ee3220d1b86898a61ae033dbcfd1572db2ceff93
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <sa/keymat_v2.h>
32 #include <sa/task_manager_v2.h>
33 #include <sa/tasks/ike_init.h>
34 #include <sa/tasks/ike_natd.h>
35 #include <sa/tasks/ike_mobike.h>
36 #include <sa/tasks/ike_auth.h>
37 #include <sa/tasks/ike_auth_lifetime.h>
38 #include <sa/tasks/ike_config.h>
39 #include <sa/tasks/ike_cert_pre.h>
40 #include <sa/tasks/ike_cert_post.h>
41 #include <sa/tasks/ike_rekey.h>
42 #include <sa/tasks/ike_reauth.h>
43 #include <sa/tasks/ike_delete.h>
44 #include <sa/tasks/ike_dpd.h>
45 #include <sa/tasks/ike_vendor.h>
46 #include <sa/tasks/child_create.h>
47 #include <sa/tasks/child_delete.h>
48 #include <sa/tasks/child_rekey.h>
49 #include <processing/jobs/retransmit_job.h>
50 #include <processing/jobs/delete_ike_sa_job.h>
51 #include <processing/jobs/send_dpd_job.h>
52 #include <processing/jobs/send_keepalive_job.h>
53 #include <processing/jobs/rekey_ike_sa_job.h>
54 #include <encoding/payloads/unknown_payload.h>
55
56 #ifdef ME
57 #include <sa/tasks/ike_me.h>
58 #include <processing/jobs/initiate_mediation_job.h>
59 #endif
60
61 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
62 "CREATED",
63 "CONNECTING",
64 "ESTABLISHED",
65 "PASSIVE",
66 "REKEYING",
67 "DELETING",
68 "DESTROYING",
69 );
70
71 typedef struct private_ike_sa_t private_ike_sa_t;
72 typedef struct attribute_entry_t attribute_entry_t;
73
74 /**
75 * Private data of an ike_sa_t object.
76 */
77 struct private_ike_sa_t {
78
79 /**
80 * Public members
81 */
82 ike_sa_t public;
83
84 /**
85 * Identifier for the current IKE_SA.
86 */
87 ike_sa_id_t *ike_sa_id;
88
89 /**
90 * unique numerical ID for this IKE_SA.
91 */
92 u_int32_t unique_id;
93
94 /**
95 * Current state of the IKE_SA
96 */
97 ike_sa_state_t state;
98
99 /**
100 * IKE configuration used to set up this IKE_SA
101 */
102 ike_cfg_t *ike_cfg;
103
104 /**
105 * Peer and authentication information to establish IKE_SA.
106 */
107 peer_cfg_t *peer_cfg;
108
109 /**
110 * currently used authentication ruleset, local (as auth_cfg_t)
111 */
112 auth_cfg_t *my_auth;
113
114 /**
115 * list of completed local authentication rounds
116 */
117 linked_list_t *my_auths;
118
119 /**
120 * list of completed remote authentication rounds
121 */
122 linked_list_t *other_auths;
123
124 /**
125 * currently used authentication constraints, remote (as auth_cfg_t)
126 */
127 auth_cfg_t *other_auth;
128
129 /**
130 * Selected IKE proposal
131 */
132 proposal_t *proposal;
133
134 /**
135 * Juggles tasks to process messages
136 */
137 task_manager_t *task_manager;
138
139 /**
140 * Address of local host
141 */
142 host_t *my_host;
143
144 /**
145 * Address of remote host
146 */
147 host_t *other_host;
148
149 #ifdef ME
150 /**
151 * Are we mediation server
152 */
153 bool is_mediation_server;
154
155 /**
156 * Server reflexive host
157 */
158 host_t *server_reflexive_host;
159
160 /**
161 * Connect ID
162 */
163 chunk_t connect_id;
164 #endif /* ME */
165
166 /**
167 * Identification used for us
168 */
169 identification_t *my_id;
170
171 /**
172 * Identification used for other
173 */
174 identification_t *other_id;
175
176 /**
177 * set of extensions the peer supports
178 */
179 ike_extension_t extensions;
180
181 /**
182 * set of condition flags currently enabled for this IKE_SA
183 */
184 ike_condition_t conditions;
185
186 /**
187 * Linked List containing the child sa's of the current IKE_SA.
188 */
189 linked_list_t *child_sas;
190
191 /**
192 * keymat of this IKE_SA
193 */
194 keymat_t *keymat;
195
196 /**
197 * Virtual IP on local host, if any
198 */
199 host_t *my_virtual_ip;
200
201 /**
202 * Virtual IP on remote host, if any
203 */
204 host_t *other_virtual_ip;
205
206 /**
207 * List of configuration attributes (attribute_entry_t)
208 */
209 linked_list_t *attributes;
210
211 /**
212 * list of peers additional addresses, transmitted via MOBIKE
213 */
214 linked_list_t *additional_addresses;
215
216 /**
217 * previously value of received DESTINATION_IP hash
218 */
219 chunk_t nat_detection_dest;
220
221 /**
222 * number pending UPDATE_SA_ADDRESS (MOBIKE)
223 */
224 u_int32_t pending_updates;
225
226 /**
227 * NAT keep alive interval
228 */
229 u_int32_t keepalive_interval;
230
231 /**
232 * Timestamps for this IKE_SA
233 */
234 u_int32_t stats[STAT_MAX];
235
236 /**
237 * how many times we have retried so far (keyingtries)
238 */
239 u_int32_t keyingtry;
240
241 /**
242 * local host address to be used for IKE, set via MIGRATE kernel message
243 */
244 host_t *local_host;
245
246 /**
247 * remote host address to be used for IKE, set via MIGRATE kernel message
248 */
249 host_t *remote_host;
250 };
251
252 /**
253 * Entry to maintain install configuration attributes during IKE_SA lifetime
254 */
255 struct attribute_entry_t {
256 /** handler used to install this attribute */
257 attribute_handler_t *handler;
258 /** attribute type */
259 configuration_attribute_type_t type;
260 /** attribute data */
261 chunk_t data;
262 };
263
264 /**
265 * get the time of the latest traffic processed by the kernel
266 */
267 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
268 {
269 enumerator_t *enumerator;
270 child_sa_t *child_sa;
271 time_t use_time, current;
272
273 if (inbound)
274 {
275 use_time = this->stats[STAT_INBOUND];
276 }
277 else
278 {
279 use_time = this->stats[STAT_OUTBOUND];
280 }
281 enumerator = this->child_sas->create_enumerator(this->child_sas);
282 while (enumerator->enumerate(enumerator, &child_sa))
283 {
284 child_sa->get_usestats(child_sa, inbound, &current, NULL);
285 use_time = max(use_time, current);
286 }
287 enumerator->destroy(enumerator);
288
289 return use_time;
290 }
291
292 METHOD(ike_sa_t, get_unique_id, u_int32_t,
293 private_ike_sa_t *this)
294 {
295 return this->unique_id;
296 }
297
298 METHOD(ike_sa_t, get_name, char*,
299 private_ike_sa_t *this)
300 {
301 if (this->peer_cfg)
302 {
303 return this->peer_cfg->get_name(this->peer_cfg);
304 }
305 return "(unnamed)";
306 }
307
308 METHOD(ike_sa_t, get_statistic, u_int32_t,
309 private_ike_sa_t *this, statistic_t kind)
310 {
311 if (kind < STAT_MAX)
312 {
313 return this->stats[kind];
314 }
315 return 0;
316 }
317
318 METHOD(ike_sa_t, get_my_host, host_t*,
319 private_ike_sa_t *this)
320 {
321 return this->my_host;
322 }
323
324 METHOD(ike_sa_t, set_my_host, void,
325 private_ike_sa_t *this, host_t *me)
326 {
327 DESTROY_IF(this->my_host);
328 this->my_host = me;
329 }
330
331 METHOD(ike_sa_t, get_other_host, host_t*,
332 private_ike_sa_t *this)
333 {
334 return this->other_host;
335 }
336
337 METHOD(ike_sa_t, set_other_host, void,
338 private_ike_sa_t *this, host_t *other)
339 {
340 DESTROY_IF(this->other_host);
341 this->other_host = other;
342 }
343
344 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
345 private_ike_sa_t *this)
346 {
347 return this->peer_cfg;
348 }
349
350 METHOD(ike_sa_t, set_peer_cfg, void,
351 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
352 {
353 peer_cfg->get_ref(peer_cfg);
354 DESTROY_IF(this->peer_cfg);
355 this->peer_cfg = peer_cfg;
356
357 if (this->ike_cfg == NULL)
358 {
359 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
360 this->ike_cfg->get_ref(this->ike_cfg);
361 }
362 }
363
364 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
365 private_ike_sa_t *this, bool local)
366 {
367 if (local)
368 {
369 return this->my_auth;
370 }
371 return this->other_auth;
372 }
373
374 METHOD(ike_sa_t, add_auth_cfg, void,
375 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
376 {
377 if (local)
378 {
379 this->my_auths->insert_last(this->my_auths, cfg);
380 }
381 else
382 {
383 this->other_auths->insert_last(this->other_auths, cfg);
384 }
385 }
386
387 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
388 private_ike_sa_t *this, bool local)
389 {
390 if (local)
391 {
392 return this->my_auths->create_enumerator(this->my_auths);
393 }
394 return this->other_auths->create_enumerator(this->other_auths);
