6bafd42e0d8119a9a1f7e08d4fe64a443ec8065e
[strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2018 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_mid_sync.h>
38 #include <sa/ikev2/tasks/ike_vendor.h>
39 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
40 #include <sa/ikev2/tasks/child_create.h>
41 #include <sa/ikev2/tasks/child_rekey.h>
42 #include <sa/ikev2/tasks/child_delete.h>
43 #include <encoding/payloads/delete_payload.h>
44 #include <encoding/payloads/unknown_payload.h>
45 #include <processing/jobs/retransmit_job.h>
46 #include <processing/jobs/delete_ike_sa_job.h>
47 #include <processing/jobs/initiate_tasks_job.h>
48
49 #ifdef ME
50 #include <sa/ikev2/tasks/ike_me.h>
51 #endif
52
53 typedef struct private_task_manager_t private_task_manager_t;
54 typedef struct queued_task_t queued_task_t;
55
56 /**
57 * private data of the task manager
58 */
59 struct private_task_manager_t {
60
61 /**
62 * public functions
63 */
64 task_manager_v2_t public;
65
66 /**
67 * associated IKE_SA we are serving
68 */
69 ike_sa_t *ike_sa;
70
71 /**
72 * Exchange we are currently handling as responder
73 */
74 struct {
75 /**
76 * Message ID of the exchange
77 */
78 uint32_t mid;
79
80 /**
81 * packet(s) for retransmission
82 */
83 array_t *packets;
84
85 /**
86 * Helper to defragment the request
87 */
88 message_t *defrag;
89
90 } responding;
91
92 /**
93 * Exchange we are currently handling as initiator
94 */
95 struct {
96 /**
97 * Message ID of the exchange
98 */
99 uint32_t mid;
100
101 /**
102 * how many times we have retransmitted so far
103 */
104 u_int retransmitted;
105
106 /**
107 * packet(s) for retransmission
108 */
109 array_t *packets;
110
111 /**
112 * type of the initiated exchange
113 */
114 exchange_type_t type;
115
116 /**
117 * TRUE if exchange was deferred because no path was available
118 */
119 bool deferred;
120
121 /**
122 * Helper to defragment the response
123 */
124 message_t *defrag;
125
126 } initiating;
127
128 /**
129 * Array of queued tasks not yet in action
130 */
131 array_t *queued_tasks;
132
133 /**
134 * Array of active tasks, initiated by ourselves
135 */
136 array_t *active_tasks;
137
138 /**
139 * Array of tasks initiated by peer
140 */
141 array_t *passive_tasks;
142
143 /**
144 * the task manager has been reset
145 */
146 bool reset;
147
148 /**
149 * Number of times we retransmit messages before giving up
150 */
151 u_int retransmit_tries;
152
153 /**
154 * Retransmission timeout
155 */
156 double retransmit_timeout;
157
158 /**
159 * Base to calculate retransmission timeout
160 */
161 double retransmit_base;
162
163 /**
164 * Jitter to apply to calculated retransmit timeout (in percent)
165 */
166 u_int retransmit_jitter;
167
168 /**
169 * Limit retransmit timeout to this value
170 */
171 uint32_t retransmit_limit;
172
173 /**
174 * Use make-before-break instead of break-before-make reauth?
175 */
176 bool make_before_break;
177 };
178
179 /**
180 * Queued tasks
181 */
182 struct queued_task_t {
183
184 /**
185 * Queued task
186 */
187 task_t *task;
188
189 /**
190 * Time before which the task is not to be initiated
191 */
192 timeval_t time;
193 };
194
195 /**
196 * Reset retransmission packet list
197 */
198 static void clear_packets(array_t *array)
199 {
200 packet_t *packet;
201
202 while (array_remove(array, ARRAY_TAIL, &packet))
203 {
204 packet->destroy(packet);
205 }
206 }
207
208 METHOD(task_manager_t, flush_queue, void,
209 private_task_manager_t *this, task_queue_t queue)
210 {
211 array_t *array;
212 task_t *task;
213
214 switch (queue)
215 {
216 case TASK_QUEUE_ACTIVE:
217 array = this->active_tasks;
218 break;
219 case TASK_QUEUE_PASSIVE:
220 array = this->passive_tasks;
221 break;
222 case TASK_QUEUE_QUEUED:
223 array = this->queued_tasks;
224 break;
225 default:
226 return;
227 }
228 while (array_remove(array, ARRAY_TAIL, &task))
229 {
230 if (queue == TASK_QUEUE_QUEUED)
231 {
232 queued_task_t *queued = (queued_task_t*)task;
233 task = queued->task;
234 free(queued);
235 }
236 task->destroy(task);
237 }
238 }
239
240 METHOD(task_manager_t, flush, void,
241 private_task_manager_t *this)
242 {
243 flush_queue(this, TASK_QUEUE_QUEUED);
244 flush_queue(this, TASK_QUEUE_PASSIVE);
245 flush_queue(this, TASK_QUEUE_ACTIVE);
246 }
247
248 /**
249 * Move a task of a specific type from the queue to the active list, if it is
250 * not delayed.
251 */
252 static bool activate_task(private_task_manager_t *this, task_type_t type)
253 {
254 enumerator_t *enumerator;
255 queued_task_t *queued;
256 timeval_t now;
257 bool found = FALSE;
258
259 time_monotonic(&now);
260
261 enumerator = array_create_enumerator(this->queued_tasks);
262 while (enumerator->enumerate(enumerator, (void**)&queued))
263 {
264 if (queued->task->get_type(queued->task) == type &&
265 !timercmp(&now, &queued->time, <))
266 {
267 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
268 array_remove_at(this->queued_tasks, enumerator);
269 array_insert(this->active_tasks, ARRAY_TAIL, queued->task);
270 free(queued);
271 found = TRUE;
272 break;
273 }
274 }
275 enumerator->destroy(enumerator);
276 return found;
277 }
278
279 /**
280 * Send packets in the given array (they get cloned). Optionally, the
281 * source and destination addresses are changed before sending it.
