sshkey: Rename variables that conflict with function argument
[strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2019 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
62
63 #ifdef ME
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
66 #endif
67
68 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
69 "CREATED",
70 "CONNECTING",
71 "ESTABLISHED",
72 "PASSIVE",
73 "REKEYING",
74 "REKEYED",
75 "DELETING",
76 "DESTROYING",
77 );
78
79 typedef struct private_ike_sa_t private_ike_sa_t;
80 typedef struct attribute_entry_t attribute_entry_t;
81
82 /**
83 * Private data of an ike_sa_t object.
84 */
85 struct private_ike_sa_t {
86
87 /**
88 * Public members
89 */
90 ike_sa_t public;
91
92 /**
93 * Identifier for the current IKE_SA.
94 */
95 ike_sa_id_t *ike_sa_id;
96
97 /**
98 * IKE version of this SA.
99 */
100 ike_version_t version;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 uint32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * currently used authentication ruleset, local
124 */
125 auth_cfg_t *my_auth;
126
127 /**
128 * currently used authentication constraints, remote
129 */
130 auth_cfg_t *other_auth;
131
132 /**
133 * Array of completed local authentication rounds (as auth_cfg_t)
134 */
135 array_t *my_auths;
136
137 /**
138 * Array of completed remote authentication rounds (as auth_cfg_t)
139 */
140 array_t *other_auths;
141
142 /**
143 * Selected IKE proposal
144 */
145 proposal_t *proposal;
146
147 /**
148 * Juggles tasks to process messages
149 */
150 task_manager_t *task_manager;
151
152 /**
153 * Address of local host
154 */
155 host_t *my_host;
156
157 /**
158 * Address of remote host
159 */
160 host_t *other_host;
161
162 #ifdef ME
163 /**
164 * Are we mediation server
165 */
166 bool is_mediation_server;
167
168 /**
169 * Server reflexive host
170 */
171 host_t *server_reflexive_host;
172
173 /**
174 * Connect ID
175 */
176 chunk_t connect_id;
177 #endif /* ME */
178
179 /**
180 * Identification used for us
181 */
182 identification_t *my_id;
183
184 /**
185 * Identification used for other
186 */
187 identification_t *other_id;
188
189 /**
190 * set of extensions the peer supports
191 */
192 ike_extension_t extensions;
193
194 /**
195 * set of condition flags currently enabled for this IKE_SA
196 */
197 ike_condition_t conditions;
198
199 /**
200 * Array containing the child sa's of the current IKE_SA.
201 */
202 array_t *child_sas;
203
204 /**
205 * keymat of this IKE_SA
206 */
207 keymat_t *keymat;
208
209 /**
210 * Virtual IPs on local host
211 */
212 array_t *my_vips;
213
214 /**
215 * Virtual IPs on remote host
216 */
217 array_t *other_vips;
218
219 /**
220 * List of configuration attributes (attribute_entry_t)
221 */
222 array_t *attributes;
223
224 /**
225 * list of peer's addresses, additional ones transmitted via MOBIKE
226 */
227 array_t *peer_addresses;
228
229 /**
230 * previously value of received DESTINATION_IP hash
231 */
232 chunk_t nat_detection_dest;
233
234 /**
235 * NAT keep alive interval
236 */
237 uint32_t keepalive_interval;
238
239 /**
240 * The schedueld keep alive job, if any
241 */
242 send_keepalive_job_t *keepalive_job;
243
244 /**
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
247 */
248 uint32_t retry_initiate_interval;
249
250 /**
251 * TRUE if a retry_initiate_job has been queued
252 */
253 bool retry_initiate_queued;
254
255 /**
256 * Timestamps for this IKE_SA
257 */
258 uint32_t stats[STAT_MAX];
259
260 /**
261 * how many times we have retried so far (keyingtries)
262 */
263 uint32_t keyingtry;
264
265 /**
266 * local host address to be used for IKE, set via MIGRATE kernel message
267 */
268 host_t *local_host;
269
270 /**
271 * remote host address to be used for IKE, set via MIGRATE kernel message
272 */
273 host_t *remote_host;
274
275 /**
276 * Flush auth configs once established?
277 */
278 bool flush_auth_cfg;
279
280 /**
281 * Maximum length of a single fragment, 0 for address-specific defaults
282 */
283 size_t fragment_size;
284
285 /**
286 * Whether to follow IKEv2 redirects
287 */
288 bool follow_redirects;
289
290 /**
291 * Original gateway address from which we got redirected
292 */
293 host_t *redirected_from;
294
295 /**
296 * Timestamps of redirect attempts to handle loops
297 */
298 array_t *redirected_at;
299
300 /**
301 * Inbound interface ID
302 */
303 uint32_t if_id_in;
304
305 /**
306 * Outbound interface ID
307 */
308 uint32_t if_id_out;
309 };
310
311 /**
312 * Entry to maintain install configuration attributes during IKE_SA lifetime
313 */
314 struct attribute_entry_t {
315 /** handler used to install this attribute */
316 attribute_handler_t *handler;
317 /** attribute type */
318 configuration_attribute_type_t type;
319 /** attribute data */
320 chunk_t data;
321 };
322
323 /**
324 * get the time of the latest traffic processed by the kernel
325 */
326 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
327 {
328 enumerator_t *enumerator;
329 child_sa_t *child_sa;
330 time_t use_time, current;
331
332 if (inbound)
333 {
334 use_time = this->stats[STAT_INBOUND];
335 }
336 else
337 {
338 use_time = this->stats[STAT_OUTBOUND];
339 }
340
341 enumerator = array_create_enumerator(this->child_sas);
342 while (enumerator->enumerate(enumerator, &child_sa))
343 {
344 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
345 use_time = max(use_time, current);
346 }
347 enumerator->destroy(enumerator);
348
349 return use_time;
350 }
351
352 METHOD(ike_sa_t, get_unique_id, uint32_t,
353 private_ike_sa_t *this)
354 {
355 return this->unique_id;
356 }
357
358 METHOD(ike_sa_t, get_name, char*,
359 private_ike_sa_t *this)
360 {
361 if (this->peer_cfg)
362 {
363 return this->peer_cfg->get_name(this->peer_cfg);
364 }
365 return "(unnamed)";
366 }
367
368 METHOD(ike_sa_t, get_statistic, uint32_t,
369 private_ike_sa_t *this, statistic_t kind)
370 {
371 if (kind < STAT_MAX)
372 {
373 return this->stats[kind];
374 }
375 return 0;
376 }
377
378 METHOD(ike_sa_t, set_statistic, void,
379 private_ike_sa_t *this, statistic_t kind, uint32_t value)
380 {
381 if (kind < STAT_MAX)
382 {
383 this->stats[kind] = value;
384 }
385 }
386
387 METHOD(ike_sa_t, get_my_host, host_t*,
388 private_ike_sa_t *this)
389 {
390 return this->my_host;
391 }
392
393 METHOD(ike_sa_t, set_my_host, void,
394 private_ike_sa_t *this, host_t *me)
395 {
396 DESTROY_IF(this->my_host);
397 this->my_host = me;
398 }
399
400 METHOD(ike_sa_t, get_other_host, host_t*,
401 private_ike_sa_t *this)
402 {
403 return this->other_host;
404 }
405
406 METHOD(ike_sa_t, set_other_host, void,
407 private_ike_sa_t *this, host_t *other)
408 {
409 DESTROY_IF(this->other_host);
410 this->other_host = other;
411 }
412
413 METHOD(ike_sa_t, get_redirected_from, host_t*,
414 private_ike_sa_t *this)
415 {
416 return this->redirected_from;
417 }
418
419 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
420 private_ike_sa_t *this)
421 {
422 return this->peer_cfg;
423 }
424
425 METHOD(ike_sa_t, set_peer_cfg, void,
426 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
427 {
428 peer_cfg->get_ref(peer_cfg);
429 DESTROY_IF(this->peer_cfg);
430 this->peer_cfg = peer_cfg;
431
432 if (!this->ike_cfg)
433 {
434 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
435 this->ike_cfg->get_ref(this->ike_cfg);
436 }
437
438 this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE);
439 this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE);
440 allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
441 }
442
443 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
444 private_ike_sa_t *this, bool local)
445 {
446 if (local)
447 {
448 return this->my_auth;
449 }
450 return this->other_auth;
451 }
452
453 METHOD(ike_sa_t, add_auth_cfg, void,
454 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
455 {
456 if (local)
457 {
458 array_insert(this->my_auths, ARRAY_TAIL, cfg);
459 }
460 else
461 {
462 array_insert(this->other_auths, ARRAY_TAIL, cfg);
463 }
464 }
465
466 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
467 private_ike_sa_t *this, bool local)
468 {
469 if (local)
470 {
471 return array_create_enumerator(this->my_auths);
472 }
473 return array_create_enumerator(this->other_auths);
474 }
475
476 /**
477 * Flush the stored authentication round information
478 */
479 static void flush_auth_cfgs(private_ike_sa_t *this)
480 {
481 auth_cfg_t *cfg;
482
483 this->my_auth->purge(this->my_auth, FALSE);
484 this->other_auth->purge(this->other_auth, FALSE);
485
486 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
487 {
488 cfg->destroy(cfg);
489 }
490 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
491 {
492 cfg->destroy(cfg);
493 }
494 }
495
496 METHOD(ike_sa_t, verify_peer_certificate, bool,
497 private_ike_sa_t *this)
498 {
499 enumerator_t *e1, *e2, *certs;
500 auth_cfg_t *cfg, *cfg_done;
501 certificate_t *peer, *cert;
502 public_key_t *key;
503 auth_cfg_t *auth;
504 auth_cfg_wrapper_t *wrapper;
505 time_t not_before, not_after;
506 bool valid = TRUE, found;
507
508 if (this->state != IKE_ESTABLISHED)
509 {
510 DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
511 ike_sa_state_names, this->state);
512 return FALSE;
513 }
514
515 if (!this->flush_auth_cfg &&
516 lib->settings->get_bool(lib->settings,
517 "%s.flush_auth_cfg", FALSE, lib->ns))
518 { /* we can do this check only once if auth configs are flushed */
519 DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
520 "information has been flushed");
521 return FALSE;
522 }
523 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
524 FALSE);
525
526 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
527 e2 = array_create_enumerator(this->other_auths);
528 while (e1->enumerate(e1, &cfg))
529 {
530 if (!e2->enumerate(e2, &cfg_done))
531 { /* this should not happen as the authentication should never have
