3b0c1cfd1b63941f3d4224f7630e0bbdb5fb83f0
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2016 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/aggressive_mode.h>
24 #include <sa/ikev1/tasks/quick_mode.h>
25 #include <sa/ikev1/tasks/quick_delete.h>
26 #include <sa/ikev1/tasks/xauth.h>
27 #include <sa/ikev1/tasks/mode_config.h>
28 #include <sa/ikev1/tasks/informational.h>
29 #include <sa/ikev1/tasks/isakmp_natd.h>
30 #include <sa/ikev1/tasks/isakmp_vendor.h>
31 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
32 #include <sa/ikev1/tasks/isakmp_cert_post.h>
33 #include <sa/ikev1/tasks/isakmp_delete.h>
34 #include <sa/ikev1/tasks/isakmp_dpd.h>
35
36 #include <processing/jobs/retransmit_job.h>
37 #include <processing/jobs/delete_ike_sa_job.h>
38 #include <processing/jobs/dpd_timeout_job.h>
39 #include <processing/jobs/process_message_job.h>
40
41 #include <collections/array.h>
42
43 /**
44 * Number of old messages hashes we keep for retransmission.
45 *
46 * In Main Mode, we must ignore messages from a previous message pair if
47 * we already continued to the next. Otherwise a late retransmission
48 * could be considered as a reply to the newer request.
49 */
50 #define MAX_OLD_HASHES 2
51
52 /**
53 * First sequence number of responding packets.
54 *
55 * To distinguish retransmission jobs for initiating and responding packets,
56 * we split up the sequence counter and use the upper half for responding.
57 */
58 #define RESPONDING_SEQ INT_MAX
59
60 typedef struct exchange_t exchange_t;
61
62 /**
63 * An exchange in the air, used do detect and handle retransmission
64 */
65 struct exchange_t {
66
67 /**
68 * Message ID used for this transaction
69 */
70 uint32_t mid;
71
72 /**
73 * generated packet for retransmission
74 */
75 packet_t *packet;
76 };
77
78 typedef struct private_task_manager_t private_task_manager_t;
79
80 /**
81 * private data of the task manager
82 */
83 struct private_task_manager_t {
84
85 /**
86 * public functions
87 */
88 task_manager_v1_t public;
89
90 /**
91 * associated IKE_SA we are serving
92 */
93 ike_sa_t *ike_sa;
94
95 /**
96 * RNG to create message IDs
97 */
98 rng_t *rng;
99
100 /**
101 * Exchange we are currently handling as responder
102 */
103 struct {
104 /**
105 * Message ID of the last response
106 */
107 uint32_t mid;
108
109 /**
110 * Hash of a previously received message
111 */
112 uint32_t hash;
113
114 /**
115 * packet(s) for retransmission
116 */
117 array_t *packets;
118
119 /**
120 * Sequence number of the last sent message
121 */
122 uint32_t seqnr;
123
124 /**
125 * how many times we have retransmitted so far
126 */
127 u_int retransmitted;
128
129 } responding;
130
131 /**
132 * Exchange we are currently handling as initiator
133 */
134 struct {
135 /**
136 * Message ID of the exchange
137 */
138 uint32_t mid;
139
140 /**
141 * Hashes of old responses we can ignore
142 */
143 uint32_t old_hashes[MAX_OLD_HASHES];
144
145 /**
146 * Position in old hash array
147 */
148 int old_hash_pos;
149
150 /**
151 * Sequence number of the last sent message
152 */
153 uint32_t seqnr;
154
155 /**
156 * how many times we have retransmitted so far
157 */
158 u_int retransmitted;
159
160 /**
161 * packet(s) for retransmission
162 */
163 array_t *packets;
164
165 /**
166 * type of the initiated exchange
167 */
168 exchange_type_t type;
169
170 } initiating;
171
172 /**
173 * Message we are currently defragmenting, if any (only one at a time)
174 */
175 message_t *defrag;
176
177 /**
178 * List of queued tasks not yet in action
179 */
180 linked_list_t *queued_tasks;
181
182 /**
183 * List of active tasks, initiated by ourselves
184 */
185 linked_list_t *active_tasks;
186
187 /**
188 * List of tasks initiated by peer
189 */
190 linked_list_t *passive_tasks;
191
192 /**
193 * Queued messages not yet ready to process
194 */
195 message_t *queued;
196
197 /**
198 * Number of times we retransmit messages before giving up
199 */
200 u_int retransmit_tries;
201
202 /**
203 * Retransmission timeout
204 */
205 double retransmit_timeout;
206
207 /**
208 * Base to calculate retransmission timeout
209 */
210 double retransmit_base;
211
212 /**
213 * Sequence number for sending DPD requests
214 */
215 uint32_t dpd_send;
216
217 /**
218 * Sequence number for received DPD requests
219 */
220 uint32_t dpd_recv;
221 };
222
223 /**
224 * Reset retransmission packet list
225 */
226 static void clear_packets(array_t *array)
227 {
228 packet_t *packet;
229
230 while (array_remove(array, ARRAY_TAIL, &packet))
231 {
232 packet->destroy(packet);
233 }
234 }
235
236 METHOD(task_manager_t, flush_queue, void,
237 private_task_manager_t *this, task_queue_t queue)
238 {
239 linked_list_t *list;
240 task_t *task;
241
242 if (this->queued)
243 {
244 this->queued->destroy(this->queued);
245 this->queued = NULL;
246 }
247 switch (queue)
248 {
249 case TASK_QUEUE_ACTIVE:
250 list = this->active_tasks;
251 /* cancel pending retransmits */
252 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
253 clear_packets(this->initiating.packets);
254 break;
255 case TASK_QUEUE_PASSIVE:
256 list = this->passive_tasks;
257 break;
258 case TASK_QUEUE_QUEUED:
259 list = this->queued_tasks;
260 break;
261 default:
262 return;
263 }
264 while (list->remove_last(list, (void**)&task) == SUCCESS)
265 {
266 task->destroy(task);
267 }
268 }
269
270 METHOD(task_manager_t, flush, void,
271 private_task_manager_t *this)
272 {
273 flush_queue(this, TASK_QUEUE_QUEUED);
274 flush_queue(this, TASK_QUEUE_PASSIVE);
275 flush_queue(this, TASK_QUEUE_ACTIVE);
276 }
277
278 /**
279 * move a task of a specific type from the queue to the active list
280 */
281 static bool activate_task(private_task_manager_t *this, task_type_t type)
282 {
283 enumerator_t *enumerator;
284 task_t *task;
285 bool found = FALSE;
286
287 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
288 while (enumerator->enumerate(enumerator, (void**)&task))
289 {
290 if (task->get_type(task) == type)
291 {
292 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
293 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
294 this->active_tasks->insert_last(this->active_tasks, task);
295 found = TRUE;
296 break;
297 }
298 }
299 enumerator->destroy(enumerator);
300 return found;
301 }
302
303 /**
304 * Send packets in the given array (they get cloned)
305 */
306 static void send_packets(private_task_manager_t *this, array_t *packets)
307 {
308 enumerator_t *enumerator;
309 packet_t *packet;
310
311 enumerator = array_create_enumerator(packets);
312 while (enumerator->enumerate(enumerator, &packet))
313 {
314 charon->sender->send(charon->sender, packet->clone(packet));
315 }
316 enumerator->destroy(enumerator);
317 }
318
319 /**
320 * Generates the given message and stores packet(s) in the given array
321 */
322 static bool generate_message(private_task_manager_t *this, message_t *message,
323 array_t **packets)
324 {
325 enumerator_t *fragments;
326 packet_t *fragment;
327
328 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
329 &fragments) != SUCCESS)
330 {
331 return FALSE;
332 }
333 while (fragments->enumerate(fragments, &fragment))
