ikev1: Delete Quick Mode SAs before the ISAKMP SA
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2016 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/aggressive_mode.h>
24 #include <sa/ikev1/tasks/quick_mode.h>
25 #include <sa/ikev1/tasks/quick_delete.h>
26 #include <sa/ikev1/tasks/xauth.h>
27 #include <sa/ikev1/tasks/mode_config.h>
28 #include <sa/ikev1/tasks/informational.h>
29 #include <sa/ikev1/tasks/isakmp_natd.h>
30 #include <sa/ikev1/tasks/isakmp_vendor.h>
31 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
32 #include <sa/ikev1/tasks/isakmp_cert_post.h>
33 #include <sa/ikev1/tasks/isakmp_delete.h>
34 #include <sa/ikev1/tasks/isakmp_dpd.h>
35
36 #include <processing/jobs/retransmit_job.h>
37 #include <processing/jobs/delete_ike_sa_job.h>
38 #include <processing/jobs/dpd_timeout_job.h>
39 #include <processing/jobs/process_message_job.h>
40
41 #include <collections/array.h>
42
43 /**
44 * Number of old messages hashes we keep for retransmission.
45 *
46 * In Main Mode, we must ignore messages from a previous message pair if
47 * we already continued to the next. Otherwise a late retransmission
48 * could be considered as a reply to the newer request.
49 */
50 #define MAX_OLD_HASHES 2
51
52 /**
53 * First sequence number of responding packets.
54 *
55 * To distinguish retransmission jobs for initiating and responding packets,
56 * we split up the sequence counter and use the upper half for responding.
57 */
58 #define RESPONDING_SEQ INT_MAX
59
60 typedef struct exchange_t exchange_t;
61
62 /**
63 * An exchange in the air, used do detect and handle retransmission
64 */
65 struct exchange_t {
66
67 /**
68 * Message ID used for this transaction
69 */
70 uint32_t mid;
71
72 /**
73 * generated packet for retransmission
74 */
75 packet_t *packet;
76 };
77
78 typedef struct private_task_manager_t private_task_manager_t;
79
80 /**
81 * private data of the task manager
82 */
83 struct private_task_manager_t {
84
85 /**
86 * public functions
87 */
88 task_manager_v1_t public;
89
90 /**
91 * associated IKE_SA we are serving
92 */
93 ike_sa_t *ike_sa;
94
95 /**
96 * RNG to create message IDs
97 */
98 rng_t *rng;
99
100 /**
101 * Exchange we are currently handling as responder
102 */
103 struct {
104 /**
105 * Message ID of the last response
106 */
107 uint32_t mid;
108
109 /**
110 * Hash of a previously received message
111 */
112 uint32_t hash;
113
114 /**
115 * packet(s) for retransmission
116 */
117 array_t *packets;
118
119 /**
120 * Sequence number of the last sent message
121 */
122 uint32_t seqnr;
123
124 /**
125 * how many times we have retransmitted so far
126 */
127 u_int retransmitted;
128
129 } responding;
130
131 /**
132 * Exchange we are currently handling as initiator
133 */
134 struct {
135 /**
136 * Message ID of the exchange
137 */
138 uint32_t mid;
139
140 /**
141 * Hashes of old responses we can ignore
142 */
143 uint32_t old_hashes[MAX_OLD_HASHES];
144
145 /**
146 * Position in old hash array
147 */
148 int old_hash_pos;
149
150 /**
151 * Sequence number of the last sent message
152 */
153 uint32_t seqnr;
154
155 /**
156 * how many times we have retransmitted so far
157 */
158 u_int retransmitted;
159
160 /**
161 * packet(s) for retransmission
162 */
163 array_t *packets;
164
165 /**
166 * type of the initiated exchange
167 */
168 exchange_type_t type;
169
170 } initiating;
171
172 /**
173 * Message we are currently defragmenting, if any (only one at a time)
174 */
175 message_t *defrag;
176
177 /**
178 * List of queued tasks not yet in action
179 */
180 linked_list_t *queued_tasks;
181
182 /**
183 * List of active tasks, initiated by ourselves
184 */
185 linked_list_t *active_tasks;
186
187 /**
188 * List of tasks initiated by peer
189 */
190 linked_list_t *passive_tasks;
191
192 /**
193 * Queued messages not yet ready to process
194 */
195 message_t *queued;
196
197 /**
198 * Number of times we retransmit messages before giving up
199 */
200 u_int retransmit_tries;
201
202 /**
203 * Retransmission timeout
204 */
205 double retransmit_timeout;
206
207 /**
208 * Base to calculate retransmission timeout
209 */
210 double retransmit_base;
211
212 /**
213 * Sequence number for sending DPD requests
214 */
215 uint32_t dpd_send;
216
217 /**
218 * Sequence number for received DPD requests
219 */
220 uint32_t dpd_recv;
221 };
222
223 /**
224 * Reset retransmission packet list
225 */
226 static void clear_packets(array_t *array)
227 {
228 packet_t *packet;
229
230 while (array_remove(array, ARRAY_TAIL, &packet))
231 {
232 packet->destroy(packet);
233 }
234 }
235
236 METHOD(task_manager_t, flush_queue, void,
237 private_task_manager_t *this, task_queue_t queue)
238 {
239 linked_list_t *list;
240 task_t *task;
241
242 if (this->queued)
243 {
244 this->queued->destroy(this->queued);
245 this->queued = NULL;
246 }
247 switch (queue)
248 {
249 case TASK_QUEUE_ACTIVE:
250 list = this->active_tasks;
251 /* cancel pending retransmits */
252 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
253 clear_packets(this->initiating.packets);
254 break;
255 case TASK_QUEUE_PASSIVE:
256 list = this->passive_tasks;
257 break;
258 case TASK_QUEUE_QUEUED:
259 list = this->queued_tasks;
260 break;
261 default:
262 return;
263 }
264 while (list->remove_last(list, (void**)&task) == SUCCESS)
265 {
266 task->destroy(task);
267 }
268 }
269
270 METHOD(task_manager_t, flush, void,
271 private_task_manager_t *this)
272 {
273 flush_queue(this, TASK_QUEUE_QUEUED);
274 flush_queue(this, TASK_QUEUE_PASSIVE);
275 flush_queue(this, TASK_QUEUE_ACTIVE);
276 }
277
278 /**
279 * move a task of a specific type from the queue to the active list
280 */
281 static bool activate_task(private_task_manager_t *this, task_type_t type)
282 {
283 enumerator_t *enumerator;
284 task_t *task;
285 bool found = FALSE;
286
287 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
288 while (enumerator->enumerate(enumerator, (void**)&task))
289 {
290 if (task->get_type(task) == type)
291 {
292 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
293 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
294 this->active_tasks->insert_last(this->active_tasks, task);
295 found = TRUE;
296 break;
297 }
298 }
299 enumerator->destroy(enumerator);
300 return found;
301 }
302
303 /**
304 * Send packets in the given array (they get cloned)
305 */
306 static void send_packets(private_task_manager_t *this, array_t *packets)
307 {
308 enumerator_t *enumerator;
309 packet_t *packet;
310
311 enumerator = array_create_enumerator(packets);
312 while (enumerator->enumerate(enumerator, &packet))
313 {
314 charon->sender->send(charon->sender, packet->clone(packet));
315 }
316 enumerator->destroy(enumerator);
317 }
318
319 /**
320 * Generates the given message and stores packet(s) in the given array
321 */
322 static bool generate_message(private_task_manager_t *this, message_t *message,
323 array_t **packets)
324 {
325 enumerator_t *fragments;
326 packet_t *fragment;
327
328 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
329 &fragments) != SUCCESS)
330 {
331 return FALSE;
332 }
