Queue IKEv1 INFORMATIONALS with higher priority to process notifies first
[strongswan.git] / src / libcharon / sa / ikev1 / task_manager_v1.c
1 /*
2 * Copyright (C) 2007-2011 Tobias Brunner
3 * Copyright (C) 2007-2011 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v1.h"
18
19 #include <math.h>
20
21 #include <daemon.h>
22 #include <sa/ikev1/tasks/main_mode.h>
23 #include <sa/ikev1/tasks/quick_mode.h>
24 #include <sa/ikev1/tasks/quick_delete.h>
25 #include <sa/ikev1/tasks/xauth.h>
26 #include <sa/ikev1/tasks/mode_config.h>
27 #include <sa/ikev1/tasks/informational.h>
28 #include <sa/ikev1/tasks/isakmp_natd.h>
29 #include <sa/ikev1/tasks/isakmp_vendor.h>
30 #include <sa/ikev1/tasks/isakmp_cert_pre.h>
31 #include <sa/ikev1/tasks/isakmp_cert_post.h>
32 #include <sa/ikev1/tasks/isakmp_delete.h>
33 #include <processing/jobs/retransmit_job.h>
34 #include <processing/jobs/delete_ike_sa_job.h>
35
36 /**
37 * Number of old messages hashes we keep for retransmission.
38 *
39 * In Main Mode, we must ignore messages from a previous message pair if
40 * we already continued to the next. Otherwise a late retransmission
41 * could be considered as a reply to the newer request.
42 */
43 #define MAX_OLD_HASHES 2
44
45 typedef struct exchange_t exchange_t;
46
47 /**
48 * An exchange in the air, used do detect and handle retransmission
49 */
50 struct exchange_t {
51
52 /**
53 * Message ID used for this transaction
54 */
55 u_int32_t mid;
56
57 /**
58 * generated packet for retransmission
59 */
60 packet_t *packet;
61 };
62
63 typedef struct private_task_manager_t private_task_manager_t;
64
65 /**
66 * private data of the task manager
67 */
68 struct private_task_manager_t {
69
70 /**
71 * public functions
72 */
73 task_manager_v1_t public;
74
75 /**
76 * associated IKE_SA we are serving
77 */
78 ike_sa_t *ike_sa;
79
80 /**
81 * RNG to create message IDs
82 */
83 rng_t *rng;
84
85 /**
86 * Exchange we are currently handling as responder
87 */
88 struct {
89 /**
90 * Hash of a previously received message
91 */
92 u_int32_t hash;
93
94 /**
95 * packet for retransmission
96 */
97 packet_t *packet;
98
99 } responding;
100
101 /**
102 * Exchange we are currently handling as initiator
103 */
104 struct {
105 /**
106 * Message ID of the exchange
107 */
108 u_int32_t mid;
109
110 /**
111 * Hashes of old responses we can ignore
112 */
113 u_int32_t old_hashes[MAX_OLD_HASHES];
114
115 /**
116 * Position in old hash array
117 */
118 int old_hash_pos;
119
120 /**
121 * Sequence number of the last sent message
122 */
123 u_int32_t seqnr;
124
125 /**
126 * how many times we have retransmitted so far
127 */
128 u_int retransmitted;
129
130 /**
131 * packet for retransmission
132 */
133 packet_t *packet;
134
135 /**
136 * type of the initated exchange
137 */
138 exchange_type_t type;
139
140 } initiating;
141
142 /**
143 * List of queued tasks not yet in action
144 */
145 linked_list_t *queued_tasks;
146
147 /**
148 * List of active tasks, initiated by ourselve
149 */
150 linked_list_t *active_tasks;
151
152 /**
153 * List of tasks initiated by peer
154 */
155 linked_list_t *passive_tasks;
156
157 /**
158 * Queued messages not yet ready to process
159 */
160 message_t *queued;
161
162 /**
163 * Number of times we retransmit messages before giving up
164 */
165 u_int retransmit_tries;
166
167 /**
168 * Retransmission timeout
169 */
170 double retransmit_timeout;
171
172 /**
173 * Base to calculate retransmission timeout
174 */
175 double retransmit_base;
176 };
177
178 /**
179 * Flush a single task queue
180 */
181 static void flush_queue(private_task_manager_t *this, linked_list_t *list)
182 {
183 task_t *task;
184
185 if (this->queued)
186 {
187 this->queued->destroy(this->queued);
188 this->queued = NULL;
189 }
190 while (list->remove_last(list, (void**)&task) == SUCCESS)
191 {
192 task->destroy(task);
193 }
194 }
195
196 /**
197 * flush all tasks in the task manager
198 */
199 static void flush(private_task_manager_t *this)
200 {
201 flush_queue(this, this->queued_tasks);
202 flush_queue(this, this->passive_tasks);
203 flush_queue(this, this->active_tasks);
204 }
205
206 /**
207 * move a task of a specific type from the queue to the active list
208 */
209 static bool activate_task(private_task_manager_t *this, task_type_t type)
210 {
211 enumerator_t *enumerator;
212 task_t *task;
213 bool found = FALSE;
214
215 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