532 * succeeded */
533 valid = FALSE;
534 break;
535 }
536 if ((uintptr_t)cfg_done->get(cfg_done,
537 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
538 {
539 continue;
540 }
541 peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
542 if (!peer)
543 {
544 DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
545 "verification");
546 continue;
547 }
548 if (!peer->get_validity(peer, NULL, &not_before, &not_after))
549 {
550 DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
551 &not_before, FALSE, &not_after, FALSE);
552 valid = FALSE;
553 break;
554 }
555 key = peer->get_public_key(peer);
556 if (!key)
557 {
558 DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
559 "verification");
560 continue;
561 }
562 DBG1(DBG_IKE, "verifying peer certificate");
563 /* serve received certificates */
564 wrapper = auth_cfg_wrapper_create(cfg_done);
565 lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
566 certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
567 key->get_type(key), peer->get_subject(peer), TRUE);
568 key->destroy(key);
569
570 found = FALSE;
571 while (certs->enumerate(certs, &cert, &auth))
572 {
573 if (peer->equals(peer, cert))
574 {
575 cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
576 FALSE);
577 cfg_done->merge(cfg_done, auth, FALSE);
578 valid = cfg_done->complies(cfg_done, cfg, TRUE);
579 found = TRUE;
580 break;
581 }
582 }
583 certs->destroy(certs);
584 lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
585 wrapper->destroy(wrapper);
586 if (!found || !valid)
587 {
588 valid = FALSE;
589 break;
590 }
591 }
592 e1->destroy(e1);
593 e2->destroy(e2);
594
595 if (this->flush_auth_cfg)
596 {
597 this->flush_auth_cfg = FALSE;
598 flush_auth_cfgs(this);
599 }
600 return valid;
601 }
602
603 METHOD(ike_sa_t, get_proposal, proposal_t*,
604 private_ike_sa_t *this)
605 {
606 return this->proposal;
607 }
608
609 METHOD(ike_sa_t, set_proposal, void,
610 private_ike_sa_t *this, proposal_t *proposal)
611 {
612 DESTROY_IF(this->proposal);
613 this->proposal = proposal->clone(proposal, 0);
614 }
615
616 METHOD(ike_sa_t, set_message_id, void,
617 private_ike_sa_t *this, bool initiate, uint32_t mid)
618 {
619 if (initiate)
620 {
621 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
622 }
623 else
624 {
625 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
626 }
627 }
628
629 METHOD(ike_sa_t, get_message_id, uint32_t,
630 private_ike_sa_t *this, bool initiate)
631 {
632 return this->task_manager->get_mid(this->task_manager, initiate);
633 }
634
635 METHOD(ike_sa_t, send_keepalive, void,
636 private_ike_sa_t *this, bool scheduled)
637 {
638 time_t last_out, now, diff;
639
640 if (scheduled)
641 {
642 this->keepalive_job = NULL;
643 }
644 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
645 { /* keepalives disabled either by configuration or for passive IKE_SAs */
646 return;
647 }
648 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
649 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
650 return;
651 }
652
653 last_out = get_use_time(this, FALSE);
654 now = time_monotonic(NULL);
655
656 diff = now - last_out;
657
658 if (diff >= this->keepalive_interval)
659 {
660 packet_t *packet;
661 chunk_t data;
662
663 packet = packet_create();
664 packet->set_source(packet, this->my_host->clone(this->my_host));
665 packet->set_destination(packet, this->other_host->clone(this->other_host));
666 data.ptr = malloc(1);
667 data.ptr[0] = 0xFF;
668 data.len = 1;
669 packet->set_data(packet, data);
670 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
671 charon->sender->send_no_marker(charon->sender, packet);
672 diff = 0;
673 }
674 if (!this->keepalive_job)
675 {
676 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
677 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
678 this->keepalive_interval - diff);
679 }
680 }
681
682 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
683 private_ike_sa_t *this)
684 {
685 return this->ike_cfg;
686 }
687
688 METHOD(ike_sa_t, set_ike_cfg, void,
689 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
690 {
691 DESTROY_IF(this->ike_cfg);
692 ike_cfg->get_ref(ike_cfg);
693 this->ike_cfg = ike_cfg;
694 }
695
696 METHOD(ike_sa_t, enable_extension, void,
697 private_ike_sa_t *this, ike_extension_t extension)
698 {
699 this->extensions |= extension;
700 }
701
702 METHOD(ike_sa_t, supports_extension, bool,
703 private_ike_sa_t *this, ike_extension_t extension)
704 {
705 return (this->extensions & extension) != FALSE;
706 }
707
708 METHOD(ike_sa_t, has_condition, bool,
709 private_ike_sa_t *this, ike_condition_t condition)
710 {
711 return (this->conditions & condition) != FALSE;
712 }
713
714 METHOD(ike_sa_t, set_condition, void,
715 private_ike_sa_t *this, ike_condition_t condition, bool enable)
716 {
717 if (has_condition(this, condition) != enable)
718 {
719 if (enable)
720 {
721 this->conditions |= condition;
722 switch (condition)
723 {
724 case COND_NAT_HERE:
725 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
726 this->conditions |= COND_NAT_ANY;
727 send_keepalive(this, FALSE);
728 break;
729 case COND_NAT_THERE:
730 DBG1(DBG_IKE, "remote host is behind NAT");
731 this->conditions |= COND_NAT_ANY;
732 break;
733 case COND_NAT_FAKE:
734 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
735 this->conditions |= COND_NAT_ANY;
736 break;
737 default:
738 break;
739 }
740 }
741 else
742 {
743 this->conditions &= ~condition;
744 switch (condition)
745 {
746 case COND_NAT_HERE:
747 case COND_NAT_THERE:
748 DBG1(DBG_IKE, "%s host is not behind NAT anymore",
749 condition == COND_NAT_HERE ? "local" : "remote");
750 /* fall-through */
751 case COND_NAT_FAKE:
752 set_condition(this, COND_NAT_ANY,
753 has_condition(this, COND_NAT_HERE) ||
754 has_condition(this, COND_NAT_THERE) ||
755 has_condition(this, COND_NAT_FAKE));
756 break;
757 case COND_STALE:
758 send_keepalive(this, FALSE);
759 break;
760 default:
761 break;
762 }
763 }
764 }
765 }
766
767 METHOD(ike_sa_t, send_dpd, status_t,
768 private_ike_sa_t *this)
769 {
770 job_t *job;
771 time_t diff, delay;
772 bool task_queued = FALSE;
773
774 if (this->state == IKE_PASSIVE)
775 {
776 return INVALID_STATE;
777 }
778 if (this->version == IKEV1 && this->state == IKE_REKEYING)
779 { /* don't send DPDs for rekeyed IKEv1 SAs */
780 return SUCCESS;
781 }
782 delay = this->peer_cfg->get_dpd(this->peer_cfg);
783 if (this->task_manager->busy(this->task_manager))
784 {
785 /* an exchange is in the air, no need to start a DPD check */
786 diff = 0;
787 }
788 else
789 {
790 /* check if there was any inbound traffic */
791 time_t last_in, now;
792 last_in = get_use_time(this, TRUE);
793 now = time_monotonic(NULL);
794 diff = now - last_in;
795 if (!delay || diff >= delay)
796 {
797 /* too long ago, initiate dead peer detection */
798 DBG1(DBG_IKE, "sending DPD request");
799 this->task_manager->queue_dpd(this->task_manager);
800 task_queued = TRUE;
801 diff = 0;
802 }
803 }
804 /* recheck in "interval" seconds */
805 if (delay)
806 {
807 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
808 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
809 }
810 if (task_queued)
811 {
812 return this->task_manager->initiate(this->task_manager);
813 }
814 return SUCCESS;
815 }
816
817 METHOD(ike_sa_t, get_state, ike_sa_state_t,
818 private_ike_sa_t *this)
819 {
820 return this->state;
821 }
822
823 METHOD(ike_sa_t, set_state, void,
824 private_ike_sa_t *this, ike_sa_state_t state)
825 {
826 bool trigger_dpd = FALSE, keepalives = FALSE;
827
828 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
829 get_name(this), this->unique_id,
830 ike_sa_state_names, this->state,
831 ike_sa_state_names, state);
832
833 switch (state)
834 {
835 case IKE_ESTABLISHED:
836 {
837 if (this->state == IKE_CONNECTING ||
838 this->state == IKE_PASSIVE)
839 {
840 job_t *job;
841 uint32_t t;
842
843 /* calculate rekey, reauth and lifetime */
844 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
845
846 /* schedule rekeying if we have a time which is smaller than
847 * an already scheduled rekeying */
848 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
849 if (t && (this->stats[STAT_REKEY] == 0 ||
850 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
851 {
852 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
853 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
854 lib->scheduler->schedule_job(lib->scheduler, job, t);
855 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
856 }
857 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
858 if (t && (this->stats[STAT_REAUTH] == 0 ||
859 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
860 {
861 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
862 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
863 lib->scheduler->schedule_job(lib->scheduler, job, t);
864 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
865 }
866 t = this->peer_cfg->get_over_time(this->peer_cfg);
867 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
868 {
869 if (this->stats[STAT_REAUTH] == 0)
870 {
871 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
872 }
873 else if (this->stats[STAT_REKEY] == 0)
874 {
875 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
876 }
877 else
878 {
879 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
880 this->stats[STAT_REAUTH]);
881 }
882 this->stats[STAT_DELETE] += t;
883 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
884 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
885 lib->scheduler->schedule_job(lib->scheduler, job, t);
886 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
887 }
888 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
889 if (trigger_dpd)
890 {
891 /* Some peers delay the DELETE after rekeying an IKE_SA.
