projects / strongswan.git / blob
? search:


442eb72081901f7a5b1da1bd9731f715e424bbc7
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <processing/jobs/retransmit_job.h>
32 #include <processing/jobs/delete_ike_sa_job.h>
33 #include <processing/jobs/send_dpd_job.h>
34 #include <processing/jobs/send_keepalive_job.h>
35 #include <processing/jobs/rekey_ike_sa_job.h>
36
37 #ifdef ME
38 #include <sa/ikev2/tasks/ike_me.h>
39 #include <processing/jobs/initiate_mediation_job.h>
40 #endif
41
42 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
43 "CREATED",
44 "CONNECTING",
45 "ESTABLISHED",
46 "PASSIVE",
47 "REKEYING",
48 "DELETING",
49 "DESTROYING",
50 );
51
52 typedef struct private_ike_sa_t private_ike_sa_t;
53 typedef struct attribute_entry_t attribute_entry_t;
54
55 /**
56 * Private data of an ike_sa_t object.
57 */
58 struct private_ike_sa_t {
59
60 /**
61 * Public members
62 */
63 ike_sa_t public;
64
65 /**
66 * Identifier for the current IKE_SA.
67 */
68 ike_sa_id_t *ike_sa_id;
69
70 /**
71 * IKE version of this SA.
72 */
73 ike_version_t version;
74
75 /**
76 * unique numerical ID for this IKE_SA.
77 */
78 u_int32_t unique_id;
79
80 /**
81 * Current state of the IKE_SA
82 */
83 ike_sa_state_t state;
84
85 /**
86 * IKE configuration used to set up this IKE_SA
87 */
88 ike_cfg_t *ike_cfg;
89
90 /**
91 * Peer and authentication information to establish IKE_SA.
92 */
93 peer_cfg_t *peer_cfg;
94
95 /**
96 * currently used authentication ruleset, local (as auth_cfg_t)
97 */
98 auth_cfg_t *my_auth;
99
100 /**
101 * list of completed local authentication rounds
102 */
103 linked_list_t *my_auths;
104
105 /**
106 * list of completed remote authentication rounds
107 */
108 linked_list_t *other_auths;
109
110 /**
111 * currently used authentication constraints, remote (as auth_cfg_t)
112 */
113 auth_cfg_t *other_auth;
114
115 /**
116 * Selected IKE proposal
117 */
118 proposal_t *proposal;
119
120 /**
121 * Juggles tasks to process messages
122 */
123 task_manager_t *task_manager;
124
125 /**
126 * Address of local host
127 */
128 host_t *my_host;
129
130 /**
131 * Address of remote host
132 */
133 host_t *other_host;
134
135 #ifdef ME
136 /**
137 * Are we mediation server
138 */
139 bool is_mediation_server;
140
141 /**
142 * Server reflexive host
143 */
144 host_t *server_reflexive_host;
145
146 /**
147 * Connect ID
148 */
149 chunk_t connect_id;
150 #endif /* ME */
151
152 /**
153 * Identification used for us
154 */
155 identification_t *my_id;
156
157 /**
158 * Identification used for other
159 */
160 identification_t *other_id;
161
162 /**
163 * set of extensions the peer supports
164 */
165 ike_extension_t extensions;
166
167 /**
168 * set of condition flags currently enabled for this IKE_SA
169 */
170 ike_condition_t conditions;
171
172 /**
173 * Linked List containing the child sa's of the current IKE_SA.
174 */
175 linked_list_t *child_sas;
176
177 /**
178 * keymat of this IKE_SA
179 */
180 keymat_t *keymat;
181
182 /**
183 * Virtual IP on local host, if any
184 */
185 host_t *my_virtual_ip;
186
187 /**
188 * Virtual IP on remote host, if any
189 */
190 host_t *other_virtual_ip;
191
192 /**
193 * List of configuration attributes (attribute_entry_t)
194 */
195 linked_list_t *attributes;
196
197 /**
198 * list of peers additional addresses, transmitted via MOBIKE
199 */
200 linked_list_t *additional_addresses;
201
202 /**
203 * previously value of received DESTINATION_IP hash
204 */
205 chunk_t nat_detection_dest;
206
207 /**
208 * number pending UPDATE_SA_ADDRESS (MOBIKE)
209 */
210 u_int32_t pending_updates;
211
212 /**
213 * NAT keep alive interval
214 */
215 u_int32_t keepalive_interval;
216
217 /**
218 * Timestamps for this IKE_SA
219 */
220 u_int32_t stats[STAT_MAX];
221
222 /**
223 * how many times we have retried so far (keyingtries)
224 */
225 u_int32_t keyingtry;
226
227 /**
228 * local host address to be used for IKE, set via MIGRATE kernel message
229 */
230 host_t *local_host;
231
232 /**
233 * remote host address to be used for IKE, set via MIGRATE kernel message
234 */
235 host_t *remote_host;
236
237 /**
238 * Flush auth configs once established?
239 */
240 bool flush_auth_cfg;
241 };
242
243 /**
244 * Entry to maintain install configuration attributes during IKE_SA lifetime
245 */
246 struct attribute_entry_t {
247 /** handler used to install this attribute */
248 attribute_handler_t *handler;
249 /** attribute type */
250 configuration_attribute_type_t type;
251 /** attribute data */
252 chunk_t data;
253 };
254
255 /**
256 * get the time of the latest traffic processed by the kernel
257 */
258 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
259 {
260 enumerator_t *enumerator;
261 child_sa_t *child_sa;
262 time_t use_time, current;
263
264 if (inbound)
265 {
266 use_time = this->stats[STAT_INBOUND];
267 }
268 else
269 {
270 use_time = this->stats[STAT_OUTBOUND];
271 }
272 enumerator = this->child_sas->create_enumerator(this->child_sas);
273 while (enumerator->enumerate(enumerator, &child_sa))
274 {
275 child_sa->get_usestats(child_sa, inbound, &current, NULL);
276 use_time = max(use_time, current);
277 }
278 enumerator->destroy(enumerator);
279
280 return use_time;
281 }
282
283 METHOD(ike_sa_t, get_unique_id, u_int32_t,
284 private_ike_sa_t *this)
285 {
286 return this->unique_id;
287 }
288
289 METHOD(ike_sa_t, get_name, char*,
290 private_ike_sa_t *this)
291 {
292 if (this->peer_cfg)
293 {
294 return this->peer_cfg->get_name(this->peer_cfg);
295 }
296 return "(unnamed)";
297 }
298
299 METHOD(ike_sa_t, get_statistic, u_int32_t,
300 private_ike_sa_t *this, statistic_t kind)
301 {
302 if (kind < STAT_MAX)
303 {
304 return this->stats[kind];
305 }
306 return 0;
307 }
308
309 METHOD(ike_sa_t, set_statistic, void,
310 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
311 {
312 if (kind < STAT_MAX)
313 {
314 this->stats[kind] = value;
315 }
316 }
317
318 METHOD(ike_sa_t, get_my_host, host_t*,
319 private_ike_sa_t *this)
320 {
321 return this->my_host;
322 }
323
324 METHOD(ike_sa_t, set_my_host, void,
325 private_ike_sa_t *this, host_t *me)
326 {
327 DESTROY_IF(this->my_host);
328 this->my_host = me;
329 }
330
331 METHOD(ike_sa_t, get_other_host, host_t*,
332 private_ike_sa_t *this)
333 {
334 return this->other_host;
335 }
336
337 METHOD(ike_sa_t, set_other_host, void,
338 private_ike_sa_t *this, host_t *other)
339 {
340 DESTROY_IF(this->other_host);
341 this->other_host = other;
342 }
343
344 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
345 private_ike_sa_t *this)
346 {
347 return this->peer_cfg;
348 }
349
350 METHOD(ike_sa_t, set_peer_cfg, void,
351 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
352 {
353 peer_cfg->get_ref(peer_cfg);