333 while (fragments->enumerate(fragments, &fragment))
334 {
335 array_insert_create(packets, ARRAY_TAIL, fragment);
336 }
337 fragments->destroy(fragments);
338 return TRUE;
339 }
340
341 /**
342 * Retransmit a packet (or its fragments)
343 */
344 static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr,
345 u_int mid, u_int retransmitted, array_t *packets)
346 {
347 packet_t *packet;
348 uint32_t t;
349
350 array_get(packets, 0, &packet);
351 if (retransmitted > this->retransmit_tries)
352 {
353 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
354 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
355 return DESTROY_ME;
356 }
357 t = (uint32_t)(this->retransmit_timeout * 1000.0 *
358 pow(this->retransmit_base, retransmitted));
359 if (retransmitted)
360 {
361 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
362 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
363 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
364 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
365 retransmitted);
366 }
367 send_packets(this, packets);
368 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
369 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
370 return NEED_MORE;
371 }
372
373 METHOD(task_manager_t, retransmit, status_t,
374 private_task_manager_t *this, uint32_t seqnr)
375 {
376 status_t status = SUCCESS;
377
378 if (seqnr == this->initiating.seqnr &&
379 array_count(this->initiating.packets))
380 {
381 status = retransmit_packet(this, seqnr, this->initiating.mid,
382 this->initiating.retransmitted, this->initiating.packets);
383 if (status == NEED_MORE)
384 {
385 this->initiating.retransmitted++;
386 status = SUCCESS;
387 }
388 }
389 if (seqnr == this->responding.seqnr &&
390 array_count(this->responding.packets))
391 {
392 status = retransmit_packet(this, seqnr, this->responding.mid,
393 this->responding.retransmitted, this->responding.packets);
394 if (status == NEED_MORE)
395 {
396 this->responding.retransmitted++;
397 status = SUCCESS;
398 }
399 }
400 return status;
401 }
402
403 /**
404 * Check if we have to wait for a mode config before starting a quick mode
405 */
406 static bool mode_config_expected(private_task_manager_t *this)
407 {
408 enumerator_t *enumerator;
409 peer_cfg_t *peer_cfg;
410 char *pool;
411 bool local;
412 host_t *host;
413
414 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
415 if (peer_cfg)
416 {
417 if (peer_cfg->use_pull_mode(peer_cfg))
418 {
419 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
420 if (!enumerator->enumerate(enumerator, &pool))
421 { /* no pool configured */
422 enumerator->destroy(enumerator);
423 return FALSE;
424 }
425 enumerator->destroy(enumerator);
426
427 local = FALSE;
428 }
429 else
430 {
431 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
432 if (!enumerator->enumerate(enumerator, &host))
433 { /* not requesting a vip */
434 enumerator->destroy(enumerator);
435 return FALSE;
436 }
437 enumerator->destroy(enumerator);
438
439 local = TRUE;
440 }
441 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
442 local);
443 if (!enumerator->enumerate(enumerator, &host))
444 { /* expecting a VIP exchange, but no VIP assigned yet */
445 enumerator->destroy(enumerator);
446 return TRUE;
447 }
448 enumerator->destroy(enumerator);
449 }
450 return FALSE;
451 }
452
453 METHOD(task_manager_t, initiate, status_t,
454 private_task_manager_t *this)
455 {
456 enumerator_t *enumerator;
457 task_t *task;
458 message_t *message;
459 host_t *me, *other;
460 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
461 bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
462
463 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
464 this->initiating.type != INFORMATIONAL_V1)
465 {
466 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
467 exchange_type_names, this->initiating.type);
468 /* do not initiate if we already have a message in the air */
469 return SUCCESS;
470 }
471
472 if (this->active_tasks->get_count(this->active_tasks) == 0)
473 {
474 DBG2(DBG_IKE, "activating new tasks");
475 switch (this->ike_sa->get_state(this->ike_sa))
476 {
477 case IKE_CREATED:
478 activate_task(this, TASK_ISAKMP_VENDOR);
479 activate_task(this, TASK_ISAKMP_CERT_PRE);
480 if (activate_task(this, TASK_MAIN_MODE))
481 {
482 exchange = ID_PROT;
483 }
484 else if (activate_task(this, TASK_AGGRESSIVE_MODE))
485 {
486 exchange = AGGRESSIVE;
487 }
488 activate_task(this, TASK_ISAKMP_CERT_POST);
489 activate_task(this, TASK_ISAKMP_NATD);
490 break;
491 case IKE_CONNECTING:
492 if (activate_task(this, TASK_ISAKMP_DELETE))
493 {
494 exchange = INFORMATIONAL_V1;
495 new_mid = TRUE;
496 break;
497 }
498 if (activate_task(this, TASK_XAUTH))
499 {
500 exchange = TRANSACTION;
501 new_mid = TRUE;
502 break;
503 }
504 if (activate_task(this, TASK_INFORMATIONAL))
505 {
506 exchange = INFORMATIONAL_V1;
507 new_mid = TRUE;
508 break;
509 }
510 break;
511 case IKE_ESTABLISHED:
512 if (activate_task(this, TASK_MODE_CONFIG))
513 {
514 exchange = TRANSACTION;
515 new_mid = TRUE;
516 break;
517 }
518 if (activate_task(this, TASK_QUICK_DELETE))
519 {
520 exchange = INFORMATIONAL_V1;
521 new_mid = TRUE;
522 break;
523 }
524 if (activate_task(this, TASK_ISAKMP_DELETE))
525 {
526 exchange = INFORMATIONAL_V1;
527 new_mid = TRUE;
528 break;
529 }
530 if (!mode_config_expected(this) &&
531 activate_task(this, TASK_QUICK_MODE))
532 {
533 exchange = QUICK_MODE;
534 new_mid = TRUE;
535 break;
536 }
537 if (activate_task(this, TASK_INFORMATIONAL))
538 {
539 exchange = INFORMATIONAL_V1;
540 new_mid = TRUE;
541 break;
542 }
543 if (activate_task(this, TASK_ISAKMP_DPD))
544 {
545 exchange = INFORMATIONAL_V1;
546 new_mid = TRUE;
547 break;
548 }
549 break;
550 default:
551 break;
552 }
553 }
554 else
555 {
556 DBG2(DBG_IKE, "reinitiating already active tasks");
557 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
558 while (enumerator->enumerate(enumerator, (void**)&task))
559 {
560 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
561 switch (task->get_type(task))
562 {
563 case TASK_MAIN_MODE:
564 exchange = ID_PROT;
565 break;
566 case TASK_AGGRESSIVE_MODE:
567 exchange = AGGRESSIVE;
568 break;
569 case TASK_QUICK_MODE:
570 exchange = QUICK_MODE;
571 break;
572 case TASK_XAUTH:
573 exchange = TRANSACTION;
574 new_mid = TRUE;
575 break;
576 default:
577 continue;
578 }
579 break;
580 }
581 enumerator->destroy(enumerator);
582 }
583
584 if (exchange == EXCHANGE_TYPE_UNDEFINED)
585 {
586 DBG2(DBG_IKE, "nothing to initiate");
587 /* nothing to do yet... */
588 return SUCCESS;
589 }
590
591 me = this->ike_sa->get_my_host(this->ike_sa);
592 other = this->ike_sa->get_other_host(this->ike_sa);
593
594 if (new_mid)
595 {
596 if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
597 (void*)&this->initiating.mid))
598 {
599 DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
600 flush(this);
601 return DESTROY_ME;
602 }
603 }
604 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
605 message->set_message_id(message, this->initiating.mid);
606 message->set_source(message, me->clone(me));
607 message->set_destination(message, other->clone(other));