216 while (enumerator->enumerate(enumerator, (void**)&task))
217 {
218 if (task->get_type(task) == type)
219 {
220 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
221 this->queued_tasks->remove_at(this->queued_tasks, enumerator);
222 this->active_tasks->insert_last(this->active_tasks, task);
223 found = TRUE;
224 break;
225 }
226 }
227 enumerator->destroy(enumerator);
228 return found;
229 }
230
231 METHOD(task_manager_t, retransmit, status_t,
232 private_task_manager_t *this, u_int32_t message_seqnr)
233 {
234 /* this.initiating packet used as marker for received response */
235 if (message_seqnr == this->initiating.seqnr && this->initiating.packet )
236 {
237 u_int32_t timeout;
238 packet_t *packet;
239 job_t *job;
240
241 if (this->initiating.retransmitted <= this->retransmit_tries)
242 {
243 timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
244 pow(this->retransmit_base, this->initiating.retransmitted));
245 }
246 else
247 {
248 DBG1(DBG_IKE, "giving up after %d retransmits",
249 this->initiating.retransmitted - 1);
250 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
251 {
252 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
253 }
254 return DESTROY_ME;
255 }
256
257 if (this->initiating.retransmitted)
258 {
259 DBG1(DBG_IKE, "retransmit %d of request with message ID %u seqnr (%d)",
260 this->initiating.retransmitted, this->initiating.mid, message_seqnr);
261 }
262 packet = this->initiating.packet->clone(this->initiating.packet);
263 charon->sender->send(charon->sender, packet);
264
265 this->initiating.retransmitted++;
266 job = (job_t*)retransmit_job_create(this->initiating.seqnr,
267 this->ike_sa->get_id(this->ike_sa));
268 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
269 }
270 return SUCCESS;
271 }
272
273 METHOD(task_manager_t, initiate, status_t,
274 private_task_manager_t *this)
275 {
276 enumerator_t *enumerator;
277 task_t *task;
278 message_t *message;
279 host_t *me, *other;
280 status_t status;
281 exchange_type_t exchange = EXCHANGE_TYPE_UNDEFINED;
282 bool new_mid = FALSE, expect_response = FALSE, flushed = FALSE;
283
284 if (!this->rng)
285 {
286 DBG1(DBG_IKE, "no RNG supported");
287 return FAILED;
288 }
289
290 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
291 {
292 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
293 exchange_type_names, this->initiating.type);
294 /* do not initiate if we already have a message in the air */
295 return SUCCESS;
296 }
297
298 if (this->active_tasks->get_count(this->active_tasks) == 0)
299 {
300 DBG2(DBG_IKE, "activating new tasks");
301 switch (this->ike_sa->get_state(this->ike_sa))
302 {
303 case IKE_CREATED:
304 activate_task(this, TASK_ISAKMP_VENDOR);
305 activate_task(this, TASK_ISAKMP_CERT_PRE);
306 if (activate_task(this, TASK_MAIN_MODE))
307 {
308 exchange = ID_PROT;
309 activate_task(this, TASK_ISAKMP_CERT_POST);
310 activate_task(this, TASK_ISAKMP_NATD);
311 }
312 break;
313 case IKE_CONNECTING:
314 if (activate_task(this, TASK_ISAKMP_DELETE))
315 {
316 exchange = INFORMATIONAL_V1;
317 new_mid = TRUE;
318 break;
319 }
320 if (activate_task(this, TASK_XAUTH))
321 {
322 exchange = TRANSACTION;
323 new_mid = TRUE;
324 break;
325 }
326 if (activate_task(this, TASK_INFORMATIONAL))
327 {
328 exchange = INFORMATIONAL_V1;
329 new_mid = TRUE;
330 break;
331 }
332 break;
333 case IKE_ESTABLISHED:
334 if (activate_task(this, TASK_MODE_CONFIG))
335 {
336 exchange = TRANSACTION;
337 new_mid = TRUE;
338 break;
339 }
340 if (activate_task(this, TASK_QUICK_MODE))
341 {
342 exchange = QUICK_MODE;
343 new_mid = TRUE;
344 break;
345 }
346 if (activate_task(this, TASK_INFORMATIONAL))
347 {
348 exchange = INFORMATIONAL_V1;
349 new_mid = TRUE;
350 break;
351 }
352 if (activate_task(this, TASK_QUICK_DELETE))
353 {
354 exchange = INFORMATIONAL_V1;
355 new_mid = TRUE;
356 break;
357 }
358 if (activate_task(this, TASK_ISAKMP_DELETE))
359 {
360 exchange = INFORMATIONAL_V1;
361 new_mid = TRUE;
362 break;
363 }
364 break;
365 default:
366 break;
367 }
368 }
369 else
370 {
371 DBG2(DBG_IKE, "reinitiating already active tasks");
372 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
373 while (enumerator->enumerate(enumerator, (void**)&task))
374 {
375 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
376 switch (task->get_type(task))
377 {
378 case TASK_MAIN_MODE:
379 exchange = ID_PROT;
380 break;
381 case TASK_QUICK_MODE:
382 exchange = QUICK_MODE;
383 break;
384 case TASK_XAUTH:
