ikev2: Delay online revocation checks during make-before-break reauthentication
[strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2015 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_vendor.h>
38 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
39 #include <sa/ikev2/tasks/child_create.h>
40 #include <sa/ikev2/tasks/child_rekey.h>
41 #include <sa/ikev2/tasks/child_delete.h>
42 #include <encoding/payloads/delete_payload.h>
43 #include <encoding/payloads/unknown_payload.h>
44 #include <processing/jobs/retransmit_job.h>
45 #include <processing/jobs/delete_ike_sa_job.h>
46
47 #ifdef ME
48 #include <sa/ikev2/tasks/ike_me.h>
49 #endif
50
51 typedef struct exchange_t exchange_t;
52
53 /**
54 * An exchange in the air, used do detect and handle retransmission
55 */
56 struct exchange_t {
57
58 /**
59 * Message ID used for this transaction
60 */
61 u_int32_t mid;
62
63 /**
64 * generated packet for retransmission
65 */
66 packet_t *packet;
67 };
68
69 typedef struct private_task_manager_t private_task_manager_t;
70
71 /**
72 * private data of the task manager
73 */
74 struct private_task_manager_t {
75
76 /**
77 * public functions
78 */
79 task_manager_v2_t public;
80
81 /**
82 * associated IKE_SA we are serving
83 */
84 ike_sa_t *ike_sa;
85
86 /**
87 * Exchange we are currently handling as responder
88 */
89 struct {
90 /**
91 * Message ID of the exchange
92 */
93 u_int32_t mid;
94
95 /**
96 * packet(s) for retransmission
97 */
98 array_t *packets;
99
100 /**
101 * Helper to defragment the request
102 */
103 message_t *defrag;
104
105 } responding;
106
107 /**
108 * Exchange we are currently handling as initiator
109 */
110 struct {
111 /**
112 * Message ID of the exchange
113 */
114 u_int32_t mid;
115
116 /**
117 * how many times we have retransmitted so far
118 */
119 u_int retransmitted;
120
121 /**
122 * packet(s) for retransmission
123 */
124 array_t *packets;
125
126 /**
127 * type of the initated exchange
128 */
129 exchange_type_t type;
130
131 /**
132 * TRUE if exchange was deferred because no path was available
133 */
134 bool deferred;
135
136 /**
137 * Helper to defragment the response
138 */
139 message_t *defrag;
140
141 } initiating;
142
143 /**
144 * Array of queued tasks not yet in action
145 */
146 array_t *queued_tasks;
147
148 /**
149 * Array of active tasks, initiated by ourselve
150 */
151 array_t *active_tasks;
152
153 /**
154 * Array of tasks initiated by peer
155 */
156 array_t *passive_tasks;
157
158 /**
159 * the task manager has been reset
160 */
161 bool reset;
162
163 /**
164 * Number of times we retransmit messages before giving up
165 */
166 u_int retransmit_tries;
167
168 /**
169 * Retransmission timeout
170 */
171 double retransmit_timeout;
172
173 /**
174 * Base to calculate retransmission timeout
175 */
176 double retransmit_base;
177
178 /**
179 * Use make-before-break instead of break-before-make reauth?
180 */
181 bool make_before_break;
182 };
183
184 /**
185 * Reset retransmission packet list
186 */
187 static void clear_packets(array_t *array)
188 {
189 packet_t *packet;
190
191 while (array_remove(array, ARRAY_TAIL, &packet))
192 {
193 packet->destroy(packet);
194 }
195 }
196
197 METHOD(task_manager_t, flush_queue, void,
198 private_task_manager_t *this, task_queue_t queue)
199 {
200 array_t *array;
201 task_t *task;
202
203 switch (queue)
204 {
205 case TASK_QUEUE_ACTIVE:
206 array = this->active_tasks;
207 break;
208 case TASK_QUEUE_PASSIVE:
209 array = this->passive_tasks;
210 break;
211 case TASK_QUEUE_QUEUED:
212 array = this->queued_tasks;
213 break;
214 default:
215 return;
216 }
217 while (array_remove(array, ARRAY_TAIL, &task))
218 {
219 task->destroy(task);
220 }
221 }
222
223 METHOD(task_manager_t, flush, void,
224 private_task_manager_t *this)
225 {
226 flush_queue(this, TASK_QUEUE_QUEUED);
227 flush_queue(this, TASK_QUEUE_PASSIVE);
228 flush_queue(this, TASK_QUEUE_ACTIVE);
229 }
230
231 /**
232 * move a task of a specific type from the queue to the active list
233 */
234 static bool activate_task(private_task_manager_t *this, task_type_t type)
235 {
236 enumerator_t *enumerator;
237 task_t *task;
238 bool found = FALSE;
239
240 enumerator = array_create_enumerator(this->queued_tasks);
241 while (enumerator->enumerate(enumerator, (void**)&task))
242 {
243 if (task->get_type(task) == type)
244 {
245 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
246 array_remove_at(this->queued_tasks, enumerator);
247 array_insert(this->active_tasks, ARRAY_TAIL, task);
248 found = TRUE;
249 break;
250 }
251 }
252 enumerator->destroy(enumerator);
253 return found;
254 }
255
256 /**
257 * Send packets in the given array (they get cloned). Optionally, the
258 * source and destination addresses are changed before sending it.
