Store inbound IKE fragments and reassemble the message when all fragments are received
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2012 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/aggressive_mode.h>
24 #include <sa/ikev1/tasks/quick_mode.h>
25 #include <sa/ikev1/tasks/quick_delete.h>
26 #include <sa/ikev1/tasks/xauth.h>
27 #include <sa/ikev1/tasks/mode_config.h>
28 #include <sa/ikev1/tasks/informational.h>
29 #include <sa/ikev1/tasks/isakmp_natd.h>
30 #include <sa/ikev1/tasks/isakmp_vendor.h>
31 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
32 #include <sa/ikev1/tasks/isakmp_cert_post.h>
33 #include <sa/ikev1/tasks/isakmp_delete.h>
34 #include <sa/ikev1/tasks/isakmp_dpd.h>
35
36 #include <processing/jobs/retransmit_job.h>
37 #include <processing/jobs/delete_ike_sa_job.h>
38 #include <processing/jobs/dpd_timeout_job.h>
39 #include <processing/jobs/process_message_job.h>
40
41 #include <encoding/payloads/fragment_payload.h>
42
43 /**
44 * Number of old messages hashes we keep for retransmission.
45 *
46 * In Main Mode, we must ignore messages from a previous message pair if
47 * we already continued to the next. Otherwise a late retransmission
48 * could be considered as a reply to the newer request.
49 */
50 #define MAX_OLD_HASHES 2
51
52 /**
53 * First sequence number of responding packets.
54 *
55 * To distinguish retransmission jobs for initiating and responding packets,
56 * we split up the sequence counter and use the upper half for responding.
57 */
58 #define RESPONDING_SEQ INT_MAX
59
60 typedef struct exchange_t exchange_t;
61
62 /**
63 * An exchange in the air, used do detect and handle retransmission
64 */
65 struct exchange_t {
66
67 /**
68 * Message ID used for this transaction
69 */
70 u_int32_t mid;
71
72 /**
73 * generated packet for retransmission
74 */
75 packet_t *packet;
76 };
77
78 typedef struct private_task_manager_t private_task_manager_t;
79
80 /**
81 * private data of the task manager
82 */
83 struct private_task_manager_t {
84
85 /**
86 * public functions
87 */
88 task_manager_v1_t public;
89
90 /**
91 * associated IKE_SA we are serving
92 */
93 ike_sa_t *ike_sa;
94
95 /**
96 * RNG to create message IDs
97 */
98 rng_t *rng;
99
100 /**
101 * Exchange we are currently handling as responder
102 */
103 struct {
104 /**
105 * Message ID of the last response
106 */
107 u_int32_t mid;
108
109 /**
110 * Hash of a previously received message
111 */
112 u_int32_t hash;
113
114 /**
115 * packet for retransmission
116 */
117 packet_t *packet;
118
119 /**
120 * Sequence number of the last sent message
121 */
122 u_int32_t seqnr;
123
124 /**
125 * how many times we have retransmitted so far
126 */
127 u_int retransmitted;
128
129 } responding;
130
131 /**
132 * Exchange we are currently handling as initiator
133 */
134 struct {
135 /**
136 * Message ID of the exchange
137 */
138 u_int32_t mid;
139
140 /**
141 * Hashes of old responses we can ignore
142 */
143 u_int32_t old_hashes[MAX_OLD_HASHES];
144
145 /**
146 * Position in old hash array
147 */
148 int old_hash_pos;
149
150 /**
151 * Sequence number of the last sent message
152 */
153 u_int32_t seqnr;
154
155 /**
156 * how many times we have retransmitted so far
157 */
158 u_int retransmitted;
159
160 /**
161 * packet for retransmission
162 */
163 packet_t *packet;
164
165 /**
166 * type of the initiated exchange
167 */
168 exchange_type_t type;
169
170 } initiating;
171
172 /**
173 * Data used to reassemble a fragmented message
174 */
175 struct {
176
177 /**
178 * Fragment ID (currently only one is supported at a time)
179 */
180 u_int16_t id;
181
182 /**
183 * The number of the last fragment (in case we receive the fragments out
184 * of order), since the first starts with 1 this defines the number of
185 * fragments we expect
186 */
187 u_int8_t last;
188
189 /**
190 * List of fragments (fragment_t*)
191 */
192 linked_list_t *list;
193
194 } frag;
195
196 /**
197 * List of queued tasks not yet in action
198 */
199 linked_list_t *queued_tasks;
200
201 /**
202 * List of active tasks, initiated by ourselves
203 */
204 linked_list_t *active_tasks;
205
206 /**
207 * List of tasks initiated by peer
208 */
209 linked_list_t *passive_tasks;
210
211 /**
212 * Queued messages not yet ready to process
213 */
214 message_t *queued;
215
216 /**
217 * Number of times we retransmit messages before giving up
218 */
219 u_int retransmit_tries;
220
221 /**
222 * Retransmission timeout
223 */
224 double retransmit_timeout;
225
226 /**
227 * Base to calculate retransmission timeout
228 */
229 double retransmit_base;
230
231 /**
232 * Sequence number for sending DPD requests
233 */
234 u_int32_t dpd_send;
235
236 /**
237 * Sequence number for received DPD requests
238 */
239 u_int32_t dpd_recv;
240 };
241
242 /**
243 * A single fragment within a fragmented message
244 */
245 typedef struct {
246
247 /** fragment number */
248 u_int8_t num;
249
250 /** fragment data */
251 chunk_t data;
252
253 } fragment_t;
254
255 static void fragment_destroy(fragment_t *this)
256 {
257 chunk_free(&this->data);
258 free(this);
259 }
260
261 static void clear_fragments(private_task_manager_t *this, u_int16_t id)
262 {
263 DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
264 this->frag.list = NULL;
265 this->frag.last = 0;
266 this->frag.id = id;
267 }
268
269 METHOD(task_manager_t, flush_queue, void,
270 private_task_manager_t *this, task_queue_t queue)
271 {
272 linked_list_t *list;
273 task_t *task;
274
275 if (this->queued)
276 {
277 this->queued->destroy(this->queued);
278 this->queued = NULL;
279 }
280 switch (queue)
281 {
282 case TASK_QUEUE_ACTIVE:
283 list = this->active_tasks;
284 /* cancel pending retransmits */
285 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
286 DESTROY_IF(this->initiating.packet);
287 this->initiating.packet = NULL;
288 break;
289 case TASK_QUEUE_PASSIVE:
290 list = this->passive_tasks;
291 break;
292 case TASK_QUEUE_QUEUED:
293 list = this->queued_tasks;
294 break;
295 default:
296 return;
297 }
298 while (list->remove_last(list, (void**)&task) == SUCCESS)
299 {
300 task->destroy(task);
301 }
302 }
303
304 /**
305 * flush all tasks in the task manager
306 */
307 static void flush(private_task_manager_t *this)
