ikev1: Move fragment generation to message_t
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2014 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/aggressive_mode.h>
24 #include <sa/ikev1/tasks/quick_mode.h>
25 #include <sa/ikev1/tasks/quick_delete.h>
26 #include <sa/ikev1/tasks/xauth.h>
27 #include <sa/ikev1/tasks/mode_config.h>
28 #include <sa/ikev1/tasks/informational.h>
29 #include <sa/ikev1/tasks/isakmp_natd.h>
30 #include <sa/ikev1/tasks/isakmp_vendor.h>
31 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
32 #include <sa/ikev1/tasks/isakmp_cert_post.h>
33 #include <sa/ikev1/tasks/isakmp_delete.h>
34 #include <sa/ikev1/tasks/isakmp_dpd.h>
35
36 #include <processing/jobs/retransmit_job.h>
37 #include <processing/jobs/delete_ike_sa_job.h>
38 #include <processing/jobs/dpd_timeout_job.h>
39 #include <processing/jobs/process_message_job.h>
40
41 #include <encoding/payloads/fragment_payload.h>
42 #include <bio/bio_writer.h>
43 #include <collections/array.h>
44
45 /**
46 * Number of old messages hashes we keep for retransmission.
47 *
48 * In Main Mode, we must ignore messages from a previous message pair if
49 * we already continued to the next. Otherwise a late retransmission
50 * could be considered as a reply to the newer request.
51 */
52 #define MAX_OLD_HASHES 2
53
54 /**
55 * Maximum packet size for fragmented packets (same as in sockets)
56 */
57 #define MAX_PACKET 10000
58
59 /**
60 * First sequence number of responding packets.
61 *
62 * To distinguish retransmission jobs for initiating and responding packets,
63 * we split up the sequence counter and use the upper half for responding.
64 */
65 #define RESPONDING_SEQ INT_MAX
66
67 typedef struct exchange_t exchange_t;
68
69 /**
70 * An exchange in the air, used do detect and handle retransmission
71 */
72 struct exchange_t {
73
74 /**
75 * Message ID used for this transaction
76 */
77 u_int32_t mid;
78
79 /**
80 * generated packet for retransmission
81 */
82 packet_t *packet;
83 };
84
85 typedef struct private_task_manager_t private_task_manager_t;
86
87 /**
88 * private data of the task manager
89 */
90 struct private_task_manager_t {
91
92 /**
93 * public functions
94 */
95 task_manager_v1_t public;
96
97 /**
98 * associated IKE_SA we are serving
99 */
100 ike_sa_t *ike_sa;
101
102 /**
103 * RNG to create message IDs
104 */
105 rng_t *rng;
106
107 /**
108 * Exchange we are currently handling as responder
109 */
110 struct {
111 /**
112 * Message ID of the last response
113 */
114 u_int32_t mid;
115
116 /**
117 * Hash of a previously received message
118 */
119 u_int32_t hash;
120
121 /**
122 * packet(s) for retransmission
123 */
124 array_t *packets;
125
126 /**
127 * Sequence number of the last sent message
128 */
129 u_int32_t seqnr;
130
131 /**
132 * how many times we have retransmitted so far
133 */
134 u_int retransmitted;
135
136 } responding;
137
138 /**
139 * Exchange we are currently handling as initiator
140 */
141 struct {
142 /**
143 * Message ID of the exchange
144 */
145 u_int32_t mid;
146
147 /**
148 * Hashes of old responses we can ignore
149 */
150 u_int32_t old_hashes[MAX_OLD_HASHES];
151
152 /**
153 * Position in old hash array
154 */
155 int old_hash_pos;
156
157 /**
158 * Sequence number of the last sent message
159 */
160 u_int32_t seqnr;
161
162 /**
163 * how many times we have retransmitted so far
164 */
165 u_int retransmitted;
166
167 /**
168 * packet(s) for retransmission
169 */
170 array_t *packets;
171
172 /**
173 * type of the initiated exchange
174 */
175 exchange_type_t type;
176
177 } initiating;
178
179 /**
180 * Data used to reassemble a fragmented message
181 */
182 struct {
183
184 /**
185 * Fragment ID (currently only one is supported at a time)
186 */
187 u_int16_t id;
188
189 /**
190 * The number of the last fragment (in case we receive the fragments out
191 * of order), since the first starts with 1 this defines the number of
192 * fragments we expect
193 */
194 u_int8_t last;
195
196 /**
197 * List of fragments (fragment_t*)
198 */
199 linked_list_t *list;
200
201 /**
202 * Length of all currently received fragments
203 */
204 size_t len;
205
206 /**
207 * Maximum length of a fragmented packet
208 */
209 size_t max_packet;
210
211 /**
212 * Maximum length of a single fragment (when sending)
213 */
214 size_t size;
215
216 /**
217 * The exchange type we use for fragments. Always the initial type even
218 * for fragmented quick mode or transaction messages (i.e. either
219 * ID_PROT or AGGRESSIVE)
220 */
221 exchange_type_t exchange;
222
223 } frag;
224
225 /**
226 * List of queued tasks not yet in action
227 */
228 linked_list_t *queued_tasks;
229
230 /**
231 * List of active tasks, initiated by ourselves
232 */
233 linked_list_t *active_tasks;
234
235 /**
236 * List of tasks initiated by peer
237 */
238 linked_list_t *passive_tasks;
239
240 /**
241 * Queued messages not yet ready to process
242 */
243 message_t *queued;
244
245 /**
246 * Number of times we retransmit messages before giving up
247 */
248 u_int retransmit_tries;
249
250 /**
251 * Retransmission timeout
252 */
253 double retransmit_timeout;
254
255 /**
256 * Base to calculate retransmission timeout
257 */
258 double retransmit_base;
259
260 /**
261 * Sequence number for sending DPD requests
262 */
263 u_int32_t dpd_send;
264
265 /**
266 * Sequence number for received DPD requests
267 */
268 u_int32_t dpd_recv;
269 };
270
271 /**
272 * A single fragment within a fragmented message
273 */
274 typedef struct {
275
276 /** fragment number */
277 u_int8_t num;
278
279 /** fragment data */
280 chunk_t data;
281
282 } fragment_t;
283
284 static void fragment_destroy(fragment_t *this)
285 {
286 chunk_free(&this->data);
287 free(this);
288 }
289
290 static void clear_fragments(private_task_manager_t *this, u_int16_t id)
291 {
292 DESTROY_FUNCTION_IF(this->frag.list, (void*)fragment_destroy);
293 this->frag.list = NULL;
294 this->frag.last = 0;
295 this->frag.len = 0;
296 this->frag.id = id;
297 }
298
299 /**
300 * Reset retransmission packet list
301 */
302 static void clear_packets(array_t *array)
303 {
304 packet_t *packet;
305
306 while (array_remove(array, ARRAY_TAIL, &packet))
307 {
308 packet->destroy(packet);
309 }
310 }
311
312 METHOD(task_manager_t, flush_queue, void,
313 private_task_manager_t *this, task_queue_t queue)
314 {
315 linked_list_t *list;
316 task_t *task;
317
318 if (this->queued)
319 {
320 this->queued->destroy(this->queued);
321 this->queued = NULL;
322 }
323 switch (queue)
324 {
325 case TASK_QUEUE_ACTIVE:
326 list = this->active_tasks;
327 /* cancel pending retransmits */
328 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
329 clear_packets(this->initiating.packets);
330 break;
331 case TASK_QUEUE_PASSIVE:
332 list = this->passive_tasks;
333 break;
334 case TASK_QUEUE_QUEUED:
335 list = this->queued_tasks;
336 break;
337 default:
338 return;
339 }
340 while (list->remove_last(list, (void**)&task) == SUCCESS)
341 {
342 task->destroy(task);
343 }
344 }
345
346 METHOD(task_manager_t, flush, void,
347 private_task_manager_t *this)
348 {
349 flush_queue(this, TASK_QUEUE_QUEUED);