892 * If this delay is longer than our DPD delay, we would
893 * send a DPD request here. The IKE_SA is not ready to do
894 * so yet, so prevent that. */
895 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
896 }
897 if (this->state == IKE_PASSIVE)
898 {
899 keepalives = TRUE;
900 }
901 DESTROY_IF(this->redirected_from);
902 this->redirected_from = NULL;
903 }
904 break;
905 }
906 default:
907 break;
908 }
909 charon->bus->ike_state_change(charon->bus, &this->public, state);
910 this->state = state;
911
912 if (trigger_dpd)
913 {
914 if (supports_extension(this, EXT_DPD))
915 {
916 send_dpd(this);
917 }
918 else
919 {
920 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
921 }
922 }
923 if (keepalives)
924 {
925 send_keepalive(this, FALSE);
926 }
927 }
928
929 METHOD(ike_sa_t, reset, void,
930 private_ike_sa_t *this, bool new_spi)
931 {
932 /* reset the initiator SPI if requested */
933 if (new_spi)
934 {
935 charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
936 &this->public);
937 }
938 /* the responder ID is reset, as peer may choose another one */
939 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
940 {
941 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
942 }
943
944 set_state(this, IKE_CREATED);
945
946 flush_auth_cfgs(this);
947
948 this->keymat->destroy(this->keymat);
949 this->keymat = keymat_create(this->version,
950 this->ike_sa_id->is_initiator(this->ike_sa_id));
951
952 this->task_manager->reset(this->task_manager, 0, 0);
953 this->task_manager->queue_ike(this->task_manager);
954 }
955
956 METHOD(ike_sa_t, get_keymat, keymat_t*,
957 private_ike_sa_t *this)
958 {
959 return this->keymat;
960 }
961
962 METHOD(ike_sa_t, add_virtual_ip, void,
963 private_ike_sa_t *this, bool local, host_t *ip)
964 {
965 if (local)
966 {
967 char *iface;
968
969 if (charon->kernel->get_interface(charon->kernel, this->my_host,
970 &iface))
971 {
972 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
973 if (charon->kernel->add_ip(charon->kernel, ip, -1,
974 iface) == SUCCESS)
975 {
976 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
977 }
978 else
979 {
980 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
981 }
982 free(iface);
983 }
984 else
985 {
986 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
987 }
988 }
989 else
990 {
991 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
992 }
993 }
994
995
996 METHOD(ike_sa_t, clear_virtual_ips, void,
997 private_ike_sa_t *this, bool local)
998 {
999 array_t *vips;
1000 host_t *vip;
1001
1002 vips = local ? this->my_vips : this->other_vips;
1003 if (!local && array_count(vips))
1004 {
1005 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
1006 }
1007 while (array_remove(vips, ARRAY_HEAD, &vip))
1008 {
1009 if (local)
1010 {
1011 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
1012 }
1013 vip->destroy(vip);
1014 }
1015 }
1016
1017 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
1018 private_ike_sa_t *this, bool local)
1019 {
1020 if (local)
1021 {
1022 return array_create_enumerator(this->my_vips);
1023 }
1024 return array_create_enumerator(this->other_vips);
1025 }
1026
1027 METHOD(ike_sa_t, add_peer_address, void,
1028 private_ike_sa_t *this, host_t *host)
1029 {
1030 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
1031 }
1032
1033 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
1034 private_ike_sa_t *this)
1035 {
1036 if (this->peer_addresses)
1037 {
1038 return array_create_enumerator(this->peer_addresses);
1039 }
1040 /* in case we don't have MOBIKE */
1041 return enumerator_create_single(this->other_host, NULL);
1042 }
1043
1044 METHOD(ike_sa_t, clear_peer_addresses, void,
1045 private_ike_sa_t *this)
1046 {
1047 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
1048 this->peer_addresses = NULL;
1049 }
1050
1051 METHOD(ike_sa_t, has_mapping_changed, bool,
1052 private_ike_sa_t *this, chunk_t hash)
1053 {
1054 if (this->nat_detection_dest.ptr == NULL)
1055 {
1056 this->nat_detection_dest = chunk_clone(hash);
1057 return FALSE;
1058 }
1059 if (chunk_equals(hash, this->nat_detection_dest))
1060 {
1061 return FALSE;
1062 }
1063 free(this->nat_detection_dest.ptr);
1064 this->nat_detection_dest = chunk_clone(hash);
1065 return TRUE;
1066 }
1067
1068 METHOD(ike_sa_t, float_ports, void,
1069 private_ike_sa_t *this)
1070 {
1071 /* even if the remote port is not 500 (e.g. because the response was natted)
1072 * we switch the remote port if we used port 500 */
1073 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
1074 this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
1075 {
1076 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
1077 }
1078 if (this->my_host->get_port(this->my_host) ==
1079 charon->socket->get_port(charon->socket, FALSE))
1080 {
1081 this->my_host->set_port(this->my_host,
1082 charon->socket->get_port(charon->socket, TRUE));
1083 }
1084 }
1085
1086 METHOD(ike_sa_t, update_hosts, void,
1087 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
1088 {
1089 bool update = FALSE;
1090
1091 if (me == NULL)
1092 {
1093 me = this->my_host;
1094 }
1095 if (other == NULL)
1096 {
1097 other = this->other_host;
1098 }
1099
1100 /* apply hosts on first received message */
1101 if (this->my_host->is_anyaddr(this->my_host) ||
1102 this->other_host->is_anyaddr(this->other_host))
1103 {
1104 set_my_host(this, me->clone(me));
1105 set_other_host(this, other->clone(other));
1106 update = TRUE;
1107 }
1108 else
1109 {
1110 /* update our address in any case */
1111 if (force && !me->equals(me, this->my_host))
1112 {
1113 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
1114 set_my_host(this, me->clone(me));
1115 update = TRUE;
1116 }
1117
1118 if (!other->equals(other, this->other_host) &&
1119 (force || has_condition(this, COND_NAT_THERE)))
1120 {
1121 /* only update other's address if we are behind a static NAT,
1122 * which we assume is the case if we are not initiator */
1123 if (force ||
1124 (!has_condition(this, COND_NAT_HERE) ||
1125 !has_condition(this, COND_ORIGINAL_INITIATOR)))
1126 {
1127 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
1128 set_other_host(this, other->clone(other));
1129 update = TRUE;
1130 }
1131 }
1132 }
1133
1134 /* update all associated CHILD_SAs, if required */
1135 if (update)
1136 {
1137 enumerator_t *enumerator;
1138 child_sa_t *child_sa;
1139 linked_list_t *vips;
1140
1141 vips = linked_list_create_from_enumerator(
1142 array_create_enumerator(this->my_vips));
1143
1144 enumerator = array_create_enumerator(this->child_sas);
1145 while (enumerator->enumerate(enumerator, &child_sa))
1146 {
1147 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1148 charon->child_sa_manager->add(charon->child_sa_manager,
1149 child_sa, &this->public);
1150
1151 if (child_sa->update(child_sa, this->my_host, this->other_host,
1152 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1153 {
1154 this->public.rekey_child_sa(&this->public,
1155 child_sa->get_protocol(child_sa),
1156 child_sa->get_spi(child_sa, TRUE));
1157 }
1158
1159 }
1160 enumerator->destroy(enumerator);
1161
1162 vips->destroy(vips);
1163 }
1164 }
1165
1166 /**
1167 * Set configured DSCP value on packet
1168 */
1169 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1170 {
1171 ike_cfg_t *ike_cfg;
1172
1173 /* prefer IKE config on peer_cfg, as its selection is more accurate
1174 * then the initial IKE config */
1175 if (this->peer_cfg)
1176 {
1177 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1178 }
1179 else
1180 {
1181 ike_cfg = this->ike_cfg;
1182 }
1183 if (ike_cfg)
1184 {
1185 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1186 }
1187 }
1188
1189 METHOD(ike_sa_t, generate_message, status_t,
1190 private_ike_sa_t *this, message_t *message, packet_t **packet)
1191 {
1192 status_t status;
1193
1194 if (message->is_encoded(message))
1195 { /* already encoded in task, but set DSCP value */
1196 *packet = message->get_packet(message);
1197 set_dscp(this, *packet);
1198 return SUCCESS;
1199 }
1200 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1201 message->set_ike_sa_id(message, this->ike_sa_id);
1202 charon->bus->message(charon->bus, message, FALSE, TRUE);
1203 status = message->generate(message, this->keymat, packet);
1204 if (status == SUCCESS)
1205 {
1206 set_dscp(this, *packet);
1207 charon->bus->message(charon->bus, message, FALSE, FALSE);
1208 }
1209 return status;
1210 }
1211
1212 CALLBACK(filter_fragments, bool,
1213 private_ike_sa_t *this, enumerator_t *orig, va_list args)
1214 {
1215 packet_t *fragment, **packet;
1216
1217 VA_ARGS_VGET(args, packet);
1218
1219 if (orig->enumerate(orig, &fragment))
1220 {
1221 *packet = fragment->clone(fragment);
1222 set_dscp(this, *packet);
1223 return TRUE;
1224 }
1225 return FALSE;
1226 }
1227
1228 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1229 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1230 {
1231 enumerator_t *fragments;
1232 packet_t *packet;
1233 status_t status;
1234 bool use_frags = FALSE;
1235 bool pre_generated = FALSE;
1236
1237 if (this->ike_cfg)
1238 {
1239 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1240 {
1241 case FRAGMENTATION_FORCE:
1242 use_frags = TRUE;
1243 break;
1244 case FRAGMENTATION_YES:
1245 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1246 if (use_frags && this->version == IKEV1 &&
1247 supports_extension(this, EXT_MS_WINDOWS))
1248 {
1249 /* It seems Windows 7 and 8 peers only accept proprietary
1250 * fragmented messages if they expect certificates. */
1251 use_frags = message->get_payload(message,
1252 PLV1_CERTIFICATE) != NULL;
1253 }
1254 break;
1255 default:
1256 break;
1257 }
1258 }
1259 if (!use_frags)
1260 {
1261 status = generate_message(this, message, &packet);
1262 if (status != SUCCESS)
1263 {
1264 return status;
1265 }
1266 *packets = enumerator_create_single(packet, NULL);
1267 return SUCCESS;
1268 }
1269
1270 pre_generated = message->is_encoded(message);
1271 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1272 message->set_ike_sa_id(message, this->ike_sa_id);
1273 if (!pre_generated)
1274 {
1275 charon->bus->message(charon->bus, message, FALSE, TRUE);
1276 }
1277 status = message->fragment(message, this->keymat, this->fragment_size,
1278 &fragments);
1279 if (status == SUCCESS)
1280 {
1281 if (!pre_generated)
1282 {
1283 charon->bus->message(charon->bus, message, FALSE, FALSE);
1284 }
1285 *packets = enumerator_create_filter(fragments, filter_fragments,
1286 this, NULL);
1287 }
1288 return status;
1289 }
1290
1291 METHOD(ike_sa_t, set_kmaddress, void,
1292 private_ike_sa_t *this, host_t *local, host_t *remote)
1293 {
1294 DESTROY_IF(this->local_host);
1295 DESTROY_IF(this->remote_host);
1296 this->local_host = local->clone(local);
1297 this->remote_host = remote->clone(remote);
1298 }
1299
1300 #ifdef ME
1301 METHOD(ike_sa_t, act_as_mediation_server, void,
1302 private_ike_sa_t *this)
1303 {
1304 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1305 this->other_id, this->ike_sa_id);
1306 this->is_mediation_server = TRUE;
1307 }
1308
1309 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1310 private_ike_sa_t *this)
1311 {
1312 return this->server_reflexive_host;
1313 }
1314
1315 METHOD(ike_sa_t, set_server_reflexive_host, void,
1316 private_ike_sa_t *this, host_t *host)
1317 {
1318 DESTROY_IF(this->server_reflexive_host);
1319 this->server_reflexive_host = host;
