afd6fdf2aa9c06bf74de47640337e032967e60a1
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2015 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <hydra.h>
50 #include <daemon.h>
51 #include <collections/array.h>
52 #include <utils/lexparser.h>
53 #include <processing/jobs/retransmit_job.h>
54 #include <processing/jobs/delete_ike_sa_job.h>
55 #include <processing/jobs/send_dpd_job.h>
56 #include <processing/jobs/send_keepalive_job.h>
57 #include <processing/jobs/rekey_ike_sa_job.h>
58 #include <processing/jobs/retry_initiate_job.h>
59 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
60
61 #ifdef ME
62 #include <sa/ikev2/tasks/ike_me.h>
63 #include <processing/jobs/initiate_mediation_job.h>
64 #endif
65
66 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
67 "CREATED",
68 "CONNECTING",
69 "ESTABLISHED",
70 "PASSIVE",
71 "REKEYING",
72 "DELETING",
73 "DESTROYING",
74 );
75
76 typedef struct private_ike_sa_t private_ike_sa_t;
77 typedef struct attribute_entry_t attribute_entry_t;
78
79 /**
80 * Private data of an ike_sa_t object.
81 */
82 struct private_ike_sa_t {
83
84 /**
85 * Public members
86 */
87 ike_sa_t public;
88
89 /**
90 * Identifier for the current IKE_SA.
91 */
92 ike_sa_id_t *ike_sa_id;
93
94 /**
95 * IKE version of this SA.
96 */
97 ike_version_t version;
98
99 /**
100 * unique numerical ID for this IKE_SA.
101 */
102 u_int32_t unique_id;
103
104 /**
105 * Current state of the IKE_SA
106 */
107 ike_sa_state_t state;
108
109 /**
110 * IKE configuration used to set up this IKE_SA
111 */
112 ike_cfg_t *ike_cfg;
113
114 /**
115 * Peer and authentication information to establish IKE_SA.
116 */
117 peer_cfg_t *peer_cfg;
118
119 /**
120 * currently used authentication ruleset, local
121 */
122 auth_cfg_t *my_auth;
123
124 /**
125 * currently used authentication constraints, remote
126 */
127 auth_cfg_t *other_auth;
128
129 /**
130 * Array of completed local authentication rounds (as auth_cfg_t)
131 */
132 array_t *my_auths;
133
134 /**
135 * Array of completed remote authentication rounds (as auth_cfg_t)
136 */
137 array_t *other_auths;
138
139 /**
140 * Selected IKE proposal
141 */
142 proposal_t *proposal;
143
144 /**
145 * Juggles tasks to process messages
146 */
147 task_manager_t *task_manager;
148
149 /**
150 * Address of local host
151 */
152 host_t *my_host;
153
154 /**
155 * Address of remote host
156 */
157 host_t *other_host;
158
159 #ifdef ME
160 /**
161 * Are we mediation server
162 */
163 bool is_mediation_server;
164
165 /**
166 * Server reflexive host
167 */
168 host_t *server_reflexive_host;
169
170 /**
171 * Connect ID
172 */
173 chunk_t connect_id;
174 #endif /* ME */
175
176 /**
177 * Identification used for us
178 */
179 identification_t *my_id;
180
181 /**
182 * Identification used for other
183 */
184 identification_t *other_id;
185
186 /**
187 * set of extensions the peer supports
188 */
189 ike_extension_t extensions;
190
191 /**
192 * set of condition flags currently enabled for this IKE_SA
193 */
194 ike_condition_t conditions;
195
196 /**
197 * Array containing the child sa's of the current IKE_SA.
198 */
199 array_t *child_sas;
200
201 /**
202 * keymat of this IKE_SA
203 */
204 keymat_t *keymat;
205
206 /**
207 * Virtual IPs on local host
208 */
209 array_t *my_vips;
210
211 /**
212 * Virtual IPs on remote host
213 */
214 array_t *other_vips;
215
216 /**
217 * List of configuration attributes (attribute_entry_t)
218 */
219 array_t *attributes;
220
221 /**
222 * list of peer's addresses, additional ones transmitted via MOBIKE
223 */
224 array_t *peer_addresses;
225
226 /**
227 * previously value of received DESTINATION_IP hash
228 */
229 chunk_t nat_detection_dest;
230
231 /**
232 * number pending UPDATE_SA_ADDRESS (MOBIKE)
233 */
234 u_int32_t pending_updates;
235
236 /**
237 * NAT keep alive interval
238 */
239 u_int32_t keepalive_interval;
240
241 /**
242 * The schedueld keep alive job, if any
243 */
244 send_keepalive_job_t *keepalive_job;
245
246 /**
247 * interval for retries during initiation (e.g. if DNS resolution failed),
248 * 0 to disable (default)
249 */
250 u_int32_t retry_initiate_interval;
251
252 /**
253 * TRUE if a retry_initiate_job has been queued
254 */
255 bool retry_initiate_queued;
256
257 /**
258 * Timestamps for this IKE_SA
259 */
260 u_int32_t stats[STAT_MAX];
261
262 /**
263 * how many times we have retried so far (keyingtries)
264 */
265 u_int32_t keyingtry;
266
267 /**
268 * local host address to be used for IKE, set via MIGRATE kernel message
269 */
270 host_t *local_host;
271
272 /**
273 * remote host address to be used for IKE, set via MIGRATE kernel message
274 */
275 host_t *remote_host;
276
277 /**
278 * Flush auth configs once established?
279 */
280 bool flush_auth_cfg;
281
282 /**
283 * Maximum length of a single fragment, 0 for address-specific defaults
284 */
285 size_t fragment_size;
286 };
287
288 /**
289 * Entry to maintain install configuration attributes during IKE_SA lifetime
290 */
291 struct attribute_entry_t {
292 /** handler used to install this attribute */
293 attribute_handler_t *handler;
294 /** attribute type */
295 configuration_attribute_type_t type;
296 /** attribute data */
297 chunk_t data;
298 };
299
300 /**
301 * get the time of the latest traffic processed by the kernel
302 */
303 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
304 {
305 enumerator_t *enumerator;
306 child_sa_t *child_sa;
307 time_t use_time, current;
308
309 if (inbound)
310 {
311 use_time = this->stats[STAT_INBOUND];
312 }
313 else
314 {
315 use_time = this->stats[STAT_OUTBOUND];
316 }
317
318 enumerator = array_create_enumerator(this->child_sas);
319 while (enumerator->enumerate(enumerator, &child_sa))
320 {
321 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
322 use_time = max(use_time, current);
323 }
324 enumerator->destroy(enumerator);
325
326 return use_time;
327 }
328
329 METHOD(ike_sa_t, get_unique_id, u_int32_t,
330 private_ike_sa_t *this)
331 {
332 return this->unique_id;
333 }
334
335 METHOD(ike_sa_t, get_name, char*,
336 private_ike_sa_t *this)
337 {
338 if (this->peer_cfg)
339 {
340 return this->peer_cfg->get_name(this->peer_cfg);
341 }
342 return "(unnamed)";
343 }
344
345 METHOD(ike_sa_t, get_statistic, u_int32_t,
346 private_ike_sa_t *this, statistic_t kind)
347 {
348 if (kind < STAT_MAX)
349 {
350 return this->stats[kind];
351 }
352 return 0;
353 }
354
355 METHOD(ike_sa_t, set_statistic, void,
356 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
357 {
358 if (kind < STAT_MAX)
359 {
360 this->stats[kind] = value;
361 }
362 }
363
364 METHOD(ike_sa_t, get_my_host, host_t*,
365 private_ike_sa_t *this)
366 {
367 return this->my_host;
368 }
369
370 METHOD(ike_sa_t, set_my_host, void,
371 private_ike_sa_t *this, host_t *me)
372 {
373 DESTROY_IF(this->my_host);
374 this->my_host = me;
375 }
376
377 METHOD(ike_sa_t, get_other_host, host_t*,
378 private_ike_sa_t *this)
379 {
380 return this->other_host;
381 }
382
383 METHOD(ike_sa_t, set_other_host, void,
384 private_ike_sa_t *this, host_t *other)
385 {
386 DESTROY_IF(this->other_host);
387 this->other_host = other;
388 }
389
390 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
391 private_ike_sa_t *this)
392 {
393 return this->peer_cfg;
394 }
395
396 METHOD(ike_sa_t, set_peer_cfg, void,
397 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
398 {
399 peer_cfg->get_ref(peer_cfg);
400 DESTROY_IF(this->peer_cfg);
401 this->peer_cfg = peer_cfg;
402
403 if (this->ike_cfg == NULL)
404 {
405 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
406 this->ike_cfg->get_ref(this->ike_cfg);
407 }
408 }
409
410 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
411 private_ike_sa_t *this, bool local)
412 {
413 if (local)
414 {
415 return this->my_auth;
416 }
417 return this->other_auth;
418 }
419
420 METHOD(ike_sa_t, add_auth_cfg, void,
421 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
422 {
423 if (local)
424 {
425 array_insert(this->my_auths, ARRAY_TAIL, cfg);
426 }
427 else
428 {
429 array_insert(this->other_auths, ARRAY_TAIL, cfg);
430 }
431 }
432
433 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
