Set ISAKMP SA state to rekeying after triggering reauthentication
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2011 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/quick_mode.h>
24 #include <sa/ikev1/tasks/quick_delete.h>
25 #include <sa/ikev1/tasks/xauth.h>
26 #include <sa/ikev1/tasks/mode_config.h>
27 #include <sa/ikev1/tasks/informational.h>
28 #include <sa/ikev1/tasks/isakmp_natd.h>
29 #include <sa/ikev1/tasks/isakmp_vendor.h>
30 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
31 #include <sa/ikev1/tasks/isakmp_cert_post.h>
32 #include <sa/ikev1/tasks/isakmp_delete.h>
33 #include <processing/jobs/retransmit_job.h>
34 #include <processing/jobs/delete_ike_sa_job.h>
35
36 /**
37 * Number of old messages hashes we keep for retransmission.
38 *
39 * In Main Mode, we must ignore messages from a previous message pair if
40 * we already continued to the next. Otherwise a late retransmission
41 * could be considered as a reply to the newer request.
42 */
43 #define MAX_OLD_HASHES 2
44
45 /**
46 * First sequence number of responding packets.
47 *
48 * To distinguish retransmission jobs for initiating and responding packets,
49 * we split up the sequence counter and use the upper half for responding.
50 */
51 #define RESPONDING_SEQ INT_MAX
52
53 typedef struct exchange_t exchange_t;
54
55 /**
56 * An exchange in the air, used do detect and handle retransmission
57 */
58 struct exchange_t {
59
60 /**
61 * Message ID used for this transaction
62 */
63 u_int32_t mid;
64
65 /**
66 * generated packet for retransmission
67 */
68 packet_t *packet;
69 };
70
71 typedef struct private_task_manager_t private_task_manager_t;
72
73 /**
74 * private data of the task manager
75 */
76 struct private_task_manager_t {
77
78 /**
79 * public functions
80 */
81 task_manager_v1_t public;
82
83 /**
84 * associated IKE_SA we are serving
85 */
86 ike_sa_t *ike_sa;
87
88 /**
89 * RNG to create message IDs
90 */
91 rng_t *rng;
92
93 /**
94 * Exchange we are currently handling as responder
95 */
96 struct {
97 /**
98 * Message ID of the last response
99 */
100 u_int32_t mid;
101
102 /**
103 * Hash of a previously received message
104 */
105 u_int32_t hash;
106
107 /**
108 * packet for retransmission
109 */
110 packet_t *packet;
111
112 /**
113 * Sequence number of the last sent message
114 */
115 u_int32_t seqnr;
116
117 /**
118 * how many times we have retransmitted so far
119 */
120 u_int retransmitted;
121
122 } responding;
123
124 /**
125 * Exchange we are currently handling as initiator
126 */
127 struct {
128 /**
129 * Message ID of the exchange
130 */
131 u_int32_t mid;
132
133 /**
134 * Hashes of old responses we can ignore
135 */
136 u_int32_t old_hashes[MAX_OLD_HASHES];
137
138 /**
139 * Position in old hash array
140 */
141 int old_hash_pos;
142
143 /**
144 * Sequence number of the last sent message
145 */
146 u_int32_t seqnr;
147
148 /**
149 * how many times we have retransmitted so far
150 */
151 u_int retransmitted;
152
153 /**
154 * packet for retransmission
155 */
156 packet_t *packet;
157
158 /**
159 * type of the initated exchange
160 */
161 exchange_type_t type;
162
163 } initiating;
164
165 /**
166 * List of queued tasks not yet in action
167 */
168 linked_list_t *queued_tasks;
169
170 /**
171 * List of active tasks, initiated by ourselve
172 */
173 linked_list_t *active_tasks;
174
175 /**
176 * List of tasks initiated by peer
177 */
178 linked_list_t *passive_tasks;
179
180 /**
181 * Queued messages not yet ready to process
182 */
183 message_t *queued;
184
185 /**
186 * Number of times we retransmit messages before giving up
187 */
188 u_int retransmit_tries;
189
190 /**
191 * Retransmission timeout
192 */
193 double retransmit_timeout;
194
195 /**
196 * Base to calculate retransmission timeout
197 */
198 double retransmit_base;
199 };
200
201 /**
202 * Flush a single task queue
203 */
204 static void flush_queue(private_task_manager_t *this, linked_list_t *list)
205 {
206 task_t *task;
207
208 if (this->queued)
209 {
210 this->queued->destroy(this->queued);
211 this->queued = NULL;
212 }
213 while (list->remove_last(list, (void**)&task) == SUCCESS)
214 {
215 task->destroy(task);
216 }
217 }
218
219 /**
220 * flush all tasks in the task manager
221 */
222 static void flush(private_task_manager_t *this)
223 {
224 flush_queue(this, this->queued_tasks);
225 flush_queue(this, this->passive_tasks);
226 flush_queue(this, this->active_tasks);
227 }
228
229 /**
230 * move a task of a specific type from the queue to the active list
231 */
232 static bool activate_task(private_task_manager_t *this, task_type_t type)
233 {
234 enumerator_t *enumerator;