1320 }
1321
1322 METHOD(ike_sa_t, get_connect_id, chunk_t,
1323 private_ike_sa_t *this)
1324 {
1325 return this->connect_id;
1326 }
1327
1328 METHOD(ike_sa_t, respond, status_t,
1329 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1330 {
1331 ike_me_t *task = ike_me_create(&this->public, TRUE);
1332 task->respond(task, peer_id, connect_id);
1333 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1334 return this->task_manager->initiate(this->task_manager);
1335 }
1336
1337 METHOD(ike_sa_t, callback, status_t,
1338 private_ike_sa_t *this, identification_t *peer_id)
1339 {
1340 ike_me_t *task = ike_me_create(&this->public, TRUE);
1341 task->callback(task, peer_id);
1342 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1343 return this->task_manager->initiate(this->task_manager);
1344 }
1345
1346 METHOD(ike_sa_t, relay, status_t,
1347 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1348 chunk_t connect_key, linked_list_t *endpoints, bool response)
1349 {
1350 ike_me_t *task = ike_me_create(&this->public, TRUE);
1351 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1352 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1353 return this->task_manager->initiate(this->task_manager);
1354 }
1355
1356 METHOD(ike_sa_t, initiate_mediation, status_t,
1357 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1358 {
1359 ike_me_t *task = ike_me_create(&this->public, TRUE);
1360 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1361 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1362 return this->task_manager->initiate(this->task_manager);
1363 }
1364
1365 METHOD(ike_sa_t, initiate_mediated, status_t,
1366 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1367 {
1368 set_my_host(this, me->clone(me));
1369 set_other_host(this, other->clone(other));
1370 chunk_free(&this->connect_id);
1371 this->connect_id = chunk_clone(connect_id);
1372 return this->task_manager->initiate(this->task_manager);
1373 }
1374 #endif /* ME */
1375
1376 /**
1377 * Resolve DNS host in configuration
1378 */
1379 static void resolve_hosts(private_ike_sa_t *this)
1380 {
1381 host_t *host;
1382 int family = AF_UNSPEC;
1383
1384 switch (charon->socket->supported_families(charon->socket))
1385 {
1386 case SOCKET_FAMILY_IPV4:
1387 family = AF_INET;
1388 break;
1389 case SOCKET_FAMILY_IPV6:
1390 family = AF_INET6;
1391 break;
1392 case SOCKET_FAMILY_BOTH:
1393 case SOCKET_FAMILY_NONE:
1394 break;
1395 }
1396
1397 /* if an IP address is set locally, use the same family to resolve remote */
1398 if (family == AF_UNSPEC && !this->remote_host)
1399 {
1400 if (this->local_host)
1401 {
1402 family = this->local_host->get_family(this->local_host);
1403 }
1404 else
1405 {
1406 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1407 }
1408 }
1409
1410 if (this->remote_host)
1411 {
1412 host = this->remote_host->clone(this->remote_host);
1413 host->set_port(host, IKEV2_UDP_PORT);
1414 }
1415 else
1416 {
1417 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1418 }
1419 if (host)
1420 {
1421 if (!host->is_anyaddr(host) ||
1422 this->other_host->is_anyaddr(this->other_host))
1423 { /* don't set to %any if we currently have an address, but the
1424 * address family might have changed */
1425 set_other_host(this, host);
1426 }
1427 else
1428 { /* reuse the original port as some implementations might not like
1429 * initial IKE messages on other ports */
1430 this->other_host->set_port(this->other_host, host->get_port(host));
1431 host->destroy(host);
1432 }
1433 }
1434
1435 if (this->local_host)
1436 {
1437 host = this->local_host->clone(this->local_host);
1438 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1439 }
1440 else
1441 {
1442 /* use same address family as for other */
1443 if (!this->other_host->is_anyaddr(this->other_host))
1444 {
1445 family = this->other_host->get_family(this->other_host);
1446 }
1447 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1448
1449 if (host && host->is_anyaddr(host) &&
1450 !this->other_host->is_anyaddr(this->other_host))
1451 {
1452 host->destroy(host);
1453 host = charon->kernel->get_source_addr(charon->kernel,
1454 this->other_host, NULL);
1455 if (host)
1456 {
1457 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1458 }
1459 else
1460 { /* fallback to address family specific %any(6), if configured */
1461 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1462 }
1463 }
1464 }
1465 if (host)
1466 {
1467 set_my_host(this, host);
1468 }
1469 }
1470
1471 METHOD(ike_sa_t, initiate, status_t,
1472 private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid,
1473 traffic_selector_t *tsi, traffic_selector_t *tsr)
1474 {
1475 bool defer_initiate = FALSE;
1476
1477 if (this->state == IKE_CREATED)
1478 {
1479 if (this->my_host->is_anyaddr(this->my_host) ||
1480 this->other_host->is_anyaddr(this->other_host))
1481 {
1482 resolve_hosts(this);
1483 }
1484
1485 if (this->other_host->is_anyaddr(this->other_host)
1486 #ifdef ME
1487 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1488 #endif /* ME */
1489 )
1490 {
1491 char *addr;
1492
1493 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1494 if (!this->retry_initiate_interval)
1495 {
1496 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1497 addr);
1498 DESTROY_IF(child_cfg);
1499 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1500 return DESTROY_ME;
1501 }
1502 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1503 addr, this->retry_initiate_interval);
1504 defer_initiate = TRUE;
1505 }
1506
1507 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1508 this->task_manager->queue_ike(this->task_manager);
1509 }
1510
1511 #ifdef ME
1512 if (this->peer_cfg->is_mediation(this->peer_cfg))
1513 {
1514 if (this->state == IKE_ESTABLISHED)
1515 {
1516 /* mediation connection is already established, retrigger state
1517 * change to notify bus listeners */
1518 DBG1(DBG_IKE, "mediation connection is already up");
1519 set_state(this, IKE_ESTABLISHED);
1520 }
1521 DESTROY_IF(child_cfg);
1522 }
1523 else
1524 #endif /* ME */
1525 if (child_cfg)
1526 {
1527 /* normal IKE_SA with CHILD_SA */
1528 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1529 tsi, tsr);
1530 #ifdef ME
1531 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1532 {
1533 /* mediated connection, initiate mediation process */
1534 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1535 lib->processor->queue_job(lib->processor, job);
1536 return SUCCESS;
1537 }
1538 #endif /* ME */
1539 }
1540
1541 if (defer_initiate)
1542 {
1543 if (!this->retry_initiate_queued)
1544 {
1545 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1546 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1547 this->retry_initiate_interval);
1548 this->retry_initiate_queued = TRUE;
1549 }
1550 return SUCCESS;
1551 }
1552 this->retry_initiate_queued = FALSE;
1553 return this->task_manager->initiate(this->task_manager);
1554 }
1555
1556 METHOD(ike_sa_t, retry_initiate, status_t,
1557 private_ike_sa_t *this)
1558 {
1559 if (this->retry_initiate_queued)
1560 {
1561 this->retry_initiate_queued = FALSE;
1562 return initiate(this, NULL, 0, NULL, NULL);
1563 }
1564 return SUCCESS;
1565 }
1566
1567 METHOD(ike_sa_t, process_message, status_t,
1568 private_ike_sa_t *this, message_t *message)
1569 {
1570 status_t status;
1571
1572 if (this->state == IKE_PASSIVE)
1573 { /* do not handle messages in passive state */
1574 return FAILED;
1575 }
1576 if (message->get_major_version(message) != this->version)
1577 {
1578 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1579 exchange_type_names, message->get_exchange_type(message),
1580 message->get_major_version(message),
1581 ike_version_names, this->version);
1582 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1583 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1584 return FAILED;
1585 }
1586 status = this->task_manager->process_message(this->task_manager, message);
1587 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1588 {
1589 /* authentication completed but if the online validation is suspended we
1590 * need the auth cfgs until we did the delayed verification, we flush
1591 * them afterwards */
1592 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
1593 {
1594 this->flush_auth_cfg = FALSE;
1595 flush_auth_cfgs(this);
1596 }
1597 }
1598 return status;
1599 }
1600
1601 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1602 private_ike_sa_t *this)
1603 {
1604 return this->ike_sa_id;
1605 }
1606
1607 METHOD(ike_sa_t, get_version, ike_version_t,
1608 private_ike_sa_t *this)
1609 {
1610 return this->version;
1611 }
1612
1613 METHOD(ike_sa_t, get_my_id, identification_t*,
1614 private_ike_sa_t *this)
1615 {
1616 return this->my_id;
1617 }
1618
1619 METHOD(ike_sa_t, set_my_id, void,
1620 private_ike_sa_t *this, identification_t *me)
1621 {
1622 DESTROY_IF(this->my_id);
1623 this->my_id = me;
1624 }
1625
1626 METHOD(ike_sa_t, get_other_id, identification_t*,
1627 private_ike_sa_t *this)
1628 {
1629 return this->other_id;
1630 }
1631
1632 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1633 private_ike_sa_t *this)
1634 {
1635 identification_t *id = NULL, *current;
1636 enumerator_t *enumerator;
1637 auth_cfg_t *cfg;
1638
1639 enumerator = array_create_enumerator(this->other_auths);
1640 while (enumerator->enumerate(enumerator, &cfg))
1641 {
1642 /* prefer EAP-Identity of last round */
1643 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1644 if (!current || current->get_type(current) == ID_ANY)
1645 {
1646 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1647 }
1648 if (!current || current->get_type(current) == ID_ANY)
1649 {
1650 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1651 }
1652 if (current && current->get_type(current) != ID_ANY)
1653 {
1654 id = current;
1655 continue;
1656 }
1657 }
1658 enumerator->destroy(enumerator);
1659 if (id)
1660 {
1661 return id;
1662 }
1663 return this->other_id;
1664 }
1665
1666 METHOD(ike_sa_t, set_other_id, void,
1667 private_ike_sa_t *this, identification_t *other)
1668 {
1669 DESTROY_IF(this->other_id);
1670 this->other_id = other;
1671 }
1672
1673 METHOD(ike_sa_t, get_if_id, uint32_t,
1674 private_ike_sa_t *this, bool inbound)
1675 {
1676 return inbound ? this->if_id_in : this->if_id_out;
1677 }
1678
1679 METHOD(ike_sa_t, add_child_sa, void,
1680 private_ike_sa_t *this, child_sa_t *child_sa)
1681 {
1682 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1683 charon->child_sa_manager->add(charon->child_sa_manager,
1684 child_sa, &this->public);
1685 }
1686
1687 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1688 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
1689 {
1690 enumerator_t *enumerator;
1691 child_sa_t *current, *found = NULL;
1692
1693 enumerator = array_create_enumerator(this->child_sas);
1694 while (enumerator->enumerate(enumerator, (void**)&current))
1695 {
1696 if (current->get_spi(current, inbound) == spi &&
1697 current->get_protocol(current) == protocol)
1698 {
1699 found = current;
1700 }
1701 }
1702 enumerator->destroy(enumerator);
1703 return found;
1704 }
1705
1706 METHOD(ike_sa_t, get_child_count, int,
1707 private_ike_sa_t *this)
1708 {
1709 return array_count(this->child_sas);
1710 }
1711
1712 /**
1713 * Private data of a create_child_sa_enumerator()
1714 */
1715 typedef struct {
1716 /** implements enumerator */