385 exchange = TRANSACTION;
386 new_mid = TRUE;
387 break;
388 default:
389 continue;
390 }
391 break;
392 }
393 enumerator->destroy(enumerator);
394 }
395
396 if (exchange == EXCHANGE_TYPE_UNDEFINED)
397 {
398 DBG2(DBG_IKE, "nothing to initiate");
399 /* nothing to do yet... */
400 return SUCCESS;
401 }
402
403 me = this->ike_sa->get_my_host(this->ike_sa);
404 other = this->ike_sa->get_other_host(this->ike_sa);
405
406 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
407 if (new_mid)
408 {
409 this->rng->get_bytes(this->rng, sizeof(this->initiating.mid),
410 (void*)&this->initiating.mid);
411 }
412 message->set_message_id(message, this->initiating.mid);
413 message->set_source(message, me->clone(me));
414 message->set_destination(message, other->clone(other));
415 message->set_exchange_type(message, exchange);
416 this->initiating.type = exchange;
417 this->initiating.retransmitted = 0;
418
419 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
420 while (enumerator->enumerate(enumerator, (void*)&task))
421 {
422 switch (task->build(task, message))
423 {
424 case SUCCESS:
425 /* task completed, remove it */
426 this->active_tasks->remove_at(this->active_tasks, enumerator);
427 task->destroy(task);
428 continue;
429 case NEED_MORE:
430 expect_response = TRUE;
431 /* processed, but task needs another exchange */
432 continue;
433 case ALREADY_DONE:
434 flush_queue(this, this->active_tasks);
435 flushed = TRUE;
436 break;
437 case FAILED:
438 default:
439 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
440 {
441 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
442 }
443 /* FALL */
444 case DESTROY_ME:
445 /* critical failure, destroy IKE_SA */
446 enumerator->destroy(enumerator);
447 message->destroy(message);
448 flush(this);
449 return DESTROY_ME;
450 }
451 break;
452 }
453 enumerator->destroy(enumerator);
454
455 if (this->active_tasks->get_count(this->active_tasks) == 0)
456 { /* tasks completed, no exchange active anymore */
457 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
458 }
459 if (flushed)
460 {
461 message->destroy(message);
462 return initiate(this);
463 }
464 this->initiating.seqnr++;
465
466 status = this->ike_sa->generate_message(this->ike_sa, message,
467 &this->initiating.packet);
468 if (status != SUCCESS)
469 {
470 /* message generation failed. There is nothing more to do than to
471 * close the SA */
472 message->destroy(message);
473 flush(this);
474 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
475 return DESTROY_ME;
476 }
477 message->destroy(message);
478
479 if (expect_response)
480 {
481 return retransmit(this, this->initiating.seqnr);
482 }
483 charon->sender->send(charon->sender,
484 this->initiating.packet->clone(this->initiating.packet));
485 this->initiating.packet->destroy(this->initiating.packet);
486 this->initiating.packet = NULL;
487
488 if (exchange == INFORMATIONAL_V1)
489 {
490 switch (this->ike_sa->get_state(this->ike_sa))
491 {
492 case IKE_CONNECTING:
493 /* close after sending an INFORMATIONAL when unestablished */
494 return FAILED;
495 case IKE_DELETING:
496 /* close after sending a DELETE */
497 return DESTROY_ME;
498 default:
499 break;
500 }
501 }
502 return initiate(this);
503 }
504
505 /**
506 * handle exchange collisions
507 */
508 static bool handle_collisions(private_task_manager_t *this, task_t *task)
509 {
510 return FALSE;
511 }
512
513 /**
514 * build a response depending on the "passive" task list
515 */
516 static status_t build_response(private_task_manager_t *this, message_t *request)
517 {
518 enumerator_t *enumerator;
519 task_t *task;
520 message_t *message;
521 host_t *me, *other;
522 bool delete = FALSE, flushed = FALSE;
523 status_t status;
524
525 me = request->get_destination(request);
526 other = request->get_source(request);
527
528 message = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
529 message->set_exchange_type(message, request->get_exchange_type(request));
530 /* send response along the path the request came in */
531 message->set_source(message, me->clone(me));
532 message->set_destination(message, other->clone(other));
533 message->set_message_id(message, request->get_message_id(request));
534 message->set_request(message, FALSE);
535
536 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
537 while (enumerator->enumerate(enumerator, (void*)&task))
538 {
539 switch (task->build(task, message))
540 {
541 case SUCCESS:
