projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
ikev2: Initiate other tasks after a no-op task
[strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2015 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_vendor.h>
38 #include <sa/ikev2/tasks/child_create.h>
39 #include <sa/ikev2/tasks/child_rekey.h>
40 #include <sa/ikev2/tasks/child_delete.h>
41 #include <encoding/payloads/delete_payload.h>
42 #include <encoding/payloads/unknown_payload.h>
43 #include <processing/jobs/retransmit_job.h>
44 #include <processing/jobs/delete_ike_sa_job.h>
45
46 #ifdef ME
47 #include <sa/ikev2/tasks/ike_me.h>
48 #endif
49
50 typedef struct exchange_t exchange_t;
51
52 /**
53 * An exchange in the air, used do detect and handle retransmission
54 */
55 struct exchange_t {
56
57 /**
58 * Message ID used for this transaction
59 */
60 u_int32_t mid;
61
62 /**
63 * generated packet for retransmission
64 */
65 packet_t *packet;
66 };
67
68 typedef struct private_task_manager_t private_task_manager_t;
69
70 /**
71 * private data of the task manager
72 */
73 struct private_task_manager_t {
74
75 /**
76 * public functions
77 */
78 task_manager_v2_t public;
79
80 /**
81 * associated IKE_SA we are serving
82 */
83 ike_sa_t *ike_sa;
84
85 /**
86 * Exchange we are currently handling as responder
87 */
88 struct {
89 /**
90 * Message ID of the exchange
91 */
92 u_int32_t mid;
93
94 /**
95 * packet(s) for retransmission
96 */
97 array_t *packets;
98
99 /**
100 * Helper to defragment the request
101 */
102 message_t *defrag;
103
104 } responding;
105
106 /**
107 * Exchange we are currently handling as initiator
108 */
109 struct {
110 /**
111 * Message ID of the exchange
112 */
113 u_int32_t mid;
114
115 /**
116 * how many times we have retransmitted so far
117 */
118 u_int retransmitted;
119
120 /**
121 * packet(s) for retransmission
122 */
123 array_t *packets;
124
125 /**
126 * type of the initated exchange
127 */
128 exchange_type_t type;
129
130 /**
131 * TRUE if exchange was deferred because no path was available
132 */
133 bool deferred;
134
135 /**
136 * Helper to defragment the response
137 */
138 message_t *defrag;
139
140 } initiating;
141
142 /**
143 * Array of queued tasks not yet in action
144 */
145 array_t *queued_tasks;
146
147 /**
148 * Array of active tasks, initiated by ourselve
149 */
150 array_t *active_tasks;
151
152 /**
153 * Array of tasks initiated by peer
154 */
155 array_t *passive_tasks;
156
157 /**
158 * the task manager has been reset
159 */
160 bool reset;
161
162 /**
163 * Number of times we retransmit messages before giving up
164 */
165 u_int retransmit_tries;
166
167 /**
168 * Retransmission timeout
169 */
170 double retransmit_timeout;
171
172 /**
173 * Base to calculate retransmission timeout
174 */
175 double retransmit_base;
176
177 /**
178 * Use make-before-break instead of break-before-make reauth?
179 */
180 bool make_before_break;
181 };
182
183 /**
184 * Reset retransmission packet list
185 */
186 static void clear_packets(array_t *array)
187 {
188 packet_t *packet;
189
190 while (array_remove(array, ARRAY_TAIL, &packet))
191 {
192 packet->destroy(packet);
193 }
194 }
195
196 METHOD(task_manager_t, flush_queue, void,
197 private_task_manager_t *this, task_queue_t queue)
198 {
199 array_t *array;
200 task_t *task;
201
202 switch (queue)
203 {
204 case TASK_QUEUE_ACTIVE:
205 array = this->active_tasks;
206 break;
207 case TASK_QUEUE_PASSIVE:
208 array = this->passive_tasks;
209 break;
210 case TASK_QUEUE_QUEUED:
211 array = this->queued_tasks;
212 break;
213 default:
214 return;
215 }
216 while (array_remove(array, ARRAY_TAIL, &task))
217 {
218 task->destroy(task);
219 }
220 }
221
222 METHOD(task_manager_t, flush, void,
223 private_task_manager_t *this)
224 {
225 flush_queue(this, TASK_QUEUE_QUEUED);
226 flush_queue(this, TASK_QUEUE_PASSIVE);
227 flush_queue(this, TASK_QUEUE_ACTIVE);
228 }
229
230 /**
231 * move a task of a specific type from the queue to the active list
232 */
233 static bool activate_task(private_task_manager_t *this, task_type_t type)
234 {
235 enumerator_t *enumerator;
236 task_t *task;
237 bool found = FALSE;
238
239 enumerator = array_create_enumerator(this->queued_tasks);
240 while (enumerator->enumerate(enumerator, (void**)&task))
241 {
242 if (task->get_type(task) == type)
243 {
244 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
245 array_remove_at(this->queued_tasks, enumerator);
246 array_insert(this->active_tasks, ARRAY_TAIL, task);
247 found = TRUE;
248 break;
249 }
250 }
251 enumerator->destroy(enumerator);
252 return found;
253 }
254
255 /**
256 * Send packets in the given array (they get cloned). Optionally, the
257 * source and destination addresses are changed before sending it.