1717 enumerator_t public;
1718 /** inner array enumerator */
1719 enumerator_t *inner;
1720 /** current item */
1721 child_sa_t *current;
1722 } child_enumerator_t;
1723
1724 METHOD(enumerator_t, child_enumerate, bool,
1725 child_enumerator_t *this, va_list args)
1726 {
1727 child_sa_t **child_sa;
1728
1729 VA_ARGS_VGET(args, child_sa);
1730 if (this->inner->enumerate(this->inner, &this->current))
1731 {
1732 *child_sa = this->current;
1733 return TRUE;
1734 }
1735 return FALSE;
1736 }
1737
1738 METHOD(enumerator_t, child_enumerator_destroy, void,
1739 child_enumerator_t *this)
1740 {
1741 this->inner->destroy(this->inner);
1742 free(this);
1743 }
1744
1745 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1746 private_ike_sa_t *this)
1747 {
1748 child_enumerator_t *enumerator;
1749
1750 INIT(enumerator,
1751 .public = {
1752 .enumerate = enumerator_enumerate_default,
1753 .venumerate = _child_enumerate,
1754 .destroy = _child_enumerator_destroy,
1755 },
1756 .inner = array_create_enumerator(this->child_sas),
1757 );
1758 return &enumerator->public;
1759 }
1760
1761 METHOD(ike_sa_t, remove_child_sa, void,
1762 private_ike_sa_t *this, enumerator_t *enumerator)
1763 {
1764 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1765
1766 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1767 array_remove_at(this->child_sas, ce->inner);
1768 }
1769
1770 METHOD(ike_sa_t, rekey_child_sa, status_t,
1771 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1772 {
1773 if (this->state == IKE_PASSIVE)
1774 {
1775 return INVALID_STATE;
1776 }
1777 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1778 return this->task_manager->initiate(this->task_manager);
1779 }
1780
1781 METHOD(ike_sa_t, delete_child_sa, status_t,
1782 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
1783 {
1784 if (this->state == IKE_PASSIVE)
1785 {
1786 return INVALID_STATE;
1787 }
1788 this->task_manager->queue_child_delete(this->task_manager,
1789 protocol, spi, expired);
1790 return this->task_manager->initiate(this->task_manager);
1791 }
1792
1793 METHOD(ike_sa_t, destroy_child_sa, status_t,
1794 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1795 {
1796 enumerator_t *enumerator;
1797 child_sa_t *child_sa;
1798 status_t status = NOT_FOUND;
1799
1800 enumerator = create_child_sa_enumerator(this);
1801 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1802 {
1803 if (child_sa->get_protocol(child_sa) == protocol &&
1804 child_sa->get_spi(child_sa, TRUE) == spi)
1805 {
1806 remove_child_sa(this, enumerator);
1807 child_sa->destroy(child_sa);
1808 status = SUCCESS;
1809 break;
1810 }
1811 }
1812 enumerator->destroy(enumerator);
1813 return status;
1814 }
1815
1816 METHOD(ike_sa_t, delete_, status_t,
1817 private_ike_sa_t *this, bool force)
1818 {
1819 status_t status = DESTROY_ME;
1820
1821 switch (this->state)
1822 {
1823 case IKE_ESTABLISHED:
1824 case IKE_REKEYING:
1825 if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
1826 !(this->version == IKEV1 && this->state == IKE_REKEYING))
1827 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1828 * IKEv1 SAs */
1829 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1830 }
1831 this->task_manager->queue_ike_delete(this->task_manager);
1832 status = this->task_manager->initiate(this->task_manager);
1833 break;
1834 case IKE_CREATED:
1835 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1836 break;
1837 case IKE_PASSIVE:
1838 break;
1839 default:
1840 DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1841 ike_sa_state_names, this->state);
1842 force = TRUE;
1843 break;
1844 }
1845
1846 if (force)
1847 {
1848 status = DESTROY_ME;
1849
1850 if (this->version == IKEV2)
1851 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1852 switch (this->state)
1853 {
1854 case IKE_ESTABLISHED:
1855 case IKE_REKEYING:
1856 case IKE_DELETING:
1857 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1858 default:
1859 break;
1860 }
1861 }
1862 }
1863 return status;
1864 }
1865
1866 METHOD(ike_sa_t, rekey, status_t,
1867 private_ike_sa_t *this)
1868 {
1869 if (this->state == IKE_PASSIVE)
1870 {
1871 return INVALID_STATE;
1872 }
1873 this->task_manager->queue_ike_rekey(this->task_manager);
1874 return this->task_manager->initiate(this->task_manager);
1875 }
1876
1877 METHOD(ike_sa_t, reauth, status_t,
1878 private_ike_sa_t *this)
1879 {
1880 if (this->state == IKE_PASSIVE)
1881 {
1882 return INVALID_STATE;
1883 }
1884 if (this->state == IKE_CONNECTING)
1885 {
1886 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1887 get_name(this), this->unique_id);
1888 reset(this, TRUE);
1889 return this->task_manager->initiate(this->task_manager);
1890 }
1891 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1892 * If the peer does not support RFC4478, there is no way to keep the
1893 * IKE_SA up. */
1894 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1895 {
1896 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1897 if (array_count(this->other_vips) != 0 ||
1898 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1899 has_condition(this, COND_EAP_AUTHENTICATED)
1900 #ifdef ME
1901 /* as mediation server we too cannot reauth the IKE_SA */
1902 || this->is_mediation_server
1903 #endif /* ME */
1904 )
1905 {
1906 time_t del, now;
1907
1908 del = this->stats[STAT_DELETE];
1909 now = time_monotonic(NULL);
1910 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1911 get_name(this), this->unique_id, &now, &del);
1912 return FAILED;
1913 }
1914 else
1915 {
1916 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1917 get_name(this), this->unique_id);
1918 }
1919 }
1920 else
1921 {
1922 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1923 get_name(this), this->unique_id);
1924 }
1925 set_condition(this, COND_REAUTHENTICATING, TRUE);
1926 this->task_manager->queue_ike_reauth(this->task_manager);
1927 return this->task_manager->initiate(this->task_manager);
1928 }
1929
1930 /**
1931 * Check if tasks to create CHILD_SAs are queued in the given queue
1932 */
1933 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1934 {
1935 enumerator_t *enumerator;
1936 task_t *task;
1937 bool found = FALSE;
1938
1939 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1940 queue);
1941 while (enumerator->enumerate(enumerator, &task))
1942 {
1943 if (task->get_type(task) == TASK_CHILD_CREATE ||
1944 task->get_type(task) == TASK_QUICK_MODE)
1945 {
1946 found = TRUE;
1947 break;
1948 }
1949 }
1950 enumerator->destroy(enumerator);
1951 return found;
1952 }
1953
1954 /**
1955 * Reestablish CHILD_SAs and migrate queued tasks.
1956 *
1957 * If force is true all SAs are restarted, otherwise their close/dpd_action
1958 * is followed.
1959 */
1960 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
1961 bool force)
1962 {
1963 enumerator_t *enumerator;
1964 child_sa_t *child_sa;
1965 child_cfg_t *child_cfg;
1966 action_t action;
1967 status_t status = FAILED;
1968
1969 /* handle existing CHILD_SAs */
1970 enumerator = create_child_sa_enumerator(this);
1971 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1972 {
1973 switch (child_sa->get_state(child_sa))
1974 {
1975 case CHILD_REKEYED:
1976 case CHILD_DELETED:
1977 /* ignore CHILD_SAs in these states */
1978 continue;
1979 default:
1980 break;
1981 }
1982 if (force)
1983 {
1984 action = ACTION_RESTART;
1985 }
1986 else
1987 { /* only restart CHILD_SAs that are configured accordingly */
1988 if (this->state == IKE_DELETING)
1989 {
1990 action = child_sa->get_close_action(child_sa);
1991 }
1992 else
1993 {
1994 action = child_sa->get_dpd_action(child_sa);
1995 }
1996 }
1997 switch (action)
1998 {
1999 case ACTION_RESTART:
2000 child_cfg = child_sa->get_config(child_sa);
2001 DBG1(DBG_IKE, "restarting CHILD_SA %s",
2002 child_cfg->get_name(child_cfg));
2003 child_cfg->get_ref(child_cfg);
2004 status = new->initiate(new, child_cfg,
2005 child_sa->get_reqid(child_sa), NULL, NULL);
2006 break;
2007 default:
2008 continue;
2009 }
2010 if (status == DESTROY_ME)
2011 {
2012 break;
2013 }
2014 }
2015 enumerator->destroy(enumerator);
2016 /* adopt any active or queued CHILD-creating tasks */
2017 if (status != DESTROY_ME)
2018 {
2019 new->adopt_child_tasks(new, &this->public);
2020 if (new->get_state(new) == IKE_CREATED)
2021 {
2022 status = new->initiate(new, NULL, 0, NULL, NULL);
2023 }
2024 }
2025 return status;
2026 }
2027
2028 METHOD(ike_sa_t, reestablish, status_t,
2029 private_ike_sa_t *this)
2030 {
2031 ike_sa_t *new;
2032 host_t *host;
2033 action_t action;
2034 enumerator_t *enumerator;
2035 child_sa_t *child_sa;
2036 bool restart = FALSE;
2037 status_t status = FAILED;
2038
2039 if (has_condition(this, COND_REAUTHENTICATING))
2040 { /* only reauthenticate if we have children */
2041 if (array_count(this->child_sas) == 0
2042 #ifdef ME
2043 /* allow reauth of mediation connections without CHILD_SAs */
2044 && !this->peer_cfg->is_mediation(this->peer_cfg)
2045 #endif /* ME */
2046 )
2047 {
2048 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2049 "to recreate");
2050 }
2051 else
2052 {
2053 restart = TRUE;
2054 }
2055 }
2056 else
2057 { /* check if we have children to keep up at all */
2058 enumerator = array_create_enumerator(this->child_sas);
2059 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2060 {
2061 switch (child_sa->get_state(child_sa))
2062 {
2063 case CHILD_REKEYED:
2064 case CHILD_DELETED:
2065 /* ignore CHILD_SAs in these states */
2066 continue;
2067 default:
2068 break;
2069 }
2070 if (this->state == IKE_DELETING)
2071 {
2072 action = child_sa->get_close_action(child_sa);
2073 }
2074 else
2075 {
2076 action = child_sa->get_dpd_action(child_sa);
2077 }
2078 switch (action)
2079 {
2080 case ACTION_RESTART:
2081 restart = TRUE;
2082 break;
2083 case ACTION_ROUTE:
2084 charon->traps->install(charon->traps, this->peer_cfg,
2085 child_sa->get_config(child_sa));
2086 break;
2087 default:
2088 break;
2089 }
2090 }
2091 enumerator->destroy(enumerator);
2092 /* check if we have tasks that recreate children */
2093 if (!restart)
2094 {
2095 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
2096 is_child_queued(this, TASK_QUEUE_QUEUED);
2097 }
2098 #ifdef ME
2099 /* mediation connections have no children, keep them up anyway */
2100 if (this->peer_cfg->is_mediation(this->peer_cfg))
2101 {
2102 restart = TRUE;
2103 }
2104 #endif /* ME */
2105 }
2106 if (!restart)
2107 {
2108 return FAILED;
2109 }
2110
2111 /* check if we are able to reestablish this IKE_SA */
2112 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
2113 (array_count(this->other_vips) != 0 ||
2114 has_condition(this, COND_EAP_AUTHENTICATED)
2115 #ifdef ME
2116 || this->is_mediation_server
2117 #endif /* ME */
2118 ))
2119 {
2120 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
2121 return FAILED;
2122 }
2123
2124 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2125 this->version, TRUE);
2126 if (!new)
2127 {
2128 return FAILED;
2129 }
2130 new->set_peer_cfg(new, this->peer_cfg);
2131 host = this->other_host;
2132 new->set_other_host(new, host->clone(host));
2133 host = this->my_host;
2134 new->set_my_host(new, host->clone(host));
2135 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2136 if (!has_condition(this, COND_REAUTHENTICATING))
2137 { /* reauthenticate to the same addresses, but resolve hosts if
2138 * reestablishing (old addresses serve as fallback) */