334 {
335 array_insert_create(packets, ARRAY_TAIL, fragment);
336 }
337 fragments->destroy(fragments);
338 return TRUE;
339 }
340
341 /**
342 * Retransmit a packet (or its fragments)
343 */
344 static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr,
345 u_int mid, u_int retransmitted, array_t *packets)
346 {
347 packet_t *packet;
348 uint32_t t;
349
350 array_get(packets, 0, &packet);
351 if (retransmitted > this->retransmit_tries)
352 {
353 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
354 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
355 return DESTROY_ME;
356 }
357 t = (uint32_t)(this->retransmit_timeout * 1000.0 *
358 pow(this->retransmit_base, retransmitted));
359 if (retransmitted)
360 {
361 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
362 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
363 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
364 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
365 retransmitted);
366 }
367 send_packets(this, packets);
368 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
369 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
370 return NEED_MORE;
371 }
372
373 METHOD(task_manager_t, retransmit, status_t,
374 private_task_manager_t *this, uint32_t seqnr)
375 {
376 status_t status = SUCCESS;
377
378 if (seqnr == this->initiating.seqnr &&
379 array_count(this->initiating.packets))
380 {
381 status = retransmit_packet(this, seqnr, this->initiating.mid,
382 this->initiating.retransmitted, this->initiating.packets);
383 if (status == NEED_MORE)
384 {
385 this->initiating.retransmitted++;
386 status = SUCCESS;
387 }
388 }
389 if (seqnr == this->responding.seqnr &&
390 array_count(this->responding.packets))
391 {
392 status = retransmit_packet(this, seqnr, this->responding.mid,
393 this->responding.retransmitted, this->responding.packets);
394 if (status == NEED_MORE)
395 {
396 this->responding.retransmitted++;
397 status = SUCCESS;
398 }
399 }
400 return status;
401 }
402
403 /**
404 * Check if we have to wait for a mode config before starting a quick mode
405 */
406 static bool mode_config_expected(private_task_manager_t *this)
407 {
408 enumerator_t *enumerator;
409 peer_cfg_t *peer_cfg;
410 char *pool;
411 bool local;
412 host_t *host;
413
414 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
415 if (peer_cfg)
416 {
417 if (peer_cfg->use_pull_mode(peer_cfg))
418 {
419 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
420 if (!enumerator->enumerate(enumerator, &pool))
421 { /* no pool configured */
422 enumerator->destroy(enumerator);
423 return FALSE;
424 }
425 enumerator->destroy(enumerator);
426
427 local = FALSE;
428 }
429 else
430 {
431 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
432 if (!enumerator->enumerate(enumerator, &host))
433 { /* not requesting a vip */
434 enumerator->destroy(enumerator);
435 return FALSE;
436 }
437 enumerator->destroy(enumerator);
438
439 local = TRUE;
440 }
441 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
442 local);
443 if (!enumerator->enumerate(enumerator, &host))
444 { /* expecting a VIP exchange, but no VIP assigned yet */
445 enumerator->destroy(enumerator);
446 return TRUE;
447 }
448 enumerator->destroy(enumerator);
449 }
450 return FALSE;
451 }
452
453 METHOD(task_manager_t, initiate, status_t,
454 private_task_manager_t *this)
455 {
456 enumerator_t *enumerator;
457 task_t *task;
458 message_t *message;
459 host_t *me, *other;
460 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
461 bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
462
463 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
464 this->initiating.type != INFORMATIONAL_V1)
465 {
466 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
467 exchange_type_names, this->initiating.type);
468 /* do not initiate if we already have a message in the air */
469 return SUCCESS;
470 }
471
472 if (this->active_tasks->get_count(this->active_tasks) == 0)
473 {
474 DBG2(DBG_IKE, "activating new tasks");
475 switch (this->ike_sa->get_state(this->ike_sa))
476 {
477 case IKE_CREATED:
478 activate_task(this, TASK_ISAKMP_VENDOR);
479 activate_task(this, TASK_ISAKMP_CERT_PRE);
480 if (activate_task(this, TASK_MAIN_MODE))
481 {
482 exchange = ID_PROT;
483 }
484 else if (activate_task(this, TASK_AGGRESSIVE_MODE))
485 {
486 exchange = AGGRESSIVE;
487 }
488 activate_task(this, TASK_ISAKMP_CERT_POST);
489 activate_task(this, TASK_ISAKMP_NATD);
490 break;
491 case IKE_CONNECTING:
492 if (activate_task(this, TASK_ISAKMP_DELETE))
493 {
494 exchange = INFORMATIONAL_V1;
495 new_mid = TRUE;
496 break;
497 }
498 if (activate_task(this, TASK_XAUTH))
499 {
500 exchange = TRANSACTION;
501 new_mid = TRUE;
502 break;
503 }
504 if (activate_task(this, TASK_INFORMATIONAL))
505 {
506 exchange = INFORMATIONAL_V1;
507 new_mid = TRUE;
508 break;
509 }
510 break;
511 case IKE_ESTABLISHED:
512 if (activate_task(this, TASK_MODE_CONFIG))
513 {
514 exchange = TRANSACTION;
515 new_mid = TRUE;
516 break;
517 }
518 if (activate_task(this, TASK_QUICK_DELETE))
519 {
520 exchange = INFORMATIONAL_V1;
521 new_mid = TRUE;
522 break;
523 }
524 if (activate_task(this, TASK_ISAKMP_DELETE))
525 {
526 exchange = INFORMATIONAL_V1;
527 new_mid = TRUE;
528 break;
529 }
530 if (!mode_config_expected(this) &&
531 activate_task(this, TASK_QUICK_MODE))
532 {
533 exchange = QUICK_MODE;
534 new_mid = TRUE;
535 break;
536 }
537 if (activate_task(this, TASK_INFORMATIONAL))
538 {
539 exchange = INFORMATIONAL_V1;
540 new_mid = TRUE;
541 break;
542 }
543 if (activate_task(this, TASK_ISAKMP_DPD))
544 {
545 exchange = INFORMATIONAL_V1;
546 new_mid = TRUE;
547 break;
548 }
549 break;
550 case IKE_REKEYING:
551 if (activate_task(this, TASK_ISAKMP_DELETE))
552 {
553 exchange = INFORMATIONAL_V1;
554 new_mid = TRUE;
555 break;
556 }
557 break;
558 default:
559 break;
560 }
561 }
562 else
563 {
564 DBG2(DBG_IKE, "reinitiating already active tasks");
565 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
566 while (enumerator->enumerate(enumerator, (void**)&task))
567 {
568 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
569 switch (task->get_type(task))
570 {
571 case TASK_MAIN_MODE:
572 exchange = ID_PROT;
573 break;
574 case TASK_AGGRESSIVE_MODE:
575 exchange = AGGRESSIVE;
576 break;
577 case TASK_QUICK_MODE:
578 exchange = QUICK_MODE;
579 break;
580 case TASK_XAUTH:
581 exchange = TRANSACTION;
582 new_mid = TRUE;
583 break;
584 default:
585 continue;
586 }
587 break;
588 }
589 enumerator->destroy(enumerator);
590 }
591
592 if (exchange == EXCHANGE_TYPE_UNDEFINED)
593 {
594 DBG2(DBG_IKE, "nothing to initiate");
595 /* nothing to do yet... */
596 return SUCCESS;
597 }
598
599 me = this->ike_sa->get_my_host(this->ike_sa);
600 other = this->ike_sa->get_other_host(this->ike_sa);
601
602 if (new_mid)
603 {
604 if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
605 (void*)&this->initiating.mid))
606 {
607 DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
608 flush(this);
609 return DESTROY_ME;
610 }
611 }
612 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
613 message->set_message_id(message, this->initiating.mid);
