task-manager: Only trigger retransmit cleared alert if there was at least one retransmit
[strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2016 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_vendor.h>
38 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
39 #include <sa/ikev2/tasks/child_create.h>
40 #include <sa/ikev2/tasks/child_rekey.h>
41 #include <sa/ikev2/tasks/child_delete.h>
42 #include <encoding/payloads/delete_payload.h>
43 #include <encoding/payloads/unknown_payload.h>
44 #include <processing/jobs/retransmit_job.h>
45 #include <processing/jobs/delete_ike_sa_job.h>
46 #include <processing/jobs/initiate_tasks_job.h>
47
48 #ifdef ME
49 #include <sa/ikev2/tasks/ike_me.h>
50 #endif
51
52 typedef struct private_task_manager_t private_task_manager_t;
53 typedef struct queued_task_t queued_task_t;
54
55 /**
56 * private data of the task manager
57 */
58 struct private_task_manager_t {
59
60 /**
61 * public functions
62 */
63 task_manager_v2_t public;
64
65 /**
66 * associated IKE_SA we are serving
67 */
68 ike_sa_t *ike_sa;
69
70 /**
71 * Exchange we are currently handling as responder
72 */
73 struct {
74 /**
75 * Message ID of the exchange
76 */
77 uint32_t mid;
78
79 /**
80 * packet(s) for retransmission
81 */
82 array_t *packets;
83
84 /**
85 * Helper to defragment the request
86 */
87 message_t *defrag;
88
89 } responding;
90
91 /**
92 * Exchange we are currently handling as initiator
93 */
94 struct {
95 /**
96 * Message ID of the exchange
97 */
98 uint32_t mid;
99
100 /**
101 * how many times we have retransmitted so far
102 */
103 u_int retransmitted;
104
105 /**
106 * packet(s) for retransmission
107 */
108 array_t *packets;
109
110 /**
111 * type of the initated exchange
112 */
113 exchange_type_t type;
114
115 /**
116 * TRUE if exchange was deferred because no path was available
117 */
118 bool deferred;
119
120 /**
121 * Helper to defragment the response
122 */
123 message_t *defrag;
124
125 } initiating;
126
127 /**
128 * Array of queued tasks not yet in action
129 */
130 array_t *queued_tasks;
131
132 /**
133 * Array of active tasks, initiated by ourselve
134 */
135 array_t *active_tasks;
136
137 /**
138 * Array of tasks initiated by peer
139 */
140 array_t *passive_tasks;
141
142 /**
143 * the task manager has been reset
144 */
145 bool reset;
146
147 /**
148 * Number of times we retransmit messages before giving up
149 */
150 u_int retransmit_tries;
151
152 /**
153 * Retransmission timeout
154 */
155 double retransmit_timeout;
156
157 /**
158 * Base to calculate retransmission timeout
159 */
160 double retransmit_base;
161
162 /**
163 * Use make-before-break instead of break-before-make reauth?
164 */
165 bool make_before_break;
166 };
167
168 /**
169 * Queued tasks
170 */
171 struct queued_task_t {
172
173 /**
174 * Queued task
175 */
176 task_t *task;
177
178 /**
179 * Time before which the task is not to be initiated
180 */
181 timeval_t time;
182 };
183
184 /**
185 * Reset retransmission packet list
186 */
187 static void clear_packets(array_t *array)
188 {
189 packet_t *packet;
190
191 while (array_remove(array, ARRAY_TAIL, &packet))
192 {
193 packet->destroy(packet);
194 }
195 }
196
197 METHOD(task_manager_t, flush_queue, void,
198 private_task_manager_t *this, task_queue_t queue)
199 {
200 array_t *array;
201 task_t *task;
202
203 switch (queue)
204 {
205 case TASK_QUEUE_ACTIVE:
206 array = this->active_tasks;
207 break;
208 case TASK_QUEUE_PASSIVE:
209 array = this->passive_tasks;
210 break;
211 case TASK_QUEUE_QUEUED:
212 array = this->queued_tasks;
213 break;
214 default:
215 return;
216 }
217 while (array_remove(array, ARRAY_TAIL, &task))
218 {
219 if (queue == TASK_QUEUE_QUEUED)
220 {
221 queued_task_t *queued = (queued_task_t*)task;
222 task = queued->task;
223 free(queued);
224 }
225 task->destroy(task);
226 }
227 }
228
229 METHOD(task_manager_t, flush, void,
230 private_task_manager_t *this)
231 {
232 flush_queue(this, TASK_QUEUE_QUEUED);
233 flush_queue(this, TASK_QUEUE_PASSIVE);
234 flush_queue(this, TASK_QUEUE_ACTIVE);
235 }
236
237 /**
238 * Move a task of a specific type from the queue to the active list, if it is
239 * not delayed.
240 */
241 static bool activate_task(private_task_manager_t *this, task_type_t type)
242 {
243 enumerator_t *enumerator;
244 queued_task_t *queued;
245 timeval_t now;
246 bool found = FALSE;
247
248 time_monotonic(&now);
249
250 enumerator = array_create_enumerator(this->queued_tasks);
251 while (enumerator->enumerate(enumerator, (void**)&queued))
252 {
253 if (queued->task->get_type(queued->task) == type &&
254 !timercmp(&now, &queued->time, <))
255 {
256 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
257 array_remove_at(this->queued_tasks, enumerator);
258 array_insert(this->active_tasks, ARRAY_TAIL, queued->task);
259 free(queued);
260 found = TRUE;
261 break;
262 }
263 }
264 enumerator->destroy(enumerator);
265 return found;
266 }
267
268 /**
269 * Send packets in the given array (they get cloned). Optionally, the
270 * source and destination addresses are changed before sending it.
