1 /*
2 * Copyright (C) 2007-2014 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_delete.h>
34 #include <sa/ikev2/tasks/ike_config.h>
35 #include <sa/ikev2/tasks/ike_dpd.h>
36 #include <sa/ikev2/tasks/ike_vendor.h>
37 #include <sa/ikev2/tasks/child_create.h>
38 #include <sa/ikev2/tasks/child_rekey.h>
39 #include <sa/ikev2/tasks/child_delete.h>
40 #include <encoding/payloads/delete_payload.h>
41 #include <encoding/payloads/unknown_payload.h>
42 #include <processing/jobs/retransmit_job.h>
43 #include <processing/jobs/delete_ike_sa_job.h>
44
45 #ifdef ME
46 #include <sa/ikev2/tasks/ike_me.h>
47 #endif
48
typedef struct exchange_t exchange_t;

/**
 * An exchange in the air, used to detect and handle retransmission.
 *
 * NOTE(review): not referenced in the visible part of this file; the
 * initiating/responding sub-structs of private_task_manager_t hold the
 * equivalent state.
 */
struct exchange_t {

	/**
	 * Message ID used for this transaction
	 */
	u_int32_t mid;

	/**
	 * generated packet for retransmission
	 */
	packet_t *packet;
};
66
typedef struct private_task_manager_t private_task_manager_t;

/**
 * private data of the task manager
 */
struct private_task_manager_t {

	/**
	 * public functions
	 */
	task_manager_v2_t public;

	/**
	 * associated IKE_SA we are serving
	 */
	ike_sa_t *ike_sa;

	/**
	 * Exchange we are currently handling as responder
	 */
	struct {
		/**
		 * Message ID of the exchange; set as message ID on the responses
		 * we build and incremented once a response has been sent
		 */
		u_int32_t mid;

		/**
		 * packet(s) for retransmission of the last response, replaced
		 * each time a new response is generated
		 */
		array_t *packets;

		/**
		 * Helper to defragment the request (NULL while no fragment is
		 * pending, see handle_fragment())
		 */
		message_t *defrag;

	} responding;

	/**
	 * Exchange we are currently handling as initiator
	 */
	struct {
		/**
		 * Message ID of the exchange; used for the request we build and
		 * incremented once its response has been processed
		 */
		u_int32_t mid;

		/**
		 * how many times we have transmitted so far (0 before the initial
		 * send, so the first retransmit is reported as 1)
		 */
		u_int retransmitted;

		/**
		 * packet(s) for retransmission of the request in the air
		 */
		array_t *packets;

		/**
		 * type of the initiated exchange, EXCHANGE_TYPE_UNDEFINED while
		 * nothing is in the air
		 */
		exchange_type_t type;

		/**
		 * TRUE if exchange was deferred because no path was available
		 * (MOBIKE could not transmit); initiate() re-runs retransmit()
		 */
		bool deferred;

		/**
		 * Helper to defragment the response
		 */
		message_t *defrag;

	} initiating;

	/**
	 * Array of queued tasks not yet in action
	 */
	array_t *queued_tasks;

	/**
	 * Array of active tasks, initiated by ourselve
	 */
	array_t *active_tasks;

	/**
	 * Array of tasks initiated by peer
	 */
	array_t *passive_tasks;

	/**
	 * the task manager has been reset while processing a response; checked
	 * after each task->process() to restart from initiate()
	 */
	bool reset;

	/**
	 * Number of times we retransmit messages before giving up
	 */
	u_int retransmit_tries;

	/**
	 * Retransmission timeout in seconds (multiplied by 1000 for the
	 * scheduler)
	 */
	double retransmit_timeout;

	/**
	 * Base to calculate retransmission timeout: timeout * base^retransmitted
	 */
	double retransmit_base;

	/**
	 * Use make-before-break instead of break-before-make reauth?
	 */
	bool make_before_break;
};
181
/**
 * Destroy and drop every packet held in the given retransmission array.
 *
 * The array itself is kept (possibly empty), only its entries are removed.
 */
static void clear_packets(array_t *array)
{
	packet_t *pending;

	for (;;)
	{
		if (!array_remove(array, ARRAY_TAIL, &pending))
		{
			break;
		}
		pending->destroy(pending);
	}
}
194
METHOD(task_manager_t, flush_queue, void,
	private_task_manager_t *this, task_queue_t queue)
{
	array_t *tasks;
	task_t *current;

	/* map the queue selector to the backing array; anything else is a no-op */
	if (queue == TASK_QUEUE_ACTIVE)
	{
		tasks = this->active_tasks;
	}
	else if (queue == TASK_QUEUE_PASSIVE)
	{
		tasks = this->passive_tasks;
	}
	else if (queue == TASK_QUEUE_QUEUED)
	{
		tasks = this->queued_tasks;
	}
	else
	{	/* not a queue we manage */
		return;
	}
	/* destroy tasks from the tail until the array is empty */
	while (array_remove(tasks, ARRAY_TAIL, &current))
	{
		current->destroy(current);
	}
}
220
METHOD(task_manager_t, flush, void,
	private_task_manager_t *this)
{
	/* queued first, then passive, then active - same order as before */
	task_queue_t queues[] = {
		TASK_QUEUE_QUEUED, TASK_QUEUE_PASSIVE, TASK_QUEUE_ACTIVE,
	};
	int i;

	for (i = 0; i < sizeof(queues) / sizeof(queues[0]); i++)
	{
		flush_queue(this, queues[i]);
	}
}
228
/**
 * Move the first queued task of the given type to the active list.
 *
 * @param this		task manager
 * @param type		type of task to activate
 * @return			TRUE if a task of that type was found and moved
 */
static bool activate_task(private_task_manager_t *this, task_type_t type)
{
	enumerator_t *queued;
	task_t *candidate;
	bool moved = FALSE;

	queued = array_create_enumerator(this->queued_tasks);
	/* stop enumerating as soon as one task has been moved */
	while (!moved && queued->enumerate(queued, (void**)&candidate))
	{
		if (candidate->get_type(candidate) != type)
		{
			continue;
		}
		DBG2(DBG_IKE, " activating %N task", task_type_names, type);
		array_remove_at(this->queued_tasks, queued);
		array_insert(this->active_tasks, ARRAY_TAIL, candidate);
		moved = TRUE;
	}
	queued->destroy(queued);
	return moved;
}
253
/**
 * Send clones of all packets in the given array. If src and/or dst are
 * given, the clone's source/destination address is replaced before sending.
 *
 * @param this		task manager
 * @param packets	array of packet_t to send (entries are cloned, not consumed)
 * @param src		optional source address to set on each clone, or NULL
 * @param dst		optional destination address to set on each clone, or NULL
 */
static void send_packets(private_task_manager_t *this, array_t *packets,
						 host_t *src, host_t *dst)
{
	packet_t *original, *copy;
	int idx, count;

	/* the array is not modified while sending, so count once */
	count = array_count(packets);
	for (idx = 0; idx < count; idx++)
	{
		array_get(packets, idx, &original);
		copy = original->clone(original);
		if (src != NULL)
		{
			copy->set_source(copy, src->clone(src));
		}
		if (dst != NULL)
		{
			copy->set_destination(copy, dst->clone(dst));
		}
		/* the sender takes ownership of the clone */
		charon->sender->send(charon->sender, copy);
	}
}
279
/**
 * Generate (encrypt/fragment) the given message and append the resulting
 * packet(s) to *packets, creating the array if necessary.
 *
 * @param this		task manager
 * @param message	message to generate
 * @param packets	array receiving the generated fragments (created if NULL)
 * @return			FALSE if the IKE_SA failed to generate the message
 */
static bool generate_message(private_task_manager_t *this, message_t *message,
							 array_t **packets)
{
	enumerator_t *pieces;
	packet_t *piece;
	status_t status;

	status = this->ike_sa->generate_message_fragmented(this->ike_sa, message,
													   &pieces);
	if (status != SUCCESS)
	{
		return FALSE;
	}
	while (pieces->enumerate(pieces, &piece))
	{
		array_insert_create(packets, ARRAY_TAIL, piece);
	}
	pieces->destroy(pieces);
	array_compress(*packets);
	return TRUE;
}
302
METHOD(task_manager_t, retransmit, status_t,
	private_task_manager_t *this, u_int32_t message_id)
{
	/* only the request currently in the air is (re)transmitted; a retransmit
	 * job for an older message ID, or one without packets, is ignored */
	if (message_id == this->initiating.mid &&
		array_count(this->initiating.packets))
	{
		u_int32_t timeout;
		job_t *job;
		enumerator_t *enumerator;
		packet_t *packet;
		task_t *task;
		ike_mobike_t *mobike = NULL;

		/* the first fragment/packet is what alerts and MOBIKE transmit use */
		array_get(this->initiating.packets, 0, &packet);

		/* check if we are retransmitting a MOBIKE routability check */
		if (this->initiating.type == INFORMATIONAL)
		{
			enumerator = array_create_enumerator(this->active_tasks);
			while (enumerator->enumerate(enumerator, (void*)&task))
			{
				if (task->get_type(task) == TASK_IKE_MOBIKE)
				{
					mobike = (ike_mobike_t*)task;
					break;
				}
			}
			enumerator->destroy(enumerator);
		}

		if (!mobike || !mobike->is_probing(mobike))
		{
			if (this->initiating.retransmitted <= this->retransmit_tries)
			{
				/* exponential backoff; retransmit_timeout is in seconds and
				 * the scheduler expects milliseconds */
				timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
					pow(this->retransmit_base, this->initiating.retransmitted));
			}
			else
			{
				/* retransmitted counts all transmissions including the
				 * initial one, hence the -1.
				 * NOTE(review): retransmitted is u_int but printed with %d */
				DBG1(DBG_IKE, "giving up after %d retransmits",
					 this->initiating.retransmitted - 1);
				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
								   packet);
				return DESTROY_ME;
			}

			if (this->initiating.retransmitted)
			{	/* the initial transmission is not reported as a retransmit */
				DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
					 this->initiating.retransmitted, message_id);
				charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
			}
			if (!mobike)
			{
				send_packets(this, this->initiating.packets,
							 this->ike_sa->get_my_host(this->ike_sa),
							 this->ike_sa->get_other_host(this->ike_sa));
			}
			else
			{
				/* MOBIKE selects the path itself; without a usable path the
				 * exchange is deferred until initiate() is called again */
				if (!mobike->transmit(mobike, packet))
				{
					DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
						 "deferred");
					this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
					this->initiating.deferred = TRUE;
					return SUCCESS;
				}
				else if (mobike->is_probing(mobike))
				{
					timeout = ROUTEABILITY_CHECK_INTERVAL;
				}
			}
		}
		else
		{	/* for routeability checks, we use a more aggressive behavior */
			/* ROUTEABILITY_CHECK_TRIES/_INTERVAL are presumably defined in
			 * the MOBIKE task header; not visible here */
			if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
			{
				timeout = ROUTEABILITY_CHECK_INTERVAL;
			}
			else
			{
				DBG1(DBG_IKE, "giving up after %d path probings",
					 this->initiating.retransmitted - 1);
				return DESTROY_ME;
			}

			if (this->initiating.retransmitted)
			{
				DBG1(DBG_IKE, "path probing attempt %d",
					 this->initiating.retransmitted);
			}
			/* TODO-FRAG: presumably these small packets are not fragmented,
			 * we should maybe ensure this is the case when generating them */
			if (!mobike->transmit(mobike, packet))
			{
				DBG1(DBG_IKE, "no route found to reach peer, path probing "
					 "deferred");
				this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
				this->initiating.deferred = TRUE;
				return SUCCESS;
			}
		}

		/* count this transmission and schedule the next retransmit check;
		 * every path above either set timeout or returned */
		this->initiating.retransmitted++;
		job = (job_t*)retransmit_job_create(this->initiating.mid,
											this->ike_sa->get_id(this->ike_sa));
		lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
	}
	return SUCCESS;
}
414
METHOD(task_manager_t, initiate, status_t,
	private_task_manager_t *this)
{
	enumerator_t *enumerator;
	task_t *task;
	message_t *message;
	host_t *me, *other;
	/* 0 is the "nothing selected" sentinel for this function */
	exchange_type_t exchange = 0;

	if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
	{
		DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
			 exchange_type_names, this->initiating.type);
		/* do not initiate if we already have a message in the air */
		if (this->initiating.deferred)
		{	/* re-initiate deferred exchange */
			/* the deferred request was never transmitted, so the
			 * retransmission counter starts over */
			this->initiating.deferred = FALSE;
			this->initiating.retransmitted = 0;
			return retransmit(this, this->initiating.mid);
		}
		return SUCCESS;
	}

	if (array_count(this->active_tasks) == 0)
	{
		/* pick the next exchange from the queue; the order of the
		 * activate_task() calls below defines the priority */
		DBG2(DBG_IKE, "activating new tasks");
		switch (this->ike_sa->get_state(this->ike_sa))
		{
			case IKE_CREATED:
				activate_task(this, TASK_IKE_VENDOR);
				if (activate_task(this, TASK_IKE_INIT))
				{
					/* a fresh IKE_SA starts at message ID 0 */
					this->initiating.mid = 0;
					exchange = IKE_SA_INIT;
					activate_task(this, TASK_IKE_NATD);
					activate_task(this, TASK_IKE_CERT_PRE);
#ifdef ME
					/* this task has to be activated before the TASK_IKE_AUTH
					 * task, because that task pregenerates the packet after
					 * which no payloads can be added to the message anymore.
					 */
					activate_task(this, TASK_IKE_ME);
#endif /* ME */
					activate_task(this, TASK_IKE_AUTH);
					activate_task(this, TASK_IKE_CERT_POST);
					activate_task(this, TASK_IKE_CONFIG);
					activate_task(this, TASK_CHILD_CREATE);
					activate_task(this, TASK_IKE_AUTH_LIFETIME);
					activate_task(this, TASK_IKE_MOBIKE);
				}
				break;
			case IKE_ESTABLISHED:
				if (activate_task(this, TASK_IKE_MOBIKE))
				{
					exchange = INFORMATIONAL;
					break;
				}
				if (activate_task(this, TASK_IKE_DELETE))
				{
					exchange = INFORMATIONAL;
					break;
				}
				if (activate_task(this, TASK_CHILD_DELETE))
				{
					exchange = INFORMATIONAL;
					break;
				}
				if (activate_task(this, TASK_IKE_REAUTH))
				{
					exchange = INFORMATIONAL;
					break;
				}
				if (activate_task(this, TASK_CHILD_CREATE))
				{
					exchange = CREATE_CHILD_SA;
					break;
				}
				if (activate_task(this, TASK_CHILD_REKEY))
				{
					exchange = CREATE_CHILD_SA;
					break;
				}
				if (activate_task(this, TASK_IKE_REKEY))
				{
					exchange = CREATE_CHILD_SA;
					break;
				}
				if (activate_task(this, TASK_IKE_DPD))
				{
					exchange = INFORMATIONAL;
					break;
				}
				if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
				{
					exchange = INFORMATIONAL;
					break;
				}
#ifdef ME
				if (activate_task(this, TASK_IKE_ME))
				{
					exchange = ME_CONNECT;
					break;
				}
#endif /* ME */
				if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
				{
					exchange = INFORMATIONAL;
					break;
				}
				/* FALL: nothing activated for an established SA; the
				 * TASK_IKE_DELETE check below already ran above and finds
				 * nothing, so this fallthrough is a no-op */
			case IKE_REKEYING:
				if (activate_task(this, TASK_IKE_DELETE))
				{
					exchange = INFORMATIONAL;
					break;
				}
				/* FALL */
			case IKE_DELETING:
			default:
				break;
		}
	}
	else
	{
		/* an exchange was interrupted (e.g. by a reset); derive its type
		 * from the first active task that implies one */
		DBG2(DBG_IKE, "reinitiating already active tasks");
		enumerator = array_create_enumerator(this->active_tasks);
		while (enumerator->enumerate(enumerator, &task))
		{
			DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
			switch (task->get_type(task))
			{
				case TASK_IKE_INIT:
					exchange = IKE_SA_INIT;
					break;
				case TASK_IKE_AUTH:
					exchange = IKE_AUTH;
					break;
				case TASK_CHILD_CREATE:
				case TASK_CHILD_REKEY:
				case TASK_IKE_REKEY:
					exchange = CREATE_CHILD_SA;
					break;
				case TASK_IKE_MOBIKE:
					exchange = INFORMATIONAL;
					break;
				default:
					/* this task does not determine the exchange, look on */
					continue;
			}
			break;
		}
		enumerator->destroy(enumerator);
	}

	if (exchange == 0)
	{
		DBG2(DBG_IKE, "nothing to initiate");
		/* nothing to do yet... */
		return SUCCESS;
	}

	me = this->ike_sa->get_my_host(this->ike_sa);
	other = this->ike_sa->get_other_host(this->ike_sa);

	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
	message->set_message_id(message, this->initiating.mid);
	message->set_source(message, me->clone(me));
	message->set_destination(message, other->clone(other));
	message->set_exchange_type(message, exchange);
	/* mark the exchange as in the air before the tasks build it */
	this->initiating.type = exchange;
	this->initiating.retransmitted = 0;
	this->initiating.deferred = FALSE;

	enumerator = array_create_enumerator(this->active_tasks);
	while (enumerator->enumerate(enumerator, &task))
	{
		switch (task->build(task, message))
		{
			case SUCCESS:
				/* task completed, remove it */
				array_remove_at(this->active_tasks, enumerator);
				task->destroy(task);
				break;
			case NEED_MORE:
				/* processed, but task needs another exchange */
				break;
			case FAILED:
			default:
				/* FAILED additionally raises the down hook, unless the SA
				 * never got established (IKE_CONNECTING) */
				this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
				if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
				{
					charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
				}
				/* FALL */
			case DESTROY_ME:
				/* critical failure, destroy IKE_SA */
				enumerator->destroy(enumerator);
				message->destroy(message);
				flush(this);
				return DESTROY_ME;
		}
	}
	enumerator->destroy(enumerator);

	/* update exchange type if a task changed it */
	this->initiating.type = message->get_exchange_type(message);
	if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
	{
		/* a task decided nothing needs to be sent */
		message->destroy(message);
		return SUCCESS;
	}

	if (!generate_message(this, message, &this->initiating.packets))
	{
		/* message generation failed. There is nothing more to do than to
		 * close the SA */
		message->destroy(message);
		flush(this);
		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
		return DESTROY_ME;
	}
	message->destroy(message);

	array_compress(this->active_tasks);
	array_compress(this->queued_tasks);

	/* the initial transmission goes through retransmit() with
	 * retransmitted == 0, which also schedules the first retransmit job */
	return retransmit(this, this->initiating.mid);
}
640
/**
 * handle an incoming response message
 *
 * Feeds the response to all active tasks, then advances the initiator
 * message ID and kicks off the next exchange via initiate().
 *
 * @param this		task manager
 * @param message	parsed response
 * @return			DESTROY_ME on an unexpected exchange type or a fatal task
 *					result, otherwise the result of initiate()
 */
static status_t process_response(private_task_manager_t *this,
								 message_t *message)
{
	enumerator_t *enumerator;
	task_t *task;

	/* a response of a type we did not request is treated as fatal for
	 * the IKE_SA rather than ignored */
	if (message->get_exchange_type(message) != this->initiating.type)
	{
		DBG1(DBG_IKE, "received %N response, but expected %N",
			 exchange_type_names, message->get_exchange_type(message),
			 exchange_type_names, this->initiating.type);
		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
		return DESTROY_ME;
	}

	/* catch if we get resetted while processing */
	this->reset = FALSE;
	enumerator = array_create_enumerator(this->active_tasks);
	while (enumerator->enumerate(enumerator, &task))
	{
		switch (task->process(task, message))
		{
			case SUCCESS:
				/* task completed, remove it */
				array_remove_at(this->active_tasks, enumerator);
				task->destroy(task);
				break;
			case NEED_MORE:
				/* processed, but task needs another exchange */
				break;
			case FAILED:
			default:
				/* FAILED additionally raises the down hook */
				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
				/* FALL */
			case DESTROY_ME:
				/* critical failure, destroy IKE_SA */
				array_remove_at(this->active_tasks, enumerator);
				enumerator->destroy(enumerator);
				task->destroy(task);
				return DESTROY_ME;
		}
		if (this->reset)
		{	/* start all over again if we were reset */
			/* the remaining tasks are not given this (now stale) response */
			this->reset = FALSE;
			enumerator->destroy(enumerator);
			return initiate(this);
		}
	}
	enumerator->destroy(enumerator);

	/* exchange complete: next request gets the next message ID, and the
	 * request packets are no longer needed for retransmission */
	this->initiating.mid++;
	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
	clear_packets(this->initiating.packets);

	array_compress(this->active_tasks);

	return initiate(this);
}
702
/**
 * Check whether a completed passive task collides with an active rekeying
 * and, if so, hand it over to that active task.
 *
 * Callers treat a TRUE result as transfer of ownership of task to the
 * colliding rekey task (they do not destroy it).
 *
 * @param this		task manager
 * @param task		passive task that may collide
 * @return			TRUE if a colliding active task was notified
 */
static bool handle_collisions(private_task_manager_t *this, task_t *task)
{
	enumerator_t *enumerator;
	task_t *active;
	task_type_t type, active_type;
	bool collided = FALSE;

	type = task->get_type(task);

	/* only these passive task types can collide with an active one */
	if (type != TASK_IKE_REKEY && type != TASK_CHILD_REKEY &&
		type != TASK_CHILD_DELETE && type != TASK_IKE_DELETE &&
		type != TASK_IKE_REAUTH)
	{
		return FALSE;
	}

	/* find an exchange collision, and notify these tasks */
	enumerator = array_create_enumerator(this->active_tasks);
	while (!collided && enumerator->enumerate(enumerator, &active))
	{
		active_type = active->get_type(active);
		if (active_type == TASK_IKE_REKEY &&
			(type == TASK_IKE_REKEY || type == TASK_IKE_DELETE ||
			 type == TASK_IKE_REAUTH))
		{
			ike_rekey_t *rekey = (ike_rekey_t*)active;
			rekey->collide(rekey, task);
			collided = TRUE;
		}
		else if (active_type == TASK_CHILD_REKEY &&
				 (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE))
		{
			child_rekey_t *rekey = (child_rekey_t*)active;
			rekey->collide(rekey, task);
			collided = TRUE;
		}
	}
	enumerator->destroy(enumerator);
	return collided;
}
752
/**
 * build a response depending on the "passive" task list
 *
 * The response is sent along the path the request came in (source and
 * destination of the request swapped) and its packets are kept in
 * responding.packets for retransmission.
 *
 * @param this		task manager
 * @param request	request the response belongs to
 * @return			DESTROY_ME if a task failed or generation failed (the
 *					response is still sent where possible), SUCCESS otherwise
 */
static status_t build_response(private_task_manager_t *this, message_t *request)
{
	enumerator_t *enumerator;
	task_t *task;
	message_t *message;
	host_t *me, *other;
	/* delete: close the SA after sending; hook: also raise the down hook */
	bool delete = FALSE, hook = FALSE;
	ike_sa_id_t *id = NULL;
	u_int64_t responder_spi = 0;
	bool result;

	me = request->get_destination(request);
	other = request->get_source(request);

	message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
	message->set_exchange_type(message, request->get_exchange_type(request));
	/* send response along the path the request came in */
	message->set_source(message, me->clone(me));
	message->set_destination(message, other->clone(other));
	message->set_message_id(message, this->responding.mid);
	message->set_request(message, FALSE);

	enumerator = array_create_enumerator(this->passive_tasks);
	while (enumerator->enumerate(enumerator, (void*)&task))
	{
		switch (task->build(task, message))
		{
			case SUCCESS:
				/* task completed, remove it */
				array_remove_at(this->passive_tasks, enumerator);
				/* a colliding active rekey task takes over the task */
				if (!handle_collisions(this, task))
				{
					task->destroy(task);
				}
				break;
			case NEED_MORE:
				/* processed, but task needs another exchange */
				if (handle_collisions(this, task))
				{
					array_remove_at(this->passive_tasks, enumerator);
				}
				break;
			case FAILED:
			default:
				hook = TRUE;
				/* FALL */
			case DESTROY_ME:
				/* destroy IKE_SA, but SEND response first */
				delete = TRUE;
				break;
		}
		if (delete)
		{	/* no further tasks get to build once the SA is doomed */
			break;
		}
	}
	enumerator->destroy(enumerator);

	/* RFC 5996, section 2.6 mentions that in the event of a failure during
	 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
	 * actually explicitly allows it to be non-zero. Since we use the responder
	 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
	 * zero temporarily, otherwise checking the SA in would fail. */
	if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
	{
		id = this->ike_sa->get_id(this->ike_sa);
		responder_spi = id->get_responder_spi(id);
		id->set_responder_spi(id, 0);
	}

	/* message complete, send it */
	/* the previous response is superseded, drop its retransmit packets */
	clear_packets(this->responding.packets);
	result = generate_message(this, message, &this->responding.packets);
	message->destroy(message);
	if (id)
	{	/* restore the real responder SPI saved above */
		id->set_responder_spi(id, responder_spi);
	}
	if (!result)
	{
		charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
		return DESTROY_ME;
	}

	send_packets(this, this->responding.packets, NULL, NULL);
	if (delete)
	{
		if (hook)
		{
			charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
		}
		return DESTROY_ME;
	}

	array_compress(this->passive_tasks);

	return SUCCESS;
}
854
/**
 * handle an incoming request message
 *
 * If no passive tasks are pending, the request's exchange type (and for
 * INFORMATIONAL/CREATE_CHILD_SA its payloads) decides which tasks get
 * created. The request is then processed by all passive tasks and a
 * response is built.
 *
 * @param this		task manager
 * @param message	parsed request
 * @return			FAILED for a CREATE_CHILD_SA on an unestablished SA,
 *					DESTROY_ME on a fatal task result, else build_response()
 */
static status_t process_request(private_task_manager_t *this,
								message_t *message)
{
	enumerator_t *enumerator;
	/* stays NULL in the INFORMATIONAL case if no payload selects a task */
	task_t *task = NULL;
	payload_t *payload;
	notify_payload_t *notify;
	delete_payload_t *delete;

	/* tasks that returned NEED_MORE for an earlier request (e.g. the
	 * IKE_SA_INIT tasks awaiting IKE_AUTH) are still queued here */
	if (array_count(this->passive_tasks) == 0)
	{	/* create tasks depending on request type, if not already some queued */
		switch (message->get_exchange_type(message))
		{
			case IKE_SA_INIT:
			{
				/* the passive counterparts of the tasks initiate() activates
				 * for IKE_CREATED, in the same order */
				task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
#ifdef ME
				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
#endif /* ME */
				task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_config_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
													NULL, NULL);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				break;
			}
			case CREATE_CHILD_SA:
			{	/* FIXME: we should prevent this on mediation connections */
				bool notify_found = FALSE, ts_found = FALSE;

				/* CHILD_SA/IKE_SA rekeying is only valid once the peer has
				 * authenticated; reject it on a not yet established SA */
				if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
					this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
				{
					DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
						 "unestablished IKE_SA, rejected");
					return FAILED;
				}

				/* classify the request by its payloads: TS + REKEY_SA notify
				 * = CHILD_SA rekey, TS only = new CHILD_SA, no TS = IKE rekey */
				enumerator = message->create_payload_enumerator(message);
				while (enumerator->enumerate(enumerator, &payload))
				{
					switch (payload->get_type(payload))
					{
						case PLV2_NOTIFY:
						{	/* if we find a rekey notify, its CHILD_SA rekeying */
							notify = (notify_payload_t*)payload;
							if (notify->get_notify_type(notify) == REKEY_SA &&
								(notify->get_protocol_id(notify) == PROTO_AH ||
								 notify->get_protocol_id(notify) == PROTO_ESP))
							{
								notify_found = TRUE;
							}
							break;
						}
						case PLV2_TS_INITIATOR:
						case PLV2_TS_RESPONDER:
						{	/* if we don't find a TS, its IKE rekeying */
							ts_found = TRUE;
							break;
						}
						default:
							break;
					}
				}
				enumerator->destroy(enumerator);

				if (ts_found)
				{
					if (notify_found)
					{
						task = (task_t*)child_rekey_create(this->ike_sa,
														   PROTO_NONE, 0);
					}
					else
					{
						task = (task_t*)child_create_create(this->ike_sa, NULL,
															FALSE, NULL, NULL);
					}
				}
				else
				{
					task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
				}
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				break;
			}
			case INFORMATIONAL:
			{
				/* the first payload that maps to a task decides; if none
				 * does, the request is treated as a DPD */
				enumerator = message->create_payload_enumerator(message);
				while (enumerator->enumerate(enumerator, &payload))
				{
					switch (payload->get_type(payload))
					{
						case PLV2_NOTIFY:
						{
							notify = (notify_payload_t*)payload;
							switch (notify->get_notify_type(notify))
							{
								/* MOBIKE related notifies */
								case ADDITIONAL_IP4_ADDRESS:
								case ADDITIONAL_IP6_ADDRESS:
								case NO_ADDITIONAL_ADDRESSES:
								case UPDATE_SA_ADDRESSES:
								case NO_NATS_ALLOWED:
								case UNACCEPTABLE_ADDRESSES:
								case UNEXPECTED_NAT_DETECTED:
								case COOKIE2:
								case NAT_DETECTION_SOURCE_IP:
								case NAT_DETECTION_DESTINATION_IP:
									task = (task_t*)ike_mobike_create(
															this->ike_sa, FALSE);
									break;
								case AUTH_LIFETIME:
									task = (task_t*)ike_auth_lifetime_create(
															this->ike_sa, FALSE);
									break;
								case AUTHENTICATION_FAILED:
									/* initiator failed to authenticate us.
									 * We use ike_delete to handle this, which
									 * invokes all the required hooks. */
									task = (task_t*)ike_delete_create(
															this->ike_sa, FALSE);
									/* no break: falls into default, which only
									 * breaks, so this has no effect */
								default:
									break;
							}
							break;
						}
						case PLV2_DELETE:
						{
							delete = (delete_payload_t*)payload;
							if (delete->get_protocol_id(delete) == PROTO_IKE)
							{
								task = (task_t*)ike_delete_create(this->ike_sa,
																  FALSE);
							}
							else
							{
								task = (task_t*)child_delete_create(this->ike_sa,
																PROTO_NONE, 0, FALSE);
							}
							break;
						}
						default:
							break;
					}
					if (task)
					{	/* stop at the first payload that selected a task */
						break;
					}
				}
				enumerator->destroy(enumerator);

				if (task == NULL)
				{	/* an empty/unrecognized INFORMATIONAL is a DPD */
					task = (task_t*)ike_dpd_create(FALSE);
				}
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
				break;
			}
#ifdef ME
			case ME_CONNECT:
			{
				task = (task_t*)ike_me_create(this->ike_sa, FALSE);
				array_insert(this->passive_tasks, ARRAY_TAIL, task);
			}
			/* no break: falls into default, which only breaks */
#endif /* ME */
			default:
				break;
		}
	}

	/* let the tasks process the message */
	enumerator = array_create_enumerator(this->passive_tasks);
	while (enumerator->enumerate(enumerator, (void*)&task))
	{
		switch (task->process(task, message))
		{
			case SUCCESS:
				/* task completed, remove it */
				array_remove_at(this->passive_tasks, enumerator);
				task->destroy(task);
				break;
			case NEED_MORE:
				/* processed, but task needs at least another call to build() */
				break;
			case FAILED:
			default:
				/* FAILED additionally raises the down hook */
				charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
				/* FALL */
			case DESTROY_ME:
				/* critical failure, destroy IKE_SA */
				array_remove_at(this->passive_tasks, enumerator);
				enumerator->destroy(enumerator);
				task->destroy(task);
				return DESTROY_ME;
		}
	}
	enumerator->destroy(enumerator);

	return build_response(this, message);
}
1074
METHOD(task_manager_t, incr_mid, void,
	private_task_manager_t *this, bool initiate)
{
	u_int32_t *mid;

	/* initiate selects the initiator message ID, otherwise the responder's */
	mid = initiate ? &this->initiating.mid : &this->responding.mid;
	(*mid)++;
}
1087
/**
 * Handle the given IKE fragment, if it is one.
 *
 * Fragments are collected in *defrag. Once the last one arrives, the
 * reassembled message is handed back to the IKE_SA's process_message() and
 * *defrag is reset to NULL.
 *
 * @param this		task manager
 * @param defrag	pointer to the defragmentation helper for this direction
 * @param msg		received message, possibly a fragment
 * @return			SUCCESS if msg is not a fragment, NEED_MORE if the fragment
 *					(or the completed message) was handled, FAILED if no
 *					defrag helper could be created, otherwise the error from
 *					add_fragment() or process_message()
 */
static status_t handle_fragment(private_task_manager_t *this,
								message_t **defrag, message_t *msg)
{
	message_t *complete;
	status_t result;

	if (!msg->get_payload(msg, PLV2_FRAGMENT))
	{	/* a regular, unfragmented message */
		return SUCCESS;
	}
	if (*defrag == NULL)
	{	/* first fragment of a new message */
		*defrag = message_create_defrag(msg);
		if (*defrag == NULL)
		{
			return FAILED;
		}
	}
	result = (*defrag)->add_fragment(*defrag, msg);
	if (result != SUCCESS)
	{	/* more fragments needed, or the fragment was rejected */
		return result;
	}
	/* reinject the reassembled message; detach it first so a nested
	 * process_message() starts with a clean helper */
	complete = *defrag;
	*defrag = NULL;
	result = this->ike_sa->process_message(this->ike_sa, complete);
	complete->destroy(complete);
	/* report NEED_MORE so the caller does not process the last fragment */
	return result == SUCCESS ? NEED_MORE : result;
}
1129
/**
 * Send a notify back to the sender of a request, outside of the task
 * machinery (used for requests that failed to parse/verify).
 *
 * If the IKE_SA does not know its own or the peer's address yet, they are
 * learned from the request.
 *
 * @param this		task manager
 * @param request	request the notify responds to
 * @param type		notify type to send
 * @param data		notify data
 */
static void send_notify_response(private_task_manager_t *this,
								 message_t *request, notify_type_t type,
								 chunk_t data)
{
	message_t *response;
	packet_t *packet;
	host_t *me, *other;

	/* learn our own address from the request if we don't know it yet */
	me = this->ike_sa->get_my_host(this->ike_sa);
	if (me->is_anyaddr(me))
	{
		me = request->get_destination(request);
		this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
	}
	/* same for the peer's address */
	other = this->ike_sa->get_other_host(this->ike_sa);
	if (other->is_anyaddr(other))
	{
		other = request->get_source(request);
		this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
	}

	/* mirror exchange type and message ID of the request */
	response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
	response->set_request(response, FALSE);
	response->set_exchange_type(response, request->get_exchange_type(request));
	response->set_message_id(response, request->get_message_id(request));
	response->set_source(response, me->clone(me));
	response->set_destination(response, other->clone(other));
	response->add_notify(response, FALSE, type, data);

	if (this->ike_sa->generate_message(this->ike_sa, response,
									   &packet) != SUCCESS)
	{
		response->destroy(response);
		return;
	}
	charon->sender->send(charon->sender, packet);
	response->destroy(response);
}
1167
/**
 * Parse the given message and verify that it is valid.
 *
 * For requests that fail with NOT_SUPPORTED, PARSE_ERROR or VERIFY_ERROR a
 * notify response is sent and the responder message ID is consumed. An
 * integrity check failure (FAILED) is logged only; nothing is sent back.
 *
 * @param this		task manager
 * @param msg		message with parsed header, body not yet parsed
 * @return			SUCCESS, DESTROY_ME if parsing failed on an SA in state
 *					IKE_CREATED, otherwise the parse_body() error status
 */
static status_t parse_message(private_task_manager_t *this, message_t *msg)
{
	status_t status;
	/* payload type of the offending critical payload, sent back in the
	 * UNSUPPORTED_CRITICAL_PAYLOAD notify */
	u_int8_t type = 0;

	/* decrypts and verifies the body using the IKE_SA's keying material */
	status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));

	if (status == SUCCESS)
	{	/* check for unsupported critical payloads */
		enumerator_t *enumerator;
		unknown_payload_t *unknown;
		payload_t *payload;

		enumerator = msg->create_payload_enumerator(msg);
		while (enumerator->enumerate(enumerator, &payload))
		{
			/* only valid as unknown_payload_t if the type is not known,
			 * which is checked first below */
			unknown = (unknown_payload_t*)payload;
			type = payload->get_type(payload);
			if (!payload_is_known(type, msg->get_major_version(msg)) &&
				unknown->is_critical(unknown))
			{
				DBG1(DBG_ENC, "payload type %N is not supported, "
					 "but its critical!", payload_type_names, type);
				status = NOT_SUPPORTED;
				break;
			}
		}
		enumerator->destroy(enumerator);
	}

	if (status != SUCCESS)
	{
		/* error notifies are only sent in reply to requests, never to
		 * responses */
		bool is_request = msg->get_request(msg);

		switch (status)
		{
			case NOT_SUPPORTED:
				DBG1(DBG_IKE, "critical unknown payloads found");
				if (is_request)
				{
					send_notify_response(this, msg,
										 UNSUPPORTED_CRITICAL_PAYLOAD,
										 chunk_from_thing(type));
					/* a response went out for this message ID */
					incr_mid(this, FALSE);
				}
				break;
			case PARSE_ERROR:
				DBG1(DBG_IKE, "message parsing failed");
				if (is_request)
				{
					send_notify_response(this, msg,
										 INVALID_SYNTAX, chunk_empty);
					incr_mid(this, FALSE);
				}
				break;
			case VERIFY_ERROR:
				DBG1(DBG_IKE, "message verification failed");
				if (is_request)
				{
					send_notify_response(this, msg,
										 INVALID_SYNTAX, chunk_empty);
					incr_mid(this, FALSE);
				}
				break;
			case FAILED:
				DBG1(DBG_IKE, "integrity check failed");
				/* ignored */
				/* no response: an unauthenticated message must not trigger
				 * any state change or traffic beyond the alert below */
				break;
			case INVALID_STATE:
				DBG1(DBG_IKE, "found encrypted message, but no keys available");
				/* no break: falls into default, which only breaks */
			default:
				break;
		}
		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
			 exchange_type_names, msg->get_exchange_type(msg),
			 is_request ? "request" : "response",
			 msg->get_message_id(msg));

		charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);

		if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
		{	/* invalid initiation attempt, close SA */
			return DESTROY_ME;
		}
	}
	return status;
}
1258
1259
/**
 * Process an inbound IKEv2 message on this IKE_SA.
 *
 * The body is parsed and verified first; a message failing that has already
 * been answered/logged by parse_message() and its status is returned as is.
 * For an IKE_SA without IKE config a config matching the packet addresses is
 * looked up; without one a NO_PROPOSAL_CHOSEN notify is sent and the IKE_SA
 * is destroyed. The message is then dispatched by its message ID:
 *  - a request with the expected responding MID is processed; a request with
 *    the previous MID is treated as a retransmit and answered by resending
 *    the cached response; anything else is ignored
 *  - a response is processed only if it carries the current initiating MID
 *
 * @param this		task manager
 * @param msg		received message
 * @return			SUCCESS (also for ignored messages), FAILED for an
 *					IKE_SA_INIT/IKE_AUTH request in an unexpected state,
 *					DESTROY_ME if the IKE_SA is to be torn down, or the
 *					status of parsing/defragmentation
 */
METHOD(task_manager_t, process_message, status_t,
	private_task_manager_t *this, message_t *msg)
{
	host_t *me, *other;
	status_t status;
	u_int32_t mid;
	bool schedule_delete_job = FALSE;

	/* listeners see the message once before parsing (plain = FALSE) and,
	 * below, once more after it has been parsed (plain = TRUE) */
	charon->bus->message(charon->bus, msg, TRUE, FALSE);
	status = parse_message(this, msg);
	if (status != SUCCESS)
	{
		return status;
	}

	me = msg->get_destination(msg);
	other = msg->get_source(msg);

	/* if this IKE_SA is virgin, we check for a config */
	if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
	{
		ike_cfg_t *ike_cfg;

		ike_cfg = charon->backends->get_ike_cfg(charon->backends,
												me, other, IKEV2);
		if (ike_cfg == NULL)
		{
			/* no config found for these hosts, destroy */
			DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
				 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
			send_notify_response(this, msg,
								 NO_PROPOSAL_CHOSEN, chunk_empty);
			return DESTROY_ME;
		}
		/* set_ike_cfg() takes its own reference, release ours */
		this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
		ike_cfg->destroy(ike_cfg);
		/* add a timeout if peer does not establish it completely */
		schedule_delete_job = TRUE;
	}
	this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
								time_monotonic(NULL));

	mid = msg->get_message_id(msg);
	if (msg->get_request(msg))
	{
		if (mid == this->responding.mid)
		{
			/* reject initial messages if not received in specific states */
			if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
				 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
				(msg->get_exchange_type(msg) == IKE_AUTH &&
				 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
			{
				DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
					 exchange_type_names, msg->get_exchange_type(msg),
					 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
				return FAILED;
			}
			if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
			{	/* with MOBIKE, we do no implicit updates. The last argument
				 * presumably forces the update for the first IKE_AUTH request
				 * (MID 1) - the request addresses are taken as is here, before
				 * the message has been processed by any task */
				this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
			}
			status = handle_fragment(this, &this->responding.defrag, msg);
			if (status != SUCCESS)
			{	/* not a complete message yet (or a fragment error) */
				return status;
			}
			charon->bus->message(charon->bus, msg, TRUE, TRUE);
			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
				return SUCCESS;
			}
			if (process_request(this, msg) != SUCCESS)
			{
				flush(this);
				return DESTROY_ME;
			}
			/* the next request has to carry the next message ID */
			this->responding.mid++;
		}
		else if ((mid == this->responding.mid - 1) &&
				 array_count(this->responding.packets))
		{
			status = handle_fragment(this, &this->responding.defrag, msg);
			if (status != SUCCESS)
			{
				return status;
			}
			DBG1(DBG_IKE, "received retransmit of request with ID %d, "
				 "retransmitting response", mid);
			charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
			/* the cached response is sent back to the addresses of the
			 * retransmitted request, not to the hosts stored on the IKE_SA */
			send_packets(this, this->responding.packets,
						 msg->get_destination(msg), msg->get_source(msg));
		}
		else
		{
			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
				 mid, this->responding.mid);
		}
	}
	else
	{
		if (mid == this->initiating.mid)
		{
			if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
				this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
				msg->get_exchange_type(msg) != IKE_SA_INIT)
			{	/* only do updates based on verified messages (or initial ones) */
				if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
				{	/* with MOBIKE, we do no implicit updates. we force an
					 * update of the local address on IKE_SA_INIT, but never
					 * for the remote address */
					this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
					this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
				}
			}
			status = handle_fragment(this, &this->initiating.defrag, msg);
			if (status != SUCCESS)
			{
				return status;
			}
			charon->bus->message(charon->bus, msg, TRUE, TRUE);
			if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
			{	/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
				return SUCCESS;
			}
			if (process_response(this, msg) != SUCCESS)
			{
				flush(this);
				return DESTROY_ME;
			}
		}
		else
		{	/* responses are never processed out of order; the initiating
			 * MID is advanced elsewhere once a response has been handled */
			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
				 mid, this->initiating.mid);
			return SUCCESS;
		}
	}

	if (schedule_delete_job)
	{	/* limit the lifetime of a half-open IKE_SA, %s.half_open_timeout
		 * seconds (default HALF_OPEN_IKE_SA_TIMEOUT); the FALSE presumably
		 * makes the job a no-op once the IKE_SA is established - verify in
		 * delete_ike_sa_job */
		ike_sa_id_t *ike_sa_id;
		job_t *job;

		ike_sa_id = this->ike_sa->get_id(this->ike_sa);
		job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
		lib->scheduler->schedule_job(lib->scheduler, job,
				lib->settings->get_int(lib->settings,
						"%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
						lib->ns));
	}
	return SUCCESS;
}
1413
/**
 * Append a task to the queue of tasks to initiate.
 *
 * At most one MOBIKE task is kept in the queue: if one is queued already,
 * the new one is destroyed instead. Ownership of the task passes to the
 * manager in both cases.
 */
METHOD(task_manager_t, queue_task, void,
	private_task_manager_t *this, task_t *task)
{
	bool duplicate = FALSE;

	if (task->get_type(task) == TASK_IKE_MOBIKE)
	{	/* a single queued MOBIKE task is sufficient */
		enumerator_t *queued;
		task_t *other;

		queued = array_create_enumerator(this->queued_tasks);
		while (!duplicate && queued->enumerate(queued, &other))
		{
			duplicate = other->get_type(other) == TASK_IKE_MOBIKE;
		}
		queued->destroy(queued);
	}
	if (duplicate)
	{
		task->destroy(task);
		return;
	}
	DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
	array_insert(this->queued_tasks, ARRAY_TAIL, task);
}
1437
/**
 * Check whether a task of the given type is already in the queue.
 *
 * @param this		task manager
 * @param type		task type to look for
 * @return			TRUE if at least one queued task has that type
 */
static bool has_queued(private_task_manager_t *this, task_type_t type)
{
	enumerator_t *queued;
	task_t *candidate;
	bool match = FALSE;

	queued = array_create_enumerator(this->queued_tasks);
	while (!match && queued->enumerate(queued, &candidate))
	{
		match = candidate->get_type(candidate) == type;
	}
	queued->destroy(queued);
	return match;
}
1459
/**
 * Queue the tasks establishing an IKE_SA as initiator.
 *
 * A task type already in the queue is not queued a second time. The order
 * in which the tasks are queued here is the order in which they run, so it
 * is significant. MOBIKE is queued only if the peer config enables it.
 */
METHOD(task_manager_t, queue_ike, void,
	private_task_manager_t *this)
{
	peer_cfg_t *peer_cfg;

/* queue the task created by expr unless a task of that type is queued */
#define QUEUE_ONCE(type, expr) \
	do { \
		if (!has_queued(this, type)) \
		{ \
			queue_task(this, (task_t*)(expr)); \
		} \
	} while (0)

	QUEUE_ONCE(TASK_IKE_VENDOR, ike_vendor_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_INIT, ike_init_create(this->ike_sa, TRUE, NULL));
	QUEUE_ONCE(TASK_IKE_NATD, ike_natd_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_CERT_PRE, ike_cert_pre_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_AUTH, ike_auth_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_CERT_POST, ike_cert_post_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_CONFIG, ike_config_create(this->ike_sa, TRUE));
	QUEUE_ONCE(TASK_IKE_AUTH_LIFETIME,
			   ike_auth_lifetime_create(this->ike_sa, TRUE));
	if (!has_queued(this, TASK_IKE_MOBIKE))
	{
		peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
		if (peer_cfg->use_mobike(peer_cfg))
		{
			queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
		}
	}
#ifdef ME
	QUEUE_ONCE(TASK_IKE_ME, ike_me_create(this->ike_sa, TRUE));
#endif /* ME */

#undef QUEUE_ONCE
}
1512
/**
 * Queue a task rekeying this IKE_SA, with us as initiator.
 */
METHOD(task_manager_t, queue_ike_rekey, void,
	private_task_manager_t *this)
{
	ike_rekey_t *rekey;

	rekey = ike_rekey_create(this->ike_sa, TRUE);
	queue_task(this, &rekey->task);
}
1518
/**
 * Start reauthentication using make-before-break.
 *
 * A new IKE_SA is checked out and initiated while this one stays up. It
 * inherits the peer config, both hosts and our virtual IPs, gets a
 * CHILD_CREATE task for every CHILD_SA of this IKE_SA and takes over any
 * CHILD_CREATE tasks still queued here. On success an IKE_REAUTH_COMPLETE
 * task carrying this IKE_SA's ID is queued on the new IKE_SA (presumably to
 * take down this IKE_SA once the new one is established), on failure the new
 * IKE_SA is destroyed and this one is left untouched.
 *
 * @param this		task manager of the IKE_SA to reauthenticate
 */
static void trigger_mbb_reauth(private_task_manager_t *this)
{
	enumerator_t *enumerator;
	child_sa_t *child_sa;
	child_cfg_t *cfg;
	ike_sa_t *new;
	host_t *host;
	task_t *task;

	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
								this->ike_sa->get_version(this->ike_sa), TRUE);
	if (!new)
	{	/* shouldn't happen */
		return;
	}

	/* copy config and endpoint state over to the new IKE_SA */
	new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
	host = this->ike_sa->get_other_host(this->ike_sa);
	new->set_other_host(new, host->clone(host));
	host = this->ike_sa->get_my_host(this->ike_sa);
	new->set_my_host(new, host->clone(host));
	enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
	while (enumerator->enumerate(enumerator, &host))
	{
		new->add_virtual_ip(new, TRUE, host);
	}
	enumerator->destroy(enumerator);

	/* re-create every established CHILD_SA on the new IKE_SA; get_ref()
	 * hands the task its own reference to the config */
	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
	while (enumerator->enumerate(enumerator, &child_sa))
	{
		cfg = child_sa->get_config(child_sa);
		new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
												  FALSE, NULL, NULL)->task);
	}
	enumerator->destroy(enumerator);

	/* move CHILD_SAs not yet created to the new IKE_SA as well;
	 * array_remove_at() removes the element the enumerator is at */
	enumerator = array_create_enumerator(this->queued_tasks);
	while (enumerator->enumerate(enumerator, &task))
	{
		if (task->get_type(task) == TASK_CHILD_CREATE)
		{
			task->migrate(task, new);
			new->queue_task(new, task);
			array_remove_at(this->queued_tasks, enumerator);
		}
	}
	enumerator->destroy(enumerator);

	if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
	{
		new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
										this->ike_sa->get_id(this->ike_sa)));
		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
	}
	else
	{
		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
		DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
	}
	/* checkout_new()/checkin() presumably switched the bus' current IKE_SA,
	 * make sure it points to ours again */
	charon->bus->set_sa(charon->bus, this->ike_sa);
}
1584
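/**
 * Queue reauthentication of this IKE_SA.
 *
 * With make-before-break enabled the new IKE_SA is set up right away by
 * trigger_mbb_reauth(), otherwise a regular IKE_REAUTH task is queued.
 */
METHOD(task_manager_t, queue_ike_reauth, void,
	private_task_manager_t *this)
{
	if (this->make_before_break)
	{
		/* this is a void method: `return trigger_mbb_reauth(this);` returned
		 * a void expression, which ISO C forbids (C11 6.8.6.4) */
		trigger_mbb_reauth(this);
		return;
	}
	queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
}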
1594
/**
 * Queue a task deleting this IKE_SA, with us as initiator.
 */
METHOD(task_manager_t, queue_ike_delete, void,
	private_task_manager_t *this)
{
	ike_delete_t *delete;

	delete = ike_delete_create(this->ike_sa, TRUE);
	queue_task(this, &delete->task);
}
1600
/**
 * Enable path probing on the MOBIKE task currently active, if any.
 *
 * This might be needed if an address appeared on a new interface while the
 * current address is not working but has not yet disappeared.
 */
static void probe_on_active_mobike(private_task_manager_t *this)
{
	enumerator_t *active;
	task_t *task;

	active = array_create_enumerator(this->active_tasks);
	while (active->enumerate(active, &task))
	{
		if (task->get_type(task) == TASK_IKE_MOBIKE)
		{
			ike_mobike_t *mobike = (ike_mobike_t*)task;

			mobike->enable_probing(mobike);
			break;
		}
	}
	active->destroy(active);
}

/**
 * Queue a MOBIKE task, either announcing our addresses or roaming.
 *
 * @param this		task manager
 * @param roam		TRUE to roam, FALSE to just update the address list
 * @param address	passed on to roam(), ignored if roam is FALSE
 */
METHOD(task_manager_t, queue_mobike, void,
	private_task_manager_t *this, bool roam, bool address)
{
	ike_mobike_t *mobike;

	mobike = ike_mobike_create(this->ike_sa, TRUE);
	if (!roam)
	{
		mobike->addresses(mobike);
	}
	else
	{
		mobike->roam(mobike, address);
		probe_on_active_mobike(this);
	}
	queue_task(this, &mobike->task);
}
1635
/**
 * Queue a task creating a CHILD_SA with the given config.
 *
 * @param this		task manager
 * @param cfg		CHILD_SA config to use
 * @param reqid		reqid to use for the CHILD_SA, 0 to let the task choose
 * @param tsi		initiator traffic selector to narrow to, or NULL
 * @param tsr		responder traffic selector to narrow to, or NULL
 */
METHOD(task_manager_t, queue_child, void,
	private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
	traffic_selector_t *tsi, traffic_selector_t *tsr)
{
	child_create_t *create;

	create = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
	if (reqid != 0)
	{	/* a nonzero reqid is handed to the task as is */
		create->use_reqid(create, reqid);
	}
	queue_task(this, &create->task);
}
1649
/**
 * Queue a task rekeying the CHILD_SA identified by protocol and SPI.
 */
METHOD(task_manager_t, queue_child_rekey, void,
	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
{
	child_rekey_t *rekey;

	rekey = child_rekey_create(this->ike_sa, protocol, spi);
	queue_task(this, &rekey->task);
}
1655
/**
 * Queue a task deleting the CHILD_SA identified by protocol and SPI.
 *
 * @param expired	TRUE if the CHILD_SA is deleted because it expired
 */
METHOD(task_manager_t, queue_child_delete, void,
	private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
	bool expired)
{
	child_delete_t *delete;

	delete = child_delete_create(this->ike_sa, protocol, spi, expired);
	queue_task(this, &delete->task);
}
1663
/**
 * Queue a dead peer detection exchange.
 *
 * If the peer supports MOBIKE and we are behind a NAT, a MOBIKE task in DPD
 * mode is used instead of a plain DPD task, so that changed NAT mappings are
 * detected as well.
 */
METHOD(task_manager_t, queue_dpd, void,
	private_task_manager_t *this)
{
	bool nat_aware;

	nat_aware = this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
				this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE);
	if (!nat_aware)
	{
		ike_dpd_t *dpd = ike_dpd_create(TRUE);

		queue_task(this, &dpd->task);
		return;
	}
	/* use mobike enabled DPD to detect NAT mapping changes */
	ike_mobike_t *mobike = ike_mobike_create(this->ike_sa, TRUE);

	mobike->dpd(mobike);
	queue_task(this, &mobike->task);
}
1682
/**
 * Take over all queued tasks of another task manager.
 *
 * The tasks are re-bound to our IKE_SA and end up in front of anything
 * already queued here, in their original relative order.
 */
METHOD(task_manager_t, adopt_tasks, void,
	private_task_manager_t *this, task_manager_t *other_public)
{
	private_task_manager_t *source = (private_task_manager_t*)other_public;
	task_t *task;

	/* popping from the tail and pushing to the head keeps the order */
	while (array_remove(source->queued_tasks, ARRAY_TAIL, &task))
	{
		DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
		task->migrate(task, this->ike_sa);
		array_insert(this->queued_tasks, ARRAY_HEAD, task);
	}
}
1697
/**
 * Move all CHILD_CREATE tasks from src to the tail of dst, re-binding them
 * to this manager's IKE_SA. Other tasks are left in src.
 *
 * @param this		task manager whose IKE_SA the tasks migrate to
 * @param src		array to take the tasks from
 * @param dst		array to append the tasks to
 */
static void migrate_child_tasks(private_task_manager_t *this,
								array_t *src, array_t *dst)
{
	enumerator_t *candidates;
	task_t *task;

	candidates = array_create_enumerator(src);
	while (candidates->enumerate(candidates, &task))
	{
		if (task->get_type(task) != TASK_CHILD_CREATE)
		{
			continue;
		}
		array_remove_at(src, candidates);
		task->migrate(task, this->ike_sa);
		array_insert(dst, ARRAY_TAIL, task);
	}
	candidates->destroy(candidates);
}
1719
/**
 * Take over the CHILD_CREATE tasks of another task manager, its active
 * ones first, then its queued ones. All of them are appended to our queue.
 */
METHOD(task_manager_t, adopt_child_tasks, void,
	private_task_manager_t *this, task_manager_t *other_public)
{
	private_task_manager_t *other = (private_task_manager_t*)other_public;
	array_t *sources[] = { other->active_tasks, other->queued_tasks };
	size_t i;

	for (i = 0; i < sizeof(sources) / sizeof(sources[0]); i++)
	{
		migrate_child_tasks(this, sources[i], this->queued_tasks);
	}
}
1730
/**
 * Check whether an exchange is in progress, i.e. any task is active.
 */
METHOD(task_manager_t, busy, bool,
	private_task_manager_t *this)
{
	int active = array_count(this->active_tasks);

	return active > 0;
}
1736
/**
 * Drop cached packets and pending fragments of both exchanges and set the
 * message IDs. UINT_MAX for initiate/respond leaves that counter unchanged.
 */
static void reset_exchange_state(private_task_manager_t *this,
								 u_int32_t initiate, u_int32_t respond)
{
	clear_packets(this->responding.packets);
	clear_packets(this->initiating.packets);
	DESTROY_IF(this->responding.defrag);
	DESTROY_IF(this->initiating.defrag);
	this->responding.defrag = NULL;
	this->initiating.defrag = NULL;
	if (initiate != UINT_MAX)
	{
		this->initiating.mid = initiate;
	}
	if (respond != UINT_MAX)
	{
		this->responding.mid = respond;
	}
	this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
}

/**
 * Re-bind all queued tasks to the IKE_SA and move the active tasks back to
 * the front of the queue, keeping their relative order.
 */
static void requeue_all_tasks(private_task_manager_t *this)
{
	enumerator_t *queued;
	task_t *task;

	queued = array_create_enumerator(this->queued_tasks);
	while (queued->enumerate(queued, &task))
	{
		task->migrate(task, this->ike_sa);
	}
	queued->destroy(queued);

	while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
	{
		task->migrate(task, this->ike_sa);
		array_insert(this->queued_tasks, ARRAY_HEAD, task);
	}
}

/**
 * Reset the manager so that all tasks start over, e.g. after a restart of
 * the IKE_SA. Sets the reset flag for the code checking it.
 *
 * @param initiate	new initiating message ID, UINT_MAX to keep the current
 * @param respond	new responding message ID, UINT_MAX to keep the current
 */
METHOD(task_manager_t, reset, void,
	private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
{
	reset_exchange_state(this, initiate, respond);
	requeue_all_tasks(this);
	this->reset = TRUE;
}
1777
/**
 * Enumerate the tasks of one of the three queues.
 *
 * @param queue		queue to enumerate
 * @return			enumerator over task_t*, empty for an unknown queue
 */
METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
	private_task_manager_t *this, task_queue_t queue)
{
	if (queue == TASK_QUEUE_ACTIVE)
	{
		return array_create_enumerator(this->active_tasks);
	}
	if (queue == TASK_QUEUE_PASSIVE)
	{
		return array_create_enumerator(this->passive_tasks);
	}
	if (queue == TASK_QUEUE_QUEUED)
	{
		return array_create_enumerator(this->queued_tasks);
	}
	return enumerator_create_empty();
}
1793
/**
 * Destroy the task manager: drop all tasks via flush(), then release the
 * task arrays, the cached packets of both exchanges and pending fragments.
 */
METHOD(task_manager_t, destroy, void,
	private_task_manager_t *this)
{
	array_t *queues[] = { this->active_tasks, this->queued_tasks,
						  this->passive_tasks };
	array_t *packets[] = { this->responding.packets,
						   this->initiating.packets };
	size_t i;

	flush(this);

	for (i = 0; i < sizeof(queues) / sizeof(queues[0]); i++)
	{
		array_destroy(queues[i]);
	}
	for (i = 0; i < sizeof(packets) / sizeof(packets[0]); i++)
	{
		clear_packets(packets[i]);
		array_destroy(packets[i]);
	}
	DESTROY_IF(this->responding.defrag);
	DESTROY_IF(this->initiating.defrag);
	free(this);
}
1811
/**
 * Create an IKEv2 task manager for the given IKE_SA (see header file).
 *
 * Retransmission parameters and the make-before-break switch are read from
 * the %s.retransmit_tries, %s.retransmit_timeout, %s.retransmit_base and
 * %s.make_before_break settings.
 *
 * @param ike_sa	IKE_SA the manager works on
 * @return			task manager, destroy() to release
 */
task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
{
	private_task_manager_t *this;
	int tries;
	double timeout, base;
	bool make_before_break;

	/* read the tunables first, then assemble the object */
	tries = lib->settings->get_int(lib->settings,
						"%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns);
	timeout = lib->settings->get_double(lib->settings,
						"%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns);
	base = lib->settings->get_double(lib->settings,
						"%s.retransmit_base", RETRANSMIT_BASE, lib->ns);
	make_before_break = lib->settings->get_bool(lib->settings,
						"%s.make_before_break", FALSE, lib->ns);

	INIT(this,
		.public.task_manager = {
			.process_message = _process_message,
			.queue_task = _queue_task,
			.queue_ike = _queue_ike,
			.queue_ike_rekey = _queue_ike_rekey,
			.queue_ike_reauth = _queue_ike_reauth,
			.queue_ike_delete = _queue_ike_delete,
			.queue_mobike = _queue_mobike,
			.queue_child = _queue_child,
			.queue_child_rekey = _queue_child_rekey,
			.queue_child_delete = _queue_child_delete,
			.queue_dpd = _queue_dpd,
			.initiate = _initiate,
			.retransmit = _retransmit,
			.incr_mid = _incr_mid,
			.reset = _reset,
			.adopt_tasks = _adopt_tasks,
			.adopt_child_tasks = _adopt_child_tasks,
			.busy = _busy,
			.create_task_enumerator = _create_task_enumerator,
			.flush = _flush,
			.flush_queue = _flush_queue,
			.destroy = _destroy,
		},
		.ike_sa = ike_sa,
		.initiating.type = EXCHANGE_TYPE_UNDEFINED,
		.queued_tasks = array_create(0, 0),
		.active_tasks = array_create(0, 0),
		.passive_tasks = array_create(0, 0),
		.retransmit_tries = tries,
		.retransmit_timeout = timeout,
		.retransmit_base = base,
		.make_before_break = make_before_break,
	);

	return &this->public;
}