282 */
283 static void send_packets(private_task_manager_t *this, array_t *packets,
284 host_t *src, host_t *dst)
285 {
286 packet_t *packet, *clone;
287 int i;
288
289 for (i = 0; i < array_count(packets); i++)
290 {
291 array_get(packets, i, &packet);
292 clone = packet->clone(packet);
293 if (src)
294 {
295 clone->set_source(clone, src->clone(src));
296 }
297 if (dst)
298 {
299 clone->set_destination(clone, dst->clone(dst));
300 }
301 charon->sender->send(charon->sender, clone);
302 }
303 }
304
305 /**
306 * Generates the given message and stores packet(s) in the given array
307 */
308 static bool generate_message(private_task_manager_t *this, message_t *message,
309 array_t **packets)
310 {
311 enumerator_t *fragments;
312 packet_t *fragment;
313
314 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
315 &fragments) != SUCCESS)
316 {
317 return FALSE;
318 }
319 while (fragments->enumerate(fragments, &fragment))
320 {
321 array_insert_create(packets, ARRAY_TAIL, fragment);
322 }
323 fragments->destroy(fragments);
324 array_compress(*packets);
325 return TRUE;
326 }
327
328 METHOD(task_manager_t, retransmit, status_t,
329 private_task_manager_t *this, uint32_t message_id)
330 {
331 if (message_id == this->initiating.mid &&
332 array_count(this->initiating.packets))
333 {
334 uint32_t timeout, max_jitter;
335 job_t *job;
336 enumerator_t *enumerator;
337 packet_t *packet;
338 task_t *task;
339 ike_mobike_t *mobike = NULL;
340
341 array_get(this->initiating.packets, 0, &packet);
342
343 /* check if we are retransmitting a MOBIKE routability check */
344 if (this->initiating.type == INFORMATIONAL)
345 {
346 enumerator = array_create_enumerator(this->active_tasks);
347 while (enumerator->enumerate(enumerator, (void*)&task))
348 {
349 if (task->get_type(task) == TASK_IKE_MOBIKE)
350 {
351 mobike = (ike_mobike_t*)task;
352 break;
353 }
354 }
355 enumerator->destroy(enumerator);
356 }
357
358 if (!mobike || !mobike->is_probing(mobike))
359 {
360 if (this->initiating.retransmitted <= this->retransmit_tries)
361 {
362 timeout = (uint32_t)(this->retransmit_timeout * 1000.0 *
363 pow(this->retransmit_base, this->initiating.retransmitted));
364
365 if (this->retransmit_limit)
366 {
367 timeout = min(timeout, this->retransmit_limit);
368 }
369 if (this->retransmit_jitter)
370 {
371 max_jitter = (timeout / 100.0) * this->retransmit_jitter;
372 timeout -= max_jitter * (random() / (RAND_MAX + 1.0));
373 }
374 }
375 else
376 {
377 DBG1(DBG_IKE, "giving up after %d retransmits",
378 this->initiating.retransmitted - 1);
379 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
380 packet);
381 return DESTROY_ME;
382 }
383
384 if (this->initiating.retransmitted)
385 {
386 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
387 this->initiating.retransmitted, message_id);
388 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
389 this->initiating.retransmitted);
390 }
391 if (!mobike)
392 {
393 send_packets(this, this->initiating.packets,
394 this->ike_sa->get_my_host(this->ike_sa),
395 this->ike_sa->get_other_host(this->ike_sa));
396 }
397 else
398 {
399 if (!mobike->transmit(mobike, packet))
400 {
401 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
402 "deferred");
403 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
404 this->initiating.deferred = TRUE;
405 return SUCCESS;
406 }
407 else if (mobike->is_probing(mobike))
408 {
409 timeout = ROUTEABILITY_CHECK_INTERVAL;
410 }
411 }
412 }
413 else
414 { /* for routeability checks, we use a more aggressive behavior */
415 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
416 {
417 timeout = ROUTEABILITY_CHECK_INTERVAL;
418 }
419 else
420 {
421 DBG1(DBG_IKE, "giving up after %d path probings",
422 this->initiating.retransmitted - 1);
423 return DESTROY_ME;
424 }
425
426 if (this->initiating.retransmitted)
427 {
428 DBG1(DBG_IKE, "path probing attempt %d",
429 this->initiating.retransmitted);
430 }
431 /* TODO-FRAG: presumably these small packets are not fragmented,
432 * we should maybe ensure this is the case when generating them */
433 if (!mobike->transmit(mobike, packet))
434 {
435 DBG1(DBG_IKE, "no route found to reach peer, path probing "
436 "deferred");
437 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
438 this->initiating.deferred = TRUE;
439 return SUCCESS;
440 }
441 }
442
443 this->initiating.retransmitted++;
444 job = (job_t*)retransmit_job_create(this->initiating.mid,
445 this->ike_sa->get_id(this->ike_sa));
446 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
447 }
448 return SUCCESS;
449 }
450
451 METHOD(task_manager_t, initiate, status_t,
452 private_task_manager_t *this)
453 {
454 enumerator_t *enumerator;
455 task_t *task;
456 message_t *message;
457 host_t *me, *other;
458 exchange_type_t exchange = 0;
459
460 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
461 {
462 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
463 exchange_type_names, this->initiating.type);
464 /* do not initiate if we already have a message in the air */
465 if (this->initiating.deferred)
466 { /* re-initiate deferred exchange */
467 this->initiating.deferred = FALSE;
468 this->initiating.retransmitted = 0;
469 return retransmit(this, this->initiating.mid);
470 }
471 return SUCCESS;
472 }
473
474 if (array_count(this->active_tasks) == 0)
475 {
476 DBG2(DBG_IKE, "activating new tasks");
477 switch (this->ike_sa->get_state(this->ike_sa))
478 {
479 case IKE_CREATED:
480 activate_task(this, TASK_IKE_VENDOR);
481 if (activate_task(this, TASK_IKE_INIT))
482 {
483 this->initiating.mid = 0;
484 exchange = IKE_SA_INIT;
485 activate_task(this, TASK_IKE_NATD);
486 activate_task(this, TASK_IKE_CERT_PRE);
487 #ifdef ME
488 /* this task has to be activated before the TASK_IKE_AUTH
489 * task, because that task pregenerates the packet after
490 * which no payloads can be added to the message anymore.
491 */
492 activate_task(this, TASK_IKE_ME);
493 #endif /* ME */
494 activate_task(this, TASK_IKE_AUTH);
495 activate_task(this, TASK_IKE_CERT_POST);
496 activate_task(this, TASK_IKE_CONFIG);
497 activate_task(this, TASK_CHILD_CREATE);
498 activate_task(this, TASK_IKE_AUTH_LIFETIME);
499 activate_task(this, TASK_IKE_MOBIKE);
500 }
501 break;
502 case IKE_ESTABLISHED:
503 if (activate_task(this, TASK_IKE_MOBIKE))
504 {
505 exchange = INFORMATIONAL;
506 break;
507 }
508 if (activate_task(this, TASK_IKE_DELETE))
509 {
510 exchange = INFORMATIONAL;
511 break;
512 }
513 if (activate_task(this, TASK_IKE_REDIRECT))
514 {
515 exchange = INFORMATIONAL;
516 break;
517 }
518 if (activate_task(this, TASK_CHILD_DELETE))
519 {
520 exchange = INFORMATIONAL;
521 break;
522 }
523 if (activate_task(this, TASK_IKE_REAUTH))
524 {
525 exchange = INFORMATIONAL;
526 break;
527 }
528 if (activate_task(this, TASK_CHILD_CREATE))
529 {
530 exchange = CREATE_CHILD_SA;
531 break;
532 }
533 if (activate_task(this, TASK_CHILD_REKEY))
534 {
535 exchange = CREATE_CHILD_SA;
536 break;
537 }
538 if (activate_task(this, TASK_IKE_REKEY))
539 {
540 exchange = CREATE_CHILD_SA;
541 break;
542 }
543 if (activate_task(this, TASK_IKE_DPD))
544 {
545 exchange = INFORMATIONAL;
546 break;
547 }
548 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
549 {
550 exchange = INFORMATIONAL;
551 break;
552 }
553 #ifdef ME
554 if (activate_task(this, TASK_IKE_ME))
555 {
556 exchange = ME_CONNECT;
557 break;
558 }
559 #endif /* ME */
560 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
561 {
562 exchange = INFORMATIONAL;
563 break;
564 }
565 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
566 {
567 exchange = INFORMATIONAL;
568 break;
569 }
570 case IKE_REKEYING:
571 case IKE_REKEYED:
572 if (activate_task(this, TASK_IKE_DELETE))
573 {
574 exchange = INFORMATIONAL;
575 break;
576 }
577 case IKE_DELETING:
578 default:
579 break;
580 }
581 }
582 else
583 {
584 DBG2(DBG_IKE, "reinitiating already active tasks");
585 enumerator = array_create_enumerator(this->active_tasks);
586 while (enumerator->enumerate(enumerator, &task))
587 {
588 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
589 switch (task->get_type(task))
590 {
591 case TASK_IKE_INIT:
592 exchange = IKE_SA_INIT;
593 break;
594 case TASK_IKE_AUTH:
595 exchange = IKE_AUTH;
596 break;
597 case TASK_CHILD_CREATE:
598 case TASK_CHILD_REKEY:
599 case TASK_IKE_REKEY:
600 exchange = CREATE_CHILD_SA;
601 break;
602 case TASK_IKE_MOBIKE:
603 exchange = INFORMATIONAL;
604 break;
605 default:
606 continue;
607 }
608 break;
609 }
610 enumerator->destroy(enumerator);
611 }
612
613 if (exchange == 0)
614 {
615 DBG2(DBG_IKE, "nothing to initiate");
616 /* nothing to do yet... */
617 return SUCCESS;
618 }
619
620 me = this->ike_sa->get_my_host(this->ike_sa);
621 other = this->ike_sa->get_other_host(this->ike_sa);
622
623 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
624 message->set_message_id(message, this->initiating.mid);
625 message->set_source(message, me->clone(me));
