payload: Use common prefixes for all payload type identifiers
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2013 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/aggressive_mode.h>
24 #include <sa/ikev1/tasks/quick_mode.h>
25 #include <sa/ikev1/tasks/quick_delete.h>
26 #include <sa/ikev1/tasks/xauth.h>
27 #include <sa/ikev1/tasks/mode_config.h>
28 #include <sa/ikev1/tasks/informational.h>
29 #include <sa/ikev1/tasks/isakmp_natd.h>
30 #include <sa/ikev1/tasks/isakmp_vendor.h>
31 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
32 #include <sa/ikev1/tasks/isakmp_cert_post.h>
33 #include <sa/ikev1/tasks/isakmp_delete.h>
34 #include <sa/ikev1/tasks/isakmp_dpd.h>
35
36 #include <processing/jobs/retransmit_job.h>
37 #include <processing/jobs/delete_ike_sa_job.h>
38 #include <processing/jobs/dpd_timeout_job.h>
39 #include <processing/jobs/process_message_job.h>
40
41 #include <encoding/payloads/fragment_payload.h>
42 #include <bio/bio_writer.h>
43
44 /**
45 * Number of old messages hashes we keep for retransmission.
46 *
47 * In Main Mode, we must ignore messages from a previous message pair if
48 * we already continued to the next. Otherwise a late retransmission
49 * could be considered as a reply to the newer request.
50 */
51 #define MAX_OLD_HASHES 2
52
53 /**
54 * Maximum packet size for fragmented packets (same as in sockets)
55 */
56 #define MAX_PACKET 10000
57
58 /**
59 * Maximum size of fragment data when sending packets (currently the same is
60 * used for IPv4 and IPv6, even though the latter has a higher minimum datagram
61 * size). 576 (= min. IPv4) - 20 (= IP header) - 8 (= UDP header) -
62 * - 28 (= IKE header) - 8 (= fragment header) = 512
63 * This is reduced by 4 in case of NAT-T (due to the non-ESP marker).
64 */
65 #define MAX_FRAGMENT_SIZE 512
66
67 /**
68 * First sequence number of responding packets.
69 *
70 * To distinguish retransmission jobs for initiating and responding packets,
71 * we split up the sequence counter and use the upper half for responding.
72 */
73 #define RESPONDING_SEQ INT_MAX
74
75 typedef struct exchange_t exchange_t;
76
77 /**
78 * An exchange in the air, used do detect and handle retransmission
79 */
80 struct exchange_t {
81
82 /**
83 * Message ID used for this transaction
84 */
85 u_int32_t mid;
86
87 /**
88 * generated packet for retransmission
89 */
90 packet_t *packet;
91 };
92
93 typedef struct private_task_manager_t private_task_manager_t;
94
95 /**
96 * private data of the task manager
97 */
98 struct private_task_manager_t {
99
100 /**
101 * public functions
102 */
103 task_manager_v1_t public;
104
105 /**
106 * associated IKE_SA we are serving
107 */
108 ike_sa_t *ike_sa;
109
110 /**
111 * RNG to create message IDs
112 */
113 rng_t *rng;
114
115 /**
116 * Exchange we are currently handling as responder
117 */
118 struct {
119 /**
120 * Message ID of the last response
121 */
122 u_int32_t mid;
123
124 /**
125 * Hash of a previously received message
126 */
127 u_int32_t hash;
128
129 /**
130 * packet for retransmission
131 */
132 packet_t *packet;
133
134 /**
135 * Sequence number of the last sent message
136 */
137 u_int32_t seqnr;
138
139 /**
140 * how many times we have retransmitted so far
141 */
142 u_int retransmitted;
143
144 } responding;
145
146 /**
147 * Exchange we are currently handling as initiator
148 */
149 struct {
150 /**
151 * Message ID of the exchange
152 */
153 u_int32_t mid;
154
155 /**
156 * Hashes of old responses we can ignore
157 */
158 u_int32_t old_hashes[MAX_OLD_HASHES];
159
160 /**
161 * Position in old hash array
162 */
163 int old_hash_pos;
164
165 /**
166 * Sequence number of the last sent message
167 */
168 u_int32_t seqnr;
169
170 /**
171 * how many times we have retransmitted so far
172 */
173 u_int retransmitted;
174
175 /**
176 * packet for retransmission
177 */
178 packet_t *packet;
179
180 /**
181 * type of the initiated exchange
182 */
183 exchange_type_t type;
184
185 } initiating;
186
187 /**
188 * Data used to reassemble a fragmented message
189 */
190 struct {
191
192 /**
193 * Fragment ID (currently only one is supported at a time)
194 */
195 u_int16_t id;
196
197 /**
198 * The number of the last fragment (in case we receive the fragments out
199 * of order), since the first starts with 1 this defines the number of
200 * fragments we expect
201 */
202 u_int8_t last;
203
204 /**
205 * List of fragments (fragment_t*)
206 */
207 linked_list_t *list;
208
209 /**
210 * Length of all currently received fragments
211 */
212 size_t len;
213
214 /**
215 * Maximum length of a fragmented packet
216 */
217 size_t max_packet;
218
219 /**
220 * Maximum length of a single fragment (when sending)
221 */
222 size_t size;
223
224 /**
225 * The exchange type we use for fragments. Always the initial type even
226 * for fragmented quick mode or transaction messages (i.e. either
227 * ID_PROT or AGGRESSIVE)
228 */
229 exchange_type_t exchange;
230
231 } frag;
232
233 /**
234 * List of queued tasks not yet in action
235 */
236 linked_list_t *queued_tasks;
237
238 /**
239 * List of active tasks, initiated by ourselves
240 */
241 linked_list_t *active_tasks;
242
243 /**
244 * List of tasks initiated by peer
245 */
246 linked_list_t *passive_tasks;
247
248 /**
249 * Queued messages not yet ready to process
250 */
251 message_t *queued;
252
253 /**
254 * Number of times we retransmit messages before giving up
255 */
256 u_int retransmit_tries;
257
258 /**
259 * Retransmission timeout
260 */
261 double retransmit_timeout;
262
263 /**
264 * Base to calculate retransmission timeout
265 */
266 double retransmit_base;
267
268 /**
269 * Sequence number for sending DPD requests
270 */
271 u_int32_t dpd_send;
272
273 /**
274 * Sequence number for received DPD requests
275 */
276 u_int32_t dpd_recv;
277 };
278
279 /**
280 * A single fragment within a fragmented message
281 */
282 typedef struct {
283
284 /** fragment number */
285 u_int8_t num;
286
287 /** fragment data */
288 chunk_t data;
289
290 } fragment_t;
291
292 static void fragment_destroy(fragment_t *this)
293 {
294 chunk_free(&this->data);
295 free(this);
296 }
297
298 static void clear_fragments(private_task_manager_t *this, u_int16_t id)
299 {
300 DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
301 this->frag.list = NULL;
302 this->frag.last = 0;
303 this->frag.len = 0;
304 this->frag.id = id;
305 }
306
307 METHOD(task_manager_t, flush_queue, void,
308 private_task_manager_t *this, task_queue_t queue)
309 {
310 linked_list_t *list;
311 task_t *task;
312
313 if (this->queued)
314 {
315 this->queued->destroy(this->queued);
316 this->queued = NULL;
317 }
318 switch (queue)
319 {
320 case TASK_QUEUE_ACTIVE:
321 list = this->active_tasks;
322 /* cancel pending retransmits */
323 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
324 DESTROY_IF(this->initiating.packet);
325 this->initiating.packet = NULL;
326 break;
327 case TASK_QUEUE_PASSIVE:
328 list = this->passive_tasks;
329 break;
330 case TASK_QUEUE_QUEUED:
331 list = this->queued_tasks;
332 break;
333 default:
334 return;
335 }
336 while (list->remove_last(list, (void**)&task) == SUCCESS)
337 {
338 task->destroy(task);
339 }
340 }
341
342 METHOD(task_manager_t, flush, void,
343 private_task_manager_t *this)
344 {
345 flush_queue(this, TASK_QUEUE_QUEUED);
