6884bf249979a03786a6e4b3322253c48e2aff67
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2015 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61
62 #ifdef ME
63 #include <sa/ikev2/tasks/ike_me.h>
64 #include <processing/jobs/initiate_mediation_job.h>
65 #endif
66
67 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
68 "CREATED",
69 "CONNECTING",
70 "ESTABLISHED",
71 "PASSIVE",
72 "REKEYING",
73 "DELETING",
74 "DESTROYING",
75 );
76
77 typedef struct private_ike_sa_t private_ike_sa_t;
78 typedef struct attribute_entry_t attribute_entry_t;
79
80 /**
81 * Private data of an ike_sa_t object.
82 */
83 struct private_ike_sa_t {
84
85 /**
86 * Public members
87 */
88 ike_sa_t public;
89
90 /**
91 * Identifier for the current IKE_SA.
92 */
93 ike_sa_id_t *ike_sa_id;
94
95 /**
96 * IKE version of this SA.
97 */
98 ike_version_t version;
99
100 /**
101 * unique numerical ID for this IKE_SA.
102 */
103 u_int32_t unique_id;
104
105 /**
106 * Current state of the IKE_SA
107 */
108 ike_sa_state_t state;
109
110 /**
111 * IKE configuration used to set up this IKE_SA
112 */
113 ike_cfg_t *ike_cfg;
114
115 /**
116 * Peer and authentication information to establish IKE_SA.
117 */
118 peer_cfg_t *peer_cfg;
119
120 /**
121 * currently used authentication ruleset, local
122 */
123 auth_cfg_t *my_auth;
124
125 /**
126 * currently used authentication constraints, remote
127 */
128 auth_cfg_t *other_auth;
129
130 /**
131 * Array of completed local authentication rounds (as auth_cfg_t)
132 */
133 array_t *my_auths;
134
135 /**
136 * Array of completed remote authentication rounds (as auth_cfg_t)
137 */
138 array_t *other_auths;
139
140 /**
141 * Selected IKE proposal
142 */
143 proposal_t *proposal;
144
145 /**
146 * Juggles tasks to process messages
147 */
148 task_manager_t *task_manager;
149
150 /**
151 * Address of local host
152 */
153 host_t *my_host;
154
155 /**
156 * Address of remote host
157 */
158 host_t *other_host;
159
160 #ifdef ME
161 /**
162 * Are we mediation server
163 */
164 bool is_mediation_server;
165
166 /**
167 * Server reflexive host
168 */
169 host_t *server_reflexive_host;
170
171 /**
172 * Connect ID
173 */
174 chunk_t connect_id;
175 #endif /* ME */
176
177 /**
178 * Identification used for us
179 */
180 identification_t *my_id;
181
182 /**
183 * Identification used for other
184 */
185 identification_t *other_id;
186
187 /**
188 * set of extensions the peer supports
189 */
190 ike_extension_t extensions;
191
192 /**
193 * set of condition flags currently enabled for this IKE_SA
194 */
195 ike_condition_t conditions;
196
197 /**
198 * Array containing the child sa's of the current IKE_SA.
199 */
200 array_t *child_sas;
201
202 /**
203 * keymat of this IKE_SA
204 */
205 keymat_t *keymat;
206
207 /**
208 * Virtual IPs on local host
209 */
210 array_t *my_vips;
211
212 /**
213 * Virtual IPs on remote host
214 */
215 array_t *other_vips;
216
217 /**
218 * List of configuration attributes (attribute_entry_t)
219 */
220 array_t *attributes;
221
222 /**
223 * list of peer's addresses, additional ones transmitted via MOBIKE
224 */
225 array_t *peer_addresses;
226
227 /**
228 * previously value of received DESTINATION_IP hash
229 */
230 chunk_t nat_detection_dest;
231
232 /**
233 * number pending UPDATE_SA_ADDRESS (MOBIKE)
234 */
235 u_int32_t pending_updates;
236
237 /**
238 * NAT keep alive interval
239 */
240 u_int32_t keepalive_interval;
241
242 /**
243 * The schedueld keep alive job, if any
244 */
245 send_keepalive_job_t *keepalive_job;
246
247 /**
248 * interval for retries during initiation (e.g. if DNS resolution failed),
249 * 0 to disable (default)
250 */
251 u_int32_t retry_initiate_interval;
252
253 /**
254 * TRUE if a retry_initiate_job has been queued
255 */
256 bool retry_initiate_queued;
257
258 /**
259 * Timestamps for this IKE_SA
260 */
261 u_int32_t stats[STAT_MAX];
262
263 /**
264 * how many times we have retried so far (keyingtries)
265 */
266 u_int32_t keyingtry;
267
268 /**
269 * local host address to be used for IKE, set via MIGRATE kernel message
270 */
271 host_t *local_host;
272
273 /**
274 * remote host address to be used for IKE, set via MIGRATE kernel message
275 */
276 host_t *remote_host;
277
278 /**
279 * Flush auth configs once established?
280 */
281 bool flush_auth_cfg;
282
283 /**
284 * Maximum length of a single fragment, 0 for address-specific defaults
285 */
286 size_t fragment_size;
287
288 /**
289 * Whether to follow IKEv2 redirects
290 */
291 bool follow_redirects;
292
293 /**
294 * Original gateway address from which we got redirected
295 */
296 host_t *redirected_from;
297 };
298
299 /**
300 * Entry to maintain install configuration attributes during IKE_SA lifetime
301 */
302 struct attribute_entry_t {
303 /** handler used to install this attribute */
304 attribute_handler_t *handler;
305 /** attribute type */
306 configuration_attribute_type_t type;
307 /** attribute data */
308 chunk_t data;
309 };
310
311 /**
312 * get the time of the latest traffic processed by the kernel
313 */
314 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
315 {
316 enumerator_t *enumerator;
317 child_sa_t *child_sa;
318 time_t use_time, current;
319
320 if (inbound)
321 {
322 use_time = this->stats[STAT_INBOUND];
323 }
324 else
325 {
326 use_time = this->stats[STAT_OUTBOUND];
327 }
328
329 enumerator = array_create_enumerator(this->child_sas);
330 while (enumerator->enumerate(enumerator, &child_sa))
331 {
332 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
333 use_time = max(use_time, current);
334 }
335 enumerator->destroy(enumerator);
336
337 return use_time;
338 }
339
340 METHOD(ike_sa_t, get_unique_id, u_int32_t,
341 private_ike_sa_t *this)
342 {
343 return this->unique_id;
344 }
345
346 METHOD(ike_sa_t, get_name, char*,
347 private_ike_sa_t *this)
348 {
349 if (this->peer_cfg)
350 {
351 return this->peer_cfg->get_name(this->peer_cfg);
352 }
353 return "(unnamed)";
354 }
355
356 METHOD(ike_sa_t, get_statistic, u_int32_t,
357 private_ike_sa_t *this, statistic_t kind)
358 {
359 if (kind < STAT_MAX)
360 {
361 return this->stats[kind];
362 }
363 return 0;
364 }
365
366 METHOD(ike_sa_t, set_statistic, void,
367 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
368 {
369 if (kind < STAT_MAX)
370 {
371 this->stats[kind] = value;
372 }
373 }
374
375 METHOD(ike_sa_t, get_my_host, host_t*,
376 private_ike_sa_t *this)
377 {
378 return this->my_host;
379 }
380
381 METHOD(ike_sa_t, set_my_host, void,
382 private_ike_sa_t *this, host_t *me)
383 {
384 DESTROY_IF(this->my_host);
385 this->my_host = me;
386 }
387
388 METHOD(ike_sa_t, get_other_host, host_t*,
389 private_ike_sa_t *this)
390 {
391 return this->other_host;
392 }
393
394 METHOD(ike_sa_t, set_other_host, void,
395 private_ike_sa_t *this, host_t *other)
396 {
397 DESTROY_IF(this->other_host);
398 this->other_host = other;
399 }
400
401 METHOD(ike_sa_t, get_redirected_from, host_t*,
402 private_ike_sa_t *this)
403 {
404 return this->redirected_from;
405 }
406
407 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
408 private_ike_sa_t *this)
409 {
410 return this->peer_cfg;
411 }
412
413 METHOD(ike_sa_t, set_peer_cfg, void,
414 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
415 {
416 peer_cfg->get_ref(peer_cfg);
417 DESTROY_IF(this->peer_cfg);
418 this->peer_cfg = peer_cfg;
419
420 if (this->ike_cfg == NULL)
421 {
422 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
423 this->ike_cfg->get_ref(this->ike_cfg);
424 }
425 }
426
427 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
428 private_ike_sa_t *this, bool local)
429 {
430 if (local)
431 {
432 return this->my_auth;
433 }
434 return this->other_auth;
435 }
436
437 METHOD(ike_sa_t, add_auth_cfg, void,
438 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
439 {
440 if (local)
441 {
442 array_insert(this->my_auths, ARRAY_TAIL, cfg);
443 }
444 else
445 {
446 array_insert(this->other_auths, ARRAY_TAIL, cfg);
447 }
448 }
449
450 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
451 private_ike_sa_t *this, bool local)
452 {
453 if (local)
454 {
