libhydra: Move kernel interface to libcharon
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2015 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59
60 #ifdef ME
61 #include <sa/ikev2/tasks/ike_me.h>
62 #include <processing/jobs/initiate_mediation_job.h>
63 #endif
64
65 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
66 "CREATED",
67 "CONNECTING",
68 "ESTABLISHED",
69 "PASSIVE",
70 "REKEYING",
71 "DELETING",
72 "DESTROYING",
73 );
74
75 typedef struct private_ike_sa_t private_ike_sa_t;
76 typedef struct attribute_entry_t attribute_entry_t;
77
78 /**
79 * Private data of an ike_sa_t object.
80 */
81 struct private_ike_sa_t {
82
83 /**
84 * Public members
85 */
86 ike_sa_t public;
87
88 /**
89 * Identifier for the current IKE_SA.
90 */
91 ike_sa_id_t *ike_sa_id;
92
93 /**
94 * IKE version of this SA.
95 */
96 ike_version_t version;
97
98 /**
99 * unique numerical ID for this IKE_SA.
100 */
101 u_int32_t unique_id;
102
103 /**
104 * Current state of the IKE_SA
105 */
106 ike_sa_state_t state;
107
108 /**
109 * IKE configuration used to set up this IKE_SA
110 */
111 ike_cfg_t *ike_cfg;
112
113 /**
114 * Peer and authentication information to establish IKE_SA.
115 */
116 peer_cfg_t *peer_cfg;
117
118 /**
119 * currently used authentication ruleset, local
120 */
121 auth_cfg_t *my_auth;
122
123 /**
124 * currently used authentication constraints, remote
125 */
126 auth_cfg_t *other_auth;
127
128 /**
129 * Array of completed local authentication rounds (as auth_cfg_t)
130 */
131 array_t *my_auths;
132
133 /**
134 * Array of completed remote authentication rounds (as auth_cfg_t)
135 */
136 array_t *other_auths;
137
138 /**
139 * Selected IKE proposal
140 */
141 proposal_t *proposal;
142
143 /**
144 * Juggles tasks to process messages
145 */
146 task_manager_t *task_manager;
147
148 /**
149 * Address of local host
150 */
151 host_t *my_host;
152
153 /**
154 * Address of remote host
155 */
156 host_t *other_host;
157
158 #ifdef ME
159 /**
160 * Are we mediation server
161 */
162 bool is_mediation_server;
163
164 /**
165 * Server reflexive host
166 */
167 host_t *server_reflexive_host;
168
169 /**
170 * Connect ID
171 */
172 chunk_t connect_id;
173 #endif /* ME */
174
175 /**
176 * Identification used for us
177 */
178 identification_t *my_id;
179
180 /**
181 * Identification used for other
182 */
183 identification_t *other_id;
184
185 /**
186 * set of extensions the peer supports
187 */
188 ike_extension_t extensions;
189
190 /**
191 * set of condition flags currently enabled for this IKE_SA
192 */
193 ike_condition_t conditions;
194
195 /**
196 * Array containing the child sa's of the current IKE_SA.
197 */
198 array_t *child_sas;
199
200 /**
201 * keymat of this IKE_SA
202 */
203 keymat_t *keymat;
204
205 /**
206 * Virtual IPs on local host
207 */
208 array_t *my_vips;
209
210 /**
211 * Virtual IPs on remote host
212 */
213 array_t *other_vips;
214
215 /**
216 * List of configuration attributes (attribute_entry_t)
217 */
218 array_t *attributes;
219
220 /**
221 * list of peer's addresses, additional ones transmitted via MOBIKE
222 */
223 array_t *peer_addresses;
224
225 /**
226 * previously value of received DESTINATION_IP hash
227 */
228 chunk_t nat_detection_dest;
229
230 /**
231 * number pending UPDATE_SA_ADDRESS (MOBIKE)
232 */
233 u_int32_t pending_updates;
234
235 /**
236 * NAT keep alive interval
237 */
238 u_int32_t keepalive_interval;
239
240 /**
241 * The schedueld keep alive job, if any
242 */
243 send_keepalive_job_t *keepalive_job;
244
245 /**
246 * interval for retries during initiation (e.g. if DNS resolution failed),
247 * 0 to disable (default)
248 */
249 u_int32_t retry_initiate_interval;
250
251 /**
252 * TRUE if a retry_initiate_job has been queued
253 */
254 bool retry_initiate_queued;
255
256 /**
257 * Timestamps for this IKE_SA
258 */
259 u_int32_t stats[STAT_MAX];
260
261 /**
262 * how many times we have retried so far (keyingtries)
263 */
264 u_int32_t keyingtry;
265
266 /**
267 * local host address to be used for IKE, set via MIGRATE kernel message
268 */
269 host_t *local_host;
270
271 /**
272 * remote host address to be used for IKE, set via MIGRATE kernel message
273 */
274 host_t *remote_host;
275
276 /**
277 * Flush auth configs once established?
278 */
279 bool flush_auth_cfg;
280
281 /**
282 * Maximum length of a single fragment, 0 for address-specific defaults
283 */
284 size_t fragment_size;
285 };
286
287 /**
288 * Entry to maintain install configuration attributes during IKE_SA lifetime
289 */
290 struct attribute_entry_t {
291 /** handler used to install this attribute */
292 attribute_handler_t *handler;
293 /** attribute type */
294 configuration_attribute_type_t type;
295 /** attribute data */
296 chunk_t data;
297 };
298
299 /**
300 * get the time of the latest traffic processed by the kernel
301 */
302 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
303 {
304 enumerator_t *enumerator;
305 child_sa_t *child_sa;
306 time_t use_time, current;
307
308 if (inbound)
309 {
310 use_time = this->stats[STAT_INBOUND];
311 }
312 else
313 {
314 use_time = this->stats[STAT_OUTBOUND];
315 }
316
317 enumerator = array_create_enumerator(this->child_sas);
318 while (enumerator->enumerate(enumerator, &child_sa))
319 {
320 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
321 use_time = max(use_time, current);
322 }
323 enumerator->destroy(enumerator);
324
325 return use_time;
326 }
327
328 METHOD(ike_sa_t, get_unique_id, u_int32_t,
329 private_ike_sa_t *this)
330 {
331 return this->unique_id;
332 }
333
334 METHOD(ike_sa_t, get_name, char*,
335 private_ike_sa_t *this)
336 {
337 if (this->peer_cfg)
338 {
339 return this->peer_cfg->get_name(this->peer_cfg);
340 }
341 return "(unnamed)";
342 }
343
344 METHOD(ike_sa_t, get_statistic, u_int32_t,
345 private_ike_sa_t *this, statistic_t kind)
346 {
347 if (kind < STAT_MAX)
348 {
349 return this->stats[kind];
350 }
351 return 0;
352 }
353
354 METHOD(ike_sa_t, set_statistic, void,
355 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
356 {
357 if (kind < STAT_MAX)
358 {
359 this->stats[kind] = value;
360 }
361 }
362
363 METHOD(ike_sa_t, get_my_host, host_t*,
364 private_ike_sa_t *this)
365 {
366 return this->my_host;
367 }
368
369 METHOD(ike_sa_t, set_my_host, void,
370 private_ike_sa_t *this, host_t *me)
371 {
372 DESTROY_IF(this->my_host);
373 this->my_host = me;
374 }
375
376 METHOD(ike_sa_t, get_other_host, host_t*,
377 private_ike_sa_t *this)
378 {
379 return this->other_host;
380 }
381
382 METHOD(ike_sa_t, set_other_host, void,
383 private_ike_sa_t *this, host_t *other)
384 {
385 DESTROY_IF(this->other_host);
386 this->other_host = other;
387 }
388
389 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
390 private_ike_sa_t *this)
391 {
392 return this->peer_cfg;
393 }
394
395 METHOD(ike_sa_t, set_peer_cfg, void,
396 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
397 {
398 peer_cfg->get_ref(peer_cfg);
399 DESTROY_IF(this->peer_cfg);
400 this->peer_cfg = peer_cfg;
401
402 if (this->ike_cfg == NULL)
403 {
404 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
405 this->ike_cfg->get_ref(this->ike_cfg);
406 }
407 }
408
409 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
410 private_ike_sa_t *this, bool local)
411 {
412 if (local)
413 {
414 return this->my_auth;
415 }
416 return this->other_auth;
417 }
418
419 METHOD(ike_sa_t, add_auth_cfg, void,
420 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
421 {
422 if (local)
423 {
424 array_insert(this->my_auths, ARRAY_TAIL, cfg);
425 }
426 else
427 {
428 array_insert(this->other_auths, ARRAY_TAIL, cfg);
429 }
430 }
431
432 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
433 private_ike_sa_t *this, bool local)
434 {
435 if (local)
436 {
437 return array_create_enumerator(this->my_auths);
438 }
439 return array_create_enumerator(this->other_auths);
440 }
441
442 /**
443 * Flush the stored authentication round information