354 DESTROY_IF(this->peer_cfg);
355 this->peer_cfg = peer_cfg;
356
357 if (this->ike_cfg == NULL)
358 {
359 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
360 this->ike_cfg->get_ref(this->ike_cfg);
361 }
362 }
363
364 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
365 private_ike_sa_t *this, bool local)
366 {
367 if (local)
368 {
369 return this->my_auth;
370 }
371 return this->other_auth;
372 }
373
374 METHOD(ike_sa_t, add_auth_cfg, void,
375 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
376 {
377 if (local)
378 {
379 this->my_auths->insert_last(this->my_auths, cfg);
380 }
381 else
382 {
383 this->other_auths->insert_last(this->other_auths, cfg);
384 }
385 }
386
387 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
388 private_ike_sa_t *this, bool local)
389 {
390 if (local)
391 {
392 return this->my_auths->create_enumerator(this->my_auths);
393 }
394 return this->other_auths->create_enumerator(this->other_auths);
395 }
396
397 /**
398 * Flush the stored authentication round information
399 */
400 static void flush_auth_cfgs(private_ike_sa_t *this)
401 {
402 auth_cfg_t *cfg;
403
404 this->my_auth->purge(this->my_auth, FALSE);
405 this->other_auth->purge(this->other_auth, FALSE);
406
407 while (this->my_auths->remove_last(this->my_auths,
408 (void**)&cfg) == SUCCESS)
409 {
410 cfg->destroy(cfg);
411 }
412 while (this->other_auths->remove_last(this->other_auths,
413 (void**)&cfg) == SUCCESS)
414 {
415 cfg->destroy(cfg);
416 }
417 }
418
419 METHOD(ike_sa_t, get_proposal, proposal_t*,
420 private_ike_sa_t *this)
421 {
422 return this->proposal;
423 }
424
425 METHOD(ike_sa_t, set_proposal, void,
426 private_ike_sa_t *this, proposal_t *proposal)
427 {
428 DESTROY_IF(this->proposal);
429 this->proposal = proposal->clone(proposal);
430 }
431
432 METHOD(ike_sa_t, set_message_id, void,
433 private_ike_sa_t *this, bool initiate, u_int32_t mid)
434 {
435 if (initiate)
436 {
437 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
438 }
439 else
440 {
441 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
442 }
443 }
444
445 METHOD(ike_sa_t, send_keepalive, void,
446 private_ike_sa_t *this)
447 {
448 send_keepalive_job_t *job;
449 time_t last_out, now, diff;
450
451 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
452 { /* disable keep alives if we are not NATed anymore */
453 return;
454 }
455
456 last_out = get_use_time(this, FALSE);
457 now = time_monotonic(NULL);
458
459 diff = now - last_out;
460
461 if (diff >= this->keepalive_interval)
462 {
463 packet_t *packet;
464 chunk_t data;
465
466 packet = packet_create();
467 packet->set_source(packet, this->my_host->clone(this->my_host));
468 packet->set_destination(packet, this->other_host->clone(this->other_host));
469 data.ptr = malloc(1);
470 data.ptr[0] = 0xFF;
471 data.len = 1;
472 packet->set_data(packet, data);
473 DBG1(DBG_IKE, "sending keep alive");
474 charon->sender->send(charon->sender, packet);
475 diff = 0;
476 }
477 job = send_keepalive_job_create(this->ike_sa_id);
478 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
479 this->keepalive_interval - diff);
480 }
481
482 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
483 private_ike_sa_t *this)
484 {
485 return this->ike_cfg;
486 }
487
488 METHOD(ike_sa_t, set_ike_cfg, void,
489 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
490 {
491 ike_cfg->get_ref(ike_cfg);
492 this->ike_cfg = ike_cfg;
493 }
494
495 METHOD(ike_sa_t, enable_extension, void,
496 private_ike_sa_t *this, ike_extension_t extension)
497 {
498 this->extensions |= extension;
499 }
500
501 METHOD(ike_sa_t, supports_extension, bool,
502 private_ike_sa_t *this, ike_extension_t extension)
503 {
504 return (this->extensions & extension) != FALSE;
505 }
506
507 METHOD(ike_sa_t, has_condition, bool,
508 private_ike_sa_t *this, ike_condition_t condition)
509 {
510 return (this->conditions & condition) != FALSE;
511 }
512
513 METHOD(ike_sa_t, set_condition, void,
514 private_ike_sa_t *this, ike_condition_t condition, bool enable)
515 {
516 if (has_condition(this, condition) != enable)
517 {
518 if (enable)
519 {
520 this->conditions |= condition;
521 switch (condition)
522 {
523 case COND_NAT_HERE:
524 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
525 this->conditions |= COND_NAT_ANY;
526 send_keepalive(this);
527 break;
528 case COND_NAT_THERE:
529 DBG1(DBG_IKE, "remote host is behind NAT");
530 this->conditions |= COND_NAT_ANY;
531 break;
532 case COND_NAT_FAKE:
533 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
534 this->conditions |= COND_NAT_ANY;
535 break;
536 default:
537 break;
538 }
539 }
540 else
541 {
542 this->conditions &= ~condition;
543 switch (condition)
544 {
545 case COND_NAT_HERE:
546 case COND_NAT_FAKE:
547 case COND_NAT_THERE:
548 set_condition(this, COND_NAT_ANY,
549 has_condition(this, COND_NAT_HERE) ||
550 has_condition(this, COND_NAT_THERE) ||
551 has_condition(this, COND_NAT_FAKE));
552 break;
553 default:
554 break;
555 }
556 }
557 }
558 }
559
560 METHOD(ike_sa_t, send_dpd, status_t,
561 private_ike_sa_t *this)
562 {
563 job_t *job;
564 time_t diff, delay;
565
566 delay = this->peer_cfg->get_dpd(this->peer_cfg);
567 if (this->task_manager->busy(this->task_manager))
568 {
569 /* an exchange is in the air, no need to start a DPD check */
570 diff = 0;
571 }
572 else
573 {
574 /* check if there was any inbound traffic */
575 time_t last_in, now;
576 last_in = get_use_time(this, TRUE);
577 now = time_monotonic(NULL);
578 diff = now - last_in;
579 if (!delay || diff >= delay)
580 {
581 /* to long ago, initiate dead peer detection */
582 DBG1(DBG_IKE, "sending DPD request");
583 this->task_manager->queue_dpd(this->task_manager);
584 diff = 0;
585 }
586 }
587 /* recheck in "interval" seconds */
588 if (delay)
589 {
590 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
591 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
592 }
593 return this->task_manager->initiate(this->task_manager);
594 }
595
596 METHOD(ike_sa_t, get_state, ike_sa_state_t,
597 private_ike_sa_t *this)
598 {
599 return this->state;
600 }
601
602 METHOD(ike_sa_t, set_state, void,
603 private_ike_sa_t *this, ike_sa_state_t state)
604 {
605 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
606 get_name(this), this->unique_id,
607 ike_sa_state_names, this->state,
608 ike_sa_state_names, state);
609
610 switch (state)
611 {
612 case IKE_ESTABLISHED:
613 {
614 if (this->state == IKE_CONNECTING ||
615 this->state == IKE_PASSIVE)
616 {
617 job_t *job;
618 u_int32_t t;
619
620 /* calculate rekey, reauth and lifetime */
621 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
622
623 /* schedule rekeying if we have a time which is smaller than
624 * an already scheduled rekeying */
