ikev2: Don't cache response to MID sync request
[strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2016 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_mid_sync.h>
38 #include <sa/ikev2/tasks/ike_vendor.h>
39 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
40 #include <sa/ikev2/tasks/child_create.h>
41 #include <sa/ikev2/tasks/child_rekey.h>
42 #include <sa/ikev2/tasks/child_delete.h>
43 #include <encoding/payloads/delete_payload.h>
44 #include <encoding/payloads/unknown_payload.h>
45 #include <processing/jobs/retransmit_job.h>
46 #include <processing/jobs/delete_ike_sa_job.h>
47 #include <processing/jobs/initiate_tasks_job.h>
48
49 #ifdef ME
50 #include <sa/ikev2/tasks/ike_me.h>
51 #endif
52
53 typedef struct private_task_manager_t private_task_manager_t;
54 typedef struct queued_task_t queued_task_t;
55
56 /**
57 * private data of the task manager
58 */
59 struct private_task_manager_t {
60
61 /**
62 * public functions
63 */
64 task_manager_v2_t public;
65
66 /**
67 * associated IKE_SA we are serving
68 */
69 ike_sa_t *ike_sa;
70
71 /**
72 * Exchange we are currently handling as responder
73 */
74 struct {
75 /**
76 * Message ID of the exchange
77 */
78 uint32_t mid;
79
80 /**
81 * packet(s) for retransmission
82 */
83 array_t *packets;
84
85 /**
86 * Helper to defragment the request
87 */
88 message_t *defrag;
89
90 } responding;
91
92 /**
93 * Exchange we are currently handling as initiator
94 */
95 struct {
96 /**
97 * Message ID of the exchange
98 */
99 uint32_t mid;
100
101 /**
102 * how many times we have retransmitted so far
103 */
104 u_int retransmitted;
105
106 /**
107 * packet(s) for retransmission
108 */
109 array_t *packets;
110
111 /**
112 * type of the initated exchange
113 */
114 exchange_type_t type;
115
116 /**
117 * TRUE if exchange was deferred because no path was available
118 */
119 bool deferred;
120
121 /**
122 * Helper to defragment the response
123 */
124 message_t *defrag;
125
126 } initiating;
127
128 /**
129 * Array of queued tasks not yet in action
130 */
131 array_t *queued_tasks;
132
133 /**
134 * Array of active tasks, initiated by ourselve
135 */
136 array_t *active_tasks;
137
138 /**
139 * Array of tasks initiated by peer
140 */
141 array_t *passive_tasks;
142
143 /**
144 * the task manager has been reset
145 */
146 bool reset;
147
148 /**
149 * Number of times we retransmit messages before giving up
150 */
151 u_int retransmit_tries;
152
153 /**
154 * Retransmission timeout
155 */
156 double retransmit_timeout;
157
158 /**
159 * Base to calculate retransmission timeout
160 */
161 double retransmit_base;
162
163 /**
164 * Use make-before-break instead of break-before-make reauth?
165 */
166 bool make_before_break;
167 };
168
169 /**
170 * Queued tasks
171 */
172 struct queued_task_t {
173
174 /**
175 * Queued task
176 */
177 task_t *task;
178
179 /**
180 * Time before which the task is not to be initiated
181 */
182 timeval_t time;
183 };
184
185 /**
186 * Reset retransmission packet list
187 */
188 static void clear_packets(array_t *array)
189 {
190 packet_t *packet;
191
192 while (array_remove(array, ARRAY_TAIL, &packet))
193 {
194 packet->destroy(packet);
195 }
196 }
197
198 METHOD(task_manager_t, flush_queue, void,
199 private_task_manager_t *this, task_queue_t queue)
200 {
201 array_t *array;
202 task_t *task;
203
204 switch (queue)
205 {
206 case TASK_QUEUE_ACTIVE:
207 array = this->active_tasks;
208 break;
209 case TASK_QUEUE_PASSIVE:
210 array = this->passive_tasks;
211 break;
212 case TASK_QUEUE_QUEUED:
213 array = this->queued_tasks;
214 break;
215 default:
216 return;
217 }
218 while (array_remove(array, ARRAY_TAIL, &task))
219 {
220 if (queue == TASK_QUEUE_QUEUED)
221 {
222 queued_task_t *queued = (queued_task_t*)task;
223 task = queued->task;
224 free(queued);
225 }
226 task->destroy(task);
227 }
228 }
229
230 METHOD(task_manager_t, flush, void,
231 private_task_manager_t *this)
232 {
233 flush_queue(this, TASK_QUEUE_QUEUED);
234 flush_queue(this, TASK_QUEUE_PASSIVE);
235 flush_queue(this, TASK_QUEUE_ACTIVE);
236 }
237
238 /**
239 * Move a task of a specific type from the queue to the active list, if it is
240 * not delayed.