259 */
260 static void send_packets(private_task_manager_t *this, array_t *packets,
261 host_t *src, host_t *dst)
262 {
263 packet_t *packet, *clone;
264 int i;
265
266 for (i = 0; i < array_count(packets); i++)
267 {
268 array_get(packets, i, &packet);
269 clone = packet->clone(packet);
270 if (src)
271 {
272 clone->set_source(clone, src->clone(src));
273 }
274 if (dst)
275 {
276 clone->set_destination(clone, dst->clone(dst));
277 }
278 charon->sender->send(charon->sender, clone);
279 }
280 }
281
282 /**
283 * Generates the given message and stores packet(s) in the given array
284 */
285 static bool generate_message(private_task_manager_t *this, message_t *message,
286 array_t **packets)
287 {
288 enumerator_t *fragments;
289 packet_t *fragment;
290
291 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
292 &fragments) != SUCCESS)
293 {
294 return FALSE;
295 }
296 while (fragments->enumerate(fragments, &fragment))
297 {
298 array_insert_create(packets, ARRAY_TAIL, fragment);
299 }
300 fragments->destroy(fragments);
301 array_compress(*packets);
302 return TRUE;
303 }
304
305 METHOD(task_manager_t, retransmit, status_t,
306 private_task_manager_t *this, u_int32_t message_id)
307 {
308 if (message_id == this->initiating.mid &&
309 array_count(this->initiating.packets))
310 {
311 u_int32_t timeout;
312 job_t *job;
313 enumerator_t *enumerator;
314 packet_t *packet;
315 task_t *task;
316 ike_mobike_t *mobike = NULL;
317
318 array_get(this->initiating.packets, 0, &packet);
319
320 /* check if we are retransmitting a MOBIKE routability check */
321 if (this->initiating.type == INFORMATIONAL)
322 {
323 enumerator = array_create_enumerator(this->active_tasks);
324 while (enumerator->enumerate(enumerator, (void*)&task))
325 {
326 if (task->get_type(task) == TASK_IKE_MOBIKE)
327 {
328 mobike = (ike_mobike_t*)task;
329 break;
330 }
331 }
332 enumerator->destroy(enumerator);
333 }
334
335 if (!mobike || !mobike->is_probing(mobike))
336 {
337 if (this->initiating.retransmitted <= this->retransmit_tries)
338 {
339 timeout = (u_int32_t)(this->retransmit_timeout * 1000.0 *
340 pow(this->retransmit_base, this->initiating.retransmitted));
341 }
342 else
343 {
344 DBG1(DBG_IKE, "giving up after %d retransmits",
345 this->initiating.retransmitted - 1);
346 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
347 packet);
348 return DESTROY_ME;
349 }
350
351 if (this->initiating.retransmitted)
352 {
353 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
354 this->initiating.retransmitted, message_id);
355 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet);
356 }
357 if (!mobike)
358 {
359 send_packets(this, this->initiating.packets,
360 this->ike_sa->get_my_host(this->ike_sa),
361 this->ike_sa->get_other_host(this->ike_sa));
362 }
363 else
364 {
365 if (!mobike->transmit(mobike, packet))
366 {
367 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
368 "deferred");
369 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
370 this->initiating.deferred = TRUE;
371 return SUCCESS;
372 }
373 else if (mobike->is_probing(mobike))
374 {
375 timeout = ROUTEABILITY_CHECK_INTERVAL;
376 }
377 }
378 }
379 else
380 { /* for routeability checks, we use a more aggressive behavior */
381 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
382 {
383 timeout = ROUTEABILITY_CHECK_INTERVAL;
384 }
385 else
386 {
387 DBG1(DBG_IKE, "giving up after %d path probings",
388 this->initiating.retransmitted - 1);
389 return DESTROY_ME;
390 }
391
392 if (this->initiating.retransmitted)
393 {
394 DBG1(DBG_IKE, "path probing attempt %d",
395 this->initiating.retransmitted);
396 }
397 /* TODO-FRAG: presumably these small packets are not fragmented,
398 * we should maybe ensure this is the case when generating them */
399 if (!mobike->transmit(mobike, packet))
400 {
401 DBG1(DBG_IKE, "no route found to reach peer, path probing "
402 "deferred");
403 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
404 this->initiating.deferred = TRUE;
405 return SUCCESS;
406 }
407 }
408
409 this->initiating.retransmitted++;
410 job = (job_t*)retransmit_job_create(this->initiating.mid,
411 this->ike_sa->get_id(this->ike_sa));
412 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
413 }
414 return SUCCESS;
415 }
416
417 METHOD(task_manager_t, initiate, status_t,
418 private_task_manager_t *this)
419 {
420 enumerator_t *enumerator;
421 task_t *task;
422 message_t *message;
423 host_t *me, *other;
424 exchange_type_t exchange = 0;
425
426 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
427 {
428 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
429 exchange_type_names, this->initiating.type);
430 /* do not initiate if we already have a message in the air */
431 if (this->initiating.deferred)
432 { /* re-initiate deferred exchange */
433 this->initiating.deferred = FALSE;
434 this->initiating.retransmitted = 0;
435 return retransmit(this, this->initiating.mid);
436 }
437 return SUCCESS;
438 }
439
440 if (array_count(this->active_tasks) == 0)
441 {
442 DBG2(DBG_IKE, "activating new tasks");
443 switch (this->ike_sa->get_state(this->ike_sa))
444 {
445 case IKE_CREATED:
446 activate_task(this, TASK_IKE_VENDOR);
447 if (activate_task(this, TASK_IKE_INIT))
448 {
449 this->initiating.mid = 0;
450 exchange = IKE_SA_INIT;
451 activate_task(this, TASK_IKE_NATD);
452 activate_task(this, TASK_IKE_CERT_PRE);
453 #ifdef ME
454 /* this task has to be activated before the TASK_IKE_AUTH
455 * task, because that task pregenerates the packet after
456 * which no payloads can be added to the message anymore.
457 */
458 activate_task(this, TASK_IKE_ME);
459 #endif /* ME */
460 activate_task(this, TASK_IKE_AUTH);
461 activate_task(this, TASK_IKE_CERT_POST);
462 activate_task(this, TASK_IKE_CONFIG);
463 activate_task(this, TASK_CHILD_CREATE);
464 activate_task(this, TASK_IKE_AUTH_LIFETIME);
465 activate_task(this, TASK_IKE_MOBIKE);
466 }
467 break;
468 case IKE_ESTABLISHED:
469 if (activate_task(this, TASK_IKE_MOBIKE))
470 {
471 exchange = INFORMATIONAL;
472 break;
473 }
474 if (activate_task(this, TASK_IKE_DELETE))
475 {
476 exchange = INFORMATIONAL;
477 break;
478 }
479 if (activate_task(this, TASK_IKE_REDIRECT))
480 {
481 exchange = INFORMATIONAL;
482 break;
483 }
484 if (activate_task(this, TASK_CHILD_DELETE))
485 {
486 exchange = INFORMATIONAL;
487 break;
488 }
489 if (activate_task(this, TASK_IKE_REAUTH))
490 {
491 exchange = INFORMATIONAL;
492 break;
493 }
494 if (activate_task(this, TASK_CHILD_CREATE))
495 {
496 exchange = CREATE_CHILD_SA;
497 break;
498 }
499 if (activate_task(this, TASK_CHILD_REKEY))
500 {
501 exchange = CREATE_CHILD_SA;
502 break;
503 }
504 if (activate_task(this, TASK_IKE_REKEY))
505 {
506 exchange = CREATE_CHILD_SA;
507 break;
508 }
509 if (activate_task(this, TASK_IKE_DPD))
510 {
511 exchange = INFORMATIONAL;
512 break;
513 }
514 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
515 {
516 exchange = INFORMATIONAL;
517 break;
518 }
519 #ifdef ME
520 if (activate_task(this, TASK_IKE_ME))
521 {
522 exchange = ME_CONNECT;
523 break;
524 }
525 #endif /* ME */