308 {
309 flush_queue(this, TASK_QUEUE_QUEUED);
310 flush_queue(this, TASK_QUEUE_PASSIVE);
311 flush_queue(this, TASK_QUEUE_ACTIVE);
312 }
313
314 /**
315 * move a task of a specific type from the queue to the active list
316 */
317 static bool activate_task(private_task_manager_t *this, task_type_t type)
318 {
319 enumerator_t *enumerator;
320 task_t *task;
321 bool found = FALSE;
322
323 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
324 while (enumerator->enumerate(enumerator, (void**)&task))
325 {
326 if (task->get_type(task) == type)
327 {
328 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
329 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
330 this->active_tasks->insert_last(this->active_tasks, task);
331 found = TRUE;
332 break;
333 }
334 }
335 enumerator->destroy(enumerator);
336 return found;
337 }
338
339 /**
340 * Retransmit a packet, either as initiator or as responder
341 */
342 static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
343 u_int mid, u_int retransmitted, packet_t *packet)
344 {
345 u_int32_t t;
346
347 if (retransmitted > this->retransmit_tries)
348 {
349 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
350 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
351 return DESTROY_ME;
352 }
353 t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
354 pow(this->retransmit_base, retransmitted));
355 if (retransmitted)
356 {
357 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
358 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
359 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
360 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
361 }
362 charon->sender->send(charon->sender, packet->clone(packet));
363 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
364 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
365 return NEED_MORE;
366 }
367
368 METHOD(task_manager_t, retransmit, status_t,
369 private_task_manager_t *this, u_int32_t seqnr)
370 {
371 status_t status = SUCCESS;
372
373 if (seqnr == this->initiating.seqnr && this->initiating.packet)
374 {
375 status = retransmit_packet(this, seqnr, this->initiating.mid,
376 this->initiating.retransmitted, this->initiating.packet);
377 if (status == NEED_MORE)
378 {
379 this->initiating.retransmitted++;
380 status = SUCCESS;
381 }
382 }
383 if (seqnr == this->responding.seqnr && this->responding.packet)
384 {
385 status = retransmit_packet(this, seqnr, this->responding.mid,
386 this->responding.retransmitted, this->responding.packet);
387 if (status == NEED_MORE)
388 {
389 this->responding.retransmitted++;
390 status = SUCCESS;
391 }
392 }
393 return status;
394 }
395
396 /**
397 * Check if we have to wait for a mode config before starting a quick mode
398 */
399 static bool mode_config_expected(private_task_manager_t *this)
400 {
401 enumerator_t *enumerator;
402 peer_cfg_t *peer_cfg;
403 char *pool;
404 host_t *host;
405
406 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
407 if (peer_cfg)
408 {
409 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
410 if (!enumerator->enumerate(enumerator, &pool))
411 { /* no pool configured */
412 enumerator->destroy(enumerator);
413 return FALSE;
414 }
415 enumerator->destroy(enumerator);
416
417 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
418 FALSE);
419 if (!enumerator->enumerate(enumerator, &host))
420 { /* have a pool, but no VIP assigned yet */
421 enumerator->destroy(enumerator);
422 return TRUE;
423 }
424 enumerator->destroy(enumerator);
425 }
426 return FALSE;
427 }
428
429 METHOD(task_manager_t, initiate, status_t,
430 private_task_manager_t *this)
431 {
432 enumerator_t *enumerator;
433 task_t *task;
434 message_t *message;
435 host_t *me, *other;
436 status_t status;
437 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
438 bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
439
440 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
441 this->initiating.type != INFORMATIONAL_V1)
442 {
443 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
444 exchange_type_names, this->initiating.type);
445 /* do not initiate if we already have a message in the air */
446 return SUCCESS;
447 }
448
449 if (this->active_tasks->get_count(this->active_tasks) == 0)
450 {
451 DBG2(DBG_IKE, "activating new tasks");
452 switch (this->ike_sa->get_state(this->ike_sa))
453 {
454 case IKE_CREATED:
455 activate_task(this, TASK_ISAKMP_VENDOR);
456 activate_task(this, TASK_ISAKMP_CERT_PRE);
457 if (activate_task(this, TASK_MAIN_MODE))
458 {
459 exchange = ID_PROT;
460 }
461 else if (activate_task(this, TASK_AGGRESSIVE_MODE))
462 {
463 exchange = AGGRESSIVE;
464 }
465 activate_task(this, TASK_ISAKMP_CERT_POST);
466 activate_task(this, TASK_ISAKMP_NATD);
467 break;
468 case IKE_CONNECTING:
469 if (activate_task(this, TASK_ISAKMP_DELETE))
470 {
471 exchange = INFORMATIONAL_V1;
472 new_mid = TRUE;
473 break;
474 }
475 if (activate_task(this, TASK_XAUTH))
476 {
477 exchange = TRANSACTION;
478 new_mid = TRUE;
479 break;
480 }
481 if (activate_task(this, TASK_INFORMATIONAL))
482 {
483 exchange = INFORMATIONAL_V1;
484 new_mid = TRUE;
485 break;
486 }
487 break;
488 case IKE_ESTABLISHED:
489 if (activate_task(this, TASK_MODE_CONFIG))
490 {
491 exchange = TRANSACTION;
492 new_mid = TRUE;
493 break;
494 }
495 if (!mode_config_expected(this) &&
496 activate_task(this, TASK_QUICK_MODE))
497 {
498 exchange = QUICK_MODE;
499 new_mid = TRUE;
500 break;
501 }
502 if (activate_task(this, TASK_INFORMATIONAL))
503 {
504 exchange = INFORMATIONAL_V1;
505 new_mid = TRUE;
506 break;
507 }
508 if (activate_task(this, TASK_QUICK_DELETE))
509 {
510 exchange = INFORMATIONAL_V1;
511 new_mid = TRUE;
512 break;
513 }
514 if (activate_task(this, TASK_ISAKMP_DELETE))
515 {
516 exchange = INFORMATIONAL_V1;
517 new_mid = TRUE;
518 break;
519 }
520 if (activate_task(this, TASK_ISAKMP_DPD))
521 {
522 exchange = INFORMATIONAL_V1;
523 new_mid = TRUE;
524 break;
525 }
526 break;
527 default:
528 break;
529 }
530 }
531 else
532 {
533 DBG2(DBG_IKE, "reinitiating already active tasks");
534 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
535 while (enumerator->enumerate(enumerator, (void**)&task))
536 {
537 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
538 switch (task->get_type(task))