542 /* task completed, remove it */
543 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
544 if (!handle_collisions(this, task))
545 {
546 task->destroy(task);
547 }
548 continue;
549 case NEED_MORE:
550 /* processed, but task needs another exchange */
551 if (handle_collisions(this, task))
552 {
553 this->passive_tasks->remove_at(this->passive_tasks,
554 enumerator);
555 }
556 continue;
557 case ALREADY_DONE:
558 flush_queue(this, this->passive_tasks);
559 flushed = TRUE;
560 break;
561 case FAILED:
562 default:
563 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
564 /* FALL */
565 case DESTROY_ME:
566 /* destroy IKE_SA, but SEND response first */
567 delete = TRUE;
568 break;
569 }
570 break;
571 }
572 enumerator->destroy(enumerator);
573
574 DESTROY_IF(this->responding.packet);
575 this->responding.packet = NULL;
576 if (flushed)
577 {
578 message->destroy(message);
579 return initiate(this);
580 }
581 status = this->ike_sa->generate_message(this->ike_sa, message,
582 &this->responding.packet);
583 message->destroy(message);
584 if (status != SUCCESS)
585 {
586 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
587 return DESTROY_ME;
588 }
589
590 charon->sender->send(charon->sender,
591 this->responding.packet->clone(this->responding.packet));
592 if (delete)
593 {
594 return DESTROY_ME;
595 }
596 return SUCCESS;
597 }
598
599 /**
600 * Send a notify in a separate INFORMATIONAL exchange back to the sender.
601 * The notify protocol_id is set to ISAKMP
602 */
603 static void send_notify(private_task_manager_t *this, message_t *request,
604 notify_type_t type)
605 {
606 message_t *response;
607 packet_t *packet;
608 host_t *me, *other;
609 u_int32_t mid;
610
611 if (request && request->get_exchange_type(request) == INFORMATIONAL_V1)
612 { /* don't respond to INFORMATIONAL requests to avoid a notify war */
613 DBG1(DBG_IKE, "ignore malformed INFORMATIONAL request");
614 return;
615 }
616
617 response = message_create(IKEV1_MAJOR_VERSION, IKEV1_MINOR_VERSION);
618 response->set_exchange_type(response, INFORMATIONAL_V1);
619 response->set_request(response, TRUE);
620 this->rng->get_bytes(this->rng, sizeof(mid), (void*)&mid);
621 response->set_message_id(response, mid);
622 response->add_payload(response, (payload_t*)
623 notify_payload_create_from_protocol_and_type(NOTIFY_V1,
624 PROTO_IKE, type));
625
626 me = this->ike_sa->get_my_host(this->ike_sa);
627 if (me->is_anyaddr(me))
628 {
629 me = request->get_destination(request);
630 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
631 }
632 other = this->ike_sa->get_other_host(this->ike_sa);
633 if (other->is_anyaddr(other))
634 {
635 other = request->get_source(request);
636 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
637 }
638 response->set_source(response, me->clone(me));
639 response->set_destination(response, other->clone(other));
640 if (this->ike_sa->generate_message(this->ike_sa, response,
641 &packet) == SUCCESS)
642 {
643 charon->sender->send(charon->sender, packet);
644 }
645 response->destroy(response);
646 }
647
648 /**
649 * handle an incoming request message
650 */
651 static status_t process_request(private_task_manager_t *this,
652 message_t *message)
653 {
654 enumerator_t *enumerator;
655 task_t *task = NULL;
656 bool send_response = FALSE;
657
658 if (message->get_exchange_type(message) == INFORMATIONAL_V1 ||
659 this->passive_tasks->get_count(this->passive_tasks) == 0)
660 { /* create tasks depending on request type, if not already some queued */
661 switch (message->get_exchange_type(message))
662 {
663 case ID_PROT:
664 task = (task_t *)isakmp_vendor_create(this->ike_sa, FALSE);
665 this->passive_tasks->insert_last(this->passive_tasks, task);
666 task = (task_t*)isakmp_cert_pre_create(this->ike_sa, FALSE);
667 this->passive_tasks->insert_last(this->passive_tasks, task);
668 task = (task_t *)main_mode_create(this->ike_sa, FALSE);
669 this->passive_tasks->insert_last(this->passive_tasks, task);
670 task = (task_t*)isakmp_cert_post_create(this->ike_sa, FALSE);
671 this->passive_tasks->insert_last(this->passive_tasks, task);
672 task = (task_t *)isakmp_natd_create(this->ike_sa, FALSE);
673 this->passive_tasks->insert_last(this->passive_tasks, task);
674 break;
675 case AGGRESSIVE:
676 /* TODO-IKEv1: agressive mode */
677 return FAILED;
678 case QUICK_MODE:
679 if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
680 {
681 DBG1(DBG_IKE, "received quick mode request for "