271 */
272 static void send_packets(private_task_manager_t *this, array_t *packets,
273 host_t *src, host_t *dst)
274 {
275 packet_t *packet, *clone;
276 int i;
277
278 for (i = 0; i < array_count(packets); i++)
279 {
280 array_get(packets, i, &packet);
281 clone = packet->clone(packet);
282 if (src)
283 {
284 clone->set_source(clone, src->clone(src));
285 }
286 if (dst)
287 {
288 clone->set_destination(clone, dst->clone(dst));
289 }
290 charon->sender->send(charon->sender, clone);
291 }
292 }
293
294 /**
295 * Generates the given message and stores packet(s) in the given array
296 */
297 static bool generate_message(private_task_manager_t *this, message_t *message,
298 array_t **packets)
299 {
300 enumerator_t *fragments;
301 packet_t *fragment;
302
303 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
304 &fragments) != SUCCESS)
305 {
306 return FALSE;
307 }
308 while (fragments->enumerate(fragments, &fragment))
309 {
310 array_insert_create(packets, ARRAY_TAIL, fragment);
311 }
312 fragments->destroy(fragments);
313 array_compress(*packets);
314 return TRUE;
315 }
316
317 METHOD(task_manager_t, retransmit, status_t,
318 private_task_manager_t *this, uint32_t message_id)
319 {
320 if (message_id == this->initiating.mid &&
321 array_count(this->initiating.packets))
322 {
323 uint32_t timeout;
324 job_t *job;
325 enumerator_t *enumerator;
326 packet_t *packet;
327 task_t *task;
328 ike_mobike_t *mobike = NULL;
329
330 array_get(this->initiating.packets, 0, &packet);
331
332 /* check if we are retransmitting a MOBIKE routability check */
333 if (this->initiating.type == INFORMATIONAL)
334 {
335 enumerator = array_create_enumerator(this->active_tasks);
336 while (enumerator->enumerate(enumerator, (void*)&task))
337 {
338 if (task->get_type(task) == TASK_IKE_MOBIKE)
339 {
340 mobike = (ike_mobike_t*)task;
341 break;
342 }
343 }
344 enumerator->destroy(enumerator);
345 }
346
347 if (!mobike || !mobike->is_probing(mobike))
348 {
349 if (this->initiating.retransmitted <= this->retransmit_tries)
350 {
351 timeout = (uint32_t)(this->retransmit_timeout * 1000.0 *
352 pow(this->retransmit_base, this->initiating.retransmitted));
353 }
354 else
355 {
356 DBG1(DBG_IKE, "giving up after %d retransmits",
357 this->initiating.retransmitted - 1);
358 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
359 packet);
360 return DESTROY_ME;
361 }
362
363 if (this->initiating.retransmitted)
364 {
365 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
366 this->initiating.retransmitted, message_id);
367 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
368 this->initiating.retransmitted);
369 }
370 if (!mobike)
371 {
372 send_packets(this, this->initiating.packets,
373 this->ike_sa->get_my_host(this->ike_sa),
374 this->ike_sa->get_other_host(this->ike_sa));
375 }
376 else
377 {
378 if (!mobike->transmit(mobike, packet))
379 {
380 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
381 "deferred");
382 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
383 this->initiating.deferred = TRUE;
384 return SUCCESS;
385 }
386 else if (mobike->is_probing(mobike))
387 {
388 timeout = ROUTEABILITY_CHECK_INTERVAL;
389 }
390 }
391 }
392 else
393 { /* for routeability checks, we use a more aggressive behavior */
394 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
395 {
396 timeout = ROUTEABILITY_CHECK_INTERVAL;
397 }
398 else
399 {
400 DBG1(DBG_IKE, "giving up after %d path probings",
401 this->initiating.retransmitted - 1);
402 return DESTROY_ME;
403 }
404
405 if (this->initiating.retransmitted)
406 {
407 DBG1(DBG_IKE, "path probing attempt %d",
408 this->initiating.retransmitted);
409 }
410 /* TODO-FRAG: presumably these small packets are not fragmented,
411 * we should maybe ensure this is the case when generating them */
412 if (!mobike->transmit(mobike, packet))
413 {
414 DBG1(DBG_IKE, "no route found to reach peer, path probing "
415 "deferred");
416 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
417 this->initiating.deferred = TRUE;
418 return SUCCESS;
419 }
420 }
421
422 this->initiating.retransmitted++;
423 job = (job_t*)retransmit_job_create(this->initiating.mid,
424 this->ike_sa->get_id(this->ike_sa));
425 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
426 }
427 return SUCCESS;
428 }
429
430 METHOD(task_manager_t, initiate, status_t,
431 private_task_manager_t *this)
432 {
433 enumerator_t *enumerator;
434 task_t *task;
435 message_t *message;
436 host_t *me, *other;
437 exchange_type_t exchange = 0;
438
439 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
440 {
441 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
442 exchange_type_names, this->initiating.type);
443 /* do not initiate if we already have a message in the air */
444 if (this->initiating.deferred)
445 { /* re-initiate deferred exchange */
446 this->initiating.deferred = FALSE;
447 this->initiating.retransmitted = 0;
448 return retransmit(this, this->initiating.mid);
449 }
450 return SUCCESS;
451 }
452
453 if (array_count(this->active_tasks) == 0)
454 {
455 DBG2(DBG_IKE, "activating new tasks");
456 switch (this->ike_sa->get_state(this->ike_sa))
457 {
458 case IKE_CREATED:
459 activate_task(this, TASK_IKE_VENDOR);
460 if (activate_task(this, TASK_IKE_INIT))
461 {
462 this->initiating.mid = 0;
463 exchange = IKE_SA_INIT;
464 activate_task(this, TASK_IKE_NATD);
465 activate_task(this, TASK_IKE_CERT_PRE);
466 #ifdef ME
467 /* this task has to be activated before the TASK_IKE_AUTH
468 * task, because that task pregenerates the packet after
469 * which no payloads can be added to the message anymore.
470 */
471 activate_task(this, TASK_IKE_ME);
472 #endif /* ME */
473 activate_task(this, TASK_IKE_AUTH);
474 activate_task(this, TASK_IKE_CERT_POST);
475 activate_task(this, TASK_IKE_CONFIG);
476 activate_task(this, TASK_CHILD_CREATE);
477 activate_task(this, TASK_IKE_AUTH_LIFETIME);
478 activate_task(this, TASK_IKE_MOBIKE);
479 }
480 break;
481 case IKE_ESTABLISHED:
482 if (activate_task(this, TASK_IKE_MOBIKE))
483 {
484 exchange = INFORMATIONAL;
485 break;
486 }
487 if (activate_task(this, TASK_IKE_DELETE))
488 {
489 exchange = INFORMATIONAL;
490 break;
491 }
492 if (activate_task(this, TASK_IKE_REDIRECT))
493 {
494 exchange = INFORMATIONAL;
495 break;
496 }
497 if (activate_task(this, TASK_CHILD_DELETE))
498 {
499 exchange = INFORMATIONAL;
500 break;
501 }
502 if (activate_task(this, TASK_IKE_REAUTH))
503 {
504 exchange = INFORMATIONAL;
505 break;
506 }
507 if (activate_task(this, TASK_CHILD_CREATE))
508 {
509 exchange = CREATE_CHILD_SA;
510 break;
511 }
512 if (activate_task(this, TASK_CHILD_REKEY))
513 {
514 exchange = CREATE_CHILD_SA;
515 break;
516 }
517 if (activate_task(this, TASK_IKE_REKEY))
518 {
519 exchange = CREATE_CHILD_SA;
520 break;
521 }
522 if (activate_task(this, TASK_IKE_DPD))
523 {
524 exchange = INFORMATIONAL;
525 break;
526 }
527 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
528 {
529 exchange = INFORMATIONAL;
530 break;
531 }
532 #ifdef ME
533 if (activate_task(this, TASK_IKE_ME))
534 {
535 exchange = ME_CONNECT;
536 break;
537 }
538 #endif /* ME */
539 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
540 {
541 exchange = INFORMATIONAL;
542 break;
543 }
544 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
545 {