608 message->set_exchange_type(message, exchange);
609 this->initiating.type = exchange;
610 this->initiating.retransmitted = 0;
611
612 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
613 while (enumerator->enumerate(enumerator, (void*)&task))
614 {
615 switch (task->build(task, message))
616 {
617 case SUCCESS:
618 /* task completed, remove it */
619 this->active_tasks->remove_at(this->active_tasks, enumerator);
620 if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
621 task->get_type(task) == TASK_QUICK_MODE)
622 { /* last message of three message exchange */
623 keep = TRUE;
624 }
625 task->destroy(task);
626 continue;
627 case NEED_MORE:
628 expect_response = TRUE;
629 /* processed, but task needs another exchange */
630 continue;
631 case ALREADY_DONE:
632 cancelled = TRUE;
633 break;
634 case FAILED:
635 default:
636 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
637 {
638 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
639 }
640 /* FALL */
641 case DESTROY_ME:
642 /* critical failure, destroy IKE_SA */
643 enumerator->destroy(enumerator);
644 message->destroy(message);
645 flush(this);
646 return DESTROY_ME;
647 }
648 break;
649 }
650 enumerator->destroy(enumerator);
651
652 if (this->active_tasks->get_count(this->active_tasks) == 0 &&
653 (exchange == QUICK_MODE || exchange == AGGRESSIVE))
654 { /* tasks completed, no exchange active anymore */
655 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
656 }
657 if (cancelled)
658 {
659 message->destroy(message);
660 return initiate(this);
661 }
662
663 clear_packets(this->initiating.packets);
664 if (!generate_message(this, message, &this->initiating.packets))
665 {
666 /* message generation failed. There is nothing more to do than to
667 * close the SA */
668 message->destroy(message);
669 flush(this);
670 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
671 return DESTROY_ME;
672 }
673
674 this->initiating.seqnr++;
675 if (expect_response)
676 {
677 message->destroy(message);
678 return retransmit(this, this->initiating.seqnr);
679 }
680 if (keep)
681 { /* keep the packet for retransmission, the responder might request it */
682 send_packets(this, this->initiating.packets);
683 }
684 else
685 {
686 send_packets(this, this->initiating.packets);
687 clear_packets(this->initiating.packets);
688 }
689 message->destroy(message);
690
691 if (exchange == INFORMATIONAL_V1)
692 {
693 switch (this->ike_sa->get_state(this->ike_sa))
694 {
695 case IKE_CONNECTING:
696 /* close after sending an INFORMATIONAL when unestablished */
697 return FAILED;
698 case IKE_DELETING:
699 /* close after sending a DELETE */
700 return DESTROY_ME;
701 default:
702 break;
703 }
704 }
705 return initiate(this);
706 }
707
708 /**
709 * build a response depending on the "passive" task list
710 */
711 static status_t build_response(private_task_manager_t *this, message_t *request)
712 {
713 enumerator_t *enumerator;
714 task_t *task;
715 message_t *message;
716 host_t *me, *other;
717 bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
718
719 me = request->get_destination(request);
720 other = request->get_source(request);
721
722 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
723 message->set_exchange_type(message, request->get_exchange_type(request));
724 /* send response along the path the request came in */
725 message->set_source(message, me->clone(me));
726 message->set_destination(message, other->clone(other));
727 message->set_message_id(message, request->get_message_id(request));
728 message->set_request(message, FALSE);
729
730 this->responding.mid = request->get_message_id(request);
731 this->responding.retransmitted = 0;
732 this->responding.seqnr++;
733
734 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
735 while (enumerator->enumerate(enumerator, (void*)&task))
736 {
737 switch (task->build(task, message))
738 {
739 case SUCCESS:
740 /* task completed, remove it */
741 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
742 task->destroy(task);
743 continue;
744 case NEED_MORE:
745 /* processed, but task needs another exchange */
746 if (task->get_type(task) == TASK_QUICK_MODE ||
747 task->get_type(task) == TASK_AGGRESSIVE_MODE)
748 { /* we rely on initiator retransmission, except for
749 * three-message exchanges */
750 expect_request = TRUE;
751 }
752 continue;
753 case ALREADY_DONE:
754 cancelled = TRUE;
755 break;
756 case INVALID_ARG:
757 if (task->get_type(task) == TASK_QUICK_MODE)
758 { /* not responsible for this exchange */
759 continue;
760 }
761 /* FALL */
762 case FAILED:
763 default:
764 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
765 /* FALL */
766 case DESTROY_ME:
767 /* destroy IKE_SA, but SEND response first */
768 delete = TRUE;
769 break;
770 }
771 break;
772 }
773 enumerator->destroy(enumerator);
774
775 clear_packets(this->responding.packets);
776 if (cancelled)
777 {
778 message->destroy(message);
779 return initiate(this);
780 }
781 if (!generate_message(this, message, &this->responding.packets))
782 {
783 message->destroy(message);
784 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
785 return DESTROY_ME;
786 }
787 message->destroy(message);
788
789 if (expect_request && !delete)
790 {
791 return retransmit(this, this->responding.seqnr);
792 }
793 send_packets(this, this->responding.packets);
794 if (delete)
795 {
796 return DESTROY_ME;
797 }
798 return SUCCESS;
799 }
800
801 /**
802 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
803 * The notify protocol_id is set to ISAKMP
804 */
805 static void send_notify(private_task_manager_t *this, message_t *request,
806 notify_type_t type)
807 {
808 message_t *response;
809 array_t *packets = NULL;
810 host_t *me, *other;
811 uint32_t mid;
812
813 if (request->get_exchange_type(request) == INFORMATIONAL_V1)
814 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
815 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
816 return;
817 }
818 if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
819 {
820 DBG1(DBG_IKE, "failed to allocate message ID");
821 return;
822 }
823 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
824 response->set_exchange_type(response, INFORMATIONAL_V1);
825 response->set_request(response, TRUE);
826 response->set_message_id(response, mid);
827 response->add_payload(response, (payload_t*)
828 notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
829 PROTO_IKE, type));
830
831 me = this->ike_sa->get_my_host(this->ike_sa);
832 if (me->is_anyaddr(me))
833 {
834 me = request->get_destination(request);
835 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
836 }
837 other = this->ike_sa->get_other_host(this->ike_sa);
838 if (other->is_anyaddr(other))
839 {
840 other = request->get_source(request);
841 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
842 }
843 response->set_source(response, me->clone(me));
844 response->set_destination(response, other->clone(other));
845 if (generate_message(this, response, &packets))
846 {
847 send_packets(this, packets);
848 }
849 clear_packets(packets);
850 array_destroy(packets);