258 */
259 static void send_packets(private_task_manager_t *this, array_t *packets,
260 host_t *src, host_t *dst)
261 {
262 packet_t *packet, *clone;
263 int i;
264
265 for (i = 0; i < array_count(packets); i++)
266 {
267 array_get(packets, i, &packet);
268 clone = packet->clone(packet);
269 if (src)
270 {
271 clone->set_source(clone, src->clone(src));
272 }
273 if (dst)
274 {
275 clone->set_destination(clone, dst->clone(dst));
276 }
277 charon->sender->send(charon->sender, clone);
278 }
279 }
280
281 /**
282 * Generates the given message and stores packet(s) in the given array
283 */
284 static bool generate_message(private_task_manager_t *this, message_t *message,
285 array_t **packets)
286 {
287 enumerator_t *fragments;
288 packet_t *fragment;
289
290 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
291 &fragments) != SUCCESS)
292 {
293 return FALSE;
294 }
295 while (fragments->enumerate(fragments, &fragment))
296 {
297 array_insert_create(packets, ARRAY_TAIL, fragment);
298 }
299 fragments->destroy(fragments);
300 array_compress(*packets);
301 return TRUE;
302 }
303
304 METHOD(task_manager_t, retransmit, status_t,
305 private_task_manager_t *this, u_int32_t message_id)
306 {
307 if (message_id == this->initiating.mid &&
308 array_count(this->initiating.packets))
309 {
310 u_int32_t timeout;
311 job_t *job;
312 enumerator_t *enumerator;
313 packet_t *packet;
314 task_t *task;
315 ike_mobike_t *mobike = NULL;
316
317 array_get(this->initiating.packets, 0, &packet);
318
319 /* check if we are retransmitting a MOBIKE routability check */
320 if (this->initiating.type == INFORMATIONAL)
321 {
322 enumerator = array_create_enumerator(this->active_tasks);
323 while (enumerator->enumerate(enumerator, (void*)&task))
324 {
325 if (task->get_type(task) == TASK_IKE_MOBIKE)
326 {
327 mobike = (ike_mobike_t*)task;
328 break;
329 }
330 }
331 enumerator->destroy(enumerator);
332 }
333
334 if (!mobike || !mobike->is_probing(mobike))
335 {
336 if (this->initiating.retransmitted <= this->retransmit_tries)
337 {
338 timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
339 pow(this->retransmit_base, this->initiating.retransmitted));
340 }
341 else
342 {
343 DBG1(DBG_IKE, "giving up after %d retransmits",
344 this->initiating.retransmitted - 1);
345 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
346 packet);
347 return DESTROY_ME;
348 }
349
350 if (this->initiating.retransmitted)
351 {
352 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
353 this->initiating.retransmitted, message_id);
354 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
355 }
356 if (!mobike)
357 {
358 send_packets(this, this->initiating.packets,
359 this->ike_sa->get_my_host(this->ike_sa),
360 this->ike_sa->get_other_host(this->ike_sa));
361 }
362 else
363 {
364 if (!mobike->transmit(mobike, packet))
365 {
366 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
367 "deferred");
368 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
369 this->initiating.deferred = TRUE;
370 return SUCCESS;
371 }
372 else if (mobike->is_probing(mobike))
373 {
374 timeout = ROUTEABILITY_CHECK_INTERVAL;
375 }
376 }
377 }
378 else
379 { /* for routeability checks, we use a more aggressive behavior */
380 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
381 {
382 timeout = ROUTEABILITY_CHECK_INTERVAL;
383 }
384 else
385 {
386 DBG1(DBG_IKE, "giving up after %d path probings",
387 this->initiating.retransmitted - 1);
388 return DESTROY_ME;
389 }
390
391 if (this->initiating.retransmitted)
392 {
393 DBG1(DBG_IKE, "path probing attempt %d",
394 this->initiating.retransmitted);
395 }
396 /* TODO-FRAG: presumably these small packets are not fragmented,
397 * we should maybe ensure this is the case when generating them */
398 if (!mobike->transmit(mobike, packet))
399 {
400 DBG1(DBG_IKE, "no route found to reach peer, path probing "
401 "deferred");
402 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
403 this->initiating.deferred = TRUE;
404 return SUCCESS;
405 }
406 }
407
408 this->initiating.retransmitted++;
409 job = (job_t*)retransmit_job_create(this->initiating.mid,
410 this->ike_sa->get_id(this->ike_sa));
411 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
412 }
413 return SUCCESS;
414 }
415
416 METHOD(task_manager_t, initiate, status_t,
417 private_task_manager_t *this)
418 {
419 enumerator_t *enumerator;
420 task_t *task;
421 message_t *message;
422 host_t *me, *other;
423 exchange_type_t exchange = 0;
424
425 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
426 {
427 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
428 exchange_type_names, this->initiating.type);
429 /* do not initiate if we already have a message in the air */
430 if (this->initiating.deferred)
431 { /* re-initiate deferred exchange */
432 this->initiating.deferred = FALSE;
433 this->initiating.retransmitted = 0;
434 return retransmit(this, this->initiating.mid);
435 }
436 return SUCCESS;
437 }
438
439 if (array_count(this->active_tasks) == 0)
440 {
441 DBG2(DBG_IKE, "activating new tasks");
442 switch (this->ike_sa->get_state(this->ike_sa))
443 {
444 case IKE_CREATED:
445 activate_task(this, TASK_IKE_VENDOR);
446 if (activate_task(this, TASK_IKE_INIT))
447 {
448 this->initiating.mid = 0;
449 exchange = IKE_SA_INIT;
450 activate_task(this, TASK_IKE_NATD);
451 activate_task(this, TASK_IKE_CERT_PRE);
452 #ifdef ME
453 /* this task has to be activated before the TASK_IKE_AUTH
454 * task, because that task pregenerates the packet after
455 * which no payloads can be added to the message anymore.
456 */
457 activate_task(this, TASK_IKE_ME);
458 #endif /* ME */
459 activate_task(this, TASK_IKE_AUTH);
460 activate_task(this, TASK_IKE_CERT_POST);
461 activate_task(this, TASK_IKE_CONFIG);
462 activate_task(this, TASK_CHILD_CREATE);
463 activate_task(this, TASK_IKE_AUTH_LIFETIME);
464 activate_task(this, TASK_IKE_MOBIKE);
465 }
466 break;
467 case IKE_ESTABLISHED:
468 if (activate_task(this, TASK_IKE_MOBIKE))
469 {
470 exchange = INFORMATIONAL;
471 break;
472 }
473 if (activate_task(this, TASK_IKE_DELETE))
474 {
475 exchange = INFORMATIONAL;
476 break;
477 }
478 if (activate_task(this, TASK_IKE_REDIRECT))
479 {
480 exchange = INFORMATIONAL;
481 break;
482 }
483 if (activate_task(this, TASK_CHILD_DELETE))
484 {
485 exchange = INFORMATIONAL;
486 break;
487 }
488 if (activate_task(this, TASK_IKE_REAUTH))
489 {
490 exchange = INFORMATIONAL;
491 break;
492 }
493 if (activate_task(this, TASK_CHILD_CREATE))
494 {
495 exchange = CREATE_CHILD_SA;
496 break;
497 }
498 if (activate_task(this, TASK_CHILD_REKEY))
499 {
500 exchange = CREATE_CHILD_SA;
501 break;
502 }
503 if (activate_task(this, TASK_IKE_REKEY))
504 {
505 exchange = CREATE_CHILD_SA;
506 break;
507 }
508 if (activate_task(this, TASK_IKE_DPD))
509 {
510 exchange = INFORMATIONAL;
511 break;
512 }
513 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
514 {
515 exchange = INFORMATIONAL;
516 break;
517 }
518 #ifdef ME
519 if (activate_task(this, TASK_IKE_ME))
520 {
521 exchange = ME_CONNECT;
522 break;
523 }