455 return array_create_enumerator(this->my_auths);
456 }
457 return array_create_enumerator(this->other_auths);
458 }
459
460 /**
461 * Flush the stored authentication round information
462 */
463 static void flush_auth_cfgs(private_ike_sa_t *this)
464 {
465 auth_cfg_t *cfg;
466
467 this->my_auth->purge(this->my_auth, FALSE);
468 this->other_auth->purge(this->other_auth, FALSE);
469
470 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
471 {
472 cfg->destroy(cfg);
473 }
474 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
475 {
476 cfg->destroy(cfg);
477 }
478 }
479
480 METHOD(ike_sa_t, get_proposal, proposal_t*,
481 private_ike_sa_t *this)
482 {
483 return this->proposal;
484 }
485
486 METHOD(ike_sa_t, set_proposal, void,
487 private_ike_sa_t *this, proposal_t *proposal)
488 {
489 DESTROY_IF(this->proposal);
490 this->proposal = proposal->clone(proposal);
491 }
492
493 METHOD(ike_sa_t, set_message_id, void,
494 private_ike_sa_t *this, bool initiate, u_int32_t mid)
495 {
496 if (initiate)
497 {
498 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
499 }
500 else
501 {
502 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
503 }
504 }
505
506 METHOD(ike_sa_t, send_keepalive, void,
507 private_ike_sa_t *this, bool scheduled)
508 {
509 time_t last_out, now, diff;
510
511 if (scheduled)
512 {
513 this->keepalive_job = NULL;
514 }
515 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
516 { /* keepalives disabled either by configuration or for passive IKE_SAs */
517 return;
518 }
519 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
520 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
521 return;
522 }
523
524 last_out = get_use_time(this, FALSE);
525 now = time_monotonic(NULL);
526
527 diff = now - last_out;
528
529 if (diff >= this->keepalive_interval)
530 {
531 packet_t *packet;
532 chunk_t data;
533
534 packet = packet_create();
535 packet->set_source(packet, this->my_host->clone(this->my_host));
536 packet->set_destination(packet, this->other_host->clone(this->other_host));
537 data.ptr = malloc(1);
538 data.ptr[0] = 0xFF;
539 data.len = 1;
540 packet->set_data(packet, data);
541 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
542 charon->sender->send_no_marker(charon->sender, packet);
543 diff = 0;
544 }
545 if (!this->keepalive_job)
546 {
547 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
548 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
549 this->keepalive_interval - diff);
550 }
551 }
552
553 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
554 private_ike_sa_t *this)
555 {
556 return this->ike_cfg;
557 }
558
559 METHOD(ike_sa_t, set_ike_cfg, void,
560 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
561 {
562 ike_cfg->get_ref(ike_cfg);
563 this->ike_cfg = ike_cfg;
564 }
565
566 METHOD(ike_sa_t, enable_extension, void,
567 private_ike_sa_t *this, ike_extension_t extension)
568 {
569 this->extensions |= extension;
570 }
571
572 METHOD(ike_sa_t, supports_extension, bool,
573 private_ike_sa_t *this, ike_extension_t extension)
574 {
575 return (this->extensions & extension) != FALSE;
576 }
577
578 METHOD(ike_sa_t, has_condition, bool,
579 private_ike_sa_t *this, ike_condition_t condition)
580 {
581 return (this->conditions & condition) != FALSE;
582 }
583
584 METHOD(ike_sa_t, set_condition, void,
585 private_ike_sa_t *this, ike_condition_t condition, bool enable)
586 {
587 if (has_condition(this, condition) != enable)
588 {
589 if (enable)
590 {
591 this->conditions |= condition;
592 switch (condition)
593 {
594 case COND_NAT_HERE:
595 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
596 this->conditions |= COND_NAT_ANY;
597 send_keepalive(this, FALSE);
598 break;
599 case COND_NAT_THERE:
600 DBG1(DBG_IKE, "remote host is behind NAT");
601 this->conditions |= COND_NAT_ANY;
602 break;
603 case COND_NAT_FAKE:
604 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
605 this->conditions |= COND_NAT_ANY;
606 break;
607 default:
608 break;
609 }
610 }
611 else
612 {
613 this->conditions &= ~condition;
614 switch (condition)
615 {
616 case COND_NAT_HERE:
617 case COND_NAT_FAKE:
618 case COND_NAT_THERE:
619 set_condition(this, COND_NAT_ANY,
620 has_condition(this, COND_NAT_HERE) ||
621 has_condition(this, COND_NAT_THERE) ||
622 has_condition(this, COND_NAT_FAKE));
623 break;
624 case COND_STALE:
625 send_keepalive(this, FALSE);
626 break;
627 default:
628 break;
629 }
630 }
631 }
632 }
633
634 METHOD(ike_sa_t, send_dpd, status_t,
635 private_ike_sa_t *this)
636 {
637 job_t *job;
638 time_t diff, delay;
639 bool task_queued = FALSE;
640
641 if (this->state == IKE_PASSIVE)
642 {
643 return INVALID_STATE;
644 }
645 delay = this->peer_cfg->get_dpd(this->peer_cfg);
646 if (this->task_manager->busy(this->task_manager))
647 {
648 /* an exchange is in the air, no need to start a DPD check */
649 diff = 0;
650 }
651 else
652 {
653 /* check if there was any inbound traffic */
654 time_t last_in, now;
655 last_in = get_use_time(this, TRUE);
656 now = time_monotonic(NULL);
657 diff = now - last_in;
658 if (!delay || diff >= delay)
659 {
660 /* too long ago, initiate dead peer detection */
661 DBG1(DBG_IKE, "sending DPD request");
662 this->task_manager->queue_dpd(this->task_manager);
663 task_queued = TRUE;
664 diff = 0;
665 }
666 }
667 /* recheck in "interval" seconds */
668 if (delay)
669 {
670 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
671 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
672 }
673 if (task_queued)
674 {
675 return this->task_manager->initiate(this->task_manager);
676 }
677 return SUCCESS;
678 }
679
680 METHOD(ike_sa_t, get_state, ike_sa_state_t,
681 private_ike_sa_t *this)
682 {
683 return this->state;
684 }
685
686 METHOD(ike_sa_t, set_state, void,
687 private_ike_sa_t *this, ike_sa_state_t state)
688 {
689 bool trigger_dpd = FALSE, keepalives = FALSE;
690
691 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
692 get_name(this), this->unique_id,
693 ike_sa_state_names, this->state,
694 ike_sa_state_names, state);
695
696 switch (state)
697 {
698 case IKE_ESTABLISHED:
699 {
700 if (this->state == IKE_CONNECTING ||
701 this->state == IKE_PASSIVE)
702 {
703 job_t *job;
704 u_int32_t t;
705
706 /* calculate rekey, reauth and lifetime */
707 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
708
709 /* schedule rekeying if we have a time which is smaller than
710 * an already scheduled rekeying */
711 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
712 if (t && (this->stats[STAT_REKEY] == 0 ||
713 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
714 {
715 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
716 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
717 lib->scheduler->schedule_job(lib->scheduler, job, t);
718 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
719 }
720 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
721 if (t && (this->stats[STAT_REAUTH] == 0 ||
722 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
723 {
724 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
725 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
726 lib->scheduler->schedule_job(lib->scheduler, job, t);
727 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
728 }
729 t = this->peer_cfg->get_over_time(this->peer_cfg);
730 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
731 {
732 if (this->stats[STAT_REAUTH] == 0)
733 {
734 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
735 }
736 else if (this->stats[STAT_REKEY] == 0)
737 {
738 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
739 }
740 else
741 {
742 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
743 this->stats[STAT_REAUTH]);
744 }
745 this->stats[STAT_DELETE] += t;
746 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
747 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
748 lib->scheduler->schedule_job(lib->scheduler, job, t);
749 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
750 }
751 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
752 if (trigger_dpd)
753 {
754 /* Some peers delay the DELETE after rekeying an IKE_SA.