434 private_ike_sa_t *this, bool local)
435 {
436 if (local)
437 {
438 return array_create_enumerator(this->my_auths);
439 }
440 return array_create_enumerator(this->other_auths);
441 }
442
443 /**
444 * Flush the stored authentication round information
445 */
446 static void flush_auth_cfgs(private_ike_sa_t *this)
447 {
448 auth_cfg_t *cfg;
449
450 this->my_auth->purge(this->my_auth, FALSE);
451 this->other_auth->purge(this->other_auth, FALSE);
452
453 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
454 {
455 cfg->destroy(cfg);
456 }
457 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
458 {
459 cfg->destroy(cfg);
460 }
461 }
462
463 METHOD(ike_sa_t, get_proposal, proposal_t*,
464 private_ike_sa_t *this)
465 {
466 return this->proposal;
467 }
468
469 METHOD(ike_sa_t, set_proposal, void,
470 private_ike_sa_t *this, proposal_t *proposal)
471 {
472 DESTROY_IF(this->proposal);
473 this->proposal = proposal->clone(proposal);
474 }
475
476 METHOD(ike_sa_t, set_message_id, void,
477 private_ike_sa_t *this, bool initiate, u_int32_t mid)
478 {
479 if (initiate)
480 {
481 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
482 }
483 else
484 {
485 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
486 }
487 }
488
489 METHOD(ike_sa_t, send_keepalive, void,
490 private_ike_sa_t *this, bool scheduled)
491 {
492 time_t last_out, now, diff;
493
494 if (scheduled)
495 {
496 this->keepalive_job = NULL;
497 }
498 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
499 { /* keepalives disabled either by configuration or for passive IKE_SAs */
500 return;
501 }
502 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
503 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
504 return;
505 }
506
507 last_out = get_use_time(this, FALSE);
508 now = time_monotonic(NULL);
509
510 diff = now - last_out;
511
512 if (diff >= this->keepalive_interval)
513 {
514 packet_t *packet;
515 chunk_t data;
516
517 packet = packet_create();
518 packet->set_source(packet, this->my_host->clone(this->my_host));
519 packet->set_destination(packet, this->other_host->clone(this->other_host));
520 data.ptr = malloc(1);
521 data.ptr[0] = 0xFF;
522 data.len = 1;
523 packet->set_data(packet, data);
524 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
525 charon->sender->send_no_marker(charon->sender, packet);
526 diff = 0;
527 }
528 if (!this->keepalive_job)
529 {
530 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
531 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
532 this->keepalive_interval - diff);
533 }
534 }
535
536 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
537 private_ike_sa_t *this)
538 {
539 return this->ike_cfg;
540 }
541
542 METHOD(ike_sa_t, set_ike_cfg, void,
543 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
544 {
545 ike_cfg->get_ref(ike_cfg);
546 this->ike_cfg = ike_cfg;
547 }
548
549 METHOD(ike_sa_t, enable_extension, void,
550 private_ike_sa_t *this, ike_extension_t extension)
551 {
552 this->extensions |= extension;
553 }
554
555 METHOD(ike_sa_t, supports_extension, bool,
556 private_ike_sa_t *this, ike_extension_t extension)
557 {
558 return (this->extensions & extension) != FALSE;
559 }
560
561 METHOD(ike_sa_t, has_condition, bool,
562 private_ike_sa_t *this, ike_condition_t condition)
563 {
564 return (this->conditions & condition) != FALSE;
565 }
566
567 METHOD(ike_sa_t, set_condition, void,
568 private_ike_sa_t *this, ike_condition_t condition, bool enable)
569 {
570 if (has_condition(this, condition) != enable)
571 {
572 if (enable)
573 {
574 this->conditions |= condition;
575 switch (condition)
576 {
577 case COND_NAT_HERE:
578 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
579 this->conditions |= COND_NAT_ANY;
580 send_keepalive(this, FALSE);
581 break;
582 case COND_NAT_THERE:
583 DBG1(DBG_IKE, "remote host is behind NAT");
584 this->conditions |= COND_NAT_ANY;
585 break;
586 case COND_NAT_FAKE:
587 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
588 this->conditions |= COND_NAT_ANY;
589 break;
590 default:
591 break;
592 }
593 }
594 else
595 {
596 this->conditions &= ~condition;
597 switch (condition)
598 {
599 case COND_NAT_HERE:
600 case COND_NAT_FAKE:
601 case COND_NAT_THERE:
602 set_condition(this, COND_NAT_ANY,
603 has_condition(this, COND_NAT_HERE) ||
604 has_condition(this, COND_NAT_THERE) ||
605 has_condition(this, COND_NAT_FAKE));
606 break;
607 case COND_STALE:
608 send_keepalive(this, FALSE);
609 break;
610 default:
611 break;
612 }
613 }
614 }
615 }
616
617 METHOD(ike_sa_t, send_dpd, status_t,
618 private_ike_sa_t *this)
619 {
620 job_t *job;
621 time_t diff, delay;
622 bool task_queued = FALSE;
623
624 if (this->state == IKE_PASSIVE)
625 {
626 return INVALID_STATE;
627 }
628 delay = this->peer_cfg->get_dpd(this->peer_cfg);
629 if (this->task_manager->busy(this->task_manager))
630 {
631 /* an exchange is in the air, no need to start a DPD check */
632 diff = 0;
633 }
634 else
635 {
636 /* check if there was any inbound traffic */
637 time_t last_in, now;
638 last_in = get_use_time(this, TRUE);
639 now = time_monotonic(NULL);
640 diff = now - last_in;
641 if (!delay || diff >= delay)
642 {
643 /* too long ago, initiate dead peer detection */
644 DBG1(DBG_IKE, "sending DPD request");
645 this->task_manager->queue_dpd(this->task_manager);
646 task_queued = TRUE;
647 diff = 0;
648 }
649 }
650 /* recheck in "interval" seconds */
651 if (delay)
652 {
653 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
654 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
655 }
656 if (task_queued)
657 {
658 return this->task_manager->initiate(this->task_manager);
659 }
660 return SUCCESS;
661 }
662
663 METHOD(ike_sa_t, get_state, ike_sa_state_t,
664 private_ike_sa_t *this)
665 {
666 return this->state;
667 }
668
669 METHOD(ike_sa_t, set_state, void,
670 private_ike_sa_t *this, ike_sa_state_t state)
671 {
672 bool trigger_dpd = FALSE, keepalives = FALSE;
673
674 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
675 get_name(this), this->unique_id,
676 ike_sa_state_names, this->state,
677 ike_sa_state_names, state);
678
679 switch (state)
680 {
681 case IKE_ESTABLISHED:
682 {
683 if (this->state == IKE_CONNECTING ||
684 this->state == IKE_PASSIVE)
685 {
686 job_t *job;
687 u_int32_t t;
688
689 /* calculate rekey, reauth and lifetime */
690 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
691
692 /* schedule rekeying if we have a time which is smaller than
693 * an already scheduled rekeying */
694 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
695 if (t && (this->stats[STAT_REKEY] == 0 ||
696 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
697 {
698 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
699 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
700 lib->scheduler->schedule_job(lib->scheduler, job, t);
701 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
702 }
703 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
704 if (t && (this->stats[STAT_REAUTH] == 0 ||
705 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
706 {
707 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
708 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
709 lib->scheduler->schedule_job(lib->scheduler, job, t);
710 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
711 }
712 t = this->peer_cfg->get_over_time(this->peer_cfg);
713 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
714 {
715 if (this->stats[STAT_REAUTH] == 0)
716 {
717 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
718 }
719 else if (this->stats[STAT_REKEY] == 0)
720 {
721 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
722 }
723 else
724 {
725 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
726 this->stats[STAT_REAUTH]);
727 }
728 this->stats[STAT_DELETE] += t;
729 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
730 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
731 lib->scheduler->schedule_job(lib->scheduler, job, t);
732 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
733 }
734 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
735 if (trigger_dpd)
736 {
737 /* Some peers delay the DELETE after rekeying an IKE_SA.