539 {
540 case TASK_MAIN_MODE:
541 exchange = ID_PROT;
542 break;
543 case TASK_AGGRESSIVE_MODE:
544 exchange = AGGRESSIVE;
545 break;
546 case TASK_QUICK_MODE:
547 exchange = QUICK_MODE;
548 break;
549 case TASK_XAUTH:
550 exchange = TRANSACTION;
551 new_mid = TRUE;
552 break;
553 default:
554 continue;
555 }
556 break;
557 }
558 enumerator->destroy(enumerator);
559 }
560
561 if (exchange == EXCHANGE_TYPE_UNDEFINED)
562 {
563 DBG2(DBG_IKE, "nothing to initiate");
564 /* nothing to do yet... */
565 return SUCCESS;
566 }
567
568 me = this->ike_sa->get_my_host(this->ike_sa);
569 other = this->ike_sa->get_other_host(this->ike_sa);
570
571 if (new_mid)
572 {
573 if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
574 (void*)&this->initiating.mid))
575 {
576 DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
577 flush(this);
578 return DESTROY_ME;
579 }
580 }
581 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
582 message->set_message_id(message, this->initiating.mid);
583 message->set_source(message, me->clone(me));
584 message->set_destination(message, other->clone(other));
585 message->set_exchange_type(message, exchange);
586 this->initiating.type = exchange;
587 this->initiating.retransmitted = 0;
588
589 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
590 while (enumerator->enumerate(enumerator, (void*)&task))
591 {
592 switch (task->build(task, message))
593 {
594 case SUCCESS:
595 /* task completed, remove it */
596 this->active_tasks->remove_at(this->active_tasks, enumerator);
597 if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
598 task->get_type(task) == TASK_QUICK_MODE)
599 { /* last message of three message exchange */
600 keep = TRUE;
601 }
602 task->destroy(task);
603 continue;
604 case NEED_MORE:
605 expect_response = TRUE;
606 /* processed, but task needs another exchange */
607 continue;
608 case ALREADY_DONE:
609 cancelled = TRUE;
610 break;
611 case FAILED:
612 default:
613 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
614 {
615 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
616 }
617 /* FALL */
618 case DESTROY_ME:
619 /* critical failure, destroy IKE_SA */
620 enumerator->destroy(enumerator);
621 message->destroy(message);
622 flush(this);
623 return DESTROY_ME;
624 }
625 break;
626 }
627 enumerator->destroy(enumerator);
628
629 if (this->active_tasks->get_count(this->active_tasks) == 0 &&
630 (exchange == QUICK_MODE || exchange == AGGRESSIVE))
631 { /* tasks completed, no exchange active anymore */
632 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
633 }
634 if (cancelled)
635 {
636 message->destroy(message);
637 return initiate(this);
638 }
639
640 DESTROY_IF(this->initiating.packet);
641 status = this->ike_sa->generate_message(this->ike_sa, message,
642 &this->initiating.packet);
643 if (status != SUCCESS)
644 {
645 /* message generation failed. There is nothing more to do than to
646 * close the SA */
647 message->destroy(message);
648 flush(this);
649 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
650 return DESTROY_ME;
651 }
652
653 this->initiating.seqnr++;
654 if (expect_response)
655 {
656 message->destroy(message);
657 return retransmit(this, this->initiating.seqnr);
658 }
659 if (keep)
660 { /* keep the packet for retransmission, the responder might request it */
661 charon->sender->send(charon->sender,
662 this->initiating.packet->clone(this->initiating.packet));
663 }
664 else
665 {
666 charon->sender->send(charon->sender, this->initiating.packet);
667 this->initiating.packet = NULL;
668 }
669 message->destroy(message);
670
671 if (exchange == INFORMATIONAL_V1)
672 {
673 switch (this->ike_sa->get_state(this->ike_sa))
674 {
675 case IKE_CONNECTING:
676 /* close after sending an INFORMATIONAL when unestablished */
677 return FAILED;
678 case IKE_DELETING:
679 /* close after sending a DELETE */
680 return DESTROY_ME;
681 default:
682 break;
683 }
684 }
685 return initiate(this);
686 }
687
688 /**
689 * build a response depending on the "passive" task list
690 */
691 static status_t build_response(private_task_manager_t *this, message_t *request)
692 {
693 enumerator_t *enumerator;
694 task_t *task;
695 message_t *message;
696 host_t *me, *other;
697 bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
698 status_t status;
699
700 me = request->get_destination(request);
701 other = request->get_source(request);
702
703 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
704 message->set_exchange_type(message, request->get_exchange_type(request));
705 /* send response along the path the request came in */
706 message->set_source(message, me->clone(me));
707 message->set_destination(message, other->clone(other));
708 message->set_message_id(message, request->get_message_id(request));
709 message->set_request(message, FALSE);
710
711 this->responding.mid = request->get_message_id(request);
712 this->responding.retransmitted = 0;
713 this->responding.seqnr++;
714
715 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
716 while (enumerator->enumerate(enumerator, (void*)&task))
717 {
718 switch (task->build(task, message))
719 {
720 case SUCCESS:
721 /* task completed, remove it */
722 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
723 task->destroy(task);
724 continue;
725 case NEED_MORE:
726 /* processed, but task needs another exchange */
727 if (task->get_type(task) == TASK_QUICK_MODE ||
728 task->get_type(task) == TASK_AGGRESSIVE_MODE)
729 { /* we rely on initiator retransmission, except for
730 * three-message exchanges */
731 expect_request = TRUE;
732 }
733 continue;
734 case ALREADY_DONE:
735 cancelled = TRUE;
736 break;
737 case FAILED:
738 default:
739 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
740 /* FALL */
741 case DESTROY_ME:
742 /* destroy IKE_SA, but SEND response first */
743 delete = TRUE;
744 break;
745 }
746 break;
747 }
748 enumerator->destroy(enumerator);
749
750 DESTROY_IF(this->responding.packet);
751 this->responding.packet = NULL;
752 if (cancelled)
753 {
754 message->destroy(message);
755 return initiate(this);
756 }
757 status = this->ike_sa->generate_message(this->ike_sa, message,
758 &this->responding.packet);
759 message->destroy(message);
760 if (status != SUCCESS)