235 task_t *task;
236 bool found = FALSE;
237
238 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
239 while (enumerator->enumerate(enumerator, (void**)&task))
240 {
241 if (task->get_type(task) == type)
242 {
243 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
244 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
245 this->active_tasks->insert_last(this->active_tasks, task);
246 found = TRUE;
247 break;
248 }
249 }
250 enumerator->destroy(enumerator);
251 return found;
252 }
253
254 /**
255 * Retransmit a packet, either as initiator or as responder
256 */
257 static status_t retransmit_packet(private_task_manager_t *this, u_int32_t seqnr,
258 u_int mid, u_int retransmitted, packet_t *packet)
259 {
260 u_int32_t t;
261
262 if (retransmitted > this->retransmit_tries)
263 {
264 DBG1(DBG_IKE, "giving up after %u retransmits", retransmitted - 1);
265 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
266 {
267 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
268 }
269 return DESTROY_ME;
270 }
271 t = (u_int32_t)(this->retransmit_timeout * 1000.0 *
272 pow(this->retransmit_base, retransmitted));
273 if (retransmitted)
274 {
275 DBG1(DBG_IKE, "sending retransmit %u of %s message ID %u, seq %u",
276 retransmitted, seqnr < RESPONDING_SEQ ? "request" : "response",
277 mid, seqnr < RESPONDING_SEQ ? seqnr : seqnr - RESPONDING_SEQ);
278 }
279 charon->sender->send(charon->sender, packet->clone(packet));
280 lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
281 retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
282 return NEED_MORE;
283 }
284
285 METHOD(task_manager_t, retransmit, status_t,
286 private_task_manager_t *this, u_int32_t seqnr)
287 {
288 status_t status = SUCCESS;
289
290 if (seqnr == this->initiating.seqnr && this->initiating.packet)
291 {
292 status = retransmit_packet(this, seqnr, this->initiating.mid,
293 this->initiating.retransmitted, this->initiating.packet);
294 if (status == NEED_MORE)
295 {
296 this->initiating.retransmitted++;
297 status = SUCCESS;
298 }
299 }
300 if (seqnr == this->responding.seqnr && this->responding.packet)
301 {
302 status = retransmit_packet(this, seqnr, this->responding.mid,
303 this->responding.retransmitted, this->responding.packet);
304 if (status == NEED_MORE)
305 {
306 this->responding.retransmitted++;
307 status = SUCCESS;
308 }
309 }
310 return status;
311 }
312
313 METHOD(task_manager_t, initiate, status_t,
314 private_task_manager_t *this)
315 {
316 enumerator_t *enumerator;
317 task_t *task;
318 message_t *message;
319 host_t *me, *other;
320 status_t status;
321 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
322 bool new_mid = FALSE, expect_response = FALSE, flushed = FALSE;
323
324 if (!this->rng)
325 {
326 DBG1(DBG_IKE, "no RNG supported");
327 return FAILED;
328 }
329
330 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
331 {
332 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
333 exchange_type_names, this->initiating.type);
334 /* do not initiate if we already have a message in the air */
335 return SUCCESS;
336 }
337
338 if (this->active_tasks->get_count(this->active_tasks) == 0)
339 {
340 DBG2(DBG_IKE, "activating new tasks");
341 switch (this->ike_sa->get_state(this->ike_sa))
342 {
343 case IKE_CREATED:
344 activate_task(this, TASK_ISAKMP_VENDOR);
345 activate_task(this, TASK_ISAKMP_CERT_PRE);
346 if (activate_task(this, TASK_MAIN_MODE))
347 {
348 exchange = ID_PROT;
349 activate_task(this, TASK_ISAKMP_CERT_POST);
350 activate_task(this, TASK_ISAKMP_NATD);
351 }
352 break;
353 case IKE_CONNECTING:
354 if (activate_task(this, TASK_ISAKMP_DELETE))
355 {
356 exchange = INFORMATIONAL_V1;
357 new_mid = TRUE;
358 break;
359 }
360 if (activate_task(this, TASK_XAUTH))
361 {
362 exchange = TRANSACTION;
363 new_mid = TRUE;
364 break;
365 }
366 if (activate_task(this, TASK_INFORMATIONAL))
367 {
368 exchange = INFORMATIONAL_V1;
369 new_mid = TRUE;
370 break;
371 }
372 break;
373 case IKE_ESTABLISHED:
374 if (activate_task(this, TASK_MODE_CONFIG))
375 {
376 exchange = TRANSACTION;
377 new_mid = TRUE;
378 break;
379 }
380 if (activate_task(this, TASK_QUICK_MODE))
381 {
382 exchange = QUICK_MODE;
383 new_mid = TRUE;
384 break;
385 }
386 if (activate_task(this, TASK_INFORMATIONAL))
387 {
388 exchange = INFORMATIONAL_V1;
389 new_mid = TRUE;
390 break;
391 }
392 if (activate_task(this, TASK_QUICK_DELETE))
393 {
394 exchange = INFORMATIONAL_V1;
395 new_mid = TRUE;
396 break;
397 }
398 if (activate_task(this, TASK_ISAKMP_DELETE))
399 {
400 exchange = INFORMATIONAL_V1;
401 new_mid = TRUE;
402 break;
403 }
404 break;
405 default:
406 break;
407 }
408 }
409 else
410 {