241 */
242 static bool activate_task(private_task_manager_t *this, task_type_t type)
243 {
244 enumerator_t *enumerator;
245 queued_task_t *queued;
246 timeval_t now;
247 bool found = FALSE;
248
249 time_monotonic(&now);
250
251 enumerator = array_create_enumerator(this->queued_tasks);
252 while (enumerator->enumerate(enumerator, (void**)&queued))
253 {
254 if (queued->task->get_type(queued->task) == type &&
255 !timercmp(&now, &queued->time, <))
256 {
257 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
258 array_remove_at(this->queued_tasks, enumerator);
259 array_insert(this->active_tasks, ARRAY_TAIL, queued->task);
260 free(queued);
261 found = TRUE;
262 break;
263 }
264 }
265 enumerator->destroy(enumerator);
266 return found;
267 }
268
269 /**
270 * Send packets in the given array (they get cloned). Optionally, the
271 * source and destination addresses are changed before sending it.
272 */
273 static void send_packets(private_task_manager_t *this, array_t *packets,
274 host_t *src, host_t *dst)
275 {
276 packet_t *packet, *clone;
277 int i;
278
279 for (i = 0; i < array_count(packets); i++)
280 {
281 array_get(packets, i, &packet);
282 clone = packet->clone(packet);
283 if (src)
284 {
285 clone->set_source(clone, src->clone(src));
286 }
287 if (dst)
288 {
289 clone->set_destination(clone, dst->clone(dst));
290 }
291 charon->sender->send(charon->sender, clone);
292 }
293 }
294
295 /**
296 * Generates the given message and stores packet(s) in the given array
297 */
298 static bool generate_message(private_task_manager_t *this, message_t *message,
299 array_t **packets)
300 {
301 enumerator_t *fragments;
302 packet_t *fragment;
303
304 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
305 &fragments) != SUCCESS)
306 {
307 return FALSE;
308 }
309 while (fragments->enumerate(fragments, &fragment))
310 {
311 array_insert_create(packets, ARRAY_TAIL, fragment);
312 }
313 fragments->destroy(fragments);
314 array_compress(*packets);
315 return TRUE;
316 }
317
318 METHOD(task_manager_t, retransmit, status_t,
319 private_task_manager_t *this, uint32_t message_id)
320 {
321 if (message_id == this->initiating.mid &&
322 array_count(this->initiating.packets))
323 {
324 uint32_t timeout;
325 job_t *job;
326 enumerator_t *enumerator;
327 packet_t *packet;
328 task_t *task;
329 ike_mobike_t *mobike = NULL;
330
331 array_get(this->initiating.packets, 0, &packet);
332
333 /* check if we are retransmitting a MOBIKE routability check */
334 if (this->initiating.type == INFORMATIONAL)
335 {
336 enumerator = array_create_enumerator(this->active_tasks);
337 while (enumerator->enumerate(enumerator, (void*)&task))
338 {
339 if (task->get_type(task) == TASK_IKE_MOBIKE)
340 {
341 mobike = (ike_mobike_t*)task;
342 break;
343 }
344 }
345 enumerator->destroy(enumerator);
346 }
347
348 if (!mobike || !mobike->is_probing(mobike))
349 {
350 if (this->initiating.retransmitted <= this->retransmit_tries)
351 {
352 timeout = (uint32_t)(this->retransmit_timeout * 1000.0 *
353 pow(this->retransmit_base, this->initiating.retransmitted));
354 }
355 else
356 {
357 DBG1(DBG_IKE, "giving up after %d retransmits",
358 this->initiating.retransmitted - 1);
359 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
360 packet);
361 return DESTROY_ME;
362 }
363
364 if (this->initiating.retransmitted)
365 {
366 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
367 this->initiating.retransmitted, message_id);
368 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
369 this->initiating.retransmitted);
370 }
371 if (!mobike)
372 {
373 send_packets(this, this->initiating.packets,
374 this->ike_sa->get_my_host(this->ike_sa),
375 this->ike_sa->get_other_host(this->ike_sa));
376 }
377 else
378 {
379 if (!mobike->transmit(mobike, packet))
380 {
381 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
382 "deferred");
383 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
384 this->initiating.deferred = TRUE;
385 return SUCCESS;
386 }
387 else if (mobike->is_probing(mobike))
388 {
389 timeout = ROUTEABILITY_CHECK_INTERVAL;
390 }
391 }
392 }
393 else