755 * If this delay is longer than our DPD delay, we would
756 * send a DPD request here. The IKE_SA is not ready to do
757 * so yet, so prevent that. */
758 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
759 }
760 if (this->state == IKE_PASSIVE)
761 {
762 keepalives = TRUE;
763 }
764 DESTROY_IF(this->redirected_from);
765 this->redirected_from = NULL;
766 }
767 break;
768 }
769 default:
770 break;
771 }
772 charon->bus->ike_state_change(charon->bus, &this->public, state);
773 this->state = state;
774
775 if (trigger_dpd)
776 {
777 if (supports_extension(this, EXT_DPD))
778 {
779 send_dpd(this);
780 }
781 else
782 {
783 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
784 }
785 }
786 if (keepalives)
787 {
788 send_keepalive(this, FALSE);
789 }
790 }
791
792 METHOD(ike_sa_t, reset, void,
793 private_ike_sa_t *this)
794 {
795 /* the responder ID is reset, as peer may choose another one */
796 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
797 {
798 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
799 }
800
801 set_state(this, IKE_CREATED);
802
803 flush_auth_cfgs(this);
804
805 this->keymat->destroy(this->keymat);
806 this->keymat = keymat_create(this->version,
807 this->ike_sa_id->is_initiator(this->ike_sa_id));
808
809 this->task_manager->reset(this->task_manager, 0, 0);
810 }
811
812 METHOD(ike_sa_t, get_keymat, keymat_t*,
813 private_ike_sa_t *this)
814 {
815 return this->keymat;
816 }
817
818 METHOD(ike_sa_t, add_virtual_ip, void,
819 private_ike_sa_t *this, bool local, host_t *ip)
820 {
821 if (local)
822 {
823 char *iface;
824
825 if (charon->kernel->get_interface(charon->kernel, this->my_host,
826 &iface))
827 {
828 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
829 if (charon->kernel->add_ip(charon->kernel, ip, -1,
830 iface) == SUCCESS)
831 {
832 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
833 }
834 else
835 {
836 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
837 }
838 free(iface);
839 }
840 else
841 {
842 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
843 }
844 }
845 else
846 {
847 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
848 }
849 }
850
851
852 METHOD(ike_sa_t, clear_virtual_ips, void,
853 private_ike_sa_t *this, bool local)
854 {
855 array_t *vips;
856 host_t *vip;
857
858 vips = local ? this->my_vips : this->other_vips;
859 if (!local && array_count(vips))
860 {
861 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
862 }
863 while (array_remove(vips, ARRAY_HEAD, &vip))
864 {
865 if (local)
866 {
867 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
868 }
869 vip->destroy(vip);
870 }
871 }
872
873 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
874 private_ike_sa_t *this, bool local)
875 {
876 if (local)
877 {
878 return array_create_enumerator(this->my_vips);
879 }
880 return array_create_enumerator(this->other_vips);
881 }
882
883 METHOD(ike_sa_t, add_peer_address, void,
884 private_ike_sa_t *this, host_t *host)
885 {
886 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
887 }
888
889 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
890 private_ike_sa_t *this)
891 {
892 if (this->peer_addresses)
893 {
894 return array_create_enumerator(this->peer_addresses);
895 }
896 /* in case we don't have MOBIKE */
897 return enumerator_create_single(this->other_host, NULL);
898 }
899
900 METHOD(ike_sa_t, clear_peer_addresses, void,
901 private_ike_sa_t *this)
902 {
903 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
904 this->peer_addresses = NULL;
905 }
906
907 METHOD(ike_sa_t, has_mapping_changed, bool,
908 private_ike_sa_t *this, chunk_t hash)
909 {
910 if (this->nat_detection_dest.ptr == NULL)
911 {
912 this->nat_detection_dest = chunk_clone(hash);
913 return FALSE;
914 }
915 if (chunk_equals(hash, this->nat_detection_dest))
916 {
917 return FALSE;
918 }
919 free(this->nat_detection_dest.ptr);
920 this->nat_detection_dest = chunk_clone(hash);
921 return TRUE;
922 }
923
924 METHOD(ike_sa_t, set_pending_updates, void,
925 private_ike_sa_t *this, u_int32_t updates)
926 {
927 this->pending_updates = updates;
928 }
929
930 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
931 private_ike_sa_t *this)
932 {
933 return this->pending_updates;
934 }
935
936 METHOD(ike_sa_t, float_ports, void,
937 private_ike_sa_t *this)
938 {
939 /* do not switch if we have a custom port from MOBIKE/NAT */
940 if (this->my_host->get_port(this->my_host) ==
941 charon->socket->get_port(charon->socket, FALSE))
942 {
943 this->my_host->set_port(this->my_host,
944 charon->socket->get_port(charon->socket, TRUE));
945 }
946 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
947 {
948 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
949 }
950 }
951
952 METHOD(ike_sa_t, update_hosts, void,
953 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
954 {
955 bool update = FALSE;
956
957 if (me == NULL)
958 {
959 me = this->my_host;
960 }
961 if (other == NULL)
962 {
963 other = this->other_host;
964 }
965
966 /* apply hosts on first received message */
967 if (this->my_host->is_anyaddr(this->my_host) ||
968 this->other_host->is_anyaddr(this->other_host))
969 {
970 set_my_host(this, me->clone(me));
971 set_other_host(this, other->clone(other));
972 update = TRUE;
973 }
974 else
975 {
976 /* update our address in any case */
977 if (force && !me->equals(me, this->my_host))
978 {
979 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
980 set_my_host(this, me->clone(me));
981 update = TRUE;
982 }
983
984 if (!other->equals(other, this->other_host) &&
985 (force || has_condition(this, COND_NAT_THERE)))
986 {
987 /* only update other's address if we are behind a static NAT,
988 * which we assume is the case if we are not initiator */
989 if (force ||
990 (!has_condition(this, COND_NAT_HERE) ||
991 !has_condition(this, COND_ORIGINAL_INITIATOR)))
992 {
993 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
994 set_other_host(this, other->clone(other));
995 update = TRUE;
996 }
997 }
998 }
999
1000 /* update all associated CHILD_SAs, if required */
1001 if (update)
1002 {
1003 enumerator_t *enumerator;
1004 child_sa_t *child_sa;
1005 linked_list_t *vips;
1006
1007 vips = linked_list_create_from_enumerator(
1008 array_create_enumerator(this->my_vips));
1009
1010 enumerator = array_create_enumerator(this->child_sas);
1011 while (enumerator->enumerate(enumerator, &child_sa))
1012 {
1013 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1014 charon->child_sa_manager->add(charon->child_sa_manager,
1015 child_sa, &this->public);
1016
1017 if (child_sa->update(child_sa, this->my_host, this->other_host,
1018 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1019 {
1020 this->public.rekey_child_sa(&this->public,
1021 child_sa->get_protocol(child_sa),
1022 child_sa->get_spi(child_sa, TRUE));
1023 }
1024
1025 }
1026 enumerator->destroy(enumerator);
1027
1028 vips->destroy(vips);
1029 }
1030 }
1031
1032 /**
1033 * Set configured DSCP value on packet
1034 */
1035 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1036 {
1037 ike_cfg_t *ike_cfg;
1038
1039 /* prefer IKE config on peer_cfg, as its selection is more accurate
1040 * then the initial IKE config */
1041 if (this->peer_cfg)
1042 {
1043 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1044 }
1045 else
1046 {
1047 ike_cfg = this->ike_cfg;
1048 }
1049 if (ike_cfg)
1050 {
1051 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1052 }
1053 }
1054
1055 METHOD(ike_sa_t, generate_message, status_t,
1056 private_ike_sa_t *this, message_t *message, packet_t **packet)
1057 {
1058 status_t status;
1059
1060 if (message->is_encoded(message))
1061 { /* already encoded in task, but set DSCP value */
1062 *packet = message->get_packet(message);
1063 set_dscp(this, *packet);
1064 return SUCCESS;
1065 }
1066 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1067 message->set_ike_sa_id(message, this->ike_sa_id);
1068 charon->bus->message(charon->bus, message, FALSE, TRUE);
1069 status = message->generate(message, this->keymat, packet);
1070 if (status == SUCCESS)
1071 {
1072 set_dscp(this, *packet);
1073 charon->bus->message(charon->bus, message, FALSE, FALSE);
1074 }
1075 return status;
1076 }
1077
1078 static bool filter_fragments(private_ike_sa_t *this, packet_t **fragment,
1079 packet_t **packet)
1080 {
1081 *packet = (*fragment)->clone(*fragment);
1082 set_dscp(this, *packet);
1083 return TRUE;
1084 }
1085
1086 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1087 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1088 {
1089 enumerator_t *fragments;
1090 packet_t *packet;
1091 status_t status;
1092 bool use_frags = FALSE;
1093
1094 if (this->ike_cfg)
1095 {
1096 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1097 {
1098 case FRAGMENTATION_FORCE:
1099 use_frags = TRUE;
1100 break;
1101 case FRAGMENTATION_YES:
1102 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1103 if (use_frags && this->version == IKEV1 &&
1104 supports_extension(this, EXT_MS_WINDOWS))
1105 {
1106 /* It seems Windows 7 and 8 peers only accept proprietary
1107 * fragmented messages if they expect certificates. */
1108 use_frags = message->get_payload(message,
1109 PLV1_CERTIFICATE) != NULL;
1110 }
1111 break;
1112 default:
1113 break;
1114 }
1115 }
1116 if (!use_frags)
1117 {
1118 status = generate_message(this, message, &packet);
1119 if (status != SUCCESS)
1120 {
1121 return status;
