ike-sa: Properly set timing info for delete after rekeying
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2020 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
62
63 #ifdef ME
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
66 #endif
67
68 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
69 "CREATED",
70 "CONNECTING",
71 "ESTABLISHED",
72 "PASSIVE",
73 "REKEYING",
74 "REKEYED",
75 "DELETING",
76 "DESTROYING",
77 );
78
79 typedef struct private_ike_sa_t private_ike_sa_t;
80 typedef struct attribute_entry_t attribute_entry_t;
81
82 /**
83 * Private data of an ike_sa_t object.
84 */
85 struct private_ike_sa_t {
86
87 /**
88 * Public members
89 */
90 ike_sa_t public;
91
92 /**
93 * Identifier for the current IKE_SA.
94 */
95 ike_sa_id_t *ike_sa_id;
96
97 /**
98 * IKE version of this SA.
99 */
100 ike_version_t version;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 uint32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * currently used authentication ruleset, local
124 */
125 auth_cfg_t *my_auth;
126
127 /**
128 * currently used authentication constraints, remote
129 */
130 auth_cfg_t *other_auth;
131
132 /**
133 * Array of completed local authentication rounds (as auth_cfg_t)
134 */
135 array_t *my_auths;
136
137 /**
138 * Array of completed remote authentication rounds (as auth_cfg_t)
139 */
140 array_t *other_auths;
141
142 /**
143 * Selected IKE proposal
144 */
145 proposal_t *proposal;
146
147 /**
148 * Juggles tasks to process messages
149 */
150 task_manager_t *task_manager;
151
152 /**
153 * Address of local host
154 */
155 host_t *my_host;
156
157 /**
158 * Address of remote host
159 */
160 host_t *other_host;
161
162 #ifdef ME
163 /**
164 * Are we mediation server
165 */
166 bool is_mediation_server;
167
168 /**
169 * Server reflexive host
170 */
171 host_t *server_reflexive_host;
172
173 /**
174 * Connect ID
175 */
176 chunk_t connect_id;
177 #endif /* ME */
178
179 /**
180 * Identification used for us
181 */
182 identification_t *my_id;
183
184 /**
185 * Identification used for other
186 */
187 identification_t *other_id;
188
189 /**
190 * set of extensions the peer supports
191 */
192 ike_extension_t extensions;
193
194 /**
195 * set of condition flags currently enabled for this IKE_SA
196 */
197 ike_condition_t conditions;
198
199 /**
200 * Array containing the child sa's of the current IKE_SA.
201 */
202 array_t *child_sas;
203
204 /**
205 * keymat of this IKE_SA
206 */
207 keymat_t *keymat;
208
209 /**
210 * Virtual IPs on local host
211 */
212 array_t *my_vips;
213
214 /**
215 * Virtual IPs on remote host
216 */
217 array_t *other_vips;
218
219 /**
220 * List of configuration attributes (attribute_entry_t)
221 */
222 array_t *attributes;
223
224 /**
225 * list of peer's addresses, additional ones transmitted via MOBIKE
226 */
227 array_t *peer_addresses;
228
229 /**
230 * previously value of received DESTINATION_IP hash
231 */
232 chunk_t nat_detection_dest;
233
234 /**
235 * NAT keep alive interval
236 */
237 uint32_t keepalive_interval;
238
239 /**
240 * Time the NAT keep alive interval may be exceeded before triggering a DPD
241 * instead of a NAT keep alive
242 */
243 uint32_t keepalive_dpd_margin;
244
245 /**
246 * The scheduled keep alive job, if any
247 */
248 send_keepalive_job_t *keepalive_job;
249
250 /**
251 * interval for retries during initiation (e.g. if DNS resolution failed),
252 * 0 to disable (default)
253 */
254 uint32_t retry_initiate_interval;
255
256 /**
257 * TRUE if a retry_initiate_job has been queued
258 */
259 bool retry_initiate_queued;
260
261 /**
262 * Timestamps for this IKE_SA
263 */
264 uint32_t stats[STAT_MAX];
265
266 /**
267 * how many times we have retried so far (keyingtries)
268 */
269 uint32_t keyingtry;
270
271 /**
272 * local host address to be used for IKE, set via MIGRATE kernel message
273 */
274 host_t *local_host;
275
276 /**
277 * remote host address to be used for IKE, set via MIGRATE kernel message
278 */
279 host_t *remote_host;
280
281 /**
282 * Flush auth configs once established?
283 */
284 bool flush_auth_cfg;
285
286 /**
287 * Maximum length of a single fragment, 0 for address-specific defaults
288 */
289 size_t fragment_size;
290
291 /**
292 * Whether to follow IKEv2 redirects
293 */
294 bool follow_redirects;
295
296 /**
297 * Original gateway address from which we got redirected
298 */
299 host_t *redirected_from;
300
301 /**
302 * Timestamps of redirect attempts to handle loops
303 */
304 array_t *redirected_at;
305
306 /**
307 * Inbound interface ID
308 */
309 uint32_t if_id_in;
310
311 /**
312 * Outbound interface ID
313 */
314 uint32_t if_id_out;
315 };
316
317 /**
318 * Entry to maintain install configuration attributes during IKE_SA lifetime
319 */
320 struct attribute_entry_t {
321 /** handler used to install this attribute */
322 attribute_handler_t *handler;
323 /** attribute type */
324 configuration_attribute_type_t type;
325 /** attribute data */
326 chunk_t data;
327 };
328
329 /**
330 * get the time of the latest traffic processed by the kernel
331 */
332 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
333 {
334 enumerator_t *enumerator;
335 child_sa_t *child_sa;
336 time_t use_time, current;
337
338 if (inbound)
339 {
340 use_time = this->stats[STAT_INBOUND];
341 }
342 else
343 {
344 use_time = this->stats[STAT_OUTBOUND];
345 }
346
347 enumerator = array_create_enumerator(this->child_sas);
348 while (enumerator->enumerate(enumerator, &child_sa))
349 {
350 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
351 use_time = max(use_time, current);
352 }
353 enumerator->destroy(enumerator);
354
355 return use_time;
356 }
357
358 METHOD(ike_sa_t, get_unique_id, uint32_t,
359 private_ike_sa_t *this)
360 {
361 return this->unique_id;
362 }
363
364 METHOD(ike_sa_t, get_name, char*,
365 private_ike_sa_t *this)
366 {
367 if (this->peer_cfg)
368 {
369 return this->peer_cfg->get_name(this->peer_cfg);
370 }
371 return "(unnamed)";
372 }
373
374 METHOD(ike_sa_t, get_statistic, uint32_t,
375 private_ike_sa_t *this, statistic_t kind)
376 {
377 if (kind < STAT_MAX)
378 {
379 return this->stats[kind];
380 }
381 return 0;
382 }
383
384 METHOD(ike_sa_t, set_statistic, void,
385 private_ike_sa_t *this, statistic_t kind, uint32_t value)
386 {
387 if (kind < STAT_MAX)
388 {
389 this->stats[kind] = value;
390 }
391 }
392
393 METHOD(ike_sa_t, get_my_host, host_t*,
394 private_ike_sa_t *this)
395 {
396 return this->my_host;
397 }
398
399 METHOD(ike_sa_t, set_my_host, void,
400 private_ike_sa_t *this, host_t *me)
401 {
402 DESTROY_IF(this->my_host);
403 this->my_host = me;
404 }
405
406 METHOD(ike_sa_t, get_other_host, host_t*,
407 private_ike_sa_t *this)
408 {
409 return this->other_host;
410 }
411
412 METHOD(ike_sa_t, set_other_host, void,
413 private_ike_sa_t *this, host_t *other)
414 {
415 DESTROY_IF(this->other_host);
416 this->other_host = other;
417 }
418
419 METHOD(ike_sa_t, get_redirected_from, host_t*,
420 private_ike_sa_t *this)
421 {
422 return this->redirected_from;
423 }
424
425 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
426 private_ike_sa_t *this)
427 {
428 return this->peer_cfg;
429 }
430
431 METHOD(ike_sa_t, set_peer_cfg, void,
432 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
433 {
434 peer_cfg->get_ref(peer_cfg);
435 DESTROY_IF(this->peer_cfg);
436 this->peer_cfg = peer_cfg;
437
438 if (!this->ike_cfg)
439 {
440 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
441 this->ike_cfg->get_ref(this->ike_cfg);
442 }
443
444 this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE);
445 this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE);
446 allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
447 }
448
449 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
450 private_ike_sa_t *this, bool local)
451 {
452 if (local)
453 {
454 return this->my_auth;
455 }
456 return this->other_auth;
457 }
458
459 METHOD(ike_sa_t, add_auth_cfg, void,
460 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
461 {
462 if (local)
463 {
464 array_insert(this->my_auths, ARRAY_TAIL, cfg);
465 }
466 else
467 {
468 array_insert(this->other_auths, ARRAY_TAIL, cfg);
469 }
470 }
471
472 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
473 private_ike_sa_t *this, bool local)
474 {
475 if (local)
476 {
477 return array_create_enumerator(this->my_auths);
478 }
479 return array_create_enumerator(this->other_auths);
480 }
481
482 /**
483 * Flush the stored authentication round information
484 */
485 static void flush_auth_cfgs(private_ike_sa_t *this)
486 {
487 auth_cfg_t *cfg;
488
489 this->my_auth->purge(this->my_auth, FALSE);
490 this->other_auth->purge(this->other_auth, FALSE);
491
492 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
493 {
494 cfg->destroy(cfg);
495 }
496 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
497 {
498 cfg->destroy(cfg);
499 }
500 }
501
502 METHOD(ike_sa_t, verify_peer_certificate, bool,
503 private_ike_sa_t *this)
504 {
505 enumerator_t *e1, *e2, *certs;
506 auth_cfg_t *cfg, *cfg_done;
507 certificate_t *peer, *cert;
508 public_key_t *key;
509 auth_cfg_t *auth;
510 auth_cfg_wrapper_t *wrapper;
511 time_t not_before, not_after;
512 bool valid = TRUE, found;
513
514 if (this->state != IKE_ESTABLISHED)
515 {
516 DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
517 ike_sa_state_names, this->state);
518 return FALSE;
519 }
520
521 if (!this->flush_auth_cfg &&
522 lib->settings->get_bool(lib->settings,
523 "%s.flush_auth_cfg", FALSE, lib->ns))
524 { /* we can do this check only once if auth configs are flushed */
525 DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
526 "information has been flushed");
527 return FALSE;
528 }
529 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
530 FALSE);
531
532 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
533 e2 = array_create_enumerator(this->other_auths);
534 while (e1->enumerate(e1, &cfg))
535 {
536 if (!e2->enumerate(e2, &cfg_done))
537 { /* this should not happen as the authentication should never have
538 * succeeded */
539 valid = FALSE;
540 break;
541 }
542 if ((uintptr_t)cfg_done->get(cfg_done,