346 flush_queue(this, TASK_QUEUE_PASSIVE);
347 flush_queue(this, TASK_QUEUE_ACTIVE);
348 }
349
350 /**
351 * move a task of a specific type from the queue to the active list
352 */
353 static bool activate_task(private_task_manager_t *this, task_type_t type)
354 {
355 enumerator_t *enumerator;
356 task_t *task;
357 bool found = FALSE;
358
359 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
360 while (enumerator->enumerate(enumerator, (void**)&task))
361 {
362 if (task->get_type(task) == type)
363 {
364 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
365 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
366 this->active_tasks->insert_last(this->active_tasks, task);
367 found = TRUE;
368 break;
369 }
370 }
371 enumerator->destroy(enumerator);
372 return found;
373 }
374
375 /**
376 * Send a single fragment with the given data
377 */
378 static bool send_fragment(private_task_manager_t *this, bool request,
379 host_t *src, host_t *dst, fragment_payload_t *fragment)
380 {
381 message_t *message;
382 packet_t *packet;
383 status_t status;
384
385 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
386 /* other implementations seem to just use 0 as message ID, so here we go */
387 message->set_message_id(message, 0);
388 message->set_request(message, request);
389 message->set_source(message, src->clone(src));
390 message->set_destination(message, dst->clone(dst));
391 message->set_exchange_type(message, this->frag.exchange);
392 message->add_payload(message, (payload_t*)fragment);
393
394 status = this->ike_sa->generate_message(this->ike_sa, message, &packet);
395 if (status != SUCCESS)
396 {
397 DBG1(DBG_IKE, "failed to generate IKE fragment");
398 message->destroy(message);
399 return FALSE;
400 }
401 charon->sender->send(charon->sender, packet);
402 message->destroy(message);
403 return TRUE;
404 }
405
406 /**
407 * Send a packet, if supported and required do so in fragments
408 */
409 static bool send_packet(private_task_manager_t *this, bool request,
410 packet_t *packet)
411 {
412 bool use_frags = FALSE;
413 ike_cfg_t *ike_cfg;
414 chunk_t data;
415
416 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
417 if (ike_cfg)
418 {
419 switch (ike_cfg->fragmentation(ike_cfg))
420 {
421 case FRAGMENTATION_FORCE:
422 use_frags = TRUE;
423 break;
424 case FRAGMENTATION_YES:
425 use_frags = this->ike_sa->supports_extension(this->ike_sa,
426 EXT_IKE_FRAGMENTATION);
427 break;
428 default:
429 break;
430 }
431 }
432 data = packet->get_data(packet);
433 if (data.len > this->frag.size && use_frags)
434 {
435 fragment_payload_t *fragment;
436 u_int8_t num, count;
437 size_t len, frag_size;
438 host_t *src, *dst;
439
440 src = packet->get_source(packet);
441 dst = packet->get_destination(packet);
442
443 frag_size = this->frag.size;
444 if (dst->get_port(dst) != IKEV2_UDP_PORT &&
445 src->get_port(src) != IKEV2_UDP_PORT)
446 { /* reduce size due to non-ESP marker */
447 frag_size -= 4;
448 }
449 count = data.len / frag_size + (data.len % frag_size ? 1 : 0);
450
451 DBG1(DBG_IKE, "sending IKE message with length of %zu bytes in "
452 "%hhu fragments", data.len, count);
453 for (num = 1; num <= count; num++)
454 {
455 len = min(data.len, frag_size);
456 fragment = fragment_payload_create_from_data(num, num == count,
457 chunk_create(data.ptr, len));
458 if (!send_fragment(this, request, src, dst, fragment))
459 {
460 packet->destroy(packet);
461 return FALSE;
462 }
463 data = chunk_skip(data, len);
464 }
465 packet->destroy(packet);
466 return TRUE;
467 }
468 charon->sender->send(charon->sender, packet);
469 return TRUE;
470 }
471
472 /**
473 * Retransmit a packet, either as initiator or as responder
474 */
475 static status_t retransmit_packet(private_task_manager_t *this, bool request,
476 u_int32_t seqnr, u_int mid, u_int retransmitted, packet_t *packet)
477 {
478 u_int32_t t;
479
480 if (retransmitted > this->retransmit_tries)
481 {
482 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
483 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
484 return DESTROY_ME;
485 }
486 t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
487 pow(this->retransmit_base, retransmitted));
488 if (retransmitted)
489 {
490 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
491 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
492 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
493 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
494 }
495 if (!send_packet(this, request, packet->clone(packet)))
496 {
497 return DESTROY_ME;
498 }
499 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
500 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
501 return NEED_MORE;
502 }
503
504 METHOD(task_manager_t, retransmit, status_t,
505 private_task_manager_t *this, u_int32_t seqnr)
506 {
507 status_t status = SUCCESS;
508
509 if (seqnr == this->initiating.seqnr && this->initiating.packet)
510 {
511 status = retransmit_packet(this, TRUE, seqnr, this->initiating.mid,
512 this->initiating.retransmitted, this->initiating.packet);
513 if (status == NEED_MORE)
514 {
515 this->initiating.retransmitted++;
516 status = SUCCESS;
517 }
518 }
519 if (seqnr == this->responding.seqnr && this->responding.packet)
520 {
521 status = retransmit_packet(this, FALSE, seqnr, this->responding.mid,
522 this->responding.retransmitted, this->responding.packet);
523 if (status == NEED_MORE)
524 {
525 this->responding.retransmitted++;
526 status = SUCCESS;
527 }
528 }
529 return status;
530 }
531
532 /**
533 * Check if we have to wait for a mode config before starting a quick mode
534 */
535 static bool mode_config_expected(private_task_manager_t *this)
536 {
537 enumerator_t *enumerator;
538 peer_cfg_t *peer_cfg;
539 char *pool;
540 bool local;
541 host_t *host;
542
543 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
544 if (peer_cfg)
545 {
546 if (peer_cfg->use_pull_mode(peer_cfg))
547 {
548 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
549 if (!enumerator->enumerate(enumerator, &pool))
550 { /* no pool configured */
551 enumerator->destroy(enumerator);
552 return FALSE;
553 }
554 enumerator->destroy(enumerator);
555
556 local = FALSE;
557 }
558 else
559 {
560 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
561 if (!enumerator->enumerate(enumerator, &host))
562 { /* not requesting a vip */
563 enumerator->destroy(enumerator);
564 return FALSE;
565 }
566 enumerator->destroy(enumerator);
567
568 local = TRUE;
569 }
570 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
571 local);
572 if (!enumerator->enumerate(enumerator, &host))
573 { /* expecting a VIP exchange, but no VIP assigned yet */
574 enumerator->destroy(enumerator);
575 return TRUE;
576 }
577 enumerator->destroy(enumerator);
578 }
579 return FALSE;
580 }
581
582 METHOD(task_manager_t, initiate, status_t,
583 private_task_manager_t *this)
584 {
585 enumerator_t *enumerator;
586 task_t *task;
587 message_t *message;
588 host_t *me, *other;
589 status_t status;
590 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
591 bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
592
593 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
594 this->initiating.type != INFORMATIONAL_V1)
595 {
596 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