761 {
762 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
763 return DESTROY_ME;
764 }
765
766 if (expect_request && !delete)
767 {
768 return retransmit(this, this->responding.seqnr);
769 }
770 charon->sender->send(charon->sender,
771 this->responding.packet->clone(this->responding.packet));
772 if (delete)
773 {
774 return DESTROY_ME;
775 }
776 return SUCCESS;
777 }
778
779 /**
780 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
781 * The notify protocol_id is set to ISAKMP
782 */
783 static void send_notify(private_task_manager_t *this, message_t *request,
784 notify_type_t type)
785 {
786 message_t *response;
787 packet_t *packet;
788 host_t *me, *other;
789 u_int32_t mid;
790
791 if (request->get_exchange_type(request) == INFORMATIONAL_V1)
792 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
793 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
794 return;
795 }
796 if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
797 {
798 DBG1(DBG_IKE, "failed to allocate message ID");
799 return;
800 }
801 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
802 response->set_exchange_type(response, INFORMATIONAL_V1);
803 response->set_request(response, TRUE);
804 response->set_message_id(response, mid);
805 response->add_payload(response, (payload_t*)
806 notify_payload_create_from_protocol_and_type(NOTIFY_V1,
807 PROTO_IKE, type));
808
809 me = this->ike_sa->get_my_host(this->ike_sa);
810 if (me->is_anyaddr(me))
811 {
812 me = request->get_destination(request);
813 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
814 }
815 other = this->ike_sa->get_other_host(this->ike_sa);
816 if (other->is_anyaddr(other))
817 {
818 other = request->get_source(request);
819 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
820 }
821 response->set_source(response, me->clone(me));
822 response->set_destination(response, other->clone(other));
823 if (this->ike_sa->generate_message(this->ike_sa, response,
824 &packet) == SUCCESS)
825 {
826 charon->sender->send(charon->sender, packet);
827 }
828 response->destroy(response);
829 }
830
831 /**
832 * Process a DPD request/response
833 */
834 static bool process_dpd(private_task_manager_t *this, message_t *message)
835 {
836 notify_payload_t *notify;
837 notify_type_t type;
838 u_int32_t seq;
839 chunk_t data;
840
841 type = DPD_R_U_THERE;
842 notify = message->get_notify(message, type);
843 if (!notify)
844 {
845 type = DPD_R_U_THERE_ACK;
846 notify = message->get_notify(message, type);
847 }
848 if (!notify)
849 {
850 return FALSE;
851 }
852 data = notify->get_notification_data(notify);
853 if (data.len != 4)
854 {
855 return FALSE;
856 }
857 seq = untoh32(data.ptr);
858
859 if (type == DPD_R_U_THERE)
860 {
861 if (this->dpd_recv == 0 || seq == this->dpd_recv)
862 { /* check sequence validity */
863 this->dpd_recv = seq + 1;
864 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
865 time_monotonic(NULL));
866 }
867 /* but respond anyway */
868 this->ike_sa->queue_task(this->ike_sa,
869 &isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
870 }
871 else /* DPD_R_U_THERE_ACK */
872 {
873 if (seq == this->dpd_send - 1)
874 {
875 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
876 time_monotonic(NULL));
877 }
878 else
879 {
880 DBG1(DBG_IKE, "received invalid DPD sequence number %u "
881 "(expected %u), ignored", seq, this->dpd_send - 1);
882 }
883 }
884 return TRUE;
885 }
886
887 /**
888 * handle an incoming request message
889 */
890 static status_t process_request(private_task_manager_t *this,
891 message_t *message)
892 {
893 enumerator_t *enumerator;
894 task_t *task = NULL;
895 bool send_response = FALSE, dpd = FALSE;
896
897 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
898 this->passive_tasks->get_count(this->passive_tasks) == 0)
899 { /* create tasks depending on request type, if not already some queued */
900 switch (message->get_exchange_type(message))
901 {
902 case ID_PROT:
903 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
904 this->passive_tasks->insert_last(this->passive_tasks, task);
905 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
906 this->passive_tasks->insert_last(this->passive_tasks, task);
907 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
908 this->passive_tasks->insert_last(this->passive_tasks, task);
909 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
910 this->passive_tasks->insert_last(this->passive_tasks, task);
911 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
912 this->passive_tasks->insert_last(this->passive_tasks, task);
913 break;
914 case AGGRESSIVE:
915 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
916 this->passive_tasks->insert_last(this->passive_tasks, task);
917 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
918 this->passive_tasks->insert_last(this->passive_tasks, task);
919 task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
920 this->passive_tasks->insert_last(this->passive_tasks, task);
921 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
922 this->passive_tasks->insert_last(this->passive_tasks, task);
923 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
924 this->passive_tasks->insert_last(this->passive_tasks, task);
925 break;
926 case QUICK_MODE:
927 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
928 {
929 DBG1(DBG_IKE, "received quick mode request for "
930 "unestablished IKE_SA, ignored");
931 return FAILED;
932 }
933 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
934 NULL, NULL);
935 this->passive_tasks->insert_last(this->passive_tasks, task);
936 break;
937 case INFORMATIONAL_V1:
938 if (process_dpd(this, message))
939 {
940 dpd = TRUE;
941 }
942 else
943 {
944 task = (task_t *)informational_create(this->ike_sa, NULL);
945 this->passive_tasks->insert_first(this->passive_tasks, task);
946 }
947 break;
948 case TRANSACTION:
949 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
950 {
951 task = (task_t *)mode_config_create(this->ike_sa, FALSE);
952 }
953 else
954 {
955 task = (task_t *)xauth_create(this->ike_sa, FALSE);
956 }
957 this->passive_tasks->insert_last(this->passive_tasks, task);
958 break;
959 default:
960 return FAILED;
961 }
962 }
963 if (dpd)
964 {
965 return initiate(this);
966 }