444 */
445 static void flush_auth_cfgs(private_ike_sa_t *this)
446 {
447 auth_cfg_t *cfg;
448
449 this->my_auth->purge(this->my_auth, FALSE);
450 this->other_auth->purge(this->other_auth, FALSE);
451
452 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
453 {
454 cfg->destroy(cfg);
455 }
456 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
457 {
458 cfg->destroy(cfg);
459 }
460 }
461
462 METHOD(ike_sa_t, get_proposal, proposal_t*,
463 private_ike_sa_t *this)
464 {
465 return this->proposal;
466 }
467
468 METHOD(ike_sa_t, set_proposal, void,
469 private_ike_sa_t *this, proposal_t *proposal)
470 {
471 DESTROY_IF(this->proposal);
472 this->proposal = proposal->clone(proposal);
473 }
474
475 METHOD(ike_sa_t, set_message_id, void,
476 private_ike_sa_t *this, bool initiate, u_int32_t mid)
477 {
478 if (initiate)
479 {
480 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
481 }
482 else
483 {
484 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
485 }
486 }
487
488 METHOD(ike_sa_t, send_keepalive, void,
489 private_ike_sa_t *this, bool scheduled)
490 {
491 time_t last_out, now, diff;
492
493 if (scheduled)
494 {
495 this->keepalive_job = NULL;
496 }
497 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
498 { /* keepalives disabled either by configuration or for passive IKE_SAs */
499 return;
500 }
501 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
502 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
503 return;
504 }
505
506 last_out = get_use_time(this, FALSE);
507 now = time_monotonic(NULL);
508
509 diff = now - last_out;
510
511 if (diff >= this->keepalive_interval)
512 {
513 packet_t *packet;
514 chunk_t data;
515
516 packet = packet_create();
517 packet->set_source(packet, this->my_host->clone(this->my_host));
518 packet->set_destination(packet, this->other_host->clone(this->other_host));
519 data.ptr = malloc(1);
520 data.ptr[0] = 0xFF;
521 data.len = 1;
522 packet->set_data(packet, data);
523 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
524 charon->sender->send_no_marker(charon->sender, packet);
525 diff = 0;
526 }
527 if (!this->keepalive_job)
528 {
529 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
530 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
531 this->keepalive_interval - diff);
532 }
533 }
534
535 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
536 private_ike_sa_t *this)
537 {
538 return this->ike_cfg;
539 }
540
541 METHOD(ike_sa_t, set_ike_cfg, void,
542 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
543 {
544 ike_cfg->get_ref(ike_cfg);
545 this->ike_cfg = ike_cfg;
546 }
547
548 METHOD(ike_sa_t, enable_extension, void,
549 private_ike_sa_t *this, ike_extension_t extension)
550 {
551 this->extensions |= extension;
552 }
553
554 METHOD(ike_sa_t, supports_extension, bool,
555 private_ike_sa_t *this, ike_extension_t extension)
556 {
557 return (this->extensions & extension) != FALSE;
558 }
559
560 METHOD(ike_sa_t, has_condition, bool,
561 private_ike_sa_t *this, ike_condition_t condition)
562 {
563 return (this->conditions & condition) != FALSE;
564 }
565
566 METHOD(ike_sa_t, set_condition, void,
567 private_ike_sa_t *this, ike_condition_t condition, bool enable)
568 {
569 if (has_condition(this, condition) != enable)
570 {
571 if (enable)
572 {
573 this->conditions |= condition;
574 switch (condition)
575 {
576 case COND_NAT_HERE:
577 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
578 this->conditions |= COND_NAT_ANY;
579 send_keepalive(this, FALSE);
580 break;
581 case COND_NAT_THERE:
582 DBG1(DBG_IKE, "remote host is behind NAT");
583 this->conditions |= COND_NAT_ANY;
584 break;
585 case COND_NAT_FAKE:
586 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
587 this->conditions |= COND_NAT_ANY;
588 break;
589 default:
590 break;
591 }
592 }
593 else
594 {
595 this->conditions &= ~condition;
596 switch (condition)
597 {
598 case COND_NAT_HERE:
599 case COND_NAT_FAKE:
600 case COND_NAT_THERE:
601 set_condition(this, COND_NAT_ANY,
602 has_condition(this, COND_NAT_HERE) ||
603 has_condition(this, COND_NAT_THERE) ||
604 has_condition(this, COND_NAT_FAKE));
605 break;
606 case COND_STALE:
607 send_keepalive(this, FALSE);
608 break;
609 default:
610 break;
611 }
612 }
613 }
614 }
615
616 METHOD(ike_sa_t, send_dpd, status_t,
617 private_ike_sa_t *this)
618 {
619 job_t *job;
620 time_t diff, delay;
621 bool task_queued = FALSE;
622
623 if (this->state == IKE_PASSIVE)
624 {
625 return INVALID_STATE;
626 }
627 delay = this->peer_cfg->get_dpd(this->peer_cfg);
628 if (this->task_manager->busy(this->task_manager))
629 {
630 /* an exchange is in the air, no need to start a DPD check */
631 diff = 0;
632 }
633 else
634 {
635 /* check if there was any inbound traffic */
636 time_t last_in, now;
637 last_in = get_use_time(this, TRUE);
638 now = time_monotonic(NULL);
639 diff = now - last_in;
640 if (!delay || diff >= delay)
641 {
642 /* too long ago, initiate dead peer detection */
643 DBG1(DBG_IKE, "sending DPD request");
644 this->task_manager->queue_dpd(this->task_manager);
645 task_queued = TRUE;
646 diff = 0;
647 }
648 }
649 /* recheck in "interval" seconds */
650 if (delay)
651 {
652 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
653 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
654 }
655 if (task_queued)
656 {
657 return this->task_manager->initiate(this->task_manager);
658 }
659 return SUCCESS;
660 }
661
662 METHOD(ike_sa_t, get_state, ike_sa_state_t,
663 private_ike_sa_t *this)
664 {
665 return this->state;
666 }
667
668 METHOD(ike_sa_t, set_state, void,
669 private_ike_sa_t *this, ike_sa_state_t state)
670 {
671 bool trigger_dpd = FALSE, keepalives = FALSE;
672
673 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
674 get_name(this), this->unique_id,
675 ike_sa_state_names, this->state,
676 ike_sa_state_names, state);
677
678 switch (state)
679 {
680 case IKE_ESTABLISHED:
681 {
682 if (this->state == IKE_CONNECTING ||
683 this->state == IKE_PASSIVE)
684 {
685 job_t *job;
686 u_int32_t t;
687
688 /* calculate rekey, reauth and lifetime */
689 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
690
691 /* schedule rekeying if we have a time which is smaller than
692 * an already scheduled rekeying */
693 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
694 if (t && (this->stats[STAT_REKEY] == 0 ||
695 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
696 {
697 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
698 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
699 lib->scheduler->schedule_job(lib->scheduler, job, t);
700 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
701 }
702 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
703 if (t && (this->stats[STAT_REAUTH] == 0 ||
704 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
705 {
706 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
707 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
708 lib->scheduler->schedule_job(lib->scheduler, job, t);
709 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
710 }
711 t = this->peer_cfg->get_over_time(this->peer_cfg);
712 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
713 {
714 if (this->stats[STAT_REAUTH] == 0)
715 {
716 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
717 }
718 else if (this->stats[STAT_REKEY] == 0)
719 {
720 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
721 }
722 else
723 {
724 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
725 this->stats[STAT_REAUTH]);
726 }
727 this->stats[STAT_DELETE] += t;
728 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
729 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
730 lib->scheduler->schedule_job(lib->scheduler, job, t);
731 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
732 }
733 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
734 if (trigger_dpd)
735 {
736 /* Some peers delay the DELETE after rekeying an IKE_SA.