546 exchange = INFORMATIONAL;
547 break;
548 }
549 case IKE_REKEYING:
550 case IKE_REKEYED:
551 if (activate_task(this, TASK_IKE_DELETE))
552 {
553 exchange = INFORMATIONAL;
554 break;
555 }
556 case IKE_DELETING:
557 default:
558 break;
559 }
560 }
561 else
562 {
563 DBG2(DBG_IKE, "reinitiating already active tasks");
564 enumerator = array_create_enumerator(this->active_tasks);
565 while (enumerator->enumerate(enumerator, &task))
566 {
567 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
568 switch (task->get_type(task))
569 {
570 case TASK_IKE_INIT:
571 exchange = IKE_SA_INIT;
572 break;
573 case TASK_IKE_AUTH:
574 exchange = IKE_AUTH;
575 break;
576 case TASK_CHILD_CREATE:
577 case TASK_CHILD_REKEY:
578 case TASK_IKE_REKEY:
579 exchange = CREATE_CHILD_SA;
580 break;
581 case TASK_IKE_MOBIKE:
582 exchange = INFORMATIONAL;
583 break;
584 default:
585 continue;
586 }
587 break;
588 }
589 enumerator->destroy(enumerator);
590 }
591
592 if (exchange == 0)
593 {
594 DBG2(DBG_IKE, "nothing to initiate");
595 /* nothing to do yet... */
596 return SUCCESS;
597 }
598
599 me = this->ike_sa->get_my_host(this->ike_sa);
600 other = this->ike_sa->get_other_host(this->ike_sa);
601
602 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
603 message->set_message_id(message, this->initiating.mid);
604 message->set_source(message, me->clone(me));
605 message->set_destination(message, other->clone(other));
606 message->set_exchange_type(message, exchange);
607 this->initiating.type = exchange;
608 this->initiating.retransmitted = 0;
609 this->initiating.deferred = FALSE;
610
611 enumerator = array_create_enumerator(this->active_tasks);
612 while (enumerator->enumerate(enumerator, &task))
613 {
614 switch (task->build(task, message))
615 {
616 case SUCCESS:
617 /* task completed, remove it */
618 array_remove_at(this->active_tasks, enumerator);
619 task->destroy(task);
620 break;
621 case NEED_MORE:
622 /* processed, but task needs another exchange */
623 break;
624 case FAILED:
625 default:
626 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
627 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
628 this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED)
629 {
630 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
631 }
632 /* FALL */
633 case DESTROY_ME:
634 /* critical failure, destroy IKE_SA */
635 enumerator->destroy(enumerator);
636 message->destroy(message);
637 flush(this);
638 return DESTROY_ME;
639 }
640 }
641 enumerator->destroy(enumerator);
642
643 /* update exchange type if a task changed it */
644 this->initiating.type = message->get_exchange_type(message);
645 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
646 {
647 message->destroy(message);
648 return initiate(this);
649 }
650
651 if (!generate_message(this, message, &this->initiating.packets))
652 {
653 /* message generation failed. There is nothing more to do than to
654 * close the SA */
655 message->destroy(message);
656 flush(this);
657 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
658 return DESTROY_ME;
659 }
660 message->destroy(message);
661
662 array_compress(this->active_tasks);
663 array_compress(this->queued_tasks);
664
665 return retransmit(this, this->initiating.mid);
666 }
667
668 /**
669 * handle an incoming response message
670 */
671 static status_t process_response(private_task_manager_t *this,
672 message_t *message)
673 {
674 enumerator_t *enumerator;
675 task_t *task;
676
677 if (message->get_exchange_type(message) != this->initiating.type)
678 {
679 DBG1(DBG_IKE, "received %N response, but expected %N",
680 exchange_type_names, message->get_exchange_type(message),
681 exchange_type_names, this->initiating.type);
682 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
683 return DESTROY_ME;
684 }
685
686 enumerator = array_create_enumerator(this->active_tasks);
687 while (enumerator->enumerate(enumerator, &task))
688 {
689 if (!task->pre_process)
690 {
691 continue;
692 }
693 switch (task->pre_process(task, message))
694 {
695 case SUCCESS:
696 break;
697 case FAILED:
698 default:
699 /* just ignore the message */
700 DBG1(DBG_IKE, "ignore invalid %N response",
701 exchange_type_names, message->get_exchange_type(message));
702 enumerator->destroy(enumerator);
703 return SUCCESS;
704 case DESTROY_ME:
705 /* critical failure, destroy IKE_SA */
706 enumerator->destroy(enumerator);
707 return DESTROY_ME;
708 }
709 }
710 enumerator->destroy(enumerator);
711
712 if (this->initiating.retransmitted > 1)
713 {
714 packet_t *packet = NULL;
715 array_get(this->initiating.packets, 0, &packet);
716 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
717 }
718
719 /* catch if we get resetted while processing */
720 this->reset = FALSE;
721 enumerator = array_create_enumerator(this->active_tasks);
722 while (enumerator->enumerate(enumerator, &task))
723 {
724 switch (task->process(task, message))
725 {
726 case SUCCESS:
727 /* task completed, remove it */
728 array_remove_at(this->active_tasks, enumerator);
729 task->destroy(task);
730 break;
731 case NEED_MORE:
732 /* processed, but task needs another exchange */
733 break;
734 case FAILED:
735 default:
736 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
737 /* FALL */
738 case DESTROY_ME:
739 /* critical failure, destroy IKE_SA */
740 array_remove_at(this->active_tasks, enumerator);
741 enumerator->destroy(enumerator);
742 task->destroy(task);
743 return DESTROY_ME;
744 }
745 if (this->reset)
746 { /* start all over again if we were reset */
747 this->reset = FALSE;
748 enumerator->destroy(enumerator);
749 return initiate(this);
750 }
751 }
752 enumerator->destroy(enumerator);
753
754 this->initiating.mid++;
755 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
756 clear_packets(this->initiating.packets);
757
758 array_compress(this->active_tasks);
759
760 return initiate(this);
761 }
762
763 /**
764 * handle exchange collisions
765 */
766 static bool handle_collisions(private_task_manager_t *this, task_t *task)
767 {
768 enumerator_t *enumerator;
769 task_t *active;
770 task_type_t type;
771
772 type = task->get_type(task);
773
774 /* do we have to check */
775 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
776 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE)
777 {
778 /* find an exchange collision, and notify these tasks */
779 enumerator = array_create_enumerator(this->active_tasks);
780 while (enumerator->enumerate(enumerator, &active))
781 {
782 switch (active->get_type(active))
783 {
784 case TASK_IKE_REKEY:
785 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE)
786 {
787 ike_rekey_t *rekey = (ike_rekey_t*)active;
788 rekey->collide(rekey, task);
789 break;
790 }
791 continue;
792 case TASK_CHILD_REKEY:
793 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
794 {
795 child_rekey_t *rekey = (child_rekey_t*)active;
796 rekey->collide(rekey, task);
797 break;
798 }
799 continue;
800 default:
801 continue;
802 }
803 enumerator->destroy(enumerator);
804 return TRUE;
805 }
806 enumerator->destroy(enumerator);
807 }
808 return FALSE;
809 }
810
811 /**
812 * build a response depending on the "passive" task list
813 */
814 static status_t build_response(private_task_manager_t *this, message_t *request)
815 {
816 enumerator_t *enumerator;
817 task_t *task;
818 message_t *message;