738 * If this delay is longer than our DPD delay, we would
739 * send a DPD request here. The IKE_SA is not ready to do
740 * so yet, so prevent that. */
741 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
742 }
743 if (this->state == IKE_PASSIVE)
744 {
745 keepalives = TRUE;
746 }
747 }
748 break;
749 }
750 default:
751 break;
752 }
753 charon->bus->ike_state_change(charon->bus, &this->public, state);
754 this->state = state;
755
756 if (trigger_dpd)
757 {
758 if (supports_extension(this, EXT_DPD))
759 {
760 send_dpd(this);
761 }
762 else
763 {
764 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
765 }
766 }
767 if (keepalives)
768 {
769 send_keepalive(this, FALSE);
770 }
771 }
772
773 METHOD(ike_sa_t, reset, void,
774 private_ike_sa_t *this)
775 {
776 /* the responder ID is reset, as peer may choose another one */
777 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
778 {
779 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
780 }
781
782 set_state(this, IKE_CREATED);
783
784 flush_auth_cfgs(this);
785
786 this->keymat->destroy(this->keymat);
787 this->keymat = keymat_create(this->version,
788 this->ike_sa_id->is_initiator(this->ike_sa_id));
789
790 this->task_manager->reset(this->task_manager, 0, 0);
791 }
792
793 METHOD(ike_sa_t, get_keymat, keymat_t*,
794 private_ike_sa_t *this)
795 {
796 return this->keymat;
797 }
798
799 METHOD(ike_sa_t, add_virtual_ip, void,
800 private_ike_sa_t *this, bool local, host_t *ip)
801 {
802 if (local)
803 {
804 char *iface;
805
806 if (hydra->kernel_interface->get_interface(hydra->kernel_interface,
807 this->my_host, &iface))
808 {
809 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
810 if (hydra->kernel_interface->add_ip(hydra->kernel_interface,
811 ip, -1, iface) == SUCCESS)
812 {
813 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
814 }
815 else
816 {
817 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
818 }
819 free(iface);
820 }
821 else
822 {
823 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
824 }
825 }
826 else
827 {
828 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
829 }
830 }
831
832
833 METHOD(ike_sa_t, clear_virtual_ips, void,
834 private_ike_sa_t *this, bool local)
835 {
836 array_t *vips;
837 host_t *vip;
838
839 vips = local ? this->my_vips : this->other_vips;
840 if (!local && array_count(vips))
841 {
842 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
843 }
844 while (array_remove(vips, ARRAY_HEAD, &vip))
845 {
846 if (local)
847 {
848 hydra->kernel_interface->del_ip(hydra->kernel_interface,
849 vip, -1, TRUE);
850 }
851 vip->destroy(vip);
852 }
853 }
854
855 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
856 private_ike_sa_t *this, bool local)
857 {
858 if (local)
859 {
860 return array_create_enumerator(this->my_vips);
861 }
862 return array_create_enumerator(this->other_vips);
863 }
864
865 METHOD(ike_sa_t, add_peer_address, void,
866 private_ike_sa_t *this, host_t *host)
867 {
868 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
869 }
870
871 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
872 private_ike_sa_t *this)
873 {
874 if (this->peer_addresses)
875 {
876 return array_create_enumerator(this->peer_addresses);
877 }
878 /* in case we don't have MOBIKE */
879 return enumerator_create_single(this->other_host, NULL);
880 }
881
882 METHOD(ike_sa_t, clear_peer_addresses, void,
883 private_ike_sa_t *this)
884 {
885 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
886 this->peer_addresses = NULL;
887 }
888
889 METHOD(ike_sa_t, has_mapping_changed, bool,
890 private_ike_sa_t *this, chunk_t hash)
891 {
892 if (this->nat_detection_dest.ptr == NULL)
893 {
894 this->nat_detection_dest = chunk_clone(hash);
895 return FALSE;
896 }
897 if (chunk_equals(hash, this->nat_detection_dest))
898 {
899 return FALSE;
900 }
901 free(this->nat_detection_dest.ptr);
902 this->nat_detection_dest = chunk_clone(hash);
903 return TRUE;
904 }
905
906 METHOD(ike_sa_t, set_pending_updates, void,
907 private_ike_sa_t *this, u_int32_t updates)
908 {
909 this->pending_updates = updates;
910 }
911
912 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
913 private_ike_sa_t *this)
914 {
915 return this->pending_updates;
916 }
917
918 METHOD(ike_sa_t, float_ports, void,
919 private_ike_sa_t *this)
920 {
921 /* do not switch if we have a custom port from MOBIKE/NAT */
922 if (this->my_host->get_port(this->my_host) ==
923 charon->socket->get_port(charon->socket, FALSE))
924 {
925 this->my_host->set_port(this->my_host,
926 charon->socket->get_port(charon->socket, TRUE));
927 }
928 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
929 {
930 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
931 }
932 }
933
934 METHOD(ike_sa_t, update_hosts, void,
935 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
936 {
937 bool update = FALSE;
938
939 if (me == NULL)
940 {
941 me = this->my_host;
942 }
943 if (other == NULL)
944 {
945 other = this->other_host;
946 }
947
948 /* apply hosts on first received message */
949 if (this->my_host->is_anyaddr(this->my_host) ||
950 this->other_host->is_anyaddr(this->other_host))
951 {
952 set_my_host(this, me->clone(me));
953 set_other_host(this, other->clone(other));
954 update = TRUE;
955 }
956 else
957 {
958 /* update our address in any case */
959 if (force && !me->equals(me, this->my_host))
960 {
961 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
962 set_my_host(this, me->clone(me));
963 update = TRUE;
964 }
965
966 if (!other->equals(other, this->other_host) &&
967 (force || has_condition(this, COND_NAT_THERE)))
968 {
969 /* only update other's address if we are behind a static NAT,
970 * which we assume is the case if we are not initiator */
971 if (force ||
972 (!has_condition(this, COND_NAT_HERE) ||
973 !has_condition(this, COND_ORIGINAL_INITIATOR)))
974 {
975 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
976 set_other_host(this, other->clone(other));
977 update = TRUE;
978 }
979 }
980 }
981
982 /* update all associated CHILD_SAs, if required */
983 if (update)
984 {
985 enumerator_t *enumerator;
986 child_sa_t *child_sa;
987 linked_list_t *vips;
988
989 vips = linked_list_create_from_enumerator(
990 array_create_enumerator(this->my_vips));
991
992 enumerator = array_create_enumerator(this->child_sas);
993 while (enumerator->enumerate(enumerator, &child_sa))
994 {
995 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
996 charon->child_sa_manager->add(charon->child_sa_manager,
997 child_sa, &this->public);
998
999 if (child_sa->update(child_sa, this->my_host, this->other_host,
1000 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1001 {
1002 this->public.rekey_child_sa(&this->public,
1003 child_sa->get_protocol(child_sa),
1004 child_sa->get_spi(child_sa, TRUE));
1005 }
1006
1007 }
1008 enumerator->destroy(enumerator);
1009
1010 vips->destroy(vips);
1011 }
1012 }
1013
1014 /**
1015 * Set configured DSCP value on packet
1016 */
1017 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1018 {
1019 ike_cfg_t *ike_cfg;
1020
1021 /* prefer IKE config on peer_cfg, as its selection is more accurate
1022 * then the initial IKE config */
1023 if (this->peer_cfg)
1024 {
1025 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1026 }
1027 else
1028 {
1029 ike_cfg = this->ike_cfg;
1030 }
1031 if (ike_cfg)
1032 {
1033 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1034 }
1035 }
1036
1037 METHOD(ike_sa_t, generate_message, status_t,
1038 private_ike_sa_t *this, message_t *message, packet_t **packet)
1039 {
1040 status_t status;
1041
1042 if (message->is_encoded(message))
1043 { /* already encoded in task, but set DSCP value */
1044 *packet = message->get_packet(message);
1045 set_dscp(this, *packet);
1046 return SUCCESS;
1047 }
1048 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1049 message->set_ike_sa_id(message, this->ike_sa_id);
1050 charon->bus->message(charon->bus, message, FALSE, TRUE);
1051 status = message->generate(message, this->keymat, packet);
1052 if (status == SUCCESS)
1053 {
1054 set_dscp(this, *packet);
1055 charon->bus->message(charon->bus, message, FALSE, FALSE);
1056 }
1057 return status;
1058 }
1059
1060 static bool filter_fragments(private_ike_sa_t *this, packet_t **fragment,
1061 packet_t **packet)
1062 {
1063 *packet = (*fragment)->clone(*fragment);
1064 set_dscp(this, *packet);
1065 return TRUE;
1066 }
1067
1068 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1069 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1070 {
1071 enumerator_t *fragments;
1072 packet_t *packet;
1073 status_t status;
1074 bool use_frags = FALSE;
1075
1076 if (this->ike_cfg)
1077 {
1078 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1079 {
1080 case FRAGMENTATION_FORCE:
1081 use_frags = TRUE;
1082 break;
1083 case FRAGMENTATION_YES:
1084 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1085 if (use_frags && this->version == IKEV1 &&
1086 supports_extension(this, EXT_MS_WINDOWS))
1087 {
1088 /* It seems Windows 7 and 8 peers only accept proprietary
1089 * fragmented messages if they expect certificates. */
1090 use_frags = message->get_payload(message,
1091 PLV1_CERTIFICATE) != NULL;
1092 }
1093 break;
1094 default:
1095 break;
1096 }
1097 }
1098 if (!use_frags)
1099 {
1100 status = generate_message(this, message, &packet);