737 * If this delay is longer than our DPD delay, we would
738 * send a DPD request here. The IKE_SA is not ready to do
739 * so yet, so prevent that. */
740 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
741 }
742 if (this->state == IKE_PASSIVE)
743 {
744 keepalives = TRUE;
745 }
746 }
747 break;
748 }
749 default:
750 break;
751 }
752 charon->bus->ike_state_change(charon->bus, &this->public, state);
753 this->state = state;
754
755 if (trigger_dpd)
756 {
757 if (supports_extension(this, EXT_DPD))
758 {
759 send_dpd(this);
760 }
761 else
762 {
763 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
764 }
765 }
766 if (keepalives)
767 {
768 send_keepalive(this, FALSE);
769 }
770 }
771
772 METHOD(ike_sa_t, reset, void,
773 private_ike_sa_t *this)
774 {
775 /* the responder ID is reset, as peer may choose another one */
776 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
777 {
778 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
779 }
780
781 set_state(this, IKE_CREATED);
782
783 flush_auth_cfgs(this);
784
785 this->keymat->destroy(this->keymat);
786 this->keymat = keymat_create(this->version,
787 this->ike_sa_id->is_initiator(this->ike_sa_id));
788
789 this->task_manager->reset(this->task_manager, 0, 0);
790 }
791
792 METHOD(ike_sa_t, get_keymat, keymat_t*,
793 private_ike_sa_t *this)
794 {
795 return this->keymat;
796 }
797
798 METHOD(ike_sa_t, add_virtual_ip, void,
799 private_ike_sa_t *this, bool local, host_t *ip)
800 {
801 if (local)
802 {
803 char *iface;
804
805 if (charon->kernel->get_interface(charon->kernel, this->my_host,
806 &iface))
807 {
808 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
809 if (charon->kernel->add_ip(charon->kernel, ip, -1,
810 iface) == SUCCESS)
811 {
812 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
813 }
814 else
815 {
816 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
817 }
818 free(iface);
819 }
820 else
821 {
822 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
823 }
824 }
825 else
826 {
827 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
828 }
829 }
830
831
832 METHOD(ike_sa_t, clear_virtual_ips, void,
833 private_ike_sa_t *this, bool local)
834 {
835 array_t *vips;
836 host_t *vip;
837
838 vips = local ? this->my_vips : this->other_vips;
839 if (!local && array_count(vips))
840 {
841 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
842 }
843 while (array_remove(vips, ARRAY_HEAD, &vip))
844 {
845 if (local)
846 {
847 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
848 }
849 vip->destroy(vip);
850 }
851 }
852
853 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
854 private_ike_sa_t *this, bool local)
855 {
856 if (local)
857 {
858 return array_create_enumerator(this->my_vips);
859 }
860 return array_create_enumerator(this->other_vips);
861 }
862
863 METHOD(ike_sa_t, add_peer_address, void,
864 private_ike_sa_t *this, host_t *host)
865 {
866 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
867 }
868
869 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
870 private_ike_sa_t *this)
871 {
872 if (this->peer_addresses)
873 {
874 return array_create_enumerator(this->peer_addresses);
875 }
876 /* in case we don't have MOBIKE */
877 return enumerator_create_single(this->other_host, NULL);
878 }
879
880 METHOD(ike_sa_t, clear_peer_addresses, void,
881 private_ike_sa_t *this)
882 {
883 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
884 this->peer_addresses = NULL;
885 }
886
887 METHOD(ike_sa_t, has_mapping_changed, bool,
888 private_ike_sa_t *this, chunk_t hash)
889 {
890 if (this->nat_detection_dest.ptr == NULL)
891 {
892 this->nat_detection_dest = chunk_clone(hash);
893 return FALSE;
894 }
895 if (chunk_equals(hash, this->nat_detection_dest))
896 {
897 return FALSE;
898 }
899 free(this->nat_detection_dest.ptr);
900 this->nat_detection_dest = chunk_clone(hash);
901 return TRUE;
902 }
903
904 METHOD(ike_sa_t, set_pending_updates, void,
905 private_ike_sa_t *this, u_int32_t updates)
906 {
907 this->pending_updates = updates;
908 }
909
910 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
911 private_ike_sa_t *this)
912 {
913 return this->pending_updates;
914 }
915
916 METHOD(ike_sa_t, float_ports, void,
917 private_ike_sa_t *this)
918 {
919 /* do not switch if we have a custom port from MOBIKE/NAT */
920 if (this->my_host->get_port(this->my_host) ==
921 charon->socket->get_port(charon->socket, FALSE))
922 {
923 this->my_host->set_port(this->my_host,
924 charon->socket->get_port(charon->socket, TRUE));
925 }
926 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
927 {
928 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
929 }
930 }
931
932 METHOD(ike_sa_t, update_hosts, void,
933 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
934 {
935 bool update = FALSE;
936
937 if (me == NULL)
938 {
939 me = this->my_host;
940 }
941 if (other == NULL)
942 {
943 other = this->other_host;
944 }
945
946 /* apply hosts on first received message */
947 if (this->my_host->is_anyaddr(this->my_host) ||
948 this->other_host->is_anyaddr(this->other_host))
949 {
950 set_my_host(this, me->clone(me));
951 set_other_host(this, other->clone(other));
952 update = TRUE;
953 }
954 else
955 {
956 /* update our address in any case */
957 if (force && !me->equals(me, this->my_host))
958 {
959 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
960 set_my_host(this, me->clone(me));
961 update = TRUE;
962 }
963
964 if (!other->equals(other, this->other_host) &&
965 (force || has_condition(this, COND_NAT_THERE)))
966 {
967 /* only update other's address if we are behind a static NAT,
968 * which we assume is the case if we are not initiator */
969 if (force ||
970 (!has_condition(this, COND_NAT_HERE) ||
971 !has_condition(this, COND_ORIGINAL_INITIATOR)))
972 {
973 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
974 set_other_host(this, other->clone(other));
975 update = TRUE;
976 }
977 }
978 }
979
980 /* update all associated CHILD_SAs, if required */
981 if (update)
982 {
983 enumerator_t *enumerator;
984 child_sa_t *child_sa;
985 linked_list_t *vips;
986
987 vips = linked_list_create_from_enumerator(
988 array_create_enumerator(this->my_vips));
989
990 enumerator = array_create_enumerator(this->child_sas);
991 while (enumerator->enumerate(enumerator, &child_sa))
992 {
993 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
994 charon->child_sa_manager->add(charon->child_sa_manager,
995 child_sa, &this->public);
996
997 if (child_sa->update(child_sa, this->my_host, this->other_host,
998 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
999 {
1000 this->public.rekey_child_sa(&this->public,
1001 child_sa->get_protocol(child_sa),
1002 child_sa->get_spi(child_sa, TRUE));
1003 }
1004
1005 }
1006 enumerator->destroy(enumerator);
1007
1008 vips->destroy(vips);
1009 }
1010 }
1011
1012 /**
1013 * Set configured DSCP value on packet
1014 */
1015 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1016 {
1017 ike_cfg_t *ike_cfg;
1018
1019 /* prefer IKE config on peer_cfg, as its selection is more accurate
1020 * then the initial IKE config */
1021 if (this->peer_cfg)
1022 {
1023 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1024 }
1025 else
1026 {
1027 ike_cfg = this->ike_cfg;
1028 }
1029 if (ike_cfg)
1030 {
1031 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1032 }
1033 }
1034
1035 METHOD(ike_sa_t, generate_message, status_t,
1036 private_ike_sa_t *this, message_t *message, packet_t **packet)
1037 {
1038 status_t status;
1039
1040 if (message->is_encoded(message))
1041 { /* already encoded in task, but set DSCP value */
1042 *packet = message->get_packet(message);
1043 set_dscp(this, *packet);
1044 return SUCCESS;
1045 }
1046 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1047 message->set_ike_sa_id(message, this->ike_sa_id);
1048 charon->bus->message(charon->bus, message, FALSE, TRUE);
1049 status = message->generate(message, this->keymat, packet);
1050 if (status == SUCCESS)
1051 {
1052 set_dscp(this, *packet);
1053 charon->bus->message(charon->bus, message, FALSE, FALSE);
1054 }
1055 return status;
1056 }
1057
1058 static bool filter_fragments(private_ike_sa_t *this, packet_t **fragment,
1059 packet_t **packet)
1060 {
1061 *packet = (*fragment)->clone(*fragment);
1062 set_dscp(this, *packet);
1063 return TRUE;
1064 }
1065
1066 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1067 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1068 {
1069 enumerator_t *fragments;
1070 packet_t *packet;
1071 status_t status;
1072 bool use_frags = FALSE;
1073
1074 if (this->ike_cfg)
1075 {
1076 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1077 {
1078 case FRAGMENTATION_FORCE:
1079 use_frags = TRUE;
1080 break;
1081 case FRAGMENTATION_YES:
1082 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1083 if (use_frags && this->version == IKEV1 &&
1084 supports_extension(this, EXT_MS_WINDOWS))
1085 {
1086 /* It seems Windows 7 and 8 peers only accept proprietary
1087 * fragmented messages if they expect certificates. */
1088 use_frags = message->get_payload(message,
1089 PLV1_CERTIFICATE) != NULL;
1090 }
1091 break;
1092 default:
1093 break;
1094 }
1095 }
1096 if (!use_frags)
1097 {
1098 status = generate_message(this, message, &packet);
1099 if (status != SUCCESS)
1100 {
1101 return status;
