projects / strongswan.git / blob
? search:


fbe125987279519d0605d012bc171bc6589bdc9e
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2011 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 #include <string.h>
20 #include <sys/stat.h>
21 #include <errno.h>
22 #include <time.h>
23
24 #include "ike_sa.h"
25
26 #include <library.h>
27 #include <hydra.h>
28 #include <daemon.h>
29 #include <utils/linked_list.h>
30 #include <utils/lexparser.h>
31 #include <processing/jobs/retransmit_job.h>
32 #include <processing/jobs/delete_ike_sa_job.h>
33 #include <processing/jobs/send_dpd_job.h>
34 #include <processing/jobs/send_keepalive_job.h>
35 #include <processing/jobs/rekey_ike_sa_job.h>
36
37 #ifdef ME
38 #include <sa/ikev2/tasks/ike_me.h>
39 #include <processing/jobs/initiate_mediation_job.h>
40 #endif
41
42 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
43 "CREATED",
44 "CONNECTING",
45 "ESTABLISHED",
46 "PASSIVE",
47 "REKEYING",
48 "DELETING",
49 "DESTROYING",
50 );
51
52 typedef struct private_ike_sa_t private_ike_sa_t;
53 typedef struct attribute_entry_t attribute_entry_t;
54
55 /**
56 * Private data of an ike_sa_t object.
57 */
58 struct private_ike_sa_t {
59
60 /**
61 * Public members
62 */
63 ike_sa_t public;
64
65 /**
66 * Identifier for the current IKE_SA.
67 */
68 ike_sa_id_t *ike_sa_id;
69
70 /**
71 * IKE version of this SA.
72 */
73 ike_version_t version;
74
75 /**
76 * unique numerical ID for this IKE_SA.
77 */
78 u_int32_t unique_id;
79
80 /**
81 * Current state of the IKE_SA
82 */
83 ike_sa_state_t state;
84
85 /**
86 * IKE configuration used to set up this IKE_SA
87 */
88 ike_cfg_t *ike_cfg;
89
90 /**
91 * Peer and authentication information to establish IKE_SA.
92 */
93 peer_cfg_t *peer_cfg;
94
95 /**
96 * currently used authentication ruleset, local (as auth_cfg_t)
97 */
98 auth_cfg_t *my_auth;
99
100 /**
101 * list of completed local authentication rounds
102 */
103 linked_list_t *my_auths;
104
105 /**
106 * list of completed remote authentication rounds
107 */
108 linked_list_t *other_auths;
109
110 /**
111 * currently used authentication constraints, remote (as auth_cfg_t)
112 */
113 auth_cfg_t *other_auth;
114
115 /**
116 * Selected IKE proposal
117 */
118 proposal_t *proposal;
119
120 /**
121 * Juggles tasks to process messages
122 */
123 task_manager_t *task_manager;
124
125 /**
126 * Address of local host
127 */
128 host_t *my_host;
129
130 /**
131 * Address of remote host
132 */
133 host_t *other_host;
134
135 #ifdef ME
136 /**
137 * Are we mediation server
138 */
139 bool is_mediation_server;
140
141 /**
142 * Server reflexive host
143 */
144 host_t *server_reflexive_host;
145
146 /**
147 * Connect ID
148 */
149 chunk_t connect_id;
150 #endif /* ME */
151
152 /**
153 * Identification used for us
154 */
155 identification_t *my_id;
156
157 /**
158 * Identification used for other
159 */
160 identification_t *other_id;
161
162 /**
163 * set of extensions the peer supports
164 */
165 ike_extension_t extensions;
166
167 /**
168 * set of condition flags currently enabled for this IKE_SA
169 */
170 ike_condition_t conditions;
171
172 /**
173 * Linked List containing the child sa's of the current IKE_SA.
174 */
175 linked_list_t *child_sas;
176
177 /**
178 * keymat of this IKE_SA
179 */
180 keymat_t *keymat;
181
182 /**
183 * Virtual IP on local host, if any
184 */
185 host_t *my_virtual_ip;
186
187 /**
188 * Virtual IP on remote host, if any
189 */
190 host_t *other_virtual_ip;
191
192 /**
193 * List of configuration attributes (attribute_entry_t)
194 */
195 linked_list_t *attributes;
196
197 /**
198 * list of peers additional addresses, transmitted via MOBIKE
199 */
200 linked_list_t *additional_addresses;
201
202 /**
203 * previously value of received DESTINATION_IP hash
204 */
205 chunk_t nat_detection_dest;
206
207 /**
208 * number pending UPDATE_SA_ADDRESS (MOBIKE)
209 */
210 u_int32_t pending_updates;
211
212 /**
213 * NAT keep alive interval
214 */
215 u_int32_t keepalive_interval;
216
217 /**
218 * Timestamps for this IKE_SA
219 */
220 u_int32_t stats[STAT_MAX];
221
222 /**
223 * how many times we have retried so far (keyingtries)
224 */
225 u_int32_t keyingtry;
226
227 /**
228 * local host address to be used for IKE, set via MIGRATE kernel message
229 */
230 host_t *local_host;
231
232 /**
233 * remote host address to be used for IKE, set via MIGRATE kernel message
234 */
235 host_t *remote_host;
236
237 /**
238 * Flush auth configs once established?
239 */
240 bool flush_auth_cfg;
241 };
242
243 /**
244 * Entry to maintain install configuration attributes during IKE_SA lifetime
245 */
246 struct attribute_entry_t {
247 /** handler used to install this attribute */
248 attribute_handler_t *handler;
249 /** attribute type */
250 configuration_attribute_type_t type;
251 /** attribute data */
252 chunk_t data;
253 };
254
255 /**
256 * get the time of the latest traffic processed by the kernel
257 */
258 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
259 {
260 enumerator_t *enumerator;
261 child_sa_t *child_sa;
262 time_t use_time, current;
263
264 if (inbound)
265 {
266 use_time = this->stats[STAT_INBOUND];
267 }
268 else
269 {
270 use_time = this->stats[STAT_OUTBOUND];
271 }
272 enumerator = this->child_sas->create_enumerator(this->child_sas);
273 while (enumerator->enumerate(enumerator, &child_sa))
274 {
275 child_sa->get_usestats(child_sa, inbound, &current, NULL);
276 use_time = max(use_time, current);
277 }
278 enumerator->destroy(enumerator);
279
280 return use_time;
281 }
282
283 METHOD(ike_sa_t, get_unique_id, u_int32_t,
284 private_ike_sa_t *this)
285 {
286 return this->unique_id;
287 }
288
289 METHOD(ike_sa_t, get_name, char*,
290 private_ike_sa_t *this)
291 {
292 if (this->peer_cfg)
293 {
294 return this->peer_cfg->get_name(this->peer_cfg);
295 }
296 return "(unnamed)";
297 }
298
299 METHOD(ike_sa_t, get_statistic, u_int32_t,
300 private_ike_sa_t *this, statistic_t kind)
301 {
302 if (kind < STAT_MAX)
303 {
304 return this->stats[kind];
305 }
306 return 0;
307 }
308
309 METHOD(ike_sa_t, set_statistic, void,
310 private_ike_sa_t *this, statistic_t kind, u_int32_t value)
311 {
312 if (kind < STAT_MAX)
313 {
314 this->stats[kind] = value;
315 }
316 }
317
318 METHOD(ike_sa_t, get_my_host, host_t*,
319 private_ike_sa_t *this)
320 {
321 return this->my_host;
322 }
323
324 METHOD(ike_sa_t, set_my_host, void,
325 private_ike_sa_t *this, host_t *me)
326 {
327 DESTROY_IF(this->my_host);
328 this->my_host = me;
329 }
330
331 METHOD(ike_sa_t, get_other_host, host_t*,
332 private_ike_sa_t *this)
333 {
334 return this->other_host;
335 }
336
337 METHOD(ike_sa_t, set_other_host, void,
338 private_ike_sa_t *this, host_t *other)
339 {
340 DESTROY_IF(this->other_host);
341 this->other_host = other;
342 }
343
344 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
345 private_ike_sa_t *this)
346 {
347 return this->peer_cfg;
348 }
349