1101 if (status != SUCCESS)
1102 {
1103 return status;
1104 }
1105 *packets = enumerator_create_single(packet, NULL);
1106 return SUCCESS;
1107 }
1108
1109 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1110 message->set_ike_sa_id(message, this->ike_sa_id);
1111 charon->bus->message(charon->bus, message, FALSE, TRUE);
1112 status = message->fragment(message, this->keymat, this->fragment_size,
1113 &fragments);
1114 if (status == SUCCESS)
1115 {
1116 charon->bus->message(charon->bus, message, FALSE, FALSE);
1117 *packets = enumerator_create_filter(fragments, (void*)filter_fragments,
1118 this, NULL);
1119 }
1120 return status;
1121 }
1122
1123 METHOD(ike_sa_t, set_kmaddress, void,
1124 private_ike_sa_t *this, host_t *local, host_t *remote)
1125 {
1126 DESTROY_IF(this->local_host);
1127 DESTROY_IF(this->remote_host);
1128 this->local_host = local->clone(local);
1129 this->remote_host = remote->clone(remote);
1130 }
1131
1132 #ifdef ME
1133 METHOD(ike_sa_t, act_as_mediation_server, void,
1134 private_ike_sa_t *this)
1135 {
1136 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1137 this->other_id, this->ike_sa_id);
1138 this->is_mediation_server = TRUE;
1139 }
1140
1141 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1142 private_ike_sa_t *this)
1143 {
1144 return this->server_reflexive_host;
1145 }
1146
1147 METHOD(ike_sa_t, set_server_reflexive_host, void,
1148 private_ike_sa_t *this, host_t *host)
1149 {
1150 DESTROY_IF(this->server_reflexive_host);
1151 this->server_reflexive_host = host;
1152 }
1153
1154 METHOD(ike_sa_t, get_connect_id, chunk_t,
1155 private_ike_sa_t *this)
1156 {
1157 return this->connect_id;
1158 }
1159
1160 METHOD(ike_sa_t, respond, status_t,
1161 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1162 {
1163 ike_me_t *task = ike_me_create(&this->public, TRUE);
1164 task->respond(task, peer_id, connect_id);
1165 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1166 return this->task_manager->initiate(this->task_manager);
1167 }
1168
1169 METHOD(ike_sa_t, callback, status_t,
1170 private_ike_sa_t *this, identification_t *peer_id)
1171 {
1172 ike_me_t *task = ike_me_create(&this->public, TRUE);
1173 task->callback(task, peer_id);
1174 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1175 return this->task_manager->initiate(this->task_manager);
1176 }
1177
1178 METHOD(ike_sa_t, relay, status_t,
1179 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1180 chunk_t connect_key, linked_list_t *endpoints, bool response)
1181 {
1182 ike_me_t *task = ike_me_create(&this->public, TRUE);
1183 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1184 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1185 return this->task_manager->initiate(this->task_manager);
1186 }
1187
1188 METHOD(ike_sa_t, initiate_mediation, status_t,
1189 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1190 {
1191 ike_me_t *task = ike_me_create(&this->public, TRUE);
1192 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1193 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1194 return this->task_manager->initiate(this->task_manager);
1195 }
1196
1197 METHOD(ike_sa_t, initiate_mediated, status_t,
1198 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1199 {
1200 set_my_host(this, me->clone(me));
1201 set_other_host(this, other->clone(other));
1202 chunk_free(&this->connect_id);
1203 this->connect_id = chunk_clone(connect_id);
1204 return this->task_manager->initiate(this->task_manager);
1205 }
1206 #endif /* ME */
1207
1208 /**
1209 * Resolve DNS host in configuration
1210 */
1211 static void resolve_hosts(private_ike_sa_t *this)
1212 {
1213 host_t *host;
1214 int family = AF_UNSPEC;
1215
1216 switch (charon->socket->supported_families(charon->socket))
1217 {
1218 case SOCKET_FAMILY_IPV4:
1219 family = AF_INET;
1220 break;
1221 case SOCKET_FAMILY_IPV6:
1222 family = AF_INET6;
1223 break;
1224 case SOCKET_FAMILY_BOTH:
1225 case SOCKET_FAMILY_NONE:
1226 break;
1227 }
1228
1229 /* if an IP address is set locally, use the same family to resolve remote */
1230 if (family == AF_UNSPEC && !this->remote_host)
1231 {
1232 if (this->local_host)
1233 {
1234 family = this->local_host->get_family(this->local_host);
1235 }
1236 else
1237 {
1238 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1239 }
1240 }
1241
1242 if (this->remote_host)
1243 {
1244 host = this->remote_host->clone(this->remote_host);
1245 host->set_port(host, IKEV2_UDP_PORT);
1246 }
1247 else
1248 {
1249 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1250 }
1251 if (host)
1252 {
1253 if (!host->is_anyaddr(host) ||
1254 this->other_host->is_anyaddr(this->other_host))
1255 { /* don't set to %any if we currently have an address, but the
1256 * address family might have changed */
1257 set_other_host(this, host);
1258 }
1259 else
1260 { /* reuse the original port as some implementations might not like
1261 * initial IKE messages on other ports */
1262 this->other_host->set_port(this->other_host, host->get_port(host));
1263 host->destroy(host);
1264 }
1265 }
1266
1267 if (this->local_host)
1268 {
1269 host = this->local_host->clone(this->local_host);
1270 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1271 }
1272 else
1273 {
1274 /* use same address family as for other */
1275 if (!this->other_host->is_anyaddr(this->other_host))
1276 {
1277 family = this->other_host->get_family(this->other_host);
1278 }
1279 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1280
1281 if (host && host->is_anyaddr(host) &&
1282 !this->other_host->is_anyaddr(this->other_host))
1283 {
1284 host->destroy(host);
1285 host = hydra->kernel_interface->get_source_addr(
1286 hydra->kernel_interface, this->other_host, NULL);
1287 if (host)
1288 {
1289 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1290 }
1291 else
1292 { /* fallback to address family specific %any(6), if configured */
1293 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1294 }
1295 }
1296 }
1297 if (host)
1298 {
1299 set_my_host(this, host);
1300 }
1301 }
1302
1303 METHOD(ike_sa_t, initiate, status_t,
1304 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1305 traffic_selector_t *tsi, traffic_selector_t *tsr)
1306 {
1307 bool defer_initiate = FALSE;
1308
1309 if (this->state == IKE_CREATED)
1310 {
1311 if (this->my_host->is_anyaddr(this->my_host) ||
1312 this->other_host->is_anyaddr(this->other_host))
1313 {
1314 resolve_hosts(this);
1315 }
1316
1317 if (this->other_host->is_anyaddr(this->other_host)
1318 #ifdef ME
1319 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1320 #endif /* ME */
1321 )
1322 {
1323 char *addr;
1324
1325 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1326 if (!this->retry_initiate_interval)
1327 {
1328 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1329 addr);
1330 DESTROY_IF(child_cfg);
1331 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1332 return DESTROY_ME;
1333 }
1334 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1335 addr, this->retry_initiate_interval);
1336 defer_initiate = TRUE;
1337 }
1338
1339 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1340 this->task_manager->queue_ike(this->task_manager);
1341 }
1342
1343 #ifdef ME
1344 if (this->peer_cfg->is_mediation(this->peer_cfg))
1345 {
1346 if (this->state == IKE_ESTABLISHED)
1347 {
1348 /* mediation connection is already established, retrigger state
1349 * change to notify bus listeners */
1350 DBG1(DBG_IKE, "mediation connection is already up");
1351 set_state(this, IKE_ESTABLISHED);
1352 }
1353 DESTROY_IF(child_cfg);
1354 }
1355 else
1356 #endif /* ME */
1357 if (child_cfg)
1358 {
1359 /* normal IKE_SA with CHILD_SA */
1360 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1361 tsi, tsr);
1362 #ifdef ME
1363 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1364 {
1365 /* mediated connection, initiate mediation process */
1366 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1367 lib->processor->queue_job(lib->processor, job);
1368 return SUCCESS;
1369 }
1370 #endif /* ME */
1371 }
1372
1373 if (defer_initiate)
1374 {
1375 if (!this->retry_initiate_queued)
1376 {
1377 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1378 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1379 this->retry_initiate_interval);
1380 this->retry_initiate_queued = TRUE;
1381 }
1382 return SUCCESS;
1383 }
1384 this->retry_initiate_queued = FALSE;
1385 return this->task_manager->initiate(this->task_manager);
1386 }
1387
1388 METHOD(ike_sa_t, retry_initiate, status_t,
1389 private_ike_sa_t *this)
1390 {
1391 if (this->retry_initiate_queued)
1392 {
1393 this->retry_initiate_queued = FALSE;
1394 return initiate(this, NULL, 0, NULL, NULL);
1395 }
1396 return SUCCESS;
1397 }
1398
1399 METHOD(ike_sa_t, process_message, status_t,
1400 private_ike_sa_t *this, message_t *message)
1401 {
1402 status_t status;
1403
1404 if (this->state == IKE_PASSIVE)
1405 { /* do not handle messages in passive state */
1406 return FAILED;
1407 }
1408 if (message->get_major_version(message) != this->version)
1409 {
1410 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1411 exchange_type_names, message->get_exchange_type(message),
1412 message->get_major_version(message),
1413 ike_version_names, this->version);
1414 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1415 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1416 return FAILED;