682 "unestablished IKE_SA, ignored");
683 return FAILED;
684 }
685 task = (task_t *)quick_mode_create(this->ike_sa, NULL,
686 NULL, NULL);
687 this->passive_tasks->insert_last(this->passive_tasks, task);
688 break;
689 case INFORMATIONAL_V1:
690 task = (task_t *)informational_create(this->ike_sa, NULL);
691 this->passive_tasks->insert_first(this->passive_tasks, task);
692 break;
693 case TRANSACTION:
694 if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
695 {
696 task = (task_t *)mode_config_create(this->ike_sa, FALSE);
697 }
698 else
699 {
700 task = (task_t *)xauth_create(this->ike_sa, FALSE);
701 }
702 this->passive_tasks->insert_last(this->passive_tasks, task);
703 break;
704 default:
705 return FAILED;
706 }
707 }
708 /* let the tasks process the message */
709 enumerator = this->passive_tasks->create_enumerator(this->passive_tasks);
710 while (enumerator->enumerate(enumerator, (void*)&task))
711 {
712 switch (task->process(task, message))
713 {
714 case SUCCESS:
715 /* task completed, remove it */
716 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
717 task->destroy(task);
718 continue;
719 case NEED_MORE:
720 /* processed, but task needs at least another call to build() */
721 send_response = TRUE;
722 continue;
723 case ALREADY_DONE:
724 send_response = FALSE;
725 flush_queue(this, this->passive_tasks);
726 break;
727 case FAILED:
728 default:
729 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
730 /* FALL */
731 case DESTROY_ME:
732 /* critical failure, destroy IKE_SA */
733 this->passive_tasks->remove_at(this->passive_tasks, enumerator);
734 enumerator->destroy(enumerator);
735 task->destroy(task);
736 return DESTROY_ME;
737 }
738 break;
739 }
740 enumerator->destroy(enumerator);
741
742 if (send_response)
743 {
744 if (build_response(this, message) != SUCCESS)
745 {
746 return DESTROY_ME;
747 }
748 }
749 else
750 { /* We don't send a response, so don't retransmit one if we get
751 * the same message again. */
752 DESTROY_IF(this->responding.packet);
753 this->responding.packet = NULL;
754 }
755 if (this->passive_tasks->get_count(this->passive_tasks) == 0 &&
756 this->queued_tasks->get_count(this->queued_tasks) > 0)
757 {
758 /* passive tasks completed, check if an active task has been queued,
759 * such as XAUTH or modeconfig push */
760 return initiate(this);
761 }
762 return SUCCESS;
763 }
764
765 /**
766 * handle an incoming response message
767 */
768 static status_t process_response(private_task_manager_t *this,
769 message_t *message)
770 {
771 enumerator_t *enumerator;
772 status_t status;
773 task_t *task;
774
775 if (message->get_exchange_type(message) != this->initiating.type)
776 {
777 DBG1(DBG_IKE, "received %N response, but expected %N",
778 exchange_type_names, message->get_exchange_type(message),
779 exchange_type_names, this->initiating.type);
780 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
781 return DESTROY_ME;
782 }
783
784 enumerator = this->active_tasks->create_enumerator(this->active_tasks);
785 while (enumerator->enumerate(enumerator, (void*)&task))
786 {
787 switch (task->process(task, message))
788 {
789 case SUCCESS:
790 /* task completed, remove it */
791 this->active_tasks->remove_at(this->active_tasks, enumerator);
792 task->destroy(task);
793 continue;
794 case NEED_MORE:
795 /* processed, but task needs another exchange */
796 continue;
797 case ALREADY_DONE:
798 flush_queue(this, this->active_tasks);
799 break;
800 case FAILED:
801 default:
802 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
803 /* FALL */
804 case DESTROY_ME:
805 /* critical failure, destroy IKE_SA */
806 this->active_tasks->remove_at(this->active_tasks, enumerator);
807 enumerator->destroy(enumerator);
808 task->destroy(task);
809 return DESTROY_ME;
810 }
811 break;
812 }
813 enumerator->destroy(enumerator);
814
815 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
816 this->initiating.packet->destroy(this->initiating.packet);
817 this->initiating.packet = NULL;
818
819 if (this->queued && this->active_tasks->get_count(this->active_tasks) == 0)
820 {
821 status = this->public.task_manager.process_message(
822 &this->public.task_manager, this->queued);
823 this->queued->destroy(this->queued);
824 this->queued = NULL;
825 if (status == DESTROY_ME)
826 {
827 return status;
828 }
829 }
830
831 return initiate(this);
832 }
833
834 /**
835 * Parse the given message and verify that it is valid.