350 flush_queue(this, TASK_QUEUE_PASSIVE);
351 flush_queue(this, TASK_QUEUE_ACTIVE);
352 }
353
354 /**
355 * move a task of a specific type from the queue to the active list
356 */
357 static bool activate_task(private_task_manager_t *this, task_type_t type)
358 {
359 enumerator_t *enumerator;
360 task_t *task;
361 bool found = FALSE;
362
363 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
364 while (enumerator->enumerate(enumerator, (void**)&task))
365 {
366 if (task->get_type(task) == type)
367 {
368 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
369 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
370 this->active_tasks->insert_last(this->active_tasks, task);
371 found = TRUE;
372 break;
373 }
374 }
375 enumerator->destroy(enumerator);
376 return found;
377 }
378
379 /**
380 * Send packets in the given array (they get cloned)
381 */
382 static void send_packets(private_task_manager_t *this, array_t *packets)
383 {
384 enumerator_t *enumerator;
385 packet_t *packet;
386
387 enumerator = array_create_enumerator(packets);
388 while (enumerator->enumerate(enumerator, &packet))
389 {
390 charon->sender->send(charon->sender, packet->clone(packet));
391 }
392 enumerator->destroy(enumerator);
393 }
394
395 /**
396 * Generates the given message and stores packet(s) in the given array
397 */
398 static bool generate_message(private_task_manager_t *this, message_t *message,
399 array_t **packets)
400 {
401 bool use_frags = FALSE, result = TRUE;
402 ike_cfg_t *ike_cfg;
403 enumerator_t *fragments;
404 message_t *fragment;
405 packet_t *packet;
406 status_t status;
407
408 if (this->ike_sa->generate_message(this->ike_sa, message,
409 &packet) != SUCCESS)
410 {
411 return FALSE;
412 }
413
414 ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
415 if (ike_cfg)
416 {
417 switch (ike_cfg->fragmentation(ike_cfg))
418 {
419 case FRAGMENTATION_FORCE:
420 use_frags = TRUE;
421 break;
422 case FRAGMENTATION_YES:
423 use_frags = this->ike_sa->supports_extension(this->ike_sa,
424 EXT_IKE_FRAGMENTATION);
425 break;
426 default:
427 break;
428 }
429 }
430
431 if (!use_frags)
432 {
433 array_insert_create(packets, ARRAY_TAIL, packet);
434 return TRUE;
435 }
436 /* other implementations seem to just use 0 as message ID, so here we go */
437 message->set_message_id(message, 0);
438 /* always use the initial message type for fragments */
439 message->set_exchange_type(message, this->frag.exchange);
440 status = message->fragment(message, this->frag.size, &fragments);
441 if (status == ALREADY_DONE)
442 {
443 array_insert_create(packets, ARRAY_TAIL, packet);
444 return TRUE;
445 }
446 else if (status != SUCCESS)
447 {
448 packet->destroy(packet);
449 return FALSE;
450 }
451 packet->destroy(packet);
452
453 while (fragments->enumerate(fragments, &fragment))
454 {
455 status = this->ike_sa->generate_message(this->ike_sa, fragment,
456 &packet);
457 if (status != SUCCESS)
458 {
459 DBG1(DBG_IKE, "failed to generate IKE fragment");
460 result = FALSE;
461 break;
462 }
463 array_insert_create(packets, ARRAY_TAIL, packet);
464 }
465 fragments->destroy(fragments);
466 return result;
467 }
468
469 /**
470 * Retransmit a packet (or its fragments)
471 */
472 static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
473 u_int mid, u_int retransmitted, array_t *packets)
474 {
475 packet_t *packet;
476 u_int32_t t;
477
478 array_get(packets, 0, &packet);
479 if (retransmitted > this->retransmit_tries)
480 {
481 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
482 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, packet);
483 return DESTROY_ME;
484 }
485 t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
486 pow(this->retransmit_base, retransmitted));
487 if (retransmitted)
488 {
489 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
490 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
491 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
492 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
493 }
494 send_packets(this, packets);
495 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
496 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
497 return NEED_MORE;
498 }
499
500 METHOD(task_manager_t, retransmit, status_t,
501 private_task_manager_t *this, u_int32_t seqnr)
502 {
503 status_t status = SUCCESS;
504
505 if (seqnr == this->initiating.seqnr &&
506 array_count(this->initiating.packets))
507 {
508 status = retransmit_packet(this, seqnr, this->initiating.mid,
509 this->initiating.retransmitted, this->initiating.packets);
510 if (status == NEED_MORE)
511 {
512 this->initiating.retransmitted++;
513 status = SUCCESS;
514 }
515 }
516 if (seqnr == this->responding.seqnr &&
517 array_count(this->responding.packets))
518 {
519 status = retransmit_packet(this, seqnr, this->responding.mid,
520 this->responding.retransmitted, this->responding.packets);
521 if (status == NEED_MORE)
522 {
523 this->responding.retransmitted++;
524 status = SUCCESS;
525 }
526 }
527 return status;
528 }
529
530 /**
531 * Check if we have to wait for a mode config before starting a quick mode
532 */
533 static bool mode_config_expected(private_task_manager_t *this)
534 {
535 enumerator_t *enumerator;
536 peer_cfg_t *peer_cfg;
537 char *pool;
538 bool local;
539 host_t *host;
540
541 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
542 if (peer_cfg)
543 {
544 if (peer_cfg->use_pull_mode(peer_cfg))
545 {
546 enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
547 if (!enumerator->enumerate(enumerator, &pool))
548 { /* no pool configured */
549 enumerator->destroy(enumerator);
550 return FALSE;
551 }
552 enumerator->destroy(enumerator);
553
554 local = FALSE;
555 }
556 else
557 {
558 enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
559 if (!enumerator->enumerate(enumerator, &host))
560 { /* not requesting a vip */
561 enumerator->destroy(enumerator);
562 return FALSE;
563 }
564 enumerator->destroy(enumerator);
565
566 local = TRUE;
567 }
568 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
569 local);
570 if (!enumerator->enumerate(enumerator, &host))
571 { /* expecting a VIP exchange, but no VIP assigned yet */
572 enumerator->destroy(enumerator);
573 return TRUE;
574 }
575 enumerator->destroy(enumerator);
576 }
577 return FALSE;
578 }
579
580 METHOD(task_manager_t, initiate, status_t,
581 private_task_manager_t *this)
582 {
583 enumerator_t *enumerator;
584 task_t *task;
585 message_t *message;
586 host_t *me, *other;
587 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
588 bool new_mid = FALSE, expect_response = FALSE, cancelled = FALSE, keep = FALSE;
589
590 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED &&
591 this->initiating.type != INFORMATIONAL_V1)
592 {
593 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
594 exchange_type_names, this->initiating.type);
595 /* do not initiate if we already have a message in the air */
596 return SUCCESS;
597 }
598
599 if (this->active_tasks->get_count(this->active_tasks) == 0)
600 {
601 DBG2(DBG_IKE, "activating new tasks");
602 switch (this->ike_sa->get_state(this->ike_sa))
603 {
604 case IKE_CREATED:
605 activate_task(this, TASK_ISAKMP_VENDOR);