1417 }
1418 status = this->task_manager->process_message(this->task_manager, message);
1419 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1420 {
1421 /* authentication completed */
1422 this->flush_auth_cfg = FALSE;
1423 flush_auth_cfgs(this);
1424 }
1425 return status;
1426 }
1427
1428 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1429 private_ike_sa_t *this)
1430 {
1431 return this->ike_sa_id;
1432 }
1433
1434 METHOD(ike_sa_t, get_version, ike_version_t,
1435 private_ike_sa_t *this)
1436 {
1437 return this->version;
1438 }
1439
1440 METHOD(ike_sa_t, get_my_id, identification_t*,
1441 private_ike_sa_t *this)
1442 {
1443 return this->my_id;
1444 }
1445
1446 METHOD(ike_sa_t, set_my_id, void,
1447 private_ike_sa_t *this, identification_t *me)
1448 {
1449 DESTROY_IF(this->my_id);
1450 this->my_id = me;
1451 }
1452
1453 METHOD(ike_sa_t, get_other_id, identification_t*,
1454 private_ike_sa_t *this)
1455 {
1456 return this->other_id;
1457 }
1458
1459 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1460 private_ike_sa_t *this)
1461 {
1462 identification_t *id = NULL, *current;
1463 enumerator_t *enumerator;
1464 auth_cfg_t *cfg;
1465
1466 enumerator = array_create_enumerator(this->other_auths);
1467 while (enumerator->enumerate(enumerator, &cfg))
1468 {
1469 /* prefer EAP-Identity of last round */
1470 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1471 if (!current || current->get_type(current) == ID_ANY)
1472 {
1473 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1474 }
1475 if (!current || current->get_type(current) == ID_ANY)
1476 {
1477 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1478 }
1479 if (current && current->get_type(current) != ID_ANY)
1480 {
1481 id = current;
1482 continue;
1483 }
1484 }
1485 enumerator->destroy(enumerator);
1486 if (id)
1487 {
1488 return id;
1489 }
1490 return this->other_id;
1491 }
1492
1493 METHOD(ike_sa_t, set_other_id, void,
1494 private_ike_sa_t *this, identification_t *other)
1495 {
1496 DESTROY_IF(this->other_id);
1497 this->other_id = other;
1498 }
1499
1500 METHOD(ike_sa_t, add_child_sa, void,
1501 private_ike_sa_t *this, child_sa_t *child_sa)
1502 {
1503 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1504 charon->child_sa_manager->add(charon->child_sa_manager,
1505 child_sa, &this->public);
1506 }
1507
1508 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1509 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1510 {
1511 enumerator_t *enumerator;
1512 child_sa_t *current, *found = NULL;
1513
1514 enumerator = array_create_enumerator(this->child_sas);
1515 while (enumerator->enumerate(enumerator, (void**)&current))
1516 {
1517 if (current->get_spi(current, inbound) == spi &&
1518 current->get_protocol(current) == protocol)
1519 {
1520 found = current;
1521 }
1522 }
1523 enumerator->destroy(enumerator);
1524 return found;
1525 }
1526
1527 METHOD(ike_sa_t, get_child_count, int,
1528 private_ike_sa_t *this)
1529 {
1530 return array_count(this->child_sas);
1531 }
1532
1533 /**
1534 * Private data of a create_child_sa_enumerator()
1535 */
1536 typedef struct {
1537 /** implements enumerator */
1538 enumerator_t public;
1539 /** inner array enumerator */
1540 enumerator_t *inner;
1541 /** current item */
1542 child_sa_t *current;
1543 } child_enumerator_t;
1544
1545 METHOD(enumerator_t, child_enumerate, bool,
1546 child_enumerator_t *this, child_sa_t **child_sa)
1547 {
1548 if (this->inner->enumerate(this->inner, &this->current))
1549 {
1550 *child_sa = this->current;
1551 return TRUE;
1552 }
1553 return FALSE;
1554 }
1555
1556 METHOD(enumerator_t, child_enumerator_destroy, void,
1557 child_enumerator_t *this)
1558 {
1559 this->inner->destroy(this->inner);
1560 free(this);
1561 }
1562
1563 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1564 private_ike_sa_t *this)
1565 {
1566 child_enumerator_t *enumerator;
1567
1568 INIT(enumerator,
1569 .public = {
1570 .enumerate = (void*)_child_enumerate,
1571 .destroy = _child_enumerator_destroy,
1572 },
1573 .inner = array_create_enumerator(this->child_sas),
1574 );
1575 return &enumerator->public;
1576 }
1577
1578 METHOD(ike_sa_t, remove_child_sa, void,
1579 private_ike_sa_t *this, enumerator_t *enumerator)
1580 {
1581 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1582
1583 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1584 array_remove_at(this->child_sas, ce->inner);
1585 }
1586
1587 METHOD(ike_sa_t, rekey_child_sa, status_t,
1588 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1589 {
1590 if (this->state == IKE_PASSIVE)
1591 {
1592 return INVALID_STATE;
1593 }
1594 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1595 return this->task_manager->initiate(this->task_manager);
1596 }
1597
1598 METHOD(ike_sa_t, delete_child_sa, status_t,
1599 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1600 {
1601 if (this->state == IKE_PASSIVE)
1602 {
1603 return INVALID_STATE;
1604 }
1605 this->task_manager->queue_child_delete(this->task_manager,
1606 protocol, spi, expired);
1607 return this->task_manager->initiate(this->task_manager);
1608 }
1609
1610 METHOD(ike_sa_t, destroy_child_sa, status_t,
1611 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1612 {
1613 enumerator_t *enumerator;
1614 child_sa_t *child_sa;
1615 status_t status = NOT_FOUND;
1616
1617 enumerator = create_child_sa_enumerator(this);
1618 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1619 {
1620 if (child_sa->get_protocol(child_sa) == protocol &&
1621 child_sa->get_spi(child_sa, TRUE) == spi)
1622 {
1623 remove_child_sa(this, enumerator);
1624 child_sa->destroy(child_sa);
1625 status = SUCCESS;
1626 break;
1627 }
1628 }
1629 enumerator->destroy(enumerator);
1630 return status;
1631 }
1632
1633 METHOD(ike_sa_t, delete_, status_t,
1634 private_ike_sa_t *this)
1635 {
1636 switch (this->state)
1637 {
1638 case IKE_REKEYING:
1639 if (this->version == IKEV1)
1640 { /* SA has been reauthenticated, delete */
1641 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1642 break;
1643 }
1644 /* FALL */
1645 case IKE_ESTABLISHED:
1646 if (time_monotonic(NULL) >= this->stats[STAT_DELETE])
1647 { /* IKE_SA hard lifetime hit */
1648 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1649 }
1650 this->task_manager->queue_ike_delete(this->task_manager);
1651 return this->task_manager->initiate(this->task_manager);
1652 case IKE_CREATED:
1653 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1654 break;
1655 case IKE_PASSIVE:
1656 break;
1657 default:
1658 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1659 "without notification", ike_sa_state_names, this->state);
1660 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1661 break;
1662 }
1663 return DESTROY_ME;
1664 }
1665
1666 METHOD(ike_sa_t, rekey, status_t,
1667 private_ike_sa_t *this)
1668 {
1669 if (this->state == IKE_PASSIVE)
1670 {
1671 return INVALID_STATE;
1672 }
1673 this->task_manager->queue_ike_rekey(this->task_manager);
1674 return this->task_manager->initiate(this->task_manager);
1675 }
1676
1677 METHOD(ike_sa_t, reauth, status_t,
1678 private_ike_sa_t *this)
1679 {
1680 if (this->state == IKE_PASSIVE)
1681 {
1682 return INVALID_STATE;
1683 }
1684 if (this->state == IKE_CONNECTING)
1685 {
1686 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1687 get_name(this), this->unique_id);
1688 reset(this);
1689 this->task_manager->queue_ike(this->task_manager);
1690 return this->task_manager->initiate(this->task_manager);
1691 }
1692 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1693 * If the peer does not support RFC4478, there is no way to keep the
1694 * IKE_SA up. */
1695 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1696 {
1697 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1698 if (array_count(this->other_vips) != 0 ||
1699 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1700 has_condition(this, COND_EAP_AUTHENTICATED)
1701 #ifdef ME
1702 /* as mediation server we too cannot reauth the IKE_SA */
1703 || this->is_mediation_server
1704 #endif /* ME */
1705 )
1706 {
1707 time_t del, now;
1708
1709 del = this->stats[STAT_DELETE];
1710 now = time_monotonic(NULL);
1711 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1712 get_name(this), this->unique_id, &now, &del);
1713 return FAILED;
1714 }
1715 else
1716 {
1717 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1718 get_name(this), this->unique_id);
1719 }
1720 }
1721 else
1722 {
1723 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1724 get_name(this), this->unique_id);
1725 }
1726 set_condition(this, COND_REAUTHENTICATING, TRUE);
1727 this->task_manager->queue_ike_reauth(this->task_manager);
1728 return this->task_manager->initiate(this->task_manager);
1729 }
1730
1731 /**
1732 * Check if tasks to create CHILD_SAs are queued in the given queue
1733 */
1734 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1735 {
1736 enumerator_t *enumerator;
1737 task_t *task;
1738 bool found = FALSE;
1739
1740 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1741 queue);
1742 while (enumerator->enumerate(enumerator, &task))
1743 {
1744 if (task->get_type(task) == TASK_CHILD_CREATE ||
1745 task->get_type(task) == TASK_QUICK_MODE)
1746 {
1747 found = TRUE;
1748 break;
1749 }
1750 }
1751 enumerator->destroy(enumerator);