350 METHOD(ike_sa_t, set_peer_cfg, void,
351 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
352 {
353 peer_cfg->get_ref(peer_cfg);
354 DESTROY_IF(this->peer_cfg);
355 this->peer_cfg = peer_cfg;
356
357 if (this->ike_cfg == NULL)
358 {
359 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
360 this->ike_cfg->get_ref(this->ike_cfg);
361 }
362 }
363
364 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
365 private_ike_sa_t *this, bool local)
366 {
367 if (local)
368 {
369 return this->my_auth;
370 }
371 return this->other_auth;
372 }
373
374 METHOD(ike_sa_t, add_auth_cfg, void,
375 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
376 {
377 if (local)
378 {
379 this->my_auths->insert_last(this->my_auths, cfg);
380 }
381 else
382 {
383 this->other_auths->insert_last(this->other_auths, cfg);
384 }
385 }
386
387 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
388 private_ike_sa_t *this, bool local)
389 {
390 if (local)
391 {
392 return this->my_auths->create_enumerator(this->my_auths);
393 }
394 return this->other_auths->create_enumerator(this->other_auths);
395 }
396
397 /**
398 * Flush the stored authentication round information
399 */
400 static void flush_auth_cfgs(private_ike_sa_t *this)
401 {
402 auth_cfg_t *cfg;
403
404 this->my_auth->purge(this->my_auth, FALSE);
405 this->other_auth->purge(this->other_auth, FALSE);
406
407 while (this->my_auths->remove_last(this->my_auths,
408 (void**)&cfg) == SUCCESS)
409 {
410 cfg->destroy(cfg);
411 }
412 while (this->other_auths->remove_last(this->other_auths,
413 (void**)&cfg) == SUCCESS)
414 {
415 cfg->destroy(cfg);
416 }
417 }
418
419 METHOD(ike_sa_t, get_proposal, proposal_t*,
420 private_ike_sa_t *this)
421 {
422 return this->proposal;
423 }
424
425 METHOD(ike_sa_t, set_proposal, void,
426 private_ike_sa_t *this, proposal_t *proposal)
427 {
428 DESTROY_IF(this->proposal);
429 this->proposal = proposal->clone(proposal);
430 }
431
432 METHOD(ike_sa_t, set_message_id, void,
433 private_ike_sa_t *this, bool initiate, u_int32_t mid)
434 {
435 if (initiate)
436 {
437 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
438 }
439 else
440 {
441 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
442 }
443 }
444
445 METHOD(ike_sa_t, send_keepalive, void,
446 private_ike_sa_t *this)
447 {
448 send_keepalive_job_t *job;
449 time_t last_out, now, diff;
450
451 if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
452 { /* disable keep alives if we are not NATed anymore */
453 return;
454 }
455
456 last_out = get_use_time(this, FALSE);
457 now = time_monotonic(NULL);
458
459 diff = now - last_out;
460
461 if (diff >= this->keepalive_interval)
462 {
463 packet_t *packet;
464 chunk_t data;
465
466 packet = packet_create();
467 packet->set_source(packet, this->my_host->clone(this->my_host));
468 packet->set_destination(packet, this->other_host->clone(this->other_host));
469 data.ptr = malloc(1);
470 data.ptr[0] = 0xFF;
471 data.len = 1;
472 packet->set_data(packet, data);
473 DBG1(DBG_IKE, "sending keep alive");
474 charon->sender->send(charon->sender, packet);
475 diff = 0;
476 }
477 job = send_keepalive_job_create(this->ike_sa_id);
478 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
479 this->keepalive_interval - diff);
480 }
481
482 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
483 private_ike_sa_t *this)
484 {
485 return this->ike_cfg;
486 }
487
488 METHOD(ike_sa_t, set_ike_cfg, void,
489 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
490 {
491 ike_cfg->get_ref(ike_cfg);
492 this->ike_cfg = ike_cfg;
493 }
494
495 METHOD(ike_sa_t, enable_extension, void,
496 private_ike_sa_t *this, ike_extension_t extension)
497 {
498 this->extensions |= extension;
499 }
500
501 METHOD(ike_sa_t, supports_extension, bool,
502 private_ike_sa_t *this, ike_extension_t extension)
503 {
504 return (this->extensions & extension) != FALSE;
505 }
506
507 METHOD(ike_sa_t, has_condition, bool,
508 private_ike_sa_t *this, ike_condition_t condition)
509 {
510 return (this->conditions & condition) != FALSE;
511 }
512
513 METHOD(ike_sa_t, set_condition, void,
514 private_ike_sa_t *this, ike_condition_t condition, bool enable)
515 {
516 if (has_condition(this, condition) != enable)
517 {
518 if (enable)
519 {
520 this->conditions |= condition;
521 switch (condition)
522 {
523 case COND_NAT_HERE:
524 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
525 this->conditions |= COND_NAT_ANY;
526 send_keepalive(this);
527 break;
528 case COND_NAT_THERE:
529 DBG1(DBG_IKE, "remote host is behind NAT");
530 this->conditions |= COND_NAT_ANY;
531 break;
532 case COND_NAT_FAKE:
533 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
534 this->conditions |= COND_NAT_ANY;
535 break;
536 default:
537 break;
538 }
539 }
540 else
541 {
542 this->conditions &= ~condition;
543 switch (condition)
544 {
545 case COND_NAT_HERE:
546 case COND_NAT_FAKE:
547 case COND_NAT_THERE:
548 set_condition(this, COND_NAT_ANY,
549 has_condition(this, COND_NAT_HERE) ||
550 has_condition(this, COND_NAT_THERE) ||
551 has_condition(this, COND_NAT_FAKE));
552 break;
553 default:
554 break;
555 }
556 }
557 }
558 }
559
560 METHOD(ike_sa_t, send_dpd, status_t,
561 private_ike_sa_t *this)
562 {
563 job_t *job;
564 time_t diff, delay;
565
566 if (this->state == IKE_PASSIVE)
567 {
568 return INVALID_STATE;
569 }
570 delay = this->peer_cfg->get_dpd(this->peer_cfg);
571 if (this->task_manager->busy(this->task_manager))
572 {
573 /* an exchange is in the air, no need to start a DPD check */
574 diff = 0;
575 }
576 else
577 {
578 /* check if there was any inbound traffic */
579 time_t last_in, now;
580 last_in = get_use_time(this, TRUE);
581 now = time_monotonic(NULL);
582 diff = now - last_in;
583 if (!delay || diff >= delay)
584 {
585 /* to long ago, initiate dead peer detection */
586 DBG1(DBG_IKE, "sending DPD request");
587 this->task_manager->queue_dpd(this->task_manager);
588 diff = 0;
589 }
590 }
591 /* recheck in "interval" seconds */
592 if (delay)
593 {
594 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
595 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
596 }
597 return this->task_manager->initiate(this->task_manager);
598 }
599
600 METHOD(ike_sa_t, get_state, ike_sa_state_t,
601 private_ike_sa_t *this)
602 {
603 return this->state;
604 }
605
606 METHOD(ike_sa_t, set_state, void,
607 private_ike_sa_t *this, ike_sa_state_t state)
608 {
609 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
610 get_name(this), this->unique_id,
611 ike_sa_state_names, this->state,
612 ike_sa_state_names, state);
613
614 switch (state)
615 {
616 case IKE_ESTABLISHED:
617 {
618 if (this->state == IKE_CONNECTING ||
619 this->state == IKE_PASSIVE)
620 {
621 job_t *job;
622 u_int32_t t;
623
624 /* calculate rekey, reauth and lifetime */
625 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
626
627 /* schedule rekeying if we have a time which is smaller than
628 * an already scheduled rekeying */