606 activate_task(this, TASK_ISAKMP_CERT_PRE);
607 if (activate_task(this, TASK_MAIN_MODE))
608 {
609 exchange = ID_PROT;
610 }
611 else if (activate_task(this, TASK_AGGRESSIVE_MODE))
612 {
613 exchange = AGGRESSIVE;
614 }
615 activate_task(this, TASK_ISAKMP_CERT_POST);
616 activate_task(this, TASK_ISAKMP_NATD);
617 break;
618 case IKE_CONNECTING:
619 if (activate_task(this, TASK_ISAKMP_DELETE))
620 {
621 exchange = INFORMATIONAL_V1;
622 new_mid = TRUE;
623 break;
624 }
625 if (activate_task(this, TASK_XAUTH))
626 {
627 exchange = TRANSACTION;
628 new_mid = TRUE;
629 break;
630 }
631 if (activate_task(this, TASK_INFORMATIONAL))
632 {
633 exchange = INFORMATIONAL_V1;
634 new_mid = TRUE;
635 break;
636 }
637 break;
638 case IKE_ESTABLISHED:
639 if (activate_task(this, TASK_MODE_CONFIG))
640 {
641 exchange = TRANSACTION;
642 new_mid = TRUE;
643 break;
644 }
645 if (!mode_config_expected(this) &&
646 activate_task(this, TASK_QUICK_MODE))
647 {
648 exchange = QUICK_MODE;
649 new_mid = TRUE;
650 break;
651 }
652 if (activate_task(this, TASK_INFORMATIONAL))
653 {
654 exchange = INFORMATIONAL_V1;
655 new_mid = TRUE;
656 break;
657 }
658 if (activate_task(this, TASK_QUICK_DELETE))
659 {
660 exchange = INFORMATIONAL_V1;
661 new_mid = TRUE;
662 break;
663 }
664 if (activate_task(this, TASK_ISAKMP_DELETE))
665 {
666 exchange = INFORMATIONAL_V1;
667 new_mid = TRUE;
668 break;
669 }
670 if (activate_task(this, TASK_ISAKMP_DPD))
671 {
672 exchange = INFORMATIONAL_V1;
673 new_mid = TRUE;
674 break;
675 }
676 break;
677 default:
678 break;
679 }
680 }
681 else
682 {
683 DBG2(DBG_IKE, "reinitiating already active tasks");
684 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
685 while (enumerator->enumerate(enumerator, (void**)&task))
686 {
687 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
688 switch (task->get_type(task))
689 {
690 case TASK_MAIN_MODE:
691 exchange = ID_PROT;
692 break;
693 case TASK_AGGRESSIVE_MODE:
694 exchange = AGGRESSIVE;
695 break;
696 case TASK_QUICK_MODE:
697 exchange = QUICK_MODE;
698 break;
699 case TASK_XAUTH:
700 exchange = TRANSACTION;
701 new_mid = TRUE;
702 break;
703 default:
704 continue;
705 }
706 break;
707 }
708 enumerator->destroy(enumerator);
709 }
710
711 if (exchange == EXCHANGE_TYPE_UNDEFINED)
712 {
713 DBG2(DBG_IKE, "nothing to initiate");
714 /* nothing to do yet... */
715 return SUCCESS;
716 }
717
718 me = this->ike_sa->get_my_host(this->ike_sa);
719 other = this->ike_sa->get_other_host(this->ike_sa);
720
721 if (new_mid)
722 {
723 if (!this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
724 (void*)&this->initiating.mid))
725 {
726 DBG1(DBG_IKE, "failed to allocate message ID, destroying IKE_SA");
727 flush(this);
728 return DESTROY_ME;
729 }
730 }
731 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
732 message->set_message_id(message, this->initiating.mid);
733 message->set_source(message, me->clone(me));
734 message->set_destination(message, other->clone(other));
735 message->set_exchange_type(message, exchange);
736 this->initiating.type = exchange;
737 this->initiating.retransmitted = 0;
738
739 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
740 while (enumerator->enumerate(enumerator, (void*)&task))
741 {
742 switch (task->build(task, message))
743 {
744 case SUCCESS:
745 /* task completed, remove it */
746 this->active_tasks->remove_at(this->active_tasks, enumerator);
747 if (task->get_type(task) == TASK_AGGRESSIVE_MODE ||
748 task->get_type(task) == TASK_QUICK_MODE)
749 { /* last message of three message exchange */
750 keep = TRUE;
751 }
752 task->destroy(task);
753 continue;
754 case NEED_MORE:
755 expect_response = TRUE;
756 /* processed, but task needs another exchange */
757 continue;
758 case ALREADY_DONE:
759 cancelled = TRUE;
760 break;
761 case FAILED:
762 default:
763 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
764 {
765 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
766 }
767 /* FALL */
768 case DESTROY_ME:
769 /* critical failure, destroy IKE_SA */
770 enumerator->destroy(enumerator);
771 message->destroy(message);
772 flush(this);
773 return DESTROY_ME;
774 }
775 break;
776 }
777 enumerator->destroy(enumerator);
778
779 if (this->active_tasks->get_count(this->active_tasks) == 0 &&
780 (exchange == QUICK_MODE || exchange == AGGRESSIVE))
781 { /* tasks completed, no exchange active anymore */
782 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
783 }
784 if (cancelled)
785 {
786 message->destroy(message);
787 return initiate(this);
788 }
789
790 clear_packets(this->initiating.packets);
791 if (!generate_message(this, message, &this->initiating.packets))
792 {
793 /* message generation failed. There is nothing more to do than to
794 * close the SA */
795 message->destroy(message);
796 flush(this);
797 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
798 return DESTROY_ME;
799 }
800
801 this->initiating.seqnr++;
802 if (expect_response)
803 {
804 message->destroy(message);
805 return retransmit(this, this->initiating.seqnr);
806 }
807 if (keep)
808 { /* keep the packet for retransmission, the responder might request it */
809 send_packets(this, this->initiating.packets);
810 }
811 else
812 {
813 send_packets(this, this->initiating.packets);
814 clear_packets(this->initiating.packets);
815 }
816 message->destroy(message);
817
818 if (exchange == INFORMATIONAL_V1)
819 {
820 switch (this->ike_sa->get_state(this->ike_sa))
821 {
822 case IKE_CONNECTING:
823 /* close after sending an INFORMATIONAL when unestablished */
824 return FAILED;
825 case IKE_DELETING:
826 /* close after sending a DELETE */
827 return DESTROY_ME;
828 default:
829 break;
830 }
831 }
832 return initiate(this);
833 }
834
835 /**
836 * build a response depending on the "passive" task list
837 */
838 static status_t build_response(private_task_manager_t *this, message_t *request)
839 {
840 enumerator_t *enumerator;
841 task_t *task;
842 message_t *message;
843 host_t *me, *other;
844 bool delete = FALSE, cancelled = FALSE, expect_request = FALSE;
845
846 me = request->get_destination(request);
847 other = request->get_source(request);
848
849 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
850 message->set_exchange_type(message, request->get_exchange_type(request));
851 /* send response along the path the request came in */
852 message->set_source(message, me->clone(me));
853 message->set_destination(message, other->clone(other));
854 message->set_message_id(message, request->get_message_id(request));
855 message->set_request(message, FALSE);
856
857 this->responding.mid = request->get_message_id(request);
858 this->responding.retransmitted = 0;
859 this->responding.seqnr++;
860
861 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
862 while (enumerator->enumerate(enumerator, (void*)&task))
863 {
864 switch (task->build(task, message))
865 {
866 case SUCCESS:
867 /* task completed, remove it */
868 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
869 task->destroy(task);
870 continue;
871 case NEED_MORE:
872 /* processed, but task needs another exchange */
873 if (task->get_type(task) == TASK_QUICK_MODE ||