614 message->set_source(message, me->clone(me));
615 message->set_destination(message, other->clone(other));
616 message->set_exchange_type(message, exchange);
617 this->initiating.type = exchange;
618 this->initiating.retransmitted = 0;
619
620 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
621 while (enumerator->enumerate(enumerator, (void*)&task))
622 {
623 switch (task->build(task, message))
624 {
625 case SUCCESS:
626 /* task completed, remove it */
627 this->active_tasks->remove_at(this->active_tasks, enumerator);
628 if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
629 task->get_type(task) == TASK_QUICK_MODE)
630 { /* last message of three message exchange */
631 keep = TRUE;
632 }
633 task->destroy(task);
634 continue;
635 case NEED_MORE:
636 expect_response = TRUE;
637 /* processed, but task needs another exchange */
638 continue;
639 case ALREADY_DONE:
640 cancelled = TRUE;
641 break;
642 case FAILED:
643 default:
644 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
645 {
646 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
647 }
648 /* FALL */
649 case DESTROY_ME:
650 /* critical failure, destroy IKE_SA */
651 enumerator->destroy(enumerator);
652 message->destroy(message);
653 flush(this);
654 return DESTROY_ME;
655 }
656 break;
657 }
658 enumerator->destroy(enumerator);
659
660 if (this->active_tasks->get_count(this->active_tasks) == 0 &&
661 (exchange == QUICK_MODE || exchange == AGGRESSIVE))
662 { /* tasks completed, no exchange active anymore */
663 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
664 }
665 if (cancelled)
666 {
667 message->destroy(message);
668 return initiate(this);
669 }
670
671 clear_packets(this->initiating.packets);
672 if (!generate_message(this, message, &this->initiating.packets))
673 {
674 /* message generation failed. There is nothing more to do than to
675 * close the SA */
676 message->destroy(message);
677 flush(this);
678 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
679 return DESTROY_ME;
680 }
681
682 this->initiating.seqnr++;
683 if (expect_response)
684 {
685 message->destroy(message);
686 return retransmit(this, this->initiating.seqnr);
687 }
688 if (keep)
689 { /* keep the packet for retransmission, the responder might request it */
690 send_packets(this, this->initiating.packets);
691 }
692 else
693 {
694 send_packets(this, this->initiating.packets);
695 clear_packets(this->initiating.packets);
696 }
697 message->destroy(message);
698
699 if (exchange == INFORMATIONAL_V1)
700 {
701 switch (this->ike_sa->get_state(this->ike_sa))
702 {
703 case IKE_CONNECTING:
704 /* close after sending an INFORMATIONAL when unestablished */
705 return FAILED;
706 case IKE_DELETING:
707 /* close after sending a DELETE */
708 return DESTROY_ME;
709 default:
710 break;
711 }
712 }
713 return initiate(this);
714 }
715
716 /**
717 * build a response depending on the "passive" task list
718 */
719 static status_t build_response(private_task_manager_t *this, message_t *request)
720 {
721 enumerator_t *enumerator;
722 task_t *task;
723 message_t *message;
724 host_t *me, *other;
725 bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
726
727 me = request->get_destination(request);
728 other = request->get_source(request);
729
730 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
731 message->set_exchange_type(message, request->get_exchange_type(request));
732 /* send response along the path the request came in */
733 message->set_source(message, me->clone(me));
734 message->set_destination(message, other->clone(other));
735 message->set_message_id(message, request->get_message_id(request));
736 message->set_request(message, FALSE);
737
738 this->responding.mid = request->get_message_id(request);
739 this->responding.retransmitted = 0;
740 this->responding.seqnr++;
741
742 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
743 while (enumerator->enumerate(enumerator, (void*)&task))
744 {
745 switch (task->build(task, message))
746 {
747 case SUCCESS:
748 /* task completed, remove it */
749 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
750 task->destroy(task);
751 continue;
752 case NEED_MORE:
753 /* processed, but task needs another exchange */
754 if (task->get_type(task) == TASK_QUICK_MODE ||
755 task->get_type(task) == TASK_AGGRESSIVE_MODE)
756 { /* we rely on initiator retransmission, except for
757 * three-message exchanges */
758 expect_request = TRUE;
759 }
760 continue;
761 case ALREADY_DONE:
762 cancelled = TRUE;
763 break;
764 case INVALID_ARG:
765 if (task->get_type(task) == TASK_QUICK_MODE)
766 { /* not responsible for this exchange */
767 continue;
768 }
769 /* FALL */
770 case FAILED:
771 default:
772 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
773 /* FALL */
774 case DESTROY_ME:
775 /* destroy IKE_SA, but SEND response first */
776 delete = TRUE;
777 break;
778 }
779 break;
780 }
781 enumerator->destroy(enumerator);
782
783 clear_packets(this->responding.packets);
784 if (cancelled)
785 {
786 message->destroy(message);
787 return initiate(this);
788 }
789 if (!generate_message(this, message, &this->responding.packets))
790 {
791 message->destroy(message);
792 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
793 return DESTROY_ME;
794 }
795 message->destroy(message);
796
797 if (expect_request && !delete)
798 {
799 return retransmit(this, this->responding.seqnr);
800 }
801 send_packets(this, this->responding.packets);
802 if (delete)
803 {
804 return DESTROY_ME;
805 }
806 return SUCCESS;
807 }
808
809 /**
810 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
811 * The notify protocol_id is set to ISAKMP
812 */
813 static void send_notify(private_task_manager_t *this, message_t *request,
814 notify_type_t type)
815 {
816 message_t *response;
817 array_t *packets = NULL;
818 host_t *me, *other;
819 uint32_t mid;
820
821 if (request->get_exchange_type(request) == INFORMATIONAL_V1)
822 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
823 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
824 return;
825 }
826 if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
827 {
828 DBG1(DBG_IKE, "failed to allocate message ID");
829 return;
830 }
831 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
832 response->set_exchange_type(response, INFORMATIONAL_V1);
833 response->set_request(response, TRUE);
834 response->set_message_id(response, mid);
835 response->add_payload(response, (payload_t*)
836 notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
837 PROTO_IKE, type));
838
839 me = this->ike_sa->get_my_host(this->ike_sa);
840 if (me->is_anyaddr(me))
841 {
842 me = request->get_destination(request);
843 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
844 }
845 other = this->ike_sa->get_other_host(this->ike_sa);
846 if (other->is_anyaddr(other))
847 {
848 other = request->get_source(request);
849 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
850 }
851 response->set_source(response, me->clone(me));
852 response->set_destination(response, other->clone(other));
853 if (generate_message(this, response, &packets))
854 {