629 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
630 if (t && (this->stats[STAT_REKEY] == 0 ||
631 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
632 {
633 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
634 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
635 lib->scheduler->schedule_job(lib->scheduler, job, t);
636 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
637 }
638 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
639 if (t && (this->stats[STAT_REAUTH] == 0 ||
640 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
641 {
642 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
643 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
644 lib->scheduler->schedule_job(lib->scheduler, job, t);
645 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
646 }
647 t = this->peer_cfg->get_over_time(this->peer_cfg);
648 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
649 {
650 if (this->stats[STAT_REAUTH] == 0)
651 {
652 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
653 }
654 else if (this->stats[STAT_REKEY] == 0)
655 {
656 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
657 }
658 else
659 {
660 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
661 this->stats[STAT_REAUTH]);
662 }
663 this->stats[STAT_DELETE] += t;
664 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
665 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
666 lib->scheduler->schedule_job(lib->scheduler, job, t);
667 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
668 }
669
670 /* start DPD checks */
671 if (this->peer_cfg->get_dpd(this->peer_cfg))
672 {
673 send_dpd(this);
674 }
675 }
676 break;
677 }
678 case IKE_DELETING:
679 {
680 /* delete may fail if a packet gets lost, so set a timeout */
681 job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
682 lib->scheduler->schedule_job(lib->scheduler, job,
683 HALF_OPEN_IKE_SA_TIMEOUT);
684 break;
685 }
686 default:
687 break;
688 }
689 charon->bus->ike_state_change(charon->bus, &this->public, state);
690 this->state = state;
691 }
692
693 METHOD(ike_sa_t, reset, void,
694 private_ike_sa_t *this)
695 {
696 /* the responder ID is reset, as peer may choose another one */
697 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
698 {
699 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
700 }
701
702 set_state(this, IKE_CREATED);
703
704 flush_auth_cfgs(this);
705
706 this->keymat->destroy(this->keymat);
707 this->keymat = keymat_create(this->version,
708 this->ike_sa_id->is_initiator(this->ike_sa_id));
709
710 this->task_manager->reset(this->task_manager, 0, 0);
711 }
712
713 METHOD(ike_sa_t, get_keymat, keymat_t*,
714 private_ike_sa_t *this)
715 {
716 return this->keymat;
717 }
718
719 METHOD(ike_sa_t, set_virtual_ip, void,
720 private_ike_sa_t *this, bool local, host_t *ip)
721 {
722 if (local)
723 {
724 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
725 if (hydra->kernel_interface->add_ip(hydra->kernel_interface, ip,
726 this->my_host) == SUCCESS)
727 {
728 if (this->my_virtual_ip)
729 {
730 DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
731 hydra->kernel_interface->del_ip(hydra->kernel_interface,
732 this->my_virtual_ip);
733 }
734 DESTROY_IF(this->my_virtual_ip);
735 this->my_virtual_ip = ip->clone(ip);
736 }
737 else
738 {
739 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
740 this->my_virtual_ip = NULL;
741 }
742 }
743 else
744 {
745 DESTROY_IF(this->other_virtual_ip);
746 this->other_virtual_ip = ip->clone(ip);
747 }
748 }
749
750 METHOD(ike_sa_t, get_virtual_ip, host_t*,
751 private_ike_sa_t *this, bool local)
752 {
753 if (local)
754 {
755 return this->my_virtual_ip;
756 }
757 else
758 {
759 return this->other_virtual_ip;
760 }
761 }
762
763 METHOD(ike_sa_t, add_additional_address, void,
764 private_ike_sa_t *this, host_t *host)
765 {
766 this->additional_addresses->insert_last(this->additional_addresses, host);
767 }
768
769 METHOD(ike_sa_t, create_additional_address_enumerator, enumerator_t*,
770 private_ike_sa_t *this)
771 {
772 return this->additional_addresses->create_enumerator(
773 this->additional_addresses);
774 }
775
776 METHOD(ike_sa_t, remove_additional_addresses, void,
777 private_ike_sa_t *this)
778 {
779 enumerator_t *enumerator = create_additional_address_enumerator(this);
780 host_t *host;
781 while (enumerator->enumerate(enumerator, (void**)&host))
782 {
783 this->additional_addresses->remove_at(this->additional_addresses,
784 enumerator);
785 host->destroy(host);
786 }
787 enumerator->destroy(enumerator);
788 }
789
790 METHOD(ike_sa_t, has_mapping_changed, bool,
791 private_ike_sa_t *this, chunk_t hash)
792 {
793 if (this->nat_detection_dest.ptr == NULL)
794 {
795 this->nat_detection_dest = chunk_clone(hash);
796 return FALSE;
797 }
798 if (chunk_equals(hash, this->nat_detection_dest))
799 {
800 return FALSE;
801 }
802 free(this->nat_detection_dest.ptr);
803 this->nat_detection_dest = chunk_clone(hash);
804 return TRUE;
805 }
806
807 METHOD(ike_sa_t, set_pending_updates, void,
808 private_ike_sa_t *this, u_int32_t updates)
809 {
810 this->pending_updates = updates;
811 }
812
813 METHOD(ike_sa_t, get_pending_updates, u_int32_t,
814 private_ike_sa_t *this)
815 {
816 return this->pending_updates;
817 }
818
819 METHOD(ike_sa_t, float_ports, void,
820 private_ike_sa_t *this)
821 {
822 /* do not switch if we have a custom port from MOBIKE/NAT */
823 if (this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
824 {
825 this->my_host->set_port(this->my_host, IKEV2_NATT_PORT);
826 }
827 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT)
828 {
829 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
830 }
831 }
832
833 METHOD(ike_sa_t, update_hosts, void,
834 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
835 {
836 bool update = FALSE;
837
838 if (me == NULL)
839 {
840 me = this->my_host;
841 }
842 if (other == NULL)
843 {
844 other = this->other_host;
845 }
846
847 /* apply hosts on first received message */
848 if (this->my_host->is_anyaddr(this->my_host) ||
849 this->other_host->is_anyaddr(this->other_host))
850 {
851 set_my_host(this, me->clone(me));
852 set_other_host(this, other->clone(other));
853 update = TRUE;
854 }
855 else
856 {
857 /* update our address in any case */
858 if (!me->equals(me, this->my_host))
859 {
860 set_my_host(this, me->clone(me));
861 update = TRUE;
862 }
863
864 if (!other->equals(other, this->other_host))
865 {
866 /* update others address if we are NOT NATed */
867 if (force || !has_condition(this, COND_NAT_HERE))
868 {
869 set_other_host(this, other->clone(other));
870 update = TRUE;
871 }
872 }
873 }
874
875 /* update all associated CHILD_SAs, if required */
876 if (update)
877 {
878 enumerator_t *enumerator;
879 child_sa_t *child_sa;
880
881 enumerator = this->child_sas->create_enumerator(this->child_sas);
882 while (enumerator->enumerate(enumerator, (void**)&child_sa))
883 {