819 host_t *me, *other;
820 bool delete = FALSE, hook = FALSE;
821 ike_sa_id_t *id = NULL;
822 uint64_t responder_spi = 0;
823 bool result;
824
825 me = request->get_destination(request);
826 other = request->get_source(request);
827
828 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
829 message->set_exchange_type(message, request->get_exchange_type(request));
830 /* send response along the path the request came in */
831 message->set_source(message, me->clone(me));
832 message->set_destination(message, other->clone(other));
833 message->set_message_id(message, this->responding.mid);
834 message->set_request(message, FALSE);
835
836 enumerator = array_create_enumerator(this->passive_tasks);
837 while (enumerator->enumerate(enumerator, (void*)&task))
838 {
839 switch (task->build(task, message))
840 {
841 case SUCCESS:
842 /* task completed, remove it */
843 array_remove_at(this->passive_tasks, enumerator);
844 if (!handle_collisions(this, task))
845 {
846 task->destroy(task);
847 }
848 break;
849 case NEED_MORE:
850 /* processed, but task needs another exchange */
851 if (handle_collisions(this, task))
852 {
853 array_remove_at(this->passive_tasks, enumerator);
854 }
855 break;
856 case FAILED:
857 default:
858 hook = TRUE;
859 /* FALL */
860 case DESTROY_ME:
861 /* destroy IKE_SA, but SEND response first */
862 if (handle_collisions(this, task))
863 {
864 array_remove_at(this->passive_tasks, enumerator);
865 }
866 delete = TRUE;
867 break;
868 }
869 if (delete)
870 {
871 break;
872 }
873 }
874 enumerator->destroy(enumerator);
875
876 /* RFC 5996, section 2.6 mentions that in the event of a failure during
877 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
878 * actually explicitly allows it to be non-zero. Since we use the responder
879 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
880 * zero temporarily, otherwise checking the SA in would fail. */
881 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
882 {
883 id = this->ike_sa->get_id(this->ike_sa);
884 responder_spi = id->get_responder_spi(id);
885 id->set_responder_spi(id, 0);
886 }
887
888 /* message complete, send it */
889 clear_packets(this->responding.packets);
890 result = generate_message(this, message, &this->responding.packets);
891 message->destroy(message);
892 if (id)
893 {
894 id->set_responder_spi(id, responder_spi);
895 }
896 if (!result)
897 {
898 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
899 return DESTROY_ME;
900 }
901
902 send_packets(this, this->responding.packets, NULL, NULL);
903 if (delete)
904 {
905 if (hook)
906 {
907 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
908 }
909 return DESTROY_ME;
910 }
911
912 array_compress(this->passive_tasks);
913
914 return SUCCESS;
915 }
916
917 /**
918 * handle an incoming request message
919 */
920 static status_t process_request(private_task_manager_t *this,
921 message_t *message)
922 {
923 enumerator_t *enumerator;
924 task_t *task = NULL;
925 payload_t *payload;
926 notify_payload_t *notify;
927 delete_payload_t *delete;
928 ike_sa_state_t state;
929
930 if (array_count(this->passive_tasks) == 0)
931 { /* create tasks depending on request type, if not already some queued */
932 state = this->ike_sa->get_state(this->ike_sa);
933 switch (message->get_exchange_type(message))
934 {
935 case IKE_SA_INIT:
936 {
937 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
938 array_insert(this->passive_tasks, ARRAY_TAIL, task);
939 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
940 array_insert(this->passive_tasks, ARRAY_TAIL, task);
941 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
942 array_insert(this->passive_tasks, ARRAY_TAIL, task);
943 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
944 array_insert(this->passive_tasks, ARRAY_TAIL, task);
945 #ifdef ME
946 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
947 array_insert(this->passive_tasks, ARRAY_TAIL, task);
948 #endif /* ME */
949 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
950 array_insert(this->passive_tasks, ARRAY_TAIL, task);
951 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
952 array_insert(this->passive_tasks, ARRAY_TAIL, task);
953 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
954 array_insert(this->passive_tasks, ARRAY_TAIL, task);
955 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
956 NULL, NULL);
957 array_insert(this->passive_tasks, ARRAY_TAIL, task);
958 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
959 array_insert(this->passive_tasks, ARRAY_TAIL, task);
960 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
961 array_insert(this->passive_tasks, ARRAY_TAIL, task);
962 break;
963 }
964 case CREATE_CHILD_SA:
965 { /* FIXME: we should prevent this on mediation connections */
966 bool notify_found = FALSE, ts_found = FALSE;
967
968 if (state == IKE_CREATED ||
969 state == IKE_CONNECTING)
970 {
971 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
972 "unestablished IKE_SA, rejected");
973 return FAILED;
974 }
975
976 enumerator = message->create_payload_enumerator(message);
977 while (enumerator->enumerate(enumerator, &payload))
978 {
979 switch (payload->get_type(payload))
980 {
981 case PLV2_NOTIFY:
982 { /* if we find a rekey notify, its CHILD_SA rekeying */
983 notify = (notify_payload_t*)payload;
984 if (notify->get_notify_type(notify) == REKEY_SA &&
985 (notify->get_protocol_id(notify) == PROTO_AH ||
986 notify->get_protocol_id(notify) == PROTO_ESP))
987 {
988 notify_found = TRUE;
989 }
990 break;
991 }
992 case PLV2_TS_INITIATOR:
993 case PLV2_TS_RESPONDER:
994 { /* if we don't find a TS, its IKE rekeying */
995 ts_found = TRUE;
996 break;
997 }
998 default:
999 break;
1000 }
1001 }
1002 enumerator->destroy(enumerator);
1003
1004 if (ts_found)
1005 {
1006 if (notify_found)
1007 {
1008 task = (task_t*)child_rekey_create(this->ike_sa,
1009 PROTO_NONE, 0);
1010 }
1011 else
1012 {
1013 task = (task_t*)child_create_create(this->ike_sa, NULL,
1014 FALSE, NULL, NULL);
1015 }
1016 }
1017 else
1018 {
1019 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
1020 }
1021 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1022 break;
1023 }
1024 case INFORMATIONAL:
1025 {
1026 enumerator = message->create_payload_enumerator(message);
1027 while (enumerator->enumerate(enumerator, &payload))
1028 {
1029 switch (payload->get_type(payload))
1030 {
1031 case PLV2_NOTIFY:
1032 {
1033 notify = (notify_payload_t*)payload;
1034 if (state == IKE_REKEYED)
1035 {
1036 DBG1(DBG_IKE, "received unexpected notify %N "
1037 "for rekeyed IKE_SA, ignored",
1038 notify_type_names,
1039 notify->get_notify_type(notify));
1040 break;
1041 }
1042 switch (notify->get_notify_type(notify))
1043 {
1044 case ADDITIONAL_IP4_ADDRESS:
1045 case ADDITIONAL_IP6_ADDRESS:
1046 case NO_ADDITIONAL_ADDRESSES:
1047 case UPDATE_SA_ADDRESSES:
1048 case NO_NATS_ALLOWED:
1049 case UNACCEPTABLE_ADDRESSES:
1050 case UNEXPECTED_NAT_DETECTED:
1051 case COOKIE2:
1052 case NAT_DETECTION_SOURCE_IP:
1053 case NAT_DETECTION_DESTINATION_IP:
1054 task = (task_t*)ike_mobike_create(
1055 this->ike_sa, FALSE);
1056 break;
1057 case AUTH_LIFETIME:
1058 task = (task_t*)ike_auth_lifetime_create(
1059 this->ike_sa, FALSE);
1060 break;
1061 case AUTHENTICATION_FAILED:
1062 /* initiator failed to authenticate us.