851 response->destroy(response);
852 }
853
854 /**
855 * Process a DPD request/response
856 */
857 static bool process_dpd(private_task_manager_t *this, message_t *message)
858 {
859 notify_payload_t *notify;
860 notify_type_t type;
861 uint32_t seq;
862 chunk_t data;
863
864 type = DPD_R_U_THERE;
865 notify = message->get_notify(message, type);
866 if (!notify)
867 {
868 type = DPD_R_U_THERE_ACK;
869 notify = message->get_notify(message, type);
870 }
871 if (!notify)
872 {
873 return FALSE;
874 }
875 data = notify->get_notification_data(notify);
876 if (data.len != 4)
877 {
878 return FALSE;
879 }
880 seq = untoh32(data.ptr);
881
882 if (type == DPD_R_U_THERE)
883 {
884 if (this->dpd_recv == 0 || seq == this->dpd_recv)
885 { /* check sequence validity */
886 this->dpd_recv = seq + 1;
887 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
888 time_monotonic(NULL));
889 }
890 /* but respond anyway */
891 this->ike_sa->queue_task(this->ike_sa,
892 &isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
893 }
894 else /* DPD_R_U_THERE_ACK */
895 {
896 if (seq == this->dpd_send - 1)
897 {
898 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
899 time_monotonic(NULL));
900 }
901 else
902 {
903 DBG1(DBG_IKE, "received invalid DPD sequence number %u "
904 "(expected %u), ignored", seq, this->dpd_send - 1);
905 }
906 }
907 return TRUE;
908 }
909
910 /**
911 * Check if we already have a quick mode task queued for the exchange with the
912 * given message ID
913 */
914 static bool have_quick_mode_task(private_task_manager_t *this, uint32_t mid)
915 {
916 enumerator_t *enumerator;
917 quick_mode_t *qm;
918 task_t *task;
919 bool found = FALSE;
920
921 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
922 while (enumerator->enumerate(enumerator, &task))
923 {
924 if (task->get_type(task) == TASK_QUICK_MODE)
925 {
926 qm = (quick_mode_t*)task;
927 if (qm->get_mid(qm) == mid)
928 {
929 found = TRUE;
930 break;
931 }
932 }
933 }
934 enumerator->destroy(enumerator);
935 return found;
936 }
937
938 /**
939 * Check if we still have a specific task queued
940 */
941 static bool have_task_queued(private_task_manager_t *this, task_type_t type)
942 {
943 enumerator_t *enumerator;
944 task_t *task;
945 bool found = FALSE;
946
947 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
948 while (enumerator->enumerate(enumerator, &task))
949 {
950 if (task->get_type(task) == type)
951 {
952 found = TRUE;
953 break;
954 }
955 }
956 enumerator->destroy(enumerator);
957 return found;
958 }
959
960 /**
961 * handle an incoming request message
962 */
963 static status_t process_request(private_task_manager_t *this,
964 message_t *message)
965 {
966 enumerator_t *enumerator;
967 task_t *task = NULL;
968 bool send_response = FALSE, dpd = FALSE;
969
970 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
971 message->get_exchange_type(message) == QUICK_MODE ||
972 this->passive_tasks->get_count(this->passive_tasks) == 0)
973 { /* create tasks depending on request type, if not already some queued */
974 switch (message->get_exchange_type(message))
975 {
976 case ID_PROT:
977 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
978 this->passive_tasks->insert_last(this->passive_tasks, task);
979 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
980 this->passive_tasks->insert_last(this->passive_tasks, task);
981 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
982 this->passive_tasks->insert_last(this->passive_tasks, task);
983 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
984 this->passive_tasks->insert_last(this->passive_tasks, task);
985 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
986 this->passive_tasks->insert_last(this->passive_tasks, task);
987 break;
988 case AGGRESSIVE:
989 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
990 this->passive_tasks->insert_last(this->passive_tasks, task);
991 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
992 this->passive_tasks->insert_last(this->passive_tasks, task);
993 task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
994 this->passive_tasks->insert_last(this->passive_tasks, task);
995 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
996 this->passive_tasks->insert_last(this->passive_tasks, task);
997 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
998 this->passive_tasks->insert_last(this->passive_tasks, task);
999 break;
1000 case QUICK_MODE:
1001 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1002 {
1003 DBG1(DBG_IKE, "received quick mode request for "
1004 "unestablished IKE_SA, ignored");
1005 return FAILED;
1006 }
1007 if (have_quick_mode_task(this, message->get_message_id(message)))
1008 {
1009 break;
1010 }
1011 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
1012 NULL, NULL);
1013 this->passive_tasks->insert_last(this->passive_tasks, task);
1014 break;
1015 case INFORMATIONAL_V1:
1016 if (process_dpd(this, message))
1017 {
1018 dpd = TRUE;
1019 }
1020 else
1021 {
1022 task = (task_t *)informational_create(this->ike_sa, NULL);
1023 this->passive_tasks->insert_first(this->passive_tasks, task);
1024 }
1025 break;
1026 case TRANSACTION:
1027 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
1028 {
1029 task = (task_t *)mode_config_create(this->ike_sa,
1030 FALSE, TRUE);
1031 }
1032 else
1033 {
1034 task = (task_t *)xauth_create(this->ike_sa, FALSE);
1035 }
1036 this->passive_tasks->insert_last(this->passive_tasks, task);
1037 break;
1038 default:
1039 return FAILED;
1040 }
1041 }
1042 if (dpd)
1043 {
1044 return initiate(this);
1045 }
1046 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
1047
1048 /* let the tasks process the message */
1049 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
1050 while (enumerator->enumerate(enumerator, (void*)&task))
1051 {
1052 switch (task->process(task, message))
1053 {
1054 case SUCCESS:
1055 /* task completed, remove it */
1056 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1057 task->destroy(task);
1058 continue;
1059 case NEED_MORE:
1060 /* processed, but task needs at least another call to build() */
1061 send_response = TRUE;
1062 continue;
1063 case ALREADY_DONE:
1064 send_response = FALSE;
1065 break;
1066 case INVALID_ARG:
1067 if (task->get_type(task) == TASK_QUICK_MODE)
1068 { /* not responsible for this exchange */
1069 continue;
1070 }
1071 /* FALL */
1072 case FAILED:
1073 default:
1074 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1075 /* FALL */
1076 case DESTROY_ME:
1077 /* critical failure, destroy IKE_SA */
1078 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1079 enumerator->destroy(enumerator);
1080 task->destroy(task);
1081 return DESTROY_ME;
1082 }
1083 break;
1084 }
1085 enumerator->destroy(enumerator);
1086
1087 if (send_response)
1088 {
1089 if (build_response(this, message) != SUCCESS)
1090 {
1091 return DESTROY_ME;
1092 }
1093 }
1094 else
1095 { /* We don't send a response, so don't retransmit one if we get
1096 * the same message again. */
1097 clear_packets(this->responding.packets);
1098 }
1099 if (this->queued &&
1100 this->queued->get_exchange_type(this->queued) == INFORMATIONAL_V1)