967 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
968
969 /* let the tasks process the message */
970 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
971 while (enumerator->enumerate(enumerator, (void*)&task))
972 {
973 switch (task->process(task, message))
974 {
975 case SUCCESS:
976 /* task completed, remove it */
977 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
978 task->destroy(task);
979 continue;
980 case NEED_MORE:
981 /* processed, but task needs at least another call to build() */
982 send_response = TRUE;
983 continue;
984 case ALREADY_DONE:
985 send_response = FALSE;
986 break;
987 case FAILED:
988 default:
989 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
990 /* FALL */
991 case DESTROY_ME:
992 /* critical failure, destroy IKE_SA */
993 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
994 enumerator->destroy(enumerator);
995 task->destroy(task);
996 return DESTROY_ME;
997 }
998 break;
999 }
1000 enumerator->destroy(enumerator);
1001
1002 if (send_response)
1003 {
1004 if (build_response(this, message) != SUCCESS)
1005 {
1006 return DESTROY_ME;
1007 }
1008 }
1009 else
1010 { /* We don't send a response, so don't retransmit one if we get
1011 * the same message again. */
1012 DESTROY_IF(this->responding.packet);
1013 this->responding.packet = NULL;
1014 }
1015 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
1016 this->queued_tasks->get_count(this->queued_tasks) > 0)
1017 {
1018 /* passive tasks completed, check if an active task has been queued,
1019 * such as XAUTH or modeconfig push */
1020 return initiate(this);
1021 }
1022 return SUCCESS;
1023 }
1024
1025 /**
1026 * handle an incoming response message
1027 */
1028 static status_t process_response(private_task_manager_t *this,
1029 message_t *message)
1030 {
1031 enumerator_t *enumerator;
1032 message_t *queued;
1033 status_t status;
1034 task_t *task;
1035
1036 if (message->get_exchange_type(message) != this->initiating.type)
1037 {
1038 DBG1(DBG_IKE, "received %N response, but expected %N",
1039 exchange_type_names, message->get_exchange_type(message),
1040 exchange_type_names, this->initiating.type);
1041 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1042 return DESTROY_ME;
1043 }
1044
1045 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
1046 while (enumerator->enumerate(enumerator, (void*)&task))
1047 {
1048 switch (task->process(task, message))
1049 {
1050 case SUCCESS:
1051 /* task completed, remove it */
1052 this->active_tasks->remove_at(this->active_tasks, enumerator);
1053 task->destroy(task);
1054 continue;
1055 case NEED_MORE:
1056 /* processed, but task needs another exchange */
1057 continue;
1058 case ALREADY_DONE:
1059 break;
1060 case FAILED:
1061 default:
1062 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1063 /* FALL */
1064 case DESTROY_ME:
1065 /* critical failure, destroy IKE_SA */
1066 this->active_tasks->remove_at(this->active_tasks, enumerator);
1067 enumerator->destroy(enumerator);
1068 task->destroy(task);
1069 return DESTROY_ME;
1070 }
1071 break;
1072 }
1073 enumerator->destroy(enumerator);
1074
1075 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1076 DESTROY_IF(this->initiating.packet);
1077 this->initiating.packet = NULL;
1078
1079 if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
1080 {
1081 queued = this->queued;
1082 this->queued = NULL;
1083 status = this->public.task_manager.process_message(
1084 &this->public.task_manager, queued);
1085 queued->destroy(queued);
1086 if (status == DESTROY_ME)
1087 {
1088 return status;
1089 }
1090 }
1091
1092 return initiate(this);
1093 }
1094
1095 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
1096 {
1097 fragment_payload_t *payload;
1098 enumerator_t *enumerator;
1099 fragment_t *fragment;
1100 status_t status = SUCCESS;
1101 u_int8_t num;
1102
1103 payload = (fragment_payload_t*)msg->get_payload(msg, FRAGMENT_V1);
1104 if (!payload)
1105 {
1106 return FAILED;
1107 }
1108
1109 if (this->frag.id != payload->get_id(payload))
1110 {
1111 clear_fragments(this, payload->get_id(payload));
1112 this->frag.list = linked_list_create();
1113 }
1114
1115 num = payload->get_number(payload);
1116 if (!this->frag.last && payload->is_last(payload))
1117 {
1118 this->frag.last = num;
1119 }
1120
1121 enumerator = this->frag.list->create_enumerator(this->frag.list);
1122 while (enumerator->enumerate(enumerator, &fragment))
1123 {
1124 if (fragment->num == num)
1125 { /* ignore a duplicate fragment */
1126 DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
1127 enumerator->destroy(enumerator);
1128 return NEED_MORE;
1129 }
1130 if (fragment->num > num)
1131 {
1132 break;
1133 }
1134 }
1135
1136 INIT(fragment,
1137 .num = num,
1138 .data = chunk_clone(payload->get_data(payload)),
1139 );
1140
1141 this->frag.list->insert_before(this->frag.list, enumerator, fragment);
1142 enumerator->destroy(enumerator);
1143
1144 if (this->frag.list->get_count(this->frag.list) == this->frag.last)
1145 {
1146 message_t *message;
1147 packet_t *pkt;
1148 chunk_t data = chunk_empty;
1149 host_t *src, *dst;
1150
1151 DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
1152 "message", num);
1153 enumerator = this->frag.list->create_enumerator(this->frag.list);
1154 while (enumerator->enumerate(enumerator, &fragment))
1155 {
1156 data = chunk_cat("mc", data, fragment->data);
1157 }
1158 enumerator->destroy(enumerator);
1159
1160 src = msg->get_source(msg);
1161 dst = msg->get_destination(msg);
1162 pkt = packet_create_from_data(src->clone(src), dst->clone(dst), data);
1163
1164 message = message_create_from_packet(pkt);
1165 if (message->parse_header(message) != SUCCESS)
1166 {
1167 DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
1168 message->destroy(message);
1169 status = FAILED;
1170 }
1171 else
1172 {
1173 lib->processor->queue_job(lib->processor,
1174 (job_t*)process_message_job_create(message));
1175 status = NEED_MORE;
1176
1177 }
1178 clear_fragments(this, 0);
1179 }
1180 else
1181 { /* there are some fragments missing */
1182 DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
1183 "message", num);
1184 status = NEED_MORE;
1185 }
1186 return status;
1187 }
1188
1189 /**
1190 * Parse the given message and verify that it is valid.