411 DBG2(DBG_IKE, "reinitiating already active tasks");
412 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
413 while (enumerator->enumerate(enumerator, (void**)&task))
414 {
415 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
416 switch (task->get_type(task))
417 {
418 case TASK_MAIN_MODE:
419 exchange = ID_PROT;
420 break;
421 case TASK_QUICK_MODE:
422 exchange = QUICK_MODE;
423 break;
424 case TASK_XAUTH:
425 exchange = TRANSACTION;
426 new_mid = TRUE;
427 break;
428 default:
429 continue;
430 }
431 break;
432 }
433 enumerator->destroy(enumerator);
434 }
435
436 if (exchange == EXCHANGE_TYPE_UNDEFINED)
437 {
438 DBG2(DBG_IKE, "nothing to initiate");
439 /* nothing to do yet... */
440 return SUCCESS;
441 }
442
443 me = this->ike_sa->get_my_host(this->ike_sa);
444 other = this->ike_sa->get_other_host(this->ike_sa);
445
446 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
447 if (new_mid)
448 {
449 this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
450 (void*)&this->initiating.mid);
451 }
452 message->set_message_id(message, this->initiating.mid);
453 message->set_source(message, me->clone(me));
454 message->set_destination(message, other->clone(other));
455 message->set_exchange_type(message, exchange);
456 this->initiating.type = exchange;
457 this->initiating.retransmitted = 0;
458
459 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
460 while (enumerator->enumerate(enumerator, (void*)&task))
461 {
462 switch (task->build(task, message))
463 {
464 case SUCCESS:
465 /* task completed, remove it */
466 this->active_tasks->remove_at(this->active_tasks, enumerator);
467 task->destroy(task);
468 continue;
469 case NEED_MORE:
470 expect_response = TRUE;
471 /* processed, but task needs another exchange */
472 continue;
473 case ALREADY_DONE:
474 flush_queue(this, this->active_tasks);
475 flushed = TRUE;
476 break;
477 case FAILED:
478 default:
479 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
480 {
481 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
482 }
483 /* FALL */
484 case DESTROY_ME:
485 /* critical failure, destroy IKE_SA */
486 enumerator->destroy(enumerator);
487 message->destroy(message);
488 flush(this);
489 return DESTROY_ME;
490 }
491 break;
492 }
493 enumerator->destroy(enumerator);
494
495 if (this->active_tasks->get_count(this->active_tasks) == 0)
496 { /* tasks completed, no exchange active anymore */
497 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
498 }
499 if (flushed)
500 {
501 message->destroy(message);
502 return initiate(this);
503 }
504
505 DESTROY_IF(this->initiating.packet);
506 status = this->ike_sa->generate_message(this->ike_sa, message,
507 &this->initiating.packet);
508 if (status != SUCCESS)
509 {
510 /* message generation failed. There is nothing more to do than to
511 * close the SA */
512 message->destroy(message);
513 flush(this);
514 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
515 return DESTROY_ME;
516 }
517
518 this->initiating.seqnr++;
519 if (expect_response)
520 {
521 message->destroy(message);
522 return retransmit(this, this->initiating.seqnr);
523 }
524 if (message->get_exchange_type(message) == QUICK_MODE)
525 { /* keep the packet for retransmission in quick mode. The responder
526 * might request a retransmission */
527 charon->sender->send(charon->sender,
528 this->initiating.packet->clone(this->initiating.packet));
529 }
530 else
531 {
532 charon->sender->send(charon->sender, this->initiating.packet);
533 this->initiating.packet = NULL;
534 }
535 message->destroy(message);
536
537 if (exchange == INFORMATIONAL_V1)
538 {
539 switch (this->ike_sa->get_state(this->ike_sa))
540 {
541 case IKE_CONNECTING:
542 /* close after sending an INFORMATIONAL when unestablished */
543 return FAILED;
544 case IKE_DELETING:
545 /* close after sending a DELETE */
546 return DESTROY_ME;
547 default:
548 break;
549 }
550 }
551 return initiate(this);
552 }
553
554 /**
555 * build a response depending on the "passive" task list
556 */
557 static status_t build_response(private_task_manager_t *this, message_t *request)
558 {
559 enumerator_t *enumerator;
560 task_t *task;
561 message_t *message;
562 host_t *me, *other;
563 bool delete = FALSE, flushed = FALSE, expect_request = FALSE;
564 status_t status;
565
566 me = request->get_destination(request);
567 other = request->get_source(request);
568
569 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
570 message->set_exchange_type(message, request->get_exchange_type(request));
571 /* send response along the path the request came in */
572 message->set_source(message, me->clone(me));
