traffic_selector_t *my_ts, traffic_selector_t *other_ts,
805 policy_priority_t priority)
806 {
807 hydra->kernel_interface->del_policy(hydra->kernel_interface,
808 my_ts, other_ts, POLICY_OUT, this->reqid,
809 this->mark_out, priority);
810 hydra->kernel_interface->del_policy(hydra->kernel_interface,
811 other_ts, my_ts, POLICY_IN, this->reqid,
812 this->mark_in, priority);
813 if (this->mode != MODE_TRANSPORT)
814 {
815 hydra->kernel_interface->del_policy(hydra->kernel_interface,
816 other_ts, my_ts, POLICY_FWD, this->reqid,
817 this->mark_in, priority);
818 }
819 }
820
821 METHOD(child_sa_t, add_policies, status_t,
822 private_child_sa_t *this, linked_list_t *my_ts_list,
823 linked_list_t *other_ts_list)
824 {
825 enumerator_t *enumerator;
826 traffic_selector_t *my_ts, *other_ts;
827 status_t status = SUCCESS;
828
829 if (!this->reqid_allocated && !this->reqid)
830 {
831 /* trap policy, get or confirm reqid */
832 status = hydra->kernel_interface->alloc_reqid(
833 hydra->kernel_interface, my_ts_list, other_ts_list,
834 this->mark_in, this->mark_out, &this->reqid);
835 if (status != SUCCESS)
836 {
837 return status;
838 }
839 this->reqid_allocated = TRUE;
840 }
841
842 /* apply traffic selectors */
843 enumerator = my_ts_list->create_enumerator(my_ts_list);
844 while (enumerator->enumerate(enumerator, &my_ts))
845 {
846 array_insert(this->my_ts, ARRAY_TAIL, my_ts->clone(my_ts));
847 }
848 enumerator->destroy(enumerator);
849 array_sort(this->my_ts, (void*)traffic_selector_cmp, NULL);
850
851 enumerator = other_ts_list->create_enumerator(other_ts_list);
852 while (enumerator->enumerate(enumerator, &other_ts))
853 {
854 array_insert(this->other_ts, ARRAY_TAIL, other_ts->clone(other_ts));
855 }
856 enumerator->destroy(enumerator);
857 array_sort(this->other_ts, (void*)traffic_selector_cmp, NULL);
858
859 if (this->config->install_policy(this->config))
860 {
861 policy_priority_t priority;
862 ipsec_sa_cfg_t my_sa = {
863 .mode = this->mode,
864 .reqid = this->reqid,
865 .ipcomp = {
866 .transform = this->ipcomp,
867 },
868 }, other_sa = my_sa;
869
870 my_sa.ipcomp.cpi = this->my_cpi;
871 other_sa.ipcomp.cpi = this->other_cpi;
872
873 if (this->protocol == PROTO_ESP)
874 {
875 my_sa.esp.use = TRUE;
876 my_sa.esp.spi = this->my_spi;
877 other_sa.esp.use = TRUE;
878 other_sa.esp.spi = this->other_spi;
879 }
880 else
881 {
882 my_sa.ah.use = TRUE;
883 my_sa.ah.spi = this->my_spi;
884 other_sa.ah.use = TRUE;
885 other_sa.ah.spi = this->other_spi;
886 }
887
888 /* if we're not in state CHILD_INSTALLING (i.e. if there is no SAD
889 * entry) we install a trap policy */
890 this->trap = this->state == CHILD_CREATED;
891 priority = this->trap ? POLICY_PRIORITY_ROUTED
892 : POLICY_PRIORITY_DEFAULT;
893
894 enumerator = create_policy_enumerator(this);
895 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
896 {
897 my_sa.policy_count++;
898 other_sa.policy_count++;
899 }
900 enumerator->destroy(enumerator);
901
902 /* enumerate pairs of traffic selectors */
903 enumerator = create_policy_enumerator(this);
904 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
905 {
906 /* install outbound drop policy to avoid packets leaving unencrypted
907 * when updating policies */
908 if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
909 {
910 status |= install_policies_internal(this, this->my_addr,
911 this->other_addr, my_ts, other_ts,
912 &my_sa, &other_sa, POLICY_DROP,
913 POLICY_PRIORITY_FALLBACK);
914 }
915
916 /* install policies */
917 status |= install_policies_internal(this, this->my_addr,
918 this->other_addr, my_ts, other_ts,
919 &my_sa, &other_sa, POLICY_IPSEC, priority);
920
921 if (status != SUCCESS)
922 {
923 break;
924 }
925 }
926 enumerator->destroy(enumerator);
927 }
928
929 if (status == SUCCESS && this->trap)
930 {
931 set_state(this, CHILD_ROUTED);
932 }
933 return status;
934 }
935
936 /**
937 * Callback to reinstall a virtual IP