395 }
396
397 /**
398 * Flush the stored authentication round information
399 */
400 static void flush_auth_cfgs(private_ike_sa_t *this)
401 {
402 auth_cfg_t *cfg;
403
404 while (this->my_auths->remove_last(this->my_auths,
405 (void**)&cfg) == SUCCESS)
406 {
407 cfg->destroy(cfg);
408 }
409 while (this->other_auths->remove_last(this->other_auths,
410 (void**)&cfg) == SUCCESS)
411 {
412 cfg->destroy(cfg);
413 }
414 }
415
416 METHOD(ike_sa_t, get_proposal, proposal_t*,
417 private_ike_sa_t *this)
418 {
419 return this->proposal;
420 }
421
422 METHOD(ike_sa_t, set_proposal, void,
423 private_ike_sa_t *this, proposal_t *proposal)
424 {
425 DESTROY_IF(this->proposal);
426 this->proposal = proposal->clone(proposal);
427 }
428
429 METHOD(ike_sa_t, set_message_id, void,
430 private_ike_sa_t *this, bool initiate, u_int32_t mid)
431 {
432 if (initiate)
433 {
434 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
435 }
436 else
437 {
438 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
439 }
440 }
441
442 METHOD(ike_sa_t, send_keepalive, void,
443 private_ike_sa_t *this)
444 {
445 send_keepalive_job_t *job;
446 time_t last_out, now, diff;
447
448 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
449 { /* disable keep alives if we are not NATed anymore */
450 return;
451 }
452
453 last_out = get_use_time(this, FALSE);
454 now = time_monotonic(NULL);
455
456 diff = now - last_out;
457
458 if (diff >= this->keepalive_interval)
459 {
460 packet_t *packet;
461 chunk_t data;
462
463 packet = packet_create();
464 packet->set_source(packet, this->my_host->clone(this->my_host));
465 packet->set_destination(packet, this->other_host->clone(this->other_host));
466 data.ptr = malloc(1);
467 data.ptr[0] = 0xFF;
468 data.len = 1;
469 packet->set_data(packet, data);
470 DBG1(DBG_IKE, "sending keep alive");
471 charon->sender->send(charon->sender, packet);
472 diff = 0;
473 }
474 job = send_keepalive_job_create(this->ike_sa_id);
475 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
476 this->keepalive_interval - diff);
477 }
478
479 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
480 private_ike_sa_t *this)
481 {
482 return this->ike_cfg;
483 }
484
485 METHOD(ike_sa_t, set_ike_cfg, void,
486 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
487 {
488 ike_cfg->get_ref(ike_cfg);
489 this->ike_cfg = ike_cfg;
490 }
491
492 METHOD(ike_sa_t, enable_extension, void,
493 private_ike_sa_t *this, ike_extension_t extension)
494 {
495 this->extensions |= extension;
496 }
497
498 METHOD(ike_sa_t, supports_extension, bool,
499 private_ike_sa_t *this, ike_extension_t extension)
500 {
501 return (this->extensions & extension) != FALSE;
502 }
503
504 METHOD(ike_sa_t, has_condition, bool,
505 private_ike_sa_t *this, ike_condition_t condition)
506 {
507 return (this->conditions & condition) != FALSE;
508 }
509
510 METHOD(ike_sa_t, set_condition, void,
511 private_ike_sa_t *this, ike_condition_t condition, bool enable)
512 {
513 if (has_condition(this, condition) != enable)
514 {
515 if (enable)
516 {
517 this->conditions |= condition;
518 switch (condition)
519 {
520 case COND_NAT_HERE:
521 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
522 this->conditions |= COND_NAT_ANY;
523 send_keepalive(this);
524 break;
525 case COND_NAT_THERE:
526 DBG1(DBG_IKE, "remote host is behind NAT");
527 this->conditions |= COND_NAT_ANY;
528 break;
529 case COND_NAT_FAKE:
530 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
531 this->conditions |= COND_NAT_ANY;
532 break;
533 default:
534 break;
535 }
536 }
537 else
538 {
539 this->conditions &= ~condition;
540 switch (condition)
541 {
542 case COND_NAT_HERE:
543 case COND_NAT_FAKE:
544 case COND_NAT_THERE:
545 set_condition(this, COND_NAT_ANY,
546 has_condition(this, COND_NAT_HERE) ||
547 has_condition(this, COND_NAT_THERE) ||
548 has_condition(this, COND_NAT_FAKE));
549 break;
550 default:
551 break;
552 }
553 }
554 }
555 }
556
557 METHOD(ike_sa_t, send_dpd, status_t,
558 private_ike_sa_t *this)
559 {
560 job_t *job;
561 time_t diff, delay;
562
563 delay = this->peer_cfg->get_dpd(this->peer_cfg);
564 if (this->task_manager->busy(this->task_manager))
565 {
566 /* an exchange is in the air, no need to start a DPD check */
567 diff = 0;
568 }
569 else
570 {
571 /* check if there was any inbound traffic */
572 time_t last_in, now;
573 last_in = get_use_time(this, TRUE);
574 now = time_monotonic(NULL);
575 diff = now - last_in;
576 if (!delay || diff >= delay)
577 {
578 /* to long ago, initiate dead peer detection */
579 task_t *task;
580 ike_mobike_t *mobike;
581
582 if (supports_extension(this, EXT_MOBIKE) &&
583 has_condition(this, COND_NAT_HERE))
584 {
585 /* use mobike enabled DPD to detect NAT mapping changes */
586 mobike = ike_mobike_create(&this->public, TRUE);
587 mobike->dpd(mobike);
588 task = &mobike->task;
589 }
590 else
591 {
592 task = (task_t*)ike_dpd_create(TRUE);
593 }
594 diff = 0;
595 DBG1(DBG_IKE, "sending DPD request");
596
597 this->task_manager->queue_task(this->task_manager, task);
598 this->task_manager->initiate(this->task_manager);
599 }
600 }
601 /* recheck in "interval" seconds */
602 if (delay)
603 {
604 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
605 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
606 }
607 return SUCCESS;
608 }
609
610 METHOD(ike_sa_t, get_state, ike_sa_state_t,
611 private_ike_sa_t *this)
612 {
613 return this->state;
614 }
615
616 METHOD(ike_sa_t, set_state, void,
617 private_ike_sa_t *this, ike_sa_state_t state)
618 {
619 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
620 get_name(this), this->unique_id,
621 ike_sa_state_names, this->state,
622 ike_sa_state_names, state);
623
624 switch (state)
625 {
626 case IKE_ESTABLISHED:
627 {
628 if (this->state == IKE_CONNECTING ||
629 this->state == IKE_PASSIVE)
630 {
631 job_t *job;
632 u_int32_t t;
633
634 /* calculate rekey, reauth and lifetime */
635 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
636
637 /* schedule rekeying if we have a time which is smaller than
638 * an already scheduled rekeying */
639 t = this->peer_cfg->get_rekey_time(this->peer_cfg);
640 if (t && (this->stats[STAT_REKEY] == 0 ||
641 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
642 {
643 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
644 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
645 lib->scheduler->schedule_job(lib->scheduler, job, t);
646 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
647 }
648 t = this->peer_cfg->get_reauth_time(this->peer_cfg);
649 if (t && (this->stats[STAT_REAUTH] == 0 ||
650 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
651 {
652 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
653 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
654 lib->scheduler->schedule_job(lib->scheduler, job, t);
655 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
656 }
657 t = this->peer_cfg->get_over_time(this->peer_cfg);
658 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
659 {
660 if (this->stats[STAT_REAUTH] == 0)
661 {
662 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
663 }
664 else if (this->stats[STAT_REKEY] == 0)
665 {
666 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
667 }
668 else
669 {
670 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
671 this->stats[STAT_REAUTH]);
672 }
673 this->stats[STAT_DELETE] += t;
674 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
675 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
676 lib->scheduler->schedule_job(lib->scheduler, job, t);
677 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
678 }
679
680 /* start DPD checks */
681 if (this->peer_cfg->get_dpd(this->peer_cfg))
682 {
683 send_dpd(this);
684 }
685 }
686 break;
687 }
688 case IKE_DELETING:
689 {
690 /* delete may fail if a packet gets lost, so set a timeout */
691 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
692 lib->scheduler->schedule_job(lib->scheduler, job,