625 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
626 if (t && (this->stats[STAT_REKEY] == 0 ||
627 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
628 {
629 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
630 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
631 lib->scheduler->schedule_job(lib->scheduler, job, t);
632 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
633 }
634 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
635 if (t && (this->stats[STAT_REAUTH] == 0 ||
636 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
637 {
638 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
639 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
640 lib->scheduler->schedule_job(lib->scheduler, job, t);
641 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
642 }
643 t = this->peer_cfg->get_over_time(this->peer_cfg);
644 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
645 {
646 if (this->stats[STAT_REAUTH] == 0)
647 {
648 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
649 }
650 else if (this->stats[STAT_REKEY] == 0)
651 {
652 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
653 }
654 else
655 {
656 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
657 this->stats[STAT_REAUTH]);
658 }
659 this->stats[STAT_DELETE] += t;
660 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
661 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
662 lib->scheduler->schedule_job(lib->scheduler, job, t);
663 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
664 }
665
666 /* start DPD checks */
667 if (this->peer_cfg->get_dpd(this->peer_cfg))
668 {
669 send_dpd(this);
670 }
671 }
672 break;
673 }
674 case IKE_DELETING:
675 {
676 /* delete may fail if a packet gets lost, so set a timeout */
677 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
678 lib->scheduler->schedule_job(lib->scheduler, job,
679 HALF_OPEN_IKE_SA_TIMEOUT);
680 break;
681 }
682 default:
683 break;
684 }
685 charon->bus->ike_state_change(charon->bus, &this->public, state);
686 this->state = state;
687 }
688
689 METHOD(ike_sa_t, reset, void,
690 private_ike_sa_t *this)
691 {
692 /* the responder ID is reset, as peer may choose another one */
693 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
694 {
695 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
696 }
697
698 set_state(this, IKE_CREATED);
699
700 flush_auth_cfgs(this);
701
702 this->keymat->destroy(this->keymat);
703 this->keymat = keymat_create(this->version,
704 this->ike_sa_id->is_initiator(this->ike_sa_id));
705
706 this->task_manager->reset(this->task_manager, 0, 0);
707 }
708
709 METHOD(ike_sa_t, get_keymat, keymat_t*,
710 private_ike_sa_t *this)
711 {
712 return this->keymat;
713 }
714
715 METHOD(ike_sa_t, set_virtual_ip, void,
716 private_ike_sa_t *this, bool local, host_t *ip)
717 {
718 if (local)
719 {
720 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
721 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
722 this->my_host) == SUCCESS)
723 {
724 if (this->my_virtual_ip)
725 {
726 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
727 hydra->kernel_interface->del_ip(hydra->kernel_interface,
728 this->my_virtual_ip);
729 }
730 DESTROY_IF(this->my_virtual_ip);
731 this->my_virtual_ip = ip->clone(ip);
732 }
733 else
734 {
735 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
736 this->my_virtual_ip = NULL;
737 }
738 }
739 else
740 {
741 DESTROY_IF(this->other_virtual_ip);
742 this->other_virtual_ip = ip->clone(ip);
743 }
744 }
745
746 METHOD(ike_sa_t, get_virtual_ip, host_t*,
747 private_ike_sa_t *this, bool local)
748 {
749 if (local)
750 {
751 return this->my_virtual_ip;
752 }
753 else
754 {
755 return this->other_virtual_ip;
756 }
757 }
758
759 METHOD(ike_sa_t, add_additional_address, void,
760 private_ike_sa_t *this, host_t *host)
761 {
762 this->additional_addresses->insert_last(this->additional_addresses, host);
763 }
764
765 METHOD(ike_sa_t, create_additional_address_enumerator, enumerator_t*,
766 private_ike_sa_t *this)
767 {
768 return this->additional_addresses->create_enumerator(
769 this->additional_addresses);
770 }
771
772 METHOD(ike_sa_t, remove_additional_addresses, void,
773 private_ike_sa_t *this)
774 {
775 enumerator_t *enumerator = create_additional_address_enumerator(this);
776 host_t *host;
777 while (enumerator->enumerate(enumerator, (void**)&host))
778 {
779 this->additional_addresses->remove_at(this->additional_addresses,
780 enumerator);
781 host->destroy(host);
782 }
783 enumerator->destroy(enumerator);
784 }
785
786 METHOD(ike_sa_t, has_mapping_changed, bool,
787 private_ike_sa_t *this, chunk_t hash)
788 {
789 if (this->nat_detection_dest.ptr == NULL)
790 {
791 this->nat_detection_dest = chunk_clone(hash);
792 return FALSE;
793 }
794 if (chunk_equals(hash, this->nat_detection_dest))
795 {
796 return FALSE;
797 }
798 free(this->nat_detection_dest.ptr);
799 this->nat_detection_dest = chunk_clone(hash);
800 return TRUE;
801 }
802
803 METHOD(ike_sa_t, set_pending_updates, void,
804 private_ike_sa_t *this, u_int32_t updates)
805 {
806 this->pending_updates = updates;
807 }
808
809 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
810 private_ike_sa_t *this)
811 {
812 return this->pending_updates;
813 }
814
815 METHOD(ike_sa_t, float_ports, void,
816 private_ike_sa_t *this)
817 {
818 /* do not switch if we have a custom port from MOBIKE/NAT */
819 if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
820 {
821 this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
822 }
823 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
824 {
825 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
826 }
827 }
828
829 METHOD(ike_sa_t, update_hosts, void,
830 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
831 {
832 bool update = FALSE;
833
834 if (me == NULL)
835 {
836 me = this->my_host;
837 }
838 if (other == NULL)
839 {
840 other = this->other_host;
841 }
842
843 /* apply hosts on first received message */
844 if (this->my_host->is_anyaddr(this->my_host) ||
845 this->other_host->is_anyaddr(this->other_host))
846 {
847 set_my_host(this, me->clone(me));
848 set_other_host(this, other->clone(other));
849 update = TRUE;
850 }
851 else
852 {
853 /* update our address in any case */
854 if (!me->equals(me, this->my_host))
855 {
856 set_my_host(this, me->clone(me));
857 update = TRUE;
858 }
859
860 if (!other->equals(other, this->other_host))
861 {
862 /* update others address if we are NOT NATed */
863 if (force || !has_condition(this, COND_NAT_HERE))
864 {
865 set_other_host(this, other->clone(other));
866 update = TRUE;
867 }
868 }
869 }
870
871 /* update all associated CHILD_SAs, if required */
872 if (update)
873 {
874 enumerator_t *enumerator;