884 if (child_sa->update(child_sa, this->my_host,
885 this->other_host, this->my_virtual_ip,
886 has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
887 {
888 this->public.rekey_child_sa(&this->public,
889 child_sa->get_protocol(child_sa),
890 child_sa->get_spi(child_sa, TRUE));
891 }
892 }
893 enumerator->destroy(enumerator);
894 }
895 }
896
897 METHOD(ike_sa_t, generate_message, status_t,
898 private_ike_sa_t *this, message_t *message, packet_t **packet)
899 {
900 if (message->is_encoded(message))
901 { /* already done */
902 *packet = message->get_packet(message);
903 return SUCCESS;
904 }
905 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
906 message->set_ike_sa_id(message, this->ike_sa_id);
907 charon->bus->message(charon->bus, message, FALSE);
908 return message->generate(message, this->keymat, packet);
909 }
910
911 METHOD(ike_sa_t, set_kmaddress, void,
912 private_ike_sa_t *this, host_t *local, host_t *remote)
913 {
914 DESTROY_IF(this->local_host);
915 DESTROY_IF(this->remote_host);
916 this->local_host = local->clone(local);
917 this->remote_host = remote->clone(remote);
918 }
919
920 #ifdef ME
921 METHOD(ike_sa_t, act_as_mediation_server, void,
922 private_ike_sa_t *this)
923 {
924 charon->mediation_manager->update_sa_id(charon->mediation_manager,
925 this->other_id, this->ike_sa_id);
926 this->is_mediation_server = TRUE;
927 }
928
929 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
930 private_ike_sa_t *this)
931 {
932 return this->server_reflexive_host;
933 }
934
935 METHOD(ike_sa_t, set_server_reflexive_host, void,
936 private_ike_sa_t *this, host_t *host)
937 {
938 DESTROY_IF(this->server_reflexive_host);
939 this->server_reflexive_host = host;
940 }
941
942 METHOD(ike_sa_t, get_connect_id, chunk_t,
943 private_ike_sa_t *this)
944 {
945 return this->connect_id;
946 }
947
948 METHOD(ike_sa_t, respond, status_t,
949 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
950 {
951 ike_me_t *task = ike_me_create(&this->public, TRUE);
952 task->respond(task, peer_id, connect_id);
953 this->task_manager->queue_task(this->task_manager, (task_t*)task);
954 return this->task_manager->initiate(this->task_manager);
955 }
956
957 METHOD(ike_sa_t, callback, status_t,
958 private_ike_sa_t *this, identification_t *peer_id)
959 {
960 ike_me_t *task = ike_me_create(&this->public, TRUE);
961 task->callback(task, peer_id);
962 this->task_manager->queue_task(this->task_manager, (task_t*)task);
963 return this->task_manager->initiate(this->task_manager);
964 }
965
966 METHOD(ike_sa_t, relay, status_t,
967 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
968 chunk_t connect_key, linked_list_t *endpoints, bool response)
969 {
970 ike_me_t *task = ike_me_create(&this->public, TRUE);
971 task->relay(task, requester, connect_id, connect_key, endpoints, response);
972 this->task_manager->queue_task(this->task_manager, (task_t*)task);
973 return this->task_manager->initiate(this->task_manager);
974 }
975
976 METHOD(ike_sa_t, initiate_mediation, status_t,
977 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
978 {
979 ike_me_t *task = ike_me_create(&this->public, TRUE);
980 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
981 this->task_manager->queue_task(this->task_manager, (task_t*)task);
982 return this->task_manager->initiate(this->task_manager);
983 }
984
985 METHOD(ike_sa_t, initiate_mediated, status_t,
986 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
987 {
988 set_my_host(this, me->clone(me));
989 set_other_host(this, other->clone(other));
990 chunk_free(&this->connect_id);
991 this->connect_id = chunk_clone(connect_id);
992 return this->task_manager->initiate(this->task_manager);
993 }
994 #endif /* ME */
995
996 /**
997 * Resolve DNS host in configuration
998 */
999 static void resolve_hosts(private_ike_sa_t *this)
1000 {
1001 host_t *host;
1002
1003 if (this->remote_host)
1004 {
1005 host = this->remote_host->clone(this->remote_host);
1006 host->set_port(host, IKEV2_UDP_PORT);
1007 }
1008 else
1009 {
1010 host = host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
1011 0, this->ike_cfg->get_other_port(this->ike_cfg));
1012 }
1013 if (host)
1014 {
1015 set_other_host(this, host);
1016 }
1017
1018 if (this->local_host)
1019 {
1020 host = this->local_host->clone(this->local_host);
1021 host->set_port(host, IKEV2_UDP_PORT);
1022 }
1023 else
1024 {
1025 int family = 0;
1026
1027 /* use same address family as for other */
1028 if (!this->other_host->is_anyaddr(this->other_host))
1029 {
1030 family = this->other_host->get_family(this->other_host);
1031 }
1032 host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
1033 family, this->ike_cfg->get_my_port(this->ike_cfg));
1034
1035 if (host && host->is_anyaddr(host) &&
1036 !this->other_host->is_anyaddr(this->other_host))
1037 {
1038 host->destroy(host);
1039 host = hydra->kernel_interface->get_source_addr(
1040 hydra->kernel_interface, this->other_host, NULL);
1041 if (host)
1042 {
1043 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1044 }
1045 else
1046 { /* fallback to address family specific %any(6), if configured */
1047 host = host_create_from_dns(
1048 this->ike_cfg->get_my_addr(this->ike_cfg),
1049 0, this->ike_cfg->get_my_port(this->ike_cfg));
1050 }
1051 }
1052 }
1053 if (host)
1054 {
1055 set_my_host(this, host);
1056 }
1057 }
1058
1059 METHOD(ike_sa_t, initiate, status_t,
1060 private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid,
1061 traffic_selector_t *tsi, traffic_selector_t *tsr)
1062 {
1063 if (this->state == IKE_CREATED)
1064 {
1065 resolve_hosts(this);
1066
1067 if (this->other_host->is_anyaddr(this->other_host)
1068 #ifdef ME
1069 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1070 #endif /* ME */
1071 )
1072 {
1073 DESTROY_IF(child_cfg);
1074 DBG1(DBG_IKE, "unable to initiate to %%any");
1075 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1076 return DESTROY_ME;
1077 }
1078
1079 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1080 this->task_manager->queue_ike(this->task_manager);
1081 }
1082
1083 #ifdef ME
1084 if (this->peer_cfg->is_mediation(this->peer_cfg))
1085 {
1086 if (this->state == IKE_ESTABLISHED)
1087 {
1088 /* mediation connection is already established, retrigger state
1089 * change to notify bus listeners */
1090 DBG1(DBG_IKE, "mediation connection is already up");
1091 set_state(this, IKE_ESTABLISHED);
1092 }
1093 DESTROY_IF(child_cfg);
1094 }
1095 else
1096 #endif /* ME */
1097 if (child_cfg)
1098 {
1099 /* normal IKE_SA with CHILD_SA */
1100 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1101 tsi, tsr);
1102 #ifdef ME
1103 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1104 {
1105 /* mediated connection, initiate mediation process */
1106 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1107 lib->processor->queue_job(lib->processor, job);
1108 return SUCCESS;
1109 }
1110 #endif /* ME */
1111 }
1112