526 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
527 {
528 exchange = INFORMATIONAL;
529 break;
530 }
531 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
532 {
533 exchange = INFORMATIONAL;
534 break;
535 }
536 case IKE_REKEYING:
537 if (activate_task(this, TASK_IKE_DELETE))
538 {
539 exchange = INFORMATIONAL;
540 break;
541 }
542 case IKE_DELETING:
543 default:
544 break;
545 }
546 }
547 else
548 {
549 DBG2(DBG_IKE, "reinitiating already active tasks");
550 enumerator = array_create_enumerator(this->active_tasks);
551 while (enumerator->enumerate(enumerator, &task))
552 {
553 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
554 switch (task->get_type(task))
555 {
556 case TASK_IKE_INIT:
557 exchange = IKE_SA_INIT;
558 break;
559 case TASK_IKE_AUTH:
560 exchange = IKE_AUTH;
561 break;
562 case TASK_CHILD_CREATE:
563 case TASK_CHILD_REKEY:
564 case TASK_IKE_REKEY:
565 exchange = CREATE_CHILD_SA;
566 break;
567 case TASK_IKE_MOBIKE:
568 exchange = INFORMATIONAL;
569 break;
570 default:
571 continue;
572 }
573 break;
574 }
575 enumerator->destroy(enumerator);
576 }
577
578 if (exchange == 0)
579 {
580 DBG2(DBG_IKE, "nothing to initiate");
581 /* nothing to do yet... */
582 return SUCCESS;
583 }
584
585 me = this->ike_sa->get_my_host(this->ike_sa);
586 other = this->ike_sa->get_other_host(this->ike_sa);
587
588 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
589 message->set_message_id(message, this->initiating.mid);
590 message->set_source(message, me->clone(me));
591 message->set_destination(message, other->clone(other));
592 message->set_exchange_type(message, exchange);
593 this->initiating.type = exchange;
594 this->initiating.retransmitted = 0;
595 this->initiating.deferred = FALSE;
596
597 enumerator = array_create_enumerator(this->active_tasks);
598 while (enumerator->enumerate(enumerator, &task))
599 {
600 switch (task->build(task, message))
601 {
602 case SUCCESS:
603 /* task completed, remove it */
604 array_remove_at(this->active_tasks, enumerator);
605 task->destroy(task);
606 break;
607 case NEED_MORE:
608 /* processed, but task needs another exchange */
609 break;
610 case FAILED:
611 default:
612 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
613 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING)
614 {
615 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
616 }
617 /* FALL */
618 case DESTROY_ME:
619 /* critical failure, destroy IKE_SA */
620 enumerator->destroy(enumerator);
621 message->destroy(message);
622 flush(this);
623 return DESTROY_ME;
624 }
625 }
626 enumerator->destroy(enumerator);
627
628 /* update exchange type if a task changed it */
629 this->initiating.type = message->get_exchange_type(message);
630 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
631 {
632 message->destroy(message);
633 return initiate(this);
634 }
635
636 if (!generate_message(this, message, &this->initiating.packets))
637 {
638 /* message generation failed. There is nothing more to do than to
639 * close the SA */
640 message->destroy(message);
641 flush(this);
642 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
643 return DESTROY_ME;
644 }
645 message->destroy(message);
646
647 array_compress(this->active_tasks);
648 array_compress(this->queued_tasks);
649
650 return retransmit(this, this->initiating.mid);
651 }
652
653 /**
654 * handle an incoming response message
655 */
656 static status_t process_response(private_task_manager_t *this,
657 message_t *message)
658 {
659 enumerator_t *enumerator;
660 task_t *task;
661
662 if (message->get_exchange_type(message) != this->initiating.type)
663 {
664 DBG1(DBG_IKE, "received %N response, but expected %N",
665 exchange_type_names, message->get_exchange_type(message),
666 exchange_type_names, this->initiating.type);
667 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
668 return DESTROY_ME;
669 }
670
671 enumerator = array_create_enumerator(this->active_tasks);
672 while (enumerator->enumerate(enumerator, &task))
673 {
674 if (!task->pre_process)
675 {
676 continue;
677 }
678 switch (task->pre_process(task, message))
679 {
680 case SUCCESS:
681 break;
682 case FAILED:
683 default:
684 /* just ignore the message */
685 DBG1(DBG_IKE, "ignore invalid %N response",
686 exchange_type_names, message->get_exchange_type(message));
687 enumerator->destroy(enumerator);
688 return SUCCESS;
689 case DESTROY_ME:
690 /* critical failure, destroy IKE_SA */
691 enumerator->destroy(enumerator);
692 return DESTROY_ME;
693 }
694 }
695 enumerator->destroy(enumerator);
696
697 /* catch if we get resetted while processing */
698 this->reset = FALSE;
699 enumerator = array_create_enumerator(this->active_tasks);
700 while (enumerator->enumerate(enumerator, &task))
701 {
702 switch (task->process(task, message))
703 {
704 case SUCCESS:
705 /* task completed, remove it */
706 array_remove_at(this->active_tasks, enumerator);
707 task->destroy(task);
708 break;
709 case NEED_MORE:
710 /* processed, but task needs another exchange */
711 break;
712 case FAILED:
713 default:
714 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
715 /* FALL */
716 case DESTROY_ME:
717 /* critical failure, destroy IKE_SA */
718 array_remove_at(this->active_tasks, enumerator);
719 enumerator->destroy(enumerator);
720 task->destroy(task);
721 return DESTROY_ME;
722 }
723 if (this->reset)
724 { /* start all over again if we were reset */
725 this->reset = FALSE;
726 enumerator->destroy(enumerator);
727 return initiate(this);
728 }
729 }
730 enumerator->destroy(enumerator);
731
732 this->initiating.mid++;
733 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
734 clear_packets(this->initiating.packets);
735
736 array_compress(this->active_tasks);
737
738 return initiate(this);
739 }
740
741 /**
742 * handle exchange collisions
743 */
744 static bool handle_collisions(private_task_manager_t *this, task_t *task)
745 {
746 enumerator_t *enumerator;
747 task_t *active;
748 task_type_t type;
749
750 type = task->get_type(task);
751
752 /* do we have to check */
753 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
754 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE ||
755 type == TASK_IKE_REAUTH)
756 {
757 /* find an exchange collision, and notify these tasks */
758 enumerator = array_create_enumerator(this->active_tasks);
759 while (enumerator->enumerate(enumerator, &active))
760 {
761 switch (active->get_type(active))
762 {
763 case TASK_IKE_REKEY:
764 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE ||
765 type == TASK_IKE_REAUTH)
766 {
767 ike_rekey_t *rekey = (ike_rekey_t*)active;
768 rekey->collide(rekey, task);
769 break;
770 }
771 continue;
772 case TASK_CHILD_REKEY:
773 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
774 {
775 child_rekey_t *rekey = (child_rekey_t*)active;
776 rekey->collide(rekey, task);
777 break;
778 }
779 continue;
780 default:
781 continue;
782 }
783 enumerator->destroy(enumerator);
784 return TRUE;
785 }
786 enumerator->destroy(enumerator);
787 }
788 return FALSE;
789 }
790
791 /**
792 * build a response depending on the "passive" task list
793 */