597 exchange_type_names, this->initiating.type);
598 /* do not initiate if we already have a message in the air */
599 return SUCCESS;
600 }
601
602 if (this->active_tasks->get_count(this->active_tasks) == 0)
603 {
604 DBG2(DBG_IKE, "activating new tasks");
605 switch (this->ike_sa->get_state(this->ike_sa))
606 {
607 case IKE_CREATED:
608 activate_task(this, TASK_ISAKMP_VENDOR);
609 activate_task(this, TASK_ISAKMP_CERT_PRE);
610 if (activate_task(this, TASK_MAIN_MODE))
611 {
612 exchange = ID_PROT;
613 }
614 else if (activate_task(this, TASK_AGGRESSIVE_MODE))
615 {
616 exchange = AGGRESSIVE;
617 }
618 activate_task(this, TASK_ISAKMP_CERT_POST);
619 activate_task(this, TASK_ISAKMP_NATD);
620 break;
621 case IKE_CONNECTING:
622 if (activate_task(this, TASK_ISAKMP_DELETE))
623 {
624 exchange = INFORMATIONAL_V1;
625 new_mid = TRUE;
626 break;
627 }
628 if (activate_task(this, TASK_XAUTH))
629 {
630 exchange = TRANSACTION;
631 new_mid = TRUE;
632 break;
633 }
634 if (activate_task(this, TASK_INFORMATIONAL))
635 {
636 exchange = INFORMATIONAL_V1;
637 new_mid = TRUE;
638 break;
639 }
640 break;
641 case IKE_ESTABLISHED:
642 if (activate_task(this, TASK_MODE_CONFIG))
643 {
644 exchange = TRANSACTION;
645 new_mid = TRUE;
646 break;
647 }
648 if (!mode_config_expected(this) &&
649 activate_task(this, TASK_QUICK_MODE))
650 {
651 exchange = QUICK_MODE;
652 new_mid = TRUE;
653 break;
654 }
655 if (activate_task(this, TASK_INFORMATIONAL))
656 {
657 exchange = INFORMATIONAL_V1;
658 new_mid = TRUE;
659 break;
660 }
661 if (activate_task(this, TASK_QUICK_DELETE))
662 {
663 exchange = INFORMATIONAL_V1;
664 new_mid = TRUE;
665 break;
666 }
667 if (activate_task(this, TASK_ISAKMP_DELETE))
668 {
669 exchange = INFORMATIONAL_V1;
670 new_mid = TRUE;
671 break;
672 }
673 if (activate_task(this, TASK_ISAKMP_DPD))
674 {
675 exchange = INFORMATIONAL_V1;
676 new_mid = TRUE;
677 break;
678 }
679 break;
680 default:
681 break;
682 }
683 }
684 else
685 {
686 DBG2(DBG_IKE, "reinitiating already active tasks");
687 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
688 while (enumerator->enumerate(enumerator, (void**)&task))
689 {
690 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
691 switch (task->get_type(task))
692 {
693 case TASK_MAIN_MODE:
694 exchange = ID_PROT;
695 break;
696 case TASK_AGGRESSIVE_MODE:
697 exchange = AGGRESSIVE;
698 break;
699 case TASK_QUICK_MODE:
700 exchange = QUICK_MODE;
701 break;
702 case TASK_XAUTH:
703 exchange = TRANSACTION;
704 new_mid = TRUE;
705 break;
706 default:
707 continue;
708 }
709 break;
710 }
711 enumerator->destroy(enumerator);
712 }
713
714 if (exchange == EXCHANGE_TYPE_UNDEFINED)
715 {
716 DBG2(DBG_IKE, "nothing to initiate");
717 /* nothing to do yet... */
718 return SUCCESS;
719 }
720
721 me = this->ike_sa->get_my_host(this->ike_sa);
722 other = this->ike_sa->get_other_host(this->ike_sa);
723
724 if (new_mid)
725 {
726 if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
727 (void*)&this->initiating.mid))
728 {
729 DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
730 flush(this);
731 return DESTROY_ME;
732 }
733 }
734 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
735 message->set_message_id(message, this->initiating.mid);
736 message->set_source(message, me->clone(me));
737 message->set_destination(message, other->clone(other));
738 message->set_exchange_type(message, exchange);
739 this->initiating.type = exchange;
740 this->initiating.retransmitted = 0;
741
742 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
743 while (enumerator->enumerate(enumerator, (void*)&task))
744 {
745 switch (task->build(task, message))
746 {
747 case SUCCESS:
748 /* task completed, remove it */
749 this->active_tasks->remove_at(this->active_tasks, enumerator);
750 if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
751 task->get_type(task) == TASK_QUICK_MODE)
752 { /* last message of three message exchange */
753 keep = TRUE;
754 }
755 task->destroy(task);
756 continue;
757 case NEED_MORE:
758 expect_response = TRUE;
759 /* processed, but task needs another exchange */
760 continue;
761 case ALREADY_DONE:
762 cancelled = TRUE;
763 break;
764 case FAILED:
765 default:
766 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
767 {
768 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
769 }
770 /* FALL */
771 case DESTROY_ME:
772 /* critical failure, destroy IKE_SA */
773 enumerator->destroy(enumerator);
774 message->destroy(message);
775 flush(this);
776 return DESTROY_ME;
777 }
778 break;
779 }
780 enumerator->destroy(enumerator);
781
782 if (this->active_tasks->get_count(this->active_tasks) == 0 &&
783 (exchange == QUICK_MODE || exchange == AGGRESSIVE))
784 { /* tasks completed, no exchange active anymore */
785 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
786 }
787 if (cancelled)
788 {
789 message->destroy(message);
790 return initiate(this);
791 }
792
793 DESTROY_IF(this->initiating.packet);
794 status = this->ike_sa->generate_message(this->ike_sa, message,
795 &this->initiating.packet);
796 if (status != SUCCESS)
797 {
798 /* message generation failed. There is nothing more to do than to
799 * close the SA */
800 message->destroy(message);
801 flush(this);
802 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
803 return DESTROY_ME;
804 }
805
806 this->initiating.seqnr++;
807 if (expect_response)
808 {
809 message->destroy(message);
810 return retransmit(this, this->initiating.seqnr);
811 }
812 if (keep)
813 { /* keep the packet for retransmission, the responder might request it */
814 send_packet(this, TRUE,
815 this->initiating.packet->clone(this->initiating.packet));
816 }
817 else
818 {
819 send_packet(this, TRUE, this->initiating.packet);
820 this->initiating.packet = NULL;
821 }
822 message->destroy(message);
823
824 if (exchange == INFORMATIONAL_V1)
825 {
826 switch (this->ike_sa->get_state(this->ike_sa))
827 {
828 case IKE_CONNECTING:
829 /* close after sending an INFORMATIONAL when unestablished */
830 return FAILED;
831 case IKE_DELETING:
832 /* close after sending a DELETE */
833 return DESTROY_ME;
834 default:
835 break;
836 }
837 }
838 return initiate(this);
839 }
840
841 /**
842 * build a response depending on the "passive" task list
843 */
844 static status_t build_response(private_task_manager_t *this, message_t *request)
845 {
846 enumerator_t *enumerator;
847 task_t *task;
848 message_t *message;
849 host_t *me, *other;
850 bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
851 status_t status;
852
853 me = request->get_destination(request);
854 other = request->get_source(request);
855
856 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
857 message->set_exchange_type(message, request->get_exchange_type(request));
858 /* send response along the path the request came in */
859 message->set_source(message, me->clone(me));
860 message->set_destination(message, other->clone(other));
861 message->set_message_id(message, request->get_message_id(request));
862 message->set_request(message, FALSE);
863
864 this->responding.mid = request->get_message_id(request);
865 this->responding.retransmitted = 0;
866 this->responding.seqnr++;
867
868 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
869 while (enumerator->enumerate(enumerator, (void*)&task))
870 {
871 switch (task->build(task, message))