626 message->set_destination(message, other->clone(other));
627 message->set_exchange_type(message, exchange);
628 this->initiating.type = exchange;
629 this->initiating.retransmitted = 0;
630 this->initiating.deferred = FALSE;
631
632 enumerator = array_create_enumerator(this->active_tasks);
633 while (enumerator->enumerate(enumerator, &task))
634 {
635 switch (task->build(task, message))
636 {
637 case SUCCESS:
638 /* task completed, remove it */
639 array_remove_at(this->active_tasks, enumerator);
640 task->destroy(task);
641 break;
642 case NEED_MORE:
643 /* processed, but task needs another exchange */
644 break;
645 case FAILED:
646 default:
647 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
648 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
649 this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED)
650 {
651 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
652 }
653 /* FALL */
654 case DESTROY_ME:
655 /* critical failure, destroy IKE_SA */
656 enumerator->destroy(enumerator);
657 message->destroy(message);
658 flush(this);
659 return DESTROY_ME;
660 }
661 }
662 enumerator->destroy(enumerator);
663
664 /* update exchange type if a task changed it */
665 this->initiating.type = message->get_exchange_type(message);
666 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
667 {
668 message->destroy(message);
669 return initiate(this);
670 }
671
672 if (!generate_message(this, message, &this->initiating.packets))
673 {
674 /* message generation failed. There is nothing more to do than to
675 * close the SA */
676 message->destroy(message);
677 flush(this);
678 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
679 return DESTROY_ME;
680 }
681 message->destroy(message);
682
683 array_compress(this->active_tasks);
684 array_compress(this->queued_tasks);
685
686 return retransmit(this, this->initiating.mid);
687 }
688
689 /**
690 * handle an incoming response message
691 */
692 static status_t process_response(private_task_manager_t *this,
693 message_t *message)
694 {
695 enumerator_t *enumerator;
696 task_t *task;
697
698 if (message->get_exchange_type(message) != this->initiating.type)
699 {
700 DBG1(DBG_IKE, "received %N response, but expected %N",
701 exchange_type_names, message->get_exchange_type(message),
702 exchange_type_names, this->initiating.type);
703 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
704 return DESTROY_ME;
705 }
706
707 /* handle fatal INVALID_SYNTAX notifies */
708 switch (message->get_exchange_type(message))
709 {
710 case CREATE_CHILD_SA:
711 case INFORMATIONAL:
712 if (message->get_notify(message, INVALID_SYNTAX))
713 {
714 DBG1(DBG_IKE, "received %N notify error, destroying IKE_SA",
715 notify_type_names, INVALID_SYNTAX);
716 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
717 return DESTROY_ME;
718 }
719 break;
720 default:
721 break;
722 }
723
724 enumerator = array_create_enumerator(this->active_tasks);
725 while (enumerator->enumerate(enumerator, &task))
726 {
727 if (!task->pre_process)
728 {
729 continue;
730 }
731 switch (task->pre_process(task, message))
732 {
733 case SUCCESS:
734 break;
735 case FAILED:
736 default:
737 /* just ignore the message */
738 DBG1(DBG_IKE, "ignore invalid %N response",
739 exchange_type_names, message->get_exchange_type(message));
740 enumerator->destroy(enumerator);
741 return SUCCESS;
742 case DESTROY_ME:
743 /* critical failure, destroy IKE_SA */
744 enumerator->destroy(enumerator);
745 return DESTROY_ME;
746 }
747 }
748 enumerator->destroy(enumerator);
749
750 if (this->initiating.retransmitted > 1)
751 {
752 packet_t *packet = NULL;
753 array_get(this->initiating.packets, 0, &packet);
754 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
755 }
756
757 /* catch if we get reset while processing */
758 this->reset = FALSE;
759 enumerator = array_create_enumerator(this->active_tasks);
760 while (enumerator->enumerate(enumerator, &task))
761 {
762 switch (task->process(task, message))
763 {
764 case SUCCESS:
765 /* task completed, remove it */
766 array_remove_at(this->active_tasks, enumerator);
767 task->destroy(task);
768 break;
769 case NEED_MORE:
770 /* processed, but task needs another exchange */
771 break;
772 case FAILED:
773 default:
774 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
775 /* FALL */
776 case DESTROY_ME:
777 /* critical failure, destroy IKE_SA */
778 array_remove_at(this->active_tasks, enumerator);
779 enumerator->destroy(enumerator);
780 task->destroy(task);
781 return DESTROY_ME;
782 }
783 if (this->reset)
784 { /* start all over again if we were reset */
785 this->reset = FALSE;
786 enumerator->destroy(enumerator);
787 return initiate(this);
788 }
789 }
790 enumerator->destroy(enumerator);
791
792 this->initiating.mid++;
793 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
794 clear_packets(this->initiating.packets);
795
796 array_compress(this->active_tasks);
797
798 return initiate(this);
799 }
800
801 /**
802 * handle exchange collisions
803 */
804 static bool handle_collisions(private_task_manager_t *this, task_t *task)
805 {
806 enumerator_t *enumerator;
807 task_t *active;
808 task_type_t type;
809
810 type = task->get_type(task);
811
812 /* do we have to check */
813 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
814 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE)
815 {
816 /* find an exchange collision, and notify these tasks */
817 enumerator = array_create_enumerator(this->active_tasks);
818 while (enumerator->enumerate(enumerator, &active))
819 {
820 switch (active->get_type(active))
821 {
822 case TASK_IKE_REKEY:
823 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE)
824 {
825 ike_rekey_t *rekey = (ike_rekey_t*)active;
826 rekey->collide(rekey, task);
827 break;
828 }
829 continue;
830 case TASK_CHILD_REKEY:
831 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
832 {
833 child_rekey_t *rekey = (child_rekey_t*)active;
834 rekey->collide(rekey, task);
835 break;
836 }
837 continue;
838 default:
839 continue;
840 }
841 enumerator->destroy(enumerator);
842 return TRUE;
843 }
844 enumerator->destroy(enumerator);
845 }
846 return FALSE;
847 }
848
849 /**
850 * build a response depending on the "passive" task list
851 */
852 static status_t build_response(private_task_manager_t *this, message_t *request)
853 {
854 enumerator_t *enumerator;
855 task_t *task;
856 message_t *message;
857 host_t *me, *other;
858 bool delete = FALSE, hook = FALSE, mid_sync = FALSE;
859 ike_sa_id_t *id = NULL;
860 uint64_t responder_spi = 0;
861 bool result;
862
863 me = request->get_destination(request);
864 other = request->get_source(request);
865
866 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
867 message->set_exchange_type(message, request->get_exchange_type(request));
868 /* send response along the path the request came in */
869 message->set_source(message, me->clone(me));
870 message->set_destination(message, other->clone(other));
871 message->set_message_id(message, this->responding.mid);
872 message->set_request(message, FALSE);
873
874 enumerator = array_create_enumerator(this->passive_tasks);
875 while (enumerator->enumerate(enumerator, (void*)&task))
876 {
877 if (task->get_type(task) == TASK_IKE_MID_SYNC)
878 {
879 mid_sync = TRUE;
880 }
881 switch (task->build(task, message))
882 {
883 case SUCCESS:
884 /* task completed, remove it */
885 array_remove_at(this->passive_tasks, enumerator);
886 if (!handle_collisions(this, task))
887 {
888 task->destroy(task);
889 }
890 break;
891 case NEED_MORE:
892 /* processed, but task needs another exchange */
893 if (handle_collisions(this, task))
894 {
895 array_remove_at(this->passive_tasks, enumerator);
896 }
897 break;
898 case FAILED:
899 default:
900 hook = TRUE;
901 /* FALL */
902 case DESTROY_ME:
903 /* destroy IKE_SA, but SEND response first */
904 if (handle_collisions(this, task))
905 {
906 array_remove_at(this->passive_tasks, enumerator);
907 }
908 delete = TRUE;
909 break;
910 }
911 if (delete)
912 {
913 break;
914 }
915 }
916 enumerator->destroy(enumerator);
917
918 /* RFC 5996, section 2.6 mentions that in the event of a failure during
919 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
920 * actually explicitly allows it to be non-zero. Since we use the responder
921 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
922 * zero temporarily, otherwise checking the SA in would fail. */
923 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
924 {
925 id = this->ike_sa->get_id(this->ike_sa);
926 responder_spi = id->get_responder_spi(id);
927 id->set_responder_spi(id, 0);
928 }
929
930 /* message complete, send it */
931 clear_packets(this->responding.packets);
932 result = generate_message(this, message, &this->responding.packets);
933 message->destroy(message);
934 if (id)
935 {
936 id->set_responder_spi(id, responder_spi);
937 }
938 if (!result)
939 {
940 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