2139 resolve_hosts((private_ike_sa_t*)new);
2140 }
2141 /* if we already have a virtual IP, we reuse it */
2142 enumerator = array_create_enumerator(this->my_vips);
2143 while (enumerator->enumerate(enumerator, &host))
2144 {
2145 new->add_virtual_ip(new, TRUE, host);
2146 }
2147 enumerator->destroy(enumerator);
2148
2149 #ifdef ME
2150 if (this->peer_cfg->is_mediation(this->peer_cfg))
2151 {
2152 status = new->initiate(new, NULL, 0, NULL, NULL);
2153 }
2154 else
2155 #endif /* ME */
2156 {
2157 status = reestablish_children(this, new,
2158 has_condition(this, COND_REAUTHENTICATING));
2159 }
2160
2161 if (status == DESTROY_ME)
2162 {
2163 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2164 FALSE);
2165 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2166 status = FAILED;
2167 }
2168 else
2169 {
2170 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2171 TRUE);
2172 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2173 status = SUCCESS;
2174 }
2175 charon->bus->set_sa(charon->bus, &this->public);
2176 return status;
2177 }
2178
2179 /**
2180 * Resolve the given gateway ID
2181 */
2182 static host_t *resolve_gateway_id(identification_t *gateway)
2183 {
2184 char gw[BUF_LEN];
2185 host_t *addr;
2186
2187 snprintf(gw, sizeof(gw), "%Y", gateway);
2188 gw[sizeof(gw)-1] = '\0';
2189 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2190 if (!addr)
2191 {
2192 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2193 gateway);
2194 }
2195 return addr;
2196 }
2197
2198 /**
2199 * Redirect the current SA to the given target host
2200 */
2201 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2202 {
2203 private_ike_sa_t *new_priv;
2204 ike_sa_t *new;
2205 host_t *other;
2206 time_t redirect;
2207
2208 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2209 this->version, TRUE);
2210 if (!new)
2211 {
2212 return FALSE;
2213 }
2214 new_priv = (private_ike_sa_t*)new;
2215 new->set_peer_cfg(new, this->peer_cfg);
2216 new_priv->redirected_from = this->other_host->clone(this->other_host);
2217 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2218 other = resolve_gateway_id(to);
2219 if (other)
2220 {
2221 set_my_host(new_priv, this->my_host->clone(this->my_host));
2222 /* this allows us to force the remote address while we still properly
2223 * resolve the local address */
2224 new_priv->remote_host = other;
2225 resolve_hosts(new_priv);
2226 new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2227 while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2228 {
2229 array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2230 }
2231 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2232 {
2233 #ifdef USE_IKEV2
2234 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2235 this->ike_sa_id));
2236 #endif
2237 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2238 TRUE);
2239 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2240 charon->bus->set_sa(charon->bus, &this->public);
2241 return TRUE;
2242 }
2243 }
2244 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2245 FALSE);
2246 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2247 charon->bus->set_sa(charon->bus, &this->public);
2248 return FALSE;
2249 }
2250
2251 /**
2252 * Redirect the current connecting SA to the given target host
2253 */
2254 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2255 {
2256 host_t *other;
2257
2258 other = resolve_gateway_id(to);
2259 if (!other)
2260 {
2261 return FALSE;
2262 }
2263 reset(this, TRUE);
2264 DESTROY_IF(this->redirected_from);
2265 this->redirected_from = this->other_host->clone(this->other_host);
2266 DESTROY_IF(this->remote_host);
2267 /* this allows us to force the remote address while we still properly
2268 * resolve the local address */
2269 this->remote_host = other;
2270 resolve_hosts(this);
2271 return TRUE;
2272 }
2273
2274 /**
2275 * Check if the current redirect exceeds the limits for redirects
2276 */
2277 static bool redirect_count_exceeded(private_ike_sa_t *this)
2278 {
2279 time_t now, redirect;
2280
2281 now = time_monotonic(NULL);
2282 /* remove entries outside the defined period */
2283 while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2284 now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2285 {
2286 array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2287 }
2288 if (array_count(this->redirected_at) < MAX_REDIRECTS)
2289 {
2290 if (!this->redirected_at)
2291 {
2292 this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2293 }
2294 array_insert(this->redirected_at, ARRAY_TAIL, &now);
2295 return FALSE;
2296 }
2297 return TRUE;
2298 }
2299
2300 METHOD(ike_sa_t, handle_redirect, bool,
2301 private_ike_sa_t *this, identification_t *gateway)
2302 {
2303 DBG1(DBG_IKE, "redirected to %Y", gateway);
2304 if (!this->follow_redirects)
2305 {
2306 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2307 return FALSE;
2308 }
2309 if (redirect_count_exceeded(this))
2310 {
2311 DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2312 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2313 return FALSE;
2314 }
2315
2316 switch (this->state)
2317 {
2318 case IKE_CONNECTING:
2319 return redirect_connecting(this, gateway);
2320 case IKE_ESTABLISHED:
2321 return redirect_established(this, gateway);
2322 default:
2323 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2324 ike_sa_state_names, this->state);
2325 return FALSE;
2326 }
2327 }
2328
2329 METHOD(ike_sa_t, redirect, status_t,
2330 private_ike_sa_t *this, identification_t *gateway)
2331 {
2332 switch (this->state)
2333 {
2334 case IKE_CONNECTING:
2335 case IKE_ESTABLISHED:
2336 case IKE_REKEYING:
2337 if (has_condition(this, COND_REDIRECTED))
2338 { /* IKE_SA already got redirected */
2339 return SUCCESS;
2340 }
2341 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2342 {
2343 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2344 return FAILED;
2345 }
2346 if (this->version == IKEV1)
2347 {
2348 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2349 return FAILED;
2350 }
2351 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2352 {
2353 DBG1(DBG_IKE, "client does not support IKE redirection");
2354 return FAILED;
2355 }
2356 #ifdef USE_IKEV2
2357 this->task_manager->queue_task(this->task_manager,
2358 (task_t*)ike_redirect_create(&this->public, gateway));
2359 #endif
2360 return this->task_manager->initiate(this->task_manager);
2361 default:
2362 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2363 ike_sa_state_names, this->state);
2364 return INVALID_STATE;
2365 }
2366 }
2367
2368 METHOD(ike_sa_t, retransmit, status_t,
2369 private_ike_sa_t *this, uint32_t message_id)
2370 {
2371 if (this->state == IKE_PASSIVE)
2372 {
2373 return INVALID_STATE;
2374 }
2375 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2376 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2377 {
2378 /* send a proper signal to brief interested bus listeners */
2379 switch (this->state)
2380 {
2381 case IKE_CONNECTING:
2382 {
2383 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2384 uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2385 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2386 this->keyingtry);
2387 this->keyingtry++;
2388 if (tries == 0 || tries > this->keyingtry)
2389 {
2390 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2391 this->keyingtry + 1, tries);
2392 reset(this, TRUE);
2393 resolve_hosts(this);
2394 return this->task_manager->initiate(this->task_manager);
2395 }
2396 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2397
2398 if (this->version == IKEV1 && array_count(this->child_sas))
2399 {
2400 enumerator_t *enumerator;
2401 child_sa_t *child_sa;
2402
2403 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2404 * in this state with CHILD_SAs), try again from scratch */
2405 DBG1(DBG_IKE, "reauthentication failed, trying to "
2406 "reestablish IKE_SA");
2407 reestablish(this);
2408 /* trigger down events for the CHILD_SAs, as no down event
2409 * is triggered below for IKE SAs in this state */
2410 enumerator = array_create_enumerator(this->child_sas);
2411 while (enumerator->enumerate(enumerator, &child_sa))
2412 {
2413 if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
2414 child_sa->get_state(child_sa) != CHILD_DELETED)
2415 {
2416 charon->bus->child_updown(charon->bus, child_sa,
2417 FALSE);
2418 }
2419 }
2420 enumerator->destroy(enumerator);
2421 }
2422 break;
2423 }
2424 case IKE_DELETING:
2425 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2426 if (has_condition(this, COND_REAUTHENTICATING) &&
2427 !lib->settings->get_bool(lib->settings,
2428 "%s.make_before_break", FALSE, lib->ns))
2429 {
2430 DBG1(DBG_IKE, "delete during reauthentication failed, "
2431 "trying to reestablish IKE_SA anyway");
2432 reestablish(this);
2433 }
2434 break;
2435 case IKE_REKEYING:
2436 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2437 /* FALL */
2438 default:
2439 reestablish(this);
2440 break;
2441 }
2442 if (this->state != IKE_CONNECTING &&
2443 this->state != IKE_REKEYED)
2444 {
2445 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2446 }
2447 return DESTROY_ME;
2448 }
2449 return SUCCESS;
2450 }
2451
2452 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2453 private_ike_sa_t *this, uint32_t lifetime)
2454 {
2455 uint32_t diff, hard, soft, now;
2456 bool send_update;
2457
2458 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2459 now = time_monotonic(NULL);
2460 hard = now + lifetime;
2461 soft = hard - diff;
2462
2463 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2464 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2465 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2466 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2467 (array_count(this->other_vips) != 0 ||
2468 has_condition(this, COND_EAP_AUTHENTICATED));
2469
2470 if (lifetime < diff)
2471 {
2472 this->stats[STAT_REAUTH] = now;
2473
2474 if (!send_update)
2475 {
2476 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2477 "starting reauthentication", lifetime);
2478 lib->processor->queue_job(lib->processor,
2479 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2480 }
2481 }
2482 else if (this->stats[STAT_REAUTH] == 0 ||
2483 this->stats[STAT_REAUTH] > soft)
2484 {
2485 this->stats[STAT_REAUTH] = soft;
2486 if (!send_update)
2487 {
2488 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2489 "reauthentication in %ds", lifetime, lifetime - diff);
2490 lib->scheduler->schedule_job(lib->scheduler,
2491 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2492 lifetime - diff);
2493 }
2494 }
2495 else
2496 {
2497 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2498 "reauthentication already scheduled in %ds", lifetime,
2499 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2500 send_update = FALSE;
2501 }
2502 /* give at least some seconds to reauthenticate */
2503 this->stats[STAT_DELETE] = max(hard, now + 10);
2504
2505 #ifdef USE_IKEV2
2506 if (send_update)
2507 {
2508 ike_auth_lifetime_t *task;
2509
2510 task = ike_auth_lifetime_create(&this->public, TRUE);
2511 this->task_manager->queue_task(this->task_manager, &task->task);
2512 return this->task_manager->initiate(this->task_manager);
2513 }
2514 #endif
2515 return SUCCESS;
2516 }
2517
2518 /**
2519 * Check if the current combination of source and destination address is still
2520 * valid.