1102 }
1103 *packets = enumerator_create_single(packet, NULL);
1104 return SUCCESS;
1105 }
1106
1107 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1108 message->set_ike_sa_id(message, this->ike_sa_id);
1109 charon->bus->message(charon->bus, message, FALSE, TRUE);
1110 status = message->fragment(message, this->keymat, this->fragment_size,
1111 &fragments);
1112 if (status == SUCCESS)
1113 {
1114 charon->bus->message(charon->bus, message, FALSE, FALSE);
1115 *packets = enumerator_create_filter(fragments, (void*)filter_fragments,
1116 this, NULL);
1117 }
1118 return status;
1119 }
1120
1121 METHOD(ike_sa_t, set_kmaddress, void,
1122 private_ike_sa_t *this, host_t *local, host_t *remote)
1123 {
1124 DESTROY_IF(this->local_host);
1125 DESTROY_IF(this->remote_host);
1126 this->local_host = local->clone(local);
1127 this->remote_host = remote->clone(remote);
1128 }
1129
1130 #ifdef ME
1131 METHOD(ike_sa_t, act_as_mediation_server, void,
1132 private_ike_sa_t *this)
1133 {
1134 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1135 this->other_id, this->ike_sa_id);
1136 this->is_mediation_server = TRUE;
1137 }
1138
1139 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1140 private_ike_sa_t *this)
1141 {
1142 return this->server_reflexive_host;
1143 }
1144
1145 METHOD(ike_sa_t, set_server_reflexive_host, void,
1146 private_ike_sa_t *this, host_t *host)
1147 {
1148 DESTROY_IF(this->server_reflexive_host);
1149 this->server_reflexive_host = host;
1150 }
1151
1152 METHOD(ike_sa_t, get_connect_id, chunk_t,
1153 private_ike_sa_t *this)
1154 {
1155 return this->connect_id;
1156 }
1157
1158 METHOD(ike_sa_t, respond, status_t,
1159 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1160 {
1161 ike_me_t *task = ike_me_create(&this->public, TRUE);
1162 task->respond(task, peer_id, connect_id);
1163 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1164 return this->task_manager->initiate(this->task_manager);
1165 }
1166
1167 METHOD(ike_sa_t, callback, status_t,
1168 private_ike_sa_t *this, identification_t *peer_id)
1169 {
1170 ike_me_t *task = ike_me_create(&this->public, TRUE);
1171 task->callback(task, peer_id);
1172 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1173 return this->task_manager->initiate(this->task_manager);
1174 }
1175
1176 METHOD(ike_sa_t, relay, status_t,
1177 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1178 chunk_t connect_key, linked_list_t *endpoints, bool response)
1179 {
1180 ike_me_t *task = ike_me_create(&this->public, TRUE);
1181 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1182 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1183 return this->task_manager->initiate(this->task_manager);
1184 }
1185
1186 METHOD(ike_sa_t, initiate_mediation, status_t,
1187 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1188 {
1189 ike_me_t *task = ike_me_create(&this->public, TRUE);
1190 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1191 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1192 return this->task_manager->initiate(this->task_manager);
1193 }
1194
1195 METHOD(ike_sa_t, initiate_mediated, status_t,
1196 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1197 {
1198 set_my_host(this, me->clone(me));
1199 set_other_host(this, other->clone(other));
1200 chunk_free(&this->connect_id);
1201 this->connect_id = chunk_clone(connect_id);
1202 return this->task_manager->initiate(this->task_manager);
1203 }
1204 #endif /* ME */
1205
1206 /**
1207 * Resolve DNS host in configuration
1208 */
1209 static void resolve_hosts(private_ike_sa_t *this)
1210 {
1211 host_t *host;
1212 int family = AF_UNSPEC;
1213
1214 switch (charon->socket->supported_families(charon->socket))
1215 {
1216 case SOCKET_FAMILY_IPV4:
1217 family = AF_INET;
1218 break;
1219 case SOCKET_FAMILY_IPV6:
1220 family = AF_INET6;
1221 break;
1222 case SOCKET_FAMILY_BOTH:
1223 case SOCKET_FAMILY_NONE:
1224 break;
1225 }
1226
1227 /* if an IP address is set locally, use the same family to resolve remote */
1228 if (family == AF_UNSPEC && !this->remote_host)
1229 {
1230 if (this->local_host)
1231 {
1232 family = this->local_host->get_family(this->local_host);
1233 }
1234 else
1235 {
1236 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1237 }
1238 }
1239
1240 if (this->remote_host)
1241 {
1242 host = this->remote_host->clone(this->remote_host);
1243 host->set_port(host, IKEV2_UDP_PORT);
1244 }
1245 else
1246 {
1247 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1248 }
1249 if (host)
1250 {
1251 if (!host->is_anyaddr(host) ||
1252 this->other_host->is_anyaddr(this->other_host))
1253 { /* don't set to %any if we currently have an address, but the
1254 * address family might have changed */
1255 set_other_host(this, host);
1256 }
1257 else
1258 { /* reuse the original port as some implementations might not like
1259 * initial IKE messages on other ports */
1260 this->other_host->set_port(this->other_host, host->get_port(host));
1261 host->destroy(host);
1262 }
1263 }
1264
1265 if (this->local_host)
1266 {
1267 host = this->local_host->clone(this->local_host);
1268 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1269 }
1270 else
1271 {
1272 /* use same address family as for other */
1273 if (!this->other_host->is_anyaddr(this->other_host))
1274 {
1275 family = this->other_host->get_family(this->other_host);
1276 }
1277 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1278
1279 if (host && host->is_anyaddr(host) &&
1280 !this->other_host->is_anyaddr(this->other_host))
1281 {
1282 host->destroy(host);
1283 host = charon->kernel->get_source_addr(charon->kernel,
1284 this->other_host, NULL);
1285 if (host)
1286 {
1287 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1288 }
1289 else
1290 { /* fallback to address family specific %any(6), if configured */
1291 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1292 }
1293 }
1294 }
1295 if (host)
1296 {
1297 set_my_host(this, host);
1298 }
1299 }
1300
1301 METHOD(ike_sa_t, initiate, status_t,
1302 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1303 traffic_selector_t *tsi, traffic_selector_t *tsr)
1304 {
1305 bool defer_initiate = FALSE;
1306
1307 if (this->state == IKE_CREATED)
1308 {
1309 if (this->my_host->is_anyaddr(this->my_host) ||
1310 this->other_host->is_anyaddr(this->other_host))
1311 {
1312 resolve_hosts(this);
1313 }
1314
1315 if (this->other_host->is_anyaddr(this->other_host)
1316 #ifdef ME
1317 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1318 #endif /* ME */
1319 )
1320 {
1321 char *addr;
1322
1323 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1324 if (!this->retry_initiate_interval)
1325 {
1326 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1327 addr);
1328 DESTROY_IF(child_cfg);
1329 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1330 return DESTROY_ME;
1331 }
1332 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1333 addr, this->retry_initiate_interval);
1334 defer_initiate = TRUE;
1335 }
1336
1337 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1338 this->task_manager->queue_ike(this->task_manager);
1339 }
1340
1341 #ifdef ME
1342 if (this->peer_cfg->is_mediation(this->peer_cfg))
1343 {
1344 if (this->state == IKE_ESTABLISHED)
1345 {
1346 /* mediation connection is already established, retrigger state
1347 * change to notify bus listeners */
1348 DBG1(DBG_IKE, "mediation connection is already up");
1349 set_state(this, IKE_ESTABLISHED);
1350 }
1351 DESTROY_IF(child_cfg);
1352 }
1353 else
1354 #endif /* ME */
1355 if (child_cfg)
1356 {
1357 /* normal IKE_SA with CHILD_SA */
1358 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1359 tsi, tsr);
1360 #ifdef ME
1361 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1362 {
1363 /* mediated connection, initiate mediation process */
1364 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1365 lib->processor->queue_job(lib->processor, job);
1366 return SUCCESS;
1367 }
1368 #endif /* ME */
1369 }
1370
1371 if (defer_initiate)
1372 {
1373 if (!this->retry_initiate_queued)
1374 {
1375 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1376 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1377 this->retry_initiate_interval);
1378 this->retry_initiate_queued = TRUE;
1379 }
1380 return SUCCESS;
1381 }
1382 this->retry_initiate_queued = FALSE;
1383 return this->task_manager->initiate(this->task_manager);
1384 }
1385
1386 METHOD(ike_sa_t, retry_initiate, status_t,
1387 private_ike_sa_t *this)
1388 {
1389 if (this->retry_initiate_queued)
1390 {
1391 this->retry_initiate_queued = FALSE;
1392 return initiate(this, NULL, 0, NULL, NULL);
1393 }
1394 return SUCCESS;
1395 }
1396
1397 METHOD(ike_sa_t, process_message, status_t,
1398 private_ike_sa_t *this, message_t *message)
1399 {
1400 status_t status;
1401
1402 if (this->state == IKE_PASSIVE)
1403 { /* do not handle messages in passive state */
1404 return FAILED;
1405 }
1406 if (message->get_major_version(message) != this->version)
1407 {
1408 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1409 exchange_type_names, message->get_exchange_type(message),
1410 message->get_major_version(message),
1411 ike_version_names, this->version);
1412 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1413 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1414 return FAILED;