693 HALF_OPEN_IKE_SA_TIMEOUT);
694 break;
695 }
696 default:
697 break;
698 }
699 charon->bus->ike_state_change(charon->bus, &this->public, state);
700 this->state = state;
701 }
702
703 METHOD(ike_sa_t, reset, void,
704 private_ike_sa_t *this)
705 {
706 /* the responder ID is reset, as peer may choose another one */
707 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
708 {
709 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
710 }
711
712 set_state(this, IKE_CREATED);
713
714 flush_auth_cfgs(this);
715
716 this->keymat->destroy(this->keymat);
717 this->keymat = &(keymat_v2_create(this->ike_sa_id->is_initiator(this->ike_sa_id))->keymat);
718
719 this->task_manager->reset(this->task_manager, 0, 0);
720 }
721
722 METHOD(ike_sa_t, get_keymat, keymat_t*,
723 private_ike_sa_t *this)
724 {
725 return this->keymat;
726 }
727
728 METHOD(ike_sa_t, set_virtual_ip, void,
729 private_ike_sa_t *this, bool local, host_t *ip)
730 {
731 if (local)
732 {
733 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
734 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
735 this->my_host) == SUCCESS)
736 {
737 if (this->my_virtual_ip)
738 {
739 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
740 hydra->kernel_interface->del_ip(hydra->kernel_interface,
741 this->my_virtual_ip);
742 }
743 DESTROY_IF(this->my_virtual_ip);
744 this->my_virtual_ip = ip->clone(ip);
745 }
746 else
747 {
748 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
749 this->my_virtual_ip = NULL;
750 }
751 }
752 else
753 {
754 DESTROY_IF(this->other_virtual_ip);
755 this->other_virtual_ip = ip->clone(ip);
756 }
757 }
758
759 METHOD(ike_sa_t, get_virtual_ip, host_t*,
760 private_ike_sa_t *this, bool local)
761 {
762 if (local)
763 {
764 return this->my_virtual_ip;
765 }
766 else
767 {
768 return this->other_virtual_ip;
769 }
770 }
771
772 METHOD(ike_sa_t, add_additional_address, void,
773 private_ike_sa_t *this, host_t *host)
774 {
775 this->additional_addresses->insert_last(this->additional_addresses, host);
776 }
777
778 METHOD(ike_sa_t, create_additional_address_enumerator, enumerator_t*,
779 private_ike_sa_t *this)
780 {
781 return this->additional_addresses->create_enumerator(
782 this->additional_addresses);
783 }
784
785 METHOD(ike_sa_t, remove_additional_addresses, void,
786 private_ike_sa_t *this)
787 {
788 enumerator_t *enumerator = create_additional_address_enumerator(this);
789 host_t *host;
790 while (enumerator->enumerate(enumerator, (void**)&host))
791 {
792 this->additional_addresses->remove_at(this->additional_addresses,
793 enumerator);
794 host->destroy(host);
795 }
796 enumerator->destroy(enumerator);
797 }
798
799 METHOD(ike_sa_t, has_mapping_changed, bool,
800 private_ike_sa_t *this, chunk_t hash)
801 {
802 if (this->nat_detection_dest.ptr == NULL)
803 {
804 this->nat_detection_dest = chunk_clone(hash);
805 return FALSE;
806 }
807 if (chunk_equals(hash, this->nat_detection_dest))
808 {
809 return FALSE;
810 }
811 free(this->nat_detection_dest.ptr);
812 this->nat_detection_dest = chunk_clone(hash);
813 return TRUE;
814 }
815
816 METHOD(ike_sa_t, set_pending_updates, void,
817 private_ike_sa_t *this, u_int32_t updates)
818 {
819 this->pending_updates = updates;
820 }
821
822 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
823 private_ike_sa_t *this)
824 {
825 return this->pending_updates;
826 }
827
828 METHOD(ike_sa_t, float_ports, void,
829 private_ike_sa_t *this)
830 {
831 /* do not switch if we have a custom port from MOBIKE/NAT */
832 if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
833 {
834 this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
835 }
836 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
837 {
838 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
839 }
840 }
841
842 METHOD(ike_sa_t, update_hosts, void,
843 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
844 {
845 bool update = FALSE;
846
847 if (me == NULL)
848 {
849 me = this->my_host;
850 }
851 if (other == NULL)
852 {
853 other = this->other_host;
854 }
855
856 /* apply hosts on first received message */
857 if (this->my_host->is_anyaddr(this->my_host) ||
858 this->other_host->is_anyaddr(this->other_host))
859 {
860 set_my_host(this, me->clone(me));
861 set_other_host(this, other->clone(other));
862 update = TRUE;
863 }
864 else
865 {
866 /* update our address in any case */
867 if (!me->equals(me, this->my_host))
868 {
869 set_my_host(this, me->clone(me));
870 update = TRUE;
871 }
872
873 if (!other->equals(other, this->other_host))
874 {
875 /* update others address if we are NOT NATed */
876 if (force || !has_condition(this, COND_NAT_HERE))
877 {
878 set_other_host(this, other->clone(other));
879 update = TRUE;
880 }
881 }
882 }
883
884 /* update all associated CHILD_SAs, if required */
885 if (update)
886 {
887 enumerator_t *enumerator;
888 child_sa_t *child_sa;
889
890 enumerator = this->child_sas->create_enumerator(this->child_sas);
891 while (enumerator->enumerate(enumerator, (void**)&child_sa))
892 {
893 if (child_sa->update(child_sa, this->my_host,
894 this->other_host, this->my_virtual_ip,
895 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
896 {
897 this->public.rekey_child_sa(&this->public,
898 child_sa->get_protocol(child_sa),
899 child_sa->get_spi(child_sa, TRUE));
900 }
901 }
902 enumerator->destroy(enumerator);
903 }
904 }
905
906 METHOD(ike_sa_t, generate_message, status_t,
907 private_ike_sa_t *this, message_t *message, packet_t **packet)
908 {
909 if (message->is_encoded(message))
910 { /* already done */
911 *packet = message->get_packet(message);
912 return SUCCESS;
913 }
914 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
915 message->set_ike_sa_id(message, this->ike_sa_id);
916 charon->bus->message(charon->bus, message, FALSE);
917 return message->generate(message,
918 this->keymat->get_aead(this->keymat, FALSE), packet);
919 }
920
921 /**
922 * send a notify back to the sender
923 */
924 static void send_notify_response(private_ike_sa_t *this, message_t *request,
925 notify_type_t type, chunk_t data)
926 {
927 message_t *response;
928 packet_t *packet;
929
930 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
931 response->set_exchange_type(response, request->get_exchange_type(request));
932 response->set_request(response, FALSE);
933 response->set_message_id(response, request->get_message_id(request));
934 response->add_notify(response, FALSE, type, data);
935 if (this->my_host->is_anyaddr(this->my_host))
936 {
937 this->my_host->destroy(this->my_host);
938 this->my_host = request->get_destination(request);
939 this->my_host = this->my_host->clone(this->my_host);
940 }
941 if (this->other_host->is_anyaddr(this->other_host))
942 {
943 this->other_host->destroy(this->other_host);
944 this->other_host = request->get_source(request);
945 this->other_host = this->other_host->clone(this->other_host);
946 }
947 response->set_source(response, this->my_host->clone(this->my_host));
948 response->set_destination(response, this->other_host->clone(this->other_host));
949 if (generate_message(this, response, &packet) == SUCCESS)
950 {
951 charon->sender->send(charon->sender, packet);
952 }
953 response->destroy(response);
954 }
955
956 METHOD(ike_sa_t, set_kmaddress, void,
957 private_ike_sa_t *this, host_t *local, host_t *remote)
958 {
959 DESTROY_IF(this->local_host);
960 DESTROY_IF(this->remote_host);
961 this->local_host = local->clone(local);
962 this->remote_host = remote->clone(remote);
963 }
964
965 #ifdef ME
966 METHOD(ike_sa_t, act_as_mediation_server, void,
967 private_ike_sa_t *this)
968 {
969 charon->mediation_manager->update_sa_id(charon->mediation_manager,
970 this->other_id, this->ike_sa_id);
971 this->is_mediation_server = TRUE;
972 }
973
974 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
975 private_ike_sa_t *this)
976 {
977 return this->server_reflexive_host;
978 }
979
980 METHOD(ike_sa_t, set_server_reflexive_host, void,