394 { /* for routeability checks, we use a more aggressive behavior */
395 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
396 {
397 timeout = ROUTEABILITY_CHECK_INTERVAL;
398 }
399 else
400 {
401 DBG1(DBG_IKE, "giving up after %d path probings",
402 this->initiating.retransmitted - 1);
403 return DESTROY_ME;
404 }
405
406 if (this->initiating.retransmitted)
407 {
408 DBG1(DBG_IKE, "path probing attempt %d",
409 this->initiating.retransmitted);
410 }
411 /* TODO-FRAG: presumably these small packets are not fragmented,
412 * we should maybe ensure this is the case when generating them */
413 if (!mobike->transmit(mobike, packet))
414 {
415 DBG1(DBG_IKE, "no route found to reach peer, path probing "
416 "deferred");
417 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
418 this->initiating.deferred = TRUE;
419 return SUCCESS;
420 }
421 }
422
423 this->initiating.retransmitted++;
424 job = (job_t*)retransmit_job_create(this->initiating.mid,
425 this->ike_sa->get_id(this->ike_sa));
426 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
427 }
428 return SUCCESS;
429 }
430
431 METHOD(task_manager_t, initiate, status_t,
432 private_task_manager_t *this)
433 {
434 enumerator_t *enumerator;
435 task_t *task;
436 message_t *message;
437 host_t *me, *other;
438 exchange_type_t exchange = 0;
439
440 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
441 {
442 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
443 exchange_type_names, this->initiating.type);
444 /* do not initiate if we already have a message in the air */
445 if (this->initiating.deferred)
446 { /* re-initiate deferred exchange */
447 this->initiating.deferred = FALSE;
448 this->initiating.retransmitted = 0;
449 return retransmit(this, this->initiating.mid);
450 }
451 return SUCCESS;
452 }
453
454 if (array_count(this->active_tasks) == 0)
455 {
456 DBG2(DBG_IKE, "activating new tasks");
457 switch (this->ike_sa->get_state(this->ike_sa))
458 {
459 case IKE_CREATED:
460 activate_task(this, TASK_IKE_VENDOR);
461 if (activate_task(this, TASK_IKE_INIT))
462 {
463 this->initiating.mid = 0;
464 exchange = IKE_SA_INIT;
465 activate_task(this, TASK_IKE_NATD);
466 activate_task(this, TASK_IKE_CERT_PRE);
467 #ifdef ME
468 /* this task has to be activated before the TASK_IKE_AUTH
469 * task, because that task pregenerates the packet after
470 * which no payloads can be added to the message anymore.
471 */
472 activate_task(this, TASK_IKE_ME);
473 #endif /* ME */
474 activate_task(this, TASK_IKE_AUTH);
475 activate_task(this, TASK_IKE_CERT_POST);
476 activate_task(this, TASK_IKE_CONFIG);
477 activate_task(this, TASK_CHILD_CREATE);
478 activate_task(this, TASK_IKE_AUTH_LIFETIME);
479 activate_task(this, TASK_IKE_MOBIKE);
480 }
481 break;
482 case IKE_ESTABLISHED:
483 if (activate_task(this, TASK_IKE_MOBIKE))
484 {
485 exchange = INFORMATIONAL;
486 break;
487 }
488 if (activate_task(this, TASK_IKE_DELETE))
489 {
490 exchange = INFORMATIONAL;
491 break;
492 }
493 if (activate_task(this, TASK_IKE_REDIRECT))
494 {
495 exchange = INFORMATIONAL;
496 break;
497 }
498 if (activate_task(this, TASK_CHILD_DELETE))
499 {
500 exchange = INFORMATIONAL;
501 break;
502 }
503 if (activate_task(this, TASK_IKE_REAUTH))
504 {
505 exchange = INFORMATIONAL;
506 break;
507 }
508 if (activate_task(this, TASK_CHILD_CREATE))
509 {
510 exchange = CREATE_CHILD_SA;
511 break;
512 }
513 if (activate_task(this, TASK_CHILD_REKEY))
514 {
515 exchange = CREATE_CHILD_SA;
516 break;
517 }
518 if (activate_task(this, TASK_IKE_REKEY))
519 {
520 exchange = CREATE_CHILD_SA;
521 break;
522 }
523 if (activate_task(this, TASK_IKE_DPD))
524 {
525 exchange = INFORMATIONAL;
526 break;
527 }
528 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
529 {
530 exchange = INFORMATIONAL;
531 break;
532 }
533 #ifdef ME
534 if (activate_task(this, TASK_IKE_ME))
535 {
536 exchange = ME_CONNECT;
537 break;
538 }
539 #endif /* ME */
540 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
541 {
542 exchange = INFORMATIONAL;
543 break;
544 }
545 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
546 {
547 exchange = INFORMATIONAL;
548 break;
549 }