875 child_sa_t *child_sa;
876
877 enumerator = this->child_sas->create_enumerator(this->child_sas);
878 while (enumerator->enumerate(enumerator, (void**)&child_sa))
879 {
880 if (child_sa->update(child_sa, this->my_host,
881 this->other_host, this->my_virtual_ip,
882 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
883 {
884 this->public.rekey_child_sa(&this->public,
885 child_sa->get_protocol(child_sa),
886 child_sa->get_spi(child_sa, TRUE));
887 }
888 }
889 enumerator->destroy(enumerator);
890 }
891 }
892
893 METHOD(ike_sa_t, generate_message, status_t,
894 private_ike_sa_t *this, message_t *message, packet_t **packet)
895 {
896 if (message->is_encoded(message))
897 { /* already done */
898 *packet = message->get_packet(message);
899 return SUCCESS;
900 }
901 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
902 message->set_ike_sa_id(message, this->ike_sa_id);
903 charon->bus->message(charon->bus, message, FALSE);
904 return message->generate(message, this->keymat, packet);
905 }
906
907 METHOD(ike_sa_t, set_kmaddress, void,
908 private_ike_sa_t *this, host_t *local, host_t *remote)
909 {
910 DESTROY_IF(this->local_host);
911 DESTROY_IF(this->remote_host);
912 this->local_host = local->clone(local);
913 this->remote_host = remote->clone(remote);
914 }
915
916 #ifdef ME
917 METHOD(ike_sa_t, act_as_mediation_server, void,
918 private_ike_sa_t *this)
919 {
920 charon->mediation_manager->update_sa_id(charon->mediation_manager,
921 this->other_id, this->ike_sa_id);
922 this->is_mediation_server = TRUE;
923 }
924
925 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
926 private_ike_sa_t *this)
927 {
928 return this->server_reflexive_host;
929 }
930
931 METHOD(ike_sa_t, set_server_reflexive_host, void,
932 private_ike_sa_t *this, host_t *host)
933 {
934 DESTROY_IF(this->server_reflexive_host);
935 this->server_reflexive_host = host;
936 }
937
938 METHOD(ike_sa_t, get_connect_id, chunk_t,
939 private_ike_sa_t *this)
940 {
941 return this->connect_id;
942 }
943
944 METHOD(ike_sa_t, respond, status_t,
945 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
946 {
947 ike_me_t *task = ike_me_create(&this->public, TRUE);
948 task->respond(task, peer_id, connect_id);
949 this->task_manager->queue_task(this->task_manager, (task_t*)task);
950 return this->task_manager->initiate(this->task_manager);
951 }
952
953 METHOD(ike_sa_t, callback, status_t,
954 private_ike_sa_t *this, identification_t *peer_id)
955 {
956 ike_me_t *task = ike_me_create(&this->public, TRUE);
957 task->callback(task, peer_id);
958 this->task_manager->queue_task(this->task_manager, (task_t*)task);
959 return this->task_manager->initiate(this->task_manager);
960 }
961
962 METHOD(ike_sa_t, relay, status_t,
963 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
964 chunk_t connect_key, linked_list_t *endpoints, bool response)
965 {
966 ike_me_t *task = ike_me_create(&this->public, TRUE);
967 task->relay(task, requester, connect_id, connect_key, endpoints, response);
968 this->task_manager->queue_task(this->task_manager, (task_t*)task);
969 return this->task_manager->initiate(this->task_manager);
970 }
971
972 METHOD(ike_sa_t, initiate_mediation, status_t,
973 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
974 {
975 ike_me_t *task = ike_me_create(&this->public, TRUE);
976 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
977 this->task_manager->queue_task(this->task_manager, (task_t*)task);
978 return this->task_manager->initiate(this->task_manager);
979 }
980
981 METHOD(ike_sa_t, initiate_mediated, status_t,
982 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
983 {
984 set_my_host(this, me->clone(me));
985 set_other_host(this, other->clone(other));
986 chunk_free(&this->connect_id);
987 this->connect_id = chunk_clone(connect_id);
988 return this->task_manager->initiate(this->task_manager);
989 }
990 #endif /* ME */
991
992 /**
993 * Resolve DNS host in configuration
994 */
995 static void resolve_hosts(private_ike_sa_t *this)
996 {
997 host_t *host;
998
999 if (this->remote_host)
1000 {
1001 host = this->remote_host->clone(this->remote_host);
1002 host->set_port(host, IKEV2_UDP_PORT);
1003 }
1004 else
1005 {
1006 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1007 0, this->ike_cfg->get_other_port(this->ike_cfg));
1008 }
1009 if (host)
1010 {
1011 set_other_host(this, host);
1012 }
1013
1014 if (this->local_host)
1015 {
1016 host = this->local_host->clone(this->local_host);
1017 host->set_port(host, IKEV2_UDP_PORT);
1018 }
1019 else
1020 {
1021 int family = 0;
1022
1023 /* use same address family as for other */
1024 if (!this->other_host->is_anyaddr(this->other_host))
1025 {
1026 family = this->other_host->get_family(this->other_host);
1027 }
1028 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1029 family, this->ike_cfg->get_my_port(this->ike_cfg));
1030
1031 if (host && host->is_anyaddr(host) &&
1032 !this->other_host->is_anyaddr(this->other_host))
1033 {
1034 host->destroy(host);
1035 host = hydra->kernel_interface->get_source_addr(
1036 hydra->kernel_interface, this->other_host, NULL);
1037 if (host)
1038 {
1039 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1040 }
1041 else
1042 { /* fallback to address family specific %any(6), if configured */
1043 host = host_create_from_dns(
1044 this->ike_cfg->get_my_addr(this->ike_cfg),
1045 0, this->ike_cfg->get_my_port(this->ike_cfg));
1046 }
1047 }
1048 }
1049 if (host)
1050 {
1051 set_my_host(this, host);
1052 }
1053 }
1054
1055 METHOD(ike_sa_t, initiate, status_t,
1056 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1057 traffic_selector_t *tsi, traffic_selector_t *tsr)
1058 {
1059 if (this->state == IKE_CREATED)
1060 {
1061 resolve_hosts(this);
1062
1063 if (this->other_host->is_anyaddr(this->other_host)
1064 #ifdef ME
1065 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1066 #endif /* ME */
1067 )
1068 {
1069 child_cfg->destroy(child_cfg);
1070 DBG1(DBG_IKE, "unable to initiate to %%any");
1071 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1072 return DESTROY_ME;
1073 }
1074
1075 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1076 this->task_manager->queue_ike(this->task_manager);
1077 }
1078
1079 #ifdef ME
1080 if (this->peer_cfg->is_mediation(this->peer_cfg))
1081 {
1082 if (this->state == IKE_ESTABLISHED)
1083 {
1084 /* mediation connection is already established, retrigger state
1085 * change to notify bus listeners */
1086 DBG1(DBG_IKE, "mediation connection is already up");
1087 set_state(this, IKE_ESTABLISHED);
1088 }
1089 DESTROY_IF(child_cfg);
1090 }
1091 else
1092 #endif /* ME */
1093 {
1094 /* normal IKE_SA with CHILD_SA */
1095 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1096 tsi, tsr);