1122 }
1123 *packets = enumerator_create_single(packet, NULL);
1124 return SUCCESS;
1125 }
1126
1127 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1128 message->set_ike_sa_id(message, this->ike_sa_id);
1129 charon->bus->message(charon->bus, message, FALSE, TRUE);
1130 status = message->fragment(message, this->keymat, this->fragment_size,
1131 &fragments);
1132 if (status == SUCCESS)
1133 {
1134 charon->bus->message(charon->bus, message, FALSE, FALSE);
1135 *packets = enumerator_create_filter(fragments, (void*)filter_fragments,
1136 this, NULL);
1137 }
1138 return status;
1139 }
1140
1141 METHOD(ike_sa_t, set_kmaddress, void,
1142 private_ike_sa_t *this, host_t *local, host_t *remote)
1143 {
1144 DESTROY_IF(this->local_host);
1145 DESTROY_IF(this->remote_host);
1146 this->local_host = local->clone(local);
1147 this->remote_host = remote->clone(remote);
1148 }
1149
1150 #ifdef ME
1151 METHOD(ike_sa_t, act_as_mediation_server, void,
1152 private_ike_sa_t *this)
1153 {
1154 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1155 this->other_id, this->ike_sa_id);
1156 this->is_mediation_server = TRUE;
1157 }
1158
1159 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1160 private_ike_sa_t *this)
1161 {
1162 return this->server_reflexive_host;
1163 }
1164
1165 METHOD(ike_sa_t, set_server_reflexive_host, void,
1166 private_ike_sa_t *this, host_t *host)
1167 {
1168 DESTROY_IF(this->server_reflexive_host);
1169 this->server_reflexive_host = host;
1170 }
1171
1172 METHOD(ike_sa_t, get_connect_id, chunk_t,
1173 private_ike_sa_t *this)
1174 {
1175 return this->connect_id;
1176 }
1177
1178 METHOD(ike_sa_t, respond, status_t,
1179 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1180 {
1181 ike_me_t *task = ike_me_create(&this->public, TRUE);
1182 task->respond(task, peer_id, connect_id);
1183 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1184 return this->task_manager->initiate(this->task_manager);
1185 }
1186
1187 METHOD(ike_sa_t, callback, status_t,
1188 private_ike_sa_t *this, identification_t *peer_id)
1189 {
1190 ike_me_t *task = ike_me_create(&this->public, TRUE);
1191 task->callback(task, peer_id);
1192 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1193 return this->task_manager->initiate(this->task_manager);
1194 }
1195
1196 METHOD(ike_sa_t, relay, status_t,
1197 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1198 chunk_t connect_key, linked_list_t *endpoints, bool response)
1199 {
1200 ike_me_t *task = ike_me_create(&this->public, TRUE);
1201 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1202 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1203 return this->task_manager->initiate(this->task_manager);
1204 }
1205
1206 METHOD(ike_sa_t, initiate_mediation, status_t,
1207 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1208 {
1209 ike_me_t *task = ike_me_create(&this->public, TRUE);
1210 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1211 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1212 return this->task_manager->initiate(this->task_manager);
1213 }
1214
1215 METHOD(ike_sa_t, initiate_mediated, status_t,
1216 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1217 {
1218 set_my_host(this, me->clone(me));
1219 set_other_host(this, other->clone(other));
1220 chunk_free(&this->connect_id);
1221 this->connect_id = chunk_clone(connect_id);
1222 return this->task_manager->initiate(this->task_manager);
1223 }
1224 #endif /* ME */
1225
1226 /**
1227 * Resolve DNS host in configuration
1228 */
1229 static void resolve_hosts(private_ike_sa_t *this)
1230 {
1231 host_t *host;
1232 int family = AF_UNSPEC;
1233
1234 switch (charon->socket->supported_families(charon->socket))
1235 {
1236 case SOCKET_FAMILY_IPV4:
1237 family = AF_INET;
1238 break;
1239 case SOCKET_FAMILY_IPV6:
1240 family = AF_INET6;
1241 break;
1242 case SOCKET_FAMILY_BOTH:
1243 case SOCKET_FAMILY_NONE:
1244 break;
1245 }
1246
1247 /* if an IP address is set locally, use the same family to resolve remote */
1248 if (family == AF_UNSPEC && !this->remote_host)
1249 {
1250 if (this->local_host)
1251 {
1252 family = this->local_host->get_family(this->local_host);
1253 }
1254 else
1255 {
1256 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1257 }
1258 }
1259
1260 if (this->remote_host)
1261 {
1262 host = this->remote_host->clone(this->remote_host);
1263 host->set_port(host, IKEV2_UDP_PORT);
1264 }
1265 else
1266 {
1267 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1268 }
1269 if (host)
1270 {
1271 if (!host->is_anyaddr(host) ||
1272 this->other_host->is_anyaddr(this->other_host))
1273 { /* don't set to %any if we currently have an address, but the
1274 * address family might have changed */
1275 set_other_host(this, host);
1276 }
1277 else
1278 { /* reuse the original port as some implementations might not like
1279 * initial IKE messages on other ports */
1280 this->other_host->set_port(this->other_host, host->get_port(host));
1281 host->destroy(host);
1282 }
1283 }
1284
1285 if (this->local_host)
1286 {
1287 host = this->local_host->clone(this->local_host);
1288 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1289 }
1290 else
1291 {
1292 /* use same address family as for other */
1293 if (!this->other_host->is_anyaddr(this->other_host))
1294 {
1295 family = this->other_host->get_family(this->other_host);
1296 }
1297 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1298
1299 if (host && host->is_anyaddr(host) &&
1300 !this->other_host->is_anyaddr(this->other_host))
1301 {
1302 host->destroy(host);
1303 host = charon->kernel->get_source_addr(charon->kernel,
1304 this->other_host, NULL);
1305 if (host)
1306 {
1307 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1308 }
1309 else
1310 { /* fallback to address family specific %any(6), if configured */
1311 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1312 }
1313 }
1314 }
1315 if (host)
1316 {
1317 set_my_host(this, host);
1318 }
1319 }
1320
1321 METHOD(ike_sa_t, initiate, status_t,
1322 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1323 traffic_selector_t *tsi, traffic_selector_t *tsr)
1324 {
1325 bool defer_initiate = FALSE;
1326
1327 if (this->state == IKE_CREATED)
1328 {
1329 if (this->my_host->is_anyaddr(this->my_host) ||
1330 this->other_host->is_anyaddr(this->other_host))
1331 {
1332 resolve_hosts(this);
1333 }
1334
1335 if (this->other_host->is_anyaddr(this->other_host)
1336 #ifdef ME
1337 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1338 #endif /* ME */
1339 )
1340 {
1341 char *addr;
1342
1343 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1344 if (!this->retry_initiate_interval)
1345 {
1346 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1347 addr);
1348 DESTROY_IF(child_cfg);
1349 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1350 return DESTROY_ME;
1351 }
1352 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1353 addr, this->retry_initiate_interval);
1354 defer_initiate = TRUE;
1355 }
1356
1357 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1358 this->task_manager->queue_ike(this->task_manager);
1359 }
1360
1361 #ifdef ME
1362 if (this->peer_cfg->is_mediation(this->peer_cfg))
1363 {
1364 if (this->state == IKE_ESTABLISHED)
1365 {
1366 /* mediation connection is already established, retrigger state
1367 * change to notify bus listeners */
1368 DBG1(DBG_IKE, "mediation connection is already up");
1369 set_state(this, IKE_ESTABLISHED);
1370 }
1371 DESTROY_IF(child_cfg);
1372 }
1373 else
1374 #endif /* ME */
1375 if (child_cfg)
1376 {
1377 /* normal IKE_SA with CHILD_SA */
1378 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1379 tsi, tsr);
1380 #ifdef ME
1381 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1382 {
1383 /* mediated connection, initiate mediation process */
1384 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1385 lib->processor->queue_job(lib->processor, job);
1386 return SUCCESS;
1387 }
1388 #endif /* ME */
1389 }
1390
1391 if (defer_initiate)
1392 {
1393 if (!this->retry_initiate_queued)
1394 {
1395 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1396 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1397 this->retry_initiate_interval);
1398 this->retry_initiate_queued = TRUE;
1399 }
1400 return SUCCESS;
1401 }
1402 this->retry_initiate_queued = FALSE;
1403 return this->task_manager->initiate(this->task_manager);
1404 }
1405
1406 METHOD(ike_sa_t, retry_initiate, status_t,
1407 private_ike_sa_t *this)
1408 {
1409 if (this->retry_initiate_queued)
1410 {
1411 this->retry_initiate_queued = FALSE;
1412 return initiate(this, NULL, 0, NULL, NULL);
1413 }
1414 return SUCCESS;
1415 }
1416
1417 METHOD(ike_sa_t, process_message, status_t,
1418 private_ike_sa_t *this, message_t *message)
1419 {
1420 status_t status;
1421
1422 if (this->state == IKE_PASSIVE)
1423 { /* do not handle messages in passive state */
1424 return FAILED;
1425 }
1426 if (message->get_major_version(message) != this->version)
1427 {
1428 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1429 exchange_type_names, message->get_exchange_type(message),
1430 message->get_major_version(message),
1431 ike_version_names, this->version);
1432 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1433 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1434 return FAILED;
1435 }
1436 status = this->task_manager->process_message(this->task_manager, message);