524 #endif /* ME */
525 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
526 {
527 exchange = INFORMATIONAL;
528 break;
529 }
530 case IKE_REKEYING:
531 if (activate_task(this, TASK_IKE_DELETE))
532 {
533 exchange = INFORMATIONAL;
534 break;
535 }
536 case IKE_DELETING:
537 default:
538 break;
539 }
540 }
541 else
542 {
543 DBG2(DBG_IKE, "reinitiating already active tasks");
544 enumerator = array_create_enumerator(this->active_tasks);
545 while (enumerator->enumerate(enumerator, &task))
546 {
547 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
548 switch (task->get_type(task))
549 {
550 case TASK_IKE_INIT:
551 exchange = IKE_SA_INIT;
552 break;
553 case TASK_IKE_AUTH:
554 exchange = IKE_AUTH;
555 break;
556 case TASK_CHILD_CREATE:
557 case TASK_CHILD_REKEY:
558 case TASK_IKE_REKEY:
559 exchange = CREATE_CHILD_SA;
560 break;
561 case TASK_IKE_MOBIKE:
562 exchange = INFORMATIONAL;
563 break;
564 default:
565 continue;
566 }
567 break;
568 }
569 enumerator->destroy(enumerator);
570 }
571
572 if (exchange == 0)
573 {
574 DBG2(DBG_IKE, "nothing to initiate");
575 /* nothing to do yet... */
576 return SUCCESS;
577 }
578
579 me = this->ike_sa->get_my_host(this->ike_sa);
580 other = this->ike_sa->get_other_host(this->ike_sa);
581
582 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
583 message->set_message_id(message, this->initiating.mid);
584 message->set_source(message, me->clone(me));
585 message->set_destination(message, other->clone(other));
586 message->set_exchange_type(message, exchange);
587 this->initiating.type = exchange;
588 this->initiating.retransmitted = 0;
589 this->initiating.deferred = FALSE;
590
591 enumerator = array_create_enumerator(this->active_tasks);
592 while (enumerator->enumerate(enumerator, &task))
593 {
594 switch (task->build(task, message))
595 {
596 case SUCCESS:
597 /* task completed, remove it */
598 array_remove_at(this->active_tasks, enumerator);
599 task->destroy(task);
600 break;
601 case NEED_MORE:
602 /* processed, but task needs another exchange */
603 break;
604 case FAILED:
605 default:
606 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
607 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
608 {
609 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
610 }
611 /* FALL */
612 case DESTROY_ME:
613 /* critical failure, destroy IKE_SA */
614 enumerator->destroy(enumerator);
615 message->destroy(message);
616 flush(this);
617 return DESTROY_ME;
618 }
619 }
620 enumerator->destroy(enumerator);
621
622 /* update exchange type if a task changed it */
623 this->initiating.type = message->get_exchange_type(message);
624 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
625 {
626 message->destroy(message);
627 return initiate(this);
628 }
629
630 if (!generate_message(this, message, &this->initiating.packets))
631 {
632 /* message generation failed. There is nothing more to do than to
633 * close the SA */
634 message->destroy(message);
635 flush(this);
636 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
637 return DESTROY_ME;
638 }
639 message->destroy(message);
640
641 array_compress(this->active_tasks);
642 array_compress(this->queued_tasks);
643
644 return retransmit(this, this->initiating.mid);
645 }
646
647 /**
648 * handle an incoming response message
649 */
650 static status_t process_response(private_task_manager_t *this,
651 message_t *message)
652 {
653 enumerator_t *enumerator;
654 task_t *task;
655
656 if (message->get_exchange_type(message) != this->initiating.type)
657 {
658 DBG1(DBG_IKE, "received %N response, but expected %N",
659 exchange_type_names, message->get_exchange_type(message),
660 exchange_type_names, this->initiating.type);
661 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
662 return DESTROY_ME;
663 }
664
665 enumerator = array_create_enumerator(this->active_tasks);
666 while (enumerator->enumerate(enumerator, &task))
667 {
668 if (!task->pre_process)
669 {
670 continue;
671 }
672 switch (task->pre_process(task, message))
673 {
674 case SUCCESS:
675 break;
676 case FAILED:
677 default:
678 /* just ignore the message */
679 DBG1(DBG_IKE, "ignore invalid %N response",
680 exchange_type_names, message->get_exchange_type(message));
681 enumerator->destroy(enumerator);
682 return SUCCESS;
683 case DESTROY_ME:
684 /* critical failure, destroy IKE_SA */
685 enumerator->destroy(enumerator);
686 return DESTROY_ME;
687 }
688 }
689 enumerator->destroy(enumerator);
690
691 /* catch if we get resetted while processing */
692 this->reset = FALSE;
693 enumerator = array_create_enumerator(this->active_tasks);
694 while (enumerator->enumerate(enumerator, &task))
695 {
696 switch (task->process(task, message))
697 {
698 case SUCCESS:
699 /* task completed, remove it */
700 array_remove_at(this->active_tasks, enumerator);
701 task->destroy(task);
702 break;
703 case NEED_MORE:
704 /* processed, but task needs another exchange */
705 break;
706 case FAILED:
707 default:
708 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
709 /* FALL */
710 case DESTROY_ME:
711 /* critical failure, destroy IKE_SA */
712 array_remove_at(this->active_tasks, enumerator);
713 enumerator->destroy(enumerator);
714 task->destroy(task);
715 return DESTROY_ME;
716 }
717 if (this->reset)
718 { /* start all over again if we were reset */
719 this->reset = FALSE;
720 enumerator->destroy(enumerator);
721 return initiate(this);
722 }
723 }
724 enumerator->destroy(enumerator);
725
726 this->initiating.mid++;
727 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
728 clear_packets(this->initiating.packets);
729
730 array_compress(this->active_tasks);
731
732 return initiate(this);
733 }
734
735 /**
736 * handle exchange collisions
737 */
738 static bool handle_collisions(private_task_manager_t *this, task_t *task)
739 {
740 enumerator_t *enumerator;
741 task_t *active;
742 task_type_t type;
743
744 type = task->get_type(task);
745
746 /* do we have to check */
747 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
748 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE ||
749 type == TASK_IKE_REAUTH)
750 {
751 /* find an exchange collision, and notify these tasks */
752 enumerator = array_create_enumerator(this->active_tasks);
753 while (enumerator->enumerate(enumerator, &active))
754 {
755 switch (active->get_type(active))
756 {
757 case TASK_IKE_REKEY:
758 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE ||
759 type == TASK_IKE_REAUTH)
760 {
761 ike_rekey_t *rekey = (ike_rekey_t*)active;
762 rekey->collide(rekey, task);
763 break;
764 }
765 continue;
766 case TASK_CHILD_REKEY:
767 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
768 {
769 child_rekey_t *rekey = (child_rekey_t*)active;
770 rekey->collide(rekey, task);
771 break;
772 }
773 continue;
774 default:
775 continue;
776 }
777 enumerator->destroy(enumerator);
778 return TRUE;
779 }
780 enumerator->destroy(enumerator);
781 }
782 return FALSE;
783 }
784
785 /**
786 * build a response depending on the "passive" task list
787 */
788 static status_t build_response(private_task_manager_t *this, message_t *request)