573 message->set_destination(message, other->clone(other));
574 message->set_message_id(message, request->get_message_id(request));
575 message->set_request(message, FALSE);
576
577 this->responding.mid = request->get_message_id(request);
578 this->responding.retransmitted = 0;
579 this->responding.seqnr++;
580
581 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
582 while (enumerator->enumerate(enumerator, (void*)&task))
583 {
584 switch (task->build(task, message))
585 {
586 case SUCCESS:
587 /* task completed, remove it */
588 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
589 task->destroy(task);
590 continue;
591 case NEED_MORE:
592 /* processed, but task needs another exchange */
593 if (task->get_type(task) == TASK_QUICK_MODE)
594 { /* we rely on initiator retransmission, except for
595 * three-message exchanges */
596 expect_request = TRUE;
597 }
598 continue;
599 case ALREADY_DONE:
600 flush_queue(this, this->passive_tasks);
601 flushed = TRUE;
602 break;
603 case FAILED:
604 default:
605 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
606 /* FALL */
607 case DESTROY_ME:
608 /* destroy IKE_SA, but SEND response first */
609 delete = TRUE;
610 break;
611 }
612 break;
613 }
614 enumerator->destroy(enumerator);
615
616 DESTROY_IF(this->responding.packet);
617 this->responding.packet = NULL;
618 if (flushed)
619 {
620 message->destroy(message);
621 return initiate(this);
622 }
623 status = this->ike_sa->generate_message(this->ike_sa, message,
624 &this->responding.packet);
625 message->destroy(message);
626 if (status != SUCCESS)
627 {
628 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
629 return DESTROY_ME;
630 }
631
632 if (expect_request && !delete)
633 {
634 return retransmit(this, this->responding.seqnr);
635 }
636 charon->sender->send(charon->sender,
637 this->responding.packet->clone(this->responding.packet));
638 if (delete)
639 {
640 return DESTROY_ME;
641 }
642 return SUCCESS;
643 }
644
645 /**
646 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
647 * The notify protocol_id is set to ISAKMP
648 */
649 static void send_notify(private_task_manager_t *this, message_t *request,
650 notify_type_t type)
651 {
652 message_t *response;
653 packet_t *packet;
654 host_t *me, *other;
655 u_int32_t mid;
656
657 if (request && request->get_exchange_type(request) == INFORMATIONAL_V1)
658 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
659 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
660 return;
661 }
662
663 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
664 response->set_exchange_type(response, INFORMATIONAL_V1);
665 response->set_request(response, TRUE);
666 this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid);
667 response->set_message_id(response, mid);
668 response->add_payload(response, (payload_t*)
669 notify_payload_create_from_protocol_and_type(NOTIFY_V1,
670 PROTO_IKE, type));
671
672 me = this->ike_sa->get_my_host(this->ike_sa);
673 if (me->is_anyaddr(me))
674 {
675 me = request->get_destination(request);
676 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
677 }
678 other = this->ike_sa->get_other_host(this->ike_sa);
679 if (other->is_anyaddr(other))
680 {
681 other = request->get_source(request);
682 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
683 }
684 response->set_source(response, me->clone(me));
685 response->set_destination(response, other->clone(other));
686 if (this->ike_sa->generate_message(this->ike_sa, response,
687 &packet) == SUCCESS)
688 {
689 charon->sender->send(charon->sender, packet);
690 }
691 response->destroy(response);
692 }
693
694 /**
695 * handle an incoming request message
696 */
697 static status_t process_request(private_task_manager_t *this,
698 message_t *message)
699 {
700 enumerator_t *enumerator;
701 task_t *task = NULL;
702 bool send_response = FALSE;
703
704 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
705 this->passive_tasks->get_count(this->passive_tasks) == 0)
706 { /* create tasks depending on request type, if not already some queued */
707 switch (message->get_exchange_type(message))
708 {
709 case ID_PROT:
710 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
711 this->passive_tasks->insert_last(this->passive_tasks, task);
712 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
713 this->passive_tasks->insert_last(this->passive_tasks, task);
714 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
715 this->passive_tasks->insert_last(this->passive_tasks, task);
716 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
717 this->passive_tasks->insert_last(this->passive_tasks, task);
718 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