1437 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1438 {
1439 /* authentication completed */
1440 this->flush_auth_cfg = FALSE;
1441 flush_auth_cfgs(this);
1442 }
1443 return status;
1444 }
1445
1446 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1447 private_ike_sa_t *this)
1448 {
1449 return this->ike_sa_id;
1450 }
1451
1452 METHOD(ike_sa_t, get_version, ike_version_t,
1453 private_ike_sa_t *this)
1454 {
1455 return this->version;
1456 }
1457
1458 METHOD(ike_sa_t, get_my_id, identification_t*,
1459 private_ike_sa_t *this)
1460 {
1461 return this->my_id;
1462 }
1463
1464 METHOD(ike_sa_t, set_my_id, void,
1465 private_ike_sa_t *this, identification_t *me)
1466 {
1467 DESTROY_IF(this->my_id);
1468 this->my_id = me;
1469 }
1470
1471 METHOD(ike_sa_t, get_other_id, identification_t*,
1472 private_ike_sa_t *this)
1473 {
1474 return this->other_id;
1475 }
1476
1477 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1478 private_ike_sa_t *this)
1479 {
1480 identification_t *id = NULL, *current;
1481 enumerator_t *enumerator;
1482 auth_cfg_t *cfg;
1483
1484 enumerator = array_create_enumerator(this->other_auths);
1485 while (enumerator->enumerate(enumerator, &cfg))
1486 {
1487 /* prefer EAP-Identity of last round */
1488 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1489 if (!current || current->get_type(current) == ID_ANY)
1490 {
1491 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1492 }
1493 if (!current || current->get_type(current) == ID_ANY)
1494 {
1495 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1496 }
1497 if (current && current->get_type(current) != ID_ANY)
1498 {
1499 id = current;
1500 continue;
1501 }
1502 }
1503 enumerator->destroy(enumerator);
1504 if (id)
1505 {
1506 return id;
1507 }
1508 return this->other_id;
1509 }
1510
1511 METHOD(ike_sa_t, set_other_id, void,
1512 private_ike_sa_t *this, identification_t *other)
1513 {
1514 DESTROY_IF(this->other_id);
1515 this->other_id = other;
1516 }
1517
1518 METHOD(ike_sa_t, add_child_sa, void,
1519 private_ike_sa_t *this, child_sa_t *child_sa)
1520 {
1521 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1522 charon->child_sa_manager->add(charon->child_sa_manager,
1523 child_sa, &this->public);
1524 }
1525
1526 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1527 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1528 {
1529 enumerator_t *enumerator;
1530 child_sa_t *current, *found = NULL;
1531
1532 enumerator = array_create_enumerator(this->child_sas);
1533 while (enumerator->enumerate(enumerator, (void**)&current))
1534 {
1535 if (current->get_spi(current, inbound) == spi &&
1536 current->get_protocol(current) == protocol)
1537 {
1538 found = current;
1539 }
1540 }
1541 enumerator->destroy(enumerator);
1542 return found;
1543 }
1544
1545 METHOD(ike_sa_t, get_child_count, int,
1546 private_ike_sa_t *this)
1547 {
1548 return array_count(this->child_sas);
1549 }
1550
1551 /**
1552 * Private data of a create_child_sa_enumerator()
1553 */
1554 typedef struct {
1555 /** implements enumerator */
1556 enumerator_t public;
1557 /** inner array enumerator */
1558 enumerator_t *inner;
1559 /** current item */
1560 child_sa_t *current;
1561 } child_enumerator_t;
1562
1563 METHOD(enumerator_t, child_enumerate, bool,
1564 child_enumerator_t *this, child_sa_t **child_sa)
1565 {
1566 if (this->inner->enumerate(this->inner, &this->current))
1567 {
1568 *child_sa = this->current;
1569 return TRUE;
1570 }
1571 return FALSE;
1572 }
1573
1574 METHOD(enumerator_t, child_enumerator_destroy, void,
1575 child_enumerator_t *this)
1576 {
1577 this->inner->destroy(this->inner);
1578 free(this);
1579 }
1580
1581 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1582 private_ike_sa_t *this)
1583 {
1584 child_enumerator_t *enumerator;
1585
1586 INIT(enumerator,
1587 .public = {
1588 .enumerate = (void*)_child_enumerate,
1589 .destroy = _child_enumerator_destroy,
1590 },
1591 .inner = array_create_enumerator(this->child_sas),
1592 );
1593 return &enumerator->public;
1594 }
1595
1596 METHOD(ike_sa_t, remove_child_sa, void,
1597 private_ike_sa_t *this, enumerator_t *enumerator)
1598 {
1599 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1600
1601 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1602 array_remove_at(this->child_sas, ce->inner);
1603 }
1604
1605 METHOD(ike_sa_t, rekey_child_sa, status_t,
1606 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1607 {
1608 if (this->state == IKE_PASSIVE)
1609 {
1610 return INVALID_STATE;
1611 }
1612 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1613 return this->task_manager->initiate(this->task_manager);
1614 }
1615
1616 METHOD(ike_sa_t, delete_child_sa, status_t,
1617 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1618 {
1619 if (this->state == IKE_PASSIVE)
1620 {
1621 return INVALID_STATE;
1622 }
1623 this->task_manager->queue_child_delete(this->task_manager,
1624 protocol, spi, expired);
1625 return this->task_manager->initiate(this->task_manager);
1626 }
1627
1628 METHOD(ike_sa_t, destroy_child_sa, status_t,
1629 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1630 {
1631 enumerator_t *enumerator;
1632 child_sa_t *child_sa;
1633 status_t status = NOT_FOUND;
1634
1635 enumerator = create_child_sa_enumerator(this);
1636 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1637 {
1638 if (child_sa->get_protocol(child_sa) == protocol &&
1639 child_sa->get_spi(child_sa, TRUE) == spi)
1640 {
1641 remove_child_sa(this, enumerator);
1642 child_sa->destroy(child_sa);
1643 status = SUCCESS;
1644 break;
1645 }
1646 }
1647 enumerator->destroy(enumerator);
1648 return status;
1649 }
1650
1651 METHOD(ike_sa_t, delete_, status_t,
1652 private_ike_sa_t *this)
1653 {
1654 switch (this->state)
1655 {
1656 case IKE_REKEYING:
1657 if (this->version == IKEV1)
1658 { /* SA has been reauthenticated, delete */
1659 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1660 break;
1661 }
1662 /* FALL */
1663 case IKE_ESTABLISHED:
1664 if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
1665 { /* IKE_SA hard lifetime hit */
1666 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1667 }
1668 this->task_manager->queue_ike_delete(this->task_manager);
1669 return this->task_manager->initiate(this->task_manager);
1670 case IKE_CREATED:
1671 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1672 break;
1673 case IKE_PASSIVE:
1674 break;
1675 default:
1676 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1677 "without notification", ike_sa_state_names, this->state);
1678 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1679 break;
1680 }
1681 return DESTROY_ME;
1682 }
1683
1684 METHOD(ike_sa_t, rekey, status_t,
1685 private_ike_sa_t *this)
1686 {
1687 if (this->state == IKE_PASSIVE)
1688 {
1689 return INVALID_STATE;
1690 }
1691 this->task_manager->queue_ike_rekey(this->task_manager);
1692 return this->task_manager->initiate(this->task_manager);
1693 }
1694
1695 METHOD(ike_sa_t, reauth, status_t,
1696 private_ike_sa_t *this)
1697 {
1698 if (this->state == IKE_PASSIVE)
1699 {
1700 return INVALID_STATE;
1701 }
1702 if (this->state == IKE_CONNECTING)
1703 {
1704 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1705 get_name(this), this->unique_id);
1706 reset(this);
1707 this->task_manager->queue_ike(this->task_manager);
1708 return this->task_manager->initiate(this->task_manager);
1709 }
1710 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1711 * If the peer does not support RFC4478, there is no way to keep the
1712 * IKE_SA up. */
1713 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1714 {
1715 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1716 if (array_count(this->other_vips) != 0 ||
1717 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1718 has_condition(this, COND_EAP_AUTHENTICATED)
1719 #ifdef ME
1720 /* as mediation server we too cannot reauth the IKE_SA */
1721 || this->is_mediation_server
1722 #endif /* ME */
1723 )
1724 {
1725 time_t del, now;
1726
1727 del = this->stats[STAT_DELETE];
1728 now = time_monotonic(NULL);
1729 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1730 get_name(this), this->unique_id, &now, &del);
1731 return FAILED;
1732 }
1733 else
1734 {
1735 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1736 get_name(this), this->unique_id);
1737 }
1738 }
1739 else
1740 {
1741 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1742 get_name(this), this->unique_id);
1743 }
1744 set_condition(this, COND_REAUTHENTICATING, TRUE);
1745 this->task_manager->queue_ike_reauth(this->task_manager);
1746 return this->task_manager->initiate(this->task_manager);
1747 }
1748
1749 /**
1750 * Check if tasks to create CHILD_SAs are queued in the given queue
1751 */
1752 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1753 {
1754 enumerator_t *enumerator;
1755 task_t *task;
1756 bool found = FALSE;
1757
1758 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1759 queue);
1760 while (enumerator->enumerate(enumerator, &task))
1761 {
1762 if (task->get_type(task) == TASK_CHILD_CREATE ||
1763 task->get_type(task) == TASK_QUICK_MODE)
1764 {
1765 found = TRUE;
1766 break;
1767 }
1768 }
1769 enumerator->destroy(enumerator);
1770 return found;
1771 }
1772
1773 /**
1774 * Reestablish CHILD_SAs and migrate queued tasks.
1775 *
1776 * If force is true all SAs are restarted, otherwise their close/dpd_action
1777 * is followed.