543 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
544 {
545 continue;
546 }
547 peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
548 if (!peer)
549 {
550 DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
551 "verification");
552 continue;
553 }
554 if (!peer->get_validity(peer, NULL, &not_before, &not_after))
555 {
556 DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
557 &not_before, FALSE, &not_after, FALSE);
558 valid = FALSE;
559 break;
560 }
561 key = peer->get_public_key(peer);
562 if (!key)
563 {
564 DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
565 "verification");
566 continue;
567 }
568 DBG1(DBG_IKE, "verifying peer certificate");
569 /* serve received certificates */
570 wrapper = auth_cfg_wrapper_create(cfg_done);
571 lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
572 certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
573 key->get_type(key), peer->get_subject(peer), TRUE);
574 key->destroy(key);
575
576 found = FALSE;
577 while (certs->enumerate(certs, &cert, &auth))
578 {
579 if (peer->equals(peer, cert))
580 {
581 cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
582 FALSE);
583 cfg_done->merge(cfg_done, auth, FALSE);
584 valid = cfg_done->complies(cfg_done, cfg, TRUE);
585 found = TRUE;
586 break;
587 }
588 }
589 certs->destroy(certs);
590 lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
591 wrapper->destroy(wrapper);
592 if (!found || !valid)
593 {
594 valid = FALSE;
595 break;
596 }
597 }
598 e1->destroy(e1);
599 e2->destroy(e2);
600
601 if (this->flush_auth_cfg)
602 {
603 this->flush_auth_cfg = FALSE;
604 flush_auth_cfgs(this);
605 }
606 return valid;
607 }
608
609 METHOD(ike_sa_t, get_proposal, proposal_t*,
610 private_ike_sa_t *this)
611 {
612 return this->proposal;
613 }
614
615 METHOD(ike_sa_t, set_proposal, void,
616 private_ike_sa_t *this, proposal_t *proposal)
617 {
618 DESTROY_IF(this->proposal);
619 this->proposal = proposal->clone(proposal, 0);
620 }
621
622 METHOD(ike_sa_t, set_message_id, void,
623 private_ike_sa_t *this, bool initiate, uint32_t mid)
624 {
625 if (initiate)
626 {
627 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
628 }
629 else
630 {
631 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
632 }
633 }
634
635 METHOD(ike_sa_t, get_message_id, uint32_t,
636 private_ike_sa_t *this, bool initiate)
637 {
638 return this->task_manager->get_mid(this->task_manager, initiate);
639 }
640
641 METHOD(ike_sa_t, send_keepalive, void,
642 private_ike_sa_t *this, bool scheduled)
643 {
644 time_t last_out, now, diff;
645
646 if (scheduled)
647 {
648 this->keepalive_job = NULL;
649 }
650 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
651 { /* keepalives disabled either by configuration or for passive IKE_SAs */
652 return;
653 }
654 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
655 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
656 return;
657 }
658
659 last_out = get_use_time(this, FALSE);
660 now = time_monotonic(NULL);
661
662 diff = now - last_out;
663
664 if (this->keepalive_dpd_margin &&
665 diff > (this->keepalive_interval + this->keepalive_dpd_margin))
666 {
667 if (!this->task_manager->busy(this->task_manager))
668 {
669 DBG1(DBG_IKE, "sending DPD instead of keep alive %ds after last "
670 "outbound message", diff);
671 this->task_manager->queue_dpd(this->task_manager);
672 this->task_manager->initiate(this->task_manager);
673 }
674 diff = 0;
675 }
676 else if (diff >= this->keepalive_interval)
677 {
678 packet_t *packet;
679 chunk_t data;
680
681 packet = packet_create();
682 packet->set_source(packet, this->my_host->clone(this->my_host));
683 packet->set_destination(packet, this->other_host->clone(this->other_host));
684 data.ptr = malloc(1);
685 data.ptr[0] = 0xFF;
686 data.len = 1;
687 packet->set_data(packet, data);
688 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
689 charon->sender->send_no_marker(charon->sender, packet);
690 this->stats[STAT_OUTBOUND] = now;
691 diff = 0;
692 }
693 if (!this->keepalive_job)
694 {
695 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
696 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
697 this->keepalive_interval - diff);
698 }
699 }
700
701 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
702 private_ike_sa_t *this)
703 {
704 return this->ike_cfg;
705 }
706
707 METHOD(ike_sa_t, set_ike_cfg, void,
708 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
709 {
710 DESTROY_IF(this->ike_cfg);
711 ike_cfg->get_ref(ike_cfg);
712 this->ike_cfg = ike_cfg;
713 }
714
715 METHOD(ike_sa_t, enable_extension, void,
716 private_ike_sa_t *this, ike_extension_t extension)
717 {
718 this->extensions |= extension;
719 }
720
721 METHOD(ike_sa_t, supports_extension, bool,
722 private_ike_sa_t *this, ike_extension_t extension)
723 {
724 return (this->extensions & extension) != FALSE;
725 }
726
727 METHOD(ike_sa_t, has_condition, bool,
728 private_ike_sa_t *this, ike_condition_t condition)
729 {
730 return (this->conditions & condition) != FALSE;
731 }
732
733 METHOD(ike_sa_t, set_condition, void,
734 private_ike_sa_t *this, ike_condition_t condition, bool enable)
735 {
736 if (has_condition(this, condition) != enable)
737 {
738 if (enable)
739 {
740 this->conditions |= condition;
741 switch (condition)
742 {
743 case COND_NAT_HERE:
744 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
745 this->conditions |= COND_NAT_ANY;
746 send_keepalive(this, FALSE);
747 break;
748 case COND_NAT_THERE:
749 DBG1(DBG_IKE, "remote host is behind NAT");
750 this->conditions |= COND_NAT_ANY;
751 break;
752 case COND_NAT_FAKE:
753 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
754 this->conditions |= COND_NAT_ANY;
755 break;
756 default:
757 break;
758 }
759 }
760 else
761 {
762 this->conditions &= ~condition;
763 switch (condition)
764 {
765 case COND_NAT_HERE:
766 case COND_NAT_THERE:
767 DBG1(DBG_IKE, "%s host is not behind NAT anymore",
768 condition == COND_NAT_HERE ? "local" : "remote");
769 /* fall-through */
770 case COND_NAT_FAKE:
771 set_condition(this, COND_NAT_ANY,
772 has_condition(this, COND_NAT_HERE) ||
773 has_condition(this, COND_NAT_THERE) ||
774 has_condition(this, COND_NAT_FAKE));
775 break;
776 case COND_STALE:
777 send_keepalive(this, FALSE);
778 break;
779 default:
780 break;
781 }
782 }
783 }
784 }
785
786 METHOD(ike_sa_t, send_dpd, status_t,
787 private_ike_sa_t *this)
788 {
789 job_t *job;
790 time_t diff, delay;
791 bool task_queued = FALSE;
792
793 if (this->state == IKE_PASSIVE)
794 {
795 return INVALID_STATE;
796 }
797 if (this->version == IKEV1 && this->state == IKE_REKEYING)
798 { /* don't send DPDs for rekeyed IKEv1 SAs */
799 return SUCCESS;
800 }
801 delay = this->peer_cfg->get_dpd(this->peer_cfg);
802 if (this->task_manager->busy(this->task_manager))
803 {
804 /* an exchange is in the air, no need to start a DPD check */
805 diff = 0;
806 }
807 else
808 {
809 /* check if there was any inbound traffic */
810 time_t last_in, now;
811 last_in = get_use_time(this, TRUE);
812 now = time_monotonic(NULL);
813 diff = now - last_in;
814 if (!delay || diff >= delay)
815 {
816 /* too long ago, initiate dead peer detection */
817 DBG1(DBG_IKE, "sending DPD request");
818 this->task_manager->queue_dpd(this->task_manager);
819 task_queued = TRUE;
820 diff = 0;
821 }
822 }
823 /* recheck in "interval" seconds */
824 if (delay)
825 {
826 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
827 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
828 }
829 if (task_queued)
830 {
831 return this->task_manager->initiate(this->task_manager);
832 }
833 return SUCCESS;
834 }
835
836 METHOD(ike_sa_t, get_state, ike_sa_state_t,
837 private_ike_sa_t *this)
838 {
839 return this->state;
840 }
841
842 METHOD(ike_sa_t, set_state, void,
843 private_ike_sa_t *this, ike_sa_state_t state)
844 {
845 bool trigger_dpd = FALSE, keepalives = FALSE;
846
847 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
848 get_name(this), this->unique_id,
849 ike_sa_state_names, this->state,
850 ike_sa_state_names, state);
851
852 switch (state)
853 {
854 case IKE_ESTABLISHED:
855 {
856 if (this->state == IKE_CONNECTING ||
857 this->state == IKE_PASSIVE)
858 {
859 job_t *job;
860 uint32_t t;
861
862 /* calculate rekey, reauth and lifetime */
863 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
864
865 /* schedule rekeying if we have a time which is smaller than
866 * an already scheduled rekeying */
867 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
868 if (t && (this->stats[STAT_REKEY] == 0 ||
869 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
870 {
871 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
872 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
873 lib->scheduler->schedule_job(lib->scheduler, job, t);
874 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
875 }
876 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
877 if (t && (this->stats[STAT_REAUTH] == 0 ||
878 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
879 {
880 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
881 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
882 lib->scheduler->schedule_job(lib->scheduler, job, t);
883 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
884 }
885 t = this->peer_cfg->get_over_time(this->peer_cfg);
886 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
887 {
888 if (this->stats[STAT_REAUTH] == 0)
889 {
890 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
891 }
892 else if (this->stats[STAT_REKEY] == 0)
893 {
894 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
895 }
896 else
897 {
898 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
899 this->stats[STAT_REAUTH]);
900 }
901 this->stats[STAT_DELETE] += t;
902 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
903 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
904 lib->scheduler->schedule_job(lib->scheduler, job, t);
905 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
906 }
907 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
908 if (trigger_dpd)
909 {
910 /* Some peers delay the DELETE after rekeying an IKE_SA.