1415 }
1416 status = this->task_manager->process_message(this->task_manager, message);
1417 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1418 {
1419 /* authentication completed */
1420 this->flush_auth_cfg = FALSE;
1421 flush_auth_cfgs(this);
1422 }
1423 return status;
1424 }
1425
1426 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1427 private_ike_sa_t *this)
1428 {
1429 return this->ike_sa_id;
1430 }
1431
1432 METHOD(ike_sa_t, get_version, ike_version_t,
1433 private_ike_sa_t *this)
1434 {
1435 return this->version;
1436 }
1437
1438 METHOD(ike_sa_t, get_my_id, identification_t*,
1439 private_ike_sa_t *this)
1440 {
1441 return this->my_id;
1442 }
1443
1444 METHOD(ike_sa_t, set_my_id, void,
1445 private_ike_sa_t *this, identification_t *me)
1446 {
1447 DESTROY_IF(this->my_id);
1448 this->my_id = me;
1449 }
1450
1451 METHOD(ike_sa_t, get_other_id, identification_t*,
1452 private_ike_sa_t *this)
1453 {
1454 return this->other_id;
1455 }
1456
1457 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1458 private_ike_sa_t *this)
1459 {
1460 identification_t *id = NULL, *current;
1461 enumerator_t *enumerator;
1462 auth_cfg_t *cfg;
1463
1464 enumerator = array_create_enumerator(this->other_auths);
1465 while (enumerator->enumerate(enumerator, &cfg))
1466 {
1467 /* prefer EAP-Identity of last round */
1468 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1469 if (!current || current->get_type(current) == ID_ANY)
1470 {
1471 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1472 }
1473 if (!current || current->get_type(current) == ID_ANY)
1474 {
1475 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1476 }
1477 if (current && current->get_type(current) != ID_ANY)
1478 {
1479 id = current;
1480 continue;
1481 }
1482 }
1483 enumerator->destroy(enumerator);
1484 if (id)
1485 {
1486 return id;
1487 }
1488 return this->other_id;
1489 }
1490
1491 METHOD(ike_sa_t, set_other_id, void,
1492 private_ike_sa_t *this, identification_t *other)
1493 {
1494 DESTROY_IF(this->other_id);
1495 this->other_id = other;
1496 }
1497
1498 METHOD(ike_sa_t, add_child_sa, void,
1499 private_ike_sa_t *this, child_sa_t *child_sa)
1500 {
1501 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1502 charon->child_sa_manager->add(charon->child_sa_manager,
1503 child_sa, &this->public);
1504 }
1505
1506 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1507 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1508 {
1509 enumerator_t *enumerator;
1510 child_sa_t *current, *found = NULL;
1511
1512 enumerator = array_create_enumerator(this->child_sas);
1513 while (enumerator->enumerate(enumerator, (void**)&current))
1514 {
1515 if (current->get_spi(current, inbound) == spi &&
1516 current->get_protocol(current) == protocol)
1517 {
1518 found = current;
1519 }
1520 }
1521 enumerator->destroy(enumerator);
1522 return found;
1523 }
1524
1525 METHOD(ike_sa_t, get_child_count, int,
1526 private_ike_sa_t *this)
1527 {
1528 return array_count(this->child_sas);
1529 }
1530
1531 /**
1532 * Private data of a create_child_sa_enumerator()
1533 */
1534 typedef struct {
1535 /** implements enumerator */
1536 enumerator_t public;
1537 /** inner array enumerator */
1538 enumerator_t *inner;
1539 /** current item */
1540 child_sa_t *current;
1541 } child_enumerator_t;
1542
1543 METHOD(enumerator_t, child_enumerate, bool,
1544 child_enumerator_t *this, child_sa_t **child_sa)
1545 {
1546 if (this->inner->enumerate(this->inner, &this->current))
1547 {
1548 *child_sa = this->current;
1549 return TRUE;
1550 }
1551 return FALSE;
1552 }
1553
1554 METHOD(enumerator_t, child_enumerator_destroy, void,
1555 child_enumerator_t *this)
1556 {
1557 this->inner->destroy(this->inner);
1558 free(this);
1559 }
1560
1561 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1562 private_ike_sa_t *this)
1563 {
1564 child_enumerator_t *enumerator;
1565
1566 INIT(enumerator,
1567 .public = {
1568 .enumerate = (void*)_child_enumerate,
1569 .destroy = _child_enumerator_destroy,
1570 },
1571 .inner = array_create_enumerator(this->child_sas),
1572 );
1573 return &enumerator->public;
1574 }
1575
1576 METHOD(ike_sa_t, remove_child_sa, void,
1577 private_ike_sa_t *this, enumerator_t *enumerator)
1578 {
1579 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1580
1581 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1582 array_remove_at(this->child_sas, ce->inner);
1583 }
1584
1585 METHOD(ike_sa_t, rekey_child_sa, status_t,
1586 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1587 {
1588 if (this->state == IKE_PASSIVE)
1589 {
1590 return INVALID_STATE;
1591 }
1592 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1593 return this->task_manager->initiate(this->task_manager);
1594 }
1595
1596 METHOD(ike_sa_t, delete_child_sa, status_t,
1597 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1598 {
1599 if (this->state == IKE_PASSIVE)
1600 {
1601 return INVALID_STATE;
1602 }
1603 this->task_manager->queue_child_delete(this->task_manager,
1604 protocol, spi, expired);
1605 return this->task_manager->initiate(this->task_manager);
1606 }
1607
1608 METHOD(ike_sa_t, destroy_child_sa, status_t,
1609 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1610 {
1611 enumerator_t *enumerator;
1612 child_sa_t *child_sa;
1613 status_t status = NOT_FOUND;
1614
1615 enumerator = create_child_sa_enumerator(this);
1616 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1617 {
1618 if (child_sa->get_protocol(child_sa) == protocol &&
1619 child_sa->get_spi(child_sa, TRUE) == spi)
1620 {
1621 remove_child_sa(this, enumerator);
1622 child_sa->destroy(child_sa);
1623 status = SUCCESS;
1624 break;
1625 }
1626 }
1627 enumerator->destroy(enumerator);
1628 return status;
1629 }
1630
1631 METHOD(ike_sa_t, delete_, status_t,
1632 private_ike_sa_t *this)
1633 {
1634 switch (this->state)
1635 {
1636 case IKE_REKEYING:
1637 if (this->version == IKEV1)
1638 { /* SA has been reauthenticated, delete */
1639 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1640 break;
1641 }
1642 /* FALL */
1643 case IKE_ESTABLISHED:
1644 if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
1645 { /* IKE_SA hard lifetime hit */
1646 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1647 }
1648 this->task_manager->queue_ike_delete(this->task_manager);
1649 return this->task_manager->initiate(this->task_manager);
1650 case IKE_CREATED:
1651 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1652 break;
1653 case IKE_PASSIVE:
1654 break;
1655 default:
1656 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1657 "without notification", ike_sa_state_names, this->state);
1658 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1659 break;
1660 }
1661 return DESTROY_ME;
1662 }
1663
1664 METHOD(ike_sa_t, rekey, status_t,
1665 private_ike_sa_t *this)
1666 {
1667 if (this->state == IKE_PASSIVE)
1668 {
1669 return INVALID_STATE;
1670 }
1671 this->task_manager->queue_ike_rekey(this->task_manager);
1672 return this->task_manager->initiate(this->task_manager);
1673 }
1674
1675 METHOD(ike_sa_t, reauth, status_t,
1676 private_ike_sa_t *this)
1677 {
1678 if (this->state == IKE_PASSIVE)
1679 {
1680 return INVALID_STATE;
1681 }
1682 if (this->state == IKE_CONNECTING)
1683 {
1684 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1685 get_name(this), this->unique_id);
1686 reset(this);
1687 this->task_manager->queue_ike(this->task_manager);
1688 return this->task_manager->initiate(this->task_manager);
1689 }
1690 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1691 * If the peer does not support RFC4478, there is no way to keep the
1692 * IKE_SA up. */
1693 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1694 {
1695 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1696 if (array_count(this->other_vips) != 0 ||
1697 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1698 has_condition(this, COND_EAP_AUTHENTICATED)
1699 #ifdef ME
1700 /* as mediation server we too cannot reauth the IKE_SA */
1701 || this->is_mediation_server
1702 #endif /* ME */
1703 )
1704 {
1705 time_t del, now;
1706
1707 del = this->stats[STAT_DELETE];
1708 now = time_monotonic(NULL);
1709 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1710 get_name(this), this->unique_id, &now, &del);
1711 return FAILED;
1712 }
1713 else
1714 {
1715 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1716 get_name(this), this->unique_id);
1717 }
1718 }
1719 else
1720 {
1721 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1722 get_name(this), this->unique_id);
1723 }
1724 set_condition(this, COND_REAUTHENTICATING, TRUE);
1725 this->task_manager->queue_ike_reauth(this->task_manager);
1726 return this->task_manager->initiate(this->task_manager);
1727 }
1728
1729 /**
1730 * Check if tasks to create CHILD_SAs are queued in the given queue
1731 */
1732 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1733 {
1734 enumerator_t *enumerator;
1735 task_t *task;
1736 bool found = FALSE;
1737
1738 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1739 queue);
1740 while (enumerator->enumerate(enumerator, &task))
1741 {
1742 if (task->get_type(task) == TASK_CHILD_CREATE ||
1743 task->get_type(task) == TASK_QUICK_MODE)
1744 {
1745 found = TRUE;
1746 break;
1747 }
1748 }
1749 enumerator->destroy(enumerator);