1752 return found;
1753 }
1754
1755 METHOD(ike_sa_t, reestablish, status_t,
1756 private_ike_sa_t *this)
1757 {
1758 ike_sa_t *new;
1759 host_t *host;
1760 action_t action;
1761 enumerator_t *enumerator;
1762 child_sa_t *child_sa;
1763 child_cfg_t *child_cfg;
1764 bool restart = FALSE;
1765 status_t status = FAILED;
1766
1767 if (has_condition(this, COND_REAUTHENTICATING))
1768 { /* only reauthenticate if we have children */
1769 if (array_count(this->child_sas) == 0
1770 #ifdef ME
1771 /* allow reauth of mediation connections without CHILD_SAs */
1772 && !this->peer_cfg->is_mediation(this->peer_cfg)
1773 #endif /* ME */
1774 )
1775 {
1776 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1777 "to recreate");
1778 }
1779 else
1780 {
1781 restart = TRUE;
1782 }
1783 }
1784 else
1785 { /* check if we have children to keep up at all */
1786 enumerator = array_create_enumerator(this->child_sas);
1787 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1788 {
1789 if (this->state == IKE_DELETING)
1790 {
1791 action = child_sa->get_close_action(child_sa);
1792 }
1793 else
1794 {
1795 action = child_sa->get_dpd_action(child_sa);
1796 }
1797 switch (action)
1798 {
1799 case ACTION_RESTART:
1800 restart = TRUE;
1801 break;
1802 case ACTION_ROUTE:
1803 charon->traps->install(charon->traps, this->peer_cfg,
1804 child_sa->get_config(child_sa),
1805 child_sa->get_reqid(child_sa));
1806 break;
1807 default:
1808 break;
1809 }
1810 }
1811 enumerator->destroy(enumerator);
1812 /* check if we have tasks that recreate children */
1813 if (!restart)
1814 {
1815 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
1816 is_child_queued(this, TASK_QUEUE_QUEUED);
1817 }
1818 #ifdef ME
1819 /* mediation connections have no children, keep them up anyway */
1820 if (this->peer_cfg->is_mediation(this->peer_cfg))
1821 {
1822 restart = TRUE;
1823 }
1824 #endif /* ME */
1825 }
1826 if (!restart)
1827 {
1828 return FAILED;
1829 }
1830
1831 /* check if we are able to reestablish this IKE_SA */
1832 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1833 (array_count(this->other_vips) != 0 ||
1834 has_condition(this, COND_EAP_AUTHENTICATED)
1835 #ifdef ME
1836 || this->is_mediation_server
1837 #endif /* ME */
1838 ))
1839 {
1840 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1841 return FAILED;
1842 }
1843
1844 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1845 this->version, TRUE);
1846 if (!new)
1847 {
1848 return FAILED;
1849 }
1850 new->set_peer_cfg(new, this->peer_cfg);
1851 host = this->other_host;
1852 new->set_other_host(new, host->clone(host));
1853 host = this->my_host;
1854 new->set_my_host(new, host->clone(host));
1855 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
1856 /* resolve hosts but use the old addresses above as fallback */
1857 resolve_hosts((private_ike_sa_t*)new);
1858 /* if we already have a virtual IP, we reuse it */
1859 enumerator = array_create_enumerator(this->my_vips);
1860 while (enumerator->enumerate(enumerator, &host))
1861 {
1862 new->add_virtual_ip(new, TRUE, host);
1863 }
1864 enumerator->destroy(enumerator);
1865
1866 #ifdef ME
1867 if (this->peer_cfg->is_mediation(this->peer_cfg))
1868 {
1869 status = new->initiate(new, NULL, 0, NULL, NULL);
1870 }
1871 else
1872 #endif /* ME */
1873 {
1874 /* handle existing CHILD_SAs */
1875 enumerator = create_child_sa_enumerator(this);
1876 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1877 {
1878 if (has_condition(this, COND_REAUTHENTICATING))
1879 {
1880 switch (child_sa->get_state(child_sa))
1881 {
1882 case CHILD_ROUTED:
1883 { /* move routed child directly */
1884 remove_child_sa(this, enumerator);
1885 new->add_child_sa(new, child_sa);
1886 action = ACTION_NONE;
1887 break;
1888 }
1889 default:
1890 { /* initiate/queue all other CHILD_SAs */
1891 action = ACTION_RESTART;
1892 break;
1893 }
1894 }
1895 }
1896 else
1897 { /* only restart CHILD_SAs that are configured accordingly */
1898 if (this->state == IKE_DELETING)
1899 {
1900 action = child_sa->get_close_action(child_sa);
1901 }
1902 else
1903 {
1904 action = child_sa->get_dpd_action(child_sa);
1905 }
1906 }
1907 switch (action)
1908 {
1909 case ACTION_RESTART:
1910 child_cfg = child_sa->get_config(child_sa);
1911 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1912 child_cfg->get_name(child_cfg));
1913 child_cfg->get_ref(child_cfg);
1914 status = new->initiate(new, child_cfg,
1915 child_sa->get_reqid(child_sa), NULL, NULL);
1916 break;
1917 default:
1918 continue;
1919 }
1920 if (status == DESTROY_ME)
1921 {
1922 break;
1923 }
1924 }
1925 enumerator->destroy(enumerator);
1926 /* adopt any active or queued CHILD-creating tasks */
1927 if (status != DESTROY_ME)
1928 {
1929 task_manager_t *other_tasks = ((private_ike_sa_t*)new)->task_manager;
1930 other_tasks->adopt_child_tasks(other_tasks, this->task_manager);
1931 if (new->get_state(new) == IKE_CREATED)
1932 {
1933 status = new->initiate(new, NULL, 0, NULL, NULL);
1934 }
1935 }
1936 }
1937
1938 if (status == DESTROY_ME)
1939 {
1940 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1941 FALSE);
1942 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1943 status = FAILED;
1944 }
1945 else
1946 {
1947 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
1948 TRUE);
1949 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1950 status = SUCCESS;
1951 }
1952 charon->bus->set_sa(charon->bus, &this->public);
1953 return status;
1954 }
1955
1956 METHOD(ike_sa_t, retransmit, status_t,
1957 private_ike_sa_t *this, u_int32_t message_id)
1958 {
1959 if (this->state == IKE_PASSIVE)
1960 {
1961 return INVALID_STATE;
1962 }
1963 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1964 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1965 {
1966 /* send a proper signal to brief interested bus listeners */
1967 switch (this->state)
1968 {
1969 case IKE_CONNECTING:
1970 {
1971 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
1972 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1973 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
1974 this->keyingtry);
1975 this->keyingtry++;
1976 if (tries == 0 || tries > this->keyingtry)
1977 {
1978 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1979 this->keyingtry + 1, tries);
1980 reset(this);
1981 resolve_hosts(this);
1982 this->task_manager->queue_ike(this->task_manager);
1983 return this->task_manager->initiate(this->task_manager);
1984 }
1985 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1986 break;
1987 }
1988 case IKE_DELETING:
1989 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1990 if (has_condition(this, COND_REAUTHENTICATING))
1991 {
1992 DBG1(DBG_IKE, "delete during reauthentication failed, "
1993 "trying to reestablish IKE_SA anyway");
1994 reestablish(this);
1995 }
1996 break;
1997 case IKE_REKEYING:
1998 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1999 /* FALL */
2000 default:
2001 reestablish(this);
2002 break;
2003 }
2004 if (this->state != IKE_CONNECTING)
2005 {
2006 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2007 }
2008 return DESTROY_ME;
2009 }
2010 return SUCCESS;
2011 }
2012
2013 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2014 private_ike_sa_t *this, u_int32_t lifetime)
2015 {
2016 u_int32_t diff, hard, soft, now;
2017 bool send_update;
2018
2019 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2020 now = time_monotonic(NULL);
2021 hard = now + lifetime;
2022 soft = hard - diff;
2023
2024 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2025 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2026 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2027 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2028 (array_count(this->other_vips) != 0 ||
2029 has_condition(this, COND_EAP_AUTHENTICATED));
2030
2031 if (lifetime < diff)
2032 {
2033 this->stats[STAT_REAUTH] = now;
2034
2035 if (!send_update)
2036 {
2037 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2038 "starting reauthentication", lifetime);
2039 lib->processor->queue_job(lib->processor,
2040 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2041 }
2042 }
2043 else if (this->stats[STAT_REAUTH] == 0 ||
2044 this->stats[STAT_REAUTH] > soft)
2045 {
2046 this->stats[STAT_REAUTH] = soft;
2047 if (!send_update)
2048 {
2049 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2050 "reauthentication in %ds", lifetime, lifetime - diff);
2051 lib->scheduler->schedule_job(lib->scheduler,
2052 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2053 lifetime - diff);
2054 }
2055 }
2056 else
2057 {
2058 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2059 "reauthentication already scheduled in %ds", lifetime,
2060 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2061 send_update = FALSE;
2062 }
2063 /* give at least some seconds to reauthenticate */
2064 this->stats[STAT_DELETE] = max(hard, now + 10);
2065
2066 #ifdef USE_IKEV2
2067 if (send_update)
2068 {
2069 ike_auth_lifetime_t *task;
2070
2071 task = ike_auth_lifetime_create(&this->public, TRUE);
2072 this->task_manager->queue_task(this->task_manager, &task->task);
2073 return this->task_manager->initiate(this->task_manager);
2074 }
2075 #endif
2076 return SUCCESS;
2077 }
2078
2079 /**
2080 * Check if the current combination of source and destination address is still
2081 * valid.