981 private_ike_sa_t *this, host_t *host)
982 {
983 DESTROY_IF(this->server_reflexive_host);
984 this->server_reflexive_host = host;
985 }
986
987 METHOD(ike_sa_t, get_connect_id, chunk_t,
988 private_ike_sa_t *this)
989 {
990 return this->connect_id;
991 }
992
993 METHOD(ike_sa_t, respond, status_t,
994 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
995 {
996 ike_me_t *task = ike_me_create(&this->public, TRUE);
997 task->respond(task, peer_id, connect_id);
998 this->task_manager->queue_task(this->task_manager, (task_t*)task);
999 return this->task_manager->initiate(this->task_manager);
1000 }
1001
1002 METHOD(ike_sa_t, callback, status_t,
1003 private_ike_sa_t *this, identification_t *peer_id)
1004 {
1005 ike_me_t *task = ike_me_create(&this->public, TRUE);
1006 task->callback(task, peer_id);
1007 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1008 return this->task_manager->initiate(this->task_manager);
1009 }
1010
1011 METHOD(ike_sa_t, relay, status_t,
1012 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1013 chunk_t connect_key, linked_list_t *endpoints, bool response)
1014 {
1015 ike_me_t *task = ike_me_create(&this->public, TRUE);
1016 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1017 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1018 return this->task_manager->initiate(this->task_manager);
1019 }
1020
1021 METHOD(ike_sa_t, initiate_mediation, status_t,
1022 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1023 {
1024 ike_me_t *task = ike_me_create(&this->public, TRUE);
1025 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1026 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1027 return this->task_manager->initiate(this->task_manager);
1028 }
1029
1030 METHOD(ike_sa_t, initiate_mediated, status_t,
1031 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1032 {
1033 set_my_host(this, me->clone(me));
1034 set_other_host(this, other->clone(other));
1035 chunk_free(&this->connect_id);
1036 this->connect_id = chunk_clone(connect_id);
1037 return this->task_manager->initiate(this->task_manager);
1038 }
1039 #endif /* ME */
1040
1041 /**
1042 * Resolve DNS host in configuration
1043 */
1044 static void resolve_hosts(private_ike_sa_t *this)
1045 {
1046 host_t *host;
1047
1048 if (this->remote_host)
1049 {
1050 host = this->remote_host->clone(this->remote_host);
1051 host->set_port(host, IKEV2_UDP_PORT);
1052 }
1053 else
1054 {
1055 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1056 0, this->ike_cfg->get_other_port(this->ike_cfg));
1057 }
1058 if (host)
1059 {
1060 set_other_host(this, host);
1061 }
1062
1063 if (this->local_host)
1064 {
1065 host = this->local_host->clone(this->local_host);
1066 host->set_port(host, IKEV2_UDP_PORT);
1067 }
1068 else
1069 {
1070 int family = 0;
1071
1072 /* use same address family as for other */
1073 if (!this->other_host->is_anyaddr(this->other_host))
1074 {
1075 family = this->other_host->get_family(this->other_host);
1076 }
1077 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1078 family, this->ike_cfg->get_my_port(this->ike_cfg));
1079
1080 if (host && host->is_anyaddr(host) &&
1081 !this->other_host->is_anyaddr(this->other_host))
1082 {
1083 host->destroy(host);
1084 host = hydra->kernel_interface->get_source_addr(
1085 hydra->kernel_interface, this->other_host, NULL);
1086 if (host)
1087 {
1088 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1089 }
1090 else
1091 { /* fallback to address family specific %any(6), if configured */
1092 host = host_create_from_dns(
1093 this->ike_cfg->get_my_addr(this->ike_cfg),
1094 0, this->ike_cfg->get_my_port(this->ike_cfg));
1095 }
1096 }
1097 }
1098 if (host)
1099 {
1100 set_my_host(this, host);
1101 }
1102 }
1103
1104 METHOD(ike_sa_t, initiate, status_t,
1105 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1106 traffic_selector_t *tsi, traffic_selector_t *tsr)
1107 {
1108 task_t *task;
1109
1110 if (this->state == IKE_CREATED)
1111 {
1112 resolve_hosts(this);
1113
1114 if (this->other_host->is_anyaddr(this->other_host)
1115 #ifdef ME
1116 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1117 #endif /* ME */
1118 )
1119 {
1120 child_cfg->destroy(child_cfg);
1121 DBG1(DBG_IKE, "unable to initiate to %%any");
1122 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1123 return DESTROY_ME;
1124 }
1125
1126 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1127
1128 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1129 this->task_manager->queue_task(this->task_manager, task);
1130 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1131 this->task_manager->queue_task(this->task_manager, task);
1132 task = (task_t*)ike_natd_create(&this->public, TRUE);
1133 this->task_manager->queue_task(this->task_manager, task);
1134 task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
1135 this->task_manager->queue_task(this->task_manager, task);
1136 task = (task_t*)ike_auth_create(&this->public, TRUE);
1137 this->task_manager->queue_task(this->task_manager, task);
1138 task = (task_t*)ike_cert_post_create(&this->public, TRUE);
1139 this->task_manager->queue_task(this->task_manager, task);
1140 task = (task_t*)ike_config_create(&this->public, TRUE);
1141 this->task_manager->queue_task(this->task_manager, task);
1142 task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
1143 this->task_manager->queue_task(this->task_manager, task);
1144 if (this->peer_cfg->use_mobike(this->peer_cfg))
1145 {
1146 task = (task_t*)ike_mobike_create(&this->public, TRUE);
1147 this->task_manager->queue_task(this->task_manager, task);
1148 }
1149 #ifdef ME
1150 task = (task_t*)ike_me_create(&this->public, TRUE);
1151 this->task_manager->queue_task(this->task_manager, task);
1152 #endif /* ME */
1153 }
1154
1155 #ifdef ME
1156 if (this->peer_cfg->is_mediation(this->peer_cfg))
1157 {
1158 if (this->state == IKE_ESTABLISHED)
1159 {
1160 /* mediation connection is already established, retrigger state
1161 * change to notify bus listeners */
1162 DBG1(DBG_IKE, "mediation connection is already up");
1163 set_state(this, IKE_ESTABLISHED);
1164 }
1165 DESTROY_IF(child_cfg);
1166 }
1167 else
1168 #endif /* ME */
1169 {
1170 /* normal IKE_SA with CHILD_SA */
1171 task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
1172 tsi, tsr);
1173 child_cfg->destroy(child_cfg);
1174 if (reqid)
1175 {
1176 child_create_t *child_create = (child_create_t*)task;
1177 child_create->use_reqid(child_create, reqid);
1178 }
1179 this->task_manager->queue_task(this->task_manager, task);
1180
1181 #ifdef ME
1182 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1183 {
1184 /* mediated connection, initiate mediation process */
1185 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1186 lib->processor->queue_job(lib->processor, job);
1187 return SUCCESS;
1188 }
1189 #endif /* ME */
1190 }
1191
1192 return this->task_manager->initiate(this->task_manager);
1193 }
1194
1195 METHOD(ike_sa_t, process_message, status_t,
1196 private_ike_sa_t *this, message_t *message)
1197 {
1198 status_t status;
1199 bool is_request;
1200 u_int8_t type = 0;
1201
1202 if (this->state == IKE_PASSIVE)
1203 { /* do not handle messages in passive state */
1204 return FAILED;
1205 }
1206
1207 is_request = message->get_request(message);
1208
1209 status = message->parse_body(message,
1210 this->keymat->get_aead(this->keymat, TRUE));
1211 if (status == SUCCESS)
1212 { /* check for unsupported critical payloads */
1213 enumerator_t *enumerator;
1214 unknown_payload_t *unknown;
1215 payload_t *payload;
1216
1217 enumerator = message->create_payload_enumerator(message);
1218 while (enumerator->enumerate(enumerator, &payload))
1219 {
1220 unknown = (unknown_payload_t*)payload;
1221 type = payload->get_type(payload);
1222 if (!payload_is_known(type) &&
1223 unknown->is_critical(unknown))
1224 {
1225 DBG1(DBG_ENC, "payload type %N is not supported, "
1226 "but its critical!", payload_type_names, type);
1227 status = NOT_SUPPORTED;
1228 }