1113 return this->task_manager->initiate(this->task_manager);
1114 }
1115
1116 METHOD(ike_sa_t, process_message, status_t,
1117 private_ike_sa_t *this, message_t *message)
1118 {
1119 status_t status;
1120
1121 if (this->state == IKE_PASSIVE)
1122 { /* do not handle messages in passive state */
1123 return FAILED;
1124 }
1125 if (message->get_major_version(message) != this->version)
1126 {
1127 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1128 exchange_type_names, message->get_exchange_type(message),
1129 message->get_major_version(message),
1130 ike_version_names, this->version);
1131 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1132 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1133 return FAILED;
1134 }
1135 status = this->task_manager->process_message(this->task_manager, message);
1136 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1137 {
1138 /* authentication completed */
1139 this->flush_auth_cfg = FALSE;
1140 flush_auth_cfgs(this);
1141 }
1142 return status;
1143 }
1144
1145 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1146 private_ike_sa_t *this)
1147 {
1148 return this->ike_sa_id;
1149 }
1150
1151 METHOD(ike_sa_t, get_version, ike_version_t,
1152 private_ike_sa_t *this)
1153 {
1154 return this->version;
1155 }
1156
1157 METHOD(ike_sa_t, get_my_id, identification_t*,
1158 private_ike_sa_t *this)
1159 {
1160 return this->my_id;
1161 }
1162
1163 METHOD(ike_sa_t, set_my_id, void,
1164 private_ike_sa_t *this, identification_t *me)
1165 {
1166 DESTROY_IF(this->my_id);
1167 this->my_id = me;
1168 }
1169
1170 METHOD(ike_sa_t, get_other_id, identification_t*,
1171 private_ike_sa_t *this)
1172 {
1173 return this->other_id;
1174 }
1175
1176 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1177 private_ike_sa_t *this)
1178 {
1179 identification_t *id = NULL, *current;
1180 enumerator_t *enumerator;
1181 auth_cfg_t *cfg;
1182
1183 enumerator = this->other_auths->create_enumerator(this->other_auths);
1184 while (enumerator->enumerate(enumerator, &cfg))
1185 {
1186 /* prefer EAP-Identity of last round */
1187 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1188 if (!current || current->get_type(current) == ID_ANY)
1189 {
1190 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1191 }
1192 if (!current || current->get_type(current) == ID_ANY)
1193 {
1194 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1195 }
1196 if (current && current->get_type(current) != ID_ANY)
1197 {
1198 id = current;
1199 continue;
1200 }
1201 }
1202 enumerator->destroy(enumerator);
1203 if (id)
1204 {
1205 return id;
1206 }
1207 return this->other_id;
1208 }
1209
1210 METHOD(ike_sa_t, set_other_id, void,
1211 private_ike_sa_t *this, identification_t *other)
1212 {
1213 DESTROY_IF(this->other_id);
1214 this->other_id = other;
1215 }
1216
1217 METHOD(ike_sa_t, add_child_sa, void,
1218 private_ike_sa_t *this, child_sa_t *child_sa)
1219 {
1220 this->child_sas->insert_last(this->child_sas, child_sa);
1221 }
1222
1223 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1224 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound)
1225 {
1226 enumerator_t *enumerator;
1227 child_sa_t *current, *found = NULL;
1228
1229 enumerator = this->child_sas->create_enumerator(this->child_sas);
1230 while (enumerator->enumerate(enumerator, (void**)&current))
1231 {
1232 if (current->get_spi(current, inbound) == spi &&
1233 current->get_protocol(current) == protocol)
1234 {
1235 found = current;
1236 }
1237 }
1238 enumerator->destroy(enumerator);
1239 return found;
1240 }
1241
1242 METHOD(ike_sa_t, get_child_count, int,
1243 private_ike_sa_t *this)
1244 {
1245 return this->child_sas->get_count(this->child_sas);
1246 }
1247
1248 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1249 private_ike_sa_t *this)
1250 {
1251 return this->child_sas->create_enumerator(this->child_sas);
1252 }
1253
1254 METHOD(ike_sa_t, remove_child_sa, void,
1255 private_ike_sa_t *this, enumerator_t *enumerator)
1256 {
1257 this->child_sas->remove_at(this->child_sas, enumerator);
1258 }
1259
1260 METHOD(ike_sa_t, rekey_child_sa, status_t,
1261 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1262 {
1263 if (this->state == IKE_PASSIVE)
1264 {
1265 return INVALID_STATE;
1266 }
1267 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1268 return this->task_manager->initiate(this->task_manager);
1269 }
1270
1271 METHOD(ike_sa_t, delete_child_sa, status_t,
1272 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool expired)
1273 {
1274 if (this->state == IKE_PASSIVE)
1275 {
1276 return INVALID_STATE;
1277 }
1278 this->task_manager->queue_child_delete(this->task_manager,
1279 protocol, spi, expired);
1280 return this->task_manager->initiate(this->task_manager);
1281 }
1282
1283 METHOD(ike_sa_t, destroy_child_sa, status_t,
1284 private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
1285 {
1286 enumerator_t *enumerator;
1287 child_sa_t *child_sa;
1288 status_t status = NOT_FOUND;
1289
1290 enumerator = this->child_sas->create_enumerator(this->child_sas);
1291 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1292 {
1293 if (child_sa->get_protocol(child_sa) == protocol &&
1294 child_sa->get_spi(child_sa, TRUE) == spi)
1295 {
1296 this->child_sas->remove_at(this->child_sas, enumerator);
1297 child_sa->destroy(child_sa);
1298 status = SUCCESS;
1299 break;
1300 }
1301 }
1302 enumerator->destroy(enumerator);
1303 return status;
1304 }
1305
1306 METHOD(ike_sa_t, delete_, status_t,
1307 private_ike_sa_t *this)
1308 {
1309 switch (this->state)
1310 {
1311 case IKE_REKEYING:
1312 if (this->version == IKEV1)
1313 { /* SA has been reauthenticated, delete */
1314 break;
1315 }
1316 /* FALL */
1317 case IKE_ESTABLISHED:
1318 this->task_manager->queue_ike_delete(this->task_manager);
1319 return this->task_manager->initiate(this->task_manager);
1320 case IKE_CREATED:
1321 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1322 break;
1323 case IKE_PASSIVE:
1324 break;
1325 default:
1326 DBG1(DBG_IKE, "destroying IKE_SA in state %N "
1327 "without notification", ike_sa_state_names, this->state);
1328 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1329 break;
1330 }
1331 return DESTROY_ME;
1332 }
1333
1334 METHOD(ike_sa_t, rekey, status_t,
1335 private_ike_sa_t *this)
1336 {
1337 if (this->state == IKE_PASSIVE)
1338 {
1339 return INVALID_STATE;
1340 }
1341 this->task_manager->queue_ike_rekey(this->task_manager);
1342 return this->task_manager->initiate(this->task_manager);
1343 }
1344
1345 METHOD(ike_sa_t, reauth, status_t,
1346 private_ike_sa_t *this)
1347 {
1348 if (this->state == IKE_PASSIVE)
1349 {
1350 return INVALID_STATE;
1351 }
1352 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1353 * If the peer does not support RFC4478, there is no way to keep the
1354 * IKE_SA up. */
1355 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1356 {
1357 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1358 if (this->other_virtual_ip != NULL ||