794 static status_t build_response(private_task_manager_t *this, message_t *request)
795 {
796 enumerator_t *enumerator;
797 task_t *task;
798 message_t *message;
799 host_t *me, *other;
800 bool delete = FALSE, hook = FALSE;
801 ike_sa_id_t *id = NULL;
802 u_int64_t responder_spi = 0;
803 bool result;
804
805 me = request->get_destination(request);
806 other = request->get_source(request);
807
808 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
809 message->set_exchange_type(message, request->get_exchange_type(request));
810 /* send response along the path the request came in */
811 message->set_source(message, me->clone(me));
812 message->set_destination(message, other->clone(other));
813 message->set_message_id(message, this->responding.mid);
814 message->set_request(message, FALSE);
815
816 enumerator = array_create_enumerator(this->passive_tasks);
817 while (enumerator->enumerate(enumerator, (void*)&task))
818 {
819 switch (task->build(task, message))
820 {
821 case SUCCESS:
822 /* task completed, remove it */
823 array_remove_at(this->passive_tasks, enumerator);
824 if (!handle_collisions(this, task))
825 {
826 task->destroy(task);
827 }
828 break;
829 case NEED_MORE:
830 /* processed, but task needs another exchange */
831 if (handle_collisions(this, task))
832 {
833 array_remove_at(this->passive_tasks, enumerator);
834 }
835 break;
836 case FAILED:
837 default:
838 hook = TRUE;
839 /* FALL */
840 case DESTROY_ME:
841 /* destroy IKE_SA, but SEND response first */
842 delete = TRUE;
843 break;
844 }
845 if (delete)
846 {
847 break;
848 }
849 }
850 enumerator->destroy(enumerator);
851
852 /* RFC 5996, section 2.6 mentions that in the event of a failure during
853 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
854 * actually explicitly allows it to be non-zero. Since we use the responder
855 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
856 * zero temporarily, otherwise checking the SA in would fail. */
857 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
858 {
859 id = this->ike_sa->get_id(this->ike_sa);
860 responder_spi = id->get_responder_spi(id);
861 id->set_responder_spi(id, 0);
862 }
863
864 /* message complete, send it */
865 clear_packets(this->responding.packets);
866 result = generate_message(this, message, &this->responding.packets);
867 message->destroy(message);
868 if (id)
869 {
870 id->set_responder_spi(id, responder_spi);
871 }
872 if (!result)
873 {
874 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
875 return DESTROY_ME;
876 }
877
878 send_packets(this, this->responding.packets, NULL, NULL);
879 if (delete)
880 {
881 if (hook)
882 {
883 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
884 }
885 return DESTROY_ME;
886 }
887
888 array_compress(this->passive_tasks);
889
890 return SUCCESS;
891 }
892
893 /**
894 * handle an incoming request message
895 */
896 static status_t process_request(private_task_manager_t *this,
897 message_t *message)
898 {
899 enumerator_t *enumerator;
900 task_t *task = NULL;
901 payload_t *payload;
902 notify_payload_t *notify;
903 delete_payload_t *delete;
904
905 if (array_count(this->passive_tasks) == 0)
906 { /* create tasks depending on request type, if not already some queued */
907 switch (message->get_exchange_type(message))
908 {
909 case IKE_SA_INIT:
910 {
911 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
912 array_insert(this->passive_tasks, ARRAY_TAIL, task);
913 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
914 array_insert(this->passive_tasks, ARRAY_TAIL, task);
915 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
916 array_insert(this->passive_tasks, ARRAY_TAIL, task);
917 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
918 array_insert(this->passive_tasks, ARRAY_TAIL, task);
919 #ifdef ME
920 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
921 array_insert(this->passive_tasks, ARRAY_TAIL, task);
922 #endif /* ME */
923 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
924 array_insert(this->passive_tasks, ARRAY_TAIL, task);
925 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
926 array_insert(this->passive_tasks, ARRAY_TAIL, task);
927 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
928 array_insert(this->passive_tasks, ARRAY_TAIL, task);
929 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
930 NULL, NULL);
931 array_insert(this->passive_tasks, ARRAY_TAIL, task);
932 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
933 array_insert(this->passive_tasks, ARRAY_TAIL, task);
934 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
935 array_insert(this->passive_tasks, ARRAY_TAIL, task);
936 break;
937 }
938 case CREATE_CHILD_SA:
939 { /* FIXME: we should prevent this on mediation connections */
940 bool notify_found = FALSE, ts_found = FALSE;
941
942 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
943 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING)
944 {
945 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
946 "unestablished IKE_SA, rejected");
947 return FAILED;
948 }
949
950 enumerator = message->create_payload_enumerator(message);
951 while (enumerator->enumerate(enumerator, &payload))
952 {
953 switch (payload->get_type(payload))
954 {
955 case PLV2_NOTIFY:
956 { /* if we find a rekey notify, its CHILD_SA rekeying */
957 notify = (notify_payload_t*)payload;
958 if (notify->get_notify_type(notify) == REKEY_SA &&
959 (notify->get_protocol_id(notify) == PROTO_AH ||
960 notify->get_protocol_id(notify) == PROTO_ESP))
961 {
962 notify_found = TRUE;
963 }
964 break;
965 }
966 case PLV2_TS_INITIATOR:
967 case PLV2_TS_RESPONDER:
968 { /* if we don't find a TS, its IKE rekeying */
969 ts_found = TRUE;
970 break;
971 }
972 default:
973 break;
974 }
975 }
976 enumerator->destroy(enumerator);
977
978 if (ts_found)
979 {
980 if (notify_found)
981 {
982 task = (task_t*)child_rekey_create(this->ike_sa,
983 PROTO_NONE, 0);
984 }
985 else
986 {
987 task = (task_t*)child_create_create(this->ike_sa, NULL,
988 FALSE, NULL, NULL);
989 }
990 }
991 else
992 {
993 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
994 }
995 array_insert(this->passive_tasks, ARRAY_TAIL, task);
996 break;
997 }
998 case INFORMATIONAL:
999 {
1000 enumerator = message->create_payload_enumerator(message);
1001 while (enumerator->enumerate(enumerator, &payload))
1002 {
1003 switch (payload->get_type(payload))
1004 {
1005 case PLV2_NOTIFY:
1006 {
1007 notify = (notify_payload_t*)payload;
1008 switch (notify->get_notify_type(notify))
1009 {
1010 case ADDITIONAL_IP4_ADDRESS:
1011 case ADDITIONAL_IP6_ADDRESS:
1012 case NO_ADDITIONAL_ADDRESSES:
1013 case UPDATE_SA_ADDRESSES:
1014 case NO_NATS_ALLOWED:
1015 case UNACCEPTABLE_ADDRESSES:
1016 case UNEXPECTED_NAT_DETECTED:
1017 case COOKIE2:
1018 case NAT_DETECTION_SOURCE_IP:
1019 case NAT_DETECTION_DESTINATION_IP:
1020 task = (task_t*)ike_mobike_create(
1021 this->ike_sa, FALSE);
1022 break;
1023 case AUTH_LIFETIME:
1024 task = (task_t*)ike_auth_lifetime_create(
1025 this->ike_sa, FALSE);
1026 break;
1027 case AUTHENTICATION_FAILED:
1028 /* initiator failed to authenticate us.