874 task->get_type(task) == TASK_AGGRESSIVE_MODE)
875 { /* we rely on initiator retransmission, except for
876 * three-message exchanges */
877 expect_request = TRUE;
878 }
879 continue;
880 case ALREADY_DONE:
881 cancelled = TRUE;
882 break;
883 case FAILED:
884 default:
885 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
886 /* FALL */
887 case DESTROY_ME:
888 /* destroy IKE_SA, but SEND response first */
889 delete = TRUE;
890 break;
891 }
892 break;
893 }
894 enumerator->destroy(enumerator);
895
896 clear_packets(this->responding.packets);
897 if (cancelled)
898 {
899 message->destroy(message);
900 return initiate(this);
901 }
902 if (!generate_message(this, message, &this->responding.packets))
903 {
904 message->destroy(message);
905 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
906 return DESTROY_ME;
907 }
908 message->destroy(message);
909
910 if (expect_request && !delete)
911 {
912 return retransmit(this, this->responding.seqnr);
913 }
914 send_packets(this, this->responding.packets);
915 if (delete)
916 {
917 return DESTROY_ME;
918 }
919 return SUCCESS;
920 }
921
922 /**
923 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
924 * The notify protocol_id is set to ISAKMP
925 */
926 static void send_notify(private_task_manager_t *this, message_t *request,
927 notify_type_t type)
928 {
929 message_t *response;
930 array_t *packets = NULL;
931 host_t *me, *other;
932 u_int32_t mid;
933
934 if (request->get_exchange_type(request) == INFORMATIONAL_V1)
935 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
936 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
937 return;
938 }
939 if (!this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid))
940 {
941 DBG1(DBG_IKE, "failed to allocate message ID");
942 return;
943 }
944 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
945 response->set_exchange_type(response, INFORMATIONAL_V1);
946 response->set_request(response, TRUE);
947 response->set_message_id(response, mid);
948 response->add_payload(response, (payload_t*)
949 notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
950 PROTO_IKE, type));
951
952 me = this->ike_sa->get_my_host(this->ike_sa);
953 if (me->is_anyaddr(me))
954 {
955 me = request->get_destination(request);
956 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
957 }
958 other = this->ike_sa->get_other_host(this->ike_sa);
959 if (other->is_anyaddr(other))
960 {
961 other = request->get_source(request);
962 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
963 }
964 response->set_source(response, me->clone(me));
965 response->set_destination(response, other->clone(other));
966 if (generate_message(this, response, &packets))
967 {
968 send_packets(this, packets);
969 }
970 clear_packets(packets);
971 array_destroy(packets);
972 response->destroy(response);
973 }
974
975 /**
976 * Process a DPD request/response
977 */
978 static bool process_dpd(private_task_manager_t *this, message_t *message)
979 {
980 notify_payload_t *notify;
981 notify_type_t type;
982 u_int32_t seq;
983 chunk_t data;
984
985 type = DPD_R_U_THERE;
986 notify = message->get_notify(message, type);
987 if (!notify)
988 {
989 type = DPD_R_U_THERE_ACK;
990 notify = message->get_notify(message, type);
991 }
992 if (!notify)
993 {
994 return FALSE;
995 }
996 data = notify->get_notification_data(notify);
997 if (data.len != 4)
998 {
999 return FALSE;
1000 }
1001 seq = untoh32(data.ptr);
1002
1003 if (type == DPD_R_U_THERE)
1004 {
1005 if (this->dpd_recv == 0 || seq == this->dpd_recv)
1006 { /* check sequence validity */
1007 this->dpd_recv = seq + 1;
1008 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1009 time_monotonic(NULL));
1010 }
1011 /* but respond anyway */
1012 this->ike_sa->queue_task(this->ike_sa,
1013 &isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE_ACK, seq)->task);
1014 }
1015 else /* DPD_R_U_THERE_ACK */
1016 {
1017 if (seq == this->dpd_send - 1)
1018 {
1019 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1020 time_monotonic(NULL));
1021 }
1022 else
1023 {
1024 DBG1(DBG_IKE, "received invalid DPD sequence number %u "
1025 "(expected %u), ignored", seq, this->dpd_send - 1);
1026 }
1027 }
1028 return TRUE;
1029 }
1030
1031 /**
1032 * handle an incoming request message
1033 */
1034 static status_t process_request(private_task_manager_t *this,
1035 message_t *message)
1036 {
1037 enumerator_t *enumerator;
1038 task_t *task = NULL;
1039 bool send_response = FALSE, dpd = FALSE;
1040
1041 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
1042 this->passive_tasks->get_count(this->passive_tasks) == 0)
1043 { /* create tasks depending on request type, if not already some queued */
1044 switch (message->get_exchange_type(message))
1045 {
1046 case ID_PROT:
1047 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
1048 this->passive_tasks->insert_last(this->passive_tasks, task);
1049 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
1050 this->passive_tasks->insert_last(this->passive_tasks, task);
1051 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
1052 this->passive_tasks->insert_last(this->passive_tasks, task);
1053 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
1054 this->passive_tasks->insert_last(this->passive_tasks, task);
1055 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
1056 this->passive_tasks->insert_last(this->passive_tasks, task);
1057 break;
1058 case AGGRESSIVE:
1059 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
1060 this->passive_tasks->insert_last(this->passive_tasks, task);
1061 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
1062 this->passive_tasks->insert_last(this->passive_tasks, task);
1063 task = (task_t *)aggressive_mode_create(this->ike_sa, FALSE);
1064 this->passive_tasks->insert_last(this->passive_tasks, task);
1065 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
1066 this->passive_tasks->insert_last(this->passive_tasks, task);
1067 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
1068 this->passive_tasks->insert_last(this->passive_tasks, task);
1069 this->frag.exchange = AGGRESSIVE;
1070 break;
1071 case QUICK_MODE:
1072 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
1073 {
1074 DBG1(DBG_IKE, "received quick mode request for "
1075 "unestablished IKE_SA, ignored");
1076 return FAILED;
1077 }
1078 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
1079 NULL, NULL);
1080 this->passive_tasks->insert_last(this->passive_tasks, task);
1081 break;
1082 case INFORMATIONAL_V1:
1083 if (process_dpd(this, message))
1084 {
1085 dpd = TRUE;
1086 }
1087 else
1088 {
1089 task = (task_t *)informational_create(this->ike_sa, NULL);
1090 this->passive_tasks->insert_first(this->passive_tasks, task);
1091 }
1092 break;
1093 case TRANSACTION:
1094 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
1095 {
1096 task = (task_t *)mode_config_create(this->ike_sa,
1097 FALSE, TRUE);
1098 }
1099 else
1100 {
1101 task = (task_t *)xauth_create(this->ike_sa, FALSE);
1102 }
1103 this->passive_tasks->insert_last(this->passive_tasks, task);
1104 break;
1105 default:
1106 return FAILED;
1107 }
1108 }
1109 if (dpd)
1110 {
1111 return initiate(this);