872 {
873 case SUCCESS:
874 /* task completed, remove it */
875 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
876 task->destroy(task);
877 continue;
878 case NEED_MORE:
879 /* processed, but task needs another exchange */
880 if (task->get_type(task) == TASK_QUICK_MODE ||
881 task->get_type(task) == TASK_AGGRESSIVE_MODE)
882 { /* we rely on initiator retransmission, except for
883 * three-message exchanges */
884 expect_request = TRUE;
885 }
886 continue;
887 case ALREADY_DONE:
888 cancelled = TRUE;
889 break;
890 case FAILED:
891 default:
892 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
893 /* FALL */
894 case DESTROY_ME:
895 /* destroy IKE_SA, but SEND response first */
896 delete = TRUE;
897 break;
898 }
899 break;
900 }
901 enumerator->destroy(enumerator);
902
903 DESTROY_IF(this->responding.packet);
904 this->responding.packet = NULL;
905 if (cancelled)
906 {
907 message->destroy(message);
908 return initiate(this);
909 }
910 status = this->ike_sa->generate_message(this->ike_sa, message,
911 &this->responding.packet);
912 message->destroy(message);
913 if (status != SUCCESS)
914 {
915 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
916 return DESTROY_ME;
917 }
918
919 if (expect_request && !delete)
920 {
921 return retransmit(this, this->responding.seqnr);
922 }
923 send_packet(this, FALSE,
924 this->responding.packet->clone(this->responding.packet));
925 if (delete)
926 {
927 return DESTROY_ME;
928 }
929 return SUCCESS;
930 }
931
932 /**
933 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
934 * The notify protocol_id is set to ISAKMP
935 */
936 static void send_notify(private_task_manager_t *this, message_t *request,
937 notify_type_t type)
938 {
939 message_t *response;
940 packet_t *packet;
941 host_t *me, *other;
942 u_int32_t mid;
943
944 if (request->get_exchange_type(request) == INFORMATIONAL_V1)
945 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
946 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
947 return;
948 }
949 if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
950 {
951 DBG1(DBG_IKE, "failed to allocate message ID");
952 return;
953 }
954 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
955 response->set_exchange_type(response, INFORMATIONAL_V1);
956 response->set_request(response, TRUE);
957 response->set_message_id(response, mid);
958 response->add_payload(response, (payload_t*)
959 notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
960 PROTO_IKE, type));
961
962 me = this->ike_sa->get_my_host(this->ike_sa);
963 if (me->is_anyaddr(me))
964 {
965 me = request->get_destination(request);
966 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
967 }
968 other = this->ike_sa->get_other_host(this->ike_sa);
969 if (other->is_anyaddr(other))
970 {
971 other = request->get_source(request);
972 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
973 }
974 response->set_source(response, me->clone(me));
975 response->set_destination(response, other->clone(other));
976 if (this->ike_sa->generate_message(this->ike_sa, response,
977 &packet) == SUCCESS)
978 {
979 send_packet(this, TRUE, packet);
980 }
981 response->destroy(response);
982 }
983
984 /**
985 * Process a DPD request/response
986 */
987 static bool process_dpd(private_task_manager_t *this, message_t *message)
988 {
989 notify_payload_t *notify;
990 notify_type_t type;
991 u_int32_t seq;
992 chunk_t data;
993
994 type = DPD_R_U_THERE;
995 notify = message->get_notify(message, type);
996 if (!notify)
997 {
998 type = DPD_R_U_THERE_ACK;
999 notify = message->get_notify(message, type);
1000 }
1001 if (!notify)
1002 {
1003 return FALSE;
1004 }
1005 data = notify->get_notification_data(notify);
1006 if (data.len != 4)
1007 {
1008 return FALSE;
1009 }
1010 seq = untoh32(data.ptr);
1011
1012 if (type == DPD_R_U_THERE)
1013 {
1014 if (this->dpd_recv == 0 || seq == this->dpd_recv)
1015 { /* check sequence validity */
1016 this->dpd_recv = seq + 1;
1017 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1018 time_monotonic(NULL));
1019 }
1020 /* but respond anyway */
1021 this->ike_sa->queue_task(this->ike_sa,
1022 &isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
1023 }
1024 else /* DPD_R_U_THERE_ACK */
1025 {
1026 if (seq == this->dpd_send - 1)
1027 {
1028 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1029 time_monotonic(NULL));
1030 }
1031 else
1032 {
1033 DBG1(DBG_IKE, "received invalid DPD sequence number %u "
1034 "(expected %u), ignored", seq, this->dpd_send - 1);
1035 }
1036 }
1037 return TRUE;
1038 }
1039
1040 /**
1041 * handle an incoming request message
1042 */
1043 static status_t process_request(private_task_manager_t *this,
1044 message_t *message)
1045 {
1046 enumerator_t *enumerator;
1047 task_t *task = NULL;
1048 bool send_response = FALSE, dpd = FALSE;
1049
1050 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
1051 this->passive_tasks->get_count(this->passive_tasks) == 0)
1052 { /* create tasks depending on request type, if not already some queued */
1053 switch (message->get_exchange_type(message))
1054 {
1055 case ID_PROT:
1056 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
1057 this->passive_tasks->insert_last(this->passive_tasks, task);
1058 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
1059 this->passive_tasks->insert_last(this->passive_tasks, task);
1060 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
1061 this->passive_tasks->insert_last(this->passive_tasks, task);
1062 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
1063 this->passive_tasks->insert_last(this->passive_tasks, task);
1064 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
1065 this->passive_tasks->insert_last(this->passive_tasks, task);
1066 break;
1067 case AGGRESSIVE:
1068 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
1069 this->passive_tasks->insert_last(this->passive_tasks, task);
1070 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
1071 this->passive_tasks->insert_last(this->passive_tasks, task);
1072 task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
1073 this->passive_tasks->insert_last(this->passive_tasks, task);
1074 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
1075 this->passive_tasks->insert_last(this->passive_tasks, task);
1076 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
1077 this->passive_tasks->insert_last(this->passive_tasks, task);
1078 this->frag.exchange = AGGRESSIVE;
1079 break;
1080 case QUICK_MODE:
1081 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1082 {
1083 DBG1(DBG_IKE, "received quick mode request for "
1084 "unestablished IKE_SA, ignored");
1085 return FAILED;
1086 }
1087 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
1088 NULL, NULL);
1089 this->passive_tasks->insert_last(this->passive_tasks, task);
1090 break;
1091 case INFORMATIONAL_V1:
1092 if (process_dpd(this, message))
1093 {
1094 dpd = TRUE;
1095 }
1096 else
1097 {
1098 task = (task_t *)informational_create(this->ike_sa, NULL);
1099 this->passive_tasks->insert_first(this->passive_tasks, task);
1100 }
1101 break;
1102 case TRANSACTION:
1103 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
1104 {
1105 task = (task_t *)mode_config_create(this->ike_sa,
1106 FALSE, TRUE);
1107 }
1108 else
1109 {
1110 task = (task_t *)xauth_create(this->ike_sa, FALSE);