1029 * We use ike_delete to handle this, which
1030 * invokes all the required hooks. */
1031 task = (task_t*)ike_delete_create(
1032 this->ike_sa, FALSE);
1033 break;
1034 case REDIRECT:
1035 task = (task_t*)ike_redirect_create(
1036 this->ike_sa, NULL);
1037 break;
1038 default:
1039 break;
1040 }
1041 break;
1042 }
1043 case PLV2_DELETE:
1044 {
1045 delete = (delete_payload_t*)payload;
1046 if (delete->get_protocol_id(delete) == PROTO_IKE)
1047 {
1048 task = (task_t*)ike_delete_create(this->ike_sa,
1049 FALSE);
1050 }
1051 else
1052 {
1053 task = (task_t*)child_delete_create(this->ike_sa,
1054 PROTO_NONE, 0, FALSE);
1055 }
1056 break;
1057 }
1058 default:
1059 break;
1060 }
1061 if (task)
1062 {
1063 break;
1064 }
1065 }
1066 enumerator->destroy(enumerator);
1067
1068 if (task == NULL)
1069 {
1070 task = (task_t*)ike_dpd_create(FALSE);
1071 }
1072 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1073 break;
1074 }
1075 #ifdef ME
1076 case ME_CONNECT:
1077 {
1078 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1079 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1080 }
1081 #endif /* ME */
1082 default:
1083 break;
1084 }
1085 }
1086
1087 enumerator = array_create_enumerator(this->passive_tasks);
1088 while (enumerator->enumerate(enumerator, &task))
1089 {
1090 if (!task->pre_process)
1091 {
1092 continue;
1093 }
1094 switch (task->pre_process(task, message))
1095 {
1096 case SUCCESS:
1097 break;
1098 case FAILED:
1099 default:
1100 /* just ignore the message */
1101 DBG1(DBG_IKE, "ignore invalid %N request",
1102 exchange_type_names, message->get_exchange_type(message));
1103 enumerator->destroy(enumerator);
1104 switch (message->get_exchange_type(message))
1105 {
1106 case IKE_SA_INIT:
1107 /* no point in keeping the SA when it was created with
1108 * an invalid IKE_SA_INIT message */
1109 return DESTROY_ME;
1110 default:
1111 /* remove tasks we queued for this request */
1112 flush_queue(this, TASK_QUEUE_PASSIVE);
1113 /* fall-through */
1114 case IKE_AUTH:
1115 return NEED_MORE;
1116 }
1117 case DESTROY_ME:
1118 /* critical failure, destroy IKE_SA */
1119 enumerator->destroy(enumerator);
1120 return DESTROY_ME;
1121 }
1122 }
1123 enumerator->destroy(enumerator);
1124
1125 /* let the tasks process the message */
1126 enumerator = array_create_enumerator(this->passive_tasks);
1127 while (enumerator->enumerate(enumerator, (void*)&task))
1128 {
1129 switch (task->process(task, message))
1130 {
1131 case SUCCESS:
1132 /* task completed, remove it */
1133 array_remove_at(this->passive_tasks, enumerator);
1134 task->destroy(task);
1135 break;
1136 case NEED_MORE:
1137 /* processed, but task needs at least another call to build() */
1138 break;
1139 case FAILED:
1140 default:
1141 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1142 /* FALL */
1143 case DESTROY_ME:
1144 /* critical failure, destroy IKE_SA */
1145 array_remove_at(this->passive_tasks, enumerator);
1146 enumerator->destroy(enumerator);
1147 task->destroy(task);
1148 return DESTROY_ME;
1149 }
1150 }
1151 enumerator->destroy(enumerator);
1152
1153 return build_response(this, message);
1154 }
1155
1156 METHOD(task_manager_t, incr_mid, void,
1157 private_task_manager_t *this, bool initiate)
1158 {
1159 if (initiate)
1160 {
1161 this->initiating.mid++;
1162 }
1163 else
1164 {
1165 this->responding.mid++;
1166 }
1167 }
1168
1169 /**
1170 * Handle the given IKE fragment, if it is one.
1171 *
1172 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1173 * handled properly. Error states are returned if the fragment was invalid or
1174 * the reassembled message could not have been processed properly.
1175 */
1176 static status_t handle_fragment(private_task_manager_t *this,
1177 message_t **defrag, message_t *msg)
1178 {
1179 message_t *reassembled;
1180 status_t status;
1181
1182 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1183 {
1184 return SUCCESS;
1185 }
1186 if (!*defrag)
1187 {
1188 *defrag = message_create_defrag(msg);
1189 if (!*defrag)
1190 {
1191 return FAILED;
1192 }
1193 }
1194 status = (*defrag)->add_fragment(*defrag, msg);
1195 if (status == SUCCESS)
1196 {
1197 /* reinject the reassembled message */
1198 reassembled = *defrag;
1199 *defrag = NULL;
1200 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1201 if (status == SUCCESS)
1202 {
1203 /* avoid processing the last fragment */
1204 status = NEED_MORE;
1205 }
1206 reassembled->destroy(reassembled);
1207 }
1208 return status;
1209 }
1210
1211 /**
1212 * Send a notify back to the sender
1213 */
1214 static void send_notify_response(private_task_manager_t *this,
1215 message_t *request, notify_type_t type,
1216 chunk_t data)
1217 {
1218 message_t *response;
1219 packet_t *packet;
1220 host_t *me, *other;
1221
1222 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1223 response->set_exchange_type(response, request->get_exchange_type(request));
1224 response->set_request(response, FALSE);
1225 response->set_message_id(response, request->get_message_id(request));
1226 response->add_notify(response, FALSE, type, data);
1227 me = this->ike_sa->get_my_host(this->ike_sa);
1228 if (me->is_anyaddr(me))
1229 {
1230 me = request->get_destination(request);
1231 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1232 }
1233 other = this->ike_sa->get_other_host(this->ike_sa);
1234 if (other->is_anyaddr(other))
1235 {
1236 other = request->get_source(request);
1237 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1238 }
1239 response->set_source(response, me->clone(me));
1240 response->set_destination(response, other->clone(other));
1241 if (this->ike_sa->generate_message(this->ike_sa, response,
1242 &packet) == SUCCESS)
1243 {
1244 charon->sender->send(charon->sender, packet);
1245 }
1246 response->destroy(response);
1247 }
1248
1249 /**
1250 * Parse the given message and verify that it is valid.