550 case IKE_REKEYING:
551 case IKE_REKEYED:
552 if (activate_task(this, TASK_IKE_DELETE))
553 {
554 exchange = INFORMATIONAL;
555 break;
556 }
557 case IKE_DELETING:
558 default:
559 break;
560 }
561 }
562 else
563 {
564 DBG2(DBG_IKE, "reinitiating already active tasks");
565 enumerator = array_create_enumerator(this->active_tasks);
566 while (enumerator->enumerate(enumerator, &task))
567 {
568 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
569 switch (task->get_type(task))
570 {
571 case TASK_IKE_INIT:
572 exchange = IKE_SA_INIT;
573 break;
574 case TASK_IKE_AUTH:
575 exchange = IKE_AUTH;
576 break;
577 case TASK_CHILD_CREATE:
578 case TASK_CHILD_REKEY:
579 case TASK_IKE_REKEY:
580 exchange = CREATE_CHILD_SA;
581 break;
582 case TASK_IKE_MOBIKE:
583 exchange = INFORMATIONAL;
584 break;
585 default:
586 continue;
587 }
588 break;
589 }
590 enumerator->destroy(enumerator);
591 }
592
593 if (exchange == 0)
594 {
595 DBG2(DBG_IKE, "nothing to initiate");
596 /* nothing to do yet... */
597 return SUCCESS;
598 }
599
600 me = this->ike_sa->get_my_host(this->ike_sa);
601 other = this->ike_sa->get_other_host(this->ike_sa);
602
603 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
604 message->set_message_id(message, this->initiating.mid);
605 message->set_source(message, me->clone(me));
606 message->set_destination(message, other->clone(other));
607 message->set_exchange_type(message, exchange);
608 this->initiating.type = exchange;
609 this->initiating.retransmitted = 0;
610 this->initiating.deferred = FALSE;
611
612 enumerator = array_create_enumerator(this->active_tasks);
613 while (enumerator->enumerate(enumerator, &task))
614 {
615 switch (task->build(task, message))
616 {
617 case SUCCESS:
618 /* task completed, remove it */
619 array_remove_at(this->active_tasks, enumerator);
620 task->destroy(task);
621 break;
622 case NEED_MORE:
623 /* processed, but task needs another exchange */
624 break;
625 case FAILED:
626 default:
627 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
628 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
629 this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED)
630 {
631 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
632 }
633 /* FALL */
634 case DESTROY_ME:
635 /* critical failure, destroy IKE_SA */
636 enumerator->destroy(enumerator);
637 message->destroy(message);
638 flush(this);
639 return DESTROY_ME;
640 }
641 }
642 enumerator->destroy(enumerator);
643
644 /* update exchange type if a task changed it */
645 this->initiating.type = message->get_exchange_type(message);
646 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
647 {
648 message->destroy(message);
649 return initiate(this);
650 }
651
652 if (!generate_message(this, message, &this->initiating.packets))
653 {
654 /* message generation failed. There is nothing more to do than to
655 * close the SA */
656 message->destroy(message);
657 flush(this);
658 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
659 return DESTROY_ME;
660 }
661 message->destroy(message);
662
663 array_compress(this->active_tasks);
664 array_compress(this->queued_tasks);
665
666 return retransmit(this, this->initiating.mid);
667 }
668
669 /**
670 * handle an incoming response message
671 */
672 static status_t process_response(private_task_manager_t *this,
673 message_t *message)
674 {
675 enumerator_t *enumerator;
676 task_t *task;
677
678 if (message->get_exchange_type(message) != this->initiating.type)
679 {
680 DBG1(DBG_IKE, "received %N response, but expected %N",
681 exchange_type_names, message->get_exchange_type(message),
682 exchange_type_names, this->initiating.type);
683 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
684 return DESTROY_ME;
685 }
686
687 enumerator = array_create_enumerator(this->active_tasks);
688 while (enumerator->enumerate(enumerator, &task))
689 {
690 if (!task->pre_process)
691 {
692 continue;
693 }
694 switch (task->pre_process(task, message))
695 {
696 case SUCCESS:
697 break;
698 case FAILED:
699 default:
700 /* just ignore the message */
701 DBG1(DBG_IKE, "ignore invalid %N response",