1191 */
1192 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1193 {
1194 status_t status;
1195
1196 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1197
1198 if (status != SUCCESS)
1199 {
1200 switch (status)
1201 {
1202 case NOT_SUPPORTED:
1203 DBG1(DBG_IKE, "unsupported exchange type");
1204 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
1205 break;
1206 case PARSE_ERROR:
1207 DBG1(DBG_IKE, "message parsing failed");
1208 send_notify(this, msg, PAYLOAD_MALFORMED);
1209 break;
1210 case VERIFY_ERROR:
1211 DBG1(DBG_IKE, "message verification failed");
1212 send_notify(this, msg, PAYLOAD_MALFORMED);
1213 break;
1214 case FAILED:
1215 DBG1(DBG_IKE, "integrity check failed");
1216 send_notify(this, msg, INVALID_HASH_INFORMATION);
1217 break;
1218 case INVALID_STATE:
1219 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1220 send_notify(this, msg, PAYLOAD_MALFORMED);
1221 default:
1222 break;
1223 }
1224 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
1225 exchange_type_names, msg->get_exchange_type(msg),
1226 msg->get_request(msg) ? "request" : "response",
1227 msg->get_message_id(msg));
1228
1229 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1230
1231 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1232 { /* invalid initiation attempt, close SA */
1233 return DESTROY_ME;
1234 }
1235 }
1236
1237 if (msg->get_first_payload_type(msg) == FRAGMENT_V1)
1238 {
1239 return handle_fragment(this, msg);
1240 }
1241 return status;
1242 }
1243
1244 METHOD(task_manager_t, process_message, status_t,
1245 private_task_manager_t *this, message_t *msg)
1246 {
1247 u_int32_t hash, mid, i;
1248 host_t *me, *other;
1249 status_t status;
1250
1251 /* TODO-IKEv1: update hosts more selectively */
1252 me = msg->get_destination(msg);
1253 other = msg->get_source(msg);
1254 mid = msg->get_message_id(msg);
1255 hash = chunk_hash(msg->get_packet_data(msg));
1256 for (i = 0; i < MAX_OLD_HASHES; i++)
1257 {
1258 if (this->initiating.old_hashes[i] == hash)
1259 {
1260 if (this->initiating.packet &&
1261 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
1262 (msg->get_exchange_type(msg) == QUICK_MODE ||
1263 msg->get_exchange_type(msg) == AGGRESSIVE))
1264 {
1265 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1266 "resending last request", mid);
1267 charon->sender->send(charon->sender,
1268 this->initiating.packet->clone(this->initiating.packet));
1269 return SUCCESS;
1270 }
1271 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1272 "but next request already sent", mid);
1273 return SUCCESS;
1274 }
1275 }
1276
1277 if ((mid && mid == this->initiating.mid) ||
1278 (this->initiating.mid == 0 &&
1279 msg->get_exchange_type(msg) == this->initiating.type &&
1280 this->active_tasks->get_count(this->active_tasks)))
1281 {
1282 msg->set_request(msg, FALSE);
1283 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1284 status = parse_message(this, msg);
1285 if (status == NEED_MORE)
1286 {
1287 return SUCCESS;
1288 }
1289 if (status != SUCCESS)
1290 {
1291 return status;
1292 }
1293 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1294 time_monotonic(NULL));
1295 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1296 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1297 if (process_response(this, msg) != SUCCESS)
1298 {
1299 flush(this);
1300 return DESTROY_ME;
1301 }
1302 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
1303 MAX_OLD_HASHES] = hash;
1304 }
1305 else
1306 {
1307 if (hash == this->responding.hash)
1308 {
1309 if (this->responding.packet)
1310 {
1311 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1312 "retransmitting response", mid);
1313 charon->sender->send(charon->sender,
1314 this->responding.packet->clone(this->responding.packet));
1315 }
1316 else if (this->initiating.packet &&
1317 this->initiating.type == INFORMATIONAL_V1)
1318 {
1319 DBG1(DBG_IKE, "received retransmit of DPD request, "
1320 "retransmitting response");
1321 charon->sender->send(charon->sender,
1322 this->initiating.packet->clone(this->initiating.packet));
1323 }
1324 else
1325 {
1326 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1327 "but no response to retransmit", mid);
1328 }
1329 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1330 return SUCCESS;
1331 }
1332 if (msg->get_exchange_type(msg) == TRANSACTION &&
1333 this->active_tasks->get_count(this->active_tasks))
1334 { /* main mode not yet complete, queue XAuth/Mode config tasks */
1335 if (this->queued)
1336 {
1337 DBG1(DBG_IKE, "ignoring additional %N request, queue full",
1338 exchange_type_names, TRANSACTION);
1339 return SUCCESS;
1340 }
1341 this->queued = message_create_from_packet(msg->get_packet(msg));
1342 if (this->queued->parse_header(this->queued) != SUCCESS)
1343 {
1344 this->queued->destroy(this->queued);
1345 this->queued = NULL;
1346 return FAILED;
1347 }
1348 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1349 exchange_type_names, TRANSACTION);
1350 return SUCCESS;
1351 }
1352
1353 msg->set_request(msg, TRUE);
1354 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1355 status = parse_message(this, msg);
1356 if (status == NEED_MORE)
1357 {
1358 return SUCCESS;
1359 }
1360 if (status != SUCCESS)
1361 {
1362 return status;
1363 }
1364 /* if this IKE_SA is virgin, we check for a config */
1365 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1366 {
1367 ike_sa_id_t *ike_sa_id;
1368 ike_cfg_t *ike_cfg;
1369 job_t *job;
1370
1371 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1372 me, other, IKEV1);
1373 if (ike_cfg == NULL)
1374 {
1375 /* no config found for these hosts, destroy */
1376 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1377 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1378 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1379 return DESTROY_ME;
1380 }
1381 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1382 ike_cfg->destroy(ike_cfg);
1383 /* add a timeout if peer does not establish it completely */
1384 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1385 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1386 lib->scheduler->schedule_job(lib->scheduler, job,
1387 lib->settings->get_int(lib->settings,
1388 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1389 charon->name));
1390 }
1391 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1392 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1393 if (process_request(this, msg) != SUCCESS)
1394 {
1395 flush(this);
1396 return DESTROY_ME;
1397 }
1398 this->responding.hash = hash;
1399 }
1400 return SUCCESS;
1401 }
1402
1403 METHOD(task_manager_t, queue_task, void,
1404 private_task_manager_t *this, task_t *task)
1405 {
1406 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1407 this->queued_tasks->insert_last(this->queued_tasks, task);
1408 }
1409
1410 /**
1411 * Check if a given task has been queued already
1412 */