719 this->passive_tasks->insert_last(this->passive_tasks, task);
720 break;
721 case AGGRESSIVE:
722 /* TODO-IKEv1: agressive mode */
723 return FAILED;
724 case QUICK_MODE:
725 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
726 {
727 DBG1(DBG_IKE, "received quick mode request for "
728 "unestablished IKE_SA, ignored");
729 return FAILED;
730 }
731 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
732 NULL, NULL);
733 this->passive_tasks->insert_last(this->passive_tasks, task);
734 break;
735 case INFORMATIONAL_V1:
736 task = (task_t *)informational_create(this->ike_sa, NULL);
737 this->passive_tasks->insert_first(this->passive_tasks, task);
738 break;
739 case TRANSACTION:
740 if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
741 {
742 task = (task_t *)mode_config_create(this->ike_sa, FALSE);
743 }
744 else
745 {
746 task = (task_t *)xauth_create(this->ike_sa, FALSE);
747 }
748 this->passive_tasks->insert_last(this->passive_tasks, task);
749 break;
750 default:
751 return FAILED;
752 }
753 }
754 /* let the tasks process the message */
755 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
756 while (enumerator->enumerate(enumerator, (void*)&task))
757 {
758 switch (task->process(task, message))
759 {
760 case SUCCESS:
761 /* task completed, remove it */
762 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
763 task->destroy(task);
764 continue;
765 case NEED_MORE:
766 /* processed, but task needs at least another call to build() */
767 send_response = TRUE;
768 continue;
769 case ALREADY_DONE:
770 send_response = FALSE;
771 flush_queue(this, this->passive_tasks);
772 break;
773 case FAILED:
774 default:
775 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
776 /* FALL */
777 case DESTROY_ME:
778 /* critical failure, destroy IKE_SA */
779 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
780 enumerator->destroy(enumerator);
781 task->destroy(task);
782 return DESTROY_ME;
783 }
784 break;
785 }
786 enumerator->destroy(enumerator);
787
788 if (send_response)
789 {
790 if (build_response(this, message) != SUCCESS)
791 {
792 return DESTROY_ME;
793 }
794 }
795 else
796 { /* We don't send a response, so don't retransmit one if we get
797 * the same message again. */
798 DESTROY_IF(this->responding.packet);
799 this->responding.packet = NULL;
800 }
801 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
802 this->queued_tasks->get_count(this->queued_tasks) > 0)
803 {
804 /* passive tasks completed, check if an active task has been queued,
805 * such as XAUTH or modeconfig push */
806 return initiate(this);
807 }
808 return SUCCESS;
809 }
810
811 /**
812 * handle an incoming response message
813 */
814 static status_t process_response(private_task_manager_t *this,
815 message_t *message)
816 {
817 enumerator_t *enumerator;
818 status_t status;
819 task_t *task;
820
821 if (message->get_exchange_type(message) != this->initiating.type)
822 {
823 DBG1(DBG_IKE, "received %N response, but expected %N",
824 exchange_type_names, message->get_exchange_type(message),
825 exchange_type_names, this->initiating.type);
826 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
827 return DESTROY_ME;
828 }
829
830 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
831 while (enumerator->enumerate(enumerator, (void*)&task))
832 {
833 switch (task->process(task, message))
834 {
835 case SUCCESS:
836 /* task completed, remove it */
837 this->active_tasks->remove_at(this->active_tasks, enumerator);
838 task->destroy(task);
839 continue;
840 case NEED_MORE:
841 /* processed, but task needs another exchange */
842 continue;
843 case ALREADY_DONE:
844 flush_queue(this, this->active_tasks);
845 break;
846 case FAILED:
847 default:
848 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
849 /* FALL */
850 case DESTROY_ME:
851 /* critical failure, destroy IKE_SA */
852 this->active_tasks->remove_at(this->active_tasks, enumerator);
853 enumerator->destroy(enumerator);
854 task->destroy(task);
855 return DESTROY_ME;
856 }
857 break;
858 }
859 enumerator->destroy(enumerator);
860
861 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
862 this->initiating.packet->destroy(this->initiating.packet);
863 this->initiating.packet = NULL;
864
865 if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
866 {
867 status = this->public.task_manager.process_message(
868 &this->public.task_manager, this->queued);
869 this->queued->destroy(this->queued);
870 this->queued = NULL;
871 if (status == DESTROY_ME)
872 {
873 return status;
874 }
875 }
876
877 return initiate(this);
878 }
879
880 /**
881 * Parse the given message and verify that it is valid.