2082 */
2083 static bool is_current_path_valid(private_ike_sa_t *this)
2084 {
2085 bool valid = FALSE;
2086 host_t *src;
2087 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
2088 this->other_host, this->my_host);
2089 if (src)
2090 {
2091 if (src->ip_equals(src, this->my_host))
2092 {
2093 valid = TRUE;
2094 }
2095 src->destroy(src);
2096 }
2097 return valid;
2098 }
2099
2100 /**
2101 * Check if we have any path avialable for this IKE SA.
2102 */
2103 static bool is_any_path_valid(private_ike_sa_t *this)
2104 {
2105 bool valid = FALSE;
2106 enumerator_t *enumerator;
2107 host_t *src = NULL, *addr;
2108 int family = AF_UNSPEC;
2109
2110 switch (charon->socket->supported_families(charon->socket))
2111 {
2112 case SOCKET_FAMILY_IPV4:
2113 family = AF_INET;
2114 break;
2115 case SOCKET_FAMILY_IPV6:
2116 family = AF_INET6;
2117 break;
2118 case SOCKET_FAMILY_BOTH:
2119 case SOCKET_FAMILY_NONE:
2120 break;
2121 }
2122
2123 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2124 enumerator = create_peer_address_enumerator(this);
2125 while (enumerator->enumerate(enumerator, &addr))
2126 {
2127 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2128 {
2129 continue;
2130 }
2131 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2132 src = hydra->kernel_interface->get_source_addr(
2133 hydra->kernel_interface, addr, NULL);
2134 if (src)
2135 {
2136 break;
2137 }
2138 }
2139 enumerator->destroy(enumerator);
2140 if (src)
2141 {
2142 valid = TRUE;
2143 src->destroy(src);
2144 }
2145 return valid;
2146 }
2147
2148 METHOD(ike_sa_t, roam, status_t,
2149 private_ike_sa_t *this, bool address)
2150 {
2151 switch (this->state)
2152 {
2153 case IKE_CREATED:
2154 case IKE_DELETING:
2155 case IKE_DESTROYING:
2156 case IKE_PASSIVE:
2157 return SUCCESS;
2158 default:
2159 break;
2160 }
2161
2162 /* keep existing path if possible */
2163 if (is_current_path_valid(this))
2164 {
2165 DBG2(DBG_IKE, "keeping connection path %H - %H",
2166 this->my_host, this->other_host);
2167 set_condition(this, COND_STALE, FALSE);
2168
2169 if (supports_extension(this, EXT_MOBIKE) && address)
2170 { /* if any addresses changed, send an updated list */
2171 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2172 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2173 return this->task_manager->initiate(this->task_manager);
2174 }
2175 return SUCCESS;
2176 }
2177
2178 if (!is_any_path_valid(this))
2179 {
2180 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2181 this->other_host);
2182 set_condition(this, COND_STALE, TRUE);
2183 return SUCCESS;
2184 }
2185 set_condition(this, COND_STALE, FALSE);
2186
2187 /* update addresses with mobike, if supported ... */
2188 if (supports_extension(this, EXT_MOBIKE))
2189 {
2190 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2191 { /* responder updates the peer about changed address config */
2192 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2193 "implicitly requesting an address change");
2194 address = TRUE;
2195 }
2196 else
2197 {
2198 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2199 }
2200 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2201 return this->task_manager->initiate(this->task_manager);
2202 }
2203
2204 /* ... reauth if not */
2205 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2206 { /* responder does not reauthenticate */
2207 set_condition(this, COND_STALE, TRUE);
2208 return SUCCESS;
2209 }
2210 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2211 /* since our previous path is not valid anymore, try and find a new one */
2212 resolve_hosts(this);
2213 return reauth(this);
2214 }
2215
2216 METHOD(ike_sa_t, add_configuration_attribute, void,
2217 private_ike_sa_t *this, attribute_handler_t *handler,
2218 configuration_attribute_type_t type, chunk_t data)
2219 {
2220 attribute_entry_t entry = {
2221 .handler = handler,
2222 .type = type,
2223 .data = chunk_clone(data),
2224 };
2225 array_insert(this->attributes, ARRAY_TAIL, &entry);
2226 }
2227
2228 /**
2229 * Enumerator filter for attributes
2230 */
2231 static bool filter_attribute(void *null, attribute_entry_t **in,
2232 configuration_attribute_type_t *type, void *in2,
2233 chunk_t *data, void *in3, bool *handled)
2234 {
2235 *type = (*in)->type;
2236 *data = (*in)->data;
2237 *handled = (*in)->handler != NULL;
2238 return TRUE;
2239 }
2240
2241 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2242 private_ike_sa_t *this)
2243 {
2244 return enumerator_create_filter(array_create_enumerator(this->attributes),
2245 (void*)filter_attribute, NULL, NULL);
2246 }
2247
2248 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2249 private_ike_sa_t *this, task_queue_t queue)
2250 {
2251 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2252 }
2253
2254 METHOD(ike_sa_t, flush_queue, void,
2255 private_ike_sa_t *this, task_queue_t queue)
2256 {
2257 this->task_manager->flush_queue(this->task_manager, queue);
2258 }
2259
2260 METHOD(ike_sa_t, queue_task, void,
2261 private_ike_sa_t *this, task_t *task)
2262 {
2263 this->task_manager->queue_task(this->task_manager, task);
2264 }
2265
2266 METHOD(ike_sa_t, inherit_pre, void,
2267 private_ike_sa_t *this, ike_sa_t *other_public)
2268 {
2269 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2270
2271 /* apply config and hosts */
2272 set_peer_cfg(this, other->peer_cfg);
2273 set_my_host(this, other->my_host->clone(other->my_host));
2274 set_other_host(this, other->other_host->clone(other->other_host));
2275
2276 /* apply extensions and conditions with a few exceptions */
2277 this->extensions = other->extensions;
2278 this->conditions = other->conditions;
2279 this->conditions &= ~COND_STALE;
2280 this->conditions &= ~COND_REAUTHENTICATING;
2281 }
2282
2283 METHOD(ike_sa_t, inherit_post, void,
2284 private_ike_sa_t *this, ike_sa_t *other_public)
2285 {
2286 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2287 child_sa_t *child_sa;
2288 enumerator_t *enumerator;
2289 attribute_entry_t entry;
2290 auth_cfg_t *cfg;
2291 host_t *vip;
2292
2293 /* apply hosts and ids */
2294 this->my_host->destroy(this->my_host);
2295 this->other_host->destroy(this->other_host);
2296 this->my_id->destroy(this->my_id);
2297 this->other_id->destroy(this->other_id);
2298 this->my_host = other->my_host->clone(other->my_host);
2299 this->other_host = other->other_host->clone(other->other_host);
2300 this->my_id = other->my_id->clone(other->my_id);
2301 this->other_id = other->other_id->clone(other->other_id);
2302
2303 /* apply assigned virtual IPs... */
2304 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2305 {
2306 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2307 }
2308 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2309 {
2310 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2311 }
2312
2313 /* MOBIKE additional addresses */
2314 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2315 {
2316 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2317 }
2318
2319 /* authentication information */
2320 enumerator = array_create_enumerator(other->my_auths);
2321 while (enumerator->enumerate(enumerator, &cfg))
2322 {
2323 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2324 }
2325 enumerator->destroy(enumerator);
2326 enumerator = array_create_enumerator(other->other_auths);
2327 while (enumerator->enumerate(enumerator, &cfg))
2328 {
2329 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2330 }
2331 enumerator->destroy(enumerator);
2332
2333 /* ... and configuration attributes */
2334 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2335 {
2336 array_insert(this->attributes, ARRAY_TAIL, &entry);
2337 }
2338
2339 /* inherit all conditions */
2340 this->conditions = other->conditions;
2341 if (this->conditions & COND_NAT_HERE)
2342 {
2343 send_keepalive(this, FALSE);
2344 }
2345
2346 #ifdef ME
2347 if (other->is_mediation_server)
2348 {
2349 act_as_mediation_server(this);
2350 }
2351 else if (other->server_reflexive_host)
2352 {
2353 this->server_reflexive_host = other->server_reflexive_host->clone(
2354 other->server_reflexive_host);
2355 }
2356 #endif /* ME */
2357
2358 /* adopt all children */
2359 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2360 {
2361 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2362 add_child_sa(this, child_sa);
2363 }
2364
2365 /* move pending tasks to the new IKE_SA */
2366 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2367
2368 /* reauthentication timeout survives a rekeying */
2369 if (other->stats[STAT_REAUTH])
2370 {
2371 time_t reauth, delete, now = time_monotonic(NULL);
2372
2373 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2374 reauth = this->stats[STAT_REAUTH] - now;
2375 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2376 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2377 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2378 "lifetime reduced to %ds", reauth, delete);