789 {
790 enumerator_t *enumerator;
791 task_t *task;
792 message_t *message;
793 host_t *me, *other;
794 bool delete = FALSE, hook = FALSE;
795 ike_sa_id_t *id = NULL;
796 u_int64_t responder_spi = 0;
797 bool result;
798
799 me = request->get_destination(request);
800 other = request->get_source(request);
801
802 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
803 message->set_exchange_type(message, request->get_exchange_type(request));
804 /* send response along the path the request came in */
805 message->set_source(message, me->clone(me));
806 message->set_destination(message, other->clone(other));
807 message->set_message_id(message, this->responding.mid);
808 message->set_request(message, FALSE);
809
810 enumerator = array_create_enumerator(this->passive_tasks);
811 while (enumerator->enumerate(enumerator, (void*)&task))
812 {
813 switch (task->build(task, message))
814 {
815 case SUCCESS:
816 /* task completed, remove it */
817 array_remove_at(this->passive_tasks, enumerator);
818 if (!handle_collisions(this, task))
819 {
820 task->destroy(task);
821 }
822 break;
823 case NEED_MORE:
824 /* processed, but task needs another exchange */
825 if (handle_collisions(this, task))
826 {
827 array_remove_at(this->passive_tasks, enumerator);
828 }
829 break;
830 case FAILED:
831 default:
832 hook = TRUE;
833 /* FALL */
834 case DESTROY_ME:
835 /* destroy IKE_SA, but SEND response first */
836 delete = TRUE;
837 break;
838 }
839 if (delete)
840 {
841 break;
842 }
843 }
844 enumerator->destroy(enumerator);
845
846 /* RFC 5996, section 2.6 mentions that in the event of a failure during
847 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
848 * actually explicitly allows it to be non-zero. Since we use the responder
849 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
850 * zero temporarily, otherwise checking the SA in would fail. */
851 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
852 {
853 id = this->ike_sa->get_id(this->ike_sa);
854 responder_spi = id->get_responder_spi(id);
855 id->set_responder_spi(id, 0);
856 }
857
858 /* message complete, send it */
859 clear_packets(this->responding.packets);
860 result = generate_message(this, message, &this->responding.packets);
861 message->destroy(message);
862 if (id)
863 {
864 id->set_responder_spi(id, responder_spi);
865 }
866 if (!result)
867 {
868 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
869 return DESTROY_ME;
870 }
871
872 send_packets(this, this->responding.packets, NULL, NULL);
873 if (delete)
874 {
875 if (hook)
876 {
877 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
878 }
879 return DESTROY_ME;
880 }
881
882 array_compress(this->passive_tasks);
883
884 return SUCCESS;
885 }
886
887 /**
888 * handle an incoming request message
889 */
890 static status_t process_request(private_task_manager_t *this,
891 message_t *message)
892 {
893 enumerator_t *enumerator;
894 task_t *task = NULL;
895 payload_t *payload;
896 notify_payload_t *notify;
897 delete_payload_t *delete;
898
899 if (array_count(this->passive_tasks) == 0)
900 { /* create tasks depending on request type, if not already some queued */
901 switch (message->get_exchange_type(message))
902 {
903 case IKE_SA_INIT:
904 {
905 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
906 array_insert(this->passive_tasks, ARRAY_TAIL, task);
907 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
908 array_insert(this->passive_tasks, ARRAY_TAIL, task);
909 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
910 array_insert(this->passive_tasks, ARRAY_TAIL, task);
911 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
912 array_insert(this->passive_tasks, ARRAY_TAIL, task);
913 #ifdef ME
914 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
915 array_insert(this->passive_tasks, ARRAY_TAIL, task);
916 #endif /* ME */
917 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
918 array_insert(this->passive_tasks, ARRAY_TAIL, task);
919 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
920 array_insert(this->passive_tasks, ARRAY_TAIL, task);
921 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
922 array_insert(this->passive_tasks, ARRAY_TAIL, task);
923 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
924 NULL, NULL);
925 array_insert(this->passive_tasks, ARRAY_TAIL, task);
926 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
927 array_insert(this->passive_tasks, ARRAY_TAIL, task);
928 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
929 array_insert(this->passive_tasks, ARRAY_TAIL, task);
930 break;
931 }
932 case CREATE_CHILD_SA:
933 { /* FIXME: we should prevent this on mediation connections */
934 bool notify_found = FALSE, ts_found = FALSE;
935
936 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
937 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
938 {
939 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
940 "unestablished IKE_SA, rejected");
941 return FAILED;
942 }
943
944 enumerator = message->create_payload_enumerator(message);
945 while (enumerator->enumerate(enumerator, &payload))
946 {
947 switch (payload->get_type(payload))
948 {
949 case PLV2_NOTIFY:
950 { /* if we find a rekey notify, its CHILD_SA rekeying */
951 notify = (notify_payload_t*)payload;
952 if (notify->get_notify_type(notify) == REKEY_SA &&
953 (notify->get_protocol_id(notify) == PROTO_AH ||
954 notify->get_protocol_id(notify) == PROTO_ESP))
955 {
956 notify_found = TRUE;
957 }
958 break;
959 }
960 case PLV2_TS_INITIATOR:
961 case PLV2_TS_RESPONDER:
962 { /* if we don't find a TS, its IKE rekeying */
963 ts_found = TRUE;
964 break;
965 }
966 default:
967 break;
968 }
969 }
970 enumerator->destroy(enumerator);
971
972 if (ts_found)
973 {
974 if (notify_found)
975 {
976 task = (task_t*)child_rekey_create(this->ike_sa,
977 PROTO_NONE, 0);
978 }
979 else
980 {
981 task = (task_t*)child_create_create(this->ike_sa, NULL,
982 FALSE, NULL, NULL);
983 }
984 }
985 else
986 {
987 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
988 }
989 array_insert(this->passive_tasks, ARRAY_TAIL, task);
990 break;
991 }
992 case INFORMATIONAL:
993 {
994 enumerator = message->create_payload_enumerator(message);
995 while (enumerator->enumerate(enumerator, &payload))
996 {
997 switch (payload->get_type(payload))
998 {
999 case PLV2_NOTIFY:
1000 {
1001 notify = (notify_payload_t*)payload;
1002 switch (notify->get_notify_type(notify))
1003 {
1004 case ADDITIONAL_IP4_ADDRESS:
1005 case ADDITIONAL_IP6_ADDRESS:
1006 case NO_ADDITIONAL_ADDRESSES:
1007 case UPDATE_SA_ADDRESSES:
1008 case NO_NATS_ALLOWED:
1009 case UNACCEPTABLE_ADDRESSES:
1010 case UNEXPECTED_NAT_DETECTED:
1011 case COOKIE2:
1012 case NAT_DETECTION_SOURCE_IP:
1013 case NAT_DETECTION_DESTINATION_IP:
1014 task = (task_t*)ike_mobike_create(
1015 this->ike_sa, FALSE);
1016 break;
1017 case AUTH_LIFETIME:
1018 task = (task_t*)ike_auth_lifetime_create(
1019 this->ike_sa, FALSE);
1020 break;
1021 case AUTHENTICATION_FAILED:
1022 /* initiator failed to authenticate us.