911 * If this delay is longer than our DPD delay, we would
912 * send a DPD request here. The IKE_SA is not ready to do
913 * so yet, so prevent that. */
914 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
915 }
916 if (this->state == IKE_PASSIVE)
917 {
918 keepalives = TRUE;
919 }
920 DESTROY_IF(this->redirected_from);
921 this->redirected_from = NULL;
922 }
923 break;
924 }
925 default:
926 break;
927 }
928 charon->bus->ike_state_change(charon->bus, &this->public, state);
929 this->state = state;
930
931 if (trigger_dpd)
932 {
933 if (supports_extension(this, EXT_DPD))
934 {
935 send_dpd(this);
936 }
937 else
938 {
939 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
940 }
941 }
942 if (keepalives)
943 {
944 send_keepalive(this, FALSE);
945 }
946 }
947
948 METHOD(ike_sa_t, reset, void,
949 private_ike_sa_t *this, bool new_spi)
950 {
951 /* reset the initiator SPI if requested */
952 if (new_spi)
953 {
954 charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
955 &this->public);
956
957 /* when starting from scratch, connect to the original peer again e.g.
958 * if we got redirected but weren't able to connect successfully */
959 if (this->redirected_from)
960 {
961 this->redirected_from->destroy(this->redirected_from);
962 this->redirected_from = NULL;
963 /* we can't restore the original value, if there was any */
964 DESTROY_IF(this->remote_host);
965 this->remote_host = NULL;
966 }
967 }
968 /* the responder ID is reset, as peer may choose another one */
969 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
970 {
971 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
972 }
973
974 set_state(this, IKE_CREATED);
975
976 flush_auth_cfgs(this);
977
978 this->keymat->destroy(this->keymat);
979 this->keymat = keymat_create(this->version,
980 this->ike_sa_id->is_initiator(this->ike_sa_id));
981
982 this->task_manager->reset(this->task_manager, 0, 0);
983 this->task_manager->queue_ike(this->task_manager);
984 }
985
986 METHOD(ike_sa_t, get_keymat, keymat_t*,
987 private_ike_sa_t *this)
988 {
989 return this->keymat;
990 }
991
992 METHOD(ike_sa_t, add_virtual_ip, void,
993 private_ike_sa_t *this, bool local, host_t *ip)
994 {
995 if (local)
996 {
997 char *iface;
998
999 if (charon->kernel->get_interface(charon->kernel, this->my_host,
1000 &iface))
1001 {
1002 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
1003 if (charon->kernel->add_ip(charon->kernel, ip, -1,
1004 iface) == SUCCESS)
1005 {
1006 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
1007 }
1008 else
1009 {
1010 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
1011 }
1012 free(iface);
1013 }
1014 else
1015 {
1016 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
1017 }
1018 }
1019 else
1020 {
1021 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
1022 }
1023 }
1024
1025
1026 METHOD(ike_sa_t, clear_virtual_ips, void,
1027 private_ike_sa_t *this, bool local)
1028 {
1029 array_t *vips;
1030 host_t *vip;
1031
1032 vips = local ? this->my_vips : this->other_vips;
1033 if (!local && array_count(vips))
1034 {
1035 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
1036 }
1037 while (array_remove(vips, ARRAY_HEAD, &vip))
1038 {
1039 if (local)
1040 {
1041 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
1042 }
1043 vip->destroy(vip);
1044 }
1045 }
1046
1047 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
1048 private_ike_sa_t *this, bool local)
1049 {
1050 if (local)
1051 {
1052 return array_create_enumerator(this->my_vips);
1053 }
1054 return array_create_enumerator(this->other_vips);
1055 }
1056
1057 METHOD(ike_sa_t, add_peer_address, void,
1058 private_ike_sa_t *this, host_t *host)
1059 {
1060 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
1061 }
1062
1063 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
1064 private_ike_sa_t *this)
1065 {
1066 if (this->peer_addresses)
1067 {
1068 return array_create_enumerator(this->peer_addresses);
1069 }
1070 /* in case we don't have MOBIKE */
1071 return enumerator_create_single(this->other_host, NULL);
1072 }
1073
1074 METHOD(ike_sa_t, clear_peer_addresses, void,
1075 private_ike_sa_t *this)
1076 {
1077 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
1078 this->peer_addresses = NULL;
1079 }
1080
1081 METHOD(ike_sa_t, has_mapping_changed, bool,
1082 private_ike_sa_t *this, chunk_t hash)
1083 {
1084 if (this->nat_detection_dest.ptr == NULL)
1085 {
1086 this->nat_detection_dest = chunk_clone(hash);
1087 return FALSE;
1088 }
1089 if (chunk_equals(hash, this->nat_detection_dest))
1090 {
1091 return FALSE;
1092 }
1093 free(this->nat_detection_dest.ptr);
1094 this->nat_detection_dest = chunk_clone(hash);
1095 return TRUE;
1096 }
1097
1098 METHOD(ike_sa_t, float_ports, void,
1099 private_ike_sa_t *this)
1100 {
1101 /* even if the remote port is not 500 (e.g. because the response was natted)
1102 * we switch the remote port if we used port 500 */
1103 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
1104 this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
1105 {
1106 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
1107 }
1108 if (this->my_host->get_port(this->my_host) ==
1109 charon->socket->get_port(charon->socket, FALSE))
1110 {
1111 this->my_host->set_port(this->my_host,
1112 charon->socket->get_port(charon->socket, TRUE));
1113 }
1114 }
1115
1116 METHOD(ike_sa_t, update_hosts, void,
1117 private_ike_sa_t *this, host_t *me, host_t *other, update_hosts_flag_t flags)
1118 {
1119 host_t *new_me = NULL, *new_other = NULL;
1120 bool silent = FALSE;
1121
1122 if (me == NULL)
1123 {
1124 me = this->my_host;
1125 }
1126 if (other == NULL)
1127 {
1128 other = this->other_host;
1129 }
1130
1131 /* apply hosts on first received message */
1132 if (this->my_host->is_anyaddr(this->my_host) ||
1133 this->other_host->is_anyaddr(this->other_host))
1134 {
1135 new_me = me;
1136 new_other = other;
1137 silent = TRUE;
1138 }
1139 else
1140 {
1141 /* update our address only if forced */
1142 if ((flags & UPDATE_HOSTS_FORCE_LOCAL) && !me->equals(me, this->my_host))
1143 {
1144 new_me = me;
1145 }
1146
1147 if (!other->equals(other, this->other_host) &&
1148 ((flags & UPDATE_HOSTS_FORCE_REMOTE) || has_condition(this, COND_NAT_THERE)))
1149 {
1150 /* only update other's address if we are behind a static NAT,
1151 * which we assume is the case if we are not initiator */
1152 if ((flags & UPDATE_HOSTS_FORCE_REMOTE) ||
1153 (!has_condition(this, COND_NAT_HERE) ||
1154 !has_condition(this, COND_ORIGINAL_INITIATOR)))
1155 {
1156 new_other = other;
1157 }
1158 }
1159 }
1160
1161 if (new_me || new_other || (flags & UPDATE_HOSTS_FORCE_CHILDREN))
1162 {
1163 enumerator_t *enumerator;
1164 child_sa_t *child_sa;
1165 linked_list_t *vips;
1166
1167 if ((new_me || new_other) && !silent)
1168 {
1169 charon->bus->ike_update(charon->bus, &this->public,
1170 new_me ?: this->my_host,
1171 new_other ?: this->other_host);
1172 }
1173 if (new_me)
1174 {
1175 set_my_host(this, new_me->clone(new_me));
1176 }
1177 if (new_other)
1178 {
1179 set_other_host(this, new_other->clone(new_other));
1180 }
1181
1182 vips = linked_list_create_from_enumerator(
1183 array_create_enumerator(this->my_vips));
1184
1185 enumerator = array_create_enumerator(this->child_sas);
1186 while (enumerator->enumerate(enumerator, &child_sa))
1187 {
1188 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1189 charon->child_sa_manager->add(charon->child_sa_manager,
1190 child_sa, &this->public);
1191
1192 if (child_sa->update(child_sa, this->my_host, this->other_host,
1193 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1194 {
1195 this->public.rekey_child_sa(&this->public,
1196 child_sa->get_protocol(child_sa),
1197 child_sa->get_spi(child_sa, TRUE));
1198 }
1199
1200 }
1201 enumerator->destroy(enumerator);
1202
1203 vips->destroy(vips);
1204 }
1205 }
1206
1207 /**
1208 * Set configured DSCP value on packet
1209 */
1210 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1211 {
1212 ike_cfg_t *ike_cfg;
1213
1214 /* prefer IKE config on peer_cfg, as its selection is more accurate
1215 * then the initial IKE config */
1216 if (this->peer_cfg)
1217 {
1218 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1219 }
1220 else
1221 {
1222 ike_cfg = this->ike_cfg;
1223 }
1224 if (ike_cfg)
1225 {
1226 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1227 }
1228 }
1229
1230 METHOD(ike_sa_t, generate_message, status_t,
1231 private_ike_sa_t *this, message_t *message, packet_t **packet)
1232 {
1233 status_t status;
1234
1235 if (message->is_encoded(message))
1236 { /* already encoded in task, but set DSCP value */
1237 *packet = message->get_packet(message);
1238 set_dscp(this, *packet);
1239 return SUCCESS;
1240 }
1241 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1242 message->set_ike_sa_id(message, this->ike_sa_id);
1243 charon->bus->message(charon->bus, message, FALSE, TRUE);
1244 status = message->generate(message, this->keymat, packet);
1245 if (status == SUCCESS)
1246 {
1247 set_dscp(this, *packet);
1248 charon->bus->message(charon->bus, message, FALSE, FALSE);
1249 }
1250 return status;
1251 }
1252
1253 CALLBACK(filter_fragments, bool,
1254 private_ike_sa_t *this, enumerator_t *orig, va_list args)
1255 {
1256 packet_t *fragment, **packet;
1257
1258 VA_ARGS_VGET(args, packet);
1259
1260 if (orig->enumerate(orig, &fragment))
1261 {
1262 *packet = fragment->clone(fragment);
1263 set_dscp(this, *packet);
1264 return TRUE;
1265 }
1266 return FALSE;
1267 }
1268
1269 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1270 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1271 {
1272 enumerator_t *fragments;
1273 packet_t *packet;
1274 status_t status;
1275 bool use_frags = FALSE;
1276 bool pre_generated = FALSE;
1277
1278 if (this->ike_cfg)
1279 {
1280 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1281 {
1282 case FRAGMENTATION_FORCE:
1283 use_frags = TRUE;
1284 break;
1285 case FRAGMENTATION_YES:
1286 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1287 if (use_frags && this->version == IKEV1 &&
1288 supports_extension(this, EXT_MS_WINDOWS))
1289 {
1290 /* It seems Windows 7 and 8 peers only accept proprietary
1291 * fragmented messages if they expect certificates. */