1097 #ifdef ME
1098 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1099 {
1100 /* mediated connection, initiate mediation process */
1101 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1102 lib->processor->queue_job(lib->processor, job);
1103 return SUCCESS;
1104 }
1105 #endif /* ME */
1106 }
1107
1108 return this->task_manager->initiate(this->task_manager);
1109 }
1110
1111 METHOD(ike_sa_t, process_message, status_t,
1112 private_ike_sa_t *this, message_t *message)
1113 {
1114 status_t status;
1115
1116 if (this->state == IKE_PASSIVE)
1117 { /* do not handle messages in passive state */
1118 return FAILED;
1119 }
1120 if (message->get_major_version(message) != this->version)
1121 {
1122 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1123 exchange_type_names, message->get_exchange_type(message),
1124 message->get_major_version(message),
1125 ike_version_names, this->version);
1126 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1127 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1128 return FAILED;
1129 }
1130 status = this->task_manager->process_message(this->task_manager, message);
1131 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1132 {
1133 /* authentication completed */
1134 this->flush_auth_cfg = FALSE;
1135 flush_auth_cfgs(this);
1136 }
1137 return status;
1138 }
1139
1140 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1141 private_ike_sa_t *this)
1142 {
1143 return this->ike_sa_id;
1144 }
1145
1146 METHOD(ike_sa_t, get_version, ike_version_t,
1147 private_ike_sa_t *this)
1148 {
1149 return this->version;
1150 }
1151
1152 METHOD(ike_sa_t, get_my_id, identification_t*,
1153 private_ike_sa_t *this)
1154 {
1155 return this->my_id;
1156 }
1157
1158 METHOD(ike_sa_t, set_my_id, void,
1159 private_ike_sa_t *this, identification_t *me)
1160 {
1161 DESTROY_IF(this->my_id);
1162 this->my_id = me;
1163 }
1164
1165 METHOD(ike_sa_t, get_other_id, identification_t*,
1166 private_ike_sa_t *this)
1167 {
1168 return this->other_id;
1169 }
1170
1171 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1172 private_ike_sa_t *this)
1173 {
1174 identification_t *id = NULL, *current;
1175 enumerator_t *enumerator;
1176 auth_cfg_t *cfg;
1177
1178 enumerator = this->other_auths->create_enumerator(this->other_auths);
1179 while (enumerator->enumerate(enumerator, &cfg))
1180 {
1181 /* prefer EAP-Identity of last round */
1182 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1183 if (!current || current->get_type(current) == ID_ANY)
1184 {
1185 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1186 }
1187 if (current && current->get_type(current) != ID_ANY)
1188 {
1189 id = current;
1190 continue;
1191 }
1192 }
1193 enumerator->destroy(enumerator);
1194 if (id)
1195 {
1196 return id;
1197 }
1198 return this->other_id;
1199 }
1200
1201 METHOD(ike_sa_t, set_other_id, void,
1202 private_ike_sa_t *this, identification_t *other)
1203 {
1204 DESTROY_IF(this->other_id);
1205 this->other_id = other;
1206 }
1207
1208 METHOD(ike_sa_t, add_child_sa, void,
1209 private_ike_sa_t *this, child_sa_t *child_sa)
1210 {
1211 this->child_sas->insert_last(this->child_sas, child_sa);
1212 }
1213
1214 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1215 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1216 {
1217 enumerator_t *enumerator;
1218 child_sa_t *current, *found = NULL;
1219
1220 enumerator = this->child_sas->create_enumerator(this->child_sas);
1221 while (enumerator->enumerate(enumerator, (void**)&current))
1222 {
1223 if (current->get_spi(current, inbound) == spi &&
1224 current->get_protocol(current) == protocol)
1225 {
1226 found = current;
1227 }
1228 }
1229 enumerator->destroy(enumerator);
1230 return found;
1231 }
1232
1233 METHOD(ike_sa_t, get_child_count, int,
1234 private_ike_sa_t *this)
1235 {
1236 return this->child_sas->get_count(this->child_sas);
1237 }
1238
1239 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1240 private_ike_sa_t *this)
1241 {
1242 return this->child_sas->create_enumerator(this->child_sas);
1243 }
1244
1245 METHOD(ike_sa_t, remove_child_sa, void,
1246 private_ike_sa_t *this, enumerator_t *enumerator)
1247 {
1248 this->child_sas->remove_at(this->child_sas, enumerator);
1249 }
1250
1251 METHOD(ike_sa_t, rekey_child_sa, status_t,
1252 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1253 {
1254 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1255 return this->task_manager->initiate(this->task_manager);
1256 }
1257
1258 METHOD(ike_sa_t, delete_child_sa, status_t,
1259 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1260 {
1261 this->task_manager->queue_child_delete(this->task_manager, protocol, spi);
1262 return this->task_manager->initiate(this->task_manager);
1263 }
1264
1265 METHOD(ike_sa_t, destroy_child_sa, status_t,
1266 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1267 {
1268 enumerator_t *enumerator;
1269 child_sa_t *child_sa;
1270 status_t status = NOT_FOUND;
1271
1272 enumerator = this->child_sas->create_enumerator(this->child_sas);
1273 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1274 {
1275 if (child_sa->get_protocol(child_sa) == protocol &&
1276 child_sa->get_spi(child_sa, TRUE) == spi)
1277 {
1278 this->child_sas->remove_at(this->child_sas, enumerator);
1279 child_sa->destroy(child_sa);
1280 status = SUCCESS;
1281 break;
1282 }
1283 }
1284 enumerator->destroy(enumerator);
1285 return status;
1286 }
1287
1288 METHOD(ike_sa_t, delete_, status_t,
1289 private_ike_sa_t *this)
1290 {
1291 switch (this->state)
1292 {
1293 case IKE_ESTABLISHED:
1294 case IKE_REKEYING:
1295 this->task_manager->queue_ike_delete(this->task_manager);
1296 return this->task_manager->initiate(this->task_manager);
1297 case IKE_CREATED:
1298 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1299 break;
1300 case IKE_PASSIVE:
1301 break;
1302 default:
1303 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1304 "without notification", ike_sa_state_names, this->state);
1305 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1306 break;
1307 }
1308 return DESTROY_ME;
1309 }
1310
1311 METHOD(ike_sa_t, rekey, status_t,
1312 private_ike_sa_t *this)
1313 {
1314 this->task_manager->queue_ike_rekey(this->task_manager);
1315 return this->task_manager->initiate(this->task_manager);
1316 }
1317
1318 METHOD(ike_sa_t, reauth, status_t,
1319 private_ike_sa_t *this)
1320 {
1321 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1322 * If the peer does not support RFC4478, there is no way to keep the
1323 * IKE_SA up. */
1324 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1325 {
1326 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1327 if (this->other_virtual_ip != NULL ||