855 send_packets(this, packets);
856 }
857 clear_packets(packets);
858 array_destroy(packets);
859 response->destroy(response);
860 }
861
862 /**
863 * Process a DPD request/response
864 */
865 static bool process_dpd(private_task_manager_t *this, message_t *message)
866 {
867 notify_payload_t *notify;
868 notify_type_t type;
869 uint32_t seq;
870 chunk_t data;
871
872 type = DPD_R_U_THERE;
873 notify = message->get_notify(message, type);
874 if (!notify)
875 {
876 type = DPD_R_U_THERE_ACK;
877 notify = message->get_notify(message, type);
878 }
879 if (!notify)
880 {
881 return FALSE;
882 }
883 data = notify->get_notification_data(notify);
884 if (data.len != 4)
885 {
886 return FALSE;
887 }
888 seq = untoh32(data.ptr);
889
890 if (type == DPD_R_U_THERE)
891 {
892 if (this->dpd_recv == 0 || seq == this->dpd_recv)
893 { /* check sequence validity */
894 this->dpd_recv = seq + 1;
895 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
896 time_monotonic(NULL));
897 }
898 /* but respond anyway */
899 this->ike_sa->queue_task(this->ike_sa,
900 &isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
901 }
902 else /* DPD_R_U_THERE_ACK */
903 {
904 if (seq == this->dpd_send - 1)
905 {
906 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
907 time_monotonic(NULL));
908 }
909 else
910 {
911 DBG1(DBG_IKE, "received invalid DPD sequence number %u "
912 "(expected %u), ignored", seq, this->dpd_send - 1);
913 }
914 }
915 return TRUE;
916 }
917
918 /**
919 * Check if we already have a quick mode task queued for the exchange with the
920 * given message ID
921 */
922 static bool have_quick_mode_task(private_task_manager_t *this, uint32_t mid)
923 {
924 enumerator_t *enumerator;
925 quick_mode_t *qm;
926 task_t *task;
927 bool found = FALSE;
928
929 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
930 while (enumerator->enumerate(enumerator, &task))
931 {
932 if (task->get_type(task) == TASK_QUICK_MODE)
933 {
934 qm = (quick_mode_t*)task;
935 if (qm->get_mid(qm) == mid)
936 {
937 found = TRUE;
938 break;
939 }
940 }
941 }
942 enumerator->destroy(enumerator);
943 return found;
944 }
945
946 /**
947 * Check if we still have a specific task queued
948 */
949 static bool have_task_queued(private_task_manager_t *this, task_type_t type)
950 {
951 enumerator_t *enumerator;
952 task_t *task;
953 bool found = FALSE;
954
955 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
956 while (enumerator->enumerate(enumerator, &task))
957 {
958 if (task->get_type(task) == type)
959 {
960 found = TRUE;
961 break;
962 }
963 }
964 enumerator->destroy(enumerator);
965 return found;
966 }
967
968 /**
969 * handle an incoming request message
970 */
971 static status_t process_request(private_task_manager_t *this,
972 message_t *message)
973 {
974 enumerator_t *enumerator;
975 task_t *task = NULL;
976 bool send_response = FALSE, dpd = FALSE;
977
978 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
979 message->get_exchange_type(message) == QUICK_MODE ||
980 this->passive_tasks->get_count(this->passive_tasks) == 0)
981 { /* create tasks depending on request type, if not already some queued */
982 switch (message->get_exchange_type(message))
983 {
984 case ID_PROT:
985 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
986 this->passive_tasks->insert_last(this->passive_tasks, task);
987 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
988 this->passive_tasks->insert_last(this->passive_tasks, task);
989 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
990 this->passive_tasks->insert_last(this->passive_tasks, task);
991 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
992 this->passive_tasks->insert_last(this->passive_tasks, task);
993 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
994 this->passive_tasks->insert_last(this->passive_tasks, task);
995 break;
996 case AGGRESSIVE:
997 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
998 this->passive_tasks->insert_last(this->passive_tasks, task);
999 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
1000 this->passive_tasks->insert_last(this->passive_tasks, task);
1001 task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
1002 this->passive_tasks->insert_last(this->passive_tasks, task);
1003 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
1004 this->passive_tasks->insert_last(this->passive_tasks, task);
1005 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
1006 this->passive_tasks->insert_last(this->passive_tasks, task);
1007 break;
1008 case QUICK_MODE:
1009 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1010 {
1011 DBG1(DBG_IKE, "received quick mode request for "
1012 "unestablished IKE_SA, ignored");
1013 return FAILED;
1014 }
1015 if (have_quick_mode_task(this, message->get_message_id(message)))
1016 {
1017 break;
1018 }
1019 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
1020 NULL, NULL);
1021 this->passive_tasks->insert_last(this->passive_tasks, task);
1022 break;
1023 case INFORMATIONAL_V1:
1024 if (process_dpd(this, message))
1025 {
1026 dpd = TRUE;
1027 }
1028 else
1029 {
1030 task = (task_t *)informational_create(this->ike_sa, NULL);
1031 this->passive_tasks->insert_first(this->passive_tasks, task);
1032 }
1033 break;
1034 case TRANSACTION:
1035 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
1036 {
1037 task = (task_t *)mode_config_create(this->ike_sa,
1038 FALSE, TRUE);
1039 }
1040 else
1041 {
1042 task = (task_t *)xauth_create(this->ike_sa, FALSE);
1043 }
1044 this->passive_tasks->insert_last(this->passive_tasks, task);
1045 break;
1046 default:
1047 return FAILED;
1048 }
1049 }
1050 if (dpd)
1051 {
1052 return initiate(this);
1053 }
1054 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
1055
1056 /* let the tasks process the message */
1057 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
1058 while (enumerator->enumerate(enumerator, (void*)&task))
1059 {
1060 switch (task->process(task, message))
1061 {
1062 case SUCCESS:
1063 /* task completed, remove it */
1064 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1065 task->destroy(task);
1066 continue;
1067 case NEED_MORE:
1068 /* processed, but task needs at least another call to build() */
1069 send_response = TRUE;
1070 continue;
1071 case ALREADY_DONE:
1072 send_response = FALSE;
1073 break;
1074 case INVALID_ARG:
1075 if (task->get_type(task) == TASK_QUICK_MODE)
1076 { /* not responsible for this exchange */
1077 continue;
1078 }
1079 /* FALL */
1080 case FAILED:
1081 default:
1082 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1083 /* FALL */
1084 case DESTROY_ME:
1085 /* critical failure, destroy IKE_SA */
1086 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1087 enumerator->destroy(enumerator);
1088 task->destroy(task);
1089 return DESTROY_ME;
1090 }
1091 break;
1092 }
1093 enumerator->destroy(enumerator);
1094
1095 if (send_response)
1096 {
1097 if (build_response(this, message) != SUCCESS)
1098 {
1099 return DESTROY_ME;
1100 }
1101 }
1102 else
1103 { /* We don't send a response, so don't retransmit one if we get
1104 * the same message again. */
1105 clear_packets(this->responding.packets);
1106 }