882 */
883 static status_t parse_message(private_task_manager_t *this, message_t *msg)
884 {
885 status_t status;
886
887 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
888
889 if (status != SUCCESS)
890 {
891 switch (status)
892 {
893 case NOT_SUPPORTED:
894 DBG1(DBG_IKE, "unsupported exchange type");
895 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
896 break;
897 case PARSE_ERROR:
898 DBG1(DBG_IKE, "message parsing failed");
899 send_notify(this, msg, PAYLOAD_MALFORMED);
900 break;
901 case VERIFY_ERROR:
902 DBG1(DBG_IKE, "message verification failed");
903 send_notify(this, msg, PAYLOAD_MALFORMED);
904 break;
905 case FAILED:
906 DBG1(DBG_IKE, "integrity check failed");
907 send_notify(this, msg, INVALID_HASH_INFORMATION);
908 break;
909 case INVALID_STATE:
910 DBG1(DBG_IKE, "found encrypted message, but no keys available");
911 send_notify(this, msg, PAYLOAD_MALFORMED);
912 default:
913 break;
914 }
915 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
916 exchange_type_names, msg->get_exchange_type(msg),
917 msg->get_request(msg) ? "request" : "response",
918 msg->get_message_id(msg));
919
920 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
921 { /* invalid initiation attempt, close SA */
922 return DESTROY_ME;
923 }
924 }
925 return status;
926 }
927
928 METHOD(task_manager_t, process_message, status_t,
929 private_task_manager_t *this, message_t *msg)
930 {
931 u_int32_t hash, mid, i;
932 host_t *me, *other;
933 status_t status;
934
935 /* TODO-IKEv1: update hosts more selectively */
936 me = msg->get_destination(msg);
937 other = msg->get_source(msg);
938 mid = msg->get_message_id(msg);
939 hash = chunk_hash(msg->get_packet_data(msg));
940 for (i = 0; i < MAX_OLD_HASHES; i++)
941 {
942 if (this->initiating.old_hashes[i] == hash)
943 {
944 if (this->initiating.packet &&
945 i == (this->initiating.old_hash_pos % MAX_OLD_HASHES) &&
946 msg->get_exchange_type(msg) == QUICK_MODE)
947 {
948 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
949 "resending last request", mid);
950 charon->sender->send(charon->sender,
951 this->initiating.packet->clone(this->initiating.packet));
952 return SUCCESS;
953 }
954 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
955 "but next request already sent", mid);
956 return SUCCESS;
957 }
958 }
959
960 if ((mid && mid == this->initiating.mid) ||
961 (this->initiating.mid == 0 &&
962 msg->get_exchange_type(msg) == this->initiating.type &&
963 this->active_tasks->get_count(this->active_tasks)))
964 {
965 msg->set_request(msg, FALSE);
966 status = parse_message(this, msg);
967 if (status != SUCCESS)
968 {
969 return status;
970 }
971 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
972 time_monotonic(NULL));
973 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
974 charon->bus->message(charon->bus, msg, FALSE);
975 if (process_response(this, msg) != SUCCESS)
976 {
977 flush(this);
978 return DESTROY_ME;
979 }
980 this->initiating.old_hashes[(++this->initiating.old_hash_pos) %
981 MAX_OLD_HASHES] = hash;
982 }
983 else
984 {
985 if (hash == this->responding.hash)
986 {
987 if (this->responding.packet)
988 {
989 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
990 "retransmitting response", mid);
991 charon->sender->send(charon->sender,
992 this->responding.packet->clone(this->responding.packet));
993 }
994 else
995 {
996 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
997 "but no response to retransmit", mid);
998 }
999 return SUCCESS;
1000 }
1001 if (msg->get_exchange_type(msg) == TRANSACTION &&
1002 this->active_tasks->get_count(this->active_tasks))
1003 { /* main mode not yet complete, queue XAuth/Mode config tasks */
1004 if (this->queued)
1005 {
1006 DBG1(DBG_IKE, "ignoring additional %N request, queue full",
1007 exchange_type_names, TRANSACTION);
1008 return SUCCESS;
1009 }
1010 this->queued = message_create_from_packet(msg->get_packet(msg));
1011 if (this->queued->parse_header(this->queued) != SUCCESS)
1012 {
1013 this->queued->destroy(this->queued);
1014 this->queued = NULL;
1015 return FAILED;
1016 }
1017 DBG1(DBG_IKE, "queueing %N request as tasks still active",
1018 exchange_type_names, TRANSACTION);
1019 return SUCCESS;
1020 }
1021
1022 msg->set_request(msg, TRUE);
1023 status = parse_message(this, msg);
1024 if (status != SUCCESS)
1025 {
1026 return status;
1027 }
1028 /* if this IKE_SA is virgin, we check for a config */
1029 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1030 {
1031 ike_sa_id_t *ike_sa_id;
1032 ike_cfg_t *ike_cfg;
1033 job_t *job;
1034
1035 ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
1036 if (ike_cfg == NULL)
1037 {
1038 /* no config found for these hosts, destroy */
1039 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1040 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1041 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
1042 return DESTROY_ME;
1043 }
1044 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1045 ike_cfg->destroy(ike_cfg);
1046 /* add a timeout if peer does not establish it completely */
1047 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1048 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1049 lib->scheduler->schedule_job(lib->scheduler, job,