1023 * We use ike_delete to handle this, which
1024 * invokes all the required hooks. */
1025 task = (task_t*)ike_delete_create(
1026 this->ike_sa, FALSE);
1027 break;
1028 case REDIRECT:
1029 task = (task_t*)ike_redirect_create(
1030 this->ike_sa, NULL);
1031 break;
1032 default:
1033 break;
1034 }
1035 break;
1036 }
1037 case PLV2_DELETE:
1038 {
1039 delete = (delete_payload_t*)payload;
1040 if (delete->get_protocol_id(delete) == PROTO_IKE)
1041 {
1042 task = (task_t*)ike_delete_create(this->ike_sa,
1043 FALSE);
1044 }
1045 else
1046 {
1047 task = (task_t*)child_delete_create(this->ike_sa,
1048 PROTO_NONE, 0, FALSE);
1049 }
1050 break;
1051 }
1052 default:
1053 break;
1054 }
1055 if (task)
1056 {
1057 break;
1058 }
1059 }
1060 enumerator->destroy(enumerator);
1061
1062 if (task == NULL)
1063 {
1064 task = (task_t*)ike_dpd_create(FALSE);
1065 }
1066 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1067 break;
1068 }
1069 #ifdef ME
1070 case ME_CONNECT:
1071 {
1072 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1073 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1074 }
1075 #endif /* ME */
1076 default:
1077 break;
1078 }
1079 }
1080
1081 enumerator = array_create_enumerator(this->passive_tasks);
1082 while (enumerator->enumerate(enumerator, &task))
1083 {
1084 if (!task->pre_process)
1085 {
1086 continue;
1087 }
1088 switch (task->pre_process(task, message))
1089 {
1090 case SUCCESS:
1091 break;
1092 case FAILED:
1093 default:
1094 /* just ignore the message */
1095 DBG1(DBG_IKE, "ignore invalid %N request",
1096 exchange_type_names, message->get_exchange_type(message));
1097 enumerator->destroy(enumerator);
1098 switch (message->get_exchange_type(message))
1099 {
1100 case IKE_SA_INIT:
1101 /* no point in keeping the SA when it was created with
1102 * an invalid IKE_SA_INIT message */
1103 return DESTROY_ME;
1104 default:
1105 /* remove tasks we queued for this request */
1106 flush_queue(this, TASK_QUEUE_PASSIVE);
1107 /* fall-through */
1108 case IKE_AUTH:
1109 return NEED_MORE;
1110 }
1111 case DESTROY_ME:
1112 /* critical failure, destroy IKE_SA */
1113 enumerator->destroy(enumerator);
1114 return DESTROY_ME;
1115 }
1116 }
1117 enumerator->destroy(enumerator);
1118
1119 /* let the tasks process the message */
1120 enumerator = array_create_enumerator(this->passive_tasks);
1121 while (enumerator->enumerate(enumerator, (void*)&task))
1122 {
1123 switch (task->process(task, message))
1124 {
1125 case SUCCESS:
1126 /* task completed, remove it */
1127 array_remove_at(this->passive_tasks, enumerator);
1128 task->destroy(task);
1129 break;
1130 case NEED_MORE:
1131 /* processed, but task needs at least another call to build() */
1132 break;
1133 case FAILED:
1134 default:
1135 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1136 /* FALL */
1137 case DESTROY_ME:
1138 /* critical failure, destroy IKE_SA */
1139 array_remove_at(this->passive_tasks, enumerator);
1140 enumerator->destroy(enumerator);
1141 task->destroy(task);
1142 return DESTROY_ME;
1143 }
1144 }
1145 enumerator->destroy(enumerator);
1146
1147 return build_response(this, message);
1148 }
1149
1150 METHOD(task_manager_t, incr_mid, void,
1151 private_task_manager_t *this, bool initiate)
1152 {
1153 if (initiate)
1154 {
1155 this->initiating.mid++;
1156 }
1157 else
1158 {
1159 this->responding.mid++;
1160 }
1161 }
1162
1163 /**
1164 * Handle the given IKE fragment, if it is one.
1165 *
1166 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1167 * handled properly. Error states are returned if the fragment was invalid or
1168 * the reassembled message could not have been processed properly.
1169 */
1170 static status_t handle_fragment(private_task_manager_t *this,
1171 message_t **defrag, message_t *msg)
1172 {
1173 message_t *reassembled;
1174 status_t status;
1175
1176 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1177 {
1178 return SUCCESS;
1179 }
1180 if (!*defrag)
1181 {
1182 *defrag = message_create_defrag(msg);
1183 if (!*defrag)
1184 {
1185 return FAILED;
1186 }
1187 }
1188 status = (*defrag)->add_fragment(*defrag, msg);
1189 if (status == SUCCESS)
1190 {
1191 /* reinject the reassembled message */
1192 reassembled = *defrag;
1193 *defrag = NULL;
1194 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1195 if (status == SUCCESS)
1196 {
1197 /* avoid processing the last fragment */
1198 status = NEED_MORE;
1199 }
1200 reassembled->destroy(reassembled);
1201 }
1202 return status;
1203 }
1204
1205 /**
1206 * Send a notify back to the sender
1207 */
1208 static void send_notify_response(private_task_manager_t *this,
1209 message_t *request, notify_type_t type,
1210 chunk_t data)
1211 {
1212 message_t *response;
1213 packet_t *packet;
1214 host_t *me, *other;
1215
1216 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1217 response->set_exchange_type(response, request->get_exchange_type(request));
1218 response->set_request(response, FALSE);
1219 response->set_message_id(response, request->get_message_id(request));
1220 response->add_notify(response, FALSE, type, data);
1221 me = this->ike_sa->get_my_host(this->ike_sa);
1222 if (me->is_anyaddr(me))
1223 {
1224 me = request->get_destination(request);
1225 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1226 }
1227 other = this->ike_sa->get_other_host(this->ike_sa);
1228 if (other->is_anyaddr(other))
1229 {
1230 other = request->get_source(request);
1231 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1232 }
1233 response->set_source(response, me->clone(me));
1234 response->set_destination(response, other->clone(other));
1235 if (this->ike_sa->generate_message(this->ike_sa, response,
1236 &packet) == SUCCESS)
1237 {
1238 charon->sender->send(charon->sender, packet);
1239 }
1240 response->destroy(response);
1241 }
1242
1243 /**
1244 * Parse the given message and verify that it is valid.