938 */
939 static void reinstall_vip(host_t *vip, host_t *me)
940 {
941 char *iface;
942
943 if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
944 me, &iface))
945 {
946 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
947 hydra->kernel_interface->add_ip(hydra->kernel_interface, vip, -1, iface);
948 free(iface);
949 }
950 }
951
952 METHOD(child_sa_t, update, status_t,
953 private_child_sa_t *this, host_t *me, host_t *other, linked_list_t *vips,
954 bool encap)
955 {
956 child_sa_state_t old;
957 bool transport_proxy_mode;
958
959 /* anything changed at all? */
960 if (me->equals(me, this->my_addr) &&
961 other->equals(other, this->other_addr) && this->encap == encap)
962 {
963 return SUCCESS;
964 }
965
966 old = this->state;
967 set_state(this, CHILD_UPDATING);
968 transport_proxy_mode = this->config->use_proxy_mode(this->config) &&
969 this->mode == MODE_TRANSPORT;
970
971 if (!transport_proxy_mode)
972 {
973 /* update our (initiator) SA */
974 if (this->my_spi)
975 {
976 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
977 this->my_spi, proto_ike2ip(this->protocol),
978 this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
979 this->other_addr, this->my_addr, other, me,
980 this->encap, encap, this->mark_in) == NOT_SUPPORTED)
981 {
982 set_state(this, old);
983 return NOT_SUPPORTED;
984 }
985 }
986
987 /* update his (responder) SA */
988 if (this->other_spi)
989 {
990 if (hydra->kernel_interface->update_sa(hydra->kernel_interface,
991 this->other_spi, proto_ike2ip(this->protocol),
992 this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0,
993 this->my_addr, this->other_addr, me, other,
994 this->encap, encap, this->mark_out) == NOT_SUPPORTED)
995 {
996 set_state(this, old);
997 return NOT_SUPPORTED;
998 }
999 }
1000 }
1001
1002 if (this->config->install_policy(this->config) && require_policy_update())
1003 {
1004 ipsec_sa_cfg_t my_sa = {
1005 .mode = this->mode,
1006 .reqid = this->reqid,
1007 .ipcomp = {
1008 .transform = this->ipcomp,
1009 },
1010 }, other_sa = my_sa;
1011
1012 my_sa.ipcomp.cpi = this->my_cpi;
1013 other_sa.ipcomp.cpi = this->other_cpi;
1014
1015 if (this->protocol == PROTO_ESP)
1016 {
1017 my_sa.esp.use = TRUE;
1018 my_sa.esp.spi = this->my_spi;
1019 other_sa.esp.use = TRUE;
1020 other_sa.esp.spi = this->other_spi;
1021 }
1022 else
1023 {
1024 my_sa.ah.use = TRUE;
1025 my_sa.ah.spi = this->my_spi;
1026 other_sa.ah.use = TRUE;
1027 other_sa.ah.spi = this->other_spi;
1028 }
1029
1030 /* update policies */
1031 if (!me->ip_equals(me, this->my_addr) ||
1032 !other->ip_equals(other, this->other_addr))
1033 {
1034 enumerator_t *enumerator;
1035 traffic_selector_t *my_ts, *other_ts;
1036
1037 /* always use high priorities, as hosts getting updated are INSTALLED */
1038 enumerator = create_policy_enumerator(this);
1039 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
1040 {
1041 traffic_selector_t *old_my_ts = NULL, *old_other_ts = NULL;
1042 /* remove old policies first */
1043 del_policies_internal(this, my_ts, other_ts,
1044 POLICY_PRIORITY_DEFAULT);
1045
1046 /* check if we have to update a "dynamic" traffic selector */
1047 if (!me->ip_equals(me, this->my_addr) &&
1048 my_ts->is_host(my_ts, this->my_addr))
1049 {
1050 old_my_ts = my_ts->clone(my_ts);
1051 my_ts->set_address(my_ts, me);
1052 }
1053 if (!other->ip_equals(other, this->other_addr) &&
1054 other_ts->is_host(other_ts, this->other_addr))
1055 {
1056 old_other_ts = other_ts->clone(other_ts);
1057 other_ts->set_address(other_ts, other);
1058 }
1059
1060 /* we reinstall the virtual IP to handle interface roaming
1061 * correctly */
1062 vips->invoke_function(vips, (void*)reinstall_vip, me);
1063
1064 /* reinstall updated policies */
1065 install_policies_internal(this, me, other, my_ts, other_ts,
1066 &my_sa, &other_sa, POLICY_IPSEC,
1067 POLICY_PRIORITY_DEFAULT);
1068
1069 /* update fallback policies after the new policy is in place */