941 return DESTROY_ME;
942 }
943
944 send_packets(this, this->responding.packets, NULL, NULL);
945 if (delete)
946 {
947 if (hook)
948 {
949 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
950 }
951 return DESTROY_ME;
952 }
953 else if (mid_sync)
954 {
955 /* we don't want to resend messages to sync MIDs if requests with the
956 * previous MID arrive */
957 clear_packets(this->responding.packets);
958 /* avoid increasing the expected message ID after handling a message
959 * to sync MIDs with MID 0 */
960 return NEED_MORE;
961 }
962
963 array_compress(this->passive_tasks);
964
965 return SUCCESS;
966 }
967
968 /**
969 * handle an incoming request message
970 */
971 static status_t process_request(private_task_manager_t *this,
972 message_t *message)
973 {
974 enumerator_t *enumerator;
975 task_t *task = NULL;
976 payload_t *payload;
977 notify_payload_t *notify;
978 delete_payload_t *delete;
979 ike_sa_state_t state;
980
981 if (array_count(this->passive_tasks) == 0)
982 { /* create tasks depending on request type, if not already some queued */
983 state = this->ike_sa->get_state(this->ike_sa);
984 switch (message->get_exchange_type(message))
985 {
986 case IKE_SA_INIT:
987 {
988 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
989 array_insert(this->passive_tasks, ARRAY_TAIL, task);
990 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
991 array_insert(this->passive_tasks, ARRAY_TAIL, task);
992 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
993 array_insert(this->passive_tasks, ARRAY_TAIL, task);
994 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
995 array_insert(this->passive_tasks, ARRAY_TAIL, task);
996 #ifdef ME
997 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
998 array_insert(this->passive_tasks, ARRAY_TAIL, task);
999 #endif /* ME */
1000 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
1001 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1002 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
1003 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1004 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
1005 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1006 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
1007 NULL, NULL);
1008 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1009 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
1010 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1011 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
1012 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1013 break;
1014 }
1015 case CREATE_CHILD_SA:
1016 { /* FIXME: we should prevent this on mediation connections */
1017 bool notify_found = FALSE, ts_found = FALSE;
1018
1019 if (state == IKE_CREATED ||
1020 state == IKE_CONNECTING)
1021 {
1022 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
1023 "unestablished IKE_SA, rejected");
1024 return FAILED;
1025 }
1026
1027 enumerator = message->create_payload_enumerator(message);
1028 while (enumerator->enumerate(enumerator, &payload))
1029 {
1030 switch (payload->get_type(payload))
1031 {
1032 case PLV2_NOTIFY:
1033 { /* if we find a rekey notify, its CHILD_SA rekeying */
1034 notify = (notify_payload_t*)payload;
1035 if (notify->get_notify_type(notify) == REKEY_SA &&
1036 (notify->get_protocol_id(notify) == PROTO_AH ||
1037 notify->get_protocol_id(notify) == PROTO_ESP))
1038 {
1039 notify_found = TRUE;
1040 }
1041 break;
1042 }
1043 case PLV2_TS_INITIATOR:
1044 case PLV2_TS_RESPONDER:
1045 { /* if we don't find a TS, its IKE rekeying */
1046 ts_found = TRUE;
1047 break;
1048 }
1049 default:
1050 break;
1051 }
1052 }
1053 enumerator->destroy(enumerator);
1054
1055 if (ts_found)
1056 {
1057 if (notify_found)
1058 {
1059 task = (task_t*)child_rekey_create(this->ike_sa,
1060 PROTO_NONE, 0);
1061 }
1062 else
1063 {
1064 task = (task_t*)child_create_create(this->ike_sa, NULL,
1065 FALSE, NULL, NULL);
1066 }
1067 }
1068 else
1069 {
1070 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
1071 }
1072 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1073 break;
1074 }
1075 case INFORMATIONAL:
1076 {
1077 enumerator = message->create_payload_enumerator(message);
1078 while (enumerator->enumerate(enumerator, &payload))
1079 {
1080 switch (payload->get_type(payload))
1081 {
1082 case PLV2_NOTIFY:
1083 {
1084 notify = (notify_payload_t*)payload;
1085 if (state == IKE_REKEYED)
1086 {
1087 DBG1(DBG_IKE, "received unexpected notify %N "
1088 "for rekeyed IKE_SA, ignored",
1089 notify_type_names,
1090 notify->get_notify_type(notify));
1091 break;
1092 }
1093 switch (notify->get_notify_type(notify))
1094 {
1095 case ADDITIONAL_IP4_ADDRESS:
1096 case ADDITIONAL_IP6_ADDRESS:
1097 case NO_ADDITIONAL_ADDRESSES:
1098 case UPDATE_SA_ADDRESSES:
1099 case NO_NATS_ALLOWED:
1100 case UNACCEPTABLE_ADDRESSES:
1101 case UNEXPECTED_NAT_DETECTED:
1102 case COOKIE2:
1103 case NAT_DETECTION_SOURCE_IP:
1104 case NAT_DETECTION_DESTINATION_IP:
1105 task = (task_t*)ike_mobike_create(
1106 this->ike_sa, FALSE);
1107 break;
1108 case AUTH_LIFETIME:
1109 task = (task_t*)ike_auth_lifetime_create(
1110 this->ike_sa, FALSE);
1111 break;
1112 case AUTHENTICATION_FAILED:
1113 /* initiator failed to authenticate us.
1114 * We use ike_delete to handle this, which
1115 * invokes all the required hooks. */
1116 task = (task_t*)ike_delete_create(
1117 this->ike_sa, FALSE);
1118 break;
1119 case REDIRECT:
1120 task = (task_t*)ike_redirect_create(
1121 this->ike_sa, NULL);
1122 break;
1123 case IKEV2_MESSAGE_ID_SYNC:
1124 task = (task_t*)ike_mid_sync_create(
1125 this->ike_sa);
1126 break;
1127 default:
1128 break;
1129 }
1130 break;
1131 }
1132 case PLV2_DELETE:
1133 {
1134 delete = (delete_payload_t*)payload;
1135 if (delete->get_protocol_id(delete) == PROTO_IKE)
1136 {
1137 task = (task_t*)ike_delete_create(this->ike_sa,
1138 FALSE);
1139 }
1140 else
1141 {
1142 task = (task_t*)child_delete_create(this->ike_sa,
1143 PROTO_NONE, 0, FALSE);
1144 }
1145 break;
1146 }
1147 default:
1148 break;
1149 }
1150 if (task)
1151 {
1152 break;
1153 }
1154 }
1155 enumerator->destroy(enumerator);
1156
1157 if (task == NULL)
1158 {
1159 task = (task_t*)ike_dpd_create(FALSE);
1160 }
1161 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1162 break;
1163 }
1164 #ifdef ME
1165 case ME_CONNECT:
1166 {
1167 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1168 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1169 }
1170 #endif /* ME */
1171 default:
1172 break;
1173 }
1174 }
1175
1176 enumerator = array_create_enumerator(this->passive_tasks);
1177 while (enumerator->enumerate(enumerator, &task))
1178 {
1179 if (!task->pre_process)
1180 {
1181 continue;
1182 }
1183 switch (task->pre_process(task, message))
1184 {
1185 case SUCCESS:
1186 break;
1187 case FAILED:
1188 default:
1189 /* just ignore the message */
1190 DBG1(DBG_IKE, "ignore invalid %N request",
1191 exchange_type_names, message->get_exchange_type(message));
1192 enumerator->destroy(enumerator);
1193 switch (message->get_exchange_type(message))
1194 {
1195 case IKE_SA_INIT:
1196 /* no point in keeping the SA when it was created with
1197 * an invalid IKE_SA_INIT message */
1198 return DESTROY_ME;
1199 default:
1200 /* remove tasks we queued for this request */
1201 flush_queue(this, TASK_QUEUE_PASSIVE);
1202 /* fall-through */
1203 case IKE_AUTH:
1204 return NEED_MORE;
1205 }
1206 case DESTROY_ME:
1207 /* critical failure, destroy IKE_SA */
1208 enumerator->destroy(enumerator);
1209 return DESTROY_ME;
1210 }
1211 }
1212 enumerator->destroy(enumerator);
1213
1214 /* let the tasks process the message */
1215 enumerator = array_create_enumerator(this->passive_tasks);
1216 while (enumerator->enumerate(enumerator, (void*)&task))
1217 {
1218 switch (task->process(task, message))
1219 {
1220 case SUCCESS:
1221 /* task completed, remove it */
1222 array_remove_at(this->passive_tasks, enumerator);
1223 task->destroy(task);
1224 break;
1225 case NEED_MORE:
1226 /* processed, but task needs at least another call to build() */
1227 break;
1228 case FAILED:
1229 default:
1230 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1231 /* FALL */
1232 case DESTROY_ME:
1233 /* critical failure, destroy IKE_SA */
1234 array_remove_at(this->passive_tasks, enumerator);
1235 enumerator->destroy(enumerator);
1236 task->destroy(task);
1237 return DESTROY_ME;
1238 }
1239 }
1240 enumerator->destroy(enumerator);
1241
1242 return build_response(this, message);
1243 }
1244
1245 METHOD(task_manager_t, incr_mid, void,
1246 private_task_manager_t *this, bool initiate)
1247 {
1248 if (initiate)
1249 {
1250 this->initiating.mid++;
1251 }
1252 else
1253 {
1254 this->responding.mid++;
1255 }
1256 }
1257
1258 METHOD(task_manager_t, get_mid, uint32_t,
1259 private_task_manager_t *this, bool initiate)
1260 {
1261 return initiate ? this->initiating.mid : this->responding.mid;
1262 }
1263
1264 /**
1265 * Handle the given IKE fragment, if it is one.