1245 */
1246 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1247 {
1248 status_t status;
1249 u_int8_t type = 0;
1250
1251 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1252
1253 if (status == SUCCESS)
1254 { /* check for unsupported critical payloads */
1255 enumerator_t *enumerator;
1256 unknown_payload_t *unknown;
1257 payload_t *payload;
1258
1259 enumerator = msg->create_payload_enumerator(msg);
1260 while (enumerator->enumerate(enumerator, &payload))
1261 {
1262 if (payload->get_type(payload) == PL_UNKNOWN)
1263 {
1264 unknown = (unknown_payload_t*)payload;
1265 if (unknown->is_critical(unknown))
1266 {
1267 type = unknown->get_type(unknown);
1268 DBG1(DBG_ENC, "payload type %N is not supported, "
1269 "but its critical!", payload_type_names, type);
1270 status = NOT_SUPPORTED;
1271 break;
1272 }
1273 }
1274 }
1275 enumerator->destroy(enumerator);
1276 }
1277
1278 if (status != SUCCESS)
1279 {
1280 bool is_request = msg->get_request(msg);
1281
1282 switch (status)
1283 {
1284 case NOT_SUPPORTED:
1285 DBG1(DBG_IKE, "critical unknown payloads found");
1286 if (is_request)
1287 {
1288 send_notify_response(this, msg,
1289 UNSUPPORTED_CRITICAL_PAYLOAD,
1290 chunk_from_thing(type));
1291 incr_mid(this, FALSE);
1292 }
1293 break;
1294 case PARSE_ERROR:
1295 DBG1(DBG_IKE, "message parsing failed");
1296 if (is_request)
1297 {
1298 send_notify_response(this, msg,
1299 INVALID_SYNTAX, chunk_empty);
1300 incr_mid(this, FALSE);
1301 }
1302 break;
1303 case VERIFY_ERROR:
1304 DBG1(DBG_IKE, "message verification failed");
1305 if (is_request)
1306 {
1307 send_notify_response(this, msg,
1308 INVALID_SYNTAX, chunk_empty);
1309 incr_mid(this, FALSE);
1310 }
1311 break;
1312 case FAILED:
1313 DBG1(DBG_IKE, "integrity check failed");
1314 /* ignored */
1315 break;
1316 case INVALID_STATE:
1317 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1318 default:
1319 break;
1320 }
1321 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1322 exchange_type_names, msg->get_exchange_type(msg),
1323 is_request ? "request" : "response",
1324 msg->get_message_id(msg));
1325
1326 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1327
1328 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1329 { /* invalid initiation attempt, close SA */
1330 return DESTROY_ME;
1331 }
1332 }
1333 return status;
1334 }
1335
1336
1337 METHOD(task_manager_t, process_message, status_t,
1338 private_task_manager_t *this, message_t *msg)
1339 {
1340 host_t *me, *other;
1341 status_t status;
1342 u_int32_t mid;
1343 bool schedule_delete_job = FALSE;
1344
1345 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1346 status = parse_message(this, msg);
1347 if (status != SUCCESS)
1348 {
1349 return status;
1350 }
1351
1352 me = msg->get_destination(msg);
1353 other = msg->get_source(msg);
1354
1355 /* if this IKE_SA is virgin, we check for a config */
1356 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1357 {
1358 ike_cfg_t *ike_cfg;
1359
1360 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1361 me, other, IKEV2);
1362 if (ike_cfg == NULL)
1363 {
1364 /* no config found for these hosts, destroy */
1365 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1366 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1367 send_notify_response(this, msg,
1368 NO_PROPOSAL_CHOSEN, chunk_empty);
1369 return DESTROY_ME;
1370 }
1371 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1372 ike_cfg->destroy(ike_cfg);
1373 /* add a timeout if peer does not establish it completely */
1374 schedule_delete_job = TRUE;
1375 }
1376 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1377 time_monotonic(NULL));
1378
1379 mid = msg->get_message_id(msg);
1380 if (msg->get_request(msg))
1381 {
1382 if (mid == this->responding.mid)
1383 {
1384 /* reject initial messages if not received in specific states */
1385 if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
1386 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
1387 (msg->get_exchange_type(msg) == IKE_AUTH &&
1388 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
1389 {
1390 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
1391 exchange_type_names, msg->get_exchange_type(msg),
1392 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
1393 return FAILED;
1394 }
1395 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1396 { /* with MOBIKE, we do no implicit updates */
1397 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1398 }
1399 status = handle_fragment(this, &this->responding.defrag, msg);
1400 if (status != SUCCESS)
1401 {
1402 return status;
1403 }
1404 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1405 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1406 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1407 return SUCCESS;
1408 }
1409 switch (process_request(this, msg))
1410 {
1411 case SUCCESS:
1412 this->responding.mid++;
1413 break;
1414 case NEED_MORE:
1415 break;
1416 default:
1417 flush(this);
1418 return DESTROY_ME;
1419 }
1420 }
1421 else if ((mid == this->responding.mid - 1) &&
1422 array_count(this->responding.packets))
1423 {
1424 status = handle_fragment(this, &this->responding.defrag, msg);
1425 if (status != SUCCESS)
1426 {
1427 return status;
1428 }
1429 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1430 "retransmitting response", mid);
1431 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1432 send_packets(this, this->responding.packets,
1433 msg->get_destination(msg), msg->get_source(msg));
1434 }
1435 else
1436 {
1437 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1438 mid, this->responding.mid);
1439 }
1440 }
1441 else
1442 {
1443 if (mid == this->initiating.mid)
1444 {
1445 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1446 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1447 msg->get_exchange_type(msg) != IKE_SA_INIT)
1448 { /* only do updates based on verified messages (or initial ones) */
1449 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1450 { /* with MOBIKE, we do no implicit updates. we force an
1451 * update of the local address on IKE_SA_INIT, but never
1452 * for the remote address */
1453 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1454 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1455 }
1456 }
1457 status = handle_fragment(this, &this->initiating.defrag, msg);
1458 if (status != SUCCESS)
1459 {
1460 return status;
1461 }
1462 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1463 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1464 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1465 return SUCCESS;
1466 }
1467 if (process_response(this, msg) != SUCCESS)
1468 {
1469 flush(this);
1470 return DESTROY_ME;
1471 }
1472 }
1473 else
1474 {
1475 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1476 mid, this->initiating.mid);
1477 return SUCCESS;
1478 }
1479 }