1750 return found;
1751 }
1752
1753 METHOD(ike_sa_t, reestablish, status_t,
1754 private_ike_sa_t *this)
1755 {
1756 ike_sa_t *new;
1757 host_t *host;
1758 action_t action;
1759 enumerator_t *enumerator;
1760 child_sa_t *child_sa;
1761 child_cfg_t *child_cfg;
1762 bool restart = FALSE;
1763 status_t status = FAILED;
1764
1765 if (has_condition(this, COND_REAUTHENTICATING))
1766 { /* only reauthenticate if we have children */
1767 if (array_count(this->child_sas) == 0
1768 #ifdef ME
1769 /* allow reauth of mediation connections without CHILD_SAs */
1770 && !this->peer_cfg->is_mediation(this->peer_cfg)
1771 #endif /* ME */
1772 )
1773 {
1774 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1775 "to recreate");
1776 }
1777 else
1778 {
1779 restart = TRUE;
1780 }
1781 }
1782 else
1783 { /* check if we have children to keep up at all */
1784 enumerator = array_create_enumerator(this->child_sas);
1785 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1786 {
1787 if (this->state == IKE_DELETING)
1788 {
1789 action = child_sa->get_close_action(child_sa);
1790 }
1791 else
1792 {
1793 action = child_sa->get_dpd_action(child_sa);
1794 }
1795 switch (action)
1796 {
1797 case ACTION_RESTART:
1798 restart = TRUE;
1799 break;
1800 case ACTION_ROUTE:
1801 charon->traps->install(charon->traps, this->peer_cfg,
1802 child_sa->get_config(child_sa),
1803 child_sa->get_reqid(child_sa));
1804 break;
1805 default:
1806 break;
1807 }
1808 }
1809 enumerator->destroy(enumerator);
1810 /* check if we have tasks that recreate children */
1811 if (!restart)
1812 {
1813 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
1814 is_child_queued(this, TASK_QUEUE_QUEUED);
1815 }
1816 #ifdef ME
1817 /* mediation connections have no children, keep them up anyway */
1818 if (this->peer_cfg->is_mediation(this->peer_cfg))
1819 {
1820 restart = TRUE;
1821 }
1822 #endif /* ME */
1823 }
1824 if (!restart)
1825 {
1826 return FAILED;
1827 }
1828
1829 /* check if we are able to reestablish this IKE_SA */
1830 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1831 (array_count(this->other_vips) != 0 ||
1832 has_condition(this, COND_EAP_AUTHENTICATED)
1833 #ifdef ME
1834 || this->is_mediation_server
1835 #endif /* ME */
1836 ))
1837 {
1838 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1839 return FAILED;
1840 }
1841
1842 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1843 this->version, TRUE);
1844 if (!new)
1845 {
1846 return FAILED;
1847 }
1848 new->set_peer_cfg(new, this->peer_cfg);
1849 host = this->other_host;
1850 new->set_other_host(new, host->clone(host));
1851 host = this->my_host;
1852 new->set_my_host(new, host->clone(host));
1853 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
1854 /* resolve hosts but use the old addresses above as fallback */
1855 resolve_hosts((private_ike_sa_t*)new);
1856 /* if we already have a virtual IP, we reuse it */
1857 enumerator = array_create_enumerator(this->my_vips);
1858 while (enumerator->enumerate(enumerator, &host))
1859 {
1860 new->add_virtual_ip(new, TRUE, host);
1861 }
1862 enumerator->destroy(enumerator);
1863
1864 #ifdef ME
1865 if (this->peer_cfg->is_mediation(this->peer_cfg))
1866 {
1867 status = new->initiate(new, NULL, 0, NULL, NULL);
1868 }
1869 else
1870 #endif /* ME */
1871 {
1872 /* handle existing CHILD_SAs */
1873 enumerator = create_child_sa_enumerator(this);
1874 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1875 {
1876 if (has_condition(this, COND_REAUTHENTICATING))
1877 {
1878 switch (child_sa->get_state(child_sa))
1879 {
1880 case CHILD_ROUTED:
1881 { /* move routed child directly */
1882 remove_child_sa(this, enumerator);
1883 new->add_child_sa(new, child_sa);
1884 action = ACTION_NONE;
1885 break;
1886 }
1887 default:
1888 { /* initiate/queue all other CHILD_SAs */
1889 action = ACTION_RESTART;
1890 break;
1891 }
1892 }
1893 }
1894 else
1895 { /* only restart CHILD_SAs that are configured accordingly */
1896 if (this->state == IKE_DELETING)
1897 {
1898 action = child_sa->get_close_action(child_sa);
1899 }
1900 else
1901 {
1902 action = child_sa->get_dpd_action(child_sa);
1903 }
1904 }
1905 switch (action)
1906 {
1907 case ACTION_RESTART:
1908 child_cfg = child_sa->get_config(child_sa);
1909 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1910 child_cfg->get_name(child_cfg));
1911 child_cfg->get_ref(child_cfg);
1912 status = new->initiate(new, child_cfg,
1913 child_sa->get_reqid(child_sa), NULL, NULL);
1914 break;
1915 default:
1916 continue;
1917 }
1918 if (status == DESTROY_ME)
1919 {
1920 break;
1921 }
1922 }
1923 enumerator->destroy(enumerator);
1924 /* adopt any active or queued CHILD-creating tasks */
1925 if (status != DESTROY_ME)
1926 {
1927 task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
1928 other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
1929 if (new->get_state(new) == IKE_CREATED)
1930 {
1931 status = new->initiate(new, NULL, 0, NULL, NULL);
1932 }
1933 }
1934 }
1935
1936 if (status == DESTROY_ME)
1937 {
1938 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1939 FALSE);
1940 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1941 status = FAILED;
1942 }
1943 else
1944 {
1945 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1946 TRUE);
1947 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1948 status = SUCCESS;
1949 }
1950 charon->bus->set_sa(charon->bus, &this->public);
1951 return status;
1952 }
1953
1954 METHOD(ike_sa_t, retransmit, status_t,
1955 private_ike_sa_t *this, u_int32_t message_id)
1956 {
1957 if (this->state == IKE_PASSIVE)
1958 {
1959 return INVALID_STATE;
1960 }
1961 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1962 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1963 {
1964 /* send a proper signal to brief interested bus listeners */
1965 switch (this->state)
1966 {
1967 case IKE_CONNECTING:
1968 {
1969 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
1970 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1971 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
1972 this->keyingtry);
1973 this->keyingtry++;
1974 if (tries == 0 || tries > this->keyingtry)
1975 {
1976 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1977 this->keyingtry + 1, tries);
1978 reset(this);
1979 resolve_hosts(this);
1980 this->task_manager->queue_ike(this->task_manager);
1981 return this->task_manager->initiate(this->task_manager);
1982 }
1983 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1984 break;
1985 }
1986 case IKE_DELETING:
1987 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1988 if (has_condition(this, COND_REAUTHENTICATING))
1989 {
1990 DBG1(DBG_IKE, "delete during reauthentication failed, "
1991 "trying to reestablish IKE_SA anyway");
1992 reestablish(this);
1993 }
1994 break;
1995 case IKE_REKEYING:
1996 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1997 /* FALL */
1998 default:
1999 reestablish(this);
2000 break;
2001 }
2002 if (this->state != IKE_CONNECTING)
2003 {
2004 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2005 }
2006 return DESTROY_ME;
2007 }
2008 return SUCCESS;
2009 }
2010
2011 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2012 private_ike_sa_t *this, u_int32_t lifetime)
2013 {
2014 u_int32_t diff, hard, soft, now;
2015 bool send_update;
2016
2017 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2018 now = time_monotonic(NULL);
2019 hard = now + lifetime;
2020 soft = hard - diff;
2021
2022 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2023 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2024 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2025 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2026 (array_count(this->other_vips) != 0 ||
2027 has_condition(this, COND_EAP_AUTHENTICATED));
2028
2029 if (lifetime < diff)
2030 {
2031 this->stats[STAT_REAUTH] = now;
2032
2033 if (!send_update)
2034 {
2035 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2036 "starting reauthentication", lifetime);
2037 lib->processor->queue_job(lib->processor,
2038 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2039 }
2040 }
2041 else if (this->stats[STAT_REAUTH] == 0 ||
2042 this->stats[STAT_REAUTH] > soft)
2043 {
2044 this->stats[STAT_REAUTH] = soft;
2045 if (!send_update)
2046 {
2047 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2048 "reauthentication in %ds", lifetime, lifetime - diff);
2049 lib->scheduler->schedule_job(lib->scheduler,
2050 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2051 lifetime - diff);
2052 }
2053 }
2054 else
2055 {
2056 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2057 "reauthentication already scheduled in %ds", lifetime,
2058 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2059 send_update = FALSE;
2060 }
2061 /* give at least some seconds to reauthenticate */
2062 this->stats[STAT_DELETE] = max(hard, now + 10);
2063
2064 #ifdef USE_IKEV2
2065 if (send_update)
2066 {
2067 ike_auth_lifetime_t *task;
2068
2069 task = ike_auth_lifetime_create(&this->public, TRUE);
2070 this->task_manager->queue_task(this->task_manager, &task->task);
2071 return this->task_manager->initiate(this->task_manager);
2072 }
2073 #endif
2074 return SUCCESS;
2075 }
2076
2077 /**
2078 * Check if the current combination of source and destination address is still
2079 * valid.