1359 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1360 has_condition(this, COND_EAP_AUTHENTICATED)
1361 #ifdef ME
1362 /* as mediation server we too cannot reauth the IKE_SA */
1363 || this->is_mediation_server
1364 #endif /* ME */
1365 )
1366 {
1367 time_t now = time_monotonic(NULL);
1368
1369 DBG1(DBG_IKE, "IKE_SA will timeout in %V",
1370 &now, &this->stats[STAT_DELETE]);
1371 return FAILED;
1372 }
1373 else
1374 {
1375 DBG1(DBG_IKE, "reauthenticating actively");
1376 }
1377 }
1378 this->task_manager->queue_ike_reauth(this->task_manager);
1379 return this->task_manager->initiate(this->task_manager);
1380 }
1381
1382 METHOD(ike_sa_t, reestablish, status_t,
1383 private_ike_sa_t *this)
1384 {
1385 ike_sa_t *new;
1386 host_t *host;
1387 action_t action;
1388 enumerator_t *enumerator;
1389 child_sa_t *child_sa;
1390 child_cfg_t *child_cfg;
1391 bool restart = FALSE;
1392 status_t status = FAILED;
1393
1394 /* check if we have children to keep up at all */
1395 enumerator = this->child_sas->create_enumerator(this->child_sas);
1396 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1397 {
1398 if (this->state == IKE_DELETING)
1399 {
1400 action = child_sa->get_close_action(child_sa);
1401 }
1402 else
1403 {
1404 action = child_sa->get_dpd_action(child_sa);
1405 }
1406 switch (action)
1407 {
1408 case ACTION_RESTART:
1409 restart = TRUE;
1410 break;
1411 case ACTION_ROUTE:
1412 charon->traps->install(charon->traps, this->peer_cfg,
1413 child_sa->get_config(child_sa));
1414 break;
1415 default:
1416 break;
1417 }
1418 }
1419 enumerator->destroy(enumerator);
1420 #ifdef ME
1421 /* mediation connections have no children, keep them up anyway */
1422 if (this->peer_cfg->is_mediation(this->peer_cfg))
1423 {
1424 restart = TRUE;
1425 }
1426 #endif /* ME */
1427 if (!restart)
1428 {
1429 return FAILED;
1430 }
1431
1432 /* check if we are able to reestablish this IKE_SA */
1433 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
1434 (this->other_virtual_ip != NULL ||
1435 has_condition(this, COND_EAP_AUTHENTICATED)
1436 #ifdef ME
1437 || this->is_mediation_server
1438 #endif /* ME */
1439 ))
1440 {
1441 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
1442 return FAILED;
1443 }
1444
1445 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1446 this->version, TRUE);
1447 if (!new)
1448 {
1449 return FAILED;
1450 }
1451 new->set_peer_cfg(new, this->peer_cfg);
1452 host = this->other_host;
1453 new->set_other_host(new, host->clone(host));
1454 host = this->my_host;
1455 new->set_my_host(new, host->clone(host));
1456 /* if we already have a virtual IP, we reuse it */
1457 host = this->my_virtual_ip;
1458 if (host)
1459 {
1460 new->set_virtual_ip(new, TRUE, host);
1461 }
1462
1463 #ifdef ME
1464 if (this->peer_cfg->is_mediation(this->peer_cfg))
1465 {
1466 status = new->initiate(new, NULL, 0, NULL, NULL);
1467 }
1468 else
1469 #endif /* ME */
1470 {
1471 enumerator = this->child_sas->create_enumerator(this->child_sas);
1472 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1473 {
1474 if (this->state == IKE_DELETING)
1475 {
1476 action = child_sa->get_close_action(child_sa);
1477 }
1478 else
1479 {
1480 action = child_sa->get_dpd_action(child_sa);
1481 }
1482 switch (action)
1483 {
1484 case ACTION_RESTART:
1485 child_cfg = child_sa->get_config(child_sa);
1486 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1487 child_cfg->get_name(child_cfg));
1488 child_cfg->get_ref(child_cfg);
1489 status = new->initiate(new, child_cfg, 0, NULL, NULL);
1490 break;
1491 default:
1492 continue;
1493 }
1494 if (status == DESTROY_ME)
1495 {
1496 break;
1497 }
1498 }
1499 enumerator->destroy(enumerator);
1500 }
1501
1502 if (status == DESTROY_ME)
1503 {
1504 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1505 status = FAILED;
1506 }
1507 else
1508 {
1509 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1510 status = SUCCESS;
1511 }
1512 charon->bus->set_sa(charon->bus, &this->public);
1513 return status;
1514 }
1515
1516 METHOD(ike_sa_t, retransmit, status_t,
1517 private_ike_sa_t *this, u_int32_t message_id)
1518 {
1519 if (this->state == IKE_PASSIVE)
1520 {
1521 return INVALID_STATE;
1522 }
1523 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1524 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
1525 {
1526 /* send a proper signal to brief interested bus listeners */
1527 switch (this->state)
1528 {
1529 case IKE_CONNECTING:
1530 {
1531 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
1532 u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
1533 this->keyingtry++;
1534 if (tries == 0 || tries > this->keyingtry)
1535 {
1536 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
1537 this->keyingtry + 1, tries);
1538 reset(this);
1539 this->task_manager->queue_ike(this->task_manager);
1540 return this->task_manager->initiate(this->task_manager);
1541 }
1542 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
1543 break;
1544 }
1545 case IKE_DELETING:
1546 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
1547 break;
1548 case IKE_REKEYING:
1549 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
1550 /* FALL */
1551 default:
1552 reestablish(this);
1553 break;
1554 }
1555 return DESTROY_ME;
1556 }
1557 return SUCCESS;
1558 }
1559
1560 METHOD(ike_sa_t, set_auth_lifetime, void,
1561 private_ike_sa_t *this, u_int32_t lifetime)
1562 {
1563 u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
1564 u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction;
1565
1566 if (lifetime < reduction)
1567 {
1568 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
1569 lifetime);
1570 lib->processor->queue_job(lib->processor,
1571 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
1572 }
1573 else if (this->stats[STAT_REAUTH] == 0 ||
1574 this->stats[STAT_REAUTH] > reauth_time)
1575 {
1576 this->stats[STAT_REAUTH] = reauth_time;
1577 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
1578 " in %ds", lifetime, lifetime - reduction);
1579 lib->scheduler->schedule_job(lib->scheduler,
1580 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
1581 lifetime - reduction);
1582 }
1583 else
1584 {
1585 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
1586 "reauthentication already scheduled in %ds", lifetime,
1587 this->stats[STAT_REAUTH] - time_monotonic(NULL));
1588 }
1589 }
1590
1591 /**
1592 * Check if the current combination of source and destination address is still
1593 * valid.
1594 */
1595 static bool is_current_path_valid(private_ike_sa_t *this)
1596 {
1597 bool valid = FALSE;
1598 host_t *src;
1599 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1600 this->other_host, this->my_host);
1601 if (src)
1602 {
1603 if (src->ip_equals(src, this->my_host))
1604 {
1605 valid = TRUE;
1606 }
1607 src->destroy(src);
1608 }
1609 return valid;
1610 }
1611
1612 /**
1613 * Check if we have any path avialable for this IKE SA.