1251 */
1252 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1253 {
1254 status_t status;
1255 u_int8_t type = 0;
1256
1257 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1258
1259 if (status == SUCCESS)
1260 { /* check for unsupported critical payloads */
1261 enumerator_t *enumerator;
1262 unknown_payload_t *unknown;
1263 payload_t *payload;
1264
1265 enumerator = msg->create_payload_enumerator(msg);
1266 while (enumerator->enumerate(enumerator, &payload))
1267 {
1268 if (payload->get_type(payload) == PL_UNKNOWN)
1269 {
1270 unknown = (unknown_payload_t*)payload;
1271 if (unknown->is_critical(unknown))
1272 {
1273 type = unknown->get_type(unknown);
1274 DBG1(DBG_ENC, "payload type %N is not supported, "
1275 "but its critical!", payload_type_names, type);
1276 status = NOT_SUPPORTED;
1277 break;
1278 }
1279 }
1280 }
1281 enumerator->destroy(enumerator);
1282 }
1283
1284 if (status != SUCCESS)
1285 {
1286 bool is_request = msg->get_request(msg);
1287
1288 switch (status)
1289 {
1290 case NOT_SUPPORTED:
1291 DBG1(DBG_IKE, "critical unknown payloads found");
1292 if (is_request)
1293 {
1294 send_notify_response(this, msg,
1295 UNSUPPORTED_CRITICAL_PAYLOAD,
1296 chunk_from_thing(type));
1297 incr_mid(this, FALSE);
1298 }
1299 break;
1300 case PARSE_ERROR:
1301 DBG1(DBG_IKE, "message parsing failed");
1302 if (is_request)
1303 {
1304 send_notify_response(this, msg,
1305 INVALID_SYNTAX, chunk_empty);
1306 incr_mid(this, FALSE);
1307 }
1308 break;
1309 case VERIFY_ERROR:
1310 DBG1(DBG_IKE, "message verification failed");
1311 if (is_request)
1312 {
1313 send_notify_response(this, msg,
1314 INVALID_SYNTAX, chunk_empty);
1315 incr_mid(this, FALSE);
1316 }
1317 break;
1318 case FAILED:
1319 DBG1(DBG_IKE, "integrity check failed");
1320 /* ignored */
1321 break;
1322 case INVALID_STATE:
1323 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1324 default:
1325 break;
1326 }
1327 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1328 exchange_type_names, msg->get_exchange_type(msg),
1329 is_request ? "request" : "response",
1330 msg->get_message_id(msg));
1331
1332 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1333
1334 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1335 { /* invalid initiation attempt, close SA */
1336 return DESTROY_ME;
1337 }
1338 }
1339 return status;
1340 }
1341
1342
1343 METHOD(task_manager_t, process_message, status_t,
1344 private_task_manager_t *this, message_t *msg)
1345 {
1346 host_t *me, *other;
1347 status_t status;
1348 u_int32_t mid;
1349 bool schedule_delete_job = FALSE;
1350
1351 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1352 status = parse_message(this, msg);
1353 if (status != SUCCESS)
1354 {
1355 return status;
1356 }
1357
1358 me = msg->get_destination(msg);
1359 other = msg->get_source(msg);
1360
1361 /* if this IKE_SA is virgin, we check for a config */
1362 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1363 {
1364 ike_cfg_t *ike_cfg;
1365
1366 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1367 me, other, IKEV2);
1368 if (ike_cfg == NULL)
1369 {
1370 /* no config found for these hosts, destroy */
1371 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1372 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1373 send_notify_response(this, msg,
1374 NO_PROPOSAL_CHOSEN, chunk_empty);
1375 return DESTROY_ME;
1376 }
1377 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1378 ike_cfg->destroy(ike_cfg);
1379 /* add a timeout if peer does not establish it completely */
1380 schedule_delete_job = TRUE;
1381 }
1382 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1383 time_monotonic(NULL));
1384
1385 mid = msg->get_message_id(msg);
1386 if (msg->get_request(msg))
1387 {
1388 if (mid == this->responding.mid)
1389 {
1390 /* reject initial messages if not received in specific states */
1391 if ((msg->get_exchange_type(msg) == IKE_SA_INIT &&
1392 this->ike_sa->get_state(this->ike_sa) != IKE_CREATED) ||
1393 (msg->get_exchange_type(msg) == IKE_AUTH &&
1394 this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING))
1395 {
1396 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
1397 exchange_type_names, msg->get_exchange_type(msg),
1398 ike_sa_state_names, this->ike_sa->get_state(this->ike_sa));
1399 return FAILED;
1400 }
1401 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1402 { /* with MOBIKE, we do no implicit updates */
1403 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1404 }
1405 status = handle_fragment(this, &this->responding.defrag, msg);
1406 if (status != SUCCESS)
1407 {
1408 return status;
1409 }
1410 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1411 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1412 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1413 return SUCCESS;
1414 }
1415 switch (process_request(this, msg))
1416 {
1417 case SUCCESS:
1418 this->responding.mid++;
1419 break;
1420 case NEED_MORE:
1421 break;
1422 default:
1423 flush(this);
1424 return DESTROY_ME;
1425 }
1426 }
1427 else if ((mid == this->responding.mid - 1) &&
1428 array_count(this->responding.packets))
1429 {
1430 status = handle_fragment(this, &this->responding.defrag, msg);
1431 if (status != SUCCESS)
1432 {
1433 return status;
1434 }
1435 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1436 "retransmitting response", mid);
1437 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1438 send_packets(this, this->responding.packets,
1439 msg->get_destination(msg), msg->get_source(msg));
1440 }
1441 else
1442 {
1443 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1444 mid, this->responding.mid);
1445 }
1446 }
1447 else
1448 {
1449 if (mid == this->initiating.mid)
1450 {
1451 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1452 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1453 msg->get_exchange_type(msg) != IKE_SA_INIT)
1454 { /* only do updates based on verified messages (or initial ones) */
1455 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1456 { /* with MOBIKE, we do no implicit updates. we force an
1457 * update of the local address on IKE_SA_INIT, but never
1458 * for the remote address */
1459 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1460 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1461 }
1462 }
1463 status = handle_fragment(this, &this->initiating.defrag, msg);
1464 if (status != SUCCESS)
1465 {
1466 return status;
1467 }
1468 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1469 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1470 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1471 return SUCCESS;
1472 }
1473 if (process_response(this, msg) != SUCCESS)
1474 {
1475 flush(this);
1476 return DESTROY_ME;
1477 }
1478 }
1479 else
1480 {
1481 DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
1482 mid, this->initiating.mid);
1483 return SUCCESS;
1484 }
1485 }
1486
1487 if (schedule_delete_job)
1488 {
1489 ike_sa_id_t *ike_sa_id;
1490 job_t *job;