1111 }
1112 this->passive_tasks->insert_last(this->passive_tasks, task);
1113 break;
1114 default:
1115 return FAILED;
1116 }
1117 }
1118 if (dpd)
1119 {
1120 return initiate(this);
1121 }
1122 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
1123
1124 /* let the tasks process the message */
1125 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
1126 while (enumerator->enumerate(enumerator, (void*)&task))
1127 {
1128 switch (task->process(task, message))
1129 {
1130 case SUCCESS:
1131 /* task completed, remove it */
1132 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1133 task->destroy(task);
1134 continue;
1135 case NEED_MORE:
1136 /* processed, but task needs at least another call to build() */
1137 send_response = TRUE;
1138 continue;
1139 case ALREADY_DONE:
1140 send_response = FALSE;
1141 break;
1142 case FAILED:
1143 default:
1144 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1145 /* FALL */
1146 case DESTROY_ME:
1147 /* critical failure, destroy IKE_SA */
1148 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1149 enumerator->destroy(enumerator);
1150 task->destroy(task);
1151 return DESTROY_ME;
1152 }
1153 break;
1154 }
1155 enumerator->destroy(enumerator);
1156
1157 if (send_response)
1158 {
1159 if (build_response(this, message) != SUCCESS)
1160 {
1161 return DESTROY_ME;
1162 }
1163 }
1164 else
1165 { /* We don't send a response, so don't retransmit one if we get
1166 * the same message again. */
1167 DESTROY_IF(this->responding.packet);
1168 this->responding.packet = NULL;
1169 }
1170 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
1171 this->queued_tasks->get_count(this->queued_tasks) > 0)
1172 {
1173 /* passive tasks completed, check if an active task has been queued,
1174 * such as XAUTH or modeconfig push */
1175 return initiate(this);
1176 }
1177 return SUCCESS;
1178 }
1179
1180 /**
1181 * handle an incoming response message
1182 */
1183 static status_t process_response(private_task_manager_t *this,
1184 message_t *message)
1185 {
1186 enumerator_t *enumerator;
1187 message_t *queued;
1188 status_t status;
1189 task_t *task;
1190
1191 if (message->get_exchange_type(message) != this->initiating.type)
1192 {
1193 /* Windows server sends a fourth quick mode message having an initial
1194 * contact notify. Ignore this message for compatibility. */
1195 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
1196 message->get_exchange_type(message) == QUICK_MODE &&
1197 message->get_notify(message, INITIAL_CONTACT))
1198 {
1199 DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
1200 return SUCCESS;
1201 }
1202 DBG1(DBG_IKE, "received %N response, but expected %N",
1203 exchange_type_names, message->get_exchange_type(message),
1204 exchange_type_names, this->initiating.type);
1205 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1206 return DESTROY_ME;
1207 }
1208
1209 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
1210 while (enumerator->enumerate(enumerator, (void*)&task))
1211 {
1212 switch (task->process(task, message))
1213 {
1214 case SUCCESS:
1215 /* task completed, remove it */
1216 this->active_tasks->remove_at(this->active_tasks, enumerator);
1217 task->destroy(task);
1218 continue;
1219 case NEED_MORE:
1220 /* processed, but task needs another exchange */
1221 continue;
1222 case ALREADY_DONE:
1223 break;
1224 case FAILED:
1225 default:
1226 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1227 /* FALL */
1228 case DESTROY_ME:
1229 /* critical failure, destroy IKE_SA */
1230 this->active_tasks->remove_at(this->active_tasks, enumerator);
1231 enumerator->destroy(enumerator);
1232 task->destroy(task);
1233 return DESTROY_ME;
1234 }
1235 break;
1236 }
1237 enumerator->destroy(enumerator);
1238
1239 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1240 DESTROY_IF(this->initiating.packet);
1241 this->initiating.packet = NULL;
1242
1243 if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
1244 {
1245 queued = this->queued;
1246 this->queued = NULL;
1247 status = this->public.task_manager.process_message(
1248 &this->public.task_manager, queued);
1249 queued->destroy(queued);
1250 if (status == DESTROY_ME)
1251 {
1252 return status;
1253 }
1254 }
1255
1256 return initiate(this);
1257 }
1258
1259 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
1260 {
1261 fragment_payload_t *payload;
1262 enumerator_t *enumerator;
1263 fragment_t *fragment;
1264 status_t status = SUCCESS;
1265 chunk_t data;
1266 u_int8_t num;
1267
1268 payload = (fragment_payload_t*)msg->get_payload(msg, PLV1_FRAGMENT);
1269 if (!payload)
1270 {
1271 return FAILED;
1272 }
1273
1274 if (!this->frag.list || this->frag.id != payload->get_id(payload))
1275 {
1276 clear_fragments(this, payload->get_id(payload));
1277 this->frag.list = linked_list_create();
1278 }
1279
1280 num = payload->get_number(payload);
1281 if (!this->frag.last && payload->is_last(payload))
1282 {
1283 this->frag.last = num;
1284 }
1285
1286 enumerator = this->frag.list->create_enumerator(this->frag.list);
1287 while (enumerator->enumerate(enumerator, &fragment))
1288 {
1289 if (fragment->num == num)
1290 { /* ignore a duplicate fragment */
1291 DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
1292 enumerator->destroy(enumerator);
1293 return NEED_MORE;
1294 }
1295 if (fragment->num > num)
1296 {
1297 break;
1298 }
1299 }
1300
1301 data = payload->get_data(payload);
1302 this->frag.len += data.len;
1303 if (this->frag.len > this->frag.max_packet)
1304 {
1305 DBG1(DBG_IKE, "fragmented IKE message is too large");
1306 enumerator->destroy(enumerator);
1307 clear_fragments(this, 0);
1308 return FAILED;
1309 }
1310
1311 INIT(fragment,
1312 .num = num,
1313 .data = chunk_clone(data),
1314 );
1315
1316 this->frag.list->insert_before(this->frag.list, enumerator, fragment);
1317 enumerator->destroy(enumerator);
1318
1319 if (this->frag.list->get_count(this->frag.list) == this->frag.last)
1320 {
1321 message_t *message;
1322 packet_t *pkt;
1323 host_t *src, *dst;
1324 bio_writer_t *writer;
1325
1326 writer = bio_writer_create(this->frag.len);
1327 DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
1328 "message", num);
1329 enumerator = this->frag.list->create_enumerator(this->frag.list);
1330 while (enumerator->enumerate(enumerator, &fragment))
1331 {
1332 writer->write_data(writer, fragment->data);
1333 }
1334 enumerator->destroy(enumerator);
1335
1336 src = msg->get_source(msg);
1337 dst = msg->get_destination(msg);
1338 pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
1339 writer->extract_buf(writer));
1340 writer->destroy(writer);
1341
1342 message = message_create_from_packet(pkt);
1343 if (message->parse_header(message) != SUCCESS)
1344 {
1345 DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
1346 message->destroy(message);
1347 status = FAILED;
1348 }
1349 else
1350 {
1351 lib->processor->queue_job(lib->processor,
1352 (job_t*)process_message_job_create(message));
1353 status = NEED_MORE;
1354
1355 }
1356 clear_fragments(this, 0);
1357 }
1358 else
1359 { /* there are some fragments missing */
1360 DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
1361 "message", num);
1362 status = NEED_MORE;
1363 }
1364 return status;
1365 }
1366
1367 /**
1368 * Parse the given message and verify that it is valid.