1229 }
1230 enumerator->destroy(enumerator);
1231 }
1232 if (status != SUCCESS)
1233 {
1234 if (is_request)
1235 {
1236 switch (status)
1237 {
1238 case NOT_SUPPORTED:
1239 DBG1(DBG_IKE, "critical unknown payloads found");
1240 if (is_request)
1241 {
1242 send_notify_response(this, message,
1243 UNSUPPORTED_CRITICAL_PAYLOAD,
1244 chunk_from_thing(type));
1245 this->task_manager->incr_mid(this->task_manager, FALSE);
1246 }
1247 break;
1248 case PARSE_ERROR:
1249 DBG1(DBG_IKE, "message parsing failed");
1250 if (is_request)
1251 {
1252 send_notify_response(this, message,
1253 INVALID_SYNTAX, chunk_empty);
1254 this->task_manager->incr_mid(this->task_manager, FALSE);
1255 }
1256 break;
1257 case VERIFY_ERROR:
1258 DBG1(DBG_IKE, "message verification failed");
1259 if (is_request)
1260 {
1261 send_notify_response(this, message,
1262 INVALID_SYNTAX, chunk_empty);
1263 this->task_manager->incr_mid(this->task_manager, FALSE);
1264 }
1265 break;
1266 case FAILED:
1267 DBG1(DBG_IKE, "integrity check failed");
1268 /* ignored */
1269 break;
1270 case INVALID_STATE:
1271 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1272 default:
1273 break;
1274 }
1275 }
1276 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1277 exchange_type_names, message->get_exchange_type(message),
1278 message->get_request(message) ? "request" : "response",
1279 message->get_message_id(message));
1280
1281 if (this->state == IKE_CREATED)
1282 { /* invalid initiation attempt, close SA */
1283 return DESTROY_ME;
1284 }
1285 }
1286 else
1287 {
1288 /* if this IKE_SA is virgin, we check for a config */
1289 if (this->ike_cfg == NULL)
1290 {
1291 job_t *job;
1292 host_t *me = message->get_destination(message),
1293 *other = message->get_source(message);
1294 this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1295 me, other);
1296 if (this->ike_cfg == NULL)
1297 {
1298 /* no config found for these hosts, destroy */
1299 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1300 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1301 send_notify_response(this, message,
1302 NO_PROPOSAL_CHOSEN, chunk_empty);
1303 return DESTROY_ME;
1304 }
1305 /* add a timeout if peer does not establish it completely */
1306 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
1307 lib->scheduler->schedule_job(lib->scheduler, job,
1308 lib->settings->get_int(lib->settings,
1309 "charon.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT));
1310 }
1311 this->stats[STAT_INBOUND] = time_monotonic(NULL);
1312 status = this->task_manager->process_message(this->task_manager,
1313 message);
1314 if (message->get_exchange_type(message) == IKE_AUTH &&
1315 this->state == IKE_ESTABLISHED &&
1316 lib->settings->get_bool(lib->settings,
1317 "charon.flush_auth_cfg", FALSE))
1318 { /* authentication completed */
1319 flush_auth_cfgs(this);
1320 }
1321 }
1322 return status;
1323 }
1324
1325 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1326 private_ike_sa_t *this)
1327 {
1328 return this->ike_sa_id;
1329 }
1330
1331 METHOD(ike_sa_t, get_my_id, identification_t*,
1332 private_ike_sa_t *this)
1333 {
1334 return this->my_id;
1335 }
1336
1337 METHOD(ike_sa_t, set_my_id, void,
1338 private_ike_sa_t *this, identification_t *me)
1339 {
1340 DESTROY_IF(this->my_id);
1341 this->my_id = me;
1342 }
1343
1344 METHOD(ike_sa_t, get_other_id, identification_t*,
1345 private_ike_sa_t *this)
1346 {
1347 return this->other_id;
1348 }
1349
1350 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1351 private_ike_sa_t *this)
1352 {
1353 identification_t *id = NULL, *current;
1354 enumerator_t *enumerator;
1355 auth_cfg_t *cfg;
1356
1357 enumerator = this->other_auths->create_enumerator(this->other_auths);
1358 while (enumerator->enumerate(enumerator, &cfg))
1359 {
1360 /* prefer EAP-Identity of last round */
1361 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1362 if (!current || current->get_type(current) == ID_ANY)
1363 {
1364 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1365 }
1366 if (current && current->get_type(current) != ID_ANY)
1367 {
1368 id = current;
1369 continue;
1370 }
1371 }
1372 enumerator->destroy(enumerator);
1373 if (id)
1374 {
1375 return id;
1376 }
1377 return this->other_id;
1378 }
1379
1380 METHOD(ike_sa_t, set_other_id, void,
1381 private_ike_sa_t *this, identification_t *other)
1382 {
1383 DESTROY_IF(this->other_id);
1384 this->other_id = other;
1385 }
1386
1387 METHOD(ike_sa_t, add_child_sa, void,
1388 private_ike_sa_t *this, child_sa_t *child_sa)
1389 {
1390 this->child_sas->insert_last(this->child_sas, child_sa);
1391 }
1392
1393 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1394 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1395 {
1396 enumerator_t *enumerator;
1397 child_sa_t *current, *found = NULL;
1398
1399 enumerator = this->child_sas->create_enumerator(this->child_sas);
1400 while (enumerator->enumerate(enumerator, (void**)&current))
1401 {
1402 if (current->get_spi(current, inbound) == spi &&
1403 current->get_protocol(current) == protocol)
1404 {
1405 found = current;
1406 }
1407 }
1408 enumerator->destroy(enumerator);
1409 return found;
1410 }
1411
1412 METHOD(ike_sa_t, get_child_count, int,
1413 private_ike_sa_t *this)
1414 {
1415 return this->child_sas->get_count(this->child_sas);
1416 }
1417
1418 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1419 private_ike_sa_t *this)
1420 {
1421 return this->child_sas->create_enumerator(this->child_sas);
1422 }
1423
1424 METHOD(ike_sa_t, remove_child_sa, void,
1425 private_ike_sa_t *this, enumerator_t *enumerator)
1426 {
1427 this->child_sas->remove_at(this->child_sas, enumerator);
1428 }
1429
1430 METHOD(ike_sa_t, rekey_child_sa, status_t,
1431 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1432 {
1433 child_rekey_t *child_rekey;
1434
1435 child_rekey = child_rekey_create(&this->public, protocol, spi);
1436 this->task_manager->queue_task(this->task_manager, &child_rekey->task);
1437 return this->task_manager->initiate(this->task_manager);
1438 }
1439
1440 METHOD(ike_sa_t, delete_child_sa, status_t,
1441 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1442 {
1443 child_delete_t *child_delete;
1444
1445 child_delete = child_delete_create(&this->public, protocol, spi);
1446 this->task_manager->queue_task(this->task_manager, &child_delete->task);
1447 return this->task_manager->initiate(this->task_manager);
1448 }
1449
1450 METHOD(ike_sa_t, destroy_child_sa, status_t,
1451 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1452 {
1453 enumerator_t *enumerator;
1454 child_sa_t *child_sa;
1455 status_t status = NOT_FOUND;
1456
1457 enumerator = this->child_sas->create_enumerator(this->child_sas);
1458 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1459 {
1460 if (child_sa->get_protocol(child_sa) == protocol &&
1461 child_sa->get_spi(child_sa, TRUE) == spi)
1462 {
1463 this->child_sas->remove_at(this->child_sas, enumerator);
1464 child_sa->destroy(child_sa);
1465 status = SUCCESS;
1466 break;
1467 }
1468 }
1469 enumerator->destroy(enumerator);
1470 return status;
1471 }
1472
1473 METHOD(ike_sa_t, delete_, status_t,
1474 private_ike_sa_t *this)
1475 {
1476 ike_delete_t *ike_delete;
1477
1478 switch (this->state)
1479 {
1480 case IKE_ESTABLISHED:
1481 case IKE_REKEYING:
1482 ike_delete = ike_delete_create(&this->public, TRUE);
1483 this->task_manager->queue_task(this->task_manager, &ike_delete->task);
1484 return this->task_manager->initiate(this->task_manager);
1485 case IKE_CREATED:
1486 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1487 break;
1488 case IKE_PASSIVE:
1489 break;
1490 default:
1491 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1492 "without notification", ike_sa_state_names, this->state);
1493 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1494 break;
1495 }
1496 return DESTROY_ME;
1497 }
1498
1499 METHOD(ike_sa_t, rekey, status_t,
1500 private_ike_sa_t *this)
1501 {
1502 ike_rekey_t *ike_rekey;
1503