1491
1492 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1493 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1494 lib->scheduler->schedule_job(lib->scheduler, job,
1495 lib->settings->get_int(lib->settings,
1496 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1497 lib->ns));
1498 }
1499 return SUCCESS;
1500 }
1501
1502 METHOD(task_manager_t, queue_task, void,
1503 private_task_manager_t *this, task_t *task)
1504 {
1505 if (task->get_type(task) == TASK_IKE_MOBIKE)
1506 { /* there is no need to queue more than one mobike task */
1507 enumerator_t *enumerator;
1508 task_t *current;
1509
1510 enumerator = array_create_enumerator(this->queued_tasks);
1511 while (enumerator->enumerate(enumerator, &current))
1512 {
1513 if (current->get_type(current) == TASK_IKE_MOBIKE)
1514 {
1515 enumerator->destroy(enumerator);
1516 task->destroy(task);
1517 return;
1518 }
1519 }
1520 enumerator->destroy(enumerator);
1521 }
1522 DBG2(DBG_IKE, "queueing %N task", task_type_names, task->get_type(task));
1523 array_insert(this->queued_tasks, ARRAY_TAIL, task);
1524 }
1525
1526 /**
1527 * Check if a given task has been queued already
1528 */
1529 static bool has_queued(private_task_manager_t *this, task_type_t type)
1530 {
1531 enumerator_t *enumerator;
1532 bool found = FALSE;
1533 task_t *task;
1534
1535 enumerator = array_create_enumerator(this->queued_tasks);
1536 while (enumerator->enumerate(enumerator, &task))
1537 {
1538 if (task->get_type(task) == type)
1539 {
1540 found = TRUE;
1541 break;
1542 }
1543 }
1544 enumerator->destroy(enumerator);
1545 return found;
1546 }
1547
1548 METHOD(task_manager_t, queue_ike, void,
1549 private_task_manager_t *this)
1550 {
1551 if (!has_queued(this, TASK_IKE_VENDOR))
1552 {
1553 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1554 }
1555 if (!has_queued(this, TASK_IKE_INIT))
1556 {
1557 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1558 }
1559 if (!has_queued(this, TASK_IKE_NATD))
1560 {
1561 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1562 }
1563 if (!has_queued(this, TASK_IKE_CERT_PRE))
1564 {
1565 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1566 }
1567 if (!has_queued(this, TASK_IKE_AUTH))
1568 {
1569 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1570 }
1571 if (!has_queued(this, TASK_IKE_CERT_POST))
1572 {
1573 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1574 }
1575 if (!has_queued(this, TASK_IKE_CONFIG))
1576 {
1577 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1578 }
1579 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1580 {
1581 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1582 }
1583 if (!has_queued(this, TASK_IKE_MOBIKE))
1584 {
1585 peer_cfg_t *peer_cfg;
1586
1587 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1588 if (peer_cfg->use_mobike(peer_cfg))
1589 {
1590 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1591 }
1592 }
1593 #ifdef ME
1594 if (!has_queued(this, TASK_IKE_ME))
1595 {
1596 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1597 }
1598 #endif /* ME */
1599 }
1600
1601 METHOD(task_manager_t, queue_ike_rekey, void,
1602 private_task_manager_t *this)
1603 {
1604 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1605 }
1606
1607 /**
1608 * Start reauthentication using make-before-break
1609 */
1610 static void trigger_mbb_reauth(private_task_manager_t *this)
1611 {
1612 enumerator_t *enumerator;
1613 child_sa_t *child_sa;
1614 child_cfg_t *cfg;
1615 ike_sa_t *new;
1616 host_t *host;
1617 task_t *task;
1618
1619 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1620 this->ike_sa->get_version(this->ike_sa), TRUE);
1621 if (!new)
1622 { /* shouldn't happen */
1623 return;
1624 }
1625
1626 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1627 host = this->ike_sa->get_other_host(this->ike_sa);
1628 new->set_other_host(new, host->clone(host));
1629 host = this->ike_sa->get_my_host(this->ike_sa);
1630 new->set_my_host(new, host->clone(host));
1631 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1632 while (enumerator->enumerate(enumerator, &host))
1633 {
1634 new->add_virtual_ip(new, TRUE, host);
1635 }
1636 enumerator->destroy(enumerator);
1637
1638 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1639 while (enumerator->enumerate(enumerator, &child_sa))
1640 {
1641 cfg = child_sa->get_config(child_sa);
1642 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
1643 FALSE, NULL, NULL)->task);
1644 }
1645 enumerator->destroy(enumerator);
1646
1647 enumerator = array_create_enumerator(this->queued_tasks);
1648 while (enumerator->enumerate(enumerator, &task))
1649 {
1650 if (task->get_type(task) == TASK_CHILD_CREATE)
1651 {
1652 task->migrate(task, new);
1653 new->queue_task(new, task);
1654 array_remove_at(this->queued_tasks, enumerator);
1655 }
1656 }
1657 enumerator->destroy(enumerator);
1658
1659 /* suspend online revocation checking until the SA is established */
1660 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
1661
1662 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1663 {
1664 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
1665 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1666 this->ike_sa->get_id(this->ike_sa)));
1667 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1668 }
1669 else
1670 {
1671 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1672 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1673 }
1674 charon->bus->set_sa(charon->bus, this->ike_sa);
1675 }
1676
1677 METHOD(task_manager_t, queue_ike_reauth, void,
1678 private_task_manager_t *this)
1679 {
1680 if (this->make_before_break)
1681 {
1682 return trigger_mbb_reauth(this);
1683 }
1684 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1685 }
1686
1687 METHOD(task_manager_t, queue_ike_delete, void,
1688 private_task_manager_t *this)
1689 {
1690 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1691 }
1692
1693 METHOD(task_manager_t, queue_mobike, void,
1694 private_task_manager_t *this, bool roam, bool address)
1695 {
1696 ike_mobike_t *mobike;
1697
1698 mobike = ike_mobike_create(this->ike_sa, TRUE);
1699 if (roam)
1700 {
1701 enumerator_t *enumerator;
1702 task_t *current;
1703
1704 mobike->roam(mobike, address);
1705
1706 /* enable path probing for a currently active MOBIKE task. This might
1707 * not be the case if an address appeared on a new interface while the
1708 * current address is not working but has not yet disappeared. */
1709 enumerator = array_create_enumerator(this->active_tasks);
1710 while (enumerator->enumerate(enumerator, &current))
1711 {
1712 if (current->get_type(current) == TASK_IKE_MOBIKE)
1713 {
1714 ike_mobike_t *active = (ike_mobike_t*)current;
1715 active->enable_probing(active);
1716 break;
1717 }
1718 }
1719 enumerator->destroy(enumerator);
1720 }
1721 else
1722 {
1723 mobike->addresses(mobike);
1724 }
1725 queue_task(this, &mobike->task);
1726 }
1727
1728 METHOD(task_manager_t, queue_child, void,