1101 {
1102 message_t *queued;
1103 status_t status;
1104
1105 queued = this->queued;
1106 this->queued = NULL;
1107 status = this->public.task_manager.process_message(
1108 &this->public.task_manager, queued);
1109 queued->destroy(queued);
1110 if (status == DESTROY_ME)
1111 {
1112 return status;
1113 }
1114 }
1115 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
1116 this->queued_tasks->get_count(this->queued_tasks) > 0)
1117 {
1118 /* passive tasks completed, check if an active task has been queued,
1119 * such as XAUTH or modeconfig push */
1120 return initiate(this);
1121 }
1122 return SUCCESS;
1123 }
1124
1125 /**
1126 * handle an incoming response message
1127 */
1128 static status_t process_response(private_task_manager_t *this,
1129 message_t *message)
1130 {
1131 enumerator_t *enumerator;
1132 message_t *queued;
1133 status_t status;
1134 task_t *task;
1135
1136 if (message->get_exchange_type(message) != this->initiating.type)
1137 {
1138 /* Windows server sends a fourth quick mode message having an initial
1139 * contact notify. Ignore this message for compatibility. */
1140 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
1141 message->get_exchange_type(message) == QUICK_MODE &&
1142 message->get_notify(message, INITIAL_CONTACT))
1143 {
1144 DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
1145 return SUCCESS;
1146 }
1147 DBG1(DBG_IKE, "received %N response, but expected %N",
1148 exchange_type_names, message->get_exchange_type(message),
1149 exchange_type_names, this->initiating.type);
1150 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1151 return DESTROY_ME;
1152 }
1153
1154 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
1155 while (enumerator->enumerate(enumerator, (void*)&task))
1156 {
1157 switch (task->process(task, message))
1158 {
1159 case SUCCESS:
1160 /* task completed, remove it */
1161 this->active_tasks->remove_at(this->active_tasks, enumerator);
1162 task->destroy(task);
1163 continue;
1164 case NEED_MORE:
1165 /* processed, but task needs another exchange */
1166 continue;
1167 case ALREADY_DONE:
1168 break;
1169 case FAILED:
1170 default:
1171 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1172 /* FALL */
1173 case DESTROY_ME:
1174 /* critical failure, destroy IKE_SA */
1175 this->active_tasks->remove_at(this->active_tasks, enumerator);
1176 enumerator->destroy(enumerator);
1177 task->destroy(task);
1178 return DESTROY_ME;
1179 }
1180 break;
1181 }
1182 enumerator->destroy(enumerator);
1183
1184 if (this->initiating.retransmitted)
1185 {
1186 packet_t *packet = NULL;
1187 array_get(this->initiating.packets, 0, &packet);
1188 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
1189 }
1190 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1191 clear_packets(this->initiating.packets);
1192
1193 if (this->queued && !this->active_tasks->get_count(this->active_tasks) &&
1194 this->queued->get_exchange_type(this->queued) == TRANSACTION)
1195 {
1196 queued = this->queued;
1197 this->queued = NULL;
1198 status = this->public.task_manager.process_message(
1199 &this->public.task_manager, queued);
1200 queued->destroy(queued);
1201 if (status == DESTROY_ME)
1202 {
1203 return status;
1204 }
1205 }
1206
1207 return initiate(this);
1208 }
1209
1210 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
1211 {
1212 status_t status;
1213
1214 if (!this->defrag)
1215 {
1216 this->defrag = message_create_defrag(msg);
1217 if (!this->defrag)
1218 {
1219 return FAILED;
1220 }
1221 }
1222 status = this->defrag->add_fragment(this->defrag, msg);
1223 if (status == SUCCESS)
1224 {
1225 lib->processor->queue_job(lib->processor,
1226 (job_t*)process_message_job_create(this->defrag));
1227 this->defrag = NULL;
1228 /* do not process the last fragment */
1229 status = NEED_MORE;
1230 }
1231 return status;
1232 }
1233
1234 /**
1235 * Parse the given message and verify that it is valid.
1236 */
1237 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1238 {
1239 status_t status;
1240
1241 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1242
1243 if (status != SUCCESS)
1244 {
1245 switch (status)
1246 {
1247 case NOT_SUPPORTED:
1248 DBG1(DBG_IKE, "unsupported exchange type");
1249 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
1250 break;
1251 case PARSE_ERROR:
1252 DBG1(DBG_IKE, "message parsing failed");
1253 send_notify(this, msg, PAYLOAD_MALFORMED);
1254 break;
1255 case VERIFY_ERROR:
1256 DBG1(DBG_IKE, "message verification failed");
1257 send_notify(this, msg, PAYLOAD_MALFORMED);
1258 break;
1259 case FAILED:
1260 DBG1(DBG_IKE, "integrity check failed");
1261 send_notify(this, msg, INVALID_HASH_INFORMATION);
1262 break;
1263 case INVALID_STATE:
1264 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1265 send_notify(this, msg, PAYLOAD_MALFORMED);
1266 default:
1267 break;
1268 }
1269 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
1270 exchange_type_names, msg->get_exchange_type(msg),
1271 msg->get_request(msg) ? "request" : "response",
1272 msg->get_message_id(msg));
1273
1274 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1275
1276 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1277 { /* invalid initiation attempt, close SA */
1278 return DESTROY_ME;
1279 }
1280 }
1281
1282 if (msg->get_first_payload_type(msg) == PLV1_FRAGMENT)
1283 {
1284 return handle_fragment(this, msg);
1285 }
1286 return status;
1287 }
1288
1289 /**
1290 * Queue the given message if possible
1291 */
1292 static status_t queue_message(private_task_manager_t *this, message_t *msg)
1293 {
1294 if (this->queued)
1295 {
1296 DBG1(DBG_IKE, "ignoring %N request, queue full",
1297 exchange_type_names, msg->get_exchange_type(msg));
1298 return FAILED;
1299 }
1300 this->queued = message_create_from_packet(msg->get_packet(msg));
1301 if (this->queued->parse_header(this->queued) != SUCCESS)
1302 {
1303 this->queued->destroy(this->queued);
1304 this->queued = NULL;
1305 return FAILED;
1306 }
1307 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1308 exchange_type_names, msg->get_exchange_type(msg));
1309 return SUCCESS;
1310 }
1311
1312 METHOD(task_manager_t, process_message, status_t,
1313 private_task_manager_t *this, message_t *msg)
1314 {
1315 uint32_t hash, mid, i;
1316 host_t *me, *other;
1317 status_t status;
1318
1319 /* TODO-IKEv1: update hosts more selectively */
1320 me = msg->get_destination(msg);
1321 other = msg->get_source(msg);
1322 mid = msg->get_message_id(msg);
1323 hash = chunk_hash(msg->get_packet_data(msg));
1324 for (i = 0; i < MAX_OLD_HASHES; i++)
1325 {
1326 if (this->initiating.old_hashes[i] == hash)
1327 {
1328 if (array_count(this->initiating.packets) &&
1329 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
1330 (msg->get_exchange_type(msg) == QUICK_MODE ||
1331 msg->get_exchange_type(msg) == AGGRESSIVE))
1332 {
1333 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1334 "resending last request", mid);
1335 send_packets(this, this->initiating.packets);
1336 return SUCCESS;
1337 }
1338 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1339 "but next request already sent", mid);