1107 if (this->queued &&
1108 this->queued->get_exchange_type(this->queued) == INFORMATIONAL_V1)
1109 {
1110 message_t *queued;
1111 status_t status;
1112
1113 queued = this->queued;
1114 this->queued = NULL;
1115 status = this->public.task_manager.process_message(
1116 &this->public.task_manager, queued);
1117 queued->destroy(queued);
1118 if (status == DESTROY_ME)
1119 {
1120 return status;
1121 }
1122 }
1123 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
1124 this->queued_tasks->get_count(this->queued_tasks) > 0)
1125 {
1126 /* passive tasks completed, check if an active task has been queued,
1127 * such as XAUTH or modeconfig push */
1128 return initiate(this);
1129 }
1130 return SUCCESS;
1131 }
1132
1133 /**
1134 * handle an incoming response message
1135 */
1136 static status_t process_response(private_task_manager_t *this,
1137 message_t *message)
1138 {
1139 enumerator_t *enumerator;
1140 message_t *queued;
1141 status_t status;
1142 task_t *task;
1143
1144 if (message->get_exchange_type(message) != this->initiating.type)
1145 {
1146 /* Windows server sends a fourth quick mode message having an initial
1147 * contact notify. Ignore this message for compatibility. */
1148 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
1149 message->get_exchange_type(message) == QUICK_MODE &&
1150 message->get_notify(message, INITIAL_CONTACT))
1151 {
1152 DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
1153 return SUCCESS;
1154 }
1155 DBG1(DBG_IKE, "received %N response, but expected %N",
1156 exchange_type_names, message->get_exchange_type(message),
1157 exchange_type_names, this->initiating.type);
1158 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1159 return DESTROY_ME;
1160 }
1161
1162 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
1163 while (enumerator->enumerate(enumerator, (void*)&task))
1164 {
1165 switch (task->process(task, message))
1166 {
1167 case SUCCESS:
1168 /* task completed, remove it */
1169 this->active_tasks->remove_at(this->active_tasks, enumerator);
1170 task->destroy(task);
1171 continue;
1172 case NEED_MORE:
1173 /* processed, but task needs another exchange */
1174 continue;
1175 case ALREADY_DONE:
1176 break;
1177 case FAILED:
1178 default:
1179 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1180 /* FALL */
1181 case DESTROY_ME:
1182 /* critical failure, destroy IKE_SA */
1183 this->active_tasks->remove_at(this->active_tasks, enumerator);
1184 enumerator->destroy(enumerator);
1185 task->destroy(task);
1186 return DESTROY_ME;
1187 }
1188 break;
1189 }
1190 enumerator->destroy(enumerator);
1191
1192 if (this->initiating.retransmitted > 1)
1193 {
1194 packet_t *packet = NULL;
1195 array_get(this->initiating.packets, 0, &packet);
1196 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
1197 }
1198 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1199 clear_packets(this->initiating.packets);
1200
1201 if (this->queued && !this->active_tasks->get_count(this->active_tasks) &&
1202 this->queued->get_exchange_type(this->queued) == TRANSACTION)
1203 {
1204 queued = this->queued;
1205 this->queued = NULL;
1206 status = this->public.task_manager.process_message(
1207 &this->public.task_manager, queued);
1208 queued->destroy(queued);
1209 if (status == DESTROY_ME)
1210 {
1211 return status;
1212 }
1213 }
1214
1215 return initiate(this);
1216 }
1217
1218 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
1219 {
1220 status_t status;
1221
1222 if (!this->defrag)
1223 {
1224 this->defrag = message_create_defrag(msg);
1225 if (!this->defrag)
1226 {
1227 return FAILED;
1228 }
1229 }
1230 status = this->defrag->add_fragment(this->defrag, msg);
1231 if (status == SUCCESS)
1232 {
1233 lib->processor->queue_job(lib->processor,
1234 (job_t*)process_message_job_create(this->defrag));
1235 this->defrag = NULL;
1236 /* do not process the last fragment */
1237 status = NEED_MORE;
1238 }
1239 return status;
1240 }
1241
1242 /**
1243 * Parse the given message and verify that it is valid.
1244 */
1245 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1246 {
1247 status_t status;
1248
1249 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1250
1251 if (status != SUCCESS)
1252 {
1253 switch (status)
1254 {
1255 case NOT_SUPPORTED:
1256 DBG1(DBG_IKE, "unsupported exchange type");
1257 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
1258 break;
1259 case PARSE_ERROR:
1260 DBG1(DBG_IKE, "message parsing failed");
1261 send_notify(this, msg, PAYLOAD_MALFORMED);
1262 break;
1263 case VERIFY_ERROR:
1264 DBG1(DBG_IKE, "message verification failed");
1265 send_notify(this, msg, PAYLOAD_MALFORMED);
1266 break;
1267 case FAILED:
1268 DBG1(DBG_IKE, "integrity check failed");
1269 send_notify(this, msg, INVALID_HASH_INFORMATION);
1270 break;
1271 case INVALID_STATE:
1272 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1273 send_notify(this, msg, PAYLOAD_MALFORMED);
1274 default:
1275 break;
1276 }
1277 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
1278 exchange_type_names, msg->get_exchange_type(msg),
1279 msg->get_request(msg) ? "request" : "response",
1280 msg->get_message_id(msg));
1281
1282 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1283
1284 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1285 { /* invalid initiation attempt, close SA */
1286 return DESTROY_ME;
1287 }
1288 }
1289
1290 if (msg->get_first_payload_type(msg) == PLV1_FRAGMENT)
1291 {
1292 return handle_fragment(this, msg);
1293 }
1294 return status;
1295 }
1296
1297 /**
1298 * Queue the given message if possible
1299 */
1300 static status_t queue_message(private_task_manager_t *this, message_t *msg)
1301 {
1302 if (this->queued)
1303 {
1304 DBG1(DBG_IKE, "ignoring %N request, queue full",
1305 exchange_type_names, msg->get_exchange_type(msg));
1306 return FAILED;
1307 }
1308 this->queued = message_create_from_packet(msg->get_packet(msg));
1309 if (this->queued->parse_header(this->queued) != SUCCESS)
1310 {
1311 this->queued->destroy(this->queued);
1312 this->queued = NULL;
1313 return FAILED;
1314 }
1315 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1316 exchange_type_names, msg->get_exchange_type(msg));
1317 return SUCCESS;
1318 }
1319
1320 METHOD(task_manager_t, process_message, status_t,
1321 private_task_manager_t *this, message_t *msg)
1322 {
1323 uint32_t hash, mid, i;
1324 host_t *me, *other;
1325 status_t status;
1326
1327 /* TODO-IKEv1: update hosts more selectively */
1328 me = msg->get_destination(msg);
1329 other = msg->get_source(msg);
1330 mid = msg->get_message_id(msg);
1331 hash = chunk_hash(msg->get_packet_data(msg));
1332 for (i = 0; i < MAX_OLD_HASHES; i++)
1333 {
1334 if (this->initiating.old_hashes[i] == hash)
1335 {
1336 if (array_count(this->initiating.packets) &&
1337 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
1338 (msg->get_exchange_type(msg) == QUICK_MODE ||
1339 msg->get_exchange_type(msg) == AGGRESSIVE))
1340 {
1341 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1342 "resending last request", mid);
1343 send_packets(this, this->initiating.packets);
1344 return SUCCESS;
1345 }