1369 */
1370 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1371 {
1372 status_t status;
1373
1374 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1375
1376 if (status != SUCCESS)
1377 {
1378 switch (status)
1379 {
1380 case NOT_SUPPORTED:
1381 DBG1(DBG_IKE, "unsupported exchange type");
1382 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
1383 break;
1384 case PARSE_ERROR:
1385 DBG1(DBG_IKE, "message parsing failed");
1386 send_notify(this, msg, PAYLOAD_MALFORMED);
1387 break;
1388 case VERIFY_ERROR:
1389 DBG1(DBG_IKE, "message verification failed");
1390 send_notify(this, msg, PAYLOAD_MALFORMED);
1391 break;
1392 case FAILED:
1393 DBG1(DBG_IKE, "integrity check failed");
1394 send_notify(this, msg, INVALID_HASH_INFORMATION);
1395 break;
1396 case INVALID_STATE:
1397 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1398 send_notify(this, msg, PAYLOAD_MALFORMED);
1399 default:
1400 break;
1401 }
1402 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
1403 exchange_type_names, msg->get_exchange_type(msg),
1404 msg->get_request(msg) ? "request" : "response",
1405 msg->get_message_id(msg));
1406
1407 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1408
1409 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1410 { /* invalid initiation attempt, close SA */
1411 return DESTROY_ME;
1412 }
1413 }
1414
1415 if (msg->get_first_payload_type(msg) == PLV1_FRAGMENT)
1416 {
1417 return handle_fragment(this, msg);
1418 }
1419 return status;
1420 }
1421
1422 METHOD(task_manager_t, process_message, status_t,
1423 private_task_manager_t *this, message_t *msg)
1424 {
1425 u_int32_t hash, mid, i;
1426 host_t *me, *other;
1427 status_t status;
1428
1429 /* TODO-IKEv1: update hosts more selectively */
1430 me = msg->get_destination(msg);
1431 other = msg->get_source(msg);
1432 mid = msg->get_message_id(msg);
1433 hash = chunk_hash(msg->get_packet_data(msg));
1434 for (i = 0; i < MAX_OLD_HASHES; i++)
1435 {
1436 if (this->initiating.old_hashes[i] == hash)
1437 {
1438 if (this->initiating.packet &&
1439 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
1440 (msg->get_exchange_type(msg) == QUICK_MODE ||
1441 msg->get_exchange_type(msg) == AGGRESSIVE))
1442 {
1443 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1444 "resending last request", mid);
1445 send_packet(this, TRUE,
1446 this->initiating.packet->clone(this->initiating.packet));
1447 return SUCCESS;
1448 }
1449 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1450 "but next request already sent", mid);
1451 return SUCCESS;
1452 }
1453 }
1454
1455 if ((mid && mid == this->initiating.mid) ||
1456 (this->initiating.mid == 0 &&
1457 msg->get_exchange_type(msg) == this->initiating.type &&
1458 this->active_tasks->get_count(this->active_tasks)))
1459 {
1460 msg->set_request(msg, FALSE);
1461 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1462 status = parse_message(this, msg);
1463 if (status == NEED_MORE)
1464 {
1465 return SUCCESS;
1466 }
1467 if (status != SUCCESS)
1468 {
1469 return status;
1470 }
1471 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1472 time_monotonic(NULL));
1473 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1474 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1475 if (process_response(this, msg) != SUCCESS)
1476 {
1477 flush(this);
1478 return DESTROY_ME;
1479 }
1480 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
1481 MAX_OLD_HASHES] = hash;
1482 }
1483 else
1484 {
1485 if (hash == this->responding.hash)
1486 {
1487 if (this->responding.packet)
1488 {
1489 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1490 "retransmitting response", mid);
1491 send_packet(this, FALSE,
1492 this->responding.packet->clone(this->responding.packet));
1493 }
1494 else if (this->initiating.packet &&
1495 this->initiating.type == INFORMATIONAL_V1)
1496 {
1497 DBG1(DBG_IKE, "received retransmit of DPD request, "
1498 "retransmitting response");
1499 send_packet(this, TRUE,
1500 this->initiating.packet->clone(this->initiating.packet));
1501 }
1502 else
1503 {
1504 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1505 "but no response to retransmit", mid);
1506 }
1507 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1508 return SUCCESS;
1509 }
1510
1511 /* reject Main/Aggressive Modes once established */
1512 if (msg->get_exchange_type(msg) == ID_PROT ||
1513 msg->get_exchange_type(msg) == AGGRESSIVE)
1514 {
1515 if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
1516 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
1517 msg->get_first_payload_type(msg) != PLV1_FRAGMENT)
1518 {
1519 DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
1520 exchange_type_names, msg->get_exchange_type(msg));
1521 return FAILED;
1522 }
1523 }
1524
1525 if (msg->get_exchange_type(msg) == TRANSACTION &&
1526 this->active_tasks->get_count(this->active_tasks))
1527 { /* main mode not yet complete, queue XAuth/Mode config tasks */
1528 if (this->queued)
1529 {
1530 DBG1(DBG_IKE, "ignoring additional %N request, queue full",
1531 exchange_type_names, TRANSACTION);
1532 return SUCCESS;
1533 }
1534 this->queued = message_create_from_packet(msg->get_packet(msg));
1535 if (this->queued->parse_header(this->queued) != SUCCESS)
1536 {
1537 this->queued->destroy(this->queued);
1538 this->queued = NULL;
1539 return FAILED;
1540 }
1541 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1542 exchange_type_names, TRANSACTION);
1543 return SUCCESS;
1544 }
1545
1546 msg->set_request(msg, TRUE);
1547 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1548 status = parse_message(this, msg);
1549 if (status == NEED_MORE)
1550 {
1551 return SUCCESS;
1552 }
1553 if (status != SUCCESS)
1554 {
1555 return status;
1556 }
1557 /* if this IKE_SA is virgin, we check for a config */
1558 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1559 {
1560 ike_sa_id_t *ike_sa_id;
1561 ike_cfg_t *ike_cfg;
1562 job_t *job;
1563
1564 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1565 me, other, IKEV1);
1566 if (ike_cfg == NULL)
1567 {
1568 /* no config found for these hosts, destroy */
1569 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1570 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1571 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1572 return DESTROY_ME;
1573 }
1574 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1575 ike_cfg->destroy(ike_cfg);
1576 /* add a timeout if peer does not establish it completely */
1577 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1578 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1579 lib->scheduler->schedule_job(lib->scheduler, job,
1580 lib->settings->get_int(lib->settings,
1581 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1582 lib->ns));
1583 }
1584 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1585 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1586 if (process_request(this, msg) != SUCCESS)
1587 {
1588 flush(this);
1589 return DESTROY_ME;
1590 }
1591 this->responding.hash = hash;
1592 }
1593 return SUCCESS;
1594 }
1595
1596 METHOD(task_manager_t, queue_task, void,
1597 private_task_manager_t *this, task_t *task)
1598 {
1599 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1600 this->queued_tasks->insert_last(this->queued_tasks, task);
1601 }
1602
1603 /**
1604 * Check if a given task has been queued already
1605 */
1606 static bool has_queued(private_task_manager_t *this, task_type_t type)
1607 {
1608 enumerator_t *enumerator;
1609 bool found = FALSE;
1610 task_t *task;
1611