1340 return SUCCESS;
1341 }
1342 }
1343
1344 if ((mid && mid == this->initiating.mid) ||
1345 (this->initiating.mid == 0 &&
1346 msg->get_exchange_type(msg) == this->initiating.type &&
1347 this->active_tasks->get_count(this->active_tasks)))
1348 {
1349 msg->set_request(msg, FALSE);
1350 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1351 status = parse_message(this, msg);
1352 if (status == NEED_MORE)
1353 {
1354 return SUCCESS;
1355 }
1356 if (status != SUCCESS)
1357 {
1358 return status;
1359 }
1360 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1361 time_monotonic(NULL));
1362 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1363 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1364 if (process_response(this, msg) != SUCCESS)
1365 {
1366 flush(this);
1367 return DESTROY_ME;
1368 }
1369 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
1370 MAX_OLD_HASHES] = hash;
1371 }
1372 else
1373 {
1374 if (hash == this->responding.hash)
1375 {
1376 if (array_count(this->responding.packets))
1377 {
1378 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1379 "retransmitting response", mid);
1380 send_packets(this, this->responding.packets);
1381 }
1382 else if (array_count(this->initiating.packets) &&
1383 this->initiating.type == INFORMATIONAL_V1)
1384 {
1385 DBG1(DBG_IKE, "received retransmit of DPD request, "
1386 "retransmitting response");
1387 send_packets(this, this->initiating.packets);
1388 }
1389 else
1390 {
1391 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1392 "but no response to retransmit", mid);
1393 }
1394 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1395 return SUCCESS;
1396 }
1397
1398 /* reject Main/Aggressive Modes once established */
1399 if (msg->get_exchange_type(msg) == ID_PROT ||
1400 msg->get_exchange_type(msg) == AGGRESSIVE)
1401 {
1402 if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
1403 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
1404 msg->get_first_payload_type(msg) != PLV1_FRAGMENT)
1405 {
1406 DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
1407 exchange_type_names, msg->get_exchange_type(msg));
1408 return FAILED;
1409 }
1410 }
1411
1412 /* drop XAuth/Mode Config/Quick Mode messages until we received the last
1413 * Aggressive Mode message. since Informational messages are not
1414 * retransmitted we queue them. */
1415 if (have_task_queued(this, TASK_AGGRESSIVE_MODE))
1416 {
1417 if (msg->get_exchange_type(msg) == INFORMATIONAL_V1)
1418 {
1419 return queue_message(this, msg);
1420 }
1421 else if (msg->get_exchange_type(msg) != AGGRESSIVE)
1422 {
1423 DBG1(DBG_IKE, "ignoring %N request while phase 1 is incomplete",
1424 exchange_type_names, msg->get_exchange_type(msg));
1425 return FAILED;
1426 }
1427 }
1428
1429 /* queue XAuth/Mode Config messages unless the Main Mode exchange we
1430 * initiated is complete */
1431 if (msg->get_exchange_type(msg) == TRANSACTION &&
1432 this->active_tasks->get_count(this->active_tasks))
1433 {
1434 return queue_message(this, msg);
1435 }
1436
1437 /* some peers send INITIAL_CONTACT notifies during XAuth, cache it */
1438 if (have_task_queued(this, TASK_XAUTH) &&
1439 msg->get_exchange_type(msg) == INFORMATIONAL_V1)
1440 {
1441 return queue_message(this, msg);
1442 }
1443
1444 msg->set_request(msg, TRUE);
1445 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1446 status = parse_message(this, msg);
1447 if (status == NEED_MORE)
1448 {
1449 return SUCCESS;
1450 }
1451 if (status != SUCCESS)
1452 {
1453 return status;
1454 }
1455 /* if this IKE_SA is virgin, we check for a config */
1456 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1457 {
1458 ike_sa_id_t *ike_sa_id;
1459 ike_cfg_t *ike_cfg;
1460 job_t *job;
1461
1462 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1463 me, other, IKEV1);
1464 if (ike_cfg == NULL)
1465 {
1466 /* no config found for these hosts, destroy */
1467 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1468 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1469 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1470 return DESTROY_ME;
1471 }
1472 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1473 ike_cfg->destroy(ike_cfg);
1474 /* add a timeout if peer does not establish it completely */
1475 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1476 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1477 lib->scheduler->schedule_job(lib->scheduler, job,
1478 lib->settings->get_int(lib->settings,
1479 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1480 lib->ns));
1481 }
1482 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1483 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1484 if (process_request(this, msg) != SUCCESS)
1485 {
1486 flush(this);
1487 return DESTROY_ME;
1488 }
1489 this->responding.hash = hash;
1490 }
1491 return SUCCESS;
1492 }
1493
1494 /**
1495 * Check if a given task has been queued already
1496 */
1497 static bool has_queued(private_task_manager_t *this, task_type_t type)
1498 {
1499 enumerator_t *enumerator;
1500 bool found = FALSE;
1501 task_t *task;
1502
1503 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1504 while (enumerator->enumerate(enumerator, &task))
1505 {
1506 if (task->get_type(task) == type)
1507 {
1508 found = TRUE;
1509 break;
1510 }
1511 }
1512 enumerator->destroy(enumerator);
1513 return found;
1514 }
1515
1516 METHOD(task_manager_t, queue_task_delayed, void,
1517 private_task_manager_t *this, task_t *task, uint32_t delay)
1518 {
1519 task_type_t type = task->get_type(task);
1520
1521 switch (type)
1522 {
1523 case TASK_MODE_CONFIG:
1524 case TASK_XAUTH:
1525 if (has_queued(this, type))
1526 {
1527 task->destroy(task);
1528 return;
1529 }
1530 break;
1531 default:
1532 break;
1533 }
1534 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1535 this->queued_tasks->insert_last(this->queued_tasks, task);
1536 }
1537
1538 METHOD(task_manager_t, queue_task, void,
1539 private_task_manager_t *this, task_t *task)
1540 {
1541 queue_task_delayed(this, task, 0);
1542 }
1543
1544 METHOD(task_manager_t, queue_ike, void,
1545 private_task_manager_t *this)
1546 {
1547 peer_cfg_t *peer_cfg;
1548
1549 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1550 {
1551 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1552 }
1553 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1554 {
1555 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1556 }
1557 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1558 if (peer_cfg->use_aggressive(peer_cfg))
1559 {
1560 if (!has_queued(this, TASK_AGGRESSIVE_MODE))
1561 {
1562 queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
1563 }
1564 }
1565 else
1566 {
1567 if (!has_queued(this, TASK_MAIN_MODE))
1568 {
1569 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1570 }
1571 }
1572 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1573 {
1574 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1575 }
1576 if (!has_queued(this, TASK_ISAKMP_NATD))
1577 {
1578 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1579 }
1580 }
1581
1582 METHOD(task_manager_t, queue_ike_reauth, void,