1266 *
1267 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1268 * handled properly. Error states are returned if the fragment was invalid or
1269 * the reassembled message could not have been processed properly.
1270 */
1271 static status_t handle_fragment(private_task_manager_t *this,
1272 message_t **defrag, message_t *msg)
1273 {
1274 message_t *reassembled;
1275 status_t status;
1276
1277 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1278 {
1279 return SUCCESS;
1280 }
1281 if (!*defrag)
1282 {
1283 *defrag = message_create_defrag(msg);
1284 if (!*defrag)
1285 {
1286 return FAILED;
1287 }
1288 }
1289 status = (*defrag)->add_fragment(*defrag, msg);
1290 if (status == SUCCESS)
1291 {
1292 /* reinject the reassembled message */
1293 reassembled = *defrag;
1294 *defrag = NULL;
1295 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1296 if (status == SUCCESS)
1297 {
1298 /* avoid processing the last fragment */
1299 status = NEED_MORE;
1300 }
1301 reassembled->destroy(reassembled);
1302 }
1303 return status;
1304 }
1305
1306 /**
1307 * Send a notify back to the sender
1308 */
1309 static void send_notify_response(private_task_manager_t *this,
1310 message_t *request, notify_type_t type,
1311 chunk_t data)
1312 {
1313 message_t *response;
1314 packet_t *packet;
1315 host_t *me, *other;
1316
1317 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1318 response->set_exchange_type(response, request->get_exchange_type(request));
1319 response->set_request(response, FALSE);
1320 response->set_message_id(response, request->get_message_id(request));
1321 response->add_notify(response, FALSE, type, data);
1322 me = this->ike_sa->get_my_host(this->ike_sa);
1323 if (me->is_anyaddr(me))
1324 {
1325 me = request->get_destination(request);
1326 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1327 }
1328 other = this->ike_sa->get_other_host(this->ike_sa);
1329 if (other->is_anyaddr(other))
1330 {
1331 other = request->get_source(request);
1332 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1333 }
1334 response->set_source(response, me->clone(me));
1335 response->set_destination(response, other->clone(other));
1336 if (this->ike_sa->generate_message(this->ike_sa, response,
1337 &packet) == SUCCESS)
1338 {
1339 charon->sender->send(charon->sender, packet);
1340 }
1341 response->destroy(response);
1342 }
1343
1344 /**
1345 * Send an INVALID_SYNTAX notify and destroy the IKE_SA for authenticated
1346 * messages.
1347 */
1348 static status_t send_invalid_syntax(private_task_manager_t *this,
1349 message_t *msg)
1350 {
1351 send_notify_response(this, msg, INVALID_SYNTAX, chunk_empty);
1352 incr_mid(this, FALSE);
1353
1354 /* IKE_SA_INIT is currently the only type the parser accepts unprotected,
1355 * don't destroy the IKE_SA if such a message is invalid */
1356 if (msg->get_exchange_type(msg) == IKE_SA_INIT)
1357 {
1358 return FAILED;
1359 }
1360 return DESTROY_ME;
1361 }
1362
1363 /**
1364 * Parse the given message and verify that it is valid.
1365 */
1366 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1367 {
1368 status_t parse_status, status;
1369 uint8_t type = 0;
1370
1371 parse_status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1372
1373 if (parse_status == SUCCESS)
1374 { /* check for unsupported critical payloads */
1375 enumerator_t *enumerator;
1376 unknown_payload_t *unknown;
1377 payload_t *payload;
1378
1379 enumerator = msg->create_payload_enumerator(msg);
1380 while (enumerator->enumerate(enumerator, &payload))
1381 {
1382 if (payload->get_type(payload) == PL_UNKNOWN)
1383 {
1384 unknown = (unknown_payload_t*)payload;
1385 if (unknown->is_critical(unknown))
1386 {
1387 type = unknown->get_type(unknown);
1388 DBG1(DBG_ENC, "payload type %N is not supported, "
1389 "but payload is critical!", payload_type_names, type);
1390 parse_status = NOT_SUPPORTED;
1391 break;
1392 }
1393 }
1394 }
1395 enumerator->destroy(enumerator);
1396 }
1397
1398 status = parse_status;
1399
1400 if (parse_status != SUCCESS)
1401 {
1402 bool is_request = msg->get_request(msg);
1403
1404 switch (parse_status)
1405 {
1406 case NOT_SUPPORTED:
1407 DBG1(DBG_IKE, "critical unknown payloads found");
1408 if (is_request)
1409 {
1410 send_notify_response(this, msg,
1411 UNSUPPORTED_CRITICAL_PAYLOAD,
1412 chunk_from_thing(type));
1413 incr_mid(this, FALSE);
1414 }
1415 break;
1416 case PARSE_ERROR:
1417 DBG1(DBG_IKE, "message parsing failed");
1418 if (is_request)
1419 {
1420 status = send_invalid_syntax(this, msg);
1421 }
1422 break;
1423 case VERIFY_ERROR:
1424 DBG1(DBG_IKE, "message verification failed");
1425 if (is_request)
1426 {
1427 status = send_invalid_syntax(this, msg);
1428 }
1429 break;
1430 case FAILED:
1431 DBG1(DBG_IKE, "integrity check failed");
1432 /* ignored */
1433 break;
1434 case INVALID_STATE:
1435 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1436 default:
1437 break;
1438 }
1439 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1440 exchange_type_names, msg->get_exchange_type(msg),
1441 is_request ? "request" : "response",
1442 msg->get_message_id(msg));
1443
1444 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg,
1445 parse_status);
1446
1447 switch (this->ike_sa->get_state(this->ike_sa))
1448 {
1449 case IKE_CREATED:
1450 /* invalid initiation attempt, close SA */
1451 status = DESTROY_ME;
1452 break;
1453 case IKE_CONNECTING:
1454 case IKE_REKEYED:
1455 /* don't trigger updown event in these states */
1456 break;
1457 default:
1458 if (status == DESTROY_ME)
1459 {
1460 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1461 }
1462 break;
1463 }
1464 }
1465 return status;
1466 }
1467
1468 /**
1469 * Check if a message with message ID 0 looks like it is used to synchronize
1470 * the message IDs.