1504 ike_rekey = ike_rekey_create(&this->public, TRUE);
1505
1506 this->task_manager->queue_task(this->task_manager, &ike_rekey->task);
1507 return this->task_manager->initiate(this->task_manager);
1508 }
1509
1510 METHOD(ike_sa_t, reauth, status_t,
1511 private_ike_sa_t *this)
1512 {
1513 task_t *task;
1514
1515 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1516 * If the peer does not support RFC4478, there is no way to keep the
1517 * IKE_SA up. */
1518 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1519 {
1520 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1521 if (this->other_virtual_ip != NULL ||
1522 has_condition(this, COND_EAP_AUTHENTICATED)
1523 #ifdef ME
1524 /* as mediation server we too cannot reauth the IKE_SA */
1525 || this->is_mediation_server
1526 #endif /* ME */
1527 )
1528 {
1529 time_t now = time_monotonic(NULL);
1530
1531 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1532 &now, &this->stats[STAT_DELETE]);
1533 return FAILED;
1534 }
1535 else
1536 {
1537 DBG1(DBG_IKE, "reauthenticating actively");
1538 }
1539 }
1540 task = (task_t*)ike_reauth_create(&this->public);
1541 this->task_manager->queue_task(this->task_manager, task);
1542
1543 return this->task_manager->initiate(this->task_manager);
1544 }
1545
1546 METHOD(ike_sa_t, reestablish, status_t,
1547 private_ike_sa_t *this)
1548 {
1549 ike_sa_t *new;
1550 host_t *host;
1551 action_t action;
1552 enumerator_t *enumerator;
1553 child_sa_t *child_sa;
1554 child_cfg_t *child_cfg;
1555 bool restart = FALSE;
1556 status_t status = FAILED;
1557
1558 /* check if we have children to keep up at all */
1559 enumerator = this->child_sas->create_enumerator(this->child_sas);
1560 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1561 {
1562 if (this->state == IKE_DELETING)
1563 {
1564 action = child_sa->get_close_action(child_sa);
1565 }
1566 else
1567 {
1568 action = child_sa->get_dpd_action(child_sa);
1569 }
1570 switch (action)
1571 {
1572 case ACTION_RESTART:
1573 restart = TRUE;
1574 break;
1575 case ACTION_ROUTE:
1576 charon->traps->install(charon->traps, this->peer_cfg,
1577 child_sa->get_config(child_sa));
1578 break;
1579 default:
1580 break;
1581 }
1582 }
1583 enumerator->destroy(enumerator);
1584 #ifdef ME
1585 /* mediation connections have no children, keep them up anyway */
1586 if (this->peer_cfg->is_mediation(this->peer_cfg))
1587 {
1588 restart = TRUE;
1589 }
1590 #endif /* ME */
1591 if (!restart)
1592 {
1593 return FAILED;
1594 }
1595
1596 /* check if we are able to reestablish this IKE_SA */
1597 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1598 (this->other_virtual_ip != NULL ||
1599 has_condition(this, COND_EAP_AUTHENTICATED)
1600 #ifdef ME
1601 || this->is_mediation_server
1602 #endif /* ME */
1603 ))
1604 {
1605 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1606 return FAILED;
1607 }
1608
1609 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
1610 new->set_peer_cfg(new, this->peer_cfg);
1611 host = this->other_host;
1612 new->set_other_host(new, host->clone(host));
1613 host = this->my_host;
1614 new->set_my_host(new, host->clone(host));
1615 /* if we already have a virtual IP, we reuse it */
1616 host = this->my_virtual_ip;
1617 if (host)
1618 {
1619 new->set_virtual_ip(new, TRUE, host);
1620 }
1621
1622 #ifdef ME
1623 if (this->peer_cfg->is_mediation(this->peer_cfg))
1624 {
1625 status = new->initiate(new, NULL, 0, NULL, NULL);
1626 }
1627 else
1628 #endif /* ME */
1629 {
1630 enumerator = this->child_sas->create_enumerator(this->child_sas);
1631 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1632 {
1633 if (this->state == IKE_DELETING)
1634 {
1635 action = child_sa->get_close_action(child_sa);
1636 }
1637 else
1638 {
1639 action = child_sa->get_dpd_action(child_sa);
1640 }
1641 switch (action)
1642 {
1643 case ACTION_RESTART:
1644 child_cfg = child_sa->get_config(child_sa);
1645 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1646 child_cfg->get_name(child_cfg));
1647 child_cfg->get_ref(child_cfg);
1648 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1649 break;
1650 default:
1651 continue;
1652 }
1653 if (status == DESTROY_ME)
1654 {
1655 break;
1656 }
1657 }
1658 enumerator->destroy(enumerator);
1659 }
1660
1661 if (status == DESTROY_ME)
1662 {
1663 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1664 status = FAILED;
1665 }
1666 else
1667 {
1668 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1669 status = SUCCESS;
1670 }
1671 charon->bus->set_sa(charon->bus, &this->public);
1672 return status;
1673 }
1674
1675 /**
1676 * Requeue the IKE_SA_INIT tasks for initiation, if required
1677 */
1678 static void requeue_init_tasks(private_ike_sa_t *this)
1679 {
1680 enumerator_t *enumerator;
1681 bool has_init = FALSE;
1682 task_t *task;
1683
1684 /* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks
1685 * have already completed. Recreate them if necessary. */
1686 enumerator = this->task_manager->create_task_enumerator(
1687 this->task_manager, TASK_QUEUE_QUEUED);
1688 while (enumerator->enumerate(enumerator, &task))
1689 {
1690 if (task->get_type(task) == IKE_INIT)
1691 {
1692 has_init = TRUE;
1693 break;
1694 }
1695 }
1696 enumerator->destroy(enumerator);
1697
1698 if (!has_init)
1699 {
1700 task = (task_t*)ike_vendor_create(&this->public, TRUE);
1701 this->task_manager->queue_task(this->task_manager, task);
1702 task = (task_t*)ike_natd_create(&this->public, TRUE);
1703 this->task_manager->queue_task(this->task_manager, task);
1704 task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
1705 this->task_manager->queue_task(this->task_manager, task);
1706 }
1707 }
1708
1709 METHOD(ike_sa_t, retransmit, status_t,
1710 private_ike_sa_t *this, u_int32_t message_id)
1711 {
1712 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1713 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1714 {
1715 /* send a proper signal to brief interested bus listeners */
1716 switch (this->state)
1717 {
1718 case IKE_CONNECTING:
1719 {
1720 /* retry IKE_SA_INIT if we have multiple keyingtries */
1721 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1722 this->keyingtry++;
1723 if (tries == 0 || tries > this->keyingtry)
1724 {
1725 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1726 this->keyingtry + 1, tries);
1727 reset(this);
1728 requeue_init_tasks(this);
1729 return this->task_manager->initiate(this->task_manager);
1730 }
1731 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1732 break;
1733 }
1734 case IKE_DELETING:
1735 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1736 break;
1737 case IKE_REKEYING:
1738 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1739 /* FALL */
1740 default:
1741 reestablish(this);
1742 break;
1743 }
1744 return DESTROY_ME;
1745 }
1746 return SUCCESS;
1747 }
1748
1749 METHOD(ike_sa_t, set_auth_lifetime, void,
1750 private_ike_sa_t *this, u_int32_t lifetime)
1751 {
1752 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1753 u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
1754
1755 if (lifetime < reduction)
1756 {
1757 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1758 lifetime);
1759 lib->processor->queue_job(lib->processor,
1760 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1761 }
1762 else if (this->stats[STAT_REAUTH] == 0 ||
1763 this->stats[STAT_REAUTH] > reauth_time)
1764 {
1765 this->stats[STAT_REAUTH] = reauth_time;
1766 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1767 " in %ds", lifetime, lifetime - reduction);
1768 lib->scheduler->schedule_job(lib->scheduler,
1769 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1770 lifetime - reduction);
1771 }
1772 else
1773 {
1774 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1775 "reauthentication already scheduled in %ds", lifetime,
1776 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1777 }
1778 }
1779
1780 /**
1781 * Check if the current combination of source and destination address is still
1782 * valid.