1328 has_condition(this, COND_EAP_AUTHENTICATED)
1329 #ifdef ME
1330 /* as mediation server we too cannot reauth the IKE_SA */
1331 || this->is_mediation_server
1332 #endif /* ME */
1333 )
1334 {
1335 time_t now = time_monotonic(NULL);
1336
1337 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1338 &now, &this->stats[STAT_DELETE]);
1339 return FAILED;
1340 }
1341 else
1342 {
1343 DBG1(DBG_IKE, "reauthenticating actively");
1344 }
1345 }
1346 this->task_manager->queue_ike_reauth(this->task_manager);
1347 return this->task_manager->initiate(this->task_manager);
1348 }
1349
1350 METHOD(ike_sa_t, reestablish, status_t,
1351 private_ike_sa_t *this)
1352 {
1353 ike_sa_t *new;
1354 host_t *host;
1355 action_t action;
1356 enumerator_t *enumerator;
1357 child_sa_t *child_sa;
1358 child_cfg_t *child_cfg;
1359 bool restart = FALSE;
1360 status_t status = FAILED;
1361
1362 /* check if we have children to keep up at all */
1363 enumerator = this->child_sas->create_enumerator(this->child_sas);
1364 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1365 {
1366 if (this->state == IKE_DELETING)
1367 {
1368 action = child_sa->get_close_action(child_sa);
1369 }
1370 else
1371 {
1372 action = child_sa->get_dpd_action(child_sa);
1373 }
1374 switch (action)
1375 {
1376 case ACTION_RESTART:
1377 restart = TRUE;
1378 break;
1379 case ACTION_ROUTE:
1380 charon->traps->install(charon->traps, this->peer_cfg,
1381 child_sa->get_config(child_sa));
1382 break;
1383 default:
1384 break;
1385 }
1386 }
1387 enumerator->destroy(enumerator);
1388 #ifdef ME
1389 /* mediation connections have no children, keep them up anyway */
1390 if (this->peer_cfg->is_mediation(this->peer_cfg))
1391 {
1392 restart = TRUE;
1393 }
1394 #endif /* ME */
1395 if (!restart)
1396 {
1397 return FAILED;
1398 }
1399
1400 /* check if we are able to reestablish this IKE_SA */
1401 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1402 (this->other_virtual_ip != NULL ||
1403 has_condition(this, COND_EAP_AUTHENTICATED)
1404 #ifdef ME
1405 || this->is_mediation_server
1406 #endif /* ME */
1407 ))
1408 {
1409 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1410 return FAILED;
1411 }
1412
1413 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1414 this->version, TRUE);
1415 if (!new)
1416 {
1417 return FAILED;
1418 }
1419 new->set_peer_cfg(new, this->peer_cfg);
1420 host = this->other_host;
1421 new->set_other_host(new, host->clone(host));
1422 host = this->my_host;
1423 new->set_my_host(new, host->clone(host));
1424 /* if we already have a virtual IP, we reuse it */
1425 host = this->my_virtual_ip;
1426 if (host)
1427 {
1428 new->set_virtual_ip(new, TRUE, host);
1429 }
1430
1431 #ifdef ME
1432 if (this->peer_cfg->is_mediation(this->peer_cfg))
1433 {
1434 status = new->initiate(new, NULL, 0, NULL, NULL);
1435 }
1436 else
1437 #endif /* ME */
1438 {
1439 enumerator = this->child_sas->create_enumerator(this->child_sas);
1440 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1441 {
1442 if (this->state == IKE_DELETING)
1443 {
1444 action = child_sa->get_close_action(child_sa);
1445 }
1446 else
1447 {
1448 action = child_sa->get_dpd_action(child_sa);
1449 }
1450 switch (action)
1451 {
1452 case ACTION_RESTART:
1453 child_cfg = child_sa->get_config(child_sa);
1454 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1455 child_cfg->get_name(child_cfg));
1456 child_cfg->get_ref(child_cfg);
1457 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1458 break;
1459 default:
1460 continue;
1461 }
1462 if (status == DESTROY_ME)
1463 {
1464 break;
1465 }
1466 }
1467 enumerator->destroy(enumerator);
1468 }
1469
1470 if (status == DESTROY_ME)
1471 {
1472 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1473 status = FAILED;
1474 }
1475 else
1476 {
1477 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1478 status = SUCCESS;
1479 }
1480 charon->bus->set_sa(charon->bus, &this->public);
1481 return status;
1482 }
1483
1484 METHOD(ike_sa_t, retransmit, status_t,
1485 private_ike_sa_t *this, u_int32_t message_id)
1486 {
1487 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1488 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1489 {
1490 /* send a proper signal to brief interested bus listeners */
1491 switch (this->state)
1492 {
1493 case IKE_CONNECTING:
1494 {
1495 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
1496 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1497 this->keyingtry++;
1498 if (tries == 0 || tries > this->keyingtry)
1499 {
1500 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1501 this->keyingtry + 1, tries);
1502 reset(this);
1503 this->task_manager->queue_ike(this->task_manager);
1504 return this->task_manager->initiate(this->task_manager);
1505 }
1506 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1507 break;
1508 }
1509 case IKE_DELETING:
1510 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1511 break;
1512 case IKE_REKEYING:
1513 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1514 /* FALL */
1515 default:
1516 reestablish(this);
1517 break;
1518 }
1519 return DESTROY_ME;
1520 }
1521 return SUCCESS;
1522 }
1523
1524 METHOD(ike_sa_t, set_auth_lifetime, void,
1525 private_ike_sa_t *this, u_int32_t lifetime)
1526 {
1527 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1528 u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
1529
1530 if (lifetime < reduction)
1531 {
1532 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1533 lifetime);
1534 lib->processor->queue_job(lib->processor,
1535 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1536 }
1537 else if (this->stats[STAT_REAUTH] == 0 ||
1538 this->stats[STAT_REAUTH] > reauth_time)
1539 {
1540 this->stats[STAT_REAUTH] = reauth_time;
1541 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1542 " in %ds", lifetime, lifetime - reduction);
1543 lib->scheduler->schedule_job(lib->scheduler,
1544 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1545 lifetime - reduction);
1546 }
1547 else
1548 {
1549 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1550 "reauthentication already scheduled in %ds", lifetime,
1551 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1552 }
1553 }
1554
1555 /**
1556 * Check if the current combination of source and destination address is still
1557 * valid.
1558 */
1559 static bool is_current_path_valid(private_ike_sa_t *this)
1560 {
1561 bool valid = FALSE;
1562 host_t *src;
1563 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1564 this->other_host, this->my_host);
1565 if (src)
1566 {
1567 if (src->ip_equals(src, this->my_host))
1568 {
1569 valid = TRUE;
1570 }
1571 src->destroy(src);
1572 }
1573 return valid;
1574 }
1575
1576 /**
1577 * Check if we have any path avialable for this IKE SA.