1471 */
1472 static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
1473 bool strict)
1474 {
1475 enumerator_t *enumerator;
1476 notify_payload_t *notify;
1477 payload_t *payload;
1478 bool found = FALSE, other = FALSE;
1479
1480 if (msg->get_exchange_type(msg) == INFORMATIONAL)
1481 {
1482 enumerator = msg->create_payload_enumerator(msg);
1483 while (enumerator->enumerate(enumerator, &payload))
1484 {
1485 if (payload->get_type(payload) == PLV2_NOTIFY)
1486 {
1487 notify = (notify_payload_t*)payload;
1488 switch (notify->get_notify_type(notify))
1489 {
1490 case IKEV2_MESSAGE_ID_SYNC:
1491 case IPSEC_REPLAY_COUNTER_SYNC:
1492 found = TRUE;
1493 continue;
1494 default:
1495 break;
1496 }
1497 }
1498 if (strict)
1499 {
1500 other = TRUE;
1501 break;
1502 }
1503 }
1504 enumerator->destroy(enumerator);
1505 }
1506 return found && !other;
1507 }
1508
1509 /**
1510 * Check whether we should reject the given request message
1511 */
1512 static inline bool reject_request(private_task_manager_t *this,
1513 message_t *msg)
1514 {
1515 ike_sa_state_t state;
1516 exchange_type_t type;
1517 ike_sa_id_t *ike_sa_id;
1518 bool reject = FALSE;
1519
1520 state = this->ike_sa->get_state(this->ike_sa);
1521 type = msg->get_exchange_type(msg);
1522
1523 /* reject initial messages if not received in specific states */
1524 switch (type)
1525 {
1526 case IKE_SA_INIT:
1527 reject = state != IKE_CREATED;
1528 break;
1529 case IKE_AUTH:
1530 reject = state != IKE_CONNECTING;
1531 break;
1532 default:
1533 break;
1534 }
1535
1536 if (!reject)
1537 {
1538 switch (state)
1539 {
1540 /* after rekeying we only expect a DELETE in an INFORMATIONAL */
1541 case IKE_REKEYED:
1542 reject = type != INFORMATIONAL;
1543 break;
1544 /* also reject requests for half-open IKE_SAs as initiator */
1545 case IKE_CREATED:
1546 case IKE_CONNECTING:
1547 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1548 reject = ike_sa_id->is_initiator(ike_sa_id);
1549 break;
1550 default:
1551 break;
1552 }
1553 }
1554
1555 if (reject)
1556 {
1557 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names,
1558 type, ike_sa_state_names, state);
1559 }
1560 return reject;
1561 }
1562 /**
1563 * Check if a message with message ID 0 looks like it is used to synchronize
1564 * the message IDs and we are prepared to process it.
1565 *
1566 * Note: This is not called if the responder never sent a message before (i.e.
1567 * we expect MID 0).
1568 */
1569 static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
1570 {
1571 if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
1572 this->ike_sa->supports_extension(this->ike_sa,
1573 EXT_IKE_MESSAGE_ID_SYNC))
1574 {
1575 return looks_like_mid_sync(this, msg, TRUE);
1576 }
1577 return FALSE;
1578 }
1579
1580 METHOD(task_manager_t, process_message, status_t,
1581 private_task_manager_t *this, message_t *msg)
1582 {
1583 host_t *me, *other;
1584 status_t status;
1585 uint32_t mid;
1586 bool schedule_delete_job = FALSE;
1587
1588 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1589 status = parse_message(this, msg);
1590 if (status != SUCCESS)
1591 {
1592 return status;
1593 }
1594
1595 me = msg->get_destination(msg);
1596 other = msg->get_source(msg);
1597
1598 /* if this IKE_SA is virgin, we check for a config */
1599 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1600 {
1601 ike_cfg_t *ike_cfg;
1602
1603 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1604 me, other, IKEV2);
1605 if (ike_cfg == NULL)
1606 {
1607 /* no config found for these hosts, destroy */
1608 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1609 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1610 send_notify_response(this, msg,
1611 NO_PROPOSAL_CHOSEN, chunk_empty);
1612 return DESTROY_ME;
1613 }
1614 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1615 ike_cfg->destroy(ike_cfg);
1616 /* add a timeout if peer does not establish it completely */
1617 schedule_delete_job = TRUE;
1618 }
1619
1620 mid = msg->get_message_id(msg);
1621 if (msg->get_request(msg))
1622 {
1623 if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
1624 {
1625 if (reject_request(this, msg))
1626 {
1627 return FAILED;
1628 }
1629 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1630 { /* with MOBIKE, we do no implicit updates */
1631 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1632 }
1633 status = handle_fragment(this, &this->responding.defrag, msg);
1634 if (status != SUCCESS)
1635 {
1636 if (status == NEED_MORE)
1637 {
1638 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1639 time_monotonic(NULL));
1640 }
1641 return status;
1642 }
1643 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1644 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1645 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1646 return SUCCESS;
1647 }
1648 switch (process_request(this, msg))
1649 {
1650 case SUCCESS:
1651 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1652 time_monotonic(NULL));
1653 this->responding.mid++;
1654 break;
1655 case NEED_MORE:
1656 break;
1657 default:
1658 flush(this);
1659 return DESTROY_ME;
1660 }
1661 }
1662 else if ((mid == this->responding.mid - 1) &&
1663 array_count(this->responding.packets) &&
1664 !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
1665 {
1666 status = handle_fragment(this, &this->responding.defrag, msg);
1667 if (status != SUCCESS)
1668 {
1669 if (status == NEED_MORE)
1670 {
1671 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1672 time_monotonic(NULL));
1673 }
1674 return status;
1675 }
1676 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1677 "retransmitting response", mid);
1678 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1679 time_monotonic(NULL));
1680 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1681 send_packets(this, this->responding.packets,
1682 msg->get_destination(msg), msg->get_source(msg));
1683 }
1684 else
1685 {
1686 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1687 mid, this->responding.mid);
1688 }
1689 }
1690 else
1691 {
1692 if (mid == this->initiating.mid)
1693 {
1694 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1695 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1696 msg->get_exchange_type(msg) != IKE_SA_INIT)
1697 { /* only do updates based on verified messages (or initial ones) */
1698 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1699 { /* with MOBIKE, we do no implicit updates. we force an
1700 * update of the local address on IKE_SA_INIT, but never
1701 * for the remote address */
1702 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1703 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1704 }
1705 }
1706 status = handle_fragment(this, &this->initiating.defrag, msg);
1707 if (status != SUCCESS)
1708 {
1709 if (status == NEED_MORE)
1710 {
1711 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1712 time_monotonic(NULL));
1713 }
1714 return status;
1715 }
1716 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1717 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1718 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1719 return SUCCESS;
1720 }
1721 if (process_response(this, msg) != SUCCESS)
1722 {
1723 flush(this);
1724 return DESTROY_ME;
1725 }
1726 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1727 time_monotonic(NULL));
1728 }
1729 else
1730 {
1731 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1732 mid, this->initiating.mid);
1733 return SUCCESS;
1734 }
1735 }
1736
1737 if (schedule_delete_job)
1738 {
1739 ike_sa_id_t *ike_sa_id;
1740 job_t *job;
1741
1742 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1743 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1744 lib->scheduler->schedule_job(lib->scheduler, job,
1745 lib->settings->get_int(lib->settings,
1746 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1747 lib->ns));
1748 }
1749 return SUCCESS;
1750 }
1751
1752 METHOD(task_manager_t, queue_task_delayed, void,
1753 private_task_manager_t *this, task_t *task, uint32_t delay)
1754 {
1755 queued_task_t *queued;
1756 timeval_t time;
1757
1758 time_monotonic(&time);
1759 if (delay)
1760 {
1761 job_t *job;
1762
1763 DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names,
1764 task->get_type(task), delay);
1765 time.tv_sec += delay;
1766
1767 job = (job_t*)initiate_tasks_job_create(
1768 this->ike_sa->get_id(this->ike_sa));