1063 * We use ike_delete to handle this, which
1064 * invokes all the required hooks. */
1065 task = (task_t*)ike_delete_create(
1066 this->ike_sa, FALSE);
1067 break;
1068 case REDIRECT:
1069 task = (task_t*)ike_redirect_create(
1070 this->ike_sa, NULL);
1071 break;
1072 default:
1073 break;
1074 }
1075 break;
1076 }
1077 case PLV2_DELETE:
1078 {
1079 delete = (delete_payload_t*)payload;
1080 if (delete->get_protocol_id(delete) == PROTO_IKE)
1081 {
1082 task = (task_t*)ike_delete_create(this->ike_sa,
1083 FALSE);
1084 }
1085 else
1086 {
1087 task = (task_t*)child_delete_create(this->ike_sa,
1088 PROTO_NONE, 0, FALSE);
1089 }
1090 break;
1091 }
1092 default:
1093 break;
1094 }
1095 if (task)
1096 {
1097 break;
1098 }
1099 }
1100 enumerator->destroy(enumerator);
1101
1102 if (task == NULL)
1103 {
1104 task = (task_t*)ike_dpd_create(FALSE);
1105 }
1106 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1107 break;
1108 }
1109 #ifdef ME
1110 case ME_CONNECT:
1111 {
1112 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1113 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1114 }
1115 #endif /* ME */
1116 default:
1117 break;
1118 }
1119 }
1120
1121 enumerator = array_create_enumerator(this->passive_tasks);
1122 while (enumerator->enumerate(enumerator, &task))
1123 {
1124 if (!task->pre_process)
1125 {
1126 continue;
1127 }
1128 switch (task->pre_process(task, message))
1129 {
1130 case SUCCESS:
1131 break;
1132 case FAILED:
1133 default:
1134 /* just ignore the message */
1135 DBG1(DBG_IKE, "ignore invalid %N request",
1136 exchange_type_names, message->get_exchange_type(message));
1137 enumerator->destroy(enumerator);
1138 switch (message->get_exchange_type(message))
1139 {
1140 case IKE_SA_INIT:
1141 /* no point in keeping the SA when it was created with
1142 * an invalid IKE_SA_INIT message */
1143 return DESTROY_ME;
1144 default:
1145 /* remove tasks we queued for this request */
1146 flush_queue(this, TASK_QUEUE_PASSIVE);
1147 /* fall-through */
1148 case IKE_AUTH:
1149 return NEED_MORE;
1150 }
1151 case DESTROY_ME:
1152 /* critical failure, destroy IKE_SA */
1153 enumerator->destroy(enumerator);
1154 return DESTROY_ME;
1155 }
1156 }
1157 enumerator->destroy(enumerator);
1158
1159 /* let the tasks process the message */
1160 enumerator = array_create_enumerator(this->passive_tasks);
1161 while (enumerator->enumerate(enumerator, (void*)&task))
1162 {
1163 switch (task->process(task, message))
1164 {
1165 case SUCCESS:
1166 /* task completed, remove it */
1167 array_remove_at(this->passive_tasks, enumerator);
1168 task->destroy(task);
1169 break;
1170 case NEED_MORE:
1171 /* processed, but task needs at least another call to build() */
1172 break;
1173 case FAILED:
1174 default:
1175 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1176 /* FALL */
1177 case DESTROY_ME:
1178 /* critical failure, destroy IKE_SA */
1179 array_remove_at(this->passive_tasks, enumerator);
1180 enumerator->destroy(enumerator);
1181 task->destroy(task);
1182 return DESTROY_ME;
1183 }
1184 }
1185 enumerator->destroy(enumerator);
1186
1187 return build_response(this, message);
1188 }
1189
1190 METHOD(task_manager_t, incr_mid, void,
1191 private_task_manager_t *this, bool initiate)
1192 {
1193 if (initiate)
1194 {
1195 this->initiating.mid++;
1196 }
1197 else
1198 {
1199 this->responding.mid++;
1200 }
1201 }
1202
1203 /**
1204 * Handle the given IKE fragment, if it is one.
1205 *
1206 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1207 * handled properly. Error states are returned if the fragment was invalid or
1208 * the reassembled message could not have been processed properly.
1209 */
1210 static status_t handle_fragment(private_task_manager_t *this,
1211 message_t **defrag, message_t *msg)
1212 {
1213 message_t *reassembled;
1214 status_t status;
1215
1216 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1217 {
1218 return SUCCESS;
1219 }
1220 if (!*defrag)
1221 {
1222 *defrag = message_create_defrag(msg);
1223 if (!*defrag)
1224 {
1225 return FAILED;
1226 }
1227 }
1228 status = (*defrag)->add_fragment(*defrag, msg);
1229 if (status == SUCCESS)
1230 {
1231 /* reinject the reassembled message */
1232 reassembled = *defrag;
1233 *defrag = NULL;
1234 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1235 if (status == SUCCESS)
1236 {
1237 /* avoid processing the last fragment */
1238 status = NEED_MORE;
1239 }
1240 reassembled->destroy(reassembled);
1241 }
1242 return status;
1243 }
1244
1245 /**
1246 * Send a notify back to the sender
1247 */
1248 static void send_notify_response(private_task_manager_t *this,
1249 message_t *request, notify_type_t type,
1250 chunk_t data)
1251 {
1252 message_t *response;
1253 packet_t *packet;
1254 host_t *me, *other;
1255
1256 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1257 response->set_exchange_type(response, request->get_exchange_type(request));
1258 response->set_request(response, FALSE);
1259 response->set_message_id(response, request->get_message_id(request));
1260 response->add_notify(response, FALSE, type, data);
1261 me = this->ike_sa->get_my_host(this->ike_sa);
1262 if (me->is_anyaddr(me))
1263 {
1264 me = request->get_destination(request);
1265 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1266 }
1267 other = this->ike_sa->get_other_host(this->ike_sa);
1268 if (other->is_anyaddr(other))
1269 {
1270 other = request->get_source(request);
1271 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1272 }
1273 response->set_source(response, me->clone(me));
1274 response->set_destination(response, other->clone(other));
1275 if (this->ike_sa->generate_message(this->ike_sa, response,
1276 &packet) == SUCCESS)
1277 {
1278 charon->sender->send(charon->sender, packet);
1279 }
1280 response->destroy(response);
1281 }
1282
1283 /**
1284 * Parse the given message and verify that it is valid.