1583 private_task_manager_t *this)
1584 {
1585 enumerator_t *enumerator;
1586 child_sa_t *child_sa;
1587 ike_sa_t *new;
1588 host_t *host;
1589
1590 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1591 this->ike_sa->get_version(this->ike_sa), TRUE);
1592 if (!new)
1593 { /* shouldn't happen */
1594 return;
1595 }
1596
1597 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1598 host = this->ike_sa->get_other_host(this->ike_sa);
1599 new->set_other_host(new, host->clone(host));
1600 host = this->ike_sa->get_my_host(this->ike_sa);
1601 new->set_my_host(new, host->clone(host));
1602 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1603 while (enumerator->enumerate(enumerator, &host))
1604 {
1605 new->add_virtual_ip(new, TRUE, host);
1606 }
1607 enumerator->destroy(enumerator);
1608
1609 charon->bus->children_migrate(charon->bus, new->get_id(new),
1610 new->get_unique_id(new));
1611 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1612 while (enumerator->enumerate(enumerator, &child_sa))
1613 {
1614 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1615 new->add_child_sa(new, child_sa);
1616 }
1617 enumerator->destroy(enumerator);
1618 charon->bus->set_sa(charon->bus, new);
1619 charon->bus->children_migrate(charon->bus, NULL, 0);
1620 charon->bus->set_sa(charon->bus, this->ike_sa);
1621
1622 if (!new->get_child_count(new))
1623 { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
1624 task_t *task;
1625
1626 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1627 while (enumerator->enumerate(enumerator, &task))
1628 {
1629 if (task->get_type(task) == TASK_QUICK_MODE)
1630 {
1631 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
1632 task->migrate(task, new);
1633 new->queue_task(new, task);
1634 }
1635 }
1636 enumerator->destroy(enumerator);
1637 }
1638
1639 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1640 {
1641 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1642 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1643 }
1644 else
1645 {
1646 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1647 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1648 }
1649 charon->bus->set_sa(charon->bus, this->ike_sa);
1650 }
1651
1652 METHOD(task_manager_t, queue_ike_rekey, void,
1653 private_task_manager_t *this)
1654 {
1655 queue_ike_reauth(this);
1656 }
1657
1658 METHOD(task_manager_t, queue_ike_delete, void,
1659 private_task_manager_t *this)
1660 {
1661 enumerator_t *enumerator;
1662 child_sa_t *child_sa;
1663
1664 /* cancel any currently active task to get the DELETE done quickly */
1665 flush_queue(this, TASK_QUEUE_ACTIVE);
1666
1667 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1668 while (enumerator->enumerate(enumerator, &child_sa))
1669 {
1670 queue_task(this, (task_t*)
1671 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1672 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1673 }
1674 enumerator->destroy(enumerator);
1675
1676 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1677 }
1678
1679 METHOD(task_manager_t, queue_mobike, void,
1680 private_task_manager_t *this, bool roam, bool address)
1681 {
1682 /* Not supported in IKEv1 */
1683 }
1684
1685 METHOD(task_manager_t, queue_child, void,
1686 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
1687 traffic_selector_t *tsi, traffic_selector_t *tsr)
1688 {
1689 quick_mode_t *task;
1690
1691 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1692 task->use_reqid(task, reqid);
1693
1694 queue_task(this, &task->task);
1695 }
1696
1697 /**
1698 * Check if two CHILD_SAs have the same traffic selector
1699 */
1700 static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
1701 {
1702 enumerator_t *e1, *e2;
1703 traffic_selector_t *ts1, *ts2;
1704 bool equal = FALSE;
1705
1706 e1 = child1->create_ts_enumerator(child1, local);
1707 e2 = child2->create_ts_enumerator(child2, local);
1708 if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
1709 {
1710 equal = ts1->equals(ts1, ts2);
1711 }
1712 e2->destroy(e2);
1713 e1->destroy(e1);
1714
1715 return equal;
1716 }
1717
1718 /**
1719 * Check if a CHILD_SA is redundant and we should delete instead of rekey
1720 */
1721 static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
1722 {
1723 enumerator_t *enumerator;
1724 child_sa_t *current;
1725 bool redundant = FALSE;
1726
1727 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1728 while (enumerator->enumerate(enumerator, &current))
1729 {
1730 if (current->get_state(current) == CHILD_INSTALLED &&
1731 streq(current->get_name(current), child_sa->get_name(child_sa)) &&
1732 have_equal_ts(current, child_sa, TRUE) &&
1733 have_equal_ts(current, child_sa, FALSE) &&
1734 current->get_lifetime(current, FALSE) >
1735 child_sa->get_lifetime(child_sa, FALSE))
1736 {
1737 DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
1738 child_sa->get_name(child_sa),
1739 child_sa->get_unique_id(child_sa));
1740 redundant = TRUE;
1741 break;
1742 }
1743 }
1744 enumerator->destroy(enumerator);
1745
1746 return redundant;
1747 }
1748
1749 /**
1750 * Get the first traffic selector of a CHILD_SA, local or remote
1751 */
1752 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
1753 {
1754 traffic_selector_t *ts = NULL;
1755 enumerator_t *enumerator;
1756
1757 enumerator = child_sa->create_ts_enumerator(child_sa, local);
1758 enumerator->enumerate(enumerator, &ts);
1759 enumerator->destroy(enumerator);
1760
1761 return ts;
1762 }
1763
1764 METHOD(task_manager_t, queue_child_rekey, void,
1765 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
1766 {
1767 child_sa_t *child_sa;
1768 child_cfg_t *cfg;
1769 quick_mode_t *task;
1770
1771 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1772 if (!child_sa)
1773 {
1774 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1775 }
1776 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1777 {
1778 if (is_redundant(this, child_sa))
1779 {
1780 child_sa->set_state(child_sa, CHILD_REKEYED);
1781 queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
1782 protocol, spi, FALSE, FALSE));
1783 }
1784 else
1785 {
1786 child_sa->set_state(child_sa, CHILD_REKEYING);
1787 cfg = child_sa->get_config(child_sa);
1788 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
1789 get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
1790 task->use_reqid(task, child_sa->get_reqid(child_sa));
1791 task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value,
1792 child_sa->get_mark(child_sa, FALSE).value);
1793 task->rekey(task, child_sa->get_spi(child_sa, TRUE));
1794
1795 queue_task(this, &task->task);
1796 }
1797 }
1798 }
1799
1800 METHOD(task_manager_t, queue_child_delete, void,
1801 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
1802 bool expired)
1803 {
1804 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1805 spi, FALSE, expired));
1806 }
1807
1808 METHOD(task_manager_t, queue_dpd, void,
1809 private_task_manager_t *this)
1810 {
1811 peer_cfg_t *peer_cfg;
1812 uint32_t t, retransmit;
1813
1814 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
1815 this->dpd_send++));