1112 }
1113 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, time_monotonic(NULL));
1114
1115 /* let the tasks process the message */
1116 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
1117 while (enumerator->enumerate(enumerator, (void*)&task))
1118 {
1119 switch (task->process(task, message))
1120 {
1121 case SUCCESS:
1122 /* task completed, remove it */
1123 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1124 task->destroy(task);
1125 continue;
1126 case NEED_MORE:
1127 /* processed, but task needs at least another call to build() */
1128 send_response = TRUE;
1129 continue;
1130 case ALREADY_DONE:
1131 send_response = FALSE;
1132 break;
1133 case FAILED:
1134 default:
1135 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1136 /* FALL */
1137 case DESTROY_ME:
1138 /* critical failure, destroy IKE_SA */
1139 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
1140 enumerator->destroy(enumerator);
1141 task->destroy(task);
1142 return DESTROY_ME;
1143 }
1144 break;
1145 }
1146 enumerator->destroy(enumerator);
1147
1148 if (send_response)
1149 {
1150 if (build_response(this, message) != SUCCESS)
1151 {
1152 return DESTROY_ME;
1153 }
1154 }
1155 else
1156 { /* We don't send a response, so don't retransmit one if we get
1157 * the same message again. */
1158 clear_packets(this->responding.packets);
1159 }
1160 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
1161 this->queued_tasks->get_count(this->queued_tasks) > 0)
1162 {
1163 /* passive tasks completed, check if an active task has been queued,
1164 * such as XAUTH or modeconfig push */
1165 return initiate(this);
1166 }
1167 return SUCCESS;
1168 }
1169
1170 /**
1171 * handle an incoming response message
1172 */
1173 static status_t process_response(private_task_manager_t *this,
1174 message_t *message)
1175 {
1176 enumerator_t *enumerator;
1177 message_t *queued;
1178 status_t status;
1179 task_t *task;
1180
1181 if (message->get_exchange_type(message) != this->initiating.type)
1182 {
1183 /* Windows server sends a fourth quick mode message having an initial
1184 * contact notify. Ignore this message for compatibility. */
1185 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED &&
1186 message->get_exchange_type(message) == QUICK_MODE &&
1187 message->get_notify(message, INITIAL_CONTACT))
1188 {
1189 DBG1(DBG_IKE, "ignoring fourth Quick Mode message");
1190 return SUCCESS;
1191 }
1192 DBG1(DBG_IKE, "received %N response, but expected %N",
1193 exchange_type_names, message->get_exchange_type(message),
1194 exchange_type_names, this->initiating.type);
1195 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1196 return DESTROY_ME;
1197 }
1198
1199 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
1200 while (enumerator->enumerate(enumerator, (void*)&task))
1201 {
1202 switch (task->process(task, message))
1203 {
1204 case SUCCESS:
1205 /* task completed, remove it */
1206 this->active_tasks->remove_at(this->active_tasks, enumerator);
1207 task->destroy(task);
1208 continue;
1209 case NEED_MORE:
1210 /* processed, but task needs another exchange */
1211 continue;
1212 case ALREADY_DONE:
1213 break;
1214 case FAILED:
1215 default:
1216 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1217 /* FALL */
1218 case DESTROY_ME:
1219 /* critical failure, destroy IKE_SA */
1220 this->active_tasks->remove_at(this->active_tasks, enumerator);
1221 enumerator->destroy(enumerator);
1222 task->destroy(task);
1223 return DESTROY_ME;
1224 }
1225 break;
1226 }
1227 enumerator->destroy(enumerator);
1228
1229 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1230 clear_packets(this->initiating.packets);
1231
1232 if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
1233 {
1234 queued = this->queued;
1235 this->queued = NULL;
1236 status = this->public.task_manager.process_message(
1237 &this->public.task_manager, queued);
1238 queued->destroy(queued);
1239 if (status == DESTROY_ME)
1240 {
1241 return status;
1242 }
1243 }
1244
1245 return initiate(this);
1246 }
1247
1248 static status_t handle_fragment(private_task_manager_t *this, message_t *msg)
1249 {
1250 fragment_payload_t *payload;
1251 enumerator_t *enumerator;
1252 fragment_t *fragment;
1253 status_t status = SUCCESS;
1254 chunk_t data;
1255 u_int8_t num;
1256
1257 payload = (fragment_payload_t*)msg->get_payload(msg, PLV1_FRAGMENT);
1258 if (!payload)
1259 {
1260 return FAILED;
1261 }
1262
1263 if (!this->frag.list || this->frag.id != payload->get_id(payload))
1264 {
1265 clear_fragments(this, payload->get_id(payload));
1266 this->frag.list = linked_list_create();
1267 }
1268
1269 num = payload->get_number(payload);
1270 if (!this->frag.last && payload->is_last(payload))
1271 {
1272 this->frag.last = num;
1273 }
1274
1275 enumerator = this->frag.list->create_enumerator(this->frag.list);
1276 while (enumerator->enumerate(enumerator, &fragment))
1277 {
1278 if (fragment->num == num)
1279 { /* ignore a duplicate fragment */
1280 DBG1(DBG_IKE, "received duplicate fragment #%hhu", num);
1281 enumerator->destroy(enumerator);
1282 return NEED_MORE;
1283 }
1284 if (fragment->num > num)
1285 {
1286 break;
1287 }
1288 }
1289
1290 data = payload->get_data(payload);
1291 this->frag.len += data.len;
1292 if (this->frag.len > this->frag.max_packet)
1293 {
1294 DBG1(DBG_IKE, "fragmented IKE message is too large");
1295 enumerator->destroy(enumerator);
1296 clear_fragments(this, 0);
1297 return FAILED;
1298 }
1299
1300 INIT(fragment,
1301 .num = num,
1302 .data = chunk_clone(data),
1303 );
1304
1305 this->frag.list->insert_before(this->frag.list, enumerator, fragment);
1306 enumerator->destroy(enumerator);
1307
1308 if (this->frag.list->get_count(this->frag.list) == this->frag.last)
1309 {
1310 message_t *message;
1311 packet_t *pkt;
1312 host_t *src, *dst;
1313 bio_writer_t *writer;
1314
1315 writer = bio_writer_create(this->frag.len);
1316 DBG1(DBG_IKE, "received fragment #%hhu, reassembling fragmented IKE "
1317 "message", num);
1318 enumerator = this->frag.list->create_enumerator(this->frag.list);
1319 while (enumerator->enumerate(enumerator, &fragment))
1320 {
1321 writer->write_data(writer, fragment->data);
1322 }
1323 enumerator->destroy(enumerator);
1324
1325 src = msg->get_source(msg);
1326 dst = msg->get_destination(msg);
1327 pkt = packet_create_from_data(src->clone(src), dst->clone(dst),
1328 writer->extract_buf(writer));
1329 writer->destroy(writer);
1330
1331 message = message_create_from_packet(pkt);
1332 if (message->parse_header(message) != SUCCESS)
1333 {
1334 DBG1(DBG_IKE, "failed to parse header of reassembled IKE message");
1335 message->destroy(message);
1336 status = FAILED;
1337 }
1338 else
1339 {
1340 lib->processor->queue_job(lib->processor,
1341 (job_t*)process_message_job_create(message));
1342 status = NEED_MORE;
1343
1344 }
1345 clear_fragments(this, 0);
1346 }
1347 else
1348 { /* there are some fragments missing */
1349 DBG1(DBG_IKE, "received fragment #%hhu, waiting for complete IKE "
1350 "message", num);
1351 status = NEED_MORE;
1352 }
1353 return status;
1354 }
1355
1356 /**
1357 * Parse the given message and verify that it is valid.