1285 */
1286 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1287 {
1288 status_t status;
1289 uint8_t type = 0;
1290
1291 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1292
1293 if (status == SUCCESS)
1294 { /* check for unsupported critical payloads */
1295 enumerator_t *enumerator;
1296 unknown_payload_t *unknown;
1297 payload_t *payload;
1298
1299 enumerator = msg->create_payload_enumerator(msg);
1300 while (enumerator->enumerate(enumerator, &payload))
1301 {
1302 if (payload->get_type(payload) == PL_UNKNOWN)
1303 {
1304 unknown = (unknown_payload_t*)payload;
1305 if (unknown->is_critical(unknown))
1306 {
1307 type = unknown->get_type(unknown);
1308 DBG1(DBG_ENC, "payload type %N is not supported, "
1309 "but its critical!", payload_type_names, type);
1310 status = NOT_SUPPORTED;
1311 break;
1312 }
1313 }
1314 }
1315 enumerator->destroy(enumerator);
1316 }
1317
1318 if (status != SUCCESS)
1319 {
1320 bool is_request = msg->get_request(msg);
1321
1322 switch (status)
1323 {
1324 case NOT_SUPPORTED:
1325 DBG1(DBG_IKE, "critical unknown payloads found");
1326 if (is_request)
1327 {
1328 send_notify_response(this, msg,
1329 UNSUPPORTED_CRITICAL_PAYLOAD,
1330 chunk_from_thing(type));
1331 incr_mid(this, FALSE);
1332 }
1333 break;
1334 case PARSE_ERROR:
1335 DBG1(DBG_IKE, "message parsing failed");
1336 if (is_request)
1337 {
1338 send_notify_response(this, msg,
1339 INVALID_SYNTAX, chunk_empty);
1340 incr_mid(this, FALSE);
1341 }
1342 break;
1343 case VERIFY_ERROR:
1344 DBG1(DBG_IKE, "message verification failed");
1345 if (is_request)
1346 {
1347 send_notify_response(this, msg,
1348 INVALID_SYNTAX, chunk_empty);
1349 incr_mid(this, FALSE);
1350 }
1351 break;
1352 case FAILED:
1353 DBG1(DBG_IKE, "integrity check failed");
1354 /* ignored */
1355 break;
1356 case INVALID_STATE:
1357 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1358 default:
1359 break;
1360 }
1361 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1362 exchange_type_names, msg->get_exchange_type(msg),
1363 is_request ? "request" : "response",
1364 msg->get_message_id(msg));
1365
1366 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1367
1368 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1369 { /* invalid initiation attempt, close SA */
1370 return DESTROY_ME;
1371 }
1372 }
1373 return status;
1374 }
1375
1376
1377 METHOD(task_manager_t, process_message, status_t,
1378 private_task_manager_t *this, message_t *msg)
1379 {
1380 host_t *me, *other;
1381 status_t status;
1382 uint32_t mid;
1383 bool schedule_delete_job = FALSE;
1384 ike_sa_state_t state;
1385 exchange_type_t type;
1386
1387 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1388 status = parse_message(this, msg);
1389 if (status != SUCCESS)
1390 {
1391 return status;
1392 }
1393
1394 me = msg->get_destination(msg);
1395 other = msg->get_source(msg);
1396
1397 /* if this IKE_SA is virgin, we check for a config */
1398 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1399 {
1400 ike_cfg_t *ike_cfg;
1401
1402 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1403 me, other, IKEV2);
1404 if (ike_cfg == NULL)
1405 {
1406 /* no config found for these hosts, destroy */
1407 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1408 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1409 send_notify_response(this, msg,
1410 NO_PROPOSAL_CHOSEN, chunk_empty);
1411 return DESTROY_ME;
1412 }
1413 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1414 ike_cfg->destroy(ike_cfg);
1415 /* add a timeout if peer does not establish it completely */
1416 schedule_delete_job = TRUE;
1417 }
1418 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1419 time_monotonic(NULL));
1420
1421 mid = msg->get_message_id(msg);
1422 if (msg->get_request(msg))
1423 {
1424 if (mid == this->responding.mid)
1425 {
1426 /* reject initial messages if not received in specific states,
1427 * after rekeying we only expect a DELETE in an INFORMATIONAL */
1428 type = msg->get_exchange_type(msg);
1429 state = this->ike_sa->get_state(this->ike_sa);
1430 if ((type == IKE_SA_INIT && state != IKE_CREATED) ||
1431 (type == IKE_AUTH && state != IKE_CONNECTING) ||
1432 (state == IKE_REKEYED && type != INFORMATIONAL))
1433 {
1434 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
1435 exchange_type_names, type, ike_sa_state_names, state);
1436 return FAILED;
1437 }
1438 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1439 { /* with MOBIKE, we do no implicit updates */
1440 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1441 }
1442 status = handle_fragment(this, &this->responding.defrag, msg);
1443 if (status != SUCCESS)
1444 {
1445 return status;
1446 }
1447 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1448 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1449 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1450 return SUCCESS;
1451 }
1452 switch (process_request(this, msg))
1453 {
1454 case SUCCESS:
1455 this->responding.mid++;
1456 break;
1457 case NEED_MORE:
1458 break;
1459 default:
1460 flush(this);
1461 return DESTROY_ME;
1462 }
1463 }
1464 else if ((mid == this->responding.mid - 1) &&
1465 array_count(this->responding.packets))
1466 {
1467 status = handle_fragment(this, &this->responding.defrag, msg);
1468 if (status != SUCCESS)
1469 {
1470 return status;
1471 }
1472 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1473 "retransmitting response", mid);
1474 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1475 send_packets(this, this->responding.packets,
1476 msg->get_destination(msg), msg->get_source(msg));
1477 }
1478 else
1479 {
1480 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1481 mid, this->responding.mid);
1482 }
1483 }
1484 else
1485 {
1486 if (mid == this->initiating.mid)
1487 {
1488 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1489 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1490 msg->get_exchange_type(msg) != IKE_SA_INIT)
1491 { /* only do updates based on verified messages (or initial ones) */
1492 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1493 { /* with MOBIKE, we do no implicit updates. we force an
1494 * update of the local address on IKE_SA_INIT, but never
1495 * for the remote address */
1496 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1497 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1498 }
1499 }
1500 status = handle_fragment(this, &this->initiating.defrag, msg);
1501 if (status != SUCCESS)
1502 {
1503 return status;
1504 }
1505 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1506 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1507 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1508 return SUCCESS;
1509 }
1510 if (process_response(this, msg) != SUCCESS)
1511 {
1512 flush(this);
1513 return DESTROY_ME;
1514 }
1515 }
1516 else
1517 {
1518 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1519 mid, this->initiating.mid);
1520 return SUCCESS;
1521 }
1522 }
1523
1524 if (schedule_delete_job)
1525 {
1526 ike_sa_id_t *ike_sa_id;
1527 job_t *job;
1528
1529 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1530 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1531 lib->scheduler->schedule_job(lib->scheduler, job,
1532 lib->settings->get_int(lib->settings,
1533 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1534 lib->ns));
1535 }
1536 return SUCCESS;
1537 }
1538
1539 METHOD(task_manager_t, queue_task_delayed, void,
1540 private_task_manager_t *this, task_t *task, uint32_t delay)
1541 {
1542 enumerator_t *enumerator;
1543 queued_task_t *queued;
1544 timeval_t time;
1545
1546 if (task->get_type(task) == TASK_IKE_MOBIKE)
1547 { /* there is no need to queue more than one mobike task */