1292 use_frags = message->get_payload(message,
1293 PLV1_CERTIFICATE) != NULL;
1294 }
1295 break;
1296 default:
1297 break;
1298 }
1299 }
1300 if (!use_frags)
1301 {
1302 status = generate_message(this, message, &packet);
1303 if (status != SUCCESS)
1304 {
1305 return status;
1306 }
1307 *packets = enumerator_create_single(packet, NULL);
1308 return SUCCESS;
1309 }
1310
1311 pre_generated = message->is_encoded(message);
1312 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1313 message->set_ike_sa_id(message, this->ike_sa_id);
1314 if (!pre_generated)
1315 {
1316 charon->bus->message(charon->bus, message, FALSE, TRUE);
1317 }
1318 status = message->fragment(message, this->keymat, this->fragment_size,
1319 &fragments);
1320 if (status == SUCCESS)
1321 {
1322 if (!pre_generated)
1323 {
1324 charon->bus->message(charon->bus, message, FALSE, FALSE);
1325 }
1326 *packets = enumerator_create_filter(fragments, filter_fragments,
1327 this, NULL);
1328 }
1329 return status;
1330 }
1331
1332 METHOD(ike_sa_t, set_kmaddress, void,
1333 private_ike_sa_t *this, host_t *local, host_t *remote)
1334 {
1335 DESTROY_IF(this->local_host);
1336 DESTROY_IF(this->remote_host);
1337 this->local_host = local->clone(local);
1338 this->remote_host = remote->clone(remote);
1339 }
1340
1341 #ifdef ME
1342 METHOD(ike_sa_t, act_as_mediation_server, void,
1343 private_ike_sa_t *this)
1344 {
1345 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1346 this->other_id, this->ike_sa_id);
1347 this->is_mediation_server = TRUE;
1348 }
1349
1350 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1351 private_ike_sa_t *this)
1352 {
1353 return this->server_reflexive_host;
1354 }
1355
1356 METHOD(ike_sa_t, set_server_reflexive_host, void,
1357 private_ike_sa_t *this, host_t *host)
1358 {
1359 DESTROY_IF(this->server_reflexive_host);
1360 this->server_reflexive_host = host;
1361 }
1362
1363 METHOD(ike_sa_t, get_connect_id, chunk_t,
1364 private_ike_sa_t *this)
1365 {
1366 return this->connect_id;
1367 }
1368
1369 METHOD(ike_sa_t, respond, status_t,
1370 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1371 {
1372 ike_me_t *task = ike_me_create(&this->public, TRUE);
1373 task->respond(task, peer_id, connect_id);
1374 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1375 return this->task_manager->initiate(this->task_manager);
1376 }
1377
1378 METHOD(ike_sa_t, callback, status_t,
1379 private_ike_sa_t *this, identification_t *peer_id)
1380 {
1381 ike_me_t *task = ike_me_create(&this->public, TRUE);
1382 task->callback(task, peer_id);
1383 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1384 return this->task_manager->initiate(this->task_manager);
1385 }
1386
1387 METHOD(ike_sa_t, relay, status_t,
1388 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1389 chunk_t connect_key, linked_list_t *endpoints, bool response)
1390 {
1391 ike_me_t *task = ike_me_create(&this->public, TRUE);
1392 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1393 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1394 return this->task_manager->initiate(this->task_manager);
1395 }
1396
1397 METHOD(ike_sa_t, initiate_mediation, status_t,
1398 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1399 {
1400 ike_me_t *task = ike_me_create(&this->public, TRUE);
1401 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1402 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1403 return this->task_manager->initiate(this->task_manager);
1404 }
1405
1406 METHOD(ike_sa_t, initiate_mediated, status_t,
1407 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1408 {
1409 set_my_host(this, me->clone(me));
1410 set_other_host(this, other->clone(other));
1411 chunk_free(&this->connect_id);
1412 this->connect_id = chunk_clone(connect_id);
1413 return this->task_manager->initiate(this->task_manager);
1414 }
1415 #endif /* ME */
1416
1417 /**
1418 * Resolve DNS host in configuration
1419 */
1420 static void resolve_hosts(private_ike_sa_t *this)
1421 {
1422 host_t *host;
1423 int family = AF_UNSPEC;
1424
1425 switch (charon->socket->supported_families(charon->socket))
1426 {
1427 case SOCKET_FAMILY_IPV4:
1428 family = AF_INET;
1429 break;
1430 case SOCKET_FAMILY_IPV6:
1431 family = AF_INET6;
1432 break;
1433 case SOCKET_FAMILY_BOTH:
1434 case SOCKET_FAMILY_NONE:
1435 break;
1436 }
1437
1438 /* if an IP address is set locally, use the same family to resolve remote */
1439 if (family == AF_UNSPEC && !this->remote_host)
1440 {
1441 if (this->local_host)
1442 {
1443 family = this->local_host->get_family(this->local_host);
1444 }
1445 else
1446 {
1447 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1448 }
1449 }
1450
1451 if (this->remote_host)
1452 {
1453 host = this->remote_host->clone(this->remote_host);
1454 host->set_port(host, IKEV2_UDP_PORT);
1455 }
1456 else
1457 {
1458 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1459 }
1460 if (host)
1461 {
1462 if (!host->is_anyaddr(host) ||
1463 this->other_host->is_anyaddr(this->other_host))
1464 { /* don't set to %any if we currently have an address, but the
1465 * address family might have changed */
1466 set_other_host(this, host);
1467 }
1468 else
1469 { /* reuse the original port as some implementations might not like
1470 * initial IKE messages on other ports */
1471 this->other_host->set_port(this->other_host, host->get_port(host));
1472 host->destroy(host);
1473 }
1474 }
1475
1476 if (this->local_host)
1477 {
1478 host = this->local_host->clone(this->local_host);
1479 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1480 }
1481 else
1482 {
1483 /* use same address family as for other */
1484 if (!this->other_host->is_anyaddr(this->other_host))
1485 {
1486 family = this->other_host->get_family(this->other_host);
1487 }
1488 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1489
1490 if (host && host->is_anyaddr(host) &&
1491 !this->other_host->is_anyaddr(this->other_host))
1492 {
1493 host->destroy(host);
1494 host = charon->kernel->get_source_addr(charon->kernel,
1495 this->other_host, NULL);
1496 if (host)
1497 {
1498 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1499 }
1500 else
1501 { /* fallback to address family specific %any(6), if configured */
1502 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1503 }
1504 }
1505 }
1506 if (host)
1507 {
1508 set_my_host(this, host);
1509 }
1510 }
1511
1512 METHOD(ike_sa_t, initiate, status_t,
1513 private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid,
1514 traffic_selector_t *tsi, traffic_selector_t *tsr)
1515 {
1516 bool defer_initiate = FALSE;
1517
1518 if (this->state == IKE_CREATED)
1519 {
1520 if (this->my_host->is_anyaddr(this->my_host) ||
1521 this->other_host->is_anyaddr(this->other_host))
1522 {
1523 resolve_hosts(this);
1524 }
1525
1526 if (this->other_host->is_anyaddr(this->other_host)
1527 #ifdef ME
1528 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1529 #endif /* ME */
1530 )
1531 {
1532 char *addr;
1533
1534 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1535 if (!this->retry_initiate_interval)
1536 {
1537 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1538 addr);
1539 DESTROY_IF(child_cfg);
1540 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1541 return DESTROY_ME;
1542 }
1543 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1544 addr, this->retry_initiate_interval);
1545 defer_initiate = TRUE;
1546 }
1547
1548 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1549 this->task_manager->queue_ike(this->task_manager);
1550 }
1551
1552 #ifdef ME
1553 if (this->peer_cfg->is_mediation(this->peer_cfg))
1554 {
1555 if (this->state == IKE_ESTABLISHED)
1556 {
1557 /* mediation connection is already established, retrigger state
1558 * change to notify bus listeners */
1559 DBG1(DBG_IKE, "mediation connection is already up");
1560 set_state(this, IKE_ESTABLISHED);
1561 }
1562 DESTROY_IF(child_cfg);
1563 }
1564 else
1565 #endif /* ME */
1566 if (child_cfg)
1567 {
1568 /* normal IKE_SA with CHILD_SA */
1569 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1570 tsi, tsr);
1571 #ifdef ME
1572 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1573 {
1574 /* mediated connection, initiate mediation process */
1575 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1576 lib->processor->queue_job(lib->processor, job);
1577 return SUCCESS;
1578 }
1579 #endif /* ME */
1580 }
1581
1582 if (defer_initiate)
1583 {
1584 if (!this->retry_initiate_queued)
1585 {
1586 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1587 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1588 this->retry_initiate_interval);
1589 this->retry_initiate_queued = TRUE;
1590 }
1591 return SUCCESS;
1592 }
1593 this->retry_initiate_queued = FALSE;
1594 return this->task_manager->initiate(this->task_manager);
1595 }
1596
1597 METHOD(ike_sa_t, retry_initiate, status_t,
1598 private_ike_sa_t *this)
1599 {
1600 if (this->retry_initiate_queued)
1601 {
1602 this->retry_initiate_queued = FALSE;
1603 return initiate(this, NULL, 0, NULL, NULL);
1604 }
1605 return SUCCESS;
1606 }
1607
1608 METHOD(ike_sa_t, process_message, status_t,
1609 private_ike_sa_t *this, message_t *message)
1610 {
1611 status_t status;
1612
1613 if (this->state == IKE_PASSIVE)
1614 { /* do not handle messages in passive state */
1615 return FAILED;
1616 }
1617 if (message->get_major_version(message) != this->version)
1618 {
1619 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1620 exchange_type_names, message->get_exchange_type(message),
1621 message->get_major_version(message),
1622 ike_version_names, this->version);
1623 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1624 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1625 return FAILED;
1626 }
1627 status = this->task_manager->process_message(this->task_manager, message);
1628 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1629 {
1630 /* authentication completed but if the online validation is suspended we
1631 * need the auth cfgs until we did the delayed verification, we flush
1632 * them afterwards */
1633 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
1634 {
1635 this->flush_auth_cfg = FALSE;
1636 flush_auth_cfgs(this);
1637 }
1638 }
1639 return status;
1640 }
1641