2080 */
2081 static bool is_current_path_valid(private_ike_sa_t *this)
2082 {
2083 bool valid = FALSE;
2084 host_t *src;
2085 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2086 this->my_host);
2087 if (src)
2088 {
2089 if (src->ip_equals(src, this->my_host))
2090 {
2091 valid = TRUE;
2092 }
2093 src->destroy(src);
2094 }
2095 return valid;
2096 }
2097
2098 /**
2099 * Check if we have any path avialable for this IKE SA.
2100 */
2101 static bool is_any_path_valid(private_ike_sa_t *this)
2102 {
2103 bool valid = FALSE;
2104 enumerator_t *enumerator;
2105 host_t *src = NULL, *addr;
2106 int family = AF_UNSPEC;
2107
2108 switch (charon->socket->supported_families(charon->socket))
2109 {
2110 case SOCKET_FAMILY_IPV4:
2111 family = AF_INET;
2112 break;
2113 case SOCKET_FAMILY_IPV6:
2114 family = AF_INET6;
2115 break;
2116 case SOCKET_FAMILY_BOTH:
2117 case SOCKET_FAMILY_NONE:
2118 break;
2119 }
2120
2121 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2122 enumerator = create_peer_address_enumerator(this);
2123 while (enumerator->enumerate(enumerator, &addr))
2124 {
2125 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2126 {
2127 continue;
2128 }
2129 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2130 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2131 if (src)
2132 {
2133 break;
2134 }
2135 }
2136 enumerator->destroy(enumerator);
2137 if (src)
2138 {
2139 valid = TRUE;
2140 src->destroy(src);
2141 }
2142 return valid;
2143 }
2144
2145 METHOD(ike_sa_t, roam, status_t,
2146 private_ike_sa_t *this, bool address)
2147 {
2148 switch (this->state)
2149 {
2150 case IKE_CREATED:
2151 case IKE_DELETING:
2152 case IKE_DESTROYING:
2153 case IKE_PASSIVE:
2154 return SUCCESS;
2155 default:
2156 break;
2157 }
2158
2159 /* keep existing path if possible */
2160 if (is_current_path_valid(this))
2161 {
2162 DBG2(DBG_IKE, "keeping connection path %H - %H",
2163 this->my_host, this->other_host);
2164 set_condition(this, COND_STALE, FALSE);
2165
2166 if (supports_extension(this, EXT_MOBIKE) && address)
2167 { /* if any addresses changed, send an updated list */
2168 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2169 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2170 return this->task_manager->initiate(this->task_manager);
2171 }
2172 return SUCCESS;
2173 }
2174
2175 if (!is_any_path_valid(this))
2176 {
2177 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2178 this->other_host);
2179 set_condition(this, COND_STALE, TRUE);
2180 return SUCCESS;
2181 }
2182 set_condition(this, COND_STALE, FALSE);
2183
2184 /* update addresses with mobike, if supported ... */
2185 if (supports_extension(this, EXT_MOBIKE))
2186 {
2187 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2188 { /* responder updates the peer about changed address config */
2189 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2190 "implicitly requesting an address change");
2191 address = TRUE;
2192 }
2193 else
2194 {
2195 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2196 }
2197 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2198 return this->task_manager->initiate(this->task_manager);
2199 }
2200
2201 /* ... reauth if not */
2202 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2203 { /* responder does not reauthenticate */
2204 set_condition(this, COND_STALE, TRUE);
2205 return SUCCESS;
2206 }
2207 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2208 /* since our previous path is not valid anymore, try and find a new one */
2209 resolve_hosts(this);
2210 return reauth(this);
2211 }
2212
2213 METHOD(ike_sa_t, add_configuration_attribute, void,
2214 private_ike_sa_t *this, attribute_handler_t *handler,
2215 configuration_attribute_type_t type, chunk_t data)
2216 {
2217 attribute_entry_t entry = {
2218 .handler = handler,
2219 .type = type,
2220 .data = chunk_clone(data),
2221 };
2222 array_insert(this->attributes, ARRAY_TAIL, &entry);
2223 }
2224
2225 /**
2226 * Enumerator filter for attributes
2227 */
2228 static bool filter_attribute(void *null, attribute_entry_t **in,
2229 configuration_attribute_type_t *type, void *in2,
2230 chunk_t *data, void *in3, bool *handled)
2231 {
2232 *type = (*in)->type;
2233 *data = (*in)->data;
2234 *handled = (*in)->handler != NULL;
2235 return TRUE;
2236 }
2237
2238 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2239 private_ike_sa_t *this)
2240 {
2241 return enumerator_create_filter(array_create_enumerator(this->attributes),
2242 (void*)filter_attribute, NULL, NULL);
2243 }
2244
2245 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2246 private_ike_sa_t *this, task_queue_t queue)
2247 {
2248 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2249 }
2250
2251 METHOD(ike_sa_t, flush_queue, void,
2252 private_ike_sa_t *this, task_queue_t queue)
2253 {
2254 this->task_manager->flush_queue(this->task_manager, queue);
2255 }
2256
2257 METHOD(ike_sa_t, queue_task, void,
2258 private_ike_sa_t *this, task_t *task)
2259 {
2260 this->task_manager->queue_task(this->task_manager, task);
2261 }
2262
2263 METHOD(ike_sa_t, inherit_pre, void,
2264 private_ike_sa_t *this, ike_sa_t *other_public)
2265 {
2266 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2267
2268 /* apply config and hosts */
2269 set_peer_cfg(this, other->peer_cfg);
2270 set_my_host(this, other->my_host->clone(other->my_host));
2271 set_other_host(this, other->other_host->clone(other->other_host));
2272
2273 /* apply extensions and conditions with a few exceptions */
2274 this->extensions = other->extensions;
2275 this->conditions = other->conditions;
2276 this->conditions &= ~COND_STALE;
2277 this->conditions &= ~COND_REAUTHENTICATING;
2278 }
2279
2280 METHOD(ike_sa_t, inherit_post, void,
2281 private_ike_sa_t *this, ike_sa_t *other_public)
2282 {
2283 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2284 child_sa_t *child_sa;
2285 enumerator_t *enumerator;
2286 attribute_entry_t entry;
2287 auth_cfg_t *cfg;
2288 host_t *vip;
2289
2290 /* apply hosts and ids */
2291 this->my_host->destroy(this->my_host);
2292 this->other_host->destroy(this->other_host);
2293 this->my_id->destroy(this->my_id);
2294 this->other_id->destroy(this->other_id);
2295 this->my_host = other->my_host->clone(other->my_host);
2296 this->other_host = other->other_host->clone(other->other_host);
2297 this->my_id = other->my_id->clone(other->my_id);
2298 this->other_id = other->other_id->clone(other->other_id);
2299
2300 /* apply assigned virtual IPs... */
2301 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2302 {
2303 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2304 }
2305 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2306 {
2307 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2308 }
2309
2310 /* MOBIKE additional addresses */
2311 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2312 {
2313 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2314 }
2315
2316 /* authentication information */
2317 enumerator = array_create_enumerator(other->my_auths);
2318 while (enumerator->enumerate(enumerator, &cfg))
2319 {
2320 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2321 }
2322 enumerator->destroy(enumerator);
2323 enumerator = array_create_enumerator(other->other_auths);
2324 while (enumerator->enumerate(enumerator, &cfg))
2325 {
2326 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2327 }
2328 enumerator->destroy(enumerator);
2329
2330 /* ... and configuration attributes */
2331 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2332 {
2333 array_insert(this->attributes, ARRAY_TAIL, &entry);
2334 }
2335
2336 /* inherit all conditions */
2337 this->conditions = other->conditions;
2338 if (this->conditions & COND_NAT_HERE)
2339 {
2340 send_keepalive(this, FALSE);
2341 }
2342
2343 #ifdef ME
2344 if (other->is_mediation_server)
2345 {
2346 act_as_mediation_server(this);
2347 }
2348 else if (other->server_reflexive_host)
2349 {
2350 this->server_reflexive_host = other->server_reflexive_host->clone(
2351 other->server_reflexive_host);
2352 }
2353 #endif /* ME */
2354
2355 /* adopt all children */
2356 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2357 {
2358 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2359 add_child_sa(this, child_sa);
2360 }
2361
2362 /* move pending tasks to the new IKE_SA */
2363 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2364
2365 /* reauthentication timeout survives a rekeying */
2366 if (other->stats[STAT_REAUTH])
2367 {
2368 time_t reauth, delete, now = time_monotonic(NULL);
2369
2370 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2371 reauth = this->stats[STAT_REAUTH] - now;
2372 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2373 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2374 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2375 "lifetime reduced to %ds", reauth, delete);