2521 */
2522 static bool is_current_path_valid(private_ike_sa_t *this)
2523 {
2524 bool valid = FALSE;
2525 host_t *src;
2526
2527 if (supports_extension(this, EXT_MOBIKE) &&
2528 lib->settings->get_bool(lib->settings,
2529 "%s.prefer_best_path", FALSE, lib->ns))
2530 {
2531 /* check if the current path is the best path; migrate otherwise */
2532 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2533 NULL);
2534 if (src)
2535 {
2536 valid = src->ip_equals(src, this->my_host);
2537 src->destroy(src);
2538 }
2539 if (!valid)
2540 {
2541 DBG1(DBG_IKE, "old path is not preferred anymore");
2542 }
2543 return valid;
2544 }
2545 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2546 this->my_host);
2547 if (src)
2548 {
2549 if (src->ip_equals(src, this->my_host))
2550 {
2551 valid = TRUE;
2552 }
2553 src->destroy(src);
2554 }
2555 if (!valid)
2556 {
2557 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2558 }
2559 return valid;
2560 }
2561
2562 /**
2563 * Check if we have any path available for this IKE SA.
2564 */
2565 static bool is_any_path_valid(private_ike_sa_t *this)
2566 {
2567 bool valid = FALSE;
2568 enumerator_t *enumerator;
2569 host_t *src = NULL, *addr;
2570 int family = AF_UNSPEC;
2571
2572 switch (charon->socket->supported_families(charon->socket))
2573 {
2574 case SOCKET_FAMILY_IPV4:
2575 family = AF_INET;
2576 break;
2577 case SOCKET_FAMILY_IPV6:
2578 family = AF_INET6;
2579 break;
2580 case SOCKET_FAMILY_BOTH:
2581 case SOCKET_FAMILY_NONE:
2582 break;
2583 }
2584
2585 enumerator = create_peer_address_enumerator(this);
2586 while (enumerator->enumerate(enumerator, &addr))
2587 {
2588 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2589 {
2590 continue;
2591 }
2592 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2593 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2594 if (src)
2595 {
2596 break;
2597 }
2598 }
2599 enumerator->destroy(enumerator);
2600 if (src)
2601 {
2602 valid = TRUE;
2603 src->destroy(src);
2604 }
2605 return valid;
2606 }
2607
2608 METHOD(ike_sa_t, roam, status_t,
2609 private_ike_sa_t *this, bool address)
2610 {
2611 switch (this->state)
2612 {
2613 case IKE_CREATED:
2614 case IKE_DELETING:
2615 case IKE_DESTROYING:
2616 case IKE_PASSIVE:
2617 case IKE_REKEYED:
2618 return SUCCESS;
2619 default:
2620 break;
2621 }
2622
2623 if (!this->ike_cfg)
2624 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2625 * without config assigned */
2626 return SUCCESS;
2627 }
2628 if (this->version == IKEV1)
2629 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2630 * have to reestablish from scratch (reauth is not enough) */
2631 return SUCCESS;
2632 }
2633
2634 /* ignore roam events if MOBIKE is not supported/enabled and the local
2635 * address is statically configured */
2636 if (!supports_extension(this, EXT_MOBIKE) &&
2637 ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
2638 {
2639 DBG2(DBG_IKE, "keeping statically configured path %H - %H",
2640 this->my_host, this->other_host);
2641 return SUCCESS;
2642 }
2643
2644 /* keep existing path if possible */
2645 if (is_current_path_valid(this))
2646 {
2647 DBG2(DBG_IKE, "keeping connection path %H - %H",
2648 this->my_host, this->other_host);
2649 set_condition(this, COND_STALE, FALSE);
2650
2651 if (supports_extension(this, EXT_MOBIKE) && address)
2652 { /* if any addresses changed, send an updated list */
2653 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2654 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2655 return this->task_manager->initiate(this->task_manager);
2656 }
2657 return SUCCESS;
2658 }
2659
2660 if (!is_any_path_valid(this))
2661 {
2662 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2663 this->other_host);
2664 set_condition(this, COND_STALE, TRUE);
2665 return SUCCESS;
2666 }
2667 set_condition(this, COND_STALE, FALSE);
2668
2669 /* update addresses with mobike, if supported ... */
2670 if (supports_extension(this, EXT_MOBIKE))
2671 {
2672 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2673 { /* responder updates the peer about changed address config */
2674 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2675 "implicitly requesting an address change");
2676 address = TRUE;
2677 }
2678 else
2679 {
2680 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2681 }
2682 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2683 return this->task_manager->initiate(this->task_manager);
2684 }
2685
2686 /* ... reauth if not */
2687 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2688 { /* responder does not reauthenticate */
2689 set_condition(this, COND_STALE, TRUE);
2690 return SUCCESS;
2691 }
2692 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2693 /* since our previous path is not valid anymore, try and find a new one */
2694 resolve_hosts(this);
2695 return reauth(this);
2696 }
2697
2698 METHOD(ike_sa_t, add_configuration_attribute, void,
2699 private_ike_sa_t *this, attribute_handler_t *handler,
2700 configuration_attribute_type_t type, chunk_t data)
2701 {
2702 attribute_entry_t entry = {
2703 .handler = handler,
2704 .type = type,
2705 .data = chunk_clone(data),
2706 };
2707 array_insert(this->attributes, ARRAY_TAIL, &entry);
2708 }
2709
2710 CALLBACK(filter_attribute, bool,
2711 void *null, enumerator_t *orig, va_list args)
2712 {
2713 attribute_entry_t *entry;
2714 configuration_attribute_type_t *type;
2715 chunk_t *data;
2716 bool *handled;
2717
2718 VA_ARGS_VGET(args, type, data, handled);
2719
2720 if (orig->enumerate(orig, &entry))
2721 {
2722 *type = entry->type;
2723 *data = entry->data;
2724 *handled = entry->handler != NULL;
2725 return TRUE;
2726 }
2727 return FALSE;
2728 }
2729
2730 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2731 private_ike_sa_t *this)
2732 {
2733 return enumerator_create_filter(array_create_enumerator(this->attributes),
2734 filter_attribute, NULL, NULL);
2735 }
2736
2737 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2738 private_ike_sa_t *this, task_queue_t queue)
2739 {
2740 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2741 }
2742
2743 METHOD(ike_sa_t, remove_task, void,
2744 private_ike_sa_t *this, enumerator_t *enumerator)
2745 {
2746 return this->task_manager->remove_task(this->task_manager, enumerator);
2747 }
2748
2749 METHOD(ike_sa_t, flush_queue, void,
2750 private_ike_sa_t *this, task_queue_t queue)
2751 {
2752 this->task_manager->flush_queue(this->task_manager, queue);
2753 }
2754
2755 METHOD(ike_sa_t, queue_task, void,
2756 private_ike_sa_t *this, task_t *task)
2757 {
2758 this->task_manager->queue_task(this->task_manager, task);
2759 }
2760
2761 METHOD(ike_sa_t, queue_task_delayed, void,
2762 private_ike_sa_t *this, task_t *task, uint32_t delay)
2763 {
2764 this->task_manager->queue_task_delayed(this->task_manager, task, delay);
2765 }
2766
2767 /**
2768 * Migrate and queue child-creating tasks from another IKE_SA
2769 */
2770 static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
2771 task_queue_t queue)
2772 {
2773 enumerator_t *enumerator;
2774 task_t *task;
2775
2776 enumerator = other->create_task_enumerator(other, queue);
2777 while (enumerator->enumerate(enumerator, &task))
2778 {
2779 if (task->get_type(task) == TASK_CHILD_CREATE ||
2780 task->get_type(task) == TASK_QUICK_MODE)
2781 {
2782 other->remove_task(other, enumerator);
2783 task->migrate(task, &this->public);
2784 queue_task(this, task);
2785 }
2786 }
2787 enumerator->destroy(enumerator);
2788 }
2789
2790 METHOD(ike_sa_t, adopt_child_tasks, void,
2791 private_ike_sa_t *this, ike_sa_t *other)
2792 {
2793 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
2794 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
2795 }
2796
2797 METHOD(ike_sa_t, inherit_pre, void,
2798 private_ike_sa_t *this, ike_sa_t *other_public)
2799 {
2800 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2801
2802 /* apply config and hosts */
2803 set_peer_cfg(this, other->peer_cfg);
2804 set_my_host(this, other->my_host->clone(other->my_host));
2805 set_other_host(this, other->other_host->clone(other->other_host));
2806
2807 /* apply extensions and conditions with a few exceptions */
2808 this->extensions = other->extensions;
2809 this->conditions = other->conditions;
2810 this->conditions &= ~COND_STALE;
2811 this->conditions &= ~COND_REAUTHENTICATING;
2812 }
2813
2814 METHOD(ike_sa_t, inherit_post, void,
2815 private_ike_sa_t *this, ike_sa_t *other_public)
2816 {
2817 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2818 child_sa_t *child_sa;
2819 enumerator_t *enumerator;
2820 attribute_entry_t entry;
2821 auth_cfg_t *cfg;
2822 host_t *vip;
2823
2824 /* apply hosts and ids */
2825 this->my_host->destroy(this->my_host);
2826 this->other_host->destroy(this->other_host);
2827 this->my_id->destroy(this->my_id);
2828 this->other_id->destroy(this->other_id);
2829 this->my_host = other->my_host->clone(other->my_host);
2830 this->other_host = other->other_host->clone(other->other_host);
2831 this->my_id = other->my_id->clone(other->my_id);
2832 this->other_id = other->other_id->clone(other->other_id);
2833 this->if_id_in = other->if_id_in;
2834 this->if_id_out = other->if_id_out;
2835
2836 /* apply assigned virtual IPs... */
2837 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2838 {
2839 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2840 }
2841 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2842 {
2843 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2844 }
2845
2846 /* MOBIKE additional addresses */
2847 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2848 {
2849 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2850 }
2851
2852 /* authentication information */
2853 enumerator = array_create_enumerator(other->my_auths);
2854 while (enumerator->enumerate(enumerator, &cfg))
2855 {
2856 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2857 }
2858 enumerator->destroy(enumerator);
2859 enumerator = array_create_enumerator(other->other_auths);
2860 while (enumerator->enumerate(enumerator, &cfg))
2861 {
2862 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2863 }
2864 enumerator->destroy(enumerator);
2865
2866 /* ... and configuration attributes */
2867 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2868 {
2869 array_insert(this->attributes, ARRAY_TAIL, &entry);
2870 }
2871
2872 /* inherit all conditions */