1614 */
1615 static bool is_any_path_valid(private_ike_sa_t *this)
1616 {
1617 bool valid = FALSE;
1618 enumerator_t *enumerator;
1619 host_t *src, *addr;
1620 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
1621 src = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
1622 this->other_host, NULL);
1623 if (!src)
1624 {
1625 enumerator = this->additional_addresses->create_enumerator(
1626 this->additional_addresses);
1627 while (enumerator->enumerate(enumerator, &addr))
1628 {
1629 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
1630 src = hydra->kernel_interface->get_source_addr(
1631 hydra->kernel_interface, addr, NULL);
1632 if (src)
1633 {
1634 break;
1635 }
1636 }
1637 enumerator->destroy(enumerator);
1638 }
1639 if (src)
1640 {
1641 valid = TRUE;
1642 src->destroy(src);
1643 }
1644 return valid;
1645 }
1646
1647 METHOD(ike_sa_t, roam, status_t,
1648 private_ike_sa_t *this, bool address)
1649 {
1650 switch (this->state)
1651 {
1652 case IKE_CREATED:
1653 case IKE_DELETING:
1654 case IKE_DESTROYING:
1655 case IKE_PASSIVE:
1656 return SUCCESS;
1657 default:
1658 break;
1659 }
1660
1661 /* keep existing path if possible */
1662 if (is_current_path_valid(this))
1663 {
1664 DBG2(DBG_IKE, "keeping connection path %H - %H",
1665 this->my_host, this->other_host);
1666 set_condition(this, COND_STALE, FALSE);
1667
1668 if (supports_extension(this, EXT_MOBIKE) && address)
1669 { /* if any addresses changed, send an updated list */
1670 DBG1(DBG_IKE, "sending address list update using MOBIKE");
1671 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
1672 return this->task_manager->initiate(this->task_manager);
1673 }
1674 return SUCCESS;
1675 }
1676
1677 if (!is_any_path_valid(this))
1678 {
1679 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
1680 this->other_host);
1681 set_condition(this, COND_STALE, TRUE);
1682 return SUCCESS;
1683 }
1684 set_condition(this, COND_STALE, FALSE);
1685
1686 /* update addresses with mobike, if supported ... */
1687 if (supports_extension(this, EXT_MOBIKE))
1688 {
1689 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1690 { /* responder updates the peer about changed address config */
1691 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
1692 "implicitly requesting an address change");
1693 address = TRUE;
1694 }
1695 else
1696 {
1697 DBG1(DBG_IKE, "requesting address change using MOBIKE");
1698 }
1699 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
1700 return this->task_manager->initiate(this->task_manager);
1701 }
1702
1703 /* ... reauth if not */
1704 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1705 { /* responder does not reauthenticate */
1706 set_condition(this, COND_STALE, TRUE);
1707 return SUCCESS;
1708 }
1709 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
1710 return reauth(this);
1711 }
1712
1713 METHOD(ike_sa_t, add_configuration_attribute, void,
1714 private_ike_sa_t *this, attribute_handler_t *handler,
1715 configuration_attribute_type_t type, chunk_t data)
1716 {
1717 attribute_entry_t *entry = malloc_thing(attribute_entry_t);
1718
1719 entry->handler = handler;
1720 entry->type = type;
1721 entry->data = chunk_clone(data);
1722
1723 this->attributes->insert_last(this->attributes, entry);
1724 }
1725
1726 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
1727 private_ike_sa_t *this, task_queue_t queue)
1728 {
1729 return this->task_manager->create_task_enumerator(this->task_manager, queue);
1730 }
1731
1732 METHOD(ike_sa_t, queue_task, void,
1733 private_ike_sa_t *this, task_t *task)
1734 {
1735 this->task_manager->queue_task(this->task_manager, task);
1736 }
1737
1738 METHOD(ike_sa_t, inherit, void,
1739 private_ike_sa_t *this, ike_sa_t *other_public)
1740 {
1741 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
1742 child_sa_t *child_sa;
1743 attribute_entry_t *entry;
1744 enumerator_t *enumerator;
1745 auth_cfg_t *cfg;
1746
1747 /* apply hosts and ids */
1748 this->my_host->destroy(this->my_host);
1749 this->other_host->destroy(this->other_host);
1750 this->my_id->destroy(this->my_id);
1751 this->other_id->destroy(this->other_id);
1752 this->my_host = other->my_host->clone(other->my_host);
1753 this->other_host = other->other_host->clone(other->other_host);
1754 this->my_id = other->my_id->clone(other->my_id);
1755 this->other_id = other->other_id->clone(other->other_id);
1756
1757 /* apply virtual assigned IPs... */
1758 if (other->my_virtual_ip)
1759 {
1760 this->my_virtual_ip = other->my_virtual_ip;
1761 other->my_virtual_ip = NULL;
1762 }
1763 if (other->other_virtual_ip)
1764 {
1765 this->other_virtual_ip = other->other_virtual_ip;
1766 other->other_virtual_ip = NULL;
1767 }
1768
1769 /* authentication information */
1770 enumerator = other->my_auths->create_enumerator(other->my_auths);
1771 while (enumerator->enumerate(enumerator, &cfg))
1772 {
1773 this->my_auths->insert_last(this->my_auths, cfg->clone(cfg));
1774 }
1775 enumerator->destroy(enumerator);
1776 enumerator = other->other_auths->create_enumerator(other->other_auths);
1777 while (enumerator->enumerate(enumerator, &cfg))
1778 {
1779 this->other_auths->insert_last(this->other_auths, cfg->clone(cfg));
1780 }
1781 enumerator->destroy(enumerator);
1782
1783 /* ... and configuration attributes */
1784 while (other->attributes->remove_last(other->attributes,
1785 (void**)&entry) == SUCCESS)
1786 {
1787 this->attributes->insert_first(this->attributes, entry);
1788 }
1789
1790 /* inherit all conditions */
1791 this->conditions = other->conditions;
1792 if (this->conditions & COND_NAT_HERE)
1793 {
1794 send_keepalive(this);
1795 }
1796
1797 #ifdef ME
1798 if (other->is_mediation_server)
1799 {
1800 act_as_mediation_server(this);
1801 }
1802 else if (other->server_reflexive_host)
1803 {
1804 this->server_reflexive_host = other->server_reflexive_host->clone(
1805 other->server_reflexive_host);
1806 }
1807 #endif /* ME */
1808
1809 /* adopt all children */
1810 while (other->child_sas->remove_last(other->child_sas,
1811 (void**)&child_sa) == SUCCESS)
1812 {
1813 this->child_sas->insert_first(this->child_sas, (void*)child_sa);
1814 }
1815
1816 /* move pending tasks to the new IKE_SA */
1817 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
1818
1819 /* reauthentication timeout survives a rekeying */
1820 if (other->stats[STAT_REAUTH])
1821 {
1822 time_t reauth, delete, now = time_monotonic(NULL);
1823
1824 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
1825 reauth = this->stats[STAT_REAUTH] - now;
1826 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
1827 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
1828 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
1829 "lifetime reduced to %ds", reauth, delete);
1830 lib->scheduler->schedule_job(lib->scheduler,
1831 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
1832 lib->scheduler->schedule_job(lib->scheduler,
1833 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
1834 }
1835 }
1836
1837 METHOD(ike_sa_t, destroy, void,
1838 private_ike_sa_t *this)
1839 {
1840 attribute_entry_t *entry;
1841
1842 charon->bus->set_sa(charon->bus, &this->public);
1843
1844 set_state(this, IKE_DESTROYING);
1845 DESTROY_IF(this->task_manager);
1846
1847 /* remove attributes first, as we pass the IKE_SA to the handler */
1848 while (this->attributes->remove_last(this->attributes,
1849 (void**)&entry) == SUCCESS)
1850 {
1851 hydra->attributes->release(hydra->attributes, entry->handler,
1852 this->other_id, entry->type, entry->data);
1853 free(entry->data.ptr);
1854 free(entry);
1855 }
1856 this->attributes->destroy(this->attributes);
1857
1858 this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
1859
1860 /* unset SA after here to avoid usage by the listeners */
1861 charon->bus->set_sa(charon->bus, NULL);
1862
1863 DESTROY_IF(this->keymat);
1864
1865 if (this->my_virtual_ip)
1866 {
1867 hydra->kernel_interface->del_ip(hydra->kernel_interface,
1868 this->my_virtual_ip);
1869 this->my_virtual_ip->destroy(this->my_virtual_ip);
1870 }
1871 if (this->other_virtual_ip)
1872 {
1873 if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
1874 {
1875 hydra->attributes->release_address(hydra->attributes,
1876 this->peer_cfg->get_pool(this->peer_cfg),
1877 this->other_virtual_ip, get_other_eap_id(this));
1878 }
1879 this->other_virtual_ip->destroy(this->other_virtual_ip);
1880 }
1881 this->additional_addresses->destroy_offset(this->additional_addresses,
1882 offsetof(host_t, destroy));
1883 #ifdef ME
1884 if (this->is_mediation_server)
1885 {
1886 charon->mediation_manager->remove(charon->mediation_manager,
1887 this->ike_sa_id);
1888 }
1889 DESTROY_IF(this->server_reflexive_host);
1890 chunk_free(&this->connect_id);
1891 #endif /* ME */
1892 free(this->nat_detection_dest.ptr);
1893
1894 DESTROY_IF(this->my_host);
1895 DESTROY_IF(this->other_host);
1896 DESTROY_IF(this->my_id);
1897 DESTROY_IF(this->other_id);
1898 DESTROY_IF(this->local_host);
1899 DESTROY_IF(this->remote_host);
1900
1901 DESTROY_IF(this->ike_cfg);
1902 DESTROY_IF(this->peer_cfg);
1903 DESTROY_IF(this->proposal);
1904 this->my_auth->destroy(this->my_auth);
1905 this->other_auth->destroy(this->other_auth);
1906 this->my_auths->destroy_offset(this->my_auths,
1907 offsetof(auth_cfg_t, destroy));
1908 this->other_auths->destroy_offset(this->other_auths,
1909 offsetof(auth_cfg_t, destroy));
1910
1911 this->ike_sa_id->destroy(this->ike_sa_id);
1912 free(this);
1913 }
1914
1915 /*
1916 * Described in header.