1548 enumerator = array_create_enumerator(this->queued_tasks);
1549 while (enumerator->enumerate(enumerator, &queued))
1550 {
1551 if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
1552 {
1553 enumerator->destroy(enumerator);
1554 task->destroy(task);
1555 return;
1556 }
1557 }
1558 enumerator->destroy(enumerator);
1559 }
1560 time_monotonic(&time);
1561 if (delay)
1562 {
1563 job_t *job;
1564
1565 DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names,
1566 task->get_type(task), delay);
1567 time.tv_sec += delay;
1568
1569 job = (job_t*)initiate_tasks_job_create(
1570 this->ike_sa->get_id(this->ike_sa));
1571 lib->scheduler->schedule_job_tv(lib->scheduler, job, time);
1572 }
1573 else
1574 {
1575 DBG2(DBG_IKE, "queueing %N task", task_type_names,
1576 task->get_type(task));
1577 }
1578 INIT(queued,
1579 .task = task,
1580 .time = time,
1581 );
1582 array_insert(this->queued_tasks, ARRAY_TAIL, queued);
1583 }
1584
1585 METHOD(task_manager_t, queue_task, void,
1586 private_task_manager_t *this, task_t *task)
1587 {
1588 queue_task_delayed(this, task, 0);
1589 }
1590
1591 /**
1592 * Check if a given task has been queued already
1593 */
1594 static bool has_queued(private_task_manager_t *this, task_type_t type)
1595 {
1596 enumerator_t *enumerator;
1597 bool found = FALSE;
1598 queued_task_t *queued;
1599
1600 enumerator = array_create_enumerator(this->queued_tasks);
1601 while (enumerator->enumerate(enumerator, &queued))
1602 {
1603 if (queued->task->get_type(queued->task) == type)
1604 {
1605 found = TRUE;
1606 break;
1607 }
1608 }
1609 enumerator->destroy(enumerator);
1610 return found;
1611 }
1612
1613 METHOD(task_manager_t, queue_ike, void,
1614 private_task_manager_t *this)
1615 {
1616 if (!has_queued(this, TASK_IKE_VENDOR))
1617 {
1618 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1619 }
1620 if (!has_queued(this, TASK_IKE_INIT))
1621 {
1622 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1623 }
1624 if (!has_queued(this, TASK_IKE_NATD))
1625 {
1626 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1627 }
1628 if (!has_queued(this, TASK_IKE_CERT_PRE))
1629 {
1630 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1631 }
1632 if (!has_queued(this, TASK_IKE_AUTH))
1633 {
1634 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1635 }
1636 if (!has_queued(this, TASK_IKE_CERT_POST))
1637 {
1638 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1639 }
1640 if (!has_queued(this, TASK_IKE_CONFIG))
1641 {
1642 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1643 }
1644 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1645 {
1646 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1647 }
1648 if (!has_queued(this, TASK_IKE_MOBIKE))
1649 {
1650 peer_cfg_t *peer_cfg;
1651
1652 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1653 if (peer_cfg->use_mobike(peer_cfg))
1654 {
1655 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1656 }
1657 }
1658 #ifdef ME
1659 if (!has_queued(this, TASK_IKE_ME))
1660 {
1661 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1662 }
1663 #endif /* ME */
1664 }
1665
1666 METHOD(task_manager_t, queue_ike_rekey, void,
1667 private_task_manager_t *this)
1668 {
1669 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1670 }
1671
1672 /**
1673 * Start reauthentication using make-before-break
1674 */
1675 static void trigger_mbb_reauth(private_task_manager_t *this)
1676 {
1677 enumerator_t *enumerator;
1678 child_sa_t *child_sa;
1679 child_cfg_t *cfg;
1680 ike_sa_t *new;
1681 host_t *host;
1682 queued_task_t *queued;
1683
1684 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1685 this->ike_sa->get_version(this->ike_sa), TRUE);
1686 if (!new)
1687 { /* shouldn't happen */
1688 return;
1689 }
1690
1691 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1692 host = this->ike_sa->get_other_host(this->ike_sa);
1693 new->set_other_host(new, host->clone(host));
1694 host = this->ike_sa->get_my_host(this->ike_sa);
1695 new->set_my_host(new, host->clone(host));
1696 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1697 while (enumerator->enumerate(enumerator, &host))
1698 {
1699 new->add_virtual_ip(new, TRUE, host);
1700 }
1701 enumerator->destroy(enumerator);
1702
1703 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1704 while (enumerator->enumerate(enumerator, &child_sa))
1705 {
1706 cfg = child_sa->get_config(child_sa);
1707 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
1708 FALSE, NULL, NULL)->task);
1709 }
1710 enumerator->destroy(enumerator);
1711
1712 enumerator = array_create_enumerator(this->queued_tasks);
1713 while (enumerator->enumerate(enumerator, &queued))
1714 {
1715 if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE)
1716 {
1717 queued->task->migrate(queued->task, new);
1718 new->queue_task(new, queued->task);
1719 array_remove_at(this->queued_tasks, enumerator);
1720 free(queued);
1721 }
1722 }
1723 enumerator->destroy(enumerator);
1724
1725 /* suspend online revocation checking until the SA is established */
1726 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
1727
1728 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1729 {
1730 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
1731 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1732 this->ike_sa->get_id(this->ike_sa)));
1733 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1734 }
1735 else
1736 {
1737 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1738 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1739 }
1740 charon->bus->set_sa(charon->bus, this->ike_sa);
1741 }
1742
1743 METHOD(task_manager_t, queue_ike_reauth, void,
1744 private_task_manager_t *this)
1745 {
1746 if (this->make_before_break)
1747 {
1748 return trigger_mbb_reauth(this);
1749 }
1750 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1751 }
1752
1753 METHOD(task_manager_t, queue_ike_delete, void,
1754 private_task_manager_t *this)
1755 {
1756 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1757 }
1758
1759 METHOD(task_manager_t, queue_mobike, void,
1760 private_task_manager_t *this, bool roam, bool address)
1761 {
1762 ike_mobike_t *mobike;
1763
1764 mobike = ike_mobike_create(this->ike_sa, TRUE);
1765 if (roam)
1766 {
1767 enumerator_t *enumerator;
1768 task_t *current;
1769
1770 mobike->roam(mobike, address);
1771
1772 /* enable path probing for a currently active MOBIKE task. This might
1773 * not be the case if an address appeared on a new interface while the
1774 * current address is not working but has not yet disappeared. */
1775 enumerator = array_create_enumerator(this->active_tasks);
1776 while (enumerator->enumerate(enumerator, &current))
1777 {
1778 if (current->get_type(current) == TASK_IKE_MOBIKE)
1779 {
1780 ike_mobike_t *active = (ike_mobike_t*)current;
1781 active->enable_probing(active);
1782 break;
1783 }
1784 }
1785 enumerator->destroy(enumerator);
1786 }
1787 else
1788 {
1789 mobike->addresses(mobike);
1790 }
1791 queue_task(this, &mobike->task);
1792 }
1793
1794 METHOD(task_manager_t, queue_child, void,
1795 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
1796 traffic_selector_t *tsi, traffic_selector_t *tsr)
1797 {
1798 child_create_t *task;
1799
1800 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
1801 if (reqid)
1802 {
1803 task->use_reqid(task, reqid);
1804 }
1805 queue_task(this, &task->task);
1806 }
1807
1808 METHOD(task_manager_t, queue_child_rekey, void,
1809 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
1810 {
1811 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
1812 }
1813
1814 METHOD(task_manager_t, queue_child_delete, void,