2873 this->conditions = other->conditions;
2874 if (this->conditions & COND_NAT_HERE)
2875 {
2876 send_keepalive(this, FALSE);
2877 }
2878
2879 #ifdef ME
2880 if (other->is_mediation_server)
2881 {
2882 act_as_mediation_server(this);
2883 }
2884 else if (other->server_reflexive_host)
2885 {
2886 this->server_reflexive_host = other->server_reflexive_host->clone(
2887 other->server_reflexive_host);
2888 }
2889 #endif /* ME */
2890
2891 /* adopt all children */
2892 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2893 {
2894 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2895 add_child_sa(this, child_sa);
2896 }
2897
2898 /* move pending tasks to the new IKE_SA */
2899 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2900
2901 /* reauthentication timeout survives a rekeying */
2902 if (other->stats[STAT_REAUTH])
2903 {
2904 time_t reauth, delete, now = time_monotonic(NULL);
2905
2906 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2907 reauth = this->stats[STAT_REAUTH] - now;
2908 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2909 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2910 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2911 "lifetime reduced to %ds", reauth, delete);
2912 lib->scheduler->schedule_job(lib->scheduler,
2913 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2914 lib->scheduler->schedule_job(lib->scheduler,
2915 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2916 }
2917 }
2918
2919 METHOD(ike_sa_t, destroy, void,
2920 private_ike_sa_t *this)
2921 {
2922 attribute_entry_t entry;
2923 child_sa_t *child_sa;
2924 host_t *vip;
2925
2926 charon->bus->set_sa(charon->bus, &this->public);
2927
2928 set_state(this, IKE_DESTROYING);
2929 if (this->task_manager)
2930 {
2931 this->task_manager->flush(this->task_manager);
2932 }
2933
2934 /* remove attributes first, as we pass the IKE_SA to the handler */
2935 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2936 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2937 {
2938 if (entry.handler)
2939 {
2940 charon->attributes->release(charon->attributes, entry.handler,
2941 &this->public, entry.type, entry.data);
2942 }
2943 free(entry.data.ptr);
2944 }
2945 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2946 * routes that the CHILD_SA tries to uninstall. */
2947 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2948 {
2949 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2950 child_sa->destroy(child_sa);
2951 }
2952 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2953 {
2954 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2955 vip->destroy(vip);
2956 }
2957 if (array_count(this->other_vips))
2958 {
2959 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2960 }
2961 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2962 {
2963 if (this->peer_cfg)
2964 {
2965 linked_list_t *pools;
2966
2967 pools = linked_list_create_from_enumerator(
2968 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2969 charon->attributes->release_address(charon->attributes,
2970 pools, vip, &this->public);
2971 pools->destroy(pools);
2972 }
2973 vip->destroy(vip);
2974 }
2975
2976 /* unset SA after here to avoid usage by the listeners */
2977 charon->bus->set_sa(charon->bus, NULL);
2978
2979 array_destroy(this->child_sas);
2980 DESTROY_IF(this->task_manager);
2981 DESTROY_IF(this->keymat);
2982 array_destroy(this->attributes);
2983 array_destroy(this->my_vips);
2984 array_destroy(this->other_vips);
2985 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2986 #ifdef ME
2987 if (this->is_mediation_server)
2988 {
2989 charon->mediation_manager->remove(charon->mediation_manager,
2990 this->ike_sa_id);
2991 }
2992 DESTROY_IF(this->server_reflexive_host);
2993 chunk_free(&this->connect_id);
2994 #endif /* ME */
2995 free(this->nat_detection_dest.ptr);
2996
2997 DESTROY_IF(this->my_host);
2998 DESTROY_IF(this->other_host);
2999 DESTROY_IF(this->my_id);
3000 DESTROY_IF(this->other_id);
3001 DESTROY_IF(this->local_host);
3002 DESTROY_IF(this->remote_host);
3003 DESTROY_IF(this->redirected_from);
3004 array_destroy(this->redirected_at);
3005
3006 DESTROY_IF(this->ike_cfg);
3007 DESTROY_IF(this->peer_cfg);
3008 DESTROY_IF(this->proposal);
3009 this->my_auth->destroy(this->my_auth);
3010 this->other_auth->destroy(this->other_auth);
3011 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
3012 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
3013
3014 this->ike_sa_id->destroy(this->ike_sa_id);
3015 free(this);
3016 }
3017
3018 /*
3019 * Described in header.
3020 */
3021 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
3022 ike_version_t version)
3023 {
3024 private_ike_sa_t *this;
3025 static refcount_t unique_id = 0;
3026
3027 if (version == IKE_ANY)
3028 { /* prefer IKEv2 if protocol not specified */
3029 #ifdef USE_IKEV2
3030 version = IKEV2;
3031 #else
3032 version = IKEV1;
3033 #endif
3034 }
3035
3036 INIT(this,
3037 .public = {
3038 .get_version = _get_version,
3039 .get_state = _get_state,
3040 .set_state = _set_state,
3041 .get_name = _get_name,
3042 .get_statistic = _get_statistic,
3043 .set_statistic = _set_statistic,
3044 .process_message = _process_message,
3045 .initiate = _initiate,
3046 .retry_initiate = _retry_initiate,
3047 .get_ike_cfg = _get_ike_cfg,
3048 .set_ike_cfg = _set_ike_cfg,
3049 .get_peer_cfg = _get_peer_cfg,
3050 .set_peer_cfg = _set_peer_cfg,
3051 .get_auth_cfg = _get_auth_cfg,
3052 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
3053 .verify_peer_certificate = _verify_peer_certificate,
3054 .add_auth_cfg = _add_auth_cfg,
3055 .get_proposal = _get_proposal,
3056 .set_proposal = _set_proposal,
3057 .get_id = _get_id,
3058 .get_my_host = _get_my_host,
3059 .set_my_host = _set_my_host,
3060 .get_other_host = _get_other_host,
3061 .set_other_host = _set_other_host,
3062 .set_message_id = _set_message_id,
3063 .get_message_id = _get_message_id,
3064 .float_ports = _float_ports,
3065 .update_hosts = _update_hosts,
3066 .get_my_id = _get_my_id,
3067 .set_my_id = _set_my_id,
3068 .get_other_id = _get_other_id,
3069 .set_other_id = _set_other_id,
3070 .get_other_eap_id = _get_other_eap_id,
3071 .enable_extension = _enable_extension,
3072 .supports_extension = _supports_extension,
3073 .set_condition = _set_condition,
3074 .has_condition = _has_condition,
3075 .create_peer_address_enumerator = _create_peer_address_enumerator,
3076 .add_peer_address = _add_peer_address,
3077 .clear_peer_addresses = _clear_peer_addresses,
3078 .has_mapping_changed = _has_mapping_changed,
3079 .retransmit = _retransmit,
3080 .delete = _delete_,
3081 .destroy = _destroy,
3082 .send_dpd = _send_dpd,
3083 .send_keepalive = _send_keepalive,
3084 .redirect = _redirect,
3085 .handle_redirect = _handle_redirect,
3086 .get_redirected_from = _get_redirected_from,
3087 .get_keymat = _get_keymat,
3088 .add_child_sa = _add_child_sa,
3089 .get_child_sa = _get_child_sa,
3090 .get_child_count = _get_child_count,
3091 .create_child_sa_enumerator = _create_child_sa_enumerator,
3092 .remove_child_sa = _remove_child_sa,
3093 .rekey_child_sa = _rekey_child_sa,
3094 .delete_child_sa = _delete_child_sa,
3095 .destroy_child_sa = _destroy_child_sa,
3096 .rekey = _rekey,
3097 .reauth = _reauth,
3098 .reestablish = _reestablish,
3099 .set_auth_lifetime = _set_auth_lifetime,
3100 .roam = _roam,
3101 .inherit_pre = _inherit_pre,
3102 .inherit_post = _inherit_post,
3103 .generate_message = _generate_message,
3104 .generate_message_fragmented = _generate_message_fragmented,
3105 .reset = _reset,
3106 .get_unique_id = _get_unique_id,
3107 .add_virtual_ip = _add_virtual_ip,
3108 .clear_virtual_ips = _clear_virtual_ips,
3109 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
3110 .add_configuration_attribute = _add_configuration_attribute,
3111 .create_attribute_enumerator = _create_attribute_enumerator,
3112 .get_if_id = _get_if_id,
3113 .set_kmaddress = _set_kmaddress,
3114 .create_task_enumerator = _create_task_enumerator,
3115 .remove_task = _remove_task,
3116 .flush_queue = _flush_queue,
3117 .queue_task = _queue_task,
3118 .queue_task_delayed = _queue_task_delayed,
3119 .adopt_child_tasks = _adopt_child_tasks,
3120 #ifdef ME
3121 .act_as_mediation_server = _act_as_mediation_server,
3122 .get_server_reflexive_host = _get_server_reflexive_host,
3123 .set_server_reflexive_host = _set_server_reflexive_host,
3124 .get_connect_id = _get_connect_id,
3125 .initiate_mediation = _initiate_mediation,
3126 .initiate_mediated = _initiate_mediated,
3127 .relay = _relay,
3128 .callback = _callback,
3129 .respond = _respond,
3130 #endif /* ME */
3131 },
3132 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
3133 .version = version,
3134 .my_host = host_create_any(AF_INET),
3135 .other_host = host_create_any(AF_INET),
3136 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3137 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3138 .keymat = keymat_create(version, initiator),
3139 .state = IKE_CREATED,
3140 .stats[STAT_INBOUND] = time_monotonic(NULL),
3141 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
3142 .my_auth = auth_cfg_create(),
3143 .other_auth = auth_cfg_create(),
3144 .my_auths = array_create(0, 0),
3145 .other_auths = array_create(0, 0),
3146 .attributes = array_create(sizeof(attribute_entry_t), 0),
3147 .unique_id = ref_get(&unique_id),
3148 .keepalive_interval = lib->settings->get_time(lib->settings,
3149 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
3150 .retry_initiate_interval = lib->settings->get_time(lib->settings,
3151 "%s.retry_initiate_interval", 0, lib->ns),
3152 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
3153 "%s.flush_auth_cfg", FALSE, lib->ns),
3154 .fragment_size = lib->settings->get_int(lib->settings,
3155 "%s.fragment_size", 1280, lib->ns),
3156 .follow_redirects = lib->settings->get_bool(lib->settings,
3157 "%s.follow_redirects", TRUE, lib->ns),
3158 );
3159
3160 if (version == IKEV2)
3161 { /* always supported with IKEv2 */
3162 enable_extension(this, EXT_DPD);
3163 }
3164
3165 this->task_manager = task_manager_create(&this->public);
3166 this->my_host->set_port(this->my_host,
3167 charon->socket->get_port(charon->socket, FALSE));
3168
3169 if (!this->task_manager || !this->keymat)
3170 {
3171 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
3172 destroy(this);
3173 return NULL;
3174 }
3175 return &this->public;
3176 }