1917 */
1918 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1919 ike_version_t version)
1920 {
1921 private_ike_sa_t *this;
1922 static u_int32_t unique_id = 0;
1923
1924 if (version == IKE_ANY)
1925 { /* prefer IKEv2 if protocol not specified */
1926 #ifdef USE_IKEV2
1927 version = IKEV2;
1928 #else
1929 version = IKEV1;
1930 #endif
1931 }
1932
1933 INIT(this,
1934 .public = {
1935 .get_version = _get_version,
1936 .get_state = _get_state,
1937 .set_state = _set_state,
1938 .get_name = _get_name,
1939 .get_statistic = _get_statistic,
1940 .set_statistic = _set_statistic,
1941 .process_message = _process_message,
1942 .initiate = _initiate,
1943 .get_ike_cfg = _get_ike_cfg,
1944 .set_ike_cfg = _set_ike_cfg,
1945 .get_peer_cfg = _get_peer_cfg,
1946 .set_peer_cfg = _set_peer_cfg,
1947 .get_auth_cfg = _get_auth_cfg,
1948 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
1949 .add_auth_cfg = _add_auth_cfg,
1950 .get_proposal = _get_proposal,
1951 .set_proposal = _set_proposal,
1952 .get_id = _get_id,
1953 .get_my_host = _get_my_host,
1954 .set_my_host = _set_my_host,
1955 .get_other_host = _get_other_host,
1956 .set_other_host = _set_other_host,
1957 .set_message_id = _set_message_id,
1958 .float_ports = _float_ports,
1959 .update_hosts = _update_hosts,
1960 .get_my_id = _get_my_id,
1961 .set_my_id = _set_my_id,
1962 .get_other_id = _get_other_id,
1963 .set_other_id = _set_other_id,
1964 .get_other_eap_id = _get_other_eap_id,
1965 .enable_extension = _enable_extension,
1966 .supports_extension = _supports_extension,
1967 .set_condition = _set_condition,
1968 .has_condition = _has_condition,
1969 .set_pending_updates = _set_pending_updates,
1970 .get_pending_updates = _get_pending_updates,
1971 .create_additional_address_enumerator = _create_additional_address_enumerator,
1972 .add_additional_address = _add_additional_address,
1973 .remove_additional_addresses = _remove_additional_addresses,
1974 .has_mapping_changed = _has_mapping_changed,
1975 .retransmit = _retransmit,
1976 .delete = _delete_,
1977 .destroy = _destroy,
1978 .send_dpd = _send_dpd,
1979 .send_keepalive = _send_keepalive,
1980 .get_keymat = _get_keymat,
1981 .add_child_sa = _add_child_sa,
1982 .get_child_sa = _get_child_sa,
1983 .get_child_count = _get_child_count,
1984 .create_child_sa_enumerator = _create_child_sa_enumerator,
1985 .remove_child_sa = _remove_child_sa,
1986 .rekey_child_sa = _rekey_child_sa,
1987 .delete_child_sa = _delete_child_sa,
1988 .destroy_child_sa = _destroy_child_sa,
1989 .rekey = _rekey,
1990 .reauth = _reauth,
1991 .reestablish = _reestablish,
1992 .set_auth_lifetime = _set_auth_lifetime,
1993 .roam = _roam,
1994 .inherit = _inherit,
1995 .generate_message = _generate_message,
1996 .reset = _reset,
1997 .get_unique_id = _get_unique_id,
1998 .set_virtual_ip = _set_virtual_ip,
1999 .get_virtual_ip = _get_virtual_ip,
2000 .add_configuration_attribute = _add_configuration_attribute,
2001 .set_kmaddress = _set_kmaddress,
2002 .create_task_enumerator = _create_task_enumerator,
2003 .queue_task = _queue_task,
2004 #ifdef ME
2005 .act_as_mediation_server = _act_as_mediation_server,
2006 .get_server_reflexive_host = _get_server_reflexive_host,
2007 .set_server_reflexive_host = _set_server_reflexive_host,
2008 .get_connect_id = _get_connect_id,
2009 .initiate_mediation = _initiate_mediation,
2010 .initiate_mediated = _initiate_mediated,
2011 .relay = _relay,
2012 .callback = _callback,
2013 .respond = _respond,
2014 #endif /* ME */
2015 },
2016 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
2017 .version = version,
2018 .child_sas = linked_list_create(),
2019 .my_host = host_create_any(AF_INET),
2020 .other_host = host_create_any(AF_INET),
2021 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2022 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
2023 .keymat = keymat_create(version, initiator),
2024 .state = IKE_CREATED,
2025 .stats[STAT_INBOUND] = time_monotonic(NULL),
2026 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
2027 .my_auth = auth_cfg_create(),
2028 .other_auth = auth_cfg_create(),
2029 .my_auths = linked_list_create(),
2030 .other_auths = linked_list_create(),
2031 .unique_id = ++unique_id,
2032 .additional_addresses = linked_list_create(),
2033 .attributes = linked_list_create(),
2034 .keepalive_interval = lib->settings->get_time(lib->settings,
2035 "charon.keep_alive", KEEPALIVE_INTERVAL),
2036 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
2037 "charon.flush_auth_cfg", FALSE),
2038 );
2039
2040 this->task_manager = task_manager_create(&this->public);
2041 this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
2042
2043 if (!this->task_manager || !this->keymat)
2044 {
2045 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
2046 destroy(this);
2047 return NULL;
2048 }
2049 return &this->public;
2050 }
strongSwan - IPsec VPN