1816 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1817
1818 /* compute timeout in milliseconds */
1819 t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
1820 if (t == 0)
1821 {
1822 /* use the same timeout as a retransmitting IKE message would have */
1823 for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
1824 {
1825 t += (uint32_t)(this->retransmit_timeout * 1000.0 *
1826 pow(this->retransmit_base, retransmit));
1827 }
1828 }
1829 /* compensate for the already elapsed dpd delay */
1830 t -= 1000 * peer_cfg->get_dpd(peer_cfg);
1831
1832 /* schedule DPD timeout job */
1833 lib->scheduler->schedule_job_ms(lib->scheduler,
1834 (job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
1835 }
1836
1837 METHOD(task_manager_t, adopt_tasks, void,
1838 private_task_manager_t *this, task_manager_t *other_public)
1839 {
1840 private_task_manager_t *other = (private_task_manager_t*)other_public;
1841 task_t *task;
1842
1843 /* move queued tasks from other to this */
1844 while (other->queued_tasks->remove_last(other->queued_tasks,
1845 (void**)&task) == SUCCESS)
1846 {
1847 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1848 task->migrate(task, this->ike_sa);
1849 this->queued_tasks->insert_first(this->queued_tasks, task);
1850 }
1851 }
1852
1853 /**
1854 * Migrates child-creating tasks from src to dst
1855 */
1856 static void migrate_child_tasks(private_task_manager_t *this,
1857 linked_list_t *src, linked_list_t *dst)
1858 {
1859 enumerator_t *enumerator;
1860 task_t *task;
1861
1862 enumerator = src->create_enumerator(src);
1863 while (enumerator->enumerate(enumerator, &task))
1864 {
1865 if (task->get_type(task) == TASK_QUICK_MODE)
1866 {
1867 src->remove_at(src, enumerator);
1868 task->migrate(task, this->ike_sa);
1869 dst->insert_last(dst, task);
1870 }
1871 }
1872 enumerator->destroy(enumerator);
1873 }
1874
1875 METHOD(task_manager_t, adopt_child_tasks, void,
1876 private_task_manager_t *this, task_manager_t *other_public)
1877 {
1878 private_task_manager_t *other = (private_task_manager_t*)other_public;
1879
1880 /* move active child tasks from other to this */
1881 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1882 /* do the same for queued tasks */
1883 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1884 }
1885
1886 METHOD(task_manager_t, busy, bool,
1887 private_task_manager_t *this)
1888 {
1889 return (this->active_tasks->get_count(this->active_tasks) > 0);
1890 }
1891
1892 METHOD(task_manager_t, incr_mid, void,
1893 private_task_manager_t *this, bool initiate)
1894 {
1895 }
1896
1897 METHOD(task_manager_t, reset, void,
1898 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
1899 {
1900 enumerator_t *enumerator;
1901 task_t *task;
1902
1903 /* reset message counters and retransmit packets */
1904 clear_packets(this->responding.packets);
1905 clear_packets(this->initiating.packets);
1906 this->responding.seqnr = RESPONDING_SEQ;
1907 this->responding.retransmitted = 0;
1908 this->initiating.mid = 0;
1909 this->initiating.seqnr = 0;
1910 this->initiating.retransmitted = 0;
1911 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1912 DESTROY_IF(this->defrag);
1913 this->defrag = NULL;
1914 if (initiate != UINT_MAX)
1915 {
1916 this->dpd_send = initiate;
1917 }
1918 if (respond != UINT_MAX)
1919 {
1920 this->dpd_recv = respond;
1921 }
1922
1923 /* reset queued tasks */
1924 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1925 while (enumerator->enumerate(enumerator, &task))
1926 {
1927 task->migrate(task, this->ike_sa);
1928 }
1929 enumerator->destroy(enumerator);
1930
1931 /* reset active tasks */
1932 while (this->active_tasks->remove_last(this->active_tasks,
1933 (void**)&task) == SUCCESS)
1934 {
1935 task->migrate(task, this->ike_sa);
1936 this->queued_tasks->insert_first(this->queued_tasks, task);
1937 }
1938 }
1939
1940 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1941 private_task_manager_t *this, task_queue_t queue)
1942 {
1943 switch (queue)
1944 {
1945 case TASK_QUEUE_ACTIVE:
1946 return this->active_tasks->create_enumerator(this->active_tasks);
1947 case TASK_QUEUE_PASSIVE:
1948 return this->passive_tasks->create_enumerator(this->passive_tasks);
1949 case TASK_QUEUE_QUEUED:
1950 return this->queued_tasks->create_enumerator(this->queued_tasks);
1951 default:
1952 return enumerator_create_empty();
1953 }
1954 }
1955
1956 METHOD(task_manager_t, destroy, void,
1957 private_task_manager_t *this)
1958 {
1959 flush(this);
1960
1961 this->active_tasks->destroy(this->active_tasks);
1962 this->queued_tasks->destroy(this->queued_tasks);
1963 this->passive_tasks->destroy(this->passive_tasks);
1964 DESTROY_IF(this->defrag);
1965
1966 DESTROY_IF(this->queued);
1967 clear_packets(this->responding.packets);
1968 array_destroy(this->responding.packets);
1969 clear_packets(this->initiating.packets);
1970 array_destroy(this->initiating.packets);
1971 DESTROY_IF(this->rng);
1972 free(this);
1973 }
1974
1975 /*
1976 * see header file
1977 */
1978 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
1979 {
1980 private_task_manager_t *this;
1981
1982 INIT(this,
1983 .public = {
1984 .task_manager = {
1985 .process_message = _process_message,
1986 .queue_task = _queue_task,
1987 .queue_task_delayed = _queue_task_delayed,
1988 .queue_ike = _queue_ike,
1989 .queue_ike_rekey = _queue_ike_rekey,
1990 .queue_ike_reauth = _queue_ike_reauth,
1991 .queue_ike_delete = _queue_ike_delete,
1992 .queue_mobike = _queue_mobike,
1993 .queue_child = _queue_child,
1994 .queue_child_rekey = _queue_child_rekey,
1995 .queue_child_delete = _queue_child_delete,
1996 .queue_dpd = _queue_dpd,
1997 .initiate = _initiate,
1998 .retransmit = _retransmit,
1999 .incr_mid = _incr_mid,
2000 .reset = _reset,
2001 .adopt_tasks = _adopt_tasks,
2002 .adopt_child_tasks = _adopt_child_tasks,
2003 .busy = _busy,
2004 .create_task_enumerator = _create_task_enumerator,
2005 .flush = _flush,
2006 .flush_queue = _flush_queue,
2007 .destroy = _destroy,
2008 },
2009 },
2010 .initiating = {
2011 .type = EXCHANGE_TYPE_UNDEFINED,
2012 },
2013 .responding = {
2014 .seqnr = RESPONDING_SEQ,
2015 },
2016 .ike_sa = ike_sa,
2017 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
2018 .queued_tasks = linked_list_create(),
2019 .active_tasks = linked_list_create(),
2020 .passive_tasks = linked_list_create(),
2021 .retransmit_tries = lib->settings->get_int(lib->settings,
2022 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2023 .retransmit_timeout = lib->settings->get_double(lib->settings,
2024 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2025 .retransmit_base = lib->settings->get_double(lib->settings,
2026 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2027 );
2028
2029 if (!this->rng)
2030 {
2031 DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
2032 destroy(this);
2033 return NULL;
2034 }
2035 if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
2036 (void*)&this->dpd_send))
2037 {
2038 DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
2039 destroy(this);
2040 return NULL;
2041 }
2042 this->dpd_send &= 0x7FFFFFFF;
2043
2044 return &this->public;
2045 }