1815 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
1816 bool expired)
1817 {
1818 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
1819 protocol, spi, expired));
1820 }
1821
1822 METHOD(task_manager_t, queue_dpd, void,
1823 private_task_manager_t *this)
1824 {
1825 ike_mobike_t *mobike;
1826
1827 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
1828 this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
1829 {
1830 #ifdef ME
1831 peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1832 if (cfg->get_peer_id(cfg) ||
1833 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1834 #else
1835 if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1836 #endif
1837 {
1838 /* use mobike enabled DPD to detect NAT mapping changes */
1839 mobike = ike_mobike_create(this->ike_sa, TRUE);
1840 mobike->dpd(mobike);
1841 queue_task(this, &mobike->task);
1842 return;
1843 }
1844 }
1845 queue_task(this, (task_t*)ike_dpd_create(TRUE));
1846 }
1847
1848 METHOD(task_manager_t, adopt_tasks, void,
1849 private_task_manager_t *this, task_manager_t *other_public)
1850 {
1851 private_task_manager_t *other = (private_task_manager_t*)other_public;
1852 queued_task_t *queued;
1853 timeval_t now;
1854
1855 time_monotonic(&now);
1856
1857 /* move queued tasks from other to this */
1858 while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued))
1859 {
1860 DBG2(DBG_IKE, "migrating %N task", task_type_names,
1861 queued->task->get_type(queued->task));
1862 queued->task->migrate(queued->task, this->ike_sa);
1863 /* don't delay tasks on the new IKE_SA */
1864 queued->time = now;
1865 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
1866 }
1867 }
1868
1869 /**
1870 * Migrates child-creating tasks from other to this
1871 */
1872 static void migrate_child_tasks(private_task_manager_t *this,
1873 private_task_manager_t *other,
1874 task_queue_t queue)
1875 {
1876 enumerator_t *enumerator;
1877 array_t *array;
1878 task_t *task;
1879
1880 switch (queue)
1881 {
1882 case TASK_QUEUE_ACTIVE:
1883 array = other->active_tasks;
1884 break;
1885 case TASK_QUEUE_QUEUED:
1886 array = other->queued_tasks;
1887 break;
1888 default:
1889 return;
1890 }
1891
1892 enumerator = array_create_enumerator(array);
1893 while (enumerator->enumerate(enumerator, &task))
1894 {
1895 queued_task_t *queued = NULL;
1896
1897 if (queue == TASK_QUEUE_QUEUED)
1898 {
1899 queued = (queued_task_t*)task;
1900 task = queued->task;
1901 }
1902 if (task->get_type(task) == TASK_CHILD_CREATE)
1903 {
1904 array_remove_at(array, enumerator);
1905 task->migrate(task, this->ike_sa);
1906 queue_task(this, task);
1907 free(queued);
1908 }
1909 }
1910 enumerator->destroy(enumerator);
1911 }
1912
1913 METHOD(task_manager_t, adopt_child_tasks, void,
1914 private_task_manager_t *this, task_manager_t *other_public)
1915 {
1916 private_task_manager_t *other = (private_task_manager_t*)other_public;
1917
1918 /* move active child tasks from other to this */
1919 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
1920 /* do the same for queued tasks */
1921 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
1922 }
1923
1924 METHOD(task_manager_t, busy, bool,
1925 private_task_manager_t *this)
1926 {
1927 return array_count(this->active_tasks) > 0;
1928 }
1929
1930 METHOD(task_manager_t, reset, void,
1931 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
1932 {
1933 enumerator_t *enumerator;
1934 queued_task_t *queued;
1935 task_t *task;
1936 timeval_t now;
1937
1938 /* reset message counters and retransmit packets */
1939 clear_packets(this->responding.packets);
1940 clear_packets(this->initiating.packets);
1941 DESTROY_IF(this->responding.defrag);
1942 DESTROY_IF(this->initiating.defrag);
1943 this->responding.defrag = NULL;
1944 this->initiating.defrag = NULL;
1945 if (initiate != UINT_MAX)
1946 {
1947 this->initiating.mid = initiate;
1948 }
1949 if (respond != UINT_MAX)
1950 {
1951 this->responding.mid = respond;
1952 }
1953 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1954
1955 time_monotonic(&now);
1956 /* reset queued tasks */
1957 enumerator = array_create_enumerator(this->queued_tasks);
1958 while (enumerator->enumerate(enumerator, &queued))
1959 {
1960 queued->time = now;
1961 queued->task->migrate(queued->task, this->ike_sa);
1962 }
1963 enumerator->destroy(enumerator);
1964
1965 /* reset active tasks */
1966 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
1967 {
1968 task->migrate(task, this->ike_sa);
1969 INIT(queued,
1970 .task = task,
1971 .time = now,
1972 );
1973 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
1974 }
1975
1976 this->reset = TRUE;
1977 }
1978
1979 /**
1980 * Filter queued tasks
1981 */
1982 static bool filter_queued(void *unused, queued_task_t **queued, task_t **task)
1983 {
1984 *task = (*queued)->task;
1985 return TRUE;
1986 }
1987
1988 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1989 private_task_manager_t *this, task_queue_t queue)
1990 {
1991 switch (queue)
1992 {
1993 case TASK_QUEUE_ACTIVE:
1994 return array_create_enumerator(this->active_tasks);
1995 case TASK_QUEUE_PASSIVE:
1996 return array_create_enumerator(this->passive_tasks);
1997 case TASK_QUEUE_QUEUED:
1998 return enumerator_create_filter(
1999 array_create_enumerator(this->queued_tasks),
2000 (void*)filter_queued, NULL, NULL);
2001 default:
2002 return enumerator_create_empty();
2003 }
2004 }
2005
2006 METHOD(task_manager_t, destroy, void,
2007 private_task_manager_t *this)
2008 {
2009 flush(this);
2010
2011 array_destroy(this->active_tasks);
2012 array_destroy(this->queued_tasks);
2013 array_destroy(this->passive_tasks);
2014
2015 clear_packets(this->responding.packets);
2016 array_destroy(this->responding.packets);
2017 clear_packets(this->initiating.packets);
2018 array_destroy(this->initiating.packets);
2019 DESTROY_IF(this->responding.defrag);
2020 DESTROY_IF(this->initiating.defrag);
2021 free(this);
2022 }
2023
2024 /*
2025 * see header file
2026 */
2027 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
2028 {
2029 private_task_manager_t *this;
2030
2031 INIT(this,
2032 .public = {
2033 .task_manager = {
2034 .process_message = _process_message,
2035 .queue_task = _queue_task,
2036 .queue_task_delayed = _queue_task_delayed,
2037 .queue_ike = _queue_ike,
2038 .queue_ike_rekey = _queue_ike_rekey,
2039 .queue_ike_reauth = _queue_ike_reauth,
2040 .queue_ike_delete = _queue_ike_delete,
2041 .queue_mobike = _queue_mobike,
2042 .queue_child = _queue_child,
2043 .queue_child_rekey = _queue_child_rekey,
2044 .queue_child_delete = _queue_child_delete,
2045 .queue_dpd = _queue_dpd,
2046 .initiate = _initiate,
2047 .retransmit = _retransmit,
2048 .incr_mid = _incr_mid,
2049 .reset = _reset,
2050 .adopt_tasks = _adopt_tasks,
2051 .adopt_child_tasks = _adopt_child_tasks,
2052 .busy = _busy,
2053 .create_task_enumerator = _create_task_enumerator,
2054 .flush = _flush,
2055 .flush_queue = _flush_queue,
2056 .destroy = _destroy,
2057 },
2058 },
2059 .ike_sa = ike_sa,
2060 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
2061 .queued_tasks = array_create(0, 0),
2062 .active_tasks = array_create(0, 0),
2063 .passive_tasks = array_create(0, 0),
2064 .retransmit_tries = lib->settings->get_int(lib->settings,
2065 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2066 .retransmit_timeout = lib->settings->get_double(lib->settings,
2067 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2068 .retransmit_base = lib->settings->get_double(lib->settings,
2069 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2070 .make_before_break = lib->settings->get_bool(lib->settings,
2071 "%s.make_before_break", FALSE, lib->ns),
2072 );
2073
2074 return &this->public;
2075 }