1346 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1347 "but next request already sent", mid);
1348 return SUCCESS;
1349 }
1350 }
1351
1352 if ((mid && mid == this->initiating.mid) ||
1353 (this->initiating.mid == 0 &&
1354 msg->get_exchange_type(msg) == this->initiating.type &&
1355 this->active_tasks->get_count(this->active_tasks)))
1356 {
1357 msg->set_request(msg, FALSE);
1358 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1359 status = parse_message(this, msg);
1360 if (status == NEED_MORE)
1361 {
1362 return SUCCESS;
1363 }
1364 if (status != SUCCESS)
1365 {
1366 return status;
1367 }
1368 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1369 time_monotonic(NULL));
1370 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1371 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1372 if (process_response(this, msg) != SUCCESS)
1373 {
1374 flush(this);
1375 return DESTROY_ME;
1376 }
1377 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
1378 MAX_OLD_HASHES] = hash;
1379 }
1380 else
1381 {
1382 if (hash == this->responding.hash)
1383 {
1384 if (array_count(this->responding.packets))
1385 {
1386 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1387 "retransmitting response", mid);
1388 send_packets(this, this->responding.packets);
1389 }
1390 else if (array_count(this->initiating.packets) &&
1391 this->initiating.type == INFORMATIONAL_V1)
1392 {
1393 DBG1(DBG_IKE, "received retransmit of DPD request, "
1394 "retransmitting response");
1395 send_packets(this, this->initiating.packets);
1396 }
1397 else
1398 {
1399 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1400 "but no response to retransmit", mid);
1401 }
1402 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1403 return SUCCESS;
1404 }
1405
1406 /* reject Main/Aggressive Modes once established */
1407 if (msg->get_exchange_type(msg) == ID_PROT ||
1408 msg->get_exchange_type(msg) == AGGRESSIVE)
1409 {
1410 if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
1411 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
1412 msg->get_first_payload_type(msg) != PLV1_FRAGMENT)
1413 {
1414 DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
1415 exchange_type_names, msg->get_exchange_type(msg));
1416 return FAILED;
1417 }
1418 }
1419
1420 /* drop XAuth/Mode Config/Quick Mode messages until we received the last
1421 * Aggressive Mode message. since Informational messages are not
1422 * retransmitted we queue them. */
1423 if (have_task_queued(this, TASK_AGGRESSIVE_MODE))
1424 {
1425 if (msg->get_exchange_type(msg) == INFORMATIONAL_V1)
1426 {
1427 return queue_message(this, msg);
1428 }
1429 else if (msg->get_exchange_type(msg) != AGGRESSIVE)
1430 {
1431 DBG1(DBG_IKE, "ignoring %N request while phase 1 is incomplete",
1432 exchange_type_names, msg->get_exchange_type(msg));
1433 return FAILED;
1434 }
1435 }
1436
1437 /* queue XAuth/Mode Config messages unless the Main Mode exchange we
1438 * initiated is complete */
1439 if (msg->get_exchange_type(msg) == TRANSACTION &&
1440 this->active_tasks->get_count(this->active_tasks))
1441 {
1442 return queue_message(this, msg);
1443 }
1444
1445 /* some peers send INITIAL_CONTACT notifies during XAuth, cache it */
1446 if (have_task_queued(this, TASK_XAUTH) &&
1447 msg->get_exchange_type(msg) == INFORMATIONAL_V1)
1448 {
1449 return queue_message(this, msg);
1450 }
1451
1452 msg->set_request(msg, TRUE);
1453 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1454 status = parse_message(this, msg);
1455 if (status == NEED_MORE)
1456 {
1457 return SUCCESS;
1458 }
1459 if (status != SUCCESS)
1460 {
1461 return status;
1462 }
1463 /* if this IKE_SA is virgin, we check for a config */
1464 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1465 {
1466 ike_sa_id_t *ike_sa_id;
1467 ike_cfg_t *ike_cfg;
1468 job_t *job;
1469
1470 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1471 me, other, IKEV1);
1472 if (ike_cfg == NULL)
1473 {
1474 /* no config found for these hosts, destroy */
1475 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1476 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1477 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1478 return DESTROY_ME;
1479 }
1480 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1481 ike_cfg->destroy(ike_cfg);
1482 /* add a timeout if peer does not establish it completely */
1483 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1484 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1485 lib->scheduler->schedule_job(lib->scheduler, job,
1486 lib->settings->get_int(lib->settings,
1487 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1488 lib->ns));
1489 }
1490 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1491 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1492 if (process_request(this, msg) != SUCCESS)
1493 {
1494 flush(this);
1495 return DESTROY_ME;
1496 }
1497 this->responding.hash = hash;
1498 }
1499 return SUCCESS;
1500 }
1501
1502 /**
1503 * Check if a given task has been queued already
1504 */
1505 static bool has_queued(private_task_manager_t *this, task_type_t type)
1506 {
1507 enumerator_t *enumerator;
1508 bool found = FALSE;
1509 task_t *task;
1510
1511 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1512 while (enumerator->enumerate(enumerator, &task))
1513 {
1514 if (task->get_type(task) == type)
1515 {
1516 found = TRUE;
1517 break;
1518 }
1519 }
1520 enumerator->destroy(enumerator);
1521 return found;
1522 }
1523
1524 METHOD(task_manager_t, queue_task_delayed, void,
1525 private_task_manager_t *this, task_t *task, uint32_t delay)
1526 {
1527 task_type_t type = task->get_type(task);
1528
1529 switch (type)
1530 {
1531 case TASK_MODE_CONFIG:
1532 case TASK_XAUTH:
1533 if (has_queued(this, type))
1534 {
1535 task->destroy(task);
1536 return;
1537 }
1538 break;
1539 default:
1540 break;
1541 }
1542 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1543 this->queued_tasks->insert_last(this->queued_tasks, task);
1544 }
1545
1546 METHOD(task_manager_t, queue_task, void,
1547 private_task_manager_t *this, task_t *task)
1548 {
1549 queue_task_delayed(this, task, 0);
1550 }
1551
1552 METHOD(task_manager_t, queue_ike, void,
1553 private_task_manager_t *this)
1554 {
1555 peer_cfg_t *peer_cfg;
1556
1557 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1558 {
1559 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1560 }
1561 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1562 {
1563 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1564 }
1565 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1566 if (peer_cfg->use_aggressive(peer_cfg))
1567 {
1568 if (!has_queued(this, TASK_AGGRESSIVE_MODE))
1569 {
1570 queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
1571 }
1572 }
1573 else
1574 {
1575 if (!has_queued(this, TASK_MAIN_MODE))
1576 {
1577 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1578 }
1579 }
1580 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1581 {
1582 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1583 }
1584 if (!has_queued(this, TASK_ISAKMP_NATD))
1585 {
1586 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1587 }
1588 }