1778 */
1779 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
1780 bool force)
1781 {
1782 enumerator_t *enumerator;
1783 child_sa_t *child_sa;
1784 child_cfg_t *child_cfg;
1785 action_t action;
1786 status_t status = FAILED;
1787
1788 /* handle existing CHILD_SAs */
1789 enumerator = create_child_sa_enumerator(this);
1790 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1791 {
1792 if (force)
1793 {
1794 switch (child_sa->get_state(child_sa))
1795 {
1796 case CHILD_ROUTED:
1797 { /* move routed child directly */
1798 remove_child_sa(this, enumerator);
1799 new->add_child_sa(new, child_sa);
1800 action = ACTION_NONE;
1801 break;
1802 }
1803 default:
1804 { /* initiate/queue all other CHILD_SAs */
1805 action = ACTION_RESTART;
1806 break;
1807 }
1808 }
1809 }
1810 else
1811 { /* only restart CHILD_SAs that are configured accordingly */
1812 if (this->state == IKE_DELETING)
1813 {
1814 action = child_sa->get_close_action(child_sa);
1815 }
1816 else
1817 {
1818 action = child_sa->get_dpd_action(child_sa);
1819 }
1820 }
1821 switch (action)
1822 {
1823 case ACTION_RESTART:
1824 child_cfg = child_sa->get_config(child_sa);
1825 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1826 child_cfg->get_name(child_cfg));
1827 child_cfg->get_ref(child_cfg);
1828 status = new->initiate(new, child_cfg,
1829 child_sa->get_reqid(child_sa), NULL, NULL);
1830 break;
1831 default:
1832 continue;
1833 }
1834 if (status == DESTROY_ME)
1835 {
1836 break;
1837 }
1838 }
1839 enumerator->destroy(enumerator);
1840 /* adopt any active or queued CHILD-creating tasks */
1841 if (status != DESTROY_ME)
1842 {
1843 task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
1844 other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
1845 if (new->get_state(new) == IKE_CREATED)
1846 {
1847 status = new->initiate(new, NULL, 0, NULL, NULL);
1848 }
1849 }
1850 return status;
1851 }
1852
1853 METHOD(ike_sa_t, reestablish, status_t,
1854 private_ike_sa_t *this)
1855 {
1856 ike_sa_t *new;
1857 host_t *host;
1858 action_t action;
1859 enumerator_t *enumerator;
1860 child_sa_t *child_sa;
1861 bool restart = FALSE;
1862 status_t status = FAILED;
1863
1864 if (has_condition(this, COND_REAUTHENTICATING))
1865 { /* only reauthenticate if we have children */
1866 if (array_count(this->child_sas) == 0
1867 #ifdef ME
1868 /* allow reauth of mediation connections without CHILD_SAs */
1869 && !this->peer_cfg->is_mediation(this->peer_cfg)
1870 #endif /* ME */
1871 )
1872 {
1873 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1874 "to recreate");
1875 }
1876 else
1877 {
1878 restart = TRUE;
1879 }
1880 }
1881 else
1882 { /* check if we have children to keep up at all */
1883 enumerator = array_create_enumerator(this->child_sas);
1884 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1885 {
1886 if (this->state == IKE_DELETING)
1887 {
1888 action = child_sa->get_close_action(child_sa);
1889 }
1890 else
1891 {
1892 action = child_sa->get_dpd_action(child_sa);
1893 }
1894 switch (action)
1895 {
1896 case ACTION_RESTART:
1897 restart = TRUE;
1898 break;
1899 case ACTION_ROUTE:
1900 charon->traps->install(charon->traps, this->peer_cfg,
1901 child_sa->get_config(child_sa),
1902 child_sa->get_reqid(child_sa));
1903 break;
1904 default:
1905 break;
1906 }
1907 }
1908 enumerator->destroy(enumerator);
1909 /* check if we have tasks that recreate children */
1910 if (!restart)
1911 {
1912 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
1913 is_child_queued(this, TASK_QUEUE_QUEUED);
1914 }
1915 #ifdef ME
1916 /* mediation connections have no children, keep them up anyway */
1917 if (this->peer_cfg->is_mediation(this->peer_cfg))
1918 {
1919 restart = TRUE;
1920 }
1921 #endif /* ME */
1922 }
1923 if (!restart)
1924 {
1925 return FAILED;
1926 }
1927
1928 /* check if we are able to reestablish this IKE_SA */
1929 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1930 (array_count(this->other_vips) != 0 ||
1931 has_condition(this, COND_EAP_AUTHENTICATED)
1932 #ifdef ME
1933 || this->is_mediation_server
1934 #endif /* ME */
1935 ))
1936 {
1937 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1938 return FAILED;
1939 }
1940
1941 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1942 this->version, TRUE);
1943 if (!new)
1944 {
1945 return FAILED;
1946 }
1947 new->set_peer_cfg(new, this->peer_cfg);
1948 host = this->other_host;
1949 new->set_other_host(new, host->clone(host));
1950 host = this->my_host;
1951 new->set_my_host(new, host->clone(host));
1952 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
1953 /* resolve hosts but use the old addresses above as fallback */
1954 resolve_hosts((private_ike_sa_t*)new);
1955 /* if we already have a virtual IP, we reuse it */
1956 enumerator = array_create_enumerator(this->my_vips);
1957 while (enumerator->enumerate(enumerator, &host))
1958 {
1959 new->add_virtual_ip(new, TRUE, host);
1960 }
1961 enumerator->destroy(enumerator);
1962
1963 #ifdef ME
1964 if (this->peer_cfg->is_mediation(this->peer_cfg))
1965 {
1966 status = new->initiate(new, NULL, 0, NULL, NULL);
1967 }
1968 else
1969 #endif /* ME */
1970 {
1971 status = reestablish_children(this, new,
1972 has_condition(this, COND_REAUTHENTICATING));
1973 }
1974
1975 if (status == DESTROY_ME)
1976 {
1977 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1978 FALSE);
1979 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1980 status = FAILED;
1981 }
1982 else
1983 {
1984 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1985 TRUE);
1986 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1987 status = SUCCESS;
1988 }
1989 charon->bus->set_sa(charon->bus, &this->public);
1990 return status;
1991 }
1992
1993 /**
1994 * Resolve the given gateway ID
1995 */
1996 static host_t *resolve_gateway_id(identification_t *gateway)
1997 {
1998 char gw[BUF_LEN];
1999 host_t *addr;
2000
2001 snprintf(gw, sizeof(gw), "%Y", gateway);
2002 gw[sizeof(gw)-1] = '\0';
2003 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2004 if (!addr)
2005 {
2006 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2007 gateway);
2008 }
2009 return addr;
2010 }
2011
2012 /**
2013 * Redirect the current SA to the given target host
2014 */
2015 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2016 {
2017 private_ike_sa_t *new_priv;
2018 ike_sa_t *new;
2019 host_t *other;
2020
2021 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2022 this->version, TRUE);
2023 if (!new)
2024 {
2025 return FALSE;
2026 }
2027 new_priv = (private_ike_sa_t*)new;
2028 new->set_peer_cfg(new, this->peer_cfg);
2029 new_priv->redirected_from = this->other_host->clone(this->other_host);
2030 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2031 other = resolve_gateway_id(to);
2032 if (other)
2033 {
2034 set_my_host(new_priv, this->my_host->clone(this->my_host));
2035 /* this allows us to force the remote address while we still properly
2036 * resolve the local address */
2037 new_priv->remote_host = other;
2038 resolve_hosts(new_priv);
2039 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2040 {
2041 #ifdef USE_IKEV2
2042 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2043 this->ike_sa_id));
2044 #endif
2045 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2046 TRUE);
2047 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2048 charon->bus->set_sa(charon->bus, &this->public);
2049 return TRUE;
2050 }
2051 }
2052 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2053 FALSE);
2054 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2055 charon->bus->set_sa(charon->bus, &this->public);
2056 return FALSE;
2057 }
2058
2059 /**
2060 * Redirect the current connecting SA to the given target host
2061 */
2062 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2063 {
2064 host_t *other;
2065
2066 other = resolve_gateway_id(to);
2067 if (!other)
2068 {
2069 return FALSE;
2070 }
2071 reset(this);
2072 DESTROY_IF(this->redirected_from);
2073 this->redirected_from = this->other_host->clone(this->other_host);
2074 DESTROY_IF(this->remote_host);
2075 /* this allows us to force the remote address while we still properly
2076 * resolve the local address */
2077 this->remote_host = other;
2078 resolve_hosts(this);
2079 return TRUE;
2080 }
2081
2082 METHOD(ike_sa_t, handle_redirect, bool,
2083 private_ike_sa_t *this, identification_t *gateway)
2084 {
2085 DBG1(DBG_IKE, "redirected to %Y", gateway);
2086 if (!this->follow_redirects)
2087 {
2088 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2089 return FALSE;
2090 }
2091
2092 switch (this->state)
2093 {
2094 case IKE_CONNECTING:
2095 return redirect_connecting(this, gateway);
2096 case IKE_ESTABLISHED:
2097 return redirect_established(this, gateway);
2098 default:
2099 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2100 ike_sa_state_names, this->state);
2101 return FALSE;
2102 }
2103 }
2104
2105 METHOD(ike_sa_t, redirect, status_t,
2106 private_ike_sa_t *this, identification_t *gateway)
2107 {
2108 switch (this->state)
2109 {
2110 case IKE_CONNECTING:
2111 case IKE_ESTABLISHED:
2112 case IKE_REKEYING:
2113 if (has_condition(this, COND_REDIRECTED))
2114 { /* IKE_SA already got redirected */
2115 return SUCCESS;
2116 }
2117 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2118 {
2119 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2120 return FAILED;
2121 }
2122 if (this->version == IKEV1)
2123 {
2124 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2125 return FAILED;
2126 }
2127 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2128 {
2129 DBG1(DBG_IKE, "client does not support IKE redirection");
2130 return FAILED;
2131 }
2132 #ifdef USE_IKEV2
2133 this->task_manager->queue_task(this->task_manager,
2134 (task_t*)ike_redirect_create(&this->public, gateway));
2135 #endif
2136 return this->task_manager->initiate(this->task_manager);
2137 default:
2138 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2139 ike_sa_state_names, this->state);
2140 return INVALID_STATE;
2141 }
2142 }
2143
2144 METHOD(ike_sa_t, retransmit, status_t,
2145 private_ike_sa_t *this, u_int32_t message_id)
2146 {
2147 if (this->state == IKE_PASSIVE)
2148 {
2149 return INVALID_STATE;
2150 }
2151 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2152 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2153 {
2154 /* send a proper signal to brief interested bus listeners */
2155 switch (this->state)
2156 {
2157 case IKE_CONNECTING:
2158 {
2159 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2160 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2161 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2162 this->keyingtry);
2163 this->keyingtry++;
2164 if (tries == 0 || tries > this->keyingtry)
2165 {
2166 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2167 this->keyingtry + 1, tries);
2168 reset(this);
2169 resolve_hosts(this);
2170 this->task_manager->queue_ike(this->task_manager);
2171 return this->task_manager->initiate(this->task_manager);
2172 }
2173 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2174 break;
2175 }
2176 case IKE_DELETING:
2177 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2178 if (has_condition(this, COND_REAUTHENTICATING))
2179 {
2180 DBG1(DBG_IKE, "delete during reauthentication failed, "
2181 "trying to reestablish IKE_SA anyway");
2182 reestablish(this);
2183 }
2184 break;
2185 case IKE_REKEYING:
2186 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2187 /* FALL */
2188 default:
2189 reestablish(this);
2190 break;
2191 }
2192 if (this->state != IKE_CONNECTING)
2193 {
2194 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2195 }
2196 return DESTROY_ME;
2197 }
2198 return SUCCESS;
2199 }
2200
2201 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2202 private_ike_sa_t *this, u_int32_t lifetime)
2203 {
2204 u_int32_t diff, hard, soft, now;
2205 bool send_update;
2206
2207 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2208 now = time_monotonic(NULL);
2209 hard = now + lifetime;
2210 soft = hard - diff;
2211
2212 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2213 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2214 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2215 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2216 (array_count(this->other_vips) != 0 ||
2217 has_condition(this, COND_EAP_AUTHENTICATED));
2218
2219 if (lifetime < diff)
2220 {
2221 this->stats[STAT_REAUTH] = now;
2222
2223 if (!send_update)
2224 {
2225 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2226 "starting reauthentication", lifetime);
2227 lib->processor->queue_job(lib->processor,
2228 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2229 }
2230 }
2231 else if (this->stats[STAT_REAUTH] == 0 ||
2232 this->stats[STAT_REAUTH] > soft)
2233 {
2234 this->stats[STAT_REAUTH] = soft;
2235 if (!send_update)
2236 {
2237 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2238 "reauthentication in %ds", lifetime, lifetime - diff);
2239 lib->scheduler->schedule_job(lib->scheduler,
2240 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2241 lifetime - diff);
2242 }
2243 }
2244 else
2245 {
2246 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2247 "reauthentication already scheduled in %ds", lifetime,
2248 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2249 send_update = FALSE;
2250 }
2251 /* give at least some seconds to reauthenticate */
2252 this->stats[STAT_DELETE] = max(hard, now + 10);
2253
2254 #ifdef USE_IKEV2
2255 if (send_update)
2256 {
2257 ike_auth_lifetime_t *task;
2258
2259 task = ike_auth_lifetime_create(&this->public, TRUE);
2260 this->task_manager->queue_task(this->task_manager, &task->task);
2261 return this->task_manager->initiate(this->task_manager);
2262 }
2263 #endif
2264 return SUCCESS;
2265 }
2266
2267 /**
2268 * Check if the current combination of source and destination address is still
2269 * valid.