1070 if (old_my_ts || old_other_ts)
1071 {
1072 del_policies_internal(this, old_my_ts ?: my_ts,
1073 old_other_ts ?: other_ts,
1074 POLICY_PRIORITY_FALLBACK);
1075 install_policies_internal(this, me, other, my_ts, other_ts,
1076 &my_sa, &other_sa, POLICY_DROP,
1077 POLICY_PRIORITY_FALLBACK);
1078 DESTROY_IF(old_my_ts);
1079 DESTROY_IF(old_other_ts);
1080 }
1081 }
1082 enumerator->destroy(enumerator);
1083 }
1084 }
1085
1086 if (!transport_proxy_mode)
1087 {
1088 /* apply hosts */
1089 if (!me->equals(me, this->my_addr))
1090 {
1091 this->my_addr->destroy(this->my_addr);
1092 this->my_addr = me->clone(me);
1093 }
1094 if (!other->equals(other, this->other_addr))
1095 {
1096 this->other_addr->destroy(this->other_addr);
1097 this->other_addr = other->clone(other);
1098 }
1099 }
1100
1101 this->encap = encap;
1102 set_state(this, old);
1103
1104 return SUCCESS;
1105 }
1106
1107 METHOD(child_sa_t, destroy, void,
1108 private_child_sa_t *this)
1109 {
1110 enumerator_t *enumerator;
1111 traffic_selector_t *my_ts, *other_ts;
1112 policy_priority_t priority;
1113
1114 priority = this->trap ? POLICY_PRIORITY_ROUTED : POLICY_PRIORITY_DEFAULT;
1115
1116 set_state(this, CHILD_DESTROYING);
1117
1118 if (this->config->install_policy(this->config))
1119 {
1120 /* delete all policies in the kernel */
1121 enumerator = create_policy_enumerator(this);
1122 while (enumerator->enumerate(enumerator, &my_ts, &other_ts))
1123 {
1124 del_policies_internal(this, my_ts, other_ts, priority);
1125 if (priority == POLICY_PRIORITY_DEFAULT && require_policy_update())
1126 {
1127 del_policies_internal(this, my_ts, other_ts,
1128 POLICY_PRIORITY_FALLBACK);
1129 }
1130 }
1131 enumerator->destroy(enumerator);
1132 }
1133
1134 /* delete SAs in the kernel, if they are set up */
1135 if (this->my_spi)
1136 {
1137 hydra->kernel_interface->del_sa(hydra->kernel_interface,
1138 this->other_addr, this->my_addr, this->my_spi,
1139 proto_ike2ip(this->protocol), this->my_cpi,
1140 this->mark_in);
1141 }
1142 if (this->other_spi)
1143 {
1144 hydra->kernel_interface->del_sa(hydra->kernel_interface,
1145 this->my_addr, this->other_addr, this->other_spi,
1146 proto_ike2ip(this->protocol), this->other_cpi,
1147 this->mark_out);
1148 }
1149
1150 if (this->reqid_allocated)
1151 {
1152 if (hydra->kernel_interface->release_reqid(hydra->kernel_interface,
1153 this->reqid, this->mark_in, this->mark_out) != SUCCESS)
1154 {
1155 DBG1(DBG_CHD, "releasing reqid %u failed", this->reqid);
1156 }
1157 }
1158
1159 array_destroy_offset(this->my_ts, offsetof(traffic_selector_t, destroy));
1160 array_destroy_offset(this->other_ts, offsetof(traffic_selector_t, destroy));
1161 this->my_addr->destroy(this->my_addr);
1162 this->other_addr->destroy(this->other_addr);
1163 DESTROY_IF(this->proposal);
1164 this->config->destroy(this->config);
1165 free(this);
1166 }
1167
1168 /**
1169 * Get proxy address for one side, if any
1170 */
1171 static host_t* get_proxy_addr(child_cfg_t *config, host_t *ike, bool local)
1172 {
1173 host_t *host = NULL;
1174 u_int8_t mask;
1175 enumerator_t *enumerator;
1176 linked_list_t *ts_list, *list;
1177 traffic_selector_t *ts;
1178
1179 list = linked_list_create_with_items(ike, NULL);
1180 ts_list = config->get_traffic_selectors(config, local, NULL, list);
1181 list->destroy(list);
1182
1183 enumerator = ts_list->create_enumerator(ts_list);
1184 while (enumerator->enumerate(enumerator, &ts))
1185 {
1186 if (ts->is_host(ts, NULL) && ts->to_subnet(ts, &host, &mask))
1187 {
1188 DBG1(DBG_CHD, "%s address: %H is a transport mode proxy for %H",
1189 local ? "my" : "other", ike, host);
1190 break;
1191 }
1192 }
1193 enumerator->destroy(enumerator);
1194 ts_list->destroy_offset(ts_list, offsetof(traffic_selector_t, destroy));
1195
1196 if (!host)
1197 {
1198 host = ike->clone(ike);
1199 }
1200 return host;
1201 }
1202
1203 /**
1204 * Described in header.