1358 */
1359 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1360 {
1361 status_t status;
1362
1363 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1364
1365 if (status != SUCCESS)
1366 {
1367 switch (status)
1368 {
1369 case NOT_SUPPORTED:
1370 DBG1(DBG_IKE, "unsupported exchange type");
1371 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
1372 break;
1373 case PARSE_ERROR:
1374 DBG1(DBG_IKE, "message parsing failed");
1375 send_notify(this, msg, PAYLOAD_MALFORMED);
1376 break;
1377 case VERIFY_ERROR:
1378 DBG1(DBG_IKE, "message verification failed");
1379 send_notify(this, msg, PAYLOAD_MALFORMED);
1380 break;
1381 case FAILED:
1382 DBG1(DBG_IKE, "integrity check failed");
1383 send_notify(this, msg, INVALID_HASH_INFORMATION);
1384 break;
1385 case INVALID_STATE:
1386 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1387 send_notify(this, msg, PAYLOAD_MALFORMED);
1388 default:
1389 break;
1390 }
1391 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
1392 exchange_type_names, msg->get_exchange_type(msg),
1393 msg->get_request(msg) ? "request" : "response",
1394 msg->get_message_id(msg));
1395
1396 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1397
1398 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1399 { /* invalid initiation attempt, close SA */
1400 return DESTROY_ME;
1401 }
1402 }
1403
1404 if (msg->get_first_payload_type(msg) == PLV1_FRAGMENT)
1405 {
1406 return handle_fragment(this, msg);
1407 }
1408 return status;
1409 }
1410
1411 METHOD(task_manager_t, process_message, status_t,
1412 private_task_manager_t *this, message_t *msg)
1413 {
1414 u_int32_t hash, mid, i;
1415 host_t *me, *other;
1416 status_t status;
1417
1418 /* TODO-IKEv1: update hosts more selectively */
1419 me = msg->get_destination(msg);
1420 other = msg->get_source(msg);
1421 mid = msg->get_message_id(msg);
1422 hash = chunk_hash(msg->get_packet_data(msg));
1423 for (i = 0; i < MAX_OLD_HASHES; i++)
1424 {
1425 if (this->initiating.old_hashes[i] == hash)
1426 {
1427 if (array_count(this->initiating.packets) &&
1428 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
1429 (msg->get_exchange_type(msg) == QUICK_MODE ||
1430 msg->get_exchange_type(msg) == AGGRESSIVE))
1431 {
1432 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1433 "resending last request", mid);
1434 send_packets(this, this->initiating.packets);
1435 return SUCCESS;
1436 }
1437 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
1438 "but next request already sent", mid);
1439 return SUCCESS;
1440 }
1441 }
1442
1443 if ((mid && mid == this->initiating.mid) ||
1444 (this->initiating.mid == 0 &&
1445 msg->get_exchange_type(msg) == this->initiating.type &&
1446 this->active_tasks->get_count(this->active_tasks)))
1447 {
1448 msg->set_request(msg, FALSE);
1449 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1450 status = parse_message(this, msg);
1451 if (status == NEED_MORE)
1452 {
1453 return SUCCESS;
1454 }
1455 if (status != SUCCESS)
1456 {
1457 return status;
1458 }
1459 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1460 time_monotonic(NULL));
1461 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1462 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1463 if (process_response(this, msg) != SUCCESS)
1464 {
1465 flush(this);
1466 return DESTROY_ME;
1467 }
1468 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
1469 MAX_OLD_HASHES] = hash;
1470 }
1471 else
1472 {
1473 if (hash == this->responding.hash)
1474 {
1475 if (array_count(this->responding.packets))
1476 {
1477 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1478 "retransmitting response", mid);
1479 send_packets(this, this->responding.packets);
1480 }
1481 else if (array_count(this->initiating.packets) &&
1482 this->initiating.type == INFORMATIONAL_V1)
1483 {
1484 DBG1(DBG_IKE, "received retransmit of DPD request, "
1485 "retransmitting response");
1486 send_packets(this, this->initiating.packets);
1487 }
1488 else
1489 {
1490 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
1491 "but no response to retransmit", mid);
1492 }
1493 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1494 return SUCCESS;
1495 }
1496
1497 /* reject Main/Aggressive Modes once established */
1498 if (msg->get_exchange_type(msg) == ID_PROT ||
1499 msg->get_exchange_type(msg) == AGGRESSIVE)
1500 {
1501 if (this->ike_sa->get_state(this->ike_sa) != IKE_CREATED &&
1502 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
1503 msg->get_first_payload_type(msg) != PLV1_FRAGMENT)
1504 {
1505 DBG1(DBG_IKE, "ignoring %N in established IKE_SA state",
1506 exchange_type_names, msg->get_exchange_type(msg));
1507 return FAILED;
1508 }
1509 }
1510
1511 if (msg->get_exchange_type(msg) == TRANSACTION &&
1512 this->active_tasks->get_count(this->active_tasks))
1513 { /* main mode not yet complete, queue XAuth/Mode config tasks */
1514 if (this->queued)
1515 {
1516 DBG1(DBG_IKE, "ignoring additional %N request, queue full",
1517 exchange_type_names, TRANSACTION);
1518 return SUCCESS;
1519 }
1520 this->queued = message_create_from_packet(msg->get_packet(msg));
1521 if (this->queued->parse_header(this->queued) != SUCCESS)
1522 {
1523 this->queued->destroy(this->queued);
1524 this->queued = NULL;
1525 return FAILED;
1526 }
1527 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1528 exchange_type_names, TRANSACTION);
1529 return SUCCESS;
1530 }
1531
1532 msg->set_request(msg, TRUE);
1533 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1534 status = parse_message(this, msg);
1535 if (status == NEED_MORE)
1536 {
1537 return SUCCESS;
1538 }
1539 if (status != SUCCESS)
1540 {
1541 return status;
1542 }
1543 /* if this IKE_SA is virgin, we check for a config */
1544 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1545 {
1546 ike_sa_id_t *ike_sa_id;
1547 ike_cfg_t *ike_cfg;
1548 job_t *job;
1549
1550 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1551 me, other, IKEV1);
1552 if (ike_cfg == NULL)
1553 {
1554 /* no config found for these hosts, destroy */
1555 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1556 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1557 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1558 return DESTROY_ME;
1559 }
1560 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1561 ike_cfg->destroy(ike_cfg);
1562 /* add a timeout if peer does not establish it completely */
1563 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1564 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1565 lib->scheduler->schedule_job(lib->scheduler, job,
1566 lib->settings->get_int(lib->settings,
1567 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1568 lib->ns));
1569 }
1570 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1571 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1572 if (process_request(this, msg) != SUCCESS)
1573 {
1574 flush(this);
1575 return DESTROY_ME;
1576 }
1577 this->responding.hash = hash;
1578 }
1579 return SUCCESS;
1580 }
1581
1582 /**
1583 * Check if a given task has been queued already
1584 */
1585 static bool has_queued(private_task_manager_t *this, task_type_t type)
1586 {
1587 enumerator_t *enumerator;
1588 bool found = FALSE;
1589 task_t *task;
1590
1591 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1592 while (enumerator->enumerate(enumerator, &task))
1593 {
1594 if (task->get_type(task) == type)
1595 {
1596 found = TRUE;
1597 break;
1598 }
1599 }
1600 enumerator->destroy(enumerator);
1601 return found;
1602 }
1603
1604 METHOD(task_manager_t, queue_task, void,
1605 private_task_manager_t *this, task_t *task)
1606 {
1607 task_type_t type = task->get_type(task);
1608
1609 switch (type)