1589
1590 METHOD(task_manager_t, queue_ike_reauth, void,
1591 private_task_manager_t *this)
1592 {
1593 enumerator_t *enumerator;
1594 child_sa_t *child_sa;
1595 ike_sa_t *new;
1596 host_t *host;
1597
1598 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1599 this->ike_sa->get_version(this->ike_sa), TRUE);
1600 if (!new)
1601 { /* shouldn't happen */
1602 return;
1603 }
1604
1605 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1606 host = this->ike_sa->get_other_host(this->ike_sa);
1607 new->set_other_host(new, host->clone(host));
1608 host = this->ike_sa->get_my_host(this->ike_sa);
1609 new->set_my_host(new, host->clone(host));
1610 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1611 while (enumerator->enumerate(enumerator, &host))
1612 {
1613 new->add_virtual_ip(new, TRUE, host);
1614 }
1615 enumerator->destroy(enumerator);
1616
1617 charon->bus->children_migrate(charon->bus, new->get_id(new),
1618 new->get_unique_id(new));
1619 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1620 while (enumerator->enumerate(enumerator, &child_sa))
1621 {
1622 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1623 new->add_child_sa(new, child_sa);
1624 }
1625 enumerator->destroy(enumerator);
1626 charon->bus->set_sa(charon->bus, new);
1627 charon->bus->children_migrate(charon->bus, NULL, 0);
1628 charon->bus->set_sa(charon->bus, this->ike_sa);
1629
1630 if (!new->get_child_count(new))
1631 { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
1632 task_t *task;
1633
1634 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1635 while (enumerator->enumerate(enumerator, &task))
1636 {
1637 if (task->get_type(task) == TASK_QUICK_MODE)
1638 {
1639 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
1640 task->migrate(task, new);
1641 new->queue_task(new, task);
1642 }
1643 }
1644 enumerator->destroy(enumerator);
1645 }
1646
1647 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1648 {
1649 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1650 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1651 }
1652 else
1653 {
1654 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1655 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1656 }
1657 charon->bus->set_sa(charon->bus, this->ike_sa);
1658 }
1659
1660 METHOD(task_manager_t, queue_ike_rekey, void,
1661 private_task_manager_t *this)
1662 {
1663 queue_ike_reauth(this);
1664 }
1665
1666 METHOD(task_manager_t, queue_ike_delete, void,
1667 private_task_manager_t *this)
1668 {
1669 enumerator_t *enumerator;
1670 child_sa_t *child_sa;
1671
1672 /* cancel any currently active task to get the DELETE done quickly */
1673 flush_queue(this, TASK_QUEUE_ACTIVE);
1674
1675 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1676 while (enumerator->enumerate(enumerator, &child_sa))
1677 {
1678 queue_task(this, (task_t*)
1679 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1680 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1681 }
1682 enumerator->destroy(enumerator);
1683
1684 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1685 }
1686
1687 METHOD(task_manager_t, queue_mobike, void,
1688 private_task_manager_t *this, bool roam, bool address)
1689 {
1690 /* Not supported in IKEv1 */
1691 }
1692
1693 METHOD(task_manager_t, queue_child, void,
1694 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
1695 traffic_selector_t *tsi, traffic_selector_t *tsr)
1696 {
1697 quick_mode_t *task;
1698
1699 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1700 task->use_reqid(task, reqid);
1701
1702 queue_task(this, &task->task);
1703 }
1704
1705 /**
1706 * Check if two CHILD_SAs have the same traffic selector
1707 */
1708 static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
1709 {
1710 enumerator_t *e1, *e2;
1711 traffic_selector_t *ts1, *ts2;
1712 bool equal = FALSE;
1713
1714 e1 = child1->create_ts_enumerator(child1, local);
1715 e2 = child2->create_ts_enumerator(child2, local);
1716 if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
1717 {
1718 equal = ts1->equals(ts1, ts2);
1719 }
1720 e2->destroy(e2);
1721 e1->destroy(e1);
1722
1723 return equal;
1724 }
1725
1726 /**
1727 * Check if a CHILD_SA is redundant and we should delete instead of rekey
1728 */
1729 static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
1730 {
1731 enumerator_t *enumerator;
1732 child_sa_t *current;
1733 bool redundant = FALSE;
1734
1735 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1736 while (enumerator->enumerate(enumerator, &current))
1737 {
1738 if (current->get_state(current) == CHILD_INSTALLED &&
1739 streq(current->get_name(current), child_sa->get_name(child_sa)) &&
1740 have_equal_ts(current, child_sa, TRUE) &&
1741 have_equal_ts(current, child_sa, FALSE) &&
1742 current->get_lifetime(current, FALSE) >
1743 child_sa->get_lifetime(child_sa, FALSE))
1744 {
1745 DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
1746 child_sa->get_name(child_sa),
1747 child_sa->get_unique_id(child_sa));
1748 redundant = TRUE;
1749 break;
1750 }
1751 }
1752 enumerator->destroy(enumerator);
1753
1754 return redundant;
1755 }
1756
1757 /**
1758 * Get the first traffic selector of a CHILD_SA, local or remote
1759 */
1760 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
1761 {
1762 traffic_selector_t *ts = NULL;
1763 enumerator_t *enumerator;
1764
1765 enumerator = child_sa->create_ts_enumerator(child_sa, local);
1766 enumerator->enumerate(enumerator, &ts);
1767 enumerator->destroy(enumerator);
1768
1769 return ts;
1770 }
1771
1772 METHOD(task_manager_t, queue_child_rekey, void,
1773 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
1774 {
1775 child_sa_t *child_sa;
1776 child_cfg_t *cfg;
1777 quick_mode_t *task;
1778
1779 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1780 if (!child_sa)
1781 {
1782 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1783 }
1784 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1785 {
1786 if (is_redundant(this, child_sa))
1787 {
1788 child_sa->set_state(child_sa, CHILD_REKEYED);
1789 queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
1790 protocol, spi, FALSE, FALSE));
1791 }
1792 else
1793 {
1794 child_sa->set_state(child_sa, CHILD_REKEYING);
1795 cfg = child_sa->get_config(child_sa);
1796 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
1797 get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
1798 task->use_reqid(task, child_sa->get_reqid(child_sa));
1799 task->use_marks(task, child_sa->get_mark(child_sa, TRUE).value,
1800 child_sa->get_mark(child_sa, FALSE).value);
1801 task->rekey(task, child_sa->get_spi(child_sa, TRUE));
1802
1803 queue_task(this, &task->task);
1804 }
1805 }
1806 }
1807
1808 METHOD(task_manager_t, queue_child_delete, void,
1809 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
1810 bool expired)
1811 {
1812 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1813 spi, FALSE, expired));
1814 }
1815
1816 METHOD(task_manager_t, queue_dpd, void,
1817 private_task_manager_t *this)
1818 {
1819 peer_cfg_t *peer_cfg;
1820 uint32_t t, retransmit;
1821
1822 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
1823 this->dpd_send++));