1050 lib->settings->get_int(lib->settings,
1051 "charon.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT));
1052 }
1053 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1054 time_monotonic(NULL));
1055 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
1056 charon->bus->message(charon->bus, msg, TRUE);
1057 if (process_request(this, msg) != SUCCESS)
1058 {
1059 flush(this);
1060 return DESTROY_ME;
1061 }
1062 this->responding.hash = hash;
1063 }
1064 return SUCCESS;
1065 }
1066
1067 METHOD(task_manager_t, queue_task, void,
1068 private_task_manager_t *this, task_t *task)
1069 {
1070 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1071 this->queued_tasks->insert_last(this->queued_tasks, task);
1072 }
1073
1074 /**
1075 * Check if a given task has been queued already
1076 */
1077 static bool has_queued(private_task_manager_t *this, task_type_t type)
1078 {
1079 enumerator_t *enumerator;
1080 bool found = FALSE;
1081 task_t *task;
1082
1083 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1084 while (enumerator->enumerate(enumerator, &task))
1085 {
1086 if (task->get_type(task) == type)
1087 {
1088 found = TRUE;
1089 break;
1090 }
1091 }
1092 enumerator->destroy(enumerator);
1093 return found;
1094 }
1095
1096 METHOD(task_manager_t, queue_ike, void,
1097 private_task_manager_t *this)
1098 {
1099 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1100 {
1101 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1102 }
1103 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1104 {
1105 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1106 }
1107 if (!has_queued(this, TASK_MAIN_MODE))
1108 {
1109 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1110 }
1111 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1112 {
1113 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1114 }
1115 if (!has_queued(this, TASK_ISAKMP_NATD))
1116 {
1117 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1118 }
1119 }
1120
1121 METHOD(task_manager_t, queue_ike_reauth, void,
1122 private_task_manager_t *this)
1123 {
1124 enumerator_t *enumerator;
1125 child_sa_t *child_sa;
1126 ike_sa_t *new;
1127 host_t *host;
1128
1129 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1130 this->ike_sa->get_version(this->ike_sa), TRUE);
1131 if (!new)
1132 { /* shouldn't happen */
1133 return;
1134 }
1135
1136 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1137 host = this->ike_sa->get_other_host(this->ike_sa);
1138 new->set_other_host(new, host->clone(host));
1139 host = this->ike_sa->get_my_host(this->ike_sa);
1140 new->set_my_host(new, host->clone(host));
1141 host = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
1142 if (host)
1143 {
1144 new->set_virtual_ip(new, TRUE, host);
1145 }
1146
1147 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1148 while (enumerator->enumerate(enumerator, &child_sa))
1149 {
1150 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
1151 new->add_child_sa(new, child_sa);
1152 }
1153 enumerator->destroy(enumerator);
1154
1155 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1156 {
1157 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1158 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
1159 }
1160 else
1161 {
1162 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1163 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1164 }
1165 charon->bus->set_sa(charon->bus, this->ike_sa);
1166 }
1167
1168 METHOD(task_manager_t, queue_ike_rekey, void,
1169 private_task_manager_t *this)
1170 {
1171 queue_ike_reauth(this);
1172 }
1173
1174 METHOD(task_manager_t, queue_ike_delete, void,
1175 private_task_manager_t *this)
1176 {
1177 enumerator_t *enumerator;
1178 child_sa_t *child_sa;
1179
1180 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1181 while (enumerator->enumerate(enumerator, &child_sa))
1182 {
1183 queue_task(this, (task_t*)
1184 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1185 child_sa->get_spi(child_sa, TRUE), FALSE, FALSE));
1186 }
1187 enumerator->destroy(enumerator);
1188
1189 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1190 }
1191
1192 METHOD(task_manager_t, queue_mobike, void,
1193 private_task_manager_t *this, bool roam, bool address)
1194 {
1195 /* Not supported in IKEv1 */
1196 }
1197
1198 METHOD(task_manager_t, queue_child, void,
1199 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1200 traffic_selector_t *tsi, traffic_selector_t *tsr)
1201 {
1202 quick_mode_t *task;
1203
1204 task = quick_mode_create(this->ike_sa, cfg, tsi, tsr);
1205 task->use_reqid(task, reqid);
1206
1207 queue_task(this, &task->task);
1208 }
1209
1210 METHOD(task_manager_t, queue_child_rekey, void,
1211 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1212 {
1213 child_sa_t *child_sa;
1214 child_cfg_t *cfg;
1215 quick_mode_t *task;
1216
1217 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, TRUE);
1218 if (!child_sa)
1219 {
1220 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol, spi, FALSE);
1221 }
1222 if (child_sa && child_sa->get_state(child_sa) == CHILD_INSTALLED)
1223 {
1224 child_sa->set_state(child_sa, CHILD_REKEYING);