702 exchange_type_names, message->get_exchange_type(message));
703 enumerator->destroy(enumerator);
704 return SUCCESS;
705 case DESTROY_ME:
706 /* critical failure, destroy IKE_SA */
707 enumerator->destroy(enumerator);
708 return DESTROY_ME;
709 }
710 }
711 enumerator->destroy(enumerator);
712
713 if (this->initiating.retransmitted > 1)
714 {
715 packet_t *packet = NULL;
716 array_get(this->initiating.packets, 0, &packet);
717 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
718 }
719
720 /* catch if we get resetted while processing */
721 this->reset = FALSE;
722 enumerator = array_create_enumerator(this->active_tasks);
723 while (enumerator->enumerate(enumerator, &task))
724 {
725 switch (task->process(task, message))
726 {
727 case SUCCESS:
728 /* task completed, remove it */
729 array_remove_at(this->active_tasks, enumerator);
730 task->destroy(task);
731 break;
732 case NEED_MORE:
733 /* processed, but task needs another exchange */
734 break;
735 case FAILED:
736 default:
737 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
738 /* FALL */
739 case DESTROY_ME:
740 /* critical failure, destroy IKE_SA */
741 array_remove_at(this->active_tasks, enumerator);
742 enumerator->destroy(enumerator);
743 task->destroy(task);
744 return DESTROY_ME;
745 }
746 if (this->reset)
747 { /* start all over again if we were reset */
748 this->reset = FALSE;
749 enumerator->destroy(enumerator);
750 return initiate(this);
751 }
752 }
753 enumerator->destroy(enumerator);
754
755 this->initiating.mid++;
756 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
757 clear_packets(this->initiating.packets);
758
759 array_compress(this->active_tasks);
760
761 return initiate(this);
762 }
763
764 /**
765 * handle exchange collisions
766 */
767 static bool handle_collisions(private_task_manager_t *this, task_t *task)
768 {
769 enumerator_t *enumerator;
770 task_t *active;
771 task_type_t type;
772
773 type = task->get_type(task);
774
775 /* do we have to check */
776 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
777 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE)
778 {
779 /* find an exchange collision, and notify these tasks */
780 enumerator = array_create_enumerator(this->active_tasks);
781 while (enumerator->enumerate(enumerator, &active))
782 {
783 switch (active->get_type(active))
784 {
785 case TASK_IKE_REKEY:
786 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE)
787 {
788 ike_rekey_t *rekey = (ike_rekey_t*)active;
789 rekey->collide(rekey, task);
790 break;
791 }
792 continue;
793 case TASK_CHILD_REKEY:
794 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
795 {
796 child_rekey_t *rekey = (child_rekey_t*)active;
797 rekey->collide(rekey, task);
798 break;
799 }
800 continue;
801 default:
802 continue;
803 }
804 enumerator->destroy(enumerator);
805 return TRUE;
806 }
807 enumerator->destroy(enumerator);
808 }
809 return FALSE;
810 }
811
812 /**
813 * build a response depending on the "passive" task list
814 */
815 static status_t build_response(private_task_manager_t *this, message_t *request)
816 {
817 enumerator_t *enumerator;
818 task_t *task;
819 message_t *message;
820 host_t *me, *other;
821 bool delete = FALSE, hook = FALSE, mid_sync = FALSE;
822 ike_sa_id_t *id = NULL;
823 uint64_t responder_spi = 0;
824 bool result;
825
826 me = request->get_destination(request);
827 other = request->get_source(request);
828
829 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
830 message->set_exchange_type(message, request->get_exchange_type(request));
831 /* send response along the path the request came in */
832 message->set_source(message, me->clone(me));
833 message->set_destination(message, other->clone(other));
834 message->set_message_id(message, this->responding.mid);
835 message->set_request(message, FALSE);
836
837 enumerator = array_create_enumerator(this->passive_tasks);
838 while (enumerator->enumerate(enumerator, (void*)&task))
839 {
840 if (task->get_type(task) == TASK_IKE_MID_SYNC)
841 {
842 mid_sync = TRUE;
843 }
844 switch (task->build(task, message))
845 {
846 case SUCCESS:
847 /* task completed, remove it */