2376 lib->scheduler->schedule_job(lib->scheduler,
2377 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2378 lib->scheduler->schedule_job(lib->scheduler,
2379 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2380 }
2381 }
2382
2383 METHOD(ike_sa_t, destroy, void,
2384 private_ike_sa_t *this)
2385 {
2386 attribute_entry_t entry;
2387 child_sa_t *child_sa;
2388 host_t *vip;
2389
2390 charon->bus->set_sa(charon->bus, &this->public);
2391
2392 set_state(this, IKE_DESTROYING);
2393 if (this->task_manager)
2394 {
2395 this->task_manager->flush(this->task_manager);
2396 }
2397
2398 /* remove attributes first, as we pass the IKE_SA to the handler */
2399 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2400 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2401 {
2402 if (entry.handler)
2403 {
2404 charon->attributes->release(charon->attributes, entry.handler,
2405 &this->public, entry.type, entry.data);
2406 }
2407 free(entry.data.ptr);
2408 }
2409 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2410 * routes that the CHILD_SA tries to uninstall. */
2411 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2412 {
2413 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2414 child_sa->destroy(child_sa);
2415 }
2416 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2417 {
2418 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2419 vip->destroy(vip);
2420 }
2421 if (array_count(this->other_vips))
2422 {
2423 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2424 }
2425 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2426 {
2427 if (this->peer_cfg)
2428 {
2429 linked_list_t *pools;
2430
2431 pools = linked_list_create_from_enumerator(
2432 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2433 charon->attributes->release_address(charon->attributes,
2434 pools, vip, &this->public);
2435 pools->destroy(pools);
2436 }
2437 vip->destroy(vip);
2438 }
2439
2440 /* unset SA after here to avoid usage by the listeners */
2441 charon->bus->set_sa(charon->bus, NULL);
2442
2443 array_destroy(this->child_sas);
2444 DESTROY_IF(this->task_manager);
2445 DESTROY_IF(this->keymat);
2446 array_destroy(this->attributes);
2447 array_destroy(this->my_vips);
2448 array_destroy(this->other_vips);
2449 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2450 #ifdef ME
2451 if (this->is_mediation_server)
2452 {
2453 charon->mediation_manager->remove(charon->mediation_manager,
2454 this->ike_sa_id);
2455 }
2456 DESTROY_IF(this->server_reflexive_host);
2457 chunk_free(&this->connect_id);
2458 #endif /* ME */
2459 free(this->nat_detection_dest.ptr);
2460
2461 DESTROY_IF(this->my_host);
2462 DESTROY_IF(this->other_host);
2463 DESTROY_IF(this->my_id);
2464 DESTROY_IF(this->other_id);
2465 DESTROY_IF(this->local_host);
2466 DESTROY_IF(this->remote_host);
2467
2468 DESTROY_IF(this->ike_cfg);
2469 DESTROY_IF(this->peer_cfg);
2470 DESTROY_IF(this->proposal);
2471 this->my_auth->destroy(this->my_auth);
2472 this->other_auth->destroy(this->other_auth);
2473 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
2474 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
2475
2476 this->ike_sa_id->destroy(this->ike_sa_id);
2477 free(this);
2478 }
2479
2480 /*
2481 * Described in header.
2482 */
2483 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2484 ike_version_t version)
2485 {
2486 private_ike_sa_t *this;
2487 static refcount_t unique_id = 0;
2488
2489 if (version == IKE_ANY)
2490 { /* prefer IKEv2 if protocol not specified */
2491 #ifdef USE_IKEV2
2492 version = IKEV2;
2493 #else
2494 version = IKEV1;
2495 #endif
2496 }
2497
2498 INIT(this,
2499 .public = {
2500 .get_version = _get_version,
2501 .get_state = _get_state,
2502 .set_state = _set_state,
2503 .get_name = _get_name,
2504 .get_statistic = _get_statistic,
2505 .set_statistic = _set_statistic,
2506 .process_message = _process_message,
2507 .initiate = _initiate,
2508 .retry_initiate = _retry_initiate,
2509 .get_ike_cfg = _get_ike_cfg,
2510 .set_ike_cfg = _set_ike_cfg,
2511 .get_peer_cfg = _get_peer_cfg,
2512 .set_peer_cfg = _set_peer_cfg,
2513 .get_auth_cfg = _get_auth_cfg,
2514 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2515 .add_auth_cfg = _add_auth_cfg,
2516 .get_proposal = _get_proposal,
2517 .set_proposal = _set_proposal,
2518 .get_id = _get_id,
2519 .get_my_host = _get_my_host,
2520 .set_my_host = _set_my_host,
2521 .get_other_host = _get_other_host,
2522 .set_other_host = _set_other_host,
2523 .set_message_id = _set_message_id,
2524 .float_ports = _float_ports,
2525 .update_hosts = _update_hosts,
2526 .get_my_id = _get_my_id,
2527 .set_my_id = _set_my_id,
2528 .get_other_id = _get_other_id,
2529 .set_other_id = _set_other_id,
2530 .get_other_eap_id = _get_other_eap_id,
2531 .enable_extension = _enable_extension,
2532 .supports_extension = _supports_extension,
2533 .set_condition = _set_condition,
2534 .has_condition = _has_condition,
2535 .set_pending_updates = _set_pending_updates,
2536 .get_pending_updates = _get_pending_updates,
2537 .create_peer_address_enumerator = _create_peer_address_enumerator,
2538 .add_peer_address = _add_peer_address,
2539 .clear_peer_addresses = _clear_peer_addresses,
2540 .has_mapping_changed = _has_mapping_changed,
2541 .retransmit = _retransmit,
2542 .delete = _delete_,
2543 .destroy = _destroy,
2544 .send_dpd = _send_dpd,
2545 .send_keepalive = _send_keepalive,
2546 .get_keymat = _get_keymat,
2547 .add_child_sa = _add_child_sa,
2548 .get_child_sa = _get_child_sa,
2549 .get_child_count = _get_child_count,
2550 .create_child_sa_enumerator = _create_child_sa_enumerator,
2551 .remove_child_sa = _remove_child_sa,
2552 .rekey_child_sa = _rekey_child_sa,
2553 .delete_child_sa = _delete_child_sa,
2554 .destroy_child_sa = _destroy_child_sa,
2555 .rekey = _rekey,
2556 .reauth = _reauth,
2557 .reestablish = _reestablish,
2558 .set_auth_lifetime = _set_auth_lifetime,
2559 .roam = _roam,
2560 .inherit_pre = _inherit_pre,
2561 .inherit_post = _inherit_post,
2562 .generate_message = _generate_message,
2563 .generate_message_fragmented = _generate_message_fragmented,
2564 .reset = _reset,
2565 .get_unique_id = _get_unique_id,
2566 .add_virtual_ip = _add_virtual_ip,
2567 .clear_virtual_ips = _clear_virtual_ips,
2568 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
2569 .add_configuration_attribute = _add_configuration_attribute,
2570 .create_attribute_enumerator = _create_attribute_enumerator,
2571 .set_kmaddress = _set_kmaddress,
2572 .create_task_enumerator = _create_task_enumerator,
2573 .flush_queue = _flush_queue,
2574 .queue_task = _queue_task,
2575 #ifdef ME
2576 .act_as_mediation_server = _act_as_mediation_server,
2577 .get_server_reflexive_host = _get_server_reflexive_host,
2578 .set_server_reflexive_host = _set_server_reflexive_host,
2579 .get_connect_id = _get_connect_id,
2580 .initiate_mediation = _initiate_mediation,
2581 .initiate_mediated = _initiate_mediated,
2582 .relay = _relay,
2583 .callback = _callback,
2584 .respond = _respond,
2585 #endif /* ME */
2586 },
2587 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2588 .version = version,
2589 .my_host = host_create_any(AF_INET),
2590 .other_host = host_create_any(AF_INET),
2591 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2592 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2593 .keymat = keymat_create(version, initiator),
2594 .state = IKE_CREATED,
2595 .stats[STAT_INBOUND] = time_monotonic(NULL),
2596 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2597 .my_auth = auth_cfg_create(),
2598 .other_auth = auth_cfg_create(),
2599 .my_auths = array_create(0, 0),
2600 .other_auths = array_create(0, 0),
2601 .attributes = array_create(sizeof(attribute_entry_t), 0),
2602 .unique_id = ref_get(&unique_id),
2603 .keepalive_interval = lib->settings->get_time(lib->settings,
2604 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
2605 .retry_initiate_interval = lib->settings->get_time(lib->settings,
2606 "%s.retry_initiate_interval", 0, lib->ns),
2607 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2608 "%s.flush_auth_cfg", FALSE, lib->ns),
2609 .fragment_size = lib->settings->get_int(lib->settings,
2610 "%s.fragment_size", 0, lib->ns),
2611 );
2612
2613 if (version == IKEV2)
2614 { /* always supported with IKEv2 */
2615 enable_extension(this, EXT_DPD);
2616 }
2617
2618 this->task_manager = task_manager_create(&this->public);
2619 this->my_host->set_port(this->my_host,
2620 charon->socket->get_port(charon->socket, FALSE));
2621
2622 if (!this->task_manager || !this->keymat)
2623 {
2624 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2625 destroy(this);
2626 return NULL;
2627 }
2628 return &this->public;
2629 }