1642 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1643 private_ike_sa_t *this)
1644 {
1645 return this->ike_sa_id;
1646 }
1647
1648 METHOD(ike_sa_t, get_version, ike_version_t,
1649 private_ike_sa_t *this)
1650 {
1651 return this->version;
1652 }
1653
1654 METHOD(ike_sa_t, get_my_id, identification_t*,
1655 private_ike_sa_t *this)
1656 {
1657 return this->my_id;
1658 }
1659
1660 METHOD(ike_sa_t, set_my_id, void,
1661 private_ike_sa_t *this, identification_t *me)
1662 {
1663 DESTROY_IF(this->my_id);
1664 this->my_id = me;
1665 }
1666
1667 METHOD(ike_sa_t, get_other_id, identification_t*,
1668 private_ike_sa_t *this)
1669 {
1670 return this->other_id;
1671 }
1672
1673 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1674 private_ike_sa_t *this)
1675 {
1676 identification_t *id = NULL, *current;
1677 enumerator_t *enumerator;
1678 auth_cfg_t *cfg;
1679
1680 enumerator = array_create_enumerator(this->other_auths);
1681 while (enumerator->enumerate(enumerator, &cfg))
1682 {
1683 /* prefer EAP-Identity of last round */
1684 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1685 if (!current || current->get_type(current) == ID_ANY)
1686 {
1687 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1688 }
1689 if (!current || current->get_type(current) == ID_ANY)
1690 {
1691 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1692 }
1693 if (current && current->get_type(current) != ID_ANY)
1694 {
1695 id = current;
1696 continue;
1697 }
1698 }
1699 enumerator->destroy(enumerator);
1700 if (id)
1701 {
1702 return id;
1703 }
1704 return this->other_id;
1705 }
1706
1707 METHOD(ike_sa_t, set_other_id, void,
1708 private_ike_sa_t *this, identification_t *other)
1709 {
1710 DESTROY_IF(this->other_id);
1711 this->other_id = other;
1712 }
1713
1714 METHOD(ike_sa_t, get_if_id, uint32_t,
1715 private_ike_sa_t *this, bool inbound)
1716 {
1717 return inbound ? this->if_id_in : this->if_id_out;
1718 }
1719
1720 METHOD(ike_sa_t, add_child_sa, void,
1721 private_ike_sa_t *this, child_sa_t *child_sa)
1722 {
1723 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1724 charon->child_sa_manager->add(charon->child_sa_manager,
1725 child_sa, &this->public);
1726 }
1727
1728 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1729 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
1730 {
1731 enumerator_t *enumerator;
1732 child_sa_t *current, *found = NULL;
1733
1734 enumerator = array_create_enumerator(this->child_sas);
1735 while (enumerator->enumerate(enumerator, (void**)&current))
1736 {
1737 if (current->get_spi(current, inbound) == spi &&
1738 current->get_protocol(current) == protocol)
1739 {
1740 found = current;
1741 }
1742 }
1743 enumerator->destroy(enumerator);
1744 return found;
1745 }
1746
1747 METHOD(ike_sa_t, get_child_count, int,
1748 private_ike_sa_t *this)
1749 {
1750 return array_count(this->child_sas);
1751 }
1752
1753 /**
1754 * Private data of a create_child_sa_enumerator()
1755 */
1756 typedef struct {
1757 /** implements enumerator */
1758 enumerator_t public;
1759 /** inner array enumerator */
1760 enumerator_t *inner;
1761 /** current item */
1762 child_sa_t *current;
1763 } child_enumerator_t;
1764
1765 METHOD(enumerator_t, child_enumerate, bool,
1766 child_enumerator_t *this, va_list args)
1767 {
1768 child_sa_t **child_sa;
1769
1770 VA_ARGS_VGET(args, child_sa);
1771 if (this->inner->enumerate(this->inner, &this->current))
1772 {
1773 *child_sa = this->current;
1774 return TRUE;
1775 }
1776 return FALSE;
1777 }
1778
1779 METHOD(enumerator_t, child_enumerator_destroy, void,
1780 child_enumerator_t *this)
1781 {
1782 this->inner->destroy(this->inner);
1783 free(this);
1784 }
1785
1786 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1787 private_ike_sa_t *this)
1788 {
1789 child_enumerator_t *enumerator;
1790
1791 INIT(enumerator,
1792 .public = {
1793 .enumerate = enumerator_enumerate_default,
1794 .venumerate = _child_enumerate,
1795 .destroy = _child_enumerator_destroy,
1796 },
1797 .inner = array_create_enumerator(this->child_sas),
1798 );
1799 return &enumerator->public;
1800 }
1801
1802 METHOD(ike_sa_t, remove_child_sa, void,
1803 private_ike_sa_t *this, enumerator_t *enumerator)
1804 {
1805 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1806
1807 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1808 array_remove_at(this->child_sas, ce->inner);
1809 }
1810
1811 METHOD(ike_sa_t, rekey_child_sa, status_t,
1812 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1813 {
1814 if (this->state == IKE_PASSIVE)
1815 {
1816 return INVALID_STATE;
1817 }
1818 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1819 return this->task_manager->initiate(this->task_manager);
1820 }
1821
1822 METHOD(ike_sa_t, delete_child_sa, status_t,
1823 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
1824 {
1825 if (this->state == IKE_PASSIVE)
1826 {
1827 return INVALID_STATE;
1828 }
1829 this->task_manager->queue_child_delete(this->task_manager,
1830 protocol, spi, expired);
1831 return this->task_manager->initiate(this->task_manager);
1832 }
1833
1834 METHOD(ike_sa_t, destroy_child_sa, status_t,
1835 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1836 {
1837 enumerator_t *enumerator;
1838 child_sa_t *child_sa;
1839 status_t status = NOT_FOUND;
1840
1841 enumerator = create_child_sa_enumerator(this);
1842 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1843 {
1844 if (child_sa->get_protocol(child_sa) == protocol &&
1845 child_sa->get_spi(child_sa, TRUE) == spi)
1846 {
1847 remove_child_sa(this, enumerator);
1848 child_sa->destroy(child_sa);
1849 status = SUCCESS;
1850 break;
1851 }
1852 }
1853 enumerator->destroy(enumerator);
1854 return status;
1855 }
1856
1857 METHOD(ike_sa_t, delete_, status_t,
1858 private_ike_sa_t *this, bool force)
1859 {
1860 status_t status = DESTROY_ME;
1861
1862 switch (this->state)
1863 {
1864 case IKE_ESTABLISHED:
1865 case IKE_REKEYING:
1866 if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
1867 !(this->version == IKEV1 && this->state == IKE_REKEYING))
1868 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1869 * IKEv1 SAs */
1870 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1871 }
1872 this->task_manager->queue_ike_delete(this->task_manager);
1873 status = this->task_manager->initiate(this->task_manager);
1874 break;
1875 case IKE_CREATED:
1876 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1877 break;
1878 case IKE_PASSIVE:
1879 break;
1880 default:
1881 DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1882 ike_sa_state_names, this->state);
1883 force = TRUE;
1884 break;
1885 }
1886
1887 if (force)
1888 {
1889 status = DESTROY_ME;
1890
1891 if (this->version == IKEV2)
1892 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1893 switch (this->state)
1894 {
1895 case IKE_ESTABLISHED:
1896 case IKE_REKEYING:
1897 case IKE_DELETING:
1898 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1899 default:
1900 break;
1901 }
1902 }
1903 }
1904 return status;
1905 }
1906
1907 METHOD(ike_sa_t, rekey, status_t,
1908 private_ike_sa_t *this)
1909 {
1910 if (this->state == IKE_PASSIVE)
1911 {
1912 return INVALID_STATE;
1913 }
1914 this->task_manager->queue_ike_rekey(this->task_manager);
1915 return this->task_manager->initiate(this->task_manager);
1916 }
1917
1918 METHOD(ike_sa_t, reauth, status_t,
1919 private_ike_sa_t *this)
1920 {
1921 if (this->state == IKE_PASSIVE)
1922 {
1923 return INVALID_STATE;
1924 }
1925 if (this->state == IKE_CONNECTING)
1926 {
1927 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1928 get_name(this), this->unique_id);
1929 reset(this, TRUE);
1930 return this->task_manager->initiate(this->task_manager);
1931 }
1932 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1933 * If the peer does not support RFC4478, there is no way to keep the
1934 * IKE_SA up. */
1935 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1936 {
1937 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1938 if (array_count(this->other_vips) != 0 ||
1939 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1940 has_condition(this, COND_EAP_AUTHENTICATED)
1941 #ifdef ME
1942 /* as mediation server we too cannot reauth the IKE_SA */
1943 || this->is_mediation_server
1944 #endif /* ME */
1945 )
1946 {
1947 time_t del, now;
1948
1949 del = this->stats[STAT_DELETE];
1950 now = time_monotonic(NULL);
1951 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1952 get_name(this), this->unique_id, &now, &del);
1953 return FAILED;
1954 }
1955 else
1956 {
1957 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1958 get_name(this), this->unique_id);
1959 }
1960 }
1961 else
1962 {
1963 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1964 get_name(this), this->unique_id);
1965 }
1966 set_condition(this, COND_REAUTHENTICATING, TRUE);
1967 this->task_manager->queue_ike_reauth(this->task_manager);
1968 return this->task_manager->initiate(this->task_manager);
1969 }
1970
1971 /**
1972 * Check if any tasks of a specific type are queued in the given queue.
1973 */
1974 static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue,
1975 task_type_t type)
1976 {
1977 enumerator_t *enumerator;
1978 task_t *task;
1979 bool found = FALSE;
1980
1981 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1982 queue);
1983 while (enumerator->enumerate(enumerator, &task))
1984 {
1985 if (task->get_type(task) == type)
1986 {
1987 found = TRUE;
1988 break;
1989 }
1990 }
1991 enumerator->destroy(enumerator);
1992 return found;
1993 }
1994
1995 /**
1996 * Check if any tasks to create CHILD_SAs are queued in the given queue.
1997 */
1998 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1999 {
2000 return is_task_queued(this, queue,
2001 this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE);
2002 }
2003
2004 /**
2005 * Check if any tasks to delete the IKE_SA are queued in the given queue.
2006 */
2007 static bool is_delete_queued(private_ike_sa_t *this, task_queue_t queue)
2008 {
2009 return is_task_queued(this, queue,
2010 this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE);
2011 }
2012
2013 /**
2014 * Reestablish CHILD_SAs and migrate queued tasks.
2015 *
2016 * If force is true all SAs are restarted, otherwise their close/dpd_action
2017 * is followed.