848 array_remove_at(this->passive_tasks, enumerator);
849 if (!handle_collisions(this, task))
850 {
851 task->destroy(task);
852 }
853 break;
854 case NEED_MORE:
855 /* processed, but task needs another exchange */
856 if (handle_collisions(this, task))
857 {
858 array_remove_at(this->passive_tasks, enumerator);
859 }
860 break;
861 case FAILED:
862 default:
863 hook = TRUE;
864 /* FALL */
865 case DESTROY_ME:
866 /* destroy IKE_SA, but SEND response first */
867 if (handle_collisions(this, task))
868 {
869 array_remove_at(this->passive_tasks, enumerator);
870 }
871 delete = TRUE;
872 break;
873 }
874 if (delete)
875 {
876 break;
877 }
878 }
879 enumerator->destroy(enumerator);
880
881 /* RFC 5996, section 2.6 mentions that in the event of a failure during
882 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
883 * actually explicitly allows it to be non-zero. Since we use the responder
884 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
885 * zero temporarily, otherwise checking the SA in would fail. */
886 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
887 {
888 id = this->ike_sa->get_id(this->ike_sa);
889 responder_spi = id->get_responder_spi(id);
890 id->set_responder_spi(id, 0);
891 }
892
893 /* message complete, send it */
894 clear_packets(this->responding.packets);
895 result = generate_message(this, message, &this->responding.packets);
896 message->destroy(message);
897 if (id)
898 {
899 id->set_responder_spi(id, responder_spi);
900 }
901 if (!result)
902 {
903 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
904 return DESTROY_ME;
905 }
906
907 send_packets(this, this->responding.packets, NULL, NULL);
908 if (delete)
909 {
910 if (hook)
911 {
912 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
913 }
914 return DESTROY_ME;
915 }
916 else if (mid_sync)
917 {
918 /* we don't want to resend messages to sync MIDs if requests with the
919 * previous MID arrive */
920 clear_packets(this->responding.packets);
921 }
922
923 array_compress(this->passive_tasks);
924
925 return SUCCESS;
926 }
927
928 /**
929 * handle an incoming request message
930 */
931 static status_t process_request(private_task_manager_t *this,
932 message_t *message)
933 {
934 enumerator_t *enumerator;
935 task_t *task = NULL;
936 payload_t *payload;
937 notify_payload_t *notify;
938 delete_payload_t *delete;
939 ike_sa_state_t state;
940
941 if (array_count(this->passive_tasks) == 0)
942 { /* create tasks depending on request type, if not already some queued */
943 state = this->ike_sa->get_state(this->ike_sa);
944 switch (message->get_exchange_type(message))
945 {
946 case IKE_SA_INIT:
947 {
948 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
949 array_insert(this->passive_tasks, ARRAY_TAIL, task);
950 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
951 array_insert(this->passive_tasks, ARRAY_TAIL, task);
952 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
953 array_insert(this->passive_tasks, ARRAY_TAIL, task);
954 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
955 array_insert(this->passive_tasks, ARRAY_TAIL, task);
956 #ifdef ME
957 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
958 array_insert(this->passive_tasks, ARRAY_TAIL, task);
959 #endif /* ME */
960 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
961 array_insert(this->passive_tasks, ARRAY_TAIL, task);
962 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
963 array_insert(this->passive_tasks, ARRAY_TAIL, task);
964 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
965 array_insert(this->passive_tasks, ARRAY_TAIL, task);
966 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
967 NULL, NULL);
968 array_insert(this->passive_tasks, ARRAY_TAIL, task);
969 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
970 array_insert(this->passive_tasks, ARRAY_TAIL, task);
971 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
972 array_insert(this->passive_tasks, ARRAY_TAIL, task);
973 break;
974 }
975 case CREATE_CHILD_SA:
976 { /* FIXME: we should prevent this on mediation connections */
977 bool notify_found = FALSE, ts_found = FALSE;
978