1612 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1613 while (enumerator->enumerate(enumerator, &task))
1614 {
1615 if (task->get_type(task) == type)
1616 {
1617 found = TRUE;
1618 break;
1619 }
1620 }
1621 enumerator->destroy(enumerator);
1622 return found;
1623 }
1624
1625 METHOD(task_manager_t, queue_ike, void,
1626 private_task_manager_t *this)
1627 {
1628 peer_cfg_t *peer_cfg;
1629
1630 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1631 {
1632 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1633 }
1634 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1635 {
1636 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1637 }
1638 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1639 if (peer_cfg->use_aggressive(peer_cfg))
1640 {
1641 if (!has_queued(this, TASK_AGGRESSIVE_MODE))
1642 {
1643 queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
1644 }
1645 this->frag.exchange = AGGRESSIVE;
1646 }
1647 else
1648 {
1649 if (!has_queued(this, TASK_MAIN_MODE))
1650 {
1651 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1652 }
1653 }
1654 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1655 {
1656 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1657 }
1658 if (!has_queued(this, TASK_ISAKMP_NATD))
1659 {
1660 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1661 }
1662 }
1663
1664 METHOD(task_manager_t, queue_ike_reauth, void,
1665 private_task_manager_t *this)
1666 {
1667 enumerator_t *enumerator;
1668 child_sa_t *child_sa;
1669 ike_sa_t *new;
1670 host_t *host;
1671
1672 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1673 this->ike_sa->get_version(this->ike_sa), TRUE);
1674 if (!new)
1675 { /* shouldn't happen */
1676 return;
1677 }
1678
1679 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1680 host = this->ike_sa->get_other_host(this->ike_sa);
1681 new->set_other_host(new, host->clone(host));
1682 host = this->ike_sa->get_my_host(this->ike_sa);
1683 new->set_my_host(new, host->clone(host));
1684 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1685 while (enumerator->enumerate(enumerator, &host))
1686 {
1687 new->add_virtual_ip(new, TRUE, host);
1688 }
1689 enumerator->destroy(enumerator);
1690
1691 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1692 while (enumerator->enumerate(enumerator, &child_sa))
1693 {
1694 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1695 new->add_child_sa(new, child_sa);
1696 }
1697 enumerator->destroy(enumerator);
1698
1699 if (!new->get_child_count(new))
1700 { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
1701 task_t *task;
1702
1703 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1704 while (enumerator->enumerate(enumerator, &task))
1705 {
1706 if (task->get_type(task) == TASK_QUICK_MODE)
1707 {
1708 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
1709 task->migrate(task, new);
1710 new->queue_task(new, task);
1711 }
1712 }
1713 enumerator->destroy(enumerator);
1714 }
1715
1716 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1717 {
1718 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1719 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1720 }
1721 else
1722 {
1723 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1724 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1725 }
1726 charon->bus->set_sa(charon->bus, this->ike_sa);
1727 }
1728
1729 METHOD(task_manager_t, queue_ike_rekey, void,
1730 private_task_manager_t *this)
1731 {
1732 queue_ike_reauth(this);
1733 }
1734
1735 METHOD(task_manager_t, queue_ike_delete, void,
1736 private_task_manager_t *this)
1737 {
1738 enumerator_t *enumerator;
1739 child_sa_t *child_sa;
1740
1741 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1742 while (enumerator->enumerate(enumerator, &child_sa))
1743 {
1744 queue_task(this, (task_t*)
1745 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1746 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1747 }
1748 enumerator->destroy(enumerator);
1749
1750 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1751 }
1752
1753 METHOD(task_manager_t, queue_mobike, void,
1754 private_task_manager_t *this, bool roam, bool address)
1755 {
1756 /* Not supported in IKEv1 */
1757 }
1758
1759 METHOD(task_manager_t, queue_child, void,
1760 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1761 traffic_selector_t *tsi, traffic_selector_t *tsr)
1762 {
1763 quick_mode_t *task;
1764
1765 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1766 task->use_reqid(task, reqid);
1767
1768 queue_task(this, &task->task);
1769 }
1770
1771 /**
1772 * Check if two CHILD_SAs have the same traffic selector
1773 */
1774 static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
1775 {
1776 enumerator_t *e1, *e2;
1777 traffic_selector_t *ts1, *ts2;
1778 bool equal = FALSE;
1779
1780 e1 = child1->create_ts_enumerator(child1, local);
1781 e2 = child2->create_ts_enumerator(child2, local);
1782 if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
1783 {
1784 equal = ts1->equals(ts1, ts2);
1785 }
1786 e2->destroy(e2);
1787 e1->destroy(e1);
1788
1789 return equal;
1790 }
1791
1792 /**
1793 * Check if a CHILD_SA is redundant and we should delete instead of rekey
1794 */
1795 static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
1796 {
1797 enumerator_t *enumerator;
1798 child_sa_t *current;
1799 bool redundant = FALSE;
1800
1801 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1802 while (enumerator->enumerate(enumerator, &current))
1803 {
1804 if (current->get_state(current) == CHILD_INSTALLED &&
1805 streq(current->get_name(current), child_sa->get_name(child_sa)) &&
1806 have_equal_ts(current, child_sa, TRUE) &&
1807 have_equal_ts(current, child_sa, FALSE) &&
1808 current->get_lifetime(current, FALSE) >
1809 child_sa->get_lifetime(child_sa, FALSE))
1810 {
1811 DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
1812 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
1813 redundant = TRUE;
1814 break;
1815 }
1816 }
1817 enumerator->destroy(enumerator);
1818
1819 return redundant;
1820 }
1821
1822 /**
1823 * Get the first traffic selector of a CHILD_SA, local or remote
1824 */
1825 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
1826 {
1827 traffic_selector_t *ts = NULL;
1828 enumerator_t *enumerator;
1829
1830 enumerator = child_sa->create_ts_enumerator(child_sa, local);
1831 enumerator->enumerate(enumerator, &ts);
1832 enumerator->destroy(enumerator);
1833
1834 return ts;
1835 }
1836
1837 METHOD(task_manager_t, queue_child_rekey, void,
1838 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1839 {
1840 child_sa_t *child_sa;
1841 child_cfg_t *cfg;
1842 quick_mode_t *task;
1843
1844 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1845 if (!child_sa)
1846 {
1847 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1848 }
1849 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1850 {
1851 if (is_redundant(this, child_sa))
1852 {
1853 queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
1854 protocol, spi, FALSE, FALSE));
1855 }
1856 else
1857 {
1858 child_sa->set_state(child_sa, CHILD_REKEYING);
1859 cfg = child_sa->get_config(child_sa);
1860 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
1861 get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
1862 task->use_reqid(task, child_sa->get_reqid(child_sa));
1863 task->rekey(task, child_sa->get_spi(child_sa, TRUE));
1864
1865 queue_task(this, &task->task);
1866 }
1867 }
1868 }
1869
1870 METHOD(task_manager_t, queue_child_delete, void,
1871 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1872 bool expired)