2270 */
2271 static bool is_current_path_valid(private_ike_sa_t *this)
2272 {
2273 bool valid = FALSE;
2274 host_t *src;
2275 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2276 this->my_host);
2277 if (src)
2278 {
2279 if (src->ip_equals(src, this->my_host))
2280 {
2281 valid = TRUE;
2282 }
2283 src->destroy(src);
2284 }
2285 return valid;
2286 }
2287
2288 /**
2289 * Check if we have any path avialable for this IKE SA.
2290 */
2291 static bool is_any_path_valid(private_ike_sa_t *this)
2292 {
2293 bool valid = FALSE;
2294 enumerator_t *enumerator;
2295 host_t *src = NULL, *addr;
2296 int family = AF_UNSPEC;
2297
2298 switch (charon->socket->supported_families(charon->socket))
2299 {
2300 case SOCKET_FAMILY_IPV4:
2301 family = AF_INET;
2302 break;
2303 case SOCKET_FAMILY_IPV6:
2304 family = AF_INET6;
2305 break;
2306 case SOCKET_FAMILY_BOTH:
2307 case SOCKET_FAMILY_NONE:
2308 break;
2309 }
2310
2311 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2312 enumerator = create_peer_address_enumerator(this);
2313 while (enumerator->enumerate(enumerator, &addr))
2314 {
2315 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2316 {
2317 continue;
2318 }
2319 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2320 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2321 if (src)
2322 {
2323 break;
2324 }
2325 }
2326 enumerator->destroy(enumerator);
2327 if (src)
2328 {
2329 valid = TRUE;
2330 src->destroy(src);
2331 }
2332 return valid;
2333 }
2334
2335 METHOD(ike_sa_t, roam, status_t,
2336 private_ike_sa_t *this, bool address)
2337 {
2338 switch (this->state)
2339 {
2340 case IKE_CREATED:
2341 case IKE_DELETING:
2342 case IKE_DESTROYING:
2343 case IKE_PASSIVE:
2344 return SUCCESS;
2345 default:
2346 break;
2347 }
2348
2349 /* keep existing path if possible */
2350 if (is_current_path_valid(this))
2351 {
2352 DBG2(DBG_IKE, "keeping connection path %H - %H",
2353 this->my_host, this->other_host);
2354 set_condition(this, COND_STALE, FALSE);
2355
2356 if (supports_extension(this, EXT_MOBIKE) && address)
2357 { /* if any addresses changed, send an updated list */
2358 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2359 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2360 return this->task_manager->initiate(this->task_manager);
2361 }
2362 return SUCCESS;
2363 }
2364
2365 if (!is_any_path_valid(this))
2366 {
2367 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2368 this->other_host);
2369 set_condition(this, COND_STALE, TRUE);
2370 return SUCCESS;
2371 }
2372 set_condition(this, COND_STALE, FALSE);
2373
2374 /* update addresses with mobike, if supported ... */
2375 if (supports_extension(this, EXT_MOBIKE))
2376 {
2377 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2378 { /* responder updates the peer about changed address config */
2379 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2380 "implicitly requesting an address change");
2381 address = TRUE;
2382 }
2383 else
2384 {
2385 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2386 }
2387 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2388 return this->task_manager->initiate(this->task_manager);
2389 }
2390
2391 /* ... reauth if not */
2392 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2393 { /* responder does not reauthenticate */
2394 set_condition(this, COND_STALE, TRUE);
2395 return SUCCESS;
2396 }
2397 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2398 /* since our previous path is not valid anymore, try and find a new one */
2399 resolve_hosts(this);
2400 return reauth(this);
2401 }
2402
2403 METHOD(ike_sa_t, add_configuration_attribute, void,
2404 private_ike_sa_t *this, attribute_handler_t *handler,
2405 configuration_attribute_type_t type, chunk_t data)
2406 {
2407 attribute_entry_t entry = {
2408 .handler = handler,
2409 .type = type,
2410 .data = chunk_clone(data),
2411 };
2412 array_insert(this->attributes, ARRAY_TAIL, &entry);
2413 }
2414
2415 /**
2416 * Enumerator filter for attributes
2417 */
2418 static bool filter_attribute(void *null, attribute_entry_t **in,
2419 configuration_attribute_type_t *type, void *in2,
2420 chunk_t *data, void *in3, bool *handled)
2421 {
2422 *type = (*in)->type;
2423 *data = (*in)->data;
2424 *handled = (*in)->handler != NULL;
2425 return TRUE;
2426 }
2427
2428 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2429 private_ike_sa_t *this)
2430 {
2431 return enumerator_create_filter(array_create_enumerator(this->attributes),
2432 (void*)filter_attribute, NULL, NULL);
2433 }
2434
2435 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2436 private_ike_sa_t *this, task_queue_t queue)
2437 {
2438 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2439 }
2440
2441 METHOD(ike_sa_t, flush_queue, void,
2442 private_ike_sa_t *this, task_queue_t queue)
2443 {
2444 this->task_manager->flush_queue(this->task_manager, queue);
2445 }
2446
2447 METHOD(ike_sa_t, queue_task, void,
2448 private_ike_sa_t *this, task_t *task)
2449 {
2450 this->task_manager->queue_task(this->task_manager, task);
2451 }
2452
2453 METHOD(ike_sa_t, inherit_pre, void,
2454 private_ike_sa_t *this, ike_sa_t *other_public)
2455 {
2456 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2457
2458 /* apply config and hosts */
2459 set_peer_cfg(this, other->peer_cfg);
2460 set_my_host(this, other->my_host->clone(other->my_host));
2461 set_other_host(this, other->other_host->clone(other->other_host));
2462
2463 /* apply extensions and conditions with a few exceptions */
2464 this->extensions = other->extensions;
2465 this->conditions = other->conditions;
2466 this->conditions &= ~COND_STALE;
2467 this->conditions &= ~COND_REAUTHENTICATING;
2468 }
2469
2470 METHOD(ike_sa_t, inherit_post, void,
2471 private_ike_sa_t *this, ike_sa_t *other_public)
2472 {
2473 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2474 child_sa_t *child_sa;
2475 enumerator_t *enumerator;
2476 attribute_entry_t entry;
2477 auth_cfg_t *cfg;
2478 host_t *vip;
2479
2480 /* apply hosts and ids */
2481 this->my_host->destroy(this->my_host);
2482 this->other_host->destroy(this->other_host);
2483 this->my_id->destroy(this->my_id);
2484 this->other_id->destroy(this->other_id);
2485 this->my_host = other->my_host->clone(other->my_host);
2486 this->other_host = other->other_host->clone(other->other_host);
2487 this->my_id = other->my_id->clone(other->my_id);
2488 this->other_id = other->other_id->clone(other->other_id);
2489
2490 /* apply assigned virtual IPs... */
2491 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2492 {
2493 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2494 }
2495 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2496 {
2497 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2498 }
2499
2500 /* MOBIKE additional addresses */
2501 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2502 {
2503 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2504 }
2505
2506 /* authentication information */
2507 enumerator = array_create_enumerator(other->my_auths);
2508 while (enumerator->enumerate(enumerator, &cfg))
2509 {
2510 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2511 }
2512 enumerator->destroy(enumerator);
2513 enumerator = array_create_enumerator(other->other_auths);
2514 while (enumerator->enumerate(enumerator, &cfg))
2515 {
2516 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2517 }
2518 enumerator->destroy(enumerator);
2519
2520 /* ... and configuration attributes */
2521 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2522 {
2523 array_insert(this->attributes, ARRAY_TAIL, &entry);
2524 }
2525
2526 /* inherit all conditions */
2527 this->conditions = other->conditions;
2528 if (this->conditions & COND_NAT_HERE)
2529 {
2530 send_keepalive(this, FALSE);
2531 }
2532
2533 #ifdef ME
2534 if (other->is_mediation_server)
2535 {
2536 act_as_mediation_server(this);
2537 }
2538 else if (other->server_reflexive_host)
2539 {
2540 this->server_reflexive_host = other->server_reflexive_host->clone(
2541 other->server_reflexive_host);
2542 }
2543 #endif /* ME */
2544
2545 /* adopt all children */
2546 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2547 {
2548 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2549 add_child_sa(this, child_sa);
2550 }
2551
2552 /* move pending tasks to the new IKE_SA */
2553 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2554
2555 /* reauthentication timeout survives a rekeying */
2556 if (other->stats[STAT_REAUTH])
2557 {
2558 time_t reauth, delete, now = time_monotonic(NULL);
2559
2560 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2561 reauth = this->stats[STAT_REAUTH] - now;
2562 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2563 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2564 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2565 "lifetime reduced to %ds", reauth, delete);
2566 lib->scheduler->schedule_job(lib->scheduler,