1769 lib->scheduler->schedule_job_tv(lib->scheduler, job, time);
1770 }
1771 else
1772 {
1773 DBG2(DBG_IKE, "queueing %N task", task_type_names,
1774 task->get_type(task));
1775 }
1776 INIT(queued,
1777 .task = task,
1778 .time = time,
1779 );
1780 array_insert(this->queued_tasks, ARRAY_TAIL, queued);
1781 }
1782
1783 METHOD(task_manager_t, queue_task, void,
1784 private_task_manager_t *this, task_t *task)
1785 {
1786 queue_task_delayed(this, task, 0);
1787 }
1788
1789 /**
1790 * Check if a given task has been queued already
1791 */
1792 static bool has_queued(private_task_manager_t *this, task_type_t type)
1793 {
1794 enumerator_t *enumerator;
1795 bool found = FALSE;
1796 queued_task_t *queued;
1797
1798 enumerator = array_create_enumerator(this->queued_tasks);
1799 while (enumerator->enumerate(enumerator, &queued))
1800 {
1801 if (queued->task->get_type(queued->task) == type)
1802 {
1803 found = TRUE;
1804 break;
1805 }
1806 }
1807 enumerator->destroy(enumerator);
1808 return found;
1809 }
1810
1811 METHOD(task_manager_t, queue_ike, void,
1812 private_task_manager_t *this)
1813 {
1814 if (!has_queued(this, TASK_IKE_VENDOR))
1815 {
1816 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1817 }
1818 if (!has_queued(this, TASK_IKE_INIT))
1819 {
1820 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1821 }
1822 if (!has_queued(this, TASK_IKE_NATD))
1823 {
1824 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1825 }
1826 if (!has_queued(this, TASK_IKE_CERT_PRE))
1827 {
1828 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1829 }
1830 if (!has_queued(this, TASK_IKE_AUTH))
1831 {
1832 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1833 }
1834 if (!has_queued(this, TASK_IKE_CERT_POST))
1835 {
1836 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1837 }
1838 if (!has_queued(this, TASK_IKE_CONFIG))
1839 {
1840 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1841 }
1842 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1843 {
1844 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1845 }
1846 if (!has_queued(this, TASK_IKE_MOBIKE))
1847 {
1848 peer_cfg_t *peer_cfg;
1849
1850 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1851 if (peer_cfg->use_mobike(peer_cfg))
1852 {
1853 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1854 }
1855 }
1856 #ifdef ME
1857 if (!has_queued(this, TASK_IKE_ME))
1858 {
1859 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1860 }
1861 #endif /* ME */
1862 }
1863
1864 METHOD(task_manager_t, queue_ike_rekey, void,
1865 private_task_manager_t *this)
1866 {
1867 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1868 }
1869
1870 /**
1871 * Start reauthentication using make-before-break
1872 */
1873 static void trigger_mbb_reauth(private_task_manager_t *this)
1874 {
1875 enumerator_t *enumerator;
1876 child_sa_t *child_sa;
1877 child_cfg_t *cfg;
1878 peer_cfg_t *peer;
1879 ike_sa_t *new;
1880 host_t *host;
1881 queued_task_t *queued;
1882 bool children = FALSE;
1883
1884 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1885 this->ike_sa->get_version(this->ike_sa), TRUE);
1886 if (!new)
1887 { /* shouldn't happen */
1888 return;
1889 }
1890
1891 peer = this->ike_sa->get_peer_cfg(this->ike_sa);
1892 new->set_peer_cfg(new, peer);
1893 host = this->ike_sa->get_other_host(this->ike_sa);
1894 new->set_other_host(new, host->clone(host));
1895 host = this->ike_sa->get_my_host(this->ike_sa);
1896 new->set_my_host(new, host->clone(host));
1897 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1898 while (enumerator->enumerate(enumerator, &host))
1899 {
1900 new->add_virtual_ip(new, TRUE, host);
1901 }
1902 enumerator->destroy(enumerator);
1903
1904 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1905 while (enumerator->enumerate(enumerator, &child_sa))
1906 {
1907 child_create_t *child_create;
1908
1909 switch (child_sa->get_state(child_sa))
1910 {
1911 case CHILD_REKEYED:
1912 case CHILD_DELETED:
1913 /* ignore CHILD_SAs in these states */
1914 continue;
1915 default:
1916 break;
1917 }
1918 cfg = child_sa->get_config(child_sa);
1919 child_create = child_create_create(new, cfg->get_ref(cfg),
1920 FALSE, NULL, NULL);
1921 child_create->use_reqid(child_create, child_sa->get_reqid(child_sa));
1922 child_create->use_marks(child_create,
1923 child_sa->get_mark(child_sa, TRUE).value,
1924 child_sa->get_mark(child_sa, FALSE).value);
1925 /* interface IDs are not migrated as the new CHILD_SAs on old and new
1926 * IKE_SA go though regular updown events */
1927 new->queue_task(new, &child_create->task);
1928 children = TRUE;
1929 }
1930 enumerator->destroy(enumerator);
1931
1932 enumerator = array_create_enumerator(this->queued_tasks);
1933 while (enumerator->enumerate(enumerator, &queued))
1934 {
1935 if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE)
1936 {
1937 queued->task->migrate(queued->task, new);
1938 new->queue_task(new, queued->task);
1939 array_remove_at(this->queued_tasks, enumerator);
1940 free(queued);
1941 children = TRUE;
1942 }
1943 }
1944 enumerator->destroy(enumerator);
1945
1946 if (!children
1947 #ifdef ME
1948 /* allow reauth of mediation connections without CHILD_SAs */
1949 && !peer->is_mediation(peer)
1950 #endif /* ME */
1951 )
1952 {
1953 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1954 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
1955 "to recreate");
1956 return;
1957 }
1958
1959 /* suspend online revocation checking until the SA is established */
1960 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
1961
1962 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1963 {
1964 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
1965 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1966 this->ike_sa->get_id(this->ike_sa)));
1967 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1968 }
1969 else
1970 {
1971 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1972 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1973 }
1974 charon->bus->set_sa(charon->bus, this->ike_sa);
1975 }
1976
1977 METHOD(task_manager_t, queue_ike_reauth, void,
1978 private_task_manager_t *this)
1979 {
1980 if (this->make_before_break)
1981 {
1982 return trigger_mbb_reauth(this);
1983 }
1984 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1985 }
1986
1987 METHOD(task_manager_t, queue_ike_delete, void,
1988 private_task_manager_t *this)
1989 {
1990 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1991 }
1992
1993 /**
1994 * There is no need to queue more than one mobike task, so this either returns
1995 * an already queued task or queues one if there is none yet.
1996 */
1997 static ike_mobike_t *queue_mobike_task(private_task_manager_t *this)
1998 {
1999 enumerator_t *enumerator;
2000 queued_task_t *queued;
2001 ike_mobike_t *mobike = NULL;
2002
2003 enumerator = array_create_enumerator(this->queued_tasks);
2004 while (enumerator->enumerate(enumerator, &queued))
2005 {
2006 if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
2007 {
2008 mobike = (ike_mobike_t*)queued->task;
2009 break;
2010 }
2011 }
2012 enumerator->destroy(enumerator);
2013
2014 if (!mobike)
2015 {
2016 mobike = ike_mobike_create(this->ike_sa, TRUE);
2017 queue_task(this, &mobike->task);
2018 }
2019 return mobike;
2020 }
2021
2022 METHOD(task_manager_t, queue_mobike, void,
2023 private_task_manager_t *this, bool roam, bool address)
2024 {
2025 ike_mobike_t *mobike;
2026
2027 mobike = queue_mobike_task(this);
2028 if (roam)
2029 {
2030 enumerator_t *enumerator;
2031 task_t *current;
2032
2033 mobike->roam(mobike, address);
2034
2035 /* enable path probing for a currently active MOBIKE task. This might
2036 * not be the case if an address appeared on a new interface while the
2037 * current address is not working but has not yet disappeared. */
2038 enumerator = array_create_enumerator(this->active_tasks);
2039 while (enumerator->enumerate(enumerator, &current))
2040 {
2041 if (current->get_type(current) == TASK_IKE_MOBIKE)
2042 {
2043 ike_mobike_t *active = (ike_mobike_t*)current;
2044 active->enable_probing(active);
2045 break;
2046 }
2047 }
2048 enumerator->destroy(enumerator);
2049 }
2050 else
2051 {
2052 mobike->addresses(mobike);
2053 }
2054 }
2055
2056 METHOD(task_manager_t, queue_dpd, void,
2057 private_task_manager_t *this)
2058 {
2059 ike_mobike_t *mobike;
2060
2061 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
2062 {
2063 #ifdef ME