1413 static bool has_queued(private_task_manager_t *this, task_type_t type)
1414 {
1415 enumerator_t *enumerator;
1416 bool found = FALSE;
1417 task_t *task;
1418
1419 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1420 while (enumerator->enumerate(enumerator, &task))
1421 {
1422 if (task->get_type(task) == type)
1423 {
1424 found = TRUE;
1425 break;
1426 }
1427 }
1428 enumerator->destroy(enumerator);
1429 return found;
1430 }
1431
1432 METHOD(task_manager_t, queue_ike, void,
1433 private_task_manager_t *this)
1434 {
1435 peer_cfg_t *peer_cfg;
1436
1437 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1438 {
1439 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1440 }
1441 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1442 {
1443 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1444 }
1445 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1446 if (peer_cfg->use_aggressive(peer_cfg))
1447 {
1448 if (!has_queued(this, TASK_AGGRESSIVE_MODE))
1449 {
1450 queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
1451 }
1452 }
1453 else
1454 {
1455 if (!has_queued(this, TASK_MAIN_MODE))
1456 {
1457 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1458 }
1459 }
1460 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1461 {
1462 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1463 }
1464 if (!has_queued(this, TASK_ISAKMP_NATD))
1465 {
1466 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1467 }
1468 }
1469
1470 METHOD(task_manager_t, queue_ike_reauth, void,
1471 private_task_manager_t *this)
1472 {
1473 enumerator_t *enumerator;
1474 child_sa_t *child_sa;
1475 ike_sa_t *new;
1476 host_t *host;
1477
1478 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1479 this->ike_sa->get_version(this->ike_sa), TRUE);
1480 if (!new)
1481 { /* shouldn't happen */
1482 return;
1483 }
1484
1485 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1486 host = this->ike_sa->get_other_host(this->ike_sa);
1487 new->set_other_host(new, host->clone(host));
1488 host = this->ike_sa->get_my_host(this->ike_sa);
1489 new->set_my_host(new, host->clone(host));
1490 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1491 while (enumerator->enumerate(enumerator, &host))
1492 {
1493 new->add_virtual_ip(new, TRUE, host);
1494 }
1495 enumerator->destroy(enumerator);
1496
1497 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1498 while (enumerator->enumerate(enumerator, &child_sa))
1499 {
1500 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1501 new->add_child_sa(new, child_sa);
1502 }
1503 enumerator->destroy(enumerator);
1504
1505 if (!new->get_child_count(new))
1506 { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
1507 task_t *task;
1508
1509 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1510 while (enumerator->enumerate(enumerator, &task))
1511 {
1512 if (task->get_type(task) == TASK_QUICK_MODE)
1513 {
1514 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
1515 task->migrate(task, new);
1516 new->queue_task(new, task);
1517 }
1518 }
1519 enumerator->destroy(enumerator);
1520 }
1521
1522 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1523 {
1524 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1525 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1526 }
1527 else
1528 {
1529 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1530 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1531 }
1532 charon->bus->set_sa(charon->bus, this->ike_sa);
1533 }
1534
1535 METHOD(task_manager_t, queue_ike_rekey, void,
1536 private_task_manager_t *this)
1537 {
1538 queue_ike_reauth(this);
1539 }
1540
1541 METHOD(task_manager_t, queue_ike_delete, void,
1542 private_task_manager_t *this)
1543 {
1544 enumerator_t *enumerator;
1545 child_sa_t *child_sa;
1546
1547 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1548 while (enumerator->enumerate(enumerator, &child_sa))
1549 {
1550 queue_task(this, (task_t*)
1551 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1552 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1553 }
1554 enumerator->destroy(enumerator);
1555
1556 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1557 }
1558
1559 METHOD(task_manager_t, queue_mobike, void,
1560 private_task_manager_t *this, bool roam, bool address)
1561 {
1562 /* Not supported in IKEv1 */
1563 }
1564
1565 METHOD(task_manager_t, queue_child, void,
1566 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1567 traffic_selector_t *tsi, traffic_selector_t *tsr)
1568 {
1569 quick_mode_t *task;
1570
1571 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1572 task->use_reqid(task, reqid);
1573
1574 queue_task(this, &task->task);
1575 }
1576
1577 /**
1578 * Check if two CHILD_SAs have the same traffic selector
1579 */
1580 static bool have_equal_ts(child_sa_t *a, child_sa_t *b, bool local)
1581 {
1582 linked_list_t *list;
1583 traffic_selector_t *ts_a, *ts_b;
1584
1585 list = a->get_traffic_selectors(a, local);
1586 if (list->get_first(list, (void**)&ts_a) == SUCCESS)
1587 {
1588 list = b->get_traffic_selectors(b, local);
1589 if (list->get_first(list, (void**)&ts_b) == SUCCESS)
1590 {
1591 return ts_a->equals(ts_a, ts_b);
1592 }
1593 }
1594 return FALSE;
1595 }
1596
1597 /**
1598 * Check if a CHILD_SA is redundant and we should delete instead of rekey
1599 */
1600 static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
1601 {
1602 enumerator_t *enumerator;
1603 child_sa_t *current;
1604 bool redundant = FALSE;
1605
1606 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1607 while (enumerator->enumerate(enumerator, &current))
1608 {
1609 if (current->get_state(current) == CHILD_INSTALLED &&
1610 streq(current->get_name(current), child_sa->get_name(child_sa)) &&
1611 have_equal_ts(current, child_sa, TRUE) &&
1612 have_equal_ts(current, child_sa, FALSE) &&
1613 current->get_lifetime(current, FALSE) >
1614 child_sa->get_lifetime(child_sa, FALSE))
1615 {
1616 DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
1617 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
1618 redundant = TRUE;
1619 break;
1620 }
1621 }
1622 enumerator->destroy(enumerator);
1623
1624 return redundant;
1625 }
1626
1627 /**
1628 * Get the first traffic selector of a CHILD_SA, local or remote
1629 */
1630 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
1631 {
1632 traffic_selector_t *ts = NULL;
1633 linked_list_t *list;
1634
1635 list = child_sa->get_traffic_selectors(child_sa, local);
1636 if (list->get_first(list, (void**)&ts) == SUCCESS)
1637 {
1638 return ts;
1639 }
1640 return NULL;
1641 }
1642
1643 METHOD(task_manager_t, queue_child_rekey, void,
1644 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1645 {
1646 child_sa_t *child_sa;
1647 child_cfg_t *cfg;
1648 quick_mode_t *task;
1649
1650 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1651 if (!child_sa)
1652 {
1653 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1654 }
1655 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1656 {