1225 cfg = child_sa->get_config(child_sa);
1226 task = quick_mode_create(this->ike_sa, cfg->get_ref(cfg), NULL, NULL);
1227 task->use_reqid(task, child_sa->get_reqid(child_sa));
1228
1229 queue_task(this, &task->task);
1230 }
1231 }
1232
1233 METHOD(task_manager_t, queue_child_delete, void,
1234 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1235 bool expired)
1236 {
1237 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1238 spi, FALSE, expired));
1239 }
1240
1241 METHOD(task_manager_t, queue_dpd, void,
1242 private_task_manager_t *this)
1243 {
1244 /* TODO-IKEv1: DPD checking */
1245 }
1246
1247 METHOD(task_manager_t, adopt_tasks, void,
1248 private_task_manager_t *this, task_manager_t *other_public)
1249 {
1250 private_task_manager_t *other = (private_task_manager_t*)other_public;
1251 task_t *task;
1252
1253 /* move queued tasks from other to this */
1254 while (other->queued_tasks->remove_last(other->queued_tasks,
1255 (void**)&task) == SUCCESS)
1256 {
1257 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1258 task->migrate(task, this->ike_sa);
1259 this->queued_tasks->insert_first(this->queued_tasks, task);
1260 }
1261 }
1262
1263 METHOD(task_manager_t, busy, bool,
1264 private_task_manager_t *this)
1265 {
1266 return (this->active_tasks->get_count(this->active_tasks) > 0);
1267 }
1268
1269 METHOD(task_manager_t, incr_mid, void,
1270 private_task_manager_t *this, bool initiate)
1271 {
1272 }
1273
1274 METHOD(task_manager_t, reset, void,
1275 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1276 {
1277 enumerator_t *enumerator;
1278 task_t *task;
1279
1280 /* reset message counters and retransmit packets */
1281 DESTROY_IF(this->responding.packet);
1282 DESTROY_IF(this->initiating.packet);
1283 this->responding.packet = NULL;
1284 this->responding.seqnr = RESPONDING_SEQ;
1285 this->responding.retransmitted = 0;
1286 this->initiating.packet = NULL;
1287 this->initiating.mid = 0;
1288 this->initiating.seqnr = 0;
1289 this->initiating.retransmitted = 0;
1290 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1291
1292 /* reset queued tasks */
1293 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1294 while (enumerator->enumerate(enumerator, &task))
1295 {
1296 task->migrate(task, this->ike_sa);
1297 }
1298 enumerator->destroy(enumerator);
1299
1300 /* reset active tasks */
1301 while (this->active_tasks->remove_last(this->active_tasks,
1302 (void**)&task) == SUCCESS)
1303 {
1304 task->migrate(task, this->ike_sa);
1305 this->queued_tasks->insert_first(this->queued_tasks, task);
1306 }
1307 }
1308
1309 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1310 private_task_manager_t *this, task_queue_t queue)
1311 {
1312 switch (queue)
1313 {
1314 case TASK_QUEUE_ACTIVE:
1315 return this->active_tasks->create_enumerator(this->active_tasks);
1316 case TASK_QUEUE_PASSIVE:
1317 return this->passive_tasks->create_enumerator(this->passive_tasks);
1318 case TASK_QUEUE_QUEUED:
1319 return this->queued_tasks->create_enumerator(this->queued_tasks);
1320 default:
1321 return enumerator_create_empty();
1322 }
1323 }
1324
1325 METHOD(task_manager_t, destroy, void,
1326 private_task_manager_t *this)
1327 {
1328 flush(this);
1329
1330 this->active_tasks->destroy(this->active_tasks);
1331 this->queued_tasks->destroy(this->queued_tasks);
1332 this->passive_tasks->destroy(this->passive_tasks);
1333
1334 DESTROY_IF(this->queued);
1335 DESTROY_IF(this->responding.packet);
1336 DESTROY_IF(this->initiating.packet);
1337 DESTROY_IF(this->rng);
1338 free(this);
1339 }
1340
1341 /*
1342 * see header file
1343 */
1344 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
1345 {
1346 private_task_manager_t *this;
1347
1348 INIT(this,
1349 .public = {
1350 .task_manager = {
1351 .process_message = _process_message,
1352 .queue_task = _queue_task,
1353 .queue_ike = _queue_ike,
1354 .queue_ike_rekey = _queue_ike_rekey,
1355 .queue_ike_reauth = _queue_ike_reauth,
1356 .queue_ike_delete = _queue_ike_delete,
1357 .queue_mobike = _queue_mobike,
1358 .queue_child = _queue_child,
1359 .queue_child_rekey = _queue_child_rekey,
1360 .queue_child_delete = _queue_child_delete,
1361 .queue_dpd = _queue_dpd,
1362 .initiate = _initiate,
1363 .retransmit = _retransmit,
1364 .incr_mid = _incr_mid,
1365 .reset = _reset,
1366 .adopt_tasks = _adopt_tasks,
1367 .busy = _busy,
1368 .create_task_enumerator = _create_task_enumerator,
1369 .destroy = _destroy,
1370 },
1371 },
1372 .ike_sa = ike_sa,
1373 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
1374 .responding.seqnr = RESPONDING_SEQ,
1375 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
1376 .queued_tasks = linked_list_create(),
1377 .active_tasks = linked_list_create(),
1378 .passive_tasks = linked_list_create(),
1379 .retransmit_tries = lib->settings->get_int(lib->settings,
1380 "charon.retransmit_tries", RETRANSMIT_TRIES),
1381 .retransmit_timeout = lib->settings->get_double(lib->settings,
1382 "charon.retransmit_timeout", RETRANSMIT_TIMEOUT),
1383 .retransmit_base = lib->settings->get_double(lib->settings,
1384 "charon.retransmit_base", RETRANSMIT_BASE),
1385 );
1386
1387 return &this->public;
1388 }