1873 {
1874 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1875 spi, FALSE, expired));
1876 }
1877
1878 METHOD(task_manager_t, queue_dpd, void,
1879 private_task_manager_t *this)
1880 {
1881 peer_cfg_t *peer_cfg;
1882 u_int32_t t, retransmit;
1883
1884 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
1885 this->dpd_send++));
1886 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1887
1888 /* compute timeout in milliseconds */
1889 t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
1890 if (t == 0)
1891 {
1892 /* use the same timeout as a retransmitting IKE message would have */
1893 for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
1894 {
1895 t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
1896 pow(this->retransmit_base, retransmit));
1897 }
1898 }
1899
1900 /* schedule DPD timeout job */
1901 lib->scheduler->schedule_job_ms(lib->scheduler,
1902 (job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
1903 }
1904
1905 METHOD(task_manager_t, adopt_tasks, void,
1906 private_task_manager_t *this, task_manager_t *other_public)
1907 {
1908 private_task_manager_t *other = (private_task_manager_t*)other_public;
1909 task_t *task;
1910
1911 /* move queued tasks from other to this */
1912 while (other->queued_tasks->remove_last(other->queued_tasks,
1913 (void**)&task) == SUCCESS)
1914 {
1915 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1916 task->migrate(task, this->ike_sa);
1917 this->queued_tasks->insert_first(this->queued_tasks, task);
1918 }
1919 }
1920
1921 /**
1922 * Migrates child-creating tasks from src to dst
1923 */
1924 static void migrate_child_tasks(private_task_manager_t *this,
1925 linked_list_t *src, linked_list_t *dst)
1926 {
1927 enumerator_t *enumerator;
1928 task_t *task;
1929
1930 enumerator = src->create_enumerator(src);
1931 while (enumerator->enumerate(enumerator, &task))
1932 {
1933 if (task->get_type(task) == TASK_QUICK_MODE)
1934 {
1935 src->remove_at(src, enumerator);
1936 task->migrate(task, this->ike_sa);
1937 dst->insert_last(dst, task);
1938 }
1939 }
1940 enumerator->destroy(enumerator);
1941 }
1942
1943 METHOD(task_manager_t, adopt_child_tasks, void,
1944 private_task_manager_t *this, task_manager_t *other_public)
1945 {
1946 private_task_manager_t *other = (private_task_manager_t*)other_public;
1947
1948 /* move active child tasks from other to this */
1949 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1950 /* do the same for queued tasks */
1951 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1952 }
1953
1954 METHOD(task_manager_t, busy, bool,
1955 private_task_manager_t *this)
1956 {
1957 return (this->active_tasks->get_count(this->active_tasks) > 0);
1958 }
1959
1960 METHOD(task_manager_t, incr_mid, void,
1961 private_task_manager_t *this, bool initiate)
1962 {
1963 }
1964
1965 METHOD(task_manager_t, reset, void,
1966 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1967 {
1968 enumerator_t *enumerator;
1969 task_t *task;
1970
1971 /* reset message counters and retransmit packets */
1972 DESTROY_IF(this->responding.packet);
1973 DESTROY_IF(this->initiating.packet);
1974 this->responding.packet = NULL;
1975 this->responding.seqnr = RESPONDING_SEQ;
1976 this->responding.retransmitted = 0;
1977 this->initiating.packet = NULL;
1978 this->initiating.mid = 0;
1979 this->initiating.seqnr = 0;
1980 this->initiating.retransmitted = 0;
1981 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1982 clear_fragments(this, 0);
1983 if (initiate != UINT_MAX)
1984 {
1985 this->dpd_send = initiate;
1986 }
1987 if (respond != UINT_MAX)
1988 {
1989 this->dpd_recv = respond;
1990 }
1991
1992 /* reset queued tasks */
1993 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1994 while (enumerator->enumerate(enumerator, &task))
1995 {
1996 task->migrate(task, this->ike_sa);
1997 }
1998 enumerator->destroy(enumerator);
1999
2000 /* reset active tasks */
2001 while (this->active_tasks->remove_last(this->active_tasks,
2002 (void**)&task) == SUCCESS)
2003 {
2004 task->migrate(task, this->ike_sa);
2005 this->queued_tasks->insert_first(this->queued_tasks, task);
2006 }
2007 }
2008
2009 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2010 private_task_manager_t *this, task_queue_t queue)
2011 {
2012 switch (queue)
2013 {
2014 case TASK_QUEUE_ACTIVE:
2015 return this->active_tasks->create_enumerator(this->active_tasks);
2016 case TASK_QUEUE_PASSIVE:
2017 return this->passive_tasks->create_enumerator(this->passive_tasks);
2018 case TASK_QUEUE_QUEUED:
2019 return this->queued_tasks->create_enumerator(this->queued_tasks);
2020 default:
2021 return enumerator_create_empty();
2022 }
2023 }
2024
2025 METHOD(task_manager_t, destroy, void,
2026 private_task_manager_t *this)
2027 {
2028 flush(this);
2029
2030 this->active_tasks->destroy(this->active_tasks);
2031 this->queued_tasks->destroy(this->queued_tasks);
2032 this->passive_tasks->destroy(this->passive_tasks);
2033 clear_fragments(this, 0);
2034
2035 DESTROY_IF(this->queued);
2036 DESTROY_IF(this->responding.packet);
2037 DESTROY_IF(this->initiating.packet);
2038 DESTROY_IF(this->rng);
2039 free(this);
2040 }
2041
2042 /*
2043 * see header file
2044 */
2045 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
2046 {
2047 private_task_manager_t *this;
2048
2049 INIT(this,
2050 .public = {
2051 .task_manager = {
2052 .process_message = _process_message,
2053 .queue_task = _queue_task,
2054 .queue_ike = _queue_ike,
2055 .queue_ike_rekey = _queue_ike_rekey,
2056 .queue_ike_reauth = _queue_ike_reauth,
2057 .queue_ike_delete = _queue_ike_delete,
2058 .queue_mobike = _queue_mobike,
2059 .queue_child = _queue_child,
2060 .queue_child_rekey = _queue_child_rekey,
2061 .queue_child_delete = _queue_child_delete,
2062 .queue_dpd = _queue_dpd,
2063 .initiate = _initiate,
2064 .retransmit = _retransmit,
2065 .incr_mid = _incr_mid,
2066 .reset = _reset,
2067 .adopt_tasks = _adopt_tasks,
2068 .adopt_child_tasks = _adopt_child_tasks,
2069 .busy = _busy,
2070 .create_task_enumerator = _create_task_enumerator,
2071 .flush = _flush,
2072 .flush_queue = _flush_queue,
2073 .destroy = _destroy,
2074 },
2075 },
2076 .initiating = {
2077 .type = EXCHANGE_TYPE_UNDEFINED,
2078 },
2079 .responding = {
2080 .seqnr = RESPONDING_SEQ,
2081 },
2082 .frag = {
2083 .exchange = ID_PROT,
2084 .max_packet = lib->settings->get_int(lib->settings,
2085 "%s.max_packet", MAX_PACKET, lib->ns),
2086 .size = lib->settings->get_int(lib->settings,
2087 "%s.fragment_size", MAX_FRAGMENT_SIZE, lib->ns),
2088 },
2089 .ike_sa = ike_sa,
2090 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
2091 .queued_tasks = linked_list_create(),
2092 .active_tasks = linked_list_create(),
2093 .passive_tasks = linked_list_create(),
2094 .retransmit_tries = lib->settings->get_int(lib->settings,
2095 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2096 .retransmit_timeout = lib->settings->get_double(lib->settings,
2097 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2098 .retransmit_base = lib->settings->get_double(lib->settings,
2099 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2100 );
2101
2102 if (!this->rng)
2103 {
2104 DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
2105 destroy(this);
2106 return NULL;
2107 }
2108 if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
2109 (void*)&this->dpd_send))
2110 {
2111 DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
2112 destroy(this);
2113 return NULL;
2114 }
2115 this->dpd_send &= 0x7FFFFFFF;
2116
2117 return &this->public;
2118 }