1657 if (is_redundant(this, child_sa))
1658 {
1659 queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
1660 protocol, spi, FALSE, FALSE));
1661 }
1662 else
1663 {
1664 child_sa->set_state(child_sa, CHILD_REKEYING);
1665 cfg = child_sa->get_config(child_sa);
1666 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
1667 get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
1668 task->use_reqid(task, child_sa->get_reqid(child_sa));
1669 task->rekey(task, child_sa->get_spi(child_sa, TRUE));
1670
1671 queue_task(this, &task->task);
1672 }
1673 }
1674 }
1675
1676 METHOD(task_manager_t, queue_child_delete, void,
1677 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1678 bool expired)
1679 {
1680 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1681 spi, FALSE, expired));
1682 }
1683
1684 METHOD(task_manager_t, queue_dpd, void,
1685 private_task_manager_t *this)
1686 {
1687 peer_cfg_t *peer_cfg;
1688 u_int32_t t, retransmit;
1689
1690 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
1691 this->dpd_send++));
1692 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1693
1694 /* compute timeout in milliseconds */
1695 t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
1696 if (t == 0)
1697 {
1698 /* use the same timeout as a retransmitting IKE message would have */
1699 for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
1700 {
1701 t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
1702 pow(this->retransmit_base, retransmit));
1703 }
1704 }
1705
1706 /* schedule DPD timeout job */
1707 lib->scheduler->schedule_job_ms(lib->scheduler,
1708 (job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
1709 }
1710
1711 METHOD(task_manager_t, adopt_tasks, void,
1712 private_task_manager_t *this, task_manager_t *other_public)
1713 {
1714 private_task_manager_t *other = (private_task_manager_t*)other_public;
1715 task_t *task;
1716
1717 /* move queued tasks from other to this */
1718 while (other->queued_tasks->remove_last(other->queued_tasks,
1719 (void**)&task) == SUCCESS)
1720 {
1721 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1722 task->migrate(task, this->ike_sa);
1723 this->queued_tasks->insert_first(this->queued_tasks, task);
1724 }
1725 }
1726
1727 METHOD(task_manager_t, busy, bool,
1728 private_task_manager_t *this)
1729 {
1730 return (this->active_tasks->get_count(this->active_tasks) > 0);
1731 }
1732
1733 METHOD(task_manager_t, incr_mid, void,
1734 private_task_manager_t *this, bool initiate)
1735 {
1736 }
1737
1738 METHOD(task_manager_t, reset, void,
1739 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1740 {
1741 enumerator_t *enumerator;
1742 task_t *task;
1743
1744 /* reset message counters and retransmit packets */
1745 DESTROY_IF(this->responding.packet);
1746 DESTROY_IF(this->initiating.packet);
1747 this->responding.packet = NULL;
1748 this->responding.seqnr = RESPONDING_SEQ;
1749 this->responding.retransmitted = 0;
1750 this->initiating.packet = NULL;
1751 this->initiating.mid = 0;
1752 this->initiating.seqnr = 0;
1753 this->initiating.retransmitted = 0;
1754 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1755 clear_fragments(this, 0);
1756 if (initiate != UINT_MAX)
1757 {
1758 this->dpd_send = initiate;
1759 }
1760 if (respond != UINT_MAX)
1761 {
1762 this->dpd_recv = respond;
1763 }
1764
1765 /* reset queued tasks */
1766 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1767 while (enumerator->enumerate(enumerator, &task))
1768 {
1769 task->migrate(task, this->ike_sa);
1770 }
1771 enumerator->destroy(enumerator);
1772
1773 /* reset active tasks */
1774 while (this->active_tasks->remove_last(this->active_tasks,
1775 (void**)&task) == SUCCESS)
1776 {
1777 task->migrate(task, this->ike_sa);
1778 this->queued_tasks->insert_first(this->queued_tasks, task);
1779 }
1780 }
1781
1782 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1783 private_task_manager_t *this, task_queue_t queue)
1784 {
1785 switch (queue)
1786 {
1787 case TASK_QUEUE_ACTIVE:
1788 return this->active_tasks->create_enumerator(this->active_tasks);
1789 case TASK_QUEUE_PASSIVE:
1790 return this->passive_tasks->create_enumerator(this->passive_tasks);
1791 case TASK_QUEUE_QUEUED:
1792 return this->queued_tasks->create_enumerator(this->queued_tasks);
1793 default:
1794 return enumerator_create_empty();
1795 }
1796 }
1797
1798 METHOD(task_manager_t, destroy, void,
1799 private_task_manager_t *this)
1800 {
1801 flush(this);
1802
1803 this->active_tasks->destroy(this->active_tasks);
1804 this->queued_tasks->destroy(this->queued_tasks);
1805 this->passive_tasks->destroy(this->passive_tasks);
1806 clear_fragments(this, 0);
1807
1808 DESTROY_IF(this->queued);
1809 DESTROY_IF(this->responding.packet);
1810 DESTROY_IF(this->initiating.packet);
1811 DESTROY_IF(this->rng);
1812 free(this);
1813 }
1814
1815 /*
1816 * see header file
1817 */
1818 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
1819 {
1820 private_task_manager_t *this;
1821
1822 INIT(this,
1823 .public = {
1824 .task_manager = {
1825 .process_message = _process_message,
1826 .queue_task = _queue_task,
1827 .queue_ike = _queue_ike,
1828 .queue_ike_rekey = _queue_ike_rekey,
1829 .queue_ike_reauth = _queue_ike_reauth,
1830 .queue_ike_delete = _queue_ike_delete,
1831 .queue_mobike = _queue_mobike,
1832 .queue_child = _queue_child,
1833 .queue_child_rekey = _queue_child_rekey,
1834 .queue_child_delete = _queue_child_delete,
1835 .queue_dpd = _queue_dpd,
1836 .initiate = _initiate,
1837 .retransmit = _retransmit,
1838 .incr_mid = _incr_mid,
1839 .reset = _reset,
1840 .adopt_tasks = _adopt_tasks,
1841 .busy = _busy,
1842 .create_task_enumerator = _create_task_enumerator,
1843 .flush_queue = _flush_queue,
1844 .destroy = _destroy,
1845 },
1846 },
1847 .initiating = {
1848 .type = EXCHANGE_TYPE_UNDEFINED,
1849 },
1850 .responding = {
1851 .seqnr = RESPONDING_SEQ,
1852 },
1853 .ike_sa = ike_sa,
1854 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
1855 .queued_tasks = linked_list_create(),
1856 .active_tasks = linked_list_create(),
1857 .passive_tasks = linked_list_create(),
1858 .retransmit_tries = lib->settings->get_int(lib->settings,
1859 "%s.retransmit_tries", RETRANSMIT_TRIES, charon->name),
1860 .retransmit_timeout = lib->settings->get_double(lib->settings,
1861 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, charon->name),
1862 .retransmit_base = lib->settings->get_double(lib->settings,
1863 "%s.retransmit_base", RETRANSMIT_BASE, charon->name),
1864 );
1865
1866 if (!this->rng)
1867 {
1868 DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
1869 destroy(this);
1870 return NULL;
1871 }
1872 if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
1873 (void*)&this->dpd_send))
1874 {
1875 DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
1876 destroy(this);
1877 return NULL;
1878 }
1879 this->dpd_send &= 0x7FFFFFFF;
1880
1881 return &this->public;
1882 }
1883