2018 */
2019 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
2020 bool force)
2021 {
2022 enumerator_t *enumerator;
2023 child_sa_t *child_sa;
2024 child_cfg_t *child_cfg;
2025 action_t action;
2026 status_t status = FAILED;
2027
2028 /* handle existing CHILD_SAs */
2029 enumerator = create_child_sa_enumerator(this);
2030 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2031 {
2032 switch (child_sa->get_state(child_sa))
2033 {
2034 case CHILD_REKEYED:
2035 case CHILD_DELETED:
2036 /* ignore CHILD_SAs in these states */
2037 continue;
2038 default:
2039 break;
2040 }
2041 if (force)
2042 {
2043 action = ACTION_RESTART;
2044 }
2045 else
2046 { /* only restart CHILD_SAs that are configured accordingly */
2047 if (this->state == IKE_DELETING)
2048 {
2049 action = child_sa->get_close_action(child_sa);
2050 }
2051 else
2052 {
2053 action = child_sa->get_dpd_action(child_sa);
2054 }
2055 }
2056 switch (action)
2057 {
2058 case ACTION_RESTART:
2059 child_cfg = child_sa->get_config(child_sa);
2060 DBG1(DBG_IKE, "restarting CHILD_SA %s",
2061 child_cfg->get_name(child_cfg));
2062 child_cfg->get_ref(child_cfg);
2063 status = new->initiate(new, child_cfg,
2064 child_sa->get_reqid(child_sa), NULL, NULL);
2065 break;
2066 default:
2067 continue;
2068 }
2069 if (status == DESTROY_ME)
2070 {
2071 break;
2072 }
2073 }
2074 enumerator->destroy(enumerator);
2075 /* adopt any active or queued CHILD-creating tasks */
2076 if (status != DESTROY_ME)
2077 {
2078 new->adopt_child_tasks(new, &this->public);
2079 if (new->get_state(new) == IKE_CREATED)
2080 {
2081 status = new->initiate(new, NULL, 0, NULL, NULL);
2082 }
2083 }
2084 return status;
2085 }
2086
2087 METHOD(ike_sa_t, reestablish, status_t,
2088 private_ike_sa_t *this)
2089 {
2090 ike_sa_t *new;
2091 host_t *host;
2092 action_t action;
2093 enumerator_t *enumerator;
2094 child_sa_t *child_sa;
2095 bool restart = FALSE;
2096 status_t status = FAILED;
2097
2098 if (is_delete_queued(this, TASK_QUEUE_QUEUED))
2099 { /* don't reestablish IKE_SAs that have explicitly been deleted in the
2100 * mean time */
2101 return FAILED;
2102 }
2103
2104 if (has_condition(this, COND_REAUTHENTICATING))
2105 { /* only reauthenticate if we have children */
2106 if (array_count(this->child_sas) == 0
2107 #ifdef ME
2108 /* allow reauth of mediation connections without CHILD_SAs */
2109 && !this->peer_cfg->is_mediation(this->peer_cfg)
2110 #endif /* ME */
2111 )
2112 {
2113 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2114 "to recreate");
2115 }
2116 else
2117 {
2118 restart = TRUE;
2119 }
2120 }
2121 else
2122 { /* check if we have children to keep up at all */
2123 enumerator = array_create_enumerator(this->child_sas);
2124 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2125 {
2126 switch (child_sa->get_state(child_sa))
2127 {
2128 case CHILD_REKEYED:
2129 case CHILD_DELETED:
2130 /* ignore CHILD_SAs in these states */
2131 continue;
2132 default:
2133 break;
2134 }
2135 if (this->state == IKE_DELETING)
2136 {
2137 action = child_sa->get_close_action(child_sa);
2138 }
2139 else
2140 {
2141 action = child_sa->get_dpd_action(child_sa);
2142 }
2143 switch (action)
2144 {
2145 case ACTION_RESTART:
2146 restart = TRUE;
2147 break;
2148 case ACTION_ROUTE:
2149 charon->traps->install(charon->traps, this->peer_cfg,
2150 child_sa->get_config(child_sa));
2151 break;
2152 default:
2153 break;
2154 }
2155 }
2156 enumerator->destroy(enumerator);
2157 /* check if we have tasks that recreate children */
2158 if (!restart)
2159 {
2160 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
2161 is_child_queued(this, TASK_QUEUE_QUEUED);
2162 }
2163 #ifdef ME
2164 /* mediation connections have no children, keep them up anyway */
2165 if (this->peer_cfg->is_mediation(this->peer_cfg))
2166 {
2167 restart = TRUE;
2168 }
2169 #endif /* ME */
2170 }
2171 if (!restart)
2172 {
2173 return FAILED;
2174 }
2175
2176 /* check if we are able to reestablish this IKE_SA */
2177 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
2178 (array_count(this->other_vips) != 0 ||
2179 has_condition(this, COND_EAP_AUTHENTICATED)
2180 #ifdef ME
2181 || this->is_mediation_server
2182 #endif /* ME */
2183 ))
2184 {
2185 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
2186 return FAILED;
2187 }
2188
2189 new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
2190 this->version, TRUE);
2191 if (!new)
2192 {
2193 return FAILED;
2194 }
2195 new->set_peer_cfg(new, this->peer_cfg);
2196 host = this->other_host;
2197 new->set_other_host(new, host->clone(host));
2198 host = this->my_host;
2199 new->set_my_host(new, host->clone(host));
2200 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2201 if (!has_condition(this, COND_REAUTHENTICATING))
2202 { /* reauthenticate to the same addresses, but resolve hosts if
2203 * reestablishing (old addresses serve as fallback) */
2204 resolve_hosts((private_ike_sa_t*)new);
2205 }
2206 /* if we already have a virtual IP, we reuse it */
2207 enumerator = array_create_enumerator(this->my_vips);
2208 while (enumerator->enumerate(enumerator, &host))
2209 {
2210 new->add_virtual_ip(new, TRUE, host);
2211 }
2212 enumerator->destroy(enumerator);
2213
2214 #ifdef ME
2215 if (this->peer_cfg->is_mediation(this->peer_cfg))
2216 {
2217 status = new->initiate(new, NULL, 0, NULL, NULL);
2218 }
2219 else
2220 #endif /* ME */
2221 {
2222 status = reestablish_children(this, new,
2223 has_condition(this, COND_REAUTHENTICATING));
2224 }
2225
2226 if (status == DESTROY_ME)
2227 {
2228 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2229 FALSE);
2230 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2231 status = FAILED;
2232 }
2233 else
2234 {
2235 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2236 TRUE);
2237 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2238 status = SUCCESS;
2239 }
2240 charon->bus->set_sa(charon->bus, &this->public);
2241 return status;
2242 }
2243
2244 /**
2245 * Resolve the given gateway ID
2246 */
2247 static host_t *resolve_gateway_id(identification_t *gateway)
2248 {
2249 char gw[BUF_LEN];
2250 host_t *addr;
2251
2252 snprintf(gw, sizeof(gw), "%Y", gateway);
2253 gw[sizeof(gw)-1] = '\0';
2254 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2255 if (!addr)
2256 {
2257 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2258 gateway);
2259 }
2260 return addr;
2261 }
2262
2263 /**
2264 * Redirect the current SA to the given target host
2265 */
2266 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2267 {
2268 private_ike_sa_t *new_priv;
2269 ike_sa_t *new;
2270 host_t *other;
2271 time_t redirect;
2272
2273 new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
2274 this->version, TRUE);
2275 if (!new)
2276 {
2277 return FALSE;
2278 }
2279 new_priv = (private_ike_sa_t*)new;
2280 new->set_peer_cfg(new, this->peer_cfg);
2281 new_priv->redirected_from = this->other_host->clone(this->other_host);
2282 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2283 other = resolve_gateway_id(to);
2284 if (other)
2285 {
2286 set_my_host(new_priv, this->my_host->clone(this->my_host));
2287 /* this allows us to force the remote address while we still properly
2288 * resolve the local address */
2289 new_priv->remote_host = other;
2290 resolve_hosts(new_priv);
2291 new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2292 while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2293 {
2294 array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2295 }
2296 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2297 {
2298 #ifdef USE_IKEV2
2299 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2300 this->ike_sa_id));
2301 #endif
2302 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2303 TRUE);
2304 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2305 charon->bus->set_sa(charon->bus, &this->public);
2306 return TRUE;
2307 }
2308 }
2309 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2310 FALSE);
2311 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2312 charon->bus->set_sa(charon->bus, &this->public);
2313 return FALSE;
2314 }
2315
2316 /**
2317 * Redirect the current connecting SA to the given target host
2318 */
2319 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2320 {
2321 host_t *other;
2322
2323 other = resolve_gateway_id(to);
2324 if (!other)
2325 {
2326 return FALSE;
2327 }
2328 reset(this, TRUE);
2329 DESTROY_IF(this->redirected_from);
2330 this->redirected_from = this->other_host->clone(this->other_host);
2331 /* this allows us to force the remote address while we still properly
2332 * resolve the local address */
2333 DESTROY_IF(this->remote_host);
2334 this->remote_host = other;
2335 resolve_hosts(this);
2336 return TRUE;
2337 }
2338
2339 /**
2340 * Check if the current redirect exceeds the limits for redirects
2341 */
2342 static bool redirect_count_exceeded(private_ike_sa_t *this)
2343 {
2344 time_t now, redirect;
2345
2346 now = time_monotonic(NULL);
2347 /* remove entries outside the defined period */
2348 while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2349 now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2350 {
2351 array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2352 }
2353 if (array_count(this->redirected_at) < MAX_REDIRECTS)
2354 {
2355 if (!this->redirected_at)
2356 {
2357 this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2358 }
2359 array_insert(this->redirected_at, ARRAY_TAIL, &now);
2360 return FALSE;
2361 }
2362 return TRUE;
2363 }
2364
2365 METHOD(ike_sa_t, handle_redirect, bool,
2366 private_ike_sa_t *this, identification_t *gateway)
2367 {
2368 DBG1(DBG_IKE, "redirected to %Y", gateway);
2369 if (!this->follow_redirects)
2370 {
2371 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2372 return FALSE;
2373 }
2374 if (redirect_count_exceeded(this))
2375 {
2376 DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2377 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2378 return FALSE;
2379 }
2380
2381 switch (this->state)
2382 {
2383 case IKE_CONNECTING:
2384 return redirect_connecting(this, gateway);
2385 case IKE_ESTABLISHED:
2386 return redirect_established(this, gateway);
2387 default:
2388 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2389 ike_sa_state_names, this->state);
2390 return FALSE;
2391 }
2392 }
2393
2394 METHOD(ike_sa_t, redirect, status_t,
2395 private_ike_sa_t *this, identification_t *gateway)
2396 {
2397 switch (this->state)
2398 {
2399 case IKE_CONNECTING:
2400 case IKE_ESTABLISHED:
2401 case IKE_REKEYING:
2402 if (has_condition(this, COND_REDIRECTED))
2403 { /* IKE_SA already got redirected */
2404 return SUCCESS;
2405 }