836 */
837 static status_t parse_message(private_task_manager_t *this, message_t *msg)
838 {
839 status_t status;
840
841 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
842
843 if (status != SUCCESS)
844 {
845 switch (status)
846 {
847 case NOT_SUPPORTED:
848 DBG1(DBG_IKE, "unsupported exchange type");
849 send_notify(this, msg, INVALID_EXCHANGE_TYPE);
850 break;
851 case PARSE_ERROR:
852 DBG1(DBG_IKE, "message parsing failed");
853 send_notify(this, msg, PAYLOAD_MALFORMED);
854 break;
855 case VERIFY_ERROR:
856 DBG1(DBG_IKE, "message verification failed");
857 send_notify(this, msg, PAYLOAD_MALFORMED);
858 break;
859 case FAILED:
860 DBG1(DBG_IKE, "integrity check failed");
861 send_notify(this, msg, INVALID_HASH_INFORMATION);
862 break;
863 case INVALID_STATE:
864 DBG1(DBG_IKE, "found encrypted message, but no keys available");
865 send_notify(this, msg, PAYLOAD_MALFORMED);
866 default:
867 break;
868 }
869 DBG1(DBG_IKE, "%N %s with message ID %u processing failed",
870 exchange_type_names, msg->get_exchange_type(msg),
871 msg->get_request(msg) ? "request" : "response",
872 msg->get_message_id(msg));
873
874 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
875 { /* invalid initiation attempt, close SA */
876 return DESTROY_ME;
877 }
878 }
879 return status;
880 }
881
882 METHOD(task_manager_t, process_message, status_t,
883 private_task_manager_t *this, message_t *msg)
884 {
885 u_int32_t hash, mid, i;
886 host_t *me, *other;
887 status_t status;
888
889 /* TODO-IKEv1: update hosts more selectively */
890 me = msg->get_destination(msg);
891 other = msg->get_source(msg);
892 mid = msg->get_message_id(msg);
893 hash = chunk_hash(msg->get_packet_data(msg));
894 for (i = 0; i < MAX_OLD_HASHES; i++)
895 {
896 if (this->initiating.old_hashes[i] == hash)
897 {
898 DBG1(DBG_IKE, "received retransmit of response with ID %u, "
899 "but next request already sent", mid);
900 return SUCCESS;
901 }
902 }
903
904 if ((mid && mid == this->initiating.mid) ||
905 (this->initiating.mid == 0 &&
906 msg->get_exchange_type(msg) == this->initiating.type &&
907 this->active_tasks->get_count(this->active_tasks)))
908 {
909 msg->set_request(msg, FALSE);
910 status = parse_message(this, msg);
911 if (status != SUCCESS)
912 {
913 return status;
914 }
915 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
916 time_monotonic(NULL));
917 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
918 charon->bus->message(charon->bus, msg, FALSE);
919 if (process_response(this, msg) != SUCCESS)
920 {
921 flush(this);
922 return DESTROY_ME;
923 }
924 this->initiating.old_hashes[(this->initiating.old_hash_pos++) %
925 MAX_OLD_HASHES] = hash;
926 }
927 else
928 {
929 if (hash == this->responding.hash)
930 {
931 if (this->responding.packet)
932 {
933 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
934 "retransmitting response", mid);
935 charon->sender->send(charon->sender,
936 this->responding.packet->clone(this->responding.packet));
937 }
938 else
939 {
940 DBG1(DBG_IKE, "received retransmit of request with ID %u, "
941 "but no response to retransmit", mid);
942 }
943 return SUCCESS;
944 }
945 if (msg->get_exchange_type(msg) == TRANSACTION &&
946 this->active_tasks->get_count(this->active_tasks))
947 { /* main mode not yet complete, queue XAuth/Mode config tasks */
948 if (this->queued)
949 {
950 DBG1(DBG_IKE, "ignoring additional %N request, queue full",
951 exchange_type_names, TRANSACTION);
952 return SUCCESS;
953 }
954 this->queued = message_create_from_packet(msg->get_packet(msg));
955 if (this->queued->parse_header(this->queued) != SUCCESS)
956 {
957 this->queued->destroy(this->queued);
958 this->queued = NULL;
959 return FAILED;
960 }
961 DBG1(DBG_IKE, "queueing %N request as tasks still active",
962 exchange_type_names, TRANSACTION);
963 return SUCCESS;
964 }
965
966 msg->set_request(msg, TRUE);
967 status = parse_message(this, msg);
968 if (status != SUCCESS)
969 {
970 return status;
971 }
972 /* if this IKE_SA is virgin, we check for a config */
973 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
974 {
975 ike_sa_id_t *ike_sa_id;
976 ike_cfg_t *ike_cfg;
977 job_t *job;
978 ike_cfg = charon->backends->get_ike_cfg(charon->backends, me, other);
979 if (ike_cfg == NULL)
980 {
981 /* no config found for these hosts, destroy */
982 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