1578 */
1579 static bool is_any_path_valid(private_ike_sa_t *this)
1580 {
1581 bool valid = FALSE;
1582 enumerator_t *enumerator;
1583 host_t *src, *addr;
1584 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1585 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1586 this->other_host, NULL);
1587 if (!src)
1588 {
1589 enumerator = this->additional_addresses->create_enumerator(
1590 this->additional_addresses);
1591 while (enumerator->enumerate(enumerator, &addr))
1592 {
1593 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1594 src = hydra->kernel_interface->get_source_addr(
1595 hydra->kernel_interface, addr, NULL);
1596 if (src)
1597 {
1598 break;
1599 }
1600 }
1601 enumerator->destroy(enumerator);
1602 }
1603 if (src)
1604 {
1605 valid = TRUE;
1606 src->destroy(src);
1607 }
1608 return valid;
1609 }
1610
1611 METHOD(ike_sa_t, roam, status_t,
1612 private_ike_sa_t *this, bool address)
1613 {
1614 switch (this->state)
1615 {
1616 case IKE_CREATED:
1617 case IKE_DELETING:
1618 case IKE_DESTROYING:
1619 case IKE_PASSIVE:
1620 return SUCCESS;
1621 default:
1622 break;
1623 }
1624
1625 /* keep existing path if possible */
1626 if (is_current_path_valid(this))
1627 {
1628 DBG2(DBG_IKE, "keeping connection path %H - %H",
1629 this->my_host, this->other_host);
1630 set_condition(this, COND_STALE, FALSE);
1631
1632 if (supports_extension(this, EXT_MOBIKE) && address)
1633 { /* if any addresses changed, send an updated list */
1634 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1635 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
1636 return this->task_manager->initiate(this->task_manager);
1637 }
1638 return SUCCESS;
1639 }
1640
1641 if (!is_any_path_valid(this))
1642 {
1643 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1644 this->other_host);
1645 set_condition(this, COND_STALE, TRUE);
1646 return SUCCESS;
1647 }
1648 set_condition(this, COND_STALE, FALSE);
1649
1650 /* update addresses with mobike, if supported ... */
1651 if (supports_extension(this, EXT_MOBIKE))
1652 {
1653 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1654 { /* responder updates the peer about changed address config */
1655 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1656 "implicitly requesting an address change");
1657 address = TRUE;
1658 }
1659 else
1660 {
1661 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1662 }
1663 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
1664 return this->task_manager->initiate(this->task_manager);
1665 }
1666
1667 /* ... reauth if not */
1668 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1669 { /* responder does not reauthenticate */
1670 set_condition(this, COND_STALE, TRUE);
1671 return SUCCESS;
1672 }
1673 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1674 return reauth(this);
1675 }
1676
1677 METHOD(ike_sa_t, add_configuration_attribute, void,
1678 private_ike_sa_t *this, attribute_handler_t *handler,
1679 configuration_attribute_type_t type, chunk_t data)
1680 {
1681 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1682
1683 entry->handler = handler;
1684 entry->type = type;
1685 entry->data = chunk_clone(data);
1686
1687 this->attributes->insert_last(this->attributes, entry);
1688 }
1689
1690 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1691 private_ike_sa_t *this, task_queue_t queue)
1692 {
1693 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1694 }
1695
1696 METHOD(ike_sa_t, queue_task, void,
1697 private_ike_sa_t *this, task_t *task)
1698 {
1699 this->task_manager->queue_task(this->task_manager, task);
1700 }
1701
1702 METHOD(ike_sa_t, inherit, void,
1703 private_ike_sa_t *this, ike_sa_t *other_public)
1704 {
1705 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1706 child_sa_t *child_sa;
1707 attribute_entry_t *entry;
1708 enumerator_t *enumerator;
1709 auth_cfg_t *cfg;
1710
1711 /* apply hosts and ids */
1712 this->my_host->destroy(this->my_host);
1713 this->other_host->destroy(this->other_host);
1714 this->my_id->destroy(this->my_id);
1715 this->other_id->destroy(this->other_id);
1716 this->my_host = other->my_host->clone(other->my_host);
1717 this->other_host = other->other_host->clone(other->other_host);
1718 this->my_id = other->my_id->clone(other->my_id);
1719 this->other_id = other->other_id->clone(other->other_id);
1720
1721 /* apply virtual assigned IPs... */
1722 if (other->my_virtual_ip)
1723 {
1724 this->my_virtual_ip = other->my_virtual_ip;
1725 other->my_virtual_ip = NULL;
1726 }
1727 if (other->other_virtual_ip)
1728 {
1729 this->other_virtual_ip = other->other_virtual_ip;
1730 other->other_virtual_ip = NULL;
1731 }
1732
1733 /* authentication information */
1734 enumerator = other->my_auths->create_enumerator(other->my_auths);
1735 while (enumerator->enumerate(enumerator, &cfg))
1736 {
1737 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1738 }
1739 enumerator->destroy(enumerator);
1740 enumerator = other->other_auths->create_enumerator(other->other_auths);
1741 while (enumerator->enumerate(enumerator, &cfg))
1742 {
1743 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1744 }
1745 enumerator->destroy(enumerator);
1746
1747 /* ... and configuration attributes */
1748 while (other->attributes->remove_last(other->attributes,
1749 (void**)&entry) == SUCCESS)
1750 {
1751 this->attributes->insert_first(this->attributes, entry);
1752 }
1753
1754 /* inherit all conditions */
1755 this->conditions = other->conditions;
1756 if (this->conditions & COND_NAT_HERE)
1757 {
1758 send_keepalive(this);
1759 }
1760
1761 #ifdef ME
1762 if (other->is_mediation_server)
1763 {
1764 act_as_mediation_server(this);
1765 }
1766 else if (other->server_reflexive_host)
1767 {
1768 this->server_reflexive_host = other->server_reflexive_host->clone(
1769 other->server_reflexive_host);
1770 }
1771 #endif /* ME */
1772
1773 /* adopt all children */
1774 while (other->child_sas->remove_last(other->child_sas,
1775 (void**)&child_sa) == SUCCESS)
1776 {
1777 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
1778 }
1779
1780 /* move pending tasks to the new IKE_SA */
1781 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
1782
1783 /* reauthentication timeout survives a rekeying */
1784 if (other->stats[STAT_REAUTH])
1785 {
1786 time_t reauth, delete, now = time_monotonic(NULL);
1787
1788 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
1789 reauth = this->stats[STAT_REAUTH] - now;
1790 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
1791 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
1792 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
1793 "lifetime reduced to %ds", reauth, delete);
1794 lib->scheduler->schedule_job(lib->scheduler,
1795 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
1796 lib->scheduler->schedule_job(lib->scheduler,
1797 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
1798 }
1799 }
1800
1801 METHOD(ike_sa_t, destroy, void,
1802 private_ike_sa_t *this)
1803 {
1804 attribute_entry_t *entry;
1805
1806 charon->bus->set_sa(charon->bus, &this->public);
1807
1808 set_state(this, IKE_DESTROYING);
1809 DESTROY_IF(this->task_manager);
1810
1811 /* remove attributes first, as we pass the IKE_SA to the handler */
1812 while (this->attributes->remove_last(this->attributes,
1813 (void**)&entry) == SUCCESS)
1814 {
1815 hydra->attributes->release(hydra->attributes, entry->handler,
1816 this->other_id, entry->type, entry->data);
1817 free(entry->data.ptr);
1818 free(entry);
1819 }
1820 this->attributes->destroy(this->attributes);
1821
1822 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
1823
1824 /* unset SA after here to avoid usage by the listeners */
1825 charon->bus->set_sa(charon->bus, NULL);
1826
1827 DESTROY_IF(this->keymat);
1828
1829 if (this->my_virtual_ip)
1830 {
1831 hydra->kernel_interface->del_ip(hydra->kernel_interface,
1832 this->my_virtual_ip);
1833 this->my_virtual_ip->destroy(this->my_virtual_ip);
1834 }
1835 if (this->other_virtual_ip)
1836 {
1837 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
1838 {
1839 hydra->attributes->release_address(hydra->attributes,
1840 this->peer_cfg->get_pool(this->peer_cfg),
1841 this->other_virtual_ip, get_other_eap_id(this));
1842 }
1843 this->other_virtual_ip->destroy(this->other_virtual_ip);
1844 }
1845 this->additional_addresses->destroy_offset(this->additional_addresses,
1846 offsetof(host_t, destroy));
1847 #ifdef ME
1848 if (this->is_mediation_server)
1849 {
1850 charon->mediation_manager->remove(charon->mediation_manager,
1851 this->ike_sa_id);
1852 }
1853 DESTROY_IF(this->server_reflexive_host);
1854 chunk_free(&this->connect_id);
1855 #endif /* ME */
1856 free(this->nat_detection_dest.ptr);
1857
1858 DESTROY_IF(this->my_host);
1859 DESTROY_IF(this->other_host);
1860 DESTROY_IF(this->my_id);
1861 DESTROY_IF(this->other_id);
1862 DESTROY_IF(this->local_host);
1863 DESTROY_IF(this->remote_host);
1864
1865 DESTROY_IF(this->ike_cfg);
1866 DESTROY_IF(this->peer_cfg);
1867 DESTROY_IF(this->proposal);
1868 this->my_auth->destroy(this->my_auth);
1869 this->other_auth->destroy(this->other_auth);
1870 this->my_auths->destroy_offset(this->my_auths,
1871 offsetof(auth_cfg_t, destroy));
1872 this->other_auths->destroy_offset(this->other_auths,
1873 offsetof(auth_cfg_t, destroy));
1874
1875 this->ike_sa_id->destroy(this->ike_sa_id);
1876 free(this);
1877 }
1878
1879 /*
1880 * Described in header.