1729 private_task_manager_t *this, child_cfg_t *cfg, u_int32_t reqid,
1730 traffic_selector_t *tsi, traffic_selector_t *tsr)
1731 {
1732 child_create_t *task;
1733
1734 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
1735 if (reqid)
1736 {
1737 task->use_reqid(task, reqid);
1738 }
1739 queue_task(this, &task->task);
1740 }
1741
1742 METHOD(task_manager_t, queue_child_rekey, void,
1743 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi)
1744 {
1745 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
1746 }
1747
1748 METHOD(task_manager_t, queue_child_delete, void,
1749 private_task_manager_t *this, protocol_id_t protocol, u_int32_t spi,
1750 bool expired)
1751 {
1752 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
1753 protocol, spi, expired));
1754 }
1755
1756 METHOD(task_manager_t, queue_dpd, void,
1757 private_task_manager_t *this)
1758 {
1759 ike_mobike_t *mobike;
1760
1761 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
1762 this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
1763 {
1764 /* use mobike enabled DPD to detect NAT mapping changes */
1765 mobike = ike_mobike_create(this->ike_sa, TRUE);
1766 mobike->dpd(mobike);
1767 queue_task(this, &mobike->task);
1768 }
1769 else
1770 {
1771 queue_task(this, (task_t*)ike_dpd_create(TRUE));
1772 }
1773 }
1774
1775 METHOD(task_manager_t, adopt_tasks, void,
1776 private_task_manager_t *this, task_manager_t *other_public)
1777 {
1778 private_task_manager_t *other = (private_task_manager_t*)other_public;
1779 task_t *task;
1780
1781 /* move queued tasks from other to this */
1782 while (array_remove(other->queued_tasks, ARRAY_TAIL, &task))
1783 {
1784 DBG2(DBG_IKE, "migrating %N task", task_type_names, task->get_type(task));
1785 task->migrate(task, this->ike_sa);
1786 array_insert(this->queued_tasks, ARRAY_HEAD, task);
1787 }
1788 }
1789
1790 /**
1791 * Migrates child-creating tasks from src to dst
1792 */
1793 static void migrate_child_tasks(private_task_manager_t *this,
1794 array_t *src, array_t *dst)
1795 {
1796 enumerator_t *enumerator;
1797 task_t *task;
1798
1799 enumerator = array_create_enumerator(src);
1800 while (enumerator->enumerate(enumerator, &task))
1801 {
1802 if (task->get_type(task) == TASK_CHILD_CREATE)
1803 {
1804 array_remove_at(src, enumerator);
1805 task->migrate(task, this->ike_sa);
1806 array_insert(dst, ARRAY_TAIL, task);
1807 }
1808 }
1809 enumerator->destroy(enumerator);
1810 }
1811
1812 METHOD(task_manager_t, adopt_child_tasks, void,
1813 private_task_manager_t *this, task_manager_t *other_public)
1814 {
1815 private_task_manager_t *other = (private_task_manager_t*)other_public;
1816
1817 /* move active child tasks from other to this */
1818 migrate_child_tasks(this, other->active_tasks, this->queued_tasks);
1819 /* do the same for queued tasks */
1820 migrate_child_tasks(this, other->queued_tasks, this->queued_tasks);
1821 }
1822
1823 METHOD(task_manager_t, busy, bool,
1824 private_task_manager_t *this)
1825 {
1826 return array_count(this->active_tasks) > 0;
1827 }
1828
1829 METHOD(task_manager_t, reset, void,
1830 private_task_manager_t *this, u_int32_t initiate, u_int32_t respond)
1831 {
1832 enumerator_t *enumerator;
1833 task_t *task;
1834
1835 /* reset message counters and retransmit packets */
1836 clear_packets(this->responding.packets);
1837 clear_packets(this->initiating.packets);
1838 DESTROY_IF(this->responding.defrag);
1839 DESTROY_IF(this->initiating.defrag);
1840 this->responding.defrag = NULL;
1841 this->initiating.defrag = NULL;
1842 if (initiate != UINT_MAX)
1843 {
1844 this->initiating.mid = initiate;
1845 }
1846 if (respond != UINT_MAX)
1847 {
1848 this->responding.mid = respond;
1849 }
1850 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
1851
1852 /* reset queued tasks */
1853 enumerator = array_create_enumerator(this->queued_tasks);
1854 while (enumerator->enumerate(enumerator, &task))
1855 {
1856 task->migrate(task, this->ike_sa);
1857 }
1858 enumerator->destroy(enumerator);
1859
1860 /* reset active tasks */
1861 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
1862 {
1863 task->migrate(task, this->ike_sa);
1864 array_insert(this->queued_tasks, ARRAY_HEAD, task);
1865 }
1866
1867 this->reset = TRUE;
1868 }
1869
1870 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
1871 private_task_manager_t *this, task_queue_t queue)
1872 {
1873 switch (queue)
1874 {
1875 case TASK_QUEUE_ACTIVE:
1876 return array_create_enumerator(this->active_tasks);
1877 case TASK_QUEUE_PASSIVE:
1878 return array_create_enumerator(this->passive_tasks);
1879 case TASK_QUEUE_QUEUED:
1880 return array_create_enumerator(this->queued_tasks);
1881 default:
1882 return enumerator_create_empty();
1883 }
1884 }
1885
1886 METHOD(task_manager_t, destroy, void,
1887 private_task_manager_t *this)
1888 {
1889 flush(this);
1890
1891 array_destroy(this->active_tasks);
1892 array_destroy(this->queued_tasks);
1893 array_destroy(this->passive_tasks);
1894
1895 clear_packets(this->responding.packets);
1896 array_destroy(this->responding.packets);
1897 clear_packets(this->initiating.packets);
1898 array_destroy(this->initiating.packets);
1899 DESTROY_IF(this->responding.defrag);
1900 DESTROY_IF(this->initiating.defrag);
1901 free(this);
1902 }
1903
1904 /*
1905 * see header file
1906 */
1907 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
1908 {
1909 private_task_manager_t *this;
1910
1911 INIT(this,
1912 .public = {
1913 .task_manager = {
1914 .process_message = _process_message,
1915 .queue_task = _queue_task,
1916 .queue_ike = _queue_ike,
1917 .queue_ike_rekey = _queue_ike_rekey,
1918 .queue_ike_reauth = _queue_ike_reauth,
1919 .queue_ike_delete = _queue_ike_delete,
1920 .queue_mobike = _queue_mobike,
1921 .queue_child = _queue_child,
1922 .queue_child_rekey = _queue_child_rekey,
1923 .queue_child_delete = _queue_child_delete,
1924 .queue_dpd = _queue_dpd,
1925 .initiate = _initiate,
1926 .retransmit = _retransmit,
1927 .incr_mid = _incr_mid,
1928 .reset = _reset,
1929 .adopt_tasks = _adopt_tasks,
1930 .adopt_child_tasks = _adopt_child_tasks,
1931 .busy = _busy,
1932 .create_task_enumerator = _create_task_enumerator,
1933 .flush = _flush,
1934 .flush_queue = _flush_queue,
1935 .destroy = _destroy,
1936 },
1937 },
1938 .ike_sa = ike_sa,
1939 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
1940 .queued_tasks = array_create(0, 0),
1941 .active_tasks = array_create(0, 0),
1942 .passive_tasks = array_create(0, 0),
1943 .retransmit_tries = lib->settings->get_int(lib->settings,
1944 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
1945 .retransmit_timeout = lib->settings->get_double(lib->settings,
1946 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
1947 .retransmit_base = lib->settings->get_double(lib->settings,
1948 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
1949 .make_before_break = lib->settings->get_bool(lib->settings,
1950 "%s.make_before_break", FALSE, lib->ns),
1951 );
1952
1953 return &this->public;
1954 }