983 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
984 send_notify(this, msg, NO_PROPOSAL_CHOSEN);
985 return DESTROY_ME;
986 }
987 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
988 ike_cfg->destroy(ike_cfg);
989 /* add a timeout if peer does not establish it completely */
990 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
991 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
992 lib->scheduler->schedule_job(lib->scheduler, job,
993 lib->settings->get_int(lib->settings,
994 "charon.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT));
995 }
996 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
997 time_monotonic(NULL));
998 this->ike_sa->update_hosts(this->ike_sa, me, other, TRUE);
999 charon->bus->message(charon->bus, msg, TRUE);
1000 if (process_request(this, msg) != SUCCESS)
1001 {
1002 flush(this);
1003 return DESTROY_ME;
1004 }
1005 this->responding.hash = hash;
1006 }
1007 return SUCCESS;
1008 }
1009
1010 METHOD(task_manager_t, queue_task, void,
1011 private_task_manager_t *this, task_t *task)
1012 {
1013 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1014 this->queued_tasks->insert_last(this->queued_tasks, task);
1015 }
1016
1017 /**
1018 * Check if a given task has been queued already
1019 */
1020 static bool has_queued(private_task_manager_t *this, task_type_t type)
1021 {
1022 enumerator_t *enumerator;
1023 bool found = FALSE;
1024 task_t *task;
1025
1026 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1027 while (enumerator->enumerate(enumerator, &task))
1028 {
1029 if (task->get_type(task) == type)
1030 {
1031 found = TRUE;
1032 break;
1033 }
1034 }
1035 enumerator->destroy(enumerator);
1036 return found;
1037 }
1038
1039 METHOD(task_manager_t, queue_ike, void,
1040 private_task_manager_t *this)
1041 {
1042 if (!has_queued(this, TASK_ISAKMP_VENDOR))
1043 {
1044 queue_task(this, (task_t*)isakmp_vendor_create(this->ike_sa, TRUE));
1045 }
1046 if (!has_queued(this, TASK_ISAKMP_CERT_PRE))
1047 {
1048 queue_task(this, (task_t*)isakmp_cert_pre_create(this->ike_sa, TRUE));
1049 }
1050 if (!has_queued(this, TASK_MAIN_MODE))
1051 {
1052 queue_task(this, (task_t*)main_mode_create(this->ike_sa, TRUE));
1053 }
1054 if (!has_queued(this, TASK_ISAKMP_CERT_POST))
1055 {
1056 queue_task(this, (task_t*)isakmp_cert_post_create(this->ike_sa, TRUE));
1057 }
1058 if (!has_queued(this, TASK_ISAKMP_NATD))
1059 {
1060 queue_task(this, (task_t*)isakmp_natd_create(this->ike_sa, TRUE));
1061 }
1062 }
1063
1064 METHOD(task_manager_t, queue_ike_rekey, void,
1065 private_task_manager_t *this)
1066 {
1067 /* TODO-IKEv1: IKE_SA rekeying */
1068 }
1069
1070 METHOD(task_manager_t, queue_ike_reauth, void,
1071 private_task_manager_t *this)
1072 {
1073 /* TODO-IKEv1: IKE_SA reauth */
1074 }
1075
1076 METHOD(task_manager_t, queue_ike_delete, void,
1077 private_task_manager_t *this)
1078 {
1079 enumerator_t *enumerator;
1080 child_sa_t *child_sa;
1081
1082 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1083 while (enumerator->enumerate(enumerator, &child_sa))
1084 {
1085 queue_task(this, (task_t*)
1086 quick_delete_create(this->ike_sa, child_sa->get_protocol(child_sa),
1087 child_sa->get_spi(child_sa, TRUE), FALSE));
1088 }
1089 enumerator->destroy(enumerator);
1090
1091 queue_task(this, (task_t*)isakmp_delete_create(this->ike_sa, TRUE));
1092 }
1093
1094 METHOD(task_manager_t, queue_mobike, void,
1095 private_task_manager_t *this, bool roam, bool address)
1096 {
1097 /* Not supported in IKEv1 */
1098 }
1099
1100 METHOD(task_manager_t, queue_child, void,
1101 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1102 traffic_selector_t *tsi, traffic_selector_t *tsr)
1103 {
1104 queue_task(this, (task_t*)quick_mode_create(this->ike_sa, cfg, tsi, tsr));
1105 }
1106
1107 METHOD(task_manager_t, queue_child_rekey, void,
1108 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1109 {
1110 /* TODO-IKEv1: CHILD rekeying */
1111 }
1112
1113 METHOD(task_manager_t, queue_child_delete, void,
1114 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1115 {
1116 queue_task(this, (task_t*)quick_delete_create(this->ike_sa, protocol,
1117 spi, FALSE));
1118 }
1119
1120 METHOD(task_manager_t, queue_dpd, void,
1121 private_task_manager_t *this)
1122 {
1123 /* TODO-IKEv1: DPD checking */
1124 }
1125
1126 METHOD(task_manager_t, adopt_tasks, void,