1881 */
1882 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1883 ike_version_t version)
1884 {
1885 private_ike_sa_t *this;
1886 static u_int32_t unique_id = 0;
1887
1888 if (version == IKE_ANY)
1889 { /* prefer IKEv2 if protocol not specified */
1890 #ifdef USE_IKEV2
1891 version = IKEV2;
1892 #else
1893 version = IKEV1;
1894 #endif
1895 }
1896
1897 INIT(this,
1898 .public = {
1899 .get_version = _get_version,
1900 .get_state = _get_state,
1901 .set_state = _set_state,
1902 .get_name = _get_name,
1903 .get_statistic = _get_statistic,
1904 .set_statistic = _set_statistic,
1905 .process_message = _process_message,
1906 .initiate = _initiate,
1907 .get_ike_cfg = _get_ike_cfg,
1908 .set_ike_cfg = _set_ike_cfg,
1909 .get_peer_cfg = _get_peer_cfg,
1910 .set_peer_cfg = _set_peer_cfg,
1911 .get_auth_cfg = _get_auth_cfg,
1912 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
1913 .add_auth_cfg = _add_auth_cfg,
1914 .get_proposal = _get_proposal,
1915 .set_proposal = _set_proposal,
1916 .get_id = _get_id,
1917 .get_my_host = _get_my_host,
1918 .set_my_host = _set_my_host,
1919 .get_other_host = _get_other_host,
1920 .set_other_host = _set_other_host,
1921 .set_message_id = _set_message_id,
1922 .float_ports = _float_ports,
1923 .update_hosts = _update_hosts,
1924 .get_my_id = _get_my_id,
1925 .set_my_id = _set_my_id,
1926 .get_other_id = _get_other_id,
1927 .set_other_id = _set_other_id,
1928 .get_other_eap_id = _get_other_eap_id,
1929 .enable_extension = _enable_extension,
1930 .supports_extension = _supports_extension,
1931 .set_condition = _set_condition,
1932 .has_condition = _has_condition,
1933 .set_pending_updates = _set_pending_updates,
1934 .get_pending_updates = _get_pending_updates,
1935 .create_additional_address_enumerator = _create_additional_address_enumerator,
1936 .add_additional_address = _add_additional_address,
1937 .remove_additional_addresses = _remove_additional_addresses,
1938 .has_mapping_changed = _has_mapping_changed,
1939 .retransmit = _retransmit,
1940 .delete = _delete_,
1941 .destroy = _destroy,
1942 .send_dpd = _send_dpd,
1943 .send_keepalive = _send_keepalive,
1944 .get_keymat = _get_keymat,
1945 .add_child_sa = _add_child_sa,
1946 .get_child_sa = _get_child_sa,
1947 .get_child_count = _get_child_count,
1948 .create_child_sa_enumerator = _create_child_sa_enumerator,
1949 .remove_child_sa = _remove_child_sa,
1950 .rekey_child_sa = _rekey_child_sa,
1951 .delete_child_sa = _delete_child_sa,
1952 .destroy_child_sa = _destroy_child_sa,
1953 .rekey = _rekey,
1954 .reauth = _reauth,
1955 .reestablish = _reestablish,
1956 .set_auth_lifetime = _set_auth_lifetime,
1957 .roam = _roam,
1958 .inherit = _inherit,
1959 .generate_message = _generate_message,
1960 .reset = _reset,
1961 .get_unique_id = _get_unique_id,
1962 .set_virtual_ip = _set_virtual_ip,
1963 .get_virtual_ip = _get_virtual_ip,
1964 .add_configuration_attribute = _add_configuration_attribute,
1965 .set_kmaddress = _set_kmaddress,
1966 .create_task_enumerator = _create_task_enumerator,
1967 .queue_task = _queue_task,
1968 #ifdef ME
1969 .act_as_mediation_server = _act_as_mediation_server,
1970 .get_server_reflexive_host = _get_server_reflexive_host,
1971 .set_server_reflexive_host = _set_server_reflexive_host,
1972 .get_connect_id = _get_connect_id,
1973 .initiate_mediation = _initiate_mediation,
1974 .initiate_mediated = _initiate_mediated,
1975 .relay = _relay,
1976 .callback = _callback,
1977 .respond = _respond,
1978 #endif /* ME */
1979 },
1980 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
1981 .version = version,
1982 .child_sas = linked_list_create(),
1983 .my_host = host_create_any(AF_INET),
1984 .other_host = host_create_any(AF_INET),
1985 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
1986 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
1987 .keymat = keymat_create(version, initiator),
1988 .state = IKE_CREATED,
1989 .stats[STAT_INBOUND] = time_monotonic(NULL),
1990 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
1991 .my_auth = auth_cfg_create(),
1992 .other_auth = auth_cfg_create(),
1993 .my_auths = linked_list_create(),
1994 .other_auths = linked_list_create(),
1995 .unique_id = ++unique_id,
1996 .additional_addresses = linked_list_create(),
1997 .attributes = linked_list_create(),
1998 .keepalive_interval = lib->settings->get_time(lib->settings,
1999 "charon.keep_alive", KEEPALIVE_INTERVAL),
2000 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2001 "charon.flush_auth_cfg", FALSE),
2002 );
2003
2004 this->task_manager = task_manager_create(&this->public);
2005 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2006
2007 if (!this->task_manager || !this->keymat)
2008 {
2009 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2010 destroy(this);
2011 return NULL;
2012 }
2013 return &this->public;
2014 }
strongSwan - IPsec VPN