979 if (state == IKE_CREATED ||
980 state == IKE_CONNECTING)
981 {
982 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
983 "unestablished IKE_SA, rejected");
984 return FAILED;
985 }
986
987 enumerator = message->create_payload_enumerator(message);
988 while (enumerator->enumerate(enumerator, &payload))
989 {
990 switch (payload->get_type(payload))
991 {
992 case PLV2_NOTIFY:
993 { /* if we find a rekey notify, its CHILD_SA rekeying */
994 notify = (notify_payload_t*)payload;
995 if (notify->get_notify_type(notify) == REKEY_SA &&
996 (notify->get_protocol_id(notify) == PROTO_AH ||
997 notify->get_protocol_id(notify) == PROTO_ESP))
998 {
999 notify_found = TRUE;
1000 }
1001 break;
1002 }
1003 case PLV2_TS_INITIATOR:
1004 case PLV2_TS_RESPONDER:
1005 { /* if we don't find a TS, its IKE rekeying */
1006 ts_found = TRUE;
1007 break;
1008 }
1009 default:
1010 break;
1011 }
1012 }
1013 enumerator->destroy(enumerator);
1014
1015 if (ts_found)
1016 {
1017 if (notify_found)
1018 {
1019 task = (task_t*)child_rekey_create(this->ike_sa,
1020 PROTO_NONE, 0);
1021 }
1022 else
1023 {
1024 task = (task_t*)child_create_create(this->ike_sa, NULL,
1025 FALSE, NULL, NULL);
1026 }
1027 }
1028 else
1029 {
1030 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
1031 }
1032 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1033 break;
1034 }
1035 case INFORMATIONAL:
1036 {
1037 enumerator = message->create_payload_enumerator(message);
1038 while (enumerator->enumerate(enumerator, &payload))
1039 {
1040 switch (payload->get_type(payload))
1041 {
1042 case PLV2_NOTIFY:
1043 {
1044 notify = (notify_payload_t*)payload;
1045 if (state == IKE_REKEYED)
1046 {
1047 DBG1(DBG_IKE, "received unexpected notify %N "
1048 "for rekeyed IKE_SA, ignored",
1049 notify_type_names,
1050 notify->get_notify_type(notify));
1051 break;
1052 }
1053 switch (notify->get_notify_type(notify))
1054 {
1055 case ADDITIONAL_IP4_ADDRESS:
1056 case ADDITIONAL_IP6_ADDRESS:
1057 case NO_ADDITIONAL_ADDRESSES:
1058 case UPDATE_SA_ADDRESSES:
1059 case NO_NATS_ALLOWED:
1060 case UNACCEPTABLE_ADDRESSES:
1061 case UNEXPECTED_NAT_DETECTED:
1062 case COOKIE2:
1063 case NAT_DETECTION_SOURCE_IP:
1064 case NAT_DETECTION_DESTINATION_IP:
1065 task = (task_t*)ike_mobike_create(
1066 this->ike_sa, FALSE);
1067 break;
1068 case AUTH_LIFETIME:
1069 task = (task_t*)ike_auth_lifetime_create(
1070 this->ike_sa, FALSE);
1071 break;
1072 case AUTHENTICATION_FAILED:
1073 /* initiator failed to authenticate us.
1074 * We use ike_delete to handle this, which
1075 * invokes all the required hooks. */
1076 task = (task_t*)ike_delete_create(
1077 this->ike_sa, FALSE);
1078 break;
1079 case REDIRECT:
1080 task = (task_t*)ike_redirect_create(
1081 this->ike_sa, NULL);
1082 break;
1083 case IKEV2_MESSAGE_ID_SYNC:
1084 task = (task_t*)ike_mid_sync_create(
1085 this->ike_sa);
1086 break;
1087 default:
1088 break;
1089 }
1090 break;
1091 }
1092 case PLV2_DELETE:
1093 {
1094 delete = (delete_payload_t*)payload;
1095 if (delete->get_protocol_id(delete) == PROTO_IKE)
1096 {
1097 task = (task_t*)ike_delete_create(this->ike_sa,
1098 FALSE);
1099 }
1100 else
1101 {
1102 task = (task_t*)child_delete_create(this->ike_sa,
1103 PROTO_NONE, 0, FALSE);
1104 }
1105 break;
1106 }
1107 default:
1108 break;
1109 }
1110 if (task)
1111 {
1112 break;
1113 }
1114 }
1115 enumerator->destroy(enumerator);
1116
1117 if (task == NULL)
1118 {
1119 task = (task_t*)ike_dpd_create(FALSE);
1120 }
1121 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1122 break;
1123 }
1124 #ifdef ME
1125 case ME_CONNECT:
1126 {
1127 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1128 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1129 }
1130 #endif /* ME */
1131 default:
1132 break;
1133 }
1134 }
1135
1136 enumerator = array_create_enumerator(this->passive_tasks);
1137 while (enumerator->enumerate(enumerator, &task))
1138 {
1139 if (!task->pre_process)
1140 {
1141 continue;
1142 }
1143 switch (task->pre_process(task, message))
1144 {
1145 case SUCCESS:
1146 break;
1147 case FAILED:
1148 default:
1149 /* just ignore the message */
1150 DBG1(DBG_IKE, "ignore invalid %N request",