1783 */
1784 static bool is_current_path_valid(private_ike_sa_t *this)
1785 {
1786 bool valid = FALSE;
1787 host_t *src;
1788 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1789 this->other_host, this->my_host);
1790 if (src)
1791 {
1792 if (src->ip_equals(src, this->my_host))
1793 {
1794 valid = TRUE;
1795 }
1796 src->destroy(src);
1797 }
1798 return valid;
1799 }
1800
1801 /**
1802 * Check if we have any path avialable for this IKE SA.
1803 */
1804 static bool is_any_path_valid(private_ike_sa_t *this)
1805 {
1806 bool valid = FALSE;
1807 enumerator_t *enumerator;
1808 host_t *src, *addr;
1809 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1810 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1811 this->other_host, NULL);
1812 if (!src)
1813 {
1814 enumerator = this->additional_addresses->create_enumerator(
1815 this->additional_addresses);
1816 while (enumerator->enumerate(enumerator, &addr))
1817 {
1818 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1819 src = hydra->kernel_interface->get_source_addr(
1820 hydra->kernel_interface, addr, NULL);
1821 if (src)
1822 {
1823 break;
1824 }
1825 }
1826 enumerator->destroy(enumerator);
1827 }
1828 if (src)
1829 {
1830 valid = TRUE;
1831 src->destroy(src);
1832 }
1833 return valid;
1834 }
1835
1836 METHOD(ike_sa_t, roam, status_t,
1837 private_ike_sa_t *this, bool address)
1838 {
1839 ike_mobike_t *mobike;
1840
1841 switch (this->state)
1842 {
1843 case IKE_CREATED:
1844 case IKE_DELETING:
1845 case IKE_DESTROYING:
1846 case IKE_PASSIVE:
1847 return SUCCESS;
1848 default:
1849 break;
1850 }
1851
1852 /* keep existing path if possible */
1853 if (is_current_path_valid(this))
1854 {
1855 DBG2(DBG_IKE, "keeping connection path %H - %H",
1856 this->my_host, this->other_host);
1857 set_condition(this, COND_STALE, FALSE);
1858
1859 if (supports_extension(this, EXT_MOBIKE) && address)
1860 { /* if any addresses changed, send an updated list */
1861 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1862 mobike = ike_mobike_create(&this->public, TRUE);
1863 mobike->addresses(mobike);
1864 this->task_manager->queue_task(this->task_manager,
1865 (task_t*)mobike);
1866 return this->task_manager->initiate(this->task_manager);
1867 }
1868 return SUCCESS;
1869 }
1870
1871 if (!is_any_path_valid(this))
1872 {
1873 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1874 this->other_host);
1875 set_condition(this, COND_STALE, TRUE);
1876 return SUCCESS;
1877 }
1878 set_condition(this, COND_STALE, FALSE);
1879
1880 /* update addresses with mobike, if supported ... */
1881 if (supports_extension(this, EXT_MOBIKE))
1882 {
1883 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1884 { /* responder updates the peer about changed address config */
1885 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1886 "implicitly requesting an address change");
1887 address = TRUE;
1888 }
1889 else
1890 {
1891 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1892 }
1893 mobike = ike_mobike_create(&this->public, TRUE);
1894 mobike->roam(mobike, address);
1895 this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
1896 return this->task_manager->initiate(this->task_manager);
1897 }
1898
1899 /* ... reauth if not */
1900 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1901 { /* responder does not reauthenticate */
1902 set_condition(this, COND_STALE, TRUE);
1903 return SUCCESS;
1904 }
1905 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1906 return reauth(this);
1907 }
1908
1909 METHOD(ike_sa_t, add_configuration_attribute, void,
1910 private_ike_sa_t *this, attribute_handler_t *handler,
1911 configuration_attribute_type_t type, chunk_t data)
1912 {
1913 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1914
1915 entry->handler = handler;
1916 entry->type = type;
1917 entry->data = chunk_clone(data);
1918
1919 this->attributes->insert_last(this->attributes, entry);
1920 }
1921
1922 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1923 private_ike_sa_t *this, task_queue_t queue)
1924 {
1925 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1926 }
1927
1928 METHOD(ike_sa_t, inherit, void,
1929 private_ike_sa_t *this, ike_sa_t *other_public)
1930 {
1931 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1932 child_sa_t *child_sa;
1933 attribute_entry_t *entry;
1934 enumerator_t *enumerator;
1935 auth_cfg_t *cfg;
1936
1937 /* apply hosts and ids */
1938 this->my_host->destroy(this->my_host);
1939 this->other_host->destroy(this->other_host);
1940 this->my_id->destroy(this->my_id);
1941 this->other_id->destroy(this->other_id);
1942 this->my_host = other->my_host->clone(other->my_host);
1943 this->other_host = other->other_host->clone(other->other_host);
1944 this->my_id = other->my_id->clone(other->my_id);
1945 this->other_id = other->other_id->clone(other->other_id);
1946
1947 /* apply virtual assigned IPs... */
1948 if (other->my_virtual_ip)
1949 {
1950 this->my_virtual_ip = other->my_virtual_ip;
1951 other->my_virtual_ip = NULL;
1952 }
1953 if (other->other_virtual_ip)
1954 {
1955 this->other_virtual_ip = other->other_virtual_ip;
1956 other->other_virtual_ip = NULL;
1957 }
1958
1959 /* authentication information */
1960 enumerator = other->my_auths->create_enumerator(other->my_auths);
1961 while (enumerator->enumerate(enumerator, &cfg))
1962 {
1963 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1964 }
1965 enumerator->destroy(enumerator);
1966 enumerator = other->other_auths->create_enumerator(other->other_auths);
1967 while (enumerator->enumerate(enumerator, &cfg))
1968 {
1969 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1970 }
1971 enumerator->destroy(enumerator);
1972
1973 /* ... and configuration attributes */
1974 while (other->attributes->remove_last(other->attributes,
1975 (void**)&entry) == SUCCESS)
1976 {
1977 this->attributes->insert_first(this->attributes, entry);
1978 }
1979
1980 /* inherit all conditions */
1981 this->conditions = other->conditions;
1982 if (this->conditions & COND_NAT_HERE)
1983 {
1984 send_keepalive(this);
1985 }
1986
1987 #ifdef ME
1988 if (other->is_mediation_server)
1989 {
1990 act_as_mediation_server(this);
1991 }
1992 else if (other->server_reflexive_host)
1993 {
1994 this->server_reflexive_host = other->server_reflexive_host->clone(
1995 other->server_reflexive_host);
1996 }
1997 #endif /* ME */
1998
1999 /* adopt all children */
2000 while (other->child_sas->remove_last(other->child_sas,
2001 (void**)&child_sa) == SUCCESS)
2002 {
2003 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
2004 }
2005
2006 /* move pending tasks to the new IKE_SA */
2007 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2008
2009 /* reauthentication timeout survives a rekeying */
2010 if (other->stats[STAT_REAUTH])
2011 {
2012 time_t reauth, delete, now = time_monotonic(NULL);
2013
2014 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2015 reauth = this->stats[STAT_REAUTH] - now;
2016 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2017 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2018 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2019 "lifetime reduced to %ds", reauth, delete);