2406 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2407 {
2408 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2409 return FAILED;
2410 }
2411 if (this->version == IKEV1)
2412 {
2413 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2414 return FAILED;
2415 }
2416 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2417 {
2418 DBG1(DBG_IKE, "client does not support IKE redirection");
2419 return FAILED;
2420 }
2421 #ifdef USE_IKEV2
2422 this->task_manager->queue_task(this->task_manager,
2423 (task_t*)ike_redirect_create(&this->public, gateway));
2424 #endif
2425 return this->task_manager->initiate(this->task_manager);
2426 default:
2427 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2428 ike_sa_state_names, this->state);
2429 return INVALID_STATE;
2430 }
2431 }
2432
2433 METHOD(ike_sa_t, retransmit, status_t,
2434 private_ike_sa_t *this, uint32_t message_id)
2435 {
2436 if (this->state == IKE_PASSIVE)
2437 {
2438 return INVALID_STATE;
2439 }
2440 switch (this->task_manager->retransmit(this->task_manager, message_id))
2441 {
2442 case SUCCESS:
2443 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2444 return SUCCESS;
2445 case INVALID_STATE:
2446 return INVALID_STATE;
2447 default:
2448 break;
2449 }
2450 /* send a proper signal to brief interested bus listeners */
2451 switch (this->state)
2452 {
2453 case IKE_CONNECTING:
2454 {
2455 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2456 uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2457 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2458 this->keyingtry);
2459 this->keyingtry++;
2460 if (tries == 0 || tries > this->keyingtry)
2461 {
2462 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2463 this->keyingtry + 1, tries);
2464 reset(this, TRUE);
2465 resolve_hosts(this);
2466 return this->task_manager->initiate(this->task_manager);
2467 }
2468 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2469
2470 if (this->version == IKEV1 && array_count(this->child_sas))
2471 {
2472 enumerator_t *enumerator;
2473 child_sa_t *child_sa;
2474
2475 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2476 * in this state with CHILD_SAs), try again from scratch */
2477 DBG1(DBG_IKE, "reauthentication failed, trying to "
2478 "reestablish IKE_SA");
2479 reestablish(this);
2480 /* trigger down events for the CHILD_SAs, as no down event
2481 * is triggered below for IKE SAs in this state */
2482 enumerator = array_create_enumerator(this->child_sas);
2483 while (enumerator->enumerate(enumerator, &child_sa))
2484 {
2485 if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
2486 child_sa->get_state(child_sa) != CHILD_DELETED)
2487 {
2488 charon->bus->child_updown(charon->bus, child_sa,
2489 FALSE);
2490 }
2491 }
2492 enumerator->destroy(enumerator);
2493 }
2494 break;
2495 }
2496 case IKE_DELETING:
2497 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2498 if (has_condition(this, COND_REAUTHENTICATING) &&
2499 !lib->settings->get_bool(lib->settings,
2500 "%s.make_before_break", FALSE, lib->ns))
2501 {
2502 DBG1(DBG_IKE, "delete during reauthentication failed, "
2503 "trying to reestablish IKE_SA anyway");
2504 reestablish(this);
2505 }
2506 break;
2507 case IKE_REKEYING:
2508 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2509 /* FALL */
2510 default:
2511 reestablish(this);
2512 break;
2513 }
2514 if (this->state != IKE_CONNECTING &&
2515 this->state != IKE_REKEYED)
2516 {
2517 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2518 }
2519 return DESTROY_ME;
2520 }
2521
2522 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2523 private_ike_sa_t *this, uint32_t lifetime)
2524 {
2525 uint32_t diff, hard, soft, now;
2526 bool send_update;
2527
2528 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2529 now = time_monotonic(NULL);
2530 hard = now + lifetime;
2531 soft = hard - diff;
2532
2533 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2534 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2535 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2536 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2537 (array_count(this->other_vips) != 0 ||
2538 has_condition(this, COND_EAP_AUTHENTICATED));
2539
2540 if (lifetime < diff)
2541 {
2542 this->stats[STAT_REAUTH] = now;
2543
2544 if (!send_update)
2545 {
2546 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2547 "starting reauthentication", lifetime);
2548 lib->processor->queue_job(lib->processor,
2549 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2550 }
2551 }
2552 else if (this->stats[STAT_REAUTH] == 0 ||
2553 this->stats[STAT_REAUTH] > soft)
2554 {
2555 this->stats[STAT_REAUTH] = soft;
2556 if (!send_update)
2557 {
2558 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2559 "reauthentication in %ds", lifetime, lifetime - diff);
2560 lib->scheduler->schedule_job(lib->scheduler,
2561 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2562 lifetime - diff);
2563 }
2564 }
2565 else
2566 {
2567 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2568 "reauthentication already scheduled in %ds", lifetime,
2569 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2570 send_update = FALSE;
2571 }
2572 /* give at least some seconds to reauthenticate */
2573 this->stats[STAT_DELETE] = max(hard, now + 10);
2574
2575 #ifdef USE_IKEV2
2576 if (send_update)
2577 {
2578 ike_auth_lifetime_t *task;
2579
2580 task = ike_auth_lifetime_create(&this->public, TRUE);
2581 this->task_manager->queue_task(this->task_manager, &task->task);
2582 return this->task_manager->initiate(this->task_manager);
2583 }
2584 #endif
2585 return SUCCESS;
2586 }
2587
2588 /**
2589 * Check if the current combination of source and destination address is still
2590 * valid.
2591 */
2592 static bool is_current_path_valid(private_ike_sa_t *this)
2593 {
2594 bool valid = FALSE;
2595 host_t *src;
2596
2597 if (supports_extension(this, EXT_MOBIKE) &&
2598 lib->settings->get_bool(lib->settings,
2599 "%s.prefer_best_path", FALSE, lib->ns))
2600 {
2601 /* check if the current path is the best path; migrate otherwise */
2602 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2603 NULL);
2604 if (src)
2605 {
2606 valid = src->ip_equals(src, this->my_host);
2607 src->destroy(src);
2608 }
2609 if (!valid)
2610 {
2611 DBG1(DBG_IKE, "old path is not preferred anymore");
2612 }
2613 return valid;
2614 }
2615 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2616 this->my_host);
2617 if (src)
2618 {
2619 if (src->ip_equals(src, this->my_host))
2620 {
2621 valid = TRUE;
2622 }
2623 src->destroy(src);
2624 }
2625 if (!valid)
2626 {
2627 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2628 }
2629 return valid;
2630 }
2631
2632 /**
2633 * Check if we have any path available for this IKE SA.
2634 */
2635 static bool is_any_path_valid(private_ike_sa_t *this)
2636 {
2637 bool valid = FALSE;
2638 enumerator_t *enumerator;
2639 host_t *src = NULL, *addr;
2640 int family = AF_UNSPEC;
2641
2642 switch (charon->socket->supported_families(charon->socket))
2643 {
2644 case SOCKET_FAMILY_IPV4:
2645 family = AF_INET;
2646 break;
2647 case SOCKET_FAMILY_IPV6:
2648 family = AF_INET6;
2649 break;
2650 case SOCKET_FAMILY_BOTH:
2651 case SOCKET_FAMILY_NONE:
2652 break;
2653 }
2654
2655 enumerator = create_peer_address_enumerator(this);
2656 while (enumerator->enumerate(enumerator, &addr))
2657 {
2658 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2659 {
2660 continue;
2661 }
2662 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2663 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2664 if (src)
2665 {
2666 break;
2667 }
2668 }
2669 enumerator->destroy(enumerator);
2670 if (src)
2671 {
2672 valid = TRUE;
2673 src->destroy(src);
2674 }
2675 return valid;
2676 }
2677
2678 METHOD(ike_sa_t, roam, status_t,
2679 private_ike_sa_t *this, bool address)
2680 {
2681 switch (this->state)
2682 {
2683 case IKE_CREATED:
2684 case IKE_DELETING:
2685 case IKE_DESTROYING:
2686 case IKE_PASSIVE:
2687 case IKE_REKEYED:
2688 return SUCCESS;
2689 default:
2690 break;
2691 }
2692
2693 if (!this->ike_cfg)
2694 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2695 * without config assigned */
2696 return SUCCESS;
2697 }
2698 if (this->version == IKEV1)
2699 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2700 * have to reestablish from scratch (reauth is not enough) */
2701 return SUCCESS;
2702 }
2703
2704 /* ignore roam events if MOBIKE is not supported/enabled and the local
2705 * address is statically configured */
2706 if (!supports_extension(this, EXT_MOBIKE) &&
2707 ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
2708 {
2709 DBG2(DBG_IKE, "keeping statically configured path %H - %H",
2710 this->my_host, this->other_host);
2711 return SUCCESS;
2712 }
2713
2714 /* keep existing path if possible */
2715 if (is_current_path_valid(this))
2716 {
2717 DBG2(DBG_IKE, "keeping connection path %H - %H",
2718 this->my_host, this->other_host);
2719 set_condition(this, COND_STALE, FALSE);
2720
2721 if (supports_extension(this, EXT_MOBIKE) && address)
2722 { /* if any addresses changed, send an updated list */
2723 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2724 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2725 return this->task_manager->initiate(this->task_manager);
2726 }
2727 if (lib->settings->get_bool(lib->settings,
2728 "%s.check_current_path", FALSE, lib->ns) &&
2729 !this->task_manager->busy(this->task_manager))
2730 {
2731 DBG1(DBG_IKE, "checking if current path still works using DPD");
2732 this->task_manager->queue_dpd(this->task_manager);
2733 return this->task_manager->initiate(this->task_manager);
2734 }
2735 return SUCCESS;
2736 }
2737
2738 if (!is_any_path_valid(this))
2739 {
2740 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2741 this->other_host);
2742 set_condition(this, COND_STALE, TRUE);
2743 return SUCCESS;
2744 }
2745 set_condition(this, COND_STALE, FALSE);
2746
2747 /* update addresses with mobike, if supported ... */
2748 if (supports_extension(this, EXT_MOBIKE))
2749 {
2750 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2751 { /* responder updates the peer about changed address config */
2752 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2753 "implicitly requesting an address change");
2754 address = TRUE;
2755 }
2756 else
2757 {
2758 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2759 }
2760 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2761 return this->task_manager->initiate(this->task_manager);
2762 }
2763
2764 /* ... reauth if not */
2765 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2766 { /* responder does not reauthenticate */
2767 set_condition(this, COND_STALE, TRUE);