2064 peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
2065 if (cfg->get_peer_id(cfg) ||
2066 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
2067 #else
2068 if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
2069 #endif
2070 {
2071 /* use mobike enabled DPD to detect NAT mapping changes */
2072 mobike = queue_mobike_task(this);
2073 mobike->dpd(mobike);
2074 return;
2075 }
2076 }
2077 queue_task(this, (task_t*)ike_dpd_create(TRUE));
2078 }
2079
2080 METHOD(task_manager_t, queue_child, void,
2081 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
2082 traffic_selector_t *tsi, traffic_selector_t *tsr)
2083 {
2084 child_create_t *task;
2085
2086 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
2087 if (reqid)
2088 {
2089 task->use_reqid(task, reqid);
2090 }
2091 queue_task(this, &task->task);
2092 }
2093
2094 METHOD(task_manager_t, queue_child_rekey, void,
2095 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
2096 {
2097 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
2098 }
2099
2100 METHOD(task_manager_t, queue_child_delete, void,
2101 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
2102 bool expired)
2103 {
2104 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
2105 protocol, spi, expired));
2106 }
2107
2108 METHOD(task_manager_t, adopt_tasks, void,
2109 private_task_manager_t *this, task_manager_t *other_public)
2110 {
2111 private_task_manager_t *other = (private_task_manager_t*)other_public;
2112 queued_task_t *queued;
2113 timeval_t now;
2114
2115 time_monotonic(&now);
2116
2117 /* move queued tasks from other to this */
2118 while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued))
2119 {
2120 DBG2(DBG_IKE, "migrating %N task", task_type_names,
2121 queued->task->get_type(queued->task));
2122 queued->task->migrate(queued->task, this->ike_sa);
2123 /* don't delay tasks on the new IKE_SA */
2124 queued->time = now;
2125 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2126 }
2127 }
2128
2129 METHOD(task_manager_t, busy, bool,
2130 private_task_manager_t *this)
2131 {
2132 return array_count(this->active_tasks) > 0;
2133 }
2134
2135 METHOD(task_manager_t, reset, void,
2136 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
2137 {
2138 enumerator_t *enumerator;
2139 queued_task_t *queued;
2140 task_t *task;
2141 timeval_t now;
2142
2143 /* reset message counters and retransmit packets */
2144 clear_packets(this->responding.packets);
2145 clear_packets(this->initiating.packets);
2146 DESTROY_IF(this->responding.defrag);
2147 DESTROY_IF(this->initiating.defrag);
2148 this->responding.defrag = NULL;
2149 this->initiating.defrag = NULL;
2150 if (initiate != UINT_MAX)
2151 {
2152 this->initiating.mid = initiate;
2153 }
2154 if (respond != UINT_MAX)
2155 {
2156 this->responding.mid = respond;
2157 }
2158 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
2159
2160 time_monotonic(&now);
2161 /* reset queued tasks */
2162 enumerator = array_create_enumerator(this->queued_tasks);
2163 while (enumerator->enumerate(enumerator, &queued))
2164 {
2165 queued->time = now;
2166 queued->task->migrate(queued->task, this->ike_sa);
2167 }
2168 enumerator->destroy(enumerator);
2169
2170 /* reset active tasks */
2171 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
2172 {
2173 task->migrate(task, this->ike_sa);
2174 INIT(queued,
2175 .task = task,
2176 .time = now,
2177 );
2178 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2179 }
2180
2181 this->reset = TRUE;
2182 }
2183
2184 /**
2185 * Data for a task queue enumerator
2186 */
2187 typedef struct {
2188 enumerator_t public;
2189 task_queue_t queue;
2190 enumerator_t *inner;
2191 queued_task_t *queued;
2192 } task_enumerator_t;
2193
2194 METHOD(enumerator_t, task_enumerator_destroy, void,
2195 task_enumerator_t *this)
2196 {
2197 this->inner->destroy(this->inner);
2198 free(this);
2199 }
2200
2201 METHOD(enumerator_t, task_enumerator_enumerate, bool,
2202 task_enumerator_t *this, va_list args)
2203 {
2204 task_t **task;
2205
2206 VA_ARGS_VGET(args, task);
2207 if (this->queue == TASK_QUEUE_QUEUED)
2208 {
2209 if (this->inner->enumerate(this->inner, &this->queued))
2210 {
2211 *task = this->queued->task;
2212 return TRUE;
2213 }
2214 }
2215 else if (this->inner->enumerate(this->inner, task))
2216 {
2217 return TRUE;
2218 }
2219 return FALSE;
2220 }
2221
2222 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2223 private_task_manager_t *this, task_queue_t queue)
2224 {
2225 task_enumerator_t *enumerator;
2226
2227 INIT(enumerator,
2228 .public = {
2229 .enumerate = enumerator_enumerate_default,
2230 .venumerate = _task_enumerator_enumerate,
2231 .destroy = _task_enumerator_destroy,
2232 },
2233 .queue = queue,
2234 );
2235 switch (queue)
2236 {
2237 case TASK_QUEUE_ACTIVE:
2238 enumerator->inner = array_create_enumerator(this->active_tasks);
2239 break;
2240 case TASK_QUEUE_PASSIVE:
2241 enumerator->inner = array_create_enumerator(this->passive_tasks);
2242 break;
2243 case TASK_QUEUE_QUEUED:
2244 enumerator->inner = array_create_enumerator(this->queued_tasks);
2245 break;
2246 default:
2247 enumerator->inner = enumerator_create_empty();
2248 break;
2249 }
2250 return &enumerator->public;
2251 }
2252
2253 METHOD(task_manager_t, remove_task, void,
2254 private_task_manager_t *this, enumerator_t *enumerator_public)
2255 {
2256 task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
2257
2258 switch (enumerator->queue)
2259 {
2260 case TASK_QUEUE_ACTIVE:
2261 array_remove_at(this->active_tasks, enumerator->inner);
2262 break;
2263 case TASK_QUEUE_PASSIVE:
2264 array_remove_at(this->passive_tasks, enumerator->inner);
2265 break;
2266 case TASK_QUEUE_QUEUED:
2267 array_remove_at(this->queued_tasks, enumerator->inner);
2268 free(enumerator->queued);
2269 enumerator->queued = NULL;
2270 break;
2271 default:
2272 break;
2273 }
2274 }
2275
2276 METHOD(task_manager_t, destroy, void,
2277 private_task_manager_t *this)
2278 {
2279 flush(this);
2280
2281 array_destroy(this->active_tasks);
2282 array_destroy(this->queued_tasks);
2283 array_destroy(this->passive_tasks);
2284
2285 clear_packets(this->responding.packets);
2286 array_destroy(this->responding.packets);
2287 clear_packets(this->initiating.packets);
2288 array_destroy(this->initiating.packets);
2289 DESTROY_IF(this->responding.defrag);
2290 DESTROY_IF(this->initiating.defrag);
2291 free(this);
2292 }
2293
2294 /*
2295 * see header file
2296 */
2297 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
2298 {
2299 private_task_manager_t *this;
2300
2301 INIT(this,
2302 .public = {
2303 .task_manager = {
2304 .process_message = _process_message,
2305 .queue_task = _queue_task,
2306 .queue_task_delayed = _queue_task_delayed,
2307 .queue_ike = _queue_ike,
2308 .queue_ike_rekey = _queue_ike_rekey,
2309 .queue_ike_reauth = _queue_ike_reauth,
2310 .queue_ike_delete = _queue_ike_delete,
2311 .queue_mobike = _queue_mobike,
2312 .queue_child = _queue_child,
2313 .queue_child_rekey = _queue_child_rekey,
2314 .queue_child_delete = _queue_child_delete,
2315 .queue_dpd = _queue_dpd,
2316 .initiate = _initiate,
2317 .retransmit = _retransmit,
2318 .incr_mid = _incr_mid,
2319 .get_mid = _get_mid,
2320 .reset = _reset,
2321 .adopt_tasks = _adopt_tasks,
2322 .busy = _busy,
2323 .create_task_enumerator = _create_task_enumerator,
2324 .remove_task = _remove_task,
2325 .flush = _flush,
2326 .flush_queue = _flush_queue,
2327 .destroy = _destroy,
2328 },
2329 },
2330 .ike_sa = ike_sa,
2331 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
2332 .queued_tasks = array_create(0, 0),
2333 .active_tasks = array_create(0, 0),
2334 .passive_tasks = array_create(0, 0),
2335 .retransmit_tries = lib->settings->get_int(lib->settings,
2336 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2337 .retransmit_timeout = lib->settings->get_double(lib->settings,
2338 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2339 .retransmit_base = lib->settings->get_double(lib->settings,
2340 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2341 .retransmit_jitter = min(lib->settings->get_int(lib->settings,
2342 "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX),
2343 .retransmit_limit = lib->settings->get_int(lib->settings,
2344 "%s.retransmit_limit", 0, lib->ns) * 1000,
2345 .make_before_break = lib->settings->get_bool(lib->settings,
2346 "%s.make_before_break", FALSE, lib->ns),
2347 );
2348
2349 return &this->public;
2350 }