1205 */
1206 child_sa_t * child_sa_create(host_t *me, host_t* other,
1207 child_cfg_t *config, u_int32_t rekey, bool encap,
1208 u_int mark_in, u_int mark_out)
1209 {
1210 private_child_sa_t *this;
1211 static refcount_t unique_id = 0, unique_mark = 0, mark;
1212
1213 INIT(this,
1214 .public = {
1215 .get_name = _get_name,
1216 .get_reqid = _get_reqid,
1217 .get_unique_id = _get_unique_id,
1218 .get_config = _get_config,
1219 .get_state = _get_state,
1220 .set_state = _set_state,
1221 .get_spi = _get_spi,
1222 .get_cpi = _get_cpi,
1223 .get_protocol = _get_protocol,
1224 .set_protocol = _set_protocol,
1225 .get_mode = _get_mode,
1226 .set_mode = _set_mode,
1227 .get_proposal = _get_proposal,
1228 .set_proposal = _set_proposal,
1229 .get_lifetime = _get_lifetime,
1230 .get_installtime = _get_installtime,
1231 .get_usestats = _get_usestats,
1232 .get_mark = _get_mark,
1233 .has_encap = _has_encap,
1234 .get_ipcomp = _get_ipcomp,
1235 .set_ipcomp = _set_ipcomp,
1236 .get_close_action = _get_close_action,
1237 .set_close_action = _set_close_action,
1238 .get_dpd_action = _get_dpd_action,
1239 .set_dpd_action = _set_dpd_action,
1240 .alloc_spi = _alloc_spi,
1241 .alloc_cpi = _alloc_cpi,
1242 .install = _install,
1243 .update = _update,
1244 .add_policies = _add_policies,
1245 .create_ts_enumerator = _create_ts_enumerator,
1246 .create_policy_enumerator = _create_policy_enumerator,
1247 .destroy = _destroy,
1248 },
1249 .encap = encap,
1250 .ipcomp = IPCOMP_NONE,
1251 .state = CHILD_CREATED,
1252 .my_ts = array_create(0, 0),
1253 .other_ts = array_create(0, 0),
1254 .protocol = PROTO_NONE,
1255 .mode = MODE_TUNNEL,
1256 .close_action = config->get_close_action(config),
1257 .dpd_action = config->get_dpd_action(config),
1258 .reqid = config->get_reqid(config),
1259 .unique_id = ref_get(&unique_id),
1260 .mark_in = config->get_mark(config, TRUE),
1261 .mark_out = config->get_mark(config, FALSE),
1262 .install_time = time_monotonic(NULL),
1263 );
1264
1265 this->config = config;
1266 config->get_ref(config);
1267
1268 if (mark_in)
1269 {
1270 this->mark_in.value = mark_in;
1271 }
1272 if (mark_out)
1273 {
1274 this->mark_out.value = mark_out;
1275 }
1276 if (this->mark_in.value == MARK_UNIQUE ||
1277 this->mark_out.value == MARK_UNIQUE)
1278 {
1279 mark = ref_get(&unique_mark);
1280 if (this->mark_in.value == MARK_UNIQUE)
1281 {
1282 this->mark_in.value = mark;
1283 }
1284 if (this->mark_out.value == MARK_UNIQUE)
1285 {
1286 this->mark_out.value = mark;
1287 }
1288 }
1289
1290 if (!this->reqid)
1291 {
1292 /* reuse old reqid if we are rekeying an existing CHILD_SA. While the
1293 * reqid cache would find the same reqid for our selectors, this does
1294 * not work in a special case: If an SA is triggered by a trap policy,
1295 * but the negotiated SA gets narrowed, we still must reuse the same
1296 * reqid to successfully "trigger" the SA on the kernel level. Rekeying
1297 * such an SA requires an explicit reqid, as the cache currently knows
1298 * the original selectors only for that reqid. */
1299 if (rekey)
1300 {
1301 this->reqid = rekey;
1302 }
1303 else
1304 {
1305 this->reqid = charon->traps->find_reqid(charon->traps, config);
1306 }
1307 }
1308
1309 /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */
1310 if (config->get_mode(config) == MODE_TRANSPORT &&
1311 config->use_proxy_mode(config))
1312 {
1313 this->mode = MODE_TRANSPORT;
1314
1315 this->my_addr = get_proxy_addr(config, me, TRUE);
1316 this->other_addr = get_proxy_addr(config, other, FALSE);
1317 }
1318 else
1319 {
1320 this->my_addr = me->clone(me);
1321 this->other_addr = other->clone(other);
1322 }
1323 return &this->public;
1324 }