2768 return SUCCESS;
2769 }
2770 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2771 /* since our previous path is not valid anymore, try and find a new one */
2772 resolve_hosts(this);
2773 return reauth(this);
2774 }
2775
2776 METHOD(ike_sa_t, add_configuration_attribute, void,
2777 private_ike_sa_t *this, attribute_handler_t *handler,
2778 configuration_attribute_type_t type, chunk_t data)
2779 {
2780 attribute_entry_t entry = {
2781 .handler = handler,
2782 .type = type,
2783 .data = chunk_clone(data),
2784 };
2785 array_insert(this->attributes, ARRAY_TAIL, &entry);
2786 }
2787
2788 CALLBACK(filter_attribute, bool,
2789 void *null, enumerator_t *orig, va_list args)
2790 {
2791 attribute_entry_t *entry;
2792 configuration_attribute_type_t *type;
2793 chunk_t *data;
2794 bool *handled;
2795
2796 VA_ARGS_VGET(args, type, data, handled);
2797
2798 if (orig->enumerate(orig, &entry))
2799 {
2800 *type = entry->type;
2801 *data = entry->data;
2802 *handled = entry->handler != NULL;
2803 return TRUE;
2804 }
2805 return FALSE;
2806 }
2807
2808 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2809 private_ike_sa_t *this)
2810 {
2811 return enumerator_create_filter(array_create_enumerator(this->attributes),
2812 filter_attribute, NULL, NULL);
2813 }
2814
2815 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2816 private_ike_sa_t *this, task_queue_t queue)
2817 {
2818 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2819 }
2820
2821 METHOD(ike_sa_t, remove_task, void,
2822 private_ike_sa_t *this, enumerator_t *enumerator)
2823 {
2824 return this->task_manager->remove_task(this->task_manager, enumerator);
2825 }
2826
2827 METHOD(ike_sa_t, flush_queue, void,
2828 private_ike_sa_t *this, task_queue_t queue)
2829 {
2830 this->task_manager->flush_queue(this->task_manager, queue);
2831 }
2832
2833 METHOD(ike_sa_t, queue_task, void,
2834 private_ike_sa_t *this, task_t *task)
2835 {
2836 this->task_manager->queue_task(this->task_manager, task);
2837 }
2838
2839 METHOD(ike_sa_t, queue_task_delayed, void,
2840 private_ike_sa_t *this, task_t *task, uint32_t delay)
2841 {
2842 this->task_manager->queue_task_delayed(this->task_manager, task, delay);
2843 }
2844
2845 /**
2846 * Migrate and queue child-creating tasks from another IKE_SA
2847 */
2848 static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
2849 task_queue_t queue)
2850 {
2851 enumerator_t *enumerator;
2852 task_t *task;
2853
2854 enumerator = other->create_task_enumerator(other, queue);
2855 while (enumerator->enumerate(enumerator, &task))
2856 {
2857 if (task->get_type(task) == TASK_CHILD_CREATE ||
2858 task->get_type(task) == TASK_QUICK_MODE)
2859 {
2860 other->remove_task(other, enumerator);
2861 task->migrate(task, &this->public);
2862 queue_task(this, task);
2863 }
2864 }
2865 enumerator->destroy(enumerator);
2866 }
2867
2868 METHOD(ike_sa_t, adopt_child_tasks, void,
2869 private_ike_sa_t *this, ike_sa_t *other)
2870 {
2871 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
2872 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
2873 }
2874
2875 METHOD(ike_sa_t, inherit_pre, void,
2876 private_ike_sa_t *this, ike_sa_t *other_public)
2877 {
2878 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2879
2880 /* apply config and hosts */
2881 set_peer_cfg(this, other->peer_cfg);
2882 set_my_host(this, other->my_host->clone(other->my_host));
2883 set_other_host(this, other->other_host->clone(other->other_host));
2884
2885 /* apply extensions and conditions with a few exceptions */
2886 this->extensions = other->extensions;
2887 this->conditions = other->conditions;
2888 this->conditions &= ~COND_STALE;
2889 this->conditions &= ~COND_REAUTHENTICATING;
2890 }
2891
2892 METHOD(ike_sa_t, inherit_post, void,
2893 private_ike_sa_t *this, ike_sa_t *other_public)
2894 {
2895 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2896 child_sa_t *child_sa;
2897 enumerator_t *enumerator;
2898 attribute_entry_t entry;
2899 auth_cfg_t *cfg;
2900 host_t *vip;
2901
2902 /* apply hosts and ids */
2903 this->my_host->destroy(this->my_host);
2904 this->other_host->destroy(this->other_host);
2905 this->my_id->destroy(this->my_id);
2906 this->other_id->destroy(this->other_id);
2907 this->my_host = other->my_host->clone(other->my_host);
2908 this->other_host = other->other_host->clone(other->other_host);
2909 this->my_id = other->my_id->clone(other->my_id);
2910 this->other_id = other->other_id->clone(other->other_id);
2911 this->if_id_in = other->if_id_in;
2912 this->if_id_out = other->if_id_out;
2913
2914 /* apply assigned virtual IPs... */
2915 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2916 {
2917 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2918 }
2919 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2920 {
2921 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2922 }
2923
2924 /* MOBIKE additional addresses */
2925 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2926 {
2927 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2928 }
2929
2930 /* authentication information */
2931 enumerator = array_create_enumerator(other->my_auths);
2932 while (enumerator->enumerate(enumerator, &cfg))
2933 {
2934 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2935 }
2936 enumerator->destroy(enumerator);
2937 enumerator = array_create_enumerator(other->other_auths);
2938 while (enumerator->enumerate(enumerator, &cfg))
2939 {
2940 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2941 }
2942 enumerator->destroy(enumerator);
2943
2944 /* ... and configuration attributes */
2945 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2946 {
2947 array_insert(this->attributes, ARRAY_TAIL, &entry);
2948 }
2949
2950 /* inherit all conditions */
2951 this->conditions = other->conditions;
2952 if (this->conditions & COND_NAT_HERE)
2953 {
2954 send_keepalive(this, FALSE);
2955 }
2956
2957 #ifdef ME
2958 if (other->is_mediation_server)
2959 {
2960 act_as_mediation_server(this);
2961 }
2962 else if (other->server_reflexive_host)
2963 {
2964 this->server_reflexive_host = other->server_reflexive_host->clone(
2965 other->server_reflexive_host);
2966 }
2967 #endif /* ME */
2968
2969 /* adopt all children */
2970 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2971 {
2972 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2973 add_child_sa(this, child_sa);
2974 }
2975
2976 /* move pending tasks to the new IKE_SA */
2977 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2978
2979 /* reauthentication timeout survives a rekeying */
2980 if (other->stats[STAT_REAUTH])
2981 {
2982 time_t reauth, delete, now = time_monotonic(NULL);
2983
2984 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2985 reauth = max(0, this->stats[STAT_REAUTH] - now);
2986 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2987 this->stats[STAT_DELETE] = now + delete;
2988 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2989 "lifetime reduced to %ds", reauth, delete);
2990 lib->scheduler->schedule_job(lib->scheduler,
2991 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2992 lib->scheduler->schedule_job(lib->scheduler,
2993 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2994 }
2995 }
2996
2997 METHOD(ike_sa_t, destroy, void,
2998 private_ike_sa_t *this)
2999 {
3000 attribute_entry_t entry;
3001 child_sa_t *child_sa;
3002 host_t *vip;
3003
3004 charon->bus->set_sa(charon->bus, &this->public);
3005
3006 set_state(this, IKE_DESTROYING);
3007 if (this->task_manager)
3008 {
3009 this->task_manager->flush(this->task_manager);
3010 }
3011
3012 /* remove attributes first, as we pass the IKE_SA to the handler */
3013 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
3014 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
3015 {
3016 if (entry.handler)
3017 {
3018 charon->attributes->release(charon->attributes, entry.handler,
3019 &this->public, entry.type, entry.data);
3020 }
3021 free(entry.data.ptr);
3022 }
3023 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
3024 * routes that the CHILD_SA tries to uninstall. */
3025 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
3026 {
3027 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
3028 child_sa->destroy(child_sa);
3029 }
3030 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
3031 {
3032 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
3033 vip->destroy(vip);
3034 }
3035 if (array_count(this->other_vips))
3036 {
3037 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
3038 }
3039 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
3040 {
3041 if (this->peer_cfg)
3042 {
3043 linked_list_t *pools;
3044
3045 pools = linked_list_create_from_enumerator(
3046 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
3047 charon->attributes->release_address(charon->attributes,
3048 pools, vip, &this->public);
3049 pools->destroy(pools);
3050 }
3051 vip->destroy(vip);
3052 }
3053
3054 /* unset SA after here to avoid usage by the listeners */
3055 charon->bus->set_sa(charon->bus, NULL);
3056
3057 array_destroy(this->child_sas);
3058 DESTROY_IF(this->task_manager);
3059 DESTROY_IF(this->keymat);
3060 array_destroy(this->attributes);
3061 array_destroy(this->my_vips);
3062 array_destroy(this->other_vips);
3063 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
3064 #ifdef ME
3065 if (this->is_mediation_server)
3066 {
3067 charon->mediation_manager->remove(charon->mediation_manager,
3068 this->ike_sa_id);
3069 }
3070 DESTROY_IF(this->server_reflexive_host);
3071 chunk_free(&this->connect_id);
3072 #endif /* ME */
3073 free(this->nat_detection_dest.ptr);
3074
3075 DESTROY_IF(this->my_host);
3076 DESTROY_IF(this->other_host);
3077 DESTROY_IF(this->my_id);
3078 DESTROY_IF(this->other_id);
3079 DESTROY_IF(this->local_host);
3080 DESTROY_IF(this->remote_host);
3081 DESTROY_IF(this->redirected_from);
3082 array_destroy(this->redirected_at);
3083
3084 DESTROY_IF(this->ike_cfg);
3085 DESTROY_IF(this->peer_cfg);
3086 DESTROY_IF(this->proposal);
3087 this->my_auth->destroy(this->my_auth);
3088 this->other_auth->destroy(this->other_auth);
3089 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
3090 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
3091
3092 this->ike_sa_id->destroy(this->ike_sa_id);
3093 free(this);
3094 }
3095
3096 /*
3097 * Described in header.
3098 */
3099 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
3100 ike_version_t version)
3101 {
3102 private_ike_sa_t *this;
3103 static refcount_t unique_id = 0;
3104
3105 if (version == IKE_ANY)
3106 { /* prefer IKEv2 if protocol not specified */
3107 #ifdef USE_IKEV2
3108 version = IKEV2;
3109 #else
3110 version = IKEV1;