1480
1481 if (schedule_delete_job)
1482 {
1483 ike_sa_id_t *ike_sa_id;
1484 job_t *job;
1485
1486 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1487 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1488 lib->scheduler->schedule_job(lib->scheduler, job,
1489 lib->settings->get_int(lib->settings,
1490 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1491 lib->ns));
1492 }
1493 return SUCCESS;
1494 }
1495
1496 METHOD(task_manager_t, queue_task, void,
1497 private_task_manager_t *this, task_t *task)
1498 {
1499 if (task->get_type(task) == TASK_IKE_MOBIKE)
1500 { /* there is no need to queue more than one mobike task */
1501 enumerator_t *enumerator;
1502 task_t *current;
1503
1504 enumerator = array_create_enumerator(this->queued_tasks);
1505 while (enumerator->enumerate(enumerator, &current))
1506 {
1507 if (current->get_type(current) == TASK_IKE_MOBIKE)
1508 {
1509 enumerator->destroy(enumerator);
1510 task->destroy(task);
1511 return;
1512 }
1513 }
1514 enumerator->destroy(enumerator);
1515 }
1516 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1517 array_insert(this->queued_tasks, ARRAY_TAIL, task);
1518 }
1519
1520 /**
1521 * Check if a given task has been queued already
1522 */
1523 static bool has_queued(private_task_manager_t *this, task_type_t type)
1524 {
1525 enumerator_t *enumerator;
1526 bool found = FALSE;
1527 task_t *task;
1528
1529 enumerator = array_create_enumerator(this->queued_tasks);
1530 while (enumerator->enumerate(enumerator, &task))
1531 {
1532 if (task->get_type(task) == type)
1533 {
1534 found = TRUE;
1535 break;
1536 }
1537 }
1538 enumerator->destroy(enumerator);
1539 return found;
1540 }
1541
1542 METHOD(task_manager_t, queue_ike, void,
1543 private_task_manager_t *this)
1544 {
1545 if (!has_queued(this, TASK_IKE_VENDOR))
1546 {
1547 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1548 }
1549 if (!has_queued(this, TASK_IKE_INIT))
1550 {
1551 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1552 }
1553 if (!has_queued(this, TASK_IKE_NATD))
1554 {
1555 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1556 }
1557 if (!has_queued(this, TASK_IKE_CERT_PRE))
1558 {
1559 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1560 }
1561 if (!has_queued(this, TASK_IKE_AUTH))
1562 {
1563 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1564 }
1565 if (!has_queued(this, TASK_IKE_CERT_POST))
1566 {
1567 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1568 }
1569 if (!has_queued(this, TASK_IKE_CONFIG))
1570 {
1571 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1572 }
1573 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1574 {
1575 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1576 }
1577 if (!has_queued(this, TASK_IKE_MOBIKE))
1578 {
1579 peer_cfg_t *peer_cfg;
1580
1581 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1582 if (peer_cfg->use_mobike(peer_cfg))
1583 {
1584 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1585 }
1586 }
1587 #ifdef ME
1588 if (!has_queued(this, TASK_IKE_ME))
1589 {
1590 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1591 }
1592 #endif /* ME */
1593 }
1594
1595 METHOD(task_manager_t, queue_ike_rekey, void,
1596 private_task_manager_t *this)
1597 {
1598 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1599 }
1600
1601 /**
1602 * Start reauthentication using make-before-break
1603 */
1604 static void trigger_mbb_reauth(private_task_manager_t *this)
1605 {
1606 enumerator_t *enumerator;
1607 child_sa_t *child_sa;
1608 child_cfg_t *cfg;
1609 ike_sa_t *new;
1610 host_t *host;
1611 task_t *task;
1612
1613 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1614 this->ike_sa->get_version(this->ike_sa), TRUE);
1615 if (!new)
1616 { /* shouldn't happen */
1617 return;
1618 }
1619
1620 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1621 host = this->ike_sa->get_other_host(this->ike_sa);
1622 new->set_other_host(new, host->clone(host));
1623 host = this->ike_sa->get_my_host(this->ike_sa);
1624 new->set_my_host(new, host->clone(host));
1625 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1626 while (enumerator->enumerate(enumerator, &host))
1627 {
1628 new->add_virtual_ip(new, TRUE, host);
1629 }
1630 enumerator->destroy(enumerator);
1631
1632 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1633 while (enumerator->enumerate(enumerator, &child_sa))
1634 {
1635 cfg = child_sa->get_config(child_sa);
1636 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
1637 FALSE, NULL, NULL)->task);
1638 }
1639 enumerator->destroy(enumerator);
1640
1641 enumerator = array_create_enumerator(this->queued_tasks);
1642 while (enumerator->enumerate(enumerator, &task))
1643 {
1644 if (task->get_type(task) == TASK_CHILD_CREATE)
1645 {
1646 task->migrate(task, new);
1647 new->queue_task(new, task);
1648 array_remove_at(this->queued_tasks, enumerator);
1649 }
1650 }
1651 enumerator->destroy(enumerator);
1652
1653 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1654 {
1655 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1656 this->ike_sa->get_id(this->ike_sa)));
1657 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1658 }
1659 else
1660 {
1661 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1662 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1663 }
1664 charon->bus->set_sa(charon->bus, this->ike_sa);
1665 }
1666
1667 METHOD(task_manager_t, queue_ike_reauth, void,
1668 private_task_manager_t *this)
1669 {
1670 if (this->make_before_break)
1671 {
1672 return trigger_mbb_reauth(this);
1673 }
1674 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1675 }
1676
1677 METHOD(task_manager_t, queue_ike_delete, void,
1678 private_task_manager_t *this)
1679 {
1680 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1681 }
1682
1683 METHOD(task_manager_t, queue_mobike, void,
1684 private_task_manager_t *this, bool roam, bool address)
1685 {
1686 ike_mobike_t *mobike;
1687
1688 mobike = ike_mobike_create(this->ike_sa, TRUE);
1689 if (roam)
1690 {
1691 enumerator_t *enumerator;
1692 task_t *current;
1693
1694 mobike->roam(mobike, address);
1695
1696 /* enable path probing for a currently active MOBIKE task. This might
1697 * not be the case if an address appeared on a new interface while the
1698 * current address is not working but has not yet disappeared. */
1699 enumerator = array_create_enumerator(this->active_tasks);
1700 while (enumerator->enumerate(enumerator, &current))
1701 {
1702 if (current->get_type(current) == TASK_IKE_MOBIKE)
1703 {
1704 ike_mobike_t *active = (ike_mobike_t*)current;
1705 active->enable_probing(active);
1706 break;
1707 }
1708 }
1709 enumerator->destroy(enumerator);
1710 }
1711 else
1712 {
1713 mobike->addresses(mobike);
1714 }
1715 queue_task(this, &mobike->task);
1716 }
1717
1718 METHOD(task_manager_t, queue_child, void,