2379 lib->scheduler->schedule_job(lib->scheduler,
2380 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2381 lib->scheduler->schedule_job(lib->scheduler,
2382 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2383 }
2384 }
2385
2386 METHOD(ike_sa_t, destroy, void,
2387 private_ike_sa_t *this)
2388 {
2389 attribute_entry_t entry;
2390 child_sa_t *child_sa;
2391 host_t *vip;
2392
2393 charon->bus->set_sa(charon->bus, &this->public);
2394
2395 set_state(this, IKE_DESTROYING);
2396 if (this->task_manager)
2397 {
2398 this->task_manager->flush(this->task_manager);
2399 }
2400
2401 /* remove attributes first, as we pass the IKE_SA to the handler */
2402 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2403 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2404 {
2405 if (entry.handler)
2406 {
2407 charon->attributes->release(charon->attributes, entry.handler,
2408 &this->public, entry.type, entry.data);
2409 }
2410 free(entry.data.ptr);
2411 }
2412 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2413 * routes that the CHILD_SA tries to uninstall. */
2414 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2415 {
2416 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2417 child_sa->destroy(child_sa);
2418 }
2419 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2420 {
2421 hydra->kernel_interface->del_ip(hydra->kernel_interface, vip, -1, TRUE);
2422 vip->destroy(vip);
2423 }
2424 if (array_count(this->other_vips))
2425 {
2426 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2427 }
2428 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2429 {
2430 if (this->peer_cfg)
2431 {
2432 linked_list_t *pools;
2433
2434 pools = linked_list_create_from_enumerator(
2435 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2436 charon->attributes->release_address(charon->attributes,
2437 pools, vip, &this->public);
2438 pools->destroy(pools);
2439 }
2440 vip->destroy(vip);
2441 }
2442
2443 /* unset SA after here to avoid usage by the listeners */
2444 charon->bus->set_sa(charon->bus, NULL);
2445
2446 array_destroy(this->child_sas);
2447 DESTROY_IF(this->task_manager);
2448 DESTROY_IF(this->keymat);
2449 array_destroy(this->attributes);
2450 array_destroy(this->my_vips);
2451 array_destroy(this->other_vips);
2452 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2453 #ifdef ME
2454 if (this->is_mediation_server)
2455 {
2456 charon->mediation_manager->remove(charon->mediation_manager,
2457 this->ike_sa_id);
2458 }
2459 DESTROY_IF(this->server_reflexive_host);
2460 chunk_free(&this->connect_id);
2461 #endif /* ME */
2462 free(this->nat_detection_dest.ptr);
2463
2464 DESTROY_IF(this->my_host);
2465 DESTROY_IF(this->other_host);
2466 DESTROY_IF(this->my_id);
2467 DESTROY_IF(this->other_id);
2468 DESTROY_IF(this->local_host);
2469 DESTROY_IF(this->remote_host);
2470
2471 DESTROY_IF(this->ike_cfg);
2472 DESTROY_IF(this->peer_cfg);
2473 DESTROY_IF(this->proposal);
2474 this->my_auth->destroy(this->my_auth);
2475 this->other_auth->destroy(this->other_auth);
2476 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
2477 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
2478
2479 this->ike_sa_id->destroy(this->ike_sa_id);
2480 free(this);
2481 }
2482
2483 /*
2484 * Described in header.
2485 */
2486 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
2487 ike_version_t version)
2488 {
2489 private_ike_sa_t *this;
2490 static refcount_t unique_id = 0;
2491
2492 if (version == IKE_ANY)
2493 { /* prefer IKEv2 if protocol not specified */
2494 #ifdef USE_IKEV2
2495 version = IKEV2;
2496 #else
2497 version = IKEV1;
2498 #endif
2499 }
2500
2501 INIT(this,
2502 .public = {
2503 .get_version = _get_version,
2504 .get_state = _get_state,
2505 .set_state = _set_state,
2506 .get_name = _get_name,
2507 .get_statistic = _get_statistic,
2508 .set_statistic = _set_statistic,
2509 .process_message = _process_message,
2510 .initiate = _initiate,
2511 .retry_initiate = _retry_initiate,
2512 .get_ike_cfg = _get_ike_cfg,
2513 .set_ike_cfg = _set_ike_cfg,
2514 .get_peer_cfg = _get_peer_cfg,
2515 .set_peer_cfg = _set_peer_cfg,
2516 .get_auth_cfg = _get_auth_cfg,
2517 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2518 .add_auth_cfg = _add_auth_cfg,
2519 .get_proposal = _get_proposal,
2520 .set_proposal = _set_proposal,
2521 .get_id = _get_id,
2522 .get_my_host = _get_my_host,
2523 .set_my_host = _set_my_host,
2524 .get_other_host = _get_other_host,
2525 .set_other_host = _set_other_host,
2526 .set_message_id = _set_message_id,
2527 .float_ports = _float_ports,
2528 .update_hosts = _update_hosts,
2529 .get_my_id = _get_my_id,
2530 .set_my_id = _set_my_id,
2531 .get_other_id = _get_other_id,
2532 .set_other_id = _set_other_id,
2533 .get_other_eap_id = _get_other_eap_id,
2534 .enable_extension = _enable_extension,
2535 .supports_extension = _supports_extension,
2536 .set_condition = _set_condition,
2537 .has_condition = _has_condition,
2538 .set_pending_updates = _set_pending_updates,
2539 .get_pending_updates = _get_pending_updates,
2540 .create_peer_address_enumerator = _create_peer_address_enumerator,
2541 .add_peer_address = _add_peer_address,
2542 .clear_peer_addresses = _clear_peer_addresses,
2543 .has_mapping_changed = _has_mapping_changed,
2544 .retransmit = _retransmit,
2545 .delete = _delete_,
2546 .destroy = _destroy,
2547 .send_dpd = _send_dpd,
2548 .send_keepalive = _send_keepalive,
2549 .get_keymat = _get_keymat,
2550 .add_child_sa = _add_child_sa,
2551 .get_child_sa = _get_child_sa,
2552 .get_child_count = _get_child_count,
2553 .create_child_sa_enumerator = _create_child_sa_enumerator,
2554 .remove_child_sa = _remove_child_sa,
2555 .rekey_child_sa = _rekey_child_sa,
2556 .delete_child_sa = _delete_child_sa,
2557 .destroy_child_sa = _destroy_child_sa,
2558 .rekey = _rekey,
2559 .reauth = _reauth,
2560 .reestablish = _reestablish,
2561 .set_auth_lifetime = _set_auth_lifetime,
2562 .roam = _roam,
2563 .inherit_pre = _inherit_pre,
2564 .inherit_post = _inherit_post,
2565 .generate_message = _generate_message,
2566 .generate_message_fragmented = _generate_message_fragmented,
2567 .reset = _reset,
2568 .get_unique_id = _get_unique_id,
2569 .add_virtual_ip = _add_virtual_ip,
2570 .clear_virtual_ips = _clear_virtual_ips,
2571 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
2572 .add_configuration_attribute = _add_configuration_attribute,
2573 .create_attribute_enumerator = _create_attribute_enumerator,
2574 .set_kmaddress = _set_kmaddress,
2575 .create_task_enumerator = _create_task_enumerator,
2576 .flush_queue = _flush_queue,
2577 .queue_task = _queue_task,
2578 #ifdef ME
2579 .act_as_mediation_server = _act_as_mediation_server,
2580 .get_server_reflexive_host = _get_server_reflexive_host,
2581 .set_server_reflexive_host = _set_server_reflexive_host,
2582 .get_connect_id = _get_connect_id,
2583 .initiate_mediation = _initiate_mediation,
2584 .initiate_mediated = _initiate_mediated,
2585 .relay = _relay,
2586 .callback = _callback,
2587 .respond = _respond,
2588 #endif /* ME */
2589 },
2590 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2591 .version = version,
2592 .my_host = host_create_any(AF_INET),
2593 .other_host = host_create_any(AF_INET),
2594 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2595 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2596 .keymat = keymat_create(version, initiator),
2597 .state = IKE_CREATED,
2598 .stats[STAT_INBOUND] = time_monotonic(NULL),
2599 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2600 .my_auth = auth_cfg_create(),
2601 .other_auth = auth_cfg_create(),
2602 .my_auths = array_create(0, 0),
2603 .other_auths = array_create(0, 0),
2604 .attributes = array_create(sizeof(attribute_entry_t), 0),
2605 .unique_id = ref_get(&unique_id),
2606 .keepalive_interval = lib->settings->get_time(lib->settings,
2607 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
2608 .retry_initiate_interval = lib->settings->get_time(lib->settings,
2609 "%s.retry_initiate_interval", 0, lib->ns),
2610 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2611 "%s.flush_auth_cfg", FALSE, lib->ns),
2612 .fragment_size = lib->settings->get_int(lib->settings,
2613 "%s.fragment_size", 0, lib->ns),
2614 );
2615
2616 if (version == IKEV2)
2617 { /* always supported with IKEv2 */
2618 enable_extension(this, EXT_DPD);
2619 }
2620
2621 this->task_manager = task_manager_create(&this->public);
2622 this->my_host->set_port(this->my_host,
2623 charon->socket->get_port(charon->socket, FALSE));
2624
2625 if (!this->task_manager || !this->keymat)
2626 {
2627 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2628 destroy(this);
2629 return NULL;
2630 }
2631 return &this->public;
2632 }