1610 {
1611 case TASK_MODE_CONFIG:
1612 case TASK_XAUTH:
1613 if (has_queued(this, type))
1614 {
1615 task->destroy(task);
1616 return;
1617 }
1618 break;
1619 default:
1620 break;
1621 }
1622 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1623 this->queued_tasks->insert_last(this->queued_tasks, task);
1624 }
1625
1626 METHOD(task_manager_t, queue_ike, void,
1627 private_task_manager_t *this)
1628 {
1629 peer_cfg_t *peer_cfg;
1630
1631 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1632 {
1633 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1634 }
1635 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1636 {
1637 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1638 }
1639 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1640 if (peer_cfg->use_aggressive(peer_cfg))
1641 {
1642 if (!has_queued(this, TASK_AGGRESSIVE_MODE))
1643 {
1644 queue_task(this, (task_t*)aggressive_mode_create(this->ike_sa, TRUE));
1645 }
1646 this->frag.exchange = AGGRESSIVE;
1647 }
1648 else
1649 {
1650 if (!has_queued(this, TASK_MAIN_MODE))
1651 {
1652 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1653 }
1654 }
1655 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1656 {
1657 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1658 }
1659 if (!has_queued(this, TASK_ISAKMP_NATD))
1660 {
1661 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1662 }
1663 }
1664
1665 METHOD(task_manager_t, queue_ike_reauth, void,
1666 private_task_manager_t *this)
1667 {
1668 enumerator_t *enumerator;
1669 child_sa_t *child_sa;
1670 ike_sa_t *new;
1671 host_t *host;
1672
1673 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1674 this->ike_sa->get_version(this->ike_sa), TRUE);
1675 if (!new)
1676 { /* shouldn't happen */
1677 return;
1678 }
1679
1680 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1681 host = this->ike_sa->get_other_host(this->ike_sa);
1682 new->set_other_host(new, host->clone(host));
1683 host = this->ike_sa->get_my_host(this->ike_sa);
1684 new->set_my_host(new, host->clone(host));
1685 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1686 while (enumerator->enumerate(enumerator, &host))
1687 {
1688 new->add_virtual_ip(new, TRUE, host);
1689 }
1690 enumerator->destroy(enumerator);
1691
1692 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1693 while (enumerator->enumerate(enumerator, &child_sa))
1694 {
1695 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1696 new->add_child_sa(new, child_sa);
1697 }
1698 enumerator->destroy(enumerator);
1699
1700 if (!new->get_child_count(new))
1701 { /* check if a Quick Mode task is queued (UNITY_LOAD_BALANCE case) */
1702 task_t *task;
1703
1704 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1705 while (enumerator->enumerate(enumerator, &task))
1706 {
1707 if (task->get_type(task) == TASK_QUICK_MODE)
1708 {
1709 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
1710 task->migrate(task, new);
1711 new->queue_task(new, task);
1712 }
1713 }
1714 enumerator->destroy(enumerator);
1715 }
1716
1717 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1718 {
1719 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1720 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1721 }
1722 else
1723 {
1724 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1725 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1726 }
1727 charon->bus->set_sa(charon->bus, this->ike_sa);
1728 }
1729
1730 METHOD(task_manager_t, queue_ike_rekey, void,
1731 private_task_manager_t *this)
1732 {
1733 queue_ike_reauth(this);
1734 }
1735
1736 METHOD(task_manager_t, queue_ike_delete, void,
1737 private_task_manager_t *this)
1738 {
1739 enumerator_t *enumerator;
1740 child_sa_t *child_sa;
1741
1742 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1743 while (enumerator->enumerate(enumerator, &child_sa))
1744 {
1745 queue_task(this, (task_t*)
1746 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1747 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1748 }
1749 enumerator->destroy(enumerator);
1750
1751 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1752 }
1753
1754 METHOD(task_manager_t, queue_mobike, void,
1755 private_task_manager_t *this, bool roam, bool address)
1756 {
1757 /* Not supported in IKEv1 */
1758 }
1759
1760 METHOD(task_manager_t, queue_child, void,
1761 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1762 traffic_selector_t *tsi, traffic_selector_t *tsr)
1763 {
1764 quick_mode_t *task;
1765
1766 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1767 task->use_reqid(task, reqid);
1768
1769 queue_task(this, &task->task);
1770 }
1771
1772 /**
1773 * Check if two CHILD_SAs have the same traffic selector
1774 */
1775 static bool have_equal_ts(child_sa_t *child1, child_sa_t *child2, bool local)
1776 {
1777 enumerator_t *e1, *e2;
1778 traffic_selector_t *ts1, *ts2;
1779 bool equal = FALSE;
1780
1781 e1 = child1->create_ts_enumerator(child1, local);
1782 e2 = child2->create_ts_enumerator(child2, local);
1783 if (e1->enumerate(e1, &ts1) && e2->enumerate(e2, &ts2))
1784 {
1785 equal = ts1->equals(ts1, ts2);
1786 }
1787 e2->destroy(e2);
1788 e1->destroy(e1);
1789
1790 return equal;
1791 }
1792
1793 /**
1794 * Check if a CHILD_SA is redundant and we should delete instead of rekey
1795 */
1796 static bool is_redundant(private_task_manager_t *this, child_sa_t *child_sa)
1797 {
1798 enumerator_t *enumerator;
1799 child_sa_t *current;
1800 bool redundant = FALSE;
1801
1802 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1803 while (enumerator->enumerate(enumerator, &current))
1804 {
1805 if (current->get_state(current) == CHILD_INSTALLED &&
1806 streq(current->get_name(current), child_sa->get_name(child_sa)) &&
1807 have_equal_ts(current, child_sa, TRUE) &&
1808 have_equal_ts(current, child_sa, FALSE) &&
1809 current->get_lifetime(current, FALSE) >
1810 child_sa->get_lifetime(child_sa, FALSE))
1811 {
1812 DBG1(DBG_IKE, "deleting redundant CHILD_SA %s{%d}",
1813 child_sa->get_name(child_sa), child_sa->get_reqid(child_sa));
1814 redundant = TRUE;
1815 break;
1816 }
1817 }
1818 enumerator->destroy(enumerator);
1819
1820 return redundant;
1821 }
1822
1823 /**
1824 * Get the first traffic selector of a CHILD_SA, local or remote
1825 */
1826 static traffic_selector_t* get_first_ts(child_sa_t *child_sa, bool local)
1827 {
1828 traffic_selector_t *ts = NULL;
1829 enumerator_t *enumerator;
1830
1831 enumerator = child_sa->create_ts_enumerator(child_sa, local);
1832 enumerator->enumerate(enumerator, &ts);
1833 enumerator->destroy(enumerator);
1834
1835 return ts;
1836 }
1837
1838 METHOD(task_manager_t, queue_child_rekey, void,
1839 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1840 {
1841 child_sa_t *child_sa;
1842 child_cfg_t *cfg;
1843 quick_mode_t *task;
1844
1845 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1846 if (!child_sa)
1847 {
1848 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1849 }
1850 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1851 {
1852 if (is_redundant(this, child_sa))
1853 {
1854 queue_task(this, (task_t*)quick_delete_create(this->ike_sa,
1855 protocol, spi, FALSE, FALSE));
1856 }
1857 else
1858 {
1859 child_sa->set_state(child_sa, CHILD_REKEYING);
1860 cfg = child_sa->get_config(child_sa);
1861 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg),
1862 get_first_ts(child_sa, TRUE), get_first_ts(child_sa, FALSE));
1863 task->use_reqid(task, child_sa->get_reqid(child_sa));
1864 task->rekey(task, child_sa->get_spi(child_sa, TRUE));
1865
1866 queue_task(this, &task->task);
1867 }
1868 }
1869 }
1870
1871 METHOD(task_manager_t, queue_child_delete, void,