1824 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1825
1826 /* compute timeout in milliseconds */
1827 t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
1828 if (t == 0)
1829 {
1830 /* use the same timeout as a retransmitting IKE message would have */
1831 for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
1832 {
1833 t += (uint32_t)(this->retransmit_timeout * 1000.0 *
1834 pow(this->retransmit_base, retransmit));
1835 }
1836 }
1837 /* compensate for the already elapsed dpd delay */
1838 t -= 1000 * peer_cfg->get_dpd(peer_cfg);
1839
1840 /* schedule DPD timeout job */
1841 lib->scheduler->schedule_job_ms(lib->scheduler,
1842 (job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
1843 }
1844
1845 METHOD(task_manager_t, adopt_tasks, void,
1846 private_task_manager_t *this, task_manager_t *other_public)
1847 {
1848 private_task_manager_t *other = (private_task_manager_t*)other_public;
1849 task_t *task;
1850
1851 /* move queued tasks from other to this */
1852 while (other->queued_tasks->remove_last(other->queued_tasks,
1853 (void**)&task) == SUCCESS)
1854 {
1855 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1856 task->migrate(task, this->ike_sa);
1857 this->queued_tasks->insert_first(this->queued_tasks, task);
1858 }
1859 }
1860
1861 /**
1862 * Migrates child-creating tasks from src to dst
1863 */
1864 static void migrate_child_tasks(private_task_manager_t *this,
1865 linked_list_t *src, linked_list_t *dst)
1866 {
1867 enumerator_t *enumerator;
1868 task_t *task;
1869
1870 enumerator = src->create_enumerator(src);
1871 while (enumerator->enumerate(enumerator, &task))
1872 {
1873 if (task->get_type(task) == TASK_QUICK_MODE)
1874 {
1875 src->remove_at(src, enumerator);
1876 task->migrate(task, this->ike_sa);
1877 dst->insert_last(dst, task);
1878 }
1879 }
1880 enumerator->destroy(enumerator);
1881 }
1882
1883 METHOD(task_manager_t, adopt_child_tasks, void,
1884 private_task_manager_t *this, task_manager_t *other_public)
1885 {
1886 private_task_manager_t *other = (private_task_manager_t*)other_public;
1887
1888 /* move active child tasks from other to this */
1889 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1890 /* do the same for queued tasks */
1891 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1892 }
1893
1894 METHOD(task_manager_t, busy, bool,
1895 private_task_manager_t *this)
1896 {
1897 return (this->active_tasks->get_count(this->active_tasks) > 0);
1898 }
1899
1900 METHOD(task_manager_t, incr_mid, void,
1901 private_task_manager_t *this, bool initiate)
1902 {
1903 }
1904
1905 METHOD(task_manager_t, reset, void,
1906 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
1907 {
1908 enumerator_t *enumerator;
1909 task_t *task;
1910
1911 /* reset message counters and retransmit packets */
1912 clear_packets(this->responding.packets);
1913 clear_packets(this->initiating.packets);
1914 this->responding.seqnr = RESPONDING_SEQ;
1915 this->responding.retransmitted = 0;
1916 this->initiating.mid = 0;
1917 this->initiating.seqnr = 0;
1918 this->initiating.retransmitted = 0;
1919 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1920 DESTROY_IF(this->defrag);
1921 this->defrag = NULL;
1922 if (initiate != UINT_MAX)
1923 {
1924 this->dpd_send = initiate;
1925 }
1926 if (respond != UINT_MAX)
1927 {
1928 this->dpd_recv = respond;
1929 }
1930
1931 /* reset queued tasks */
1932 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1933 while (enumerator->enumerate(enumerator, &task))
1934 {
1935 task->migrate(task, this->ike_sa);
1936 }
1937 enumerator->destroy(enumerator);
1938
1939 /* reset active tasks */
1940 while (this->active_tasks->remove_last(this->active_tasks,
1941 (void**)&task) == SUCCESS)
1942 {
1943 task->migrate(task, this->ike_sa);
1944 this->queued_tasks->insert_first(this->queued_tasks, task);
1945 }
1946 }
1947
1948 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1949 private_task_manager_t *this, task_queue_t queue)
1950 {
1951 switch (queue)
1952 {
1953 case TASK_QUEUE_ACTIVE:
1954 return this->active_tasks->create_enumerator(this->active_tasks);
1955 case TASK_QUEUE_PASSIVE:
1956 return this->passive_tasks->create_enumerator(this->passive_tasks);
1957 case TASK_QUEUE_QUEUED:
1958 return this->queued_tasks->create_enumerator(this->queued_tasks);
1959 default:
1960 return enumerator_create_empty();
1961 }
1962 }
1963
1964 METHOD(task_manager_t, destroy, void,
1965 private_task_manager_t *this)
1966 {
1967 flush(this);
1968
1969 this->active_tasks->destroy(this->active_tasks);
1970 this->queued_tasks->destroy(this->queued_tasks);
1971 this->passive_tasks->destroy(this->passive_tasks);
1972 DESTROY_IF(this->defrag);
1973
1974 DESTROY_IF(this->queued);
1975 clear_packets(this->responding.packets);
1976 array_destroy(this->responding.packets);
1977 clear_packets(this->initiating.packets);
1978 array_destroy(this->initiating.packets);
1979 DESTROY_IF(this->rng);
1980 free(this);
1981 }
1982
1983 /*
1984 * see header file
1985 */
1986 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
1987 {
1988 private_task_manager_t *this;
1989
1990 INIT(this,
1991 .public = {
1992 .task_manager = {
1993 .process_message = _process_message,
1994 .queue_task = _queue_task,
1995 .queue_task_delayed = _queue_task_delayed,
1996 .queue_ike = _queue_ike,
1997 .queue_ike_rekey = _queue_ike_rekey,
1998 .queue_ike_reauth = _queue_ike_reauth,
1999 .queue_ike_delete = _queue_ike_delete,
2000 .queue_mobike = _queue_mobike,
2001 .queue_child = _queue_child,
2002 .queue_child_rekey = _queue_child_rekey,
2003 .queue_child_delete = _queue_child_delete,
2004 .queue_dpd = _queue_dpd,
2005 .initiate = _initiate,
2006 .retransmit = _retransmit,
2007 .incr_mid = _incr_mid,
2008 .reset = _reset,
2009 .adopt_tasks = _adopt_tasks,
2010 .adopt_child_tasks = _adopt_child_tasks,
2011 .busy = _busy,
2012 .create_task_enumerator = _create_task_enumerator,
2013 .flush = _flush,
2014 .flush_queue = _flush_queue,
2015 .destroy = _destroy,
2016 },
2017 },
2018 .initiating = {
2019 .type = EXCHANGE_TYPE_UNDEFINED,
2020 },
2021 .responding = {
2022 .seqnr = RESPONDING_SEQ,
2023 },
2024 .ike_sa = ike_sa,
2025 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
2026 .queued_tasks = linked_list_create(),
2027 .active_tasks = linked_list_create(),
2028 .passive_tasks = linked_list_create(),
2029 .retransmit_tries = lib->settings->get_int(lib->settings,
2030 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2031 .retransmit_timeout = lib->settings->get_double(lib->settings,
2032 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2033 .retransmit_base = lib->settings->get_double(lib->settings,
2034 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2035 );
2036
2037 if (!this->rng)
2038 {
2039 DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
2040 destroy(this);
2041 return NULL;
2042 }
2043 if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
2044 (void*)&this->dpd_send))
2045 {
2046 DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
2047 destroy(this);
2048 return NULL;
2049 }
2050 this->dpd_send &= 0x7FFFFFFF;
2051
2052 return &this->public;
2053 }