2020 lib->scheduler->schedule_job(lib->scheduler,
2021 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2022 lib->scheduler->schedule_job(lib->scheduler,
2023 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2024 }
2025 }
2026
2027 METHOD(ike_sa_t, destroy, void,
2028 private_ike_sa_t *this)
2029 {
2030 attribute_entry_t *entry;
2031
2032 charon->bus->set_sa(charon->bus, &this->public);
2033
2034 set_state(this, IKE_DESTROYING);
2035 this->task_manager->destroy(this->task_manager);
2036
2037 /* remove attributes first, as we pass the IKE_SA to the handler */
2038 while (this->attributes->remove_last(this->attributes,
2039 (void**)&entry) == SUCCESS)
2040 {
2041 hydra->attributes->release(hydra->attributes, entry->handler,
2042 this->other_id, entry->type, entry->data);
2043 free(entry->data.ptr);
2044 free(entry);
2045 }
2046 this->attributes->destroy(this->attributes);
2047
2048 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
2049
2050 /* unset SA after here to avoid usage by the listeners */
2051 charon->bus->set_sa(charon->bus, NULL);
2052
2053 this->keymat->destroy(this->keymat);
2054
2055 if (this->my_virtual_ip)
2056 {
2057 hydra->kernel_interface->del_ip(hydra->kernel_interface,
2058 this->my_virtual_ip);
2059 this->my_virtual_ip->destroy(this->my_virtual_ip);
2060 }
2061 if (this->other_virtual_ip)
2062 {
2063 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
2064 {
2065 hydra->attributes->release_address(hydra->attributes,
2066 this->peer_cfg->get_pool(this->peer_cfg),
2067 this->other_virtual_ip, get_other_eap_id(this));
2068 }
2069 this->other_virtual_ip->destroy(this->other_virtual_ip);
2070 }
2071 this->additional_addresses->destroy_offset(this->additional_addresses,
2072 offsetof(host_t, destroy));
2073 #ifdef ME
2074 if (this->is_mediation_server)
2075 {
2076 charon->mediation_manager->remove(charon->mediation_manager,
2077 this->ike_sa_id);
2078 }
2079 DESTROY_IF(this->server_reflexive_host);
2080 chunk_free(&this->connect_id);
2081 #endif /* ME */
2082 free(this->nat_detection_dest.ptr);
2083
2084 DESTROY_IF(this->my_host);
2085 DESTROY_IF(this->other_host);
2086 DESTROY_IF(this->my_id);
2087 DESTROY_IF(this->other_id);
2088 DESTROY_IF(this->local_host);
2089 DESTROY_IF(this->remote_host);
2090
2091 DESTROY_IF(this->ike_cfg);
2092 DESTROY_IF(this->peer_cfg);
2093 DESTROY_IF(this->proposal);
2094 this->my_auth->destroy(this->my_auth);
2095 this->other_auth->destroy(this->other_auth);
2096 this->my_auths->destroy_offset(this->my_auths,
2097 offsetof(auth_cfg_t, destroy));
2098 this->other_auths->destroy_offset(this->other_auths,
2099 offsetof(auth_cfg_t, destroy));
2100
2101 this->ike_sa_id->destroy(this->ike_sa_id);
2102 free(this);
2103 }
2104
2105 /*
2106 * Described in header.
2107 */
2108 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
2109 {
2110 private_ike_sa_t *this;
2111 static u_int32_t unique_id = 0;
2112
2113 INIT(this,
2114 .public = {
2115 .get_state = _get_state,
2116 .set_state = _set_state,
2117 .get_name = _get_name,
2118 .get_statistic = _get_statistic,
2119 .process_message = _process_message,
2120 .initiate = _initiate,
2121 .get_ike_cfg = _get_ike_cfg,
2122 .set_ike_cfg = _set_ike_cfg,
2123 .get_peer_cfg = _get_peer_cfg,
2124 .set_peer_cfg = _set_peer_cfg,
2125 .get_auth_cfg = _get_auth_cfg,
2126 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
2127 .add_auth_cfg = _add_auth_cfg,
2128 .get_proposal = _get_proposal,
2129 .set_proposal = _set_proposal,
2130 .get_id = _get_id,
2131 .get_my_host = _get_my_host,
2132 .set_my_host = _set_my_host,
2133 .get_other_host = _get_other_host,
2134 .set_other_host = _set_other_host,
2135 .set_message_id = _set_message_id,
2136 .float_ports = _float_ports,
2137 .update_hosts = _update_hosts,
2138 .get_my_id = _get_my_id,
2139 .set_my_id = _set_my_id,
2140 .get_other_id = _get_other_id,
2141 .set_other_id = _set_other_id,
2142 .get_other_eap_id = _get_other_eap_id,
2143 .enable_extension = _enable_extension,
2144 .supports_extension = _supports_extension,
2145 .set_condition = _set_condition,
2146 .has_condition = _has_condition,
2147 .set_pending_updates = _set_pending_updates,
2148 .get_pending_updates = _get_pending_updates,
2149 .create_additional_address_enumerator = _create_additional_address_enumerator,
2150 .add_additional_address = _add_additional_address,
2151 .remove_additional_addresses = _remove_additional_addresses,
2152 .has_mapping_changed = _has_mapping_changed,
2153 .retransmit = _retransmit,
2154 .delete = _delete_,
2155 .destroy = _destroy,
2156 .send_dpd = _send_dpd,
2157 .send_keepalive = _send_keepalive,
2158 .get_keymat = _get_keymat,
2159 .add_child_sa = _add_child_sa,
2160 .get_child_sa = _get_child_sa,
2161 .get_child_count = _get_child_count,
2162 .create_child_sa_enumerator = _create_child_sa_enumerator,
2163 .remove_child_sa = _remove_child_sa,
2164 .rekey_child_sa = _rekey_child_sa,
2165 .delete_child_sa = _delete_child_sa,
2166 .destroy_child_sa = _destroy_child_sa,
2167 .rekey = _rekey,
2168 .reauth = _reauth,
2169 .reestablish = _reestablish,
2170 .set_auth_lifetime = _set_auth_lifetime,
2171 .roam = _roam,
2172 .inherit = _inherit,
2173 .generate_message = _generate_message,
2174 .reset = _reset,
2175 .get_unique_id = _get_unique_id,
2176 .set_virtual_ip = _set_virtual_ip,
2177 .get_virtual_ip = _get_virtual_ip,
2178 .add_configuration_attribute = _add_configuration_attribute,
2179 .set_kmaddress = _set_kmaddress,
2180 .create_task_enumerator = _create_task_enumerator,
2181 #ifdef ME
2182 .act_as_mediation_server = _act_as_mediation_server,
2183 .get_server_reflexive_host = _get_server_reflexive_host,
2184 .set_server_reflexive_host = _set_server_reflexive_host,
2185 .get_connect_id = _get_connect_id,
2186 .initiate_mediation = _initiate_mediation,
2187 .initiate_mediated = _initiate_mediated,
2188 .relay = _relay,
2189 .callback = _callback,
2190 .respond = _respond,
2191 #endif /* ME */
2192 },
2193 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2194 .child_sas = linked_list_create(),
2195 .my_host = host_create_any(AF_INET),
2196 .other_host = host_create_any(AF_INET),
2197 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2198 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2199 .state = IKE_CREATED,
2200 .stats[STAT_INBOUND] = time_monotonic(NULL),
2201 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2202 .my_auth = auth_cfg_create(),
2203 .other_auth = auth_cfg_create(),
2204 .my_auths = linked_list_create(),
2205 .other_auths = linked_list_create(),
2206 .unique_id = ++unique_id,
2207 .additional_addresses = linked_list_create(),
2208 .attributes = linked_list_create(),
2209 .keepalive_interval = lib->settings->get_time(lib->settings,
2210 "charon.keep_alive", KEEPALIVE_INTERVAL),
2211 );
2212 this->keymat = &(keymat_v2_create(ike_sa_id->is_initiator(ike_sa_id))->keymat);
2213 this->task_manager = &(task_manager_v2_create(&this->public)->task_manager);
2214 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2215
2216 return &this->public;
2217 }