1872 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1873 bool expired)
1874 {
1875 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1876 spi, FALSE, expired));
1877 }
1878
1879 METHOD(task_manager_t, queue_dpd, void,
1880 private_task_manager_t *this)
1881 {
1882 peer_cfg_t *peer_cfg;
1883 u_int32_t t, retransmit;
1884
1885 queue_task(this, (task_t*)isakmp_dpd_create(this->ike_sa, DPD_R_U_THERE,
1886 this->dpd_send++));
1887 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1888
1889 /* compute timeout in milliseconds */
1890 t = 1000 * peer_cfg->get_dpd_timeout(peer_cfg);
1891 if (t == 0)
1892 {
1893 /* use the same timeout as a retransmitting IKE message would have */
1894 for (retransmit = 0; retransmit <= this->retransmit_tries; retransmit++)
1895 {
1896 t += (u_int32_t)(this->retransmit_timeout * 1000.0 *
1897 pow(this->retransmit_base, retransmit));
1898 }
1899 }
1900
1901 /* schedule DPD timeout job */
1902 lib->scheduler->schedule_job_ms(lib->scheduler,
1903 (job_t*)dpd_timeout_job_create(this->ike_sa->get_id(this->ike_sa)), t);
1904 }
1905
1906 METHOD(task_manager_t, adopt_tasks, void,
1907 private_task_manager_t *this, task_manager_t *other_public)
1908 {
1909 private_task_manager_t *other = (private_task_manager_t*)other_public;
1910 task_t *task;
1911
1912 /* move queued tasks from other to this */
1913 while (other->queued_tasks->remove_last(other->queued_tasks,
1914 (void**)&task) == SUCCESS)
1915 {
1916 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1917 task->migrate(task, this->ike_sa);
1918 this->queued_tasks->insert_first(this->queued_tasks, task);
1919 }
1920 }
1921
1922 /**
1923 * Migrates child-creating tasks from src to dst
1924 */
1925 static void migrate_child_tasks(private_task_manager_t *this,
1926 linked_list_t *src, linked_list_t *dst)
1927 {
1928 enumerator_t *enumerator;
1929 task_t *task;
1930
1931 enumerator = src->create_enumerator(src);
1932 while (enumerator->enumerate(enumerator, &task))
1933 {
1934 if (task->get_type(task) == TASK_QUICK_MODE)
1935 {
1936 src->remove_at(src, enumerator);
1937 task->migrate(task, this->ike_sa);
1938 dst->insert_last(dst, task);
1939 }
1940 }
1941 enumerator->destroy(enumerator);
1942 }
1943
1944 METHOD(task_manager_t, adopt_child_tasks, void,
1945 private_task_manager_t *this, task_manager_t *other_public)
1946 {
1947 private_task_manager_t *other = (private_task_manager_t*)other_public;
1948
1949 /* move active child tasks from other to this */
1950 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1951 /* do the same for queued tasks */
1952 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1953 }
1954
1955 METHOD(task_manager_t, busy, bool,
1956 private_task_manager_t *this)
1957 {
1958 return (this->active_tasks->get_count(this->active_tasks) > 0);
1959 }
1960
1961 METHOD(task_manager_t, incr_mid, void,
1962 private_task_manager_t *this, bool initiate)
1963 {
1964 }
1965
1966 METHOD(task_manager_t, reset, void,
1967 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1968 {
1969 enumerator_t *enumerator;
1970 task_t *task;
1971
1972 /* reset message counters and retransmit packets */
1973 clear_packets(this->responding.packets);
1974 clear_packets(this->initiating.packets);
1975 this->responding.seqnr = RESPONDING_SEQ;
1976 this->responding.retransmitted = 0;
1977 this->initiating.mid = 0;
1978 this->initiating.seqnr = 0;
1979 this->initiating.retransmitted = 0;
1980 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1981 clear_fragments(this, 0);
1982 if (initiate != UINT_MAX)
1983 {
1984 this->dpd_send = initiate;
1985 }
1986 if (respond != UINT_MAX)
1987 {
1988 this->dpd_recv = respond;
1989 }
1990
1991 /* reset queued tasks */
1992 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1993 while (enumerator->enumerate(enumerator, &task))
1994 {
1995 task->migrate(task, this->ike_sa);
1996 }
1997 enumerator->destroy(enumerator);
1998
1999 /* reset active tasks */
2000 while (this->active_tasks->remove_last(this->active_tasks,
2001 (void**)&task) == SUCCESS)
2002 {
2003 task->migrate(task, this->ike_sa);
2004 this->queued_tasks->insert_first(this->queued_tasks, task);
2005 }
2006 }
2007
2008 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2009 private_task_manager_t *this, task_queue_t queue)
2010 {
2011 switch (queue)
2012 {
2013 case TASK_QUEUE_ACTIVE:
2014 return this->active_tasks->create_enumerator(this->active_tasks);
2015 case TASK_QUEUE_PASSIVE:
2016 return this->passive_tasks->create_enumerator(this->passive_tasks);
2017 case TASK_QUEUE_QUEUED:
2018 return this->queued_tasks->create_enumerator(this->queued_tasks);
2019 default:
2020 return enumerator_create_empty();
2021 }
2022 }
2023
2024 METHOD(task_manager_t, destroy, void,
2025 private_task_manager_t *this)
2026 {
2027 flush(this);
2028
2029 this->active_tasks->destroy(this->active_tasks);
2030 this->queued_tasks->destroy(this->queued_tasks);
2031 this->passive_tasks->destroy(this->passive_tasks);
2032 clear_fragments(this, 0);
2033
2034 DESTROY_IF(this->queued);
2035 clear_packets(this->responding.packets);
2036 array_destroy(this->responding.packets);
2037 clear_packets(this->initiating.packets);
2038 array_destroy(this->initiating.packets);
2039 DESTROY_IF(this->rng);
2040 free(this);
2041 }
2042
2043 /*
2044 * see header file
2045 */
2046 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
2047 {
2048 private_task_manager_t *this;
2049
2050 INIT(this,
2051 .public = {
2052 .task_manager = {
2053 .process_message = _process_message,
2054 .queue_task = _queue_task,
2055 .queue_ike = _queue_ike,
2056 .queue_ike_rekey = _queue_ike_rekey,
2057 .queue_ike_reauth = _queue_ike_reauth,
2058 .queue_ike_delete = _queue_ike_delete,
2059 .queue_mobike = _queue_mobike,
2060 .queue_child = _queue_child,
2061 .queue_child_rekey = _queue_child_rekey,
2062 .queue_child_delete = _queue_child_delete,
2063 .queue_dpd = _queue_dpd,
2064 .initiate = _initiate,
2065 .retransmit = _retransmit,
2066 .incr_mid = _incr_mid,
2067 .reset = _reset,
2068 .adopt_tasks = _adopt_tasks,
2069 .adopt_child_tasks = _adopt_child_tasks,
2070 .busy = _busy,
2071 .create_task_enumerator = _create_task_enumerator,
2072 .flush = _flush,
2073 .flush_queue = _flush_queue,
2074 .destroy = _destroy,
2075 },
2076 },
2077 .initiating = {
2078 .type = EXCHANGE_TYPE_UNDEFINED,
2079 },
2080 .responding = {
2081 .seqnr = RESPONDING_SEQ,
2082 },
2083 .frag = {
2084 .exchange = ID_PROT,
2085 .max_packet = lib->settings->get_int(lib->settings,
2086 "%s.max_packet", MAX_PACKET, lib->ns),
2087 .size = lib->settings->get_int(lib->settings,
2088 "%s.fragment_size", 0, lib->ns),
2089 },
2090 .ike_sa = ike_sa,
2091 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
2092 .queued_tasks = linked_list_create(),
2093 .active_tasks = linked_list_create(),
2094 .passive_tasks = linked_list_create(),
2095 .retransmit_tries = lib->settings->get_int(lib->settings,
2096 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2097 .retransmit_timeout = lib->settings->get_double(lib->settings,
2098 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2099 .retransmit_base = lib->settings->get_double(lib->settings,
2100 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2101 );
2102
2103 if (!this->rng)
2104 {
2105 DBG1(DBG_IKE, "no RNG found, unable to create IKE_SA");
2106 destroy(this);
2107 return NULL;
2108 }
2109 if (!this->rng->get_bytes(this->rng, sizeof(this->dpd_send),
2110 (void*)&this->dpd_send))
2111 {
2112 DBG1(DBG_IKE, "failed to allocate message ID, unable to create IKE_SA");
2113 destroy(this);
2114 return NULL;
2115 }
2116 this->dpd_send &= 0x7FFFFFFF;
2117
2118 return &this->public;
2119 }