1127 private_task_manager_t *this, task_manager_t *other_public)
1128 {
1129 private_task_manager_t *other = (private_task_manager_t*)other_public;
1130 task_t *task;
1131
1132 /* move queued tasks from other to this */
1133 while (other->queued_tasks->remove_last(other->queued_tasks,
1134 (void**)&task) == SUCCESS)
1135 {
1136 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1137 task->migrate(task, this->ike_sa);
1138 this->queued_tasks->insert_first(this->queued_tasks, task);
1139 }
1140 }
1141
1142 METHOD(task_manager_t, busy, bool,
1143 private_task_manager_t *this)
1144 {
1145 return (this->active_tasks->get_count(this->active_tasks) > 0);
1146 }
1147
1148 METHOD(task_manager_t, incr_mid, void,
1149 private_task_manager_t *this, bool initiate)
1150 {
1151 }
1152
1153 METHOD(task_manager_t, reset, void,
1154 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1155 {
1156 enumerator_t *enumerator;
1157 task_t *task;
1158
1159 /* reset message counters and retransmit packets */
1160 DESTROY_IF(this->responding.packet);
1161 DESTROY_IF(this->initiating.packet);
1162 this->responding.packet = NULL;
1163 this->initiating.packet = NULL;
1164 this->initiating.mid = 0;
1165 this->initiating.seqnr = 0;
1166 this->initiating.retransmitted = 0;
1167 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1168
1169 /* reset queued tasks */
1170 enumerator = this->queued_tasks->create_enumerator(this->queued_tasks);
1171 while (enumerator->enumerate(enumerator, &task))
1172 {
1173 task->migrate(task, this->ike_sa);
1174 }
1175 enumerator->destroy(enumerator);
1176
1177 /* reset active tasks */
1178 while (this->active_tasks->remove_last(this->active_tasks,
1179 (void**)&task) == SUCCESS)
1180 {
1181 task->migrate(task, this->ike_sa);
1182 this->queued_tasks->insert_first(this->queued_tasks, task);
1183 }
1184 }
1185
1186 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1187 private_task_manager_t *this, task_queue_t queue)
1188 {
1189 switch (queue)
1190 {
1191 case TASK_QUEUE_ACTIVE:
1192 return this->active_tasks->create_enumerator(this->active_tasks);
1193 case TASK_QUEUE_PASSIVE:
1194 return this->passive_tasks->create_enumerator(this->passive_tasks);
1195 case TASK_QUEUE_QUEUED:
1196 return this->queued_tasks->create_enumerator(this->queued_tasks);
1197 default:
1198 return enumerator_create_empty();
1199 }
1200 }
1201
1202 METHOD(task_manager_t, destroy, void,
1203 private_task_manager_t *this)
1204 {
1205 flush(this);
1206
1207 this->active_tasks->destroy(this->active_tasks);
1208 this->queued_tasks->destroy(this->queued_tasks);
1209 this->passive_tasks->destroy(this->passive_tasks);
1210
1211 DESTROY_IF(this->queued);
1212 DESTROY_IF(this->responding.packet);
1213 DESTROY_IF(this->initiating.packet);
1214 DESTROY_IF(this->rng);
1215 free(this);
1216 }
1217
1218 /*
1219 * see header file
1220 */
1221 task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
1222 {
1223 private_task_manager_t *this;
1224
1225 INIT(this,
1226 .public = {
1227 .task_manager = {
1228 .process_message = _process_message,
1229 .queue_task = _queue_task,
1230 .queue_ike = _queue_ike,
1231 .queue_ike_rekey = _queue_ike_rekey,
1232 .queue_ike_reauth = _queue_ike_reauth,
1233 .queue_ike_delete = _queue_ike_delete,
1234 .queue_mobike = _queue_mobike,
1235 .queue_child = _queue_child,
1236 .queue_child_rekey = _queue_child_rekey,
1237 .queue_child_delete = _queue_child_delete,
1238 .queue_dpd = _queue_dpd,
1239 .initiate = _initiate,
1240 .retransmit = _retransmit,
1241 .incr_mid = _incr_mid,
1242 .reset = _reset,
1243 .adopt_tasks = _adopt_tasks,
1244 .busy = _busy,
1245 .create_task_enumerator = _create_task_enumerator,
1246 .destroy = _destroy,
1247 },
1248 },
1249 .ike_sa = ike_sa,
1250 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
1251 .rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
1252 .queued_tasks = linked_list_create(),
1253 .active_tasks = linked_list_create(),
1254 .passive_tasks = linked_list_create(),
1255 .retransmit_tries = lib->settings->get_int(lib->settings,
1256 "charon.retransmit_tries", RETRANSMIT_TRIES),
1257 .retransmit_timeout = lib->settings->get_double(lib->settings,
1258 "charon.retransmit_timeout", RETRANSMIT_TIMEOUT),
1259 .retransmit_base = lib->settings->get_double(lib->settings,
1260 "charon.retransmit_base", RETRANSMIT_BASE),
1261 );
1262
1263 return &this->public;
1264 }