1719 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1720 traffic_selector_t *tsi, traffic_selector_t *tsr)
1721 {
1722 child_create_t *task;
1723
1724 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
1725 if (reqid)
1726 {
1727 task->use_reqid(task, reqid);
1728 }
1729 queue_task(this, &task->task);
1730 }
1731
1732 METHOD(task_manager_t, queue_child_rekey, void,
1733 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1734 {
1735 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
1736 }
1737
1738 METHOD(task_manager_t, queue_child_delete, void,
1739 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1740 bool expired)
1741 {
1742 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
1743 protocol, spi, expired));
1744 }
1745
1746 METHOD(task_manager_t, queue_dpd, void,
1747 private_task_manager_t *this)
1748 {
1749 ike_mobike_t *mobike;
1750
1751 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
1752 this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
1753 {
1754 /* use mobike enabled DPD to detect NAT mapping changes */
1755 mobike = ike_mobike_create(this->ike_sa, TRUE);
1756 mobike->dpd(mobike);
1757 queue_task(this, &mobike->task);
1758 }
1759 else
1760 {
1761 queue_task(this, (task_t*)ike_dpd_create(TRUE));
1762 }
1763 }
1764
1765 METHOD(task_manager_t, adopt_tasks, void,
1766 private_task_manager_t *this, task_manager_t *other_public)
1767 {
1768 private_task_manager_t *other = (private_task_manager_t*)other_public;
1769 task_t *task;
1770
1771 /* move queued tasks from other to this */
1772 while (array_remove(other->queued_tasks, ARRAY_TAIL, &task))
1773 {
1774 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1775 task->migrate(task, this->ike_sa);
1776 array_insert(this->queued_tasks, ARRAY_HEAD, task);
1777 }
1778 }
1779
1780 /**
1781 * Migrates child-creating tasks from src to dst
1782 */
1783 static void migrate_child_tasks(private_task_manager_t *this,
1784 array_t *src, array_t *dst)
1785 {
1786 enumerator_t *enumerator;
1787 task_t *task;
1788
1789 enumerator = array_create_enumerator(src);
1790 while (enumerator->enumerate(enumerator, &task))
1791 {
1792 if (task->get_type(task) == TASK_CHILD_CREATE)
1793 {
1794 array_remove_at(src, enumerator);
1795 task->migrate(task, this->ike_sa);
1796 array_insert(dst, ARRAY_TAIL, task);
1797 }
1798 }
1799 enumerator->destroy(enumerator);
1800 }
1801
1802 METHOD(task_manager_t, adopt_child_tasks, void,
1803 private_task_manager_t *this, task_manager_t *other_public)
1804 {
1805 private_task_manager_t *other = (private_task_manager_t*)other_public;
1806
1807 /* move active child tasks from other to this */
1808 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1809 /* do the same for queued tasks */
1810 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1811 }
1812
1813 METHOD(task_manager_t, busy, bool,
1814 private_task_manager_t *this)
1815 {
1816 return array_count(this->active_tasks) > 0;
1817 }
1818
1819 METHOD(task_manager_t, reset, void,
1820 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1821 {
1822 enumerator_t *enumerator;
1823 task_t *task;
1824
1825 /* reset message counters and retransmit packets */
1826 clear_packets(this->responding.packets);
1827 clear_packets(this->initiating.packets);
1828 DESTROY_IF(this->responding.defrag);
1829 DESTROY_IF(this->initiating.defrag);
1830 this->responding.defrag = NULL;
1831 this->initiating.defrag = NULL;
1832 if (initiate != UINT_MAX)
1833 {
1834 this->initiating.mid = initiate;
1835 }
1836 if (respond != UINT_MAX)
1837 {
1838 this->responding.mid = respond;
1839 }
1840 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1841
1842 /* reset queued tasks */
1843 enumerator = array_create_enumerator(this->queued_tasks);
1844 while (enumerator->enumerate(enumerator, &task))
1845 {
1846 task->migrate(task, this->ike_sa);
1847 }
1848 enumerator->destroy(enumerator);
1849
1850 /* reset active tasks */
1851 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
1852 {
1853 task->migrate(task, this->ike_sa);
1854 array_insert(this->queued_tasks, ARRAY_HEAD, task);
1855 }
1856
1857 this->reset = TRUE;
1858 }
1859
1860 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1861 private_task_manager_t *this, task_queue_t queue)
1862 {
1863 switch (queue)
1864 {
1865 case TASK_QUEUE_ACTIVE:
1866 return array_create_enumerator(this->active_tasks);
1867 case TASK_QUEUE_PASSIVE:
1868 return array_create_enumerator(this->passive_tasks);
1869 case TASK_QUEUE_QUEUED:
1870 return array_create_enumerator(this->queued_tasks);
1871 default:
1872 return enumerator_create_empty();
1873 }
1874 }
1875
1876 METHOD(task_manager_t, destroy, void,
1877 private_task_manager_t *this)
1878 {
1879 flush(this);
1880
1881 array_destroy(this->active_tasks);
1882 array_destroy(this->queued_tasks);
1883 array_destroy(this->passive_tasks);
1884
1885 clear_packets(this->responding.packets);
1886 array_destroy(this->responding.packets);
1887 clear_packets(this->initiating.packets);
1888 array_destroy(this->initiating.packets);
1889 DESTROY_IF(this->responding.defrag);
1890 DESTROY_IF(this->initiating.defrag);
1891 free(this);
1892 }
1893
1894 /*
1895 * see header file
1896 */
1897 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
1898 {
1899 private_task_manager_t *this;
1900
1901 INIT(this,
1902 .public = {
1903 .task_manager = {
1904 .process_message = _process_message,
1905 .queue_task = _queue_task,
1906 .queue_ike = _queue_ike,
1907 .queue_ike_rekey = _queue_ike_rekey,
1908 .queue_ike_reauth = _queue_ike_reauth,
1909 .queue_ike_delete = _queue_ike_delete,
1910 .queue_mobike = _queue_mobike,
1911 .queue_child = _queue_child,
1912 .queue_child_rekey = _queue_child_rekey,
1913 .queue_child_delete = _queue_child_delete,
1914 .queue_dpd = _queue_dpd,
1915 .initiate = _initiate,
1916 .retransmit = _retransmit,
1917 .incr_mid = _incr_mid,
1918 .reset = _reset,
1919 .adopt_tasks = _adopt_tasks,
1920 .adopt_child_tasks = _adopt_child_tasks,
1921 .busy = _busy,
1922 .create_task_enumerator = _create_task_enumerator,
1923 .flush = _flush,
1924 .flush_queue = _flush_queue,
1925 .destroy = _destroy,
1926 },
1927 },
1928 .ike_sa = ike_sa,
1929 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
1930 .queued_tasks = array_create(0, 0),
1931 .active_tasks = array_create(0, 0),
1932 .passive_tasks = array_create(0, 0),
1933 .retransmit_tries = lib->settings->get_int(lib->settings,
1934 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
1935 .retransmit_timeout = lib->settings->get_double(lib->settings,
1936 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
1937 .retransmit_base = lib->settings->get_double(lib->settings,
1938 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
1939 .make_before_break = lib->settings->get_bool(lib->settings,
1940 "%s.make_before_break", FALSE, lib->ns),
1941 );
1942
1943 return &this->public;
1944 }
strongSwan - IPsec VPN