2567 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2568 lib->scheduler->schedule_job(lib->scheduler,
2569 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2570 }
2571 }
2572
2573 METHOD(ike_sa_t, destroy, void,
2574 private_ike_sa_t *this)
2575 {
2576 attribute_entry_t entry;
2577 child_sa_t *child_sa;
2578 host_t *vip;
2579
2580 charon->bus->set_sa(charon->bus, &this->public);
2581
2582 set_state(this, IKE_DESTROYING);
2583 if (this->task_manager)
2584 {
2585 this->task_manager->flush(this->task_manager);
2586 }
2587
2588 /* remove attributes first, as we pass the IKE_SA to the handler */
2589 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2590 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2591 {
2592 if (entry.handler)
2593 {
2594 charon->attributes->release(charon->attributes, entry.handler,
2595 &this->public, entry.type, entry.data);
2596 }
2597 free(entry.data.ptr);
2598 }
2599 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2600 * routes that the CHILD_SA tries to uninstall. */
2601 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2602 {
2603 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2604 child_sa->destroy(child_sa);
2605 }
2606 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2607 {
2608 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2609 vip->destroy(vip);
2610 }
2611 if (array_count(this->other_vips))
2612 {
2613 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2614 }
2615 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2616 {
2617 if (this->peer_cfg)
2618 {
2619 linked_list_t *pools;
2620
2621 pools = linked_list_create_from_enumerator(
2622 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2623 charon->attributes->release_address(charon->attributes,
2624 pools, vip, &this->public);
2625 pools->destroy(pools);
2626 }
2627 vip->destroy(vip);
2628 }
2629
2630 /* unset SA after here to avoid usage by the listeners */
2631 charon->bus->set_sa(charon->bus, NULL);
2632
2633 array_destroy(this->child_sas);
2634 DESTROY_IF(this->task_manager);
2635 DESTROY_IF(this->keymat);
2636 array_destroy(this->attributes);
2637 array_destroy(this->my_vips);
2638 array_destroy(this->other_vips);
2639 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2640 #ifdef ME
2641 if (this->is_mediation_server)
2642 {
2643 charon->mediation_manager->remove(charon->mediation_manager,
2644 this->ike_sa_id);
2645 }
2646 DESTROY_IF(this->server_reflexive_host);
2647 chunk_free(&this->connect_id);
2648 #endif /* ME */
2649 free(this->nat_detection_dest.ptr);
2650
2651 DESTROY_IF(this->my_host);
2652 DESTROY_IF(this->other_host);
2653 DESTROY_IF(this->my_id);
2654 DESTROY_IF(this->other_id);
2655 DESTROY_IF(this->local_host);
2656 DESTROY_IF(this->remote_host);
2657 DESTROY_IF(this->redirected_from);
2658
2659 DESTROY_IF(this->ike_cfg);
2660 DESTROY_IF(this->peer_cfg);
2661 DESTROY_IF(this->proposal);
2662 this->my_auth->destroy(this->my_auth);
2663 this->other_auth->destroy(this->other_auth);
2664 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
2665 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
2666
2667 this->ike_sa_id->destroy(this->ike_sa_id);
2668 free(this);
2669 }
2670
2671 /*
2672 * Described in header.
2673 */
2674 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2675 ike_version_t version)
2676 {
2677 private_ike_sa_t *this;
2678 static refcount_t unique_id = 0;
2679
2680 if (version == IKE_ANY)
2681 { /* prefer IKEv2 if protocol not specified */
2682 #ifdef USE_IKEV2
2683 version = IKEV2;
2684 #else
2685 version = IKEV1;
2686 #endif
2687 }
2688
2689 INIT(this,
2690 .public = {
2691 .get_version = _get_version,
2692 .get_state = _get_state,
2693 .set_state = _set_state,
2694 .get_name = _get_name,
2695 .get_statistic = _get_statistic,
2696 .set_statistic = _set_statistic,
2697 .process_message = _process_message,
2698 .initiate = _initiate,
2699 .retry_initiate = _retry_initiate,
2700 .get_ike_cfg = _get_ike_cfg,
2701 .set_ike_cfg = _set_ike_cfg,
2702 .get_peer_cfg = _get_peer_cfg,
2703 .set_peer_cfg = _set_peer_cfg,
2704 .get_auth_cfg = _get_auth_cfg,
2705 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2706 .add_auth_cfg = _add_auth_cfg,
2707 .get_proposal = _get_proposal,
2708 .set_proposal = _set_proposal,
2709 .get_id = _get_id,
2710 .get_my_host = _get_my_host,
2711 .set_my_host = _set_my_host,
2712 .get_other_host = _get_other_host,
2713 .set_other_host = _set_other_host,
2714 .set_message_id = _set_message_id,
2715 .float_ports = _float_ports,
2716 .update_hosts = _update_hosts,
2717 .get_my_id = _get_my_id,
2718 .set_my_id = _set_my_id,
2719 .get_other_id = _get_other_id,
2720 .set_other_id = _set_other_id,
2721 .get_other_eap_id = _get_other_eap_id,
2722 .enable_extension = _enable_extension,
2723 .supports_extension = _supports_extension,
2724 .set_condition = _set_condition,
2725 .has_condition = _has_condition,
2726 .set_pending_updates = _set_pending_updates,
2727 .get_pending_updates = _get_pending_updates,
2728 .create_peer_address_enumerator = _create_peer_address_enumerator,
2729 .add_peer_address = _add_peer_address,
2730 .clear_peer_addresses = _clear_peer_addresses,
2731 .has_mapping_changed = _has_mapping_changed,
2732 .retransmit = _retransmit,
2733 .delete = _delete_,
2734 .destroy = _destroy,
2735 .send_dpd = _send_dpd,
2736 .send_keepalive = _send_keepalive,
2737 .redirect = _redirect,
2738 .handle_redirect = _handle_redirect,
2739 .get_redirected_from = _get_redirected_from,
2740 .get_keymat = _get_keymat,
2741 .add_child_sa = _add_child_sa,
2742 .get_child_sa = _get_child_sa,
2743 .get_child_count = _get_child_count,
2744 .create_child_sa_enumerator = _create_child_sa_enumerator,
2745 .remove_child_sa = _remove_child_sa,
2746 .rekey_child_sa = _rekey_child_sa,
2747 .delete_child_sa = _delete_child_sa,
2748 .destroy_child_sa = _destroy_child_sa,
2749 .rekey = _rekey,
2750 .reauth = _reauth,
2751 .reestablish = _reestablish,
2752 .set_auth_lifetime = _set_auth_lifetime,
2753 .roam = _roam,
2754 .inherit_pre = _inherit_pre,
2755 .inherit_post = _inherit_post,
2756 .generate_message = _generate_message,
2757 .generate_message_fragmented = _generate_message_fragmented,
2758 .reset = _reset,
2759 .get_unique_id = _get_unique_id,
2760 .add_virtual_ip = _add_virtual_ip,
2761 .clear_virtual_ips = _clear_virtual_ips,
2762 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
2763 .add_configuration_attribute = _add_configuration_attribute,
2764 .create_attribute_enumerator = _create_attribute_enumerator,
2765 .set_kmaddress = _set_kmaddress,
2766 .create_task_enumerator = _create_task_enumerator,
2767 .flush_queue = _flush_queue,
2768 .queue_task = _queue_task,
2769 #ifdef ME
2770 .act_as_mediation_server = _act_as_mediation_server,
2771 .get_server_reflexive_host = _get_server_reflexive_host,
2772 .set_server_reflexive_host = _set_server_reflexive_host,
2773 .get_connect_id = _get_connect_id,
2774 .initiate_mediation = _initiate_mediation,
2775 .initiate_mediated = _initiate_mediated,
2776 .relay = _relay,
2777 .callback = _callback,
2778 .respond = _respond,
2779 #endif /* ME */
2780 },
2781 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2782 .version = version,
2783 .my_host = host_create_any(AF_INET),
2784 .other_host = host_create_any(AF_INET),
2785 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2786 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2787 .keymat = keymat_create(version, initiator),
2788 .state = IKE_CREATED,
2789 .stats[STAT_INBOUND] = time_monotonic(NULL),
2790 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2791 .my_auth = auth_cfg_create(),
2792 .other_auth = auth_cfg_create(),
2793 .my_auths = array_create(0, 0),
2794 .other_auths = array_create(0, 0),
2795 .attributes = array_create(sizeof(attribute_entry_t), 0),
2796 .unique_id = ref_get(&unique_id),
2797 .keepalive_interval = lib->settings->get_time(lib->settings,
2798 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
2799 .retry_initiate_interval = lib->settings->get_time(lib->settings,
2800 "%s.retry_initiate_interval", 0, lib->ns),
2801 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2802 "%s.flush_auth_cfg", FALSE, lib->ns),
2803 .fragment_size = lib->settings->get_int(lib->settings,
2804 "%s.fragment_size", 0, lib->ns),
2805 .follow_redirects = lib->settings->get_bool(lib->settings,
2806 "%s.follow_redirects", TRUE, lib->ns),
2807 );
2808
2809 if (version == IKEV2)
2810 { /* always supported with IKEv2 */
2811 enable_extension(this, EXT_DPD);
2812 }
2813
2814 this->task_manager = task_manager_create(&this->public);
2815 this->my_host->set_port(this->my_host,
2816 charon->socket->get_port(charon->socket, FALSE));
2817
2818 if (!this->task_manager || !this->keymat)
2819 {
2820 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2821 destroy(this);
2822 return NULL;
2823 }
2824 return &this->public;
2825 }