1151 exchange_type_names, message->get_exchange_type(message));
1152 enumerator->destroy(enumerator);
1153 switch (message->get_exchange_type(message))
1154 {
1155 case IKE_SA_INIT:
1156 /* no point in keeping the SA when it was created with
1157 * an invalid IKE_SA_INIT message */
1158 return DESTROY_ME;
1159 default:
1160 /* remove tasks we queued for this request */
1161 flush_queue(this, TASK_QUEUE_PASSIVE);
1162 /* fall-through */
1163 case IKE_AUTH:
1164 return NEED_MORE;
1165 }
1166 case DESTROY_ME:
1167 /* critical failure, destroy IKE_SA */
1168 enumerator->destroy(enumerator);
1169 return DESTROY_ME;
1170 }
1171 }
1172 enumerator->destroy(enumerator);
1173
1174 /* let the tasks process the message */
1175 enumerator = array_create_enumerator(this->passive_tasks);
1176 while (enumerator->enumerate(enumerator, (void*)&task))
1177 {
1178 switch (task->process(task, message))
1179 {
1180 case SUCCESS:
1181 /* task completed, remove it */
1182 array_remove_at(this->passive_tasks, enumerator);
1183 task->destroy(task);
1184 break;
1185 case NEED_MORE:
1186 /* processed, but task needs at least another call to build() */
1187 break;
1188 case FAILED:
1189 default:
1190 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1191 /* FALL */
1192 case DESTROY_ME:
1193 /* critical failure, destroy IKE_SA */
1194 array_remove_at(this->passive_tasks, enumerator);
1195 enumerator->destroy(enumerator);
1196 task->destroy(task);
1197 return DESTROY_ME;
1198 }
1199 }
1200 enumerator->destroy(enumerator);
1201
1202 return build_response(this, message);
1203 }
1204
1205 METHOD(task_manager_t, incr_mid, void,
1206 private_task_manager_t *this, bool initiate)
1207 {
1208 if (initiate)
1209 {
1210 this->initiating.mid++;
1211 }
1212 else
1213 {
1214 this->responding.mid++;
1215 }
1216 }
1217
1218 METHOD(task_manager_t, get_mid, uint32_t,
1219 private_task_manager_t *this, bool initiate)
1220 {
1221 return initiate ? this->initiating.mid : this->responding.mid;
1222 }
1223
1224 /**
1225 * Handle the given IKE fragment, if it is one.
1226 *
1227 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1228 * handled properly. Error states are returned if the fragment was invalid or
1229 * the reassembled message could not have been processed properly.
1230 */
1231 static status_t handle_fragment(private_task_manager_t *this,
1232 message_t **defrag, message_t *msg)
1233 {
1234 message_t *reassembled;
1235 status_t status;
1236
1237 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1238 {
1239 return SUCCESS;
1240 }
1241 if (!*defrag)
1242 {
1243 *defrag = message_create_defrag(msg);
1244 if (!*defrag)
1245 {
1246 return FAILED;
1247 }
1248 }
1249 status = (*defrag)->add_fragment(*defrag, msg);
1250 if (status == SUCCESS)
1251 {
1252 /* reinject the reassembled message */
1253 reassembled = *defrag;
1254 *defrag = NULL;
1255 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1256 if (status == SUCCESS)
1257 {
1258 /* avoid processing the last fragment */
1259 status = NEED_MORE;
1260 }
1261 reassembled->destroy(reassembled);
1262 }
1263 return status;
1264 }
1265
1266 /**
1267 * Send a notify back to the sender
1268 */
1269 static void send_notify_response(private_task_manager_t *this,
1270 message_t *request, notify_type_t type,
1271 chunk_t data)
1272 {
1273 message_t *response;
1274 packet_t *packet;
1275 host_t *me, *other;
1276
1277 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1278 response->set_exchange_type(response, request->get_exchange_type(request));
1279 response->set_request(response, FALSE);
1280 response->set_message_id(response, request->get_message_id(request));
1281 response->add_notify(response, FALSE, type, data);
1282 me = this->ike_sa->get_my_host(this->ike_sa);
1283 if (me->is_anyaddr(me))
1284 {
1285 me = request->get_destination(request);
1286 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1287 }
1288 other = this->ike_sa->get_other_host(this->ike_sa);
1289 if (other->is_anyaddr(other))
1290 {
1291 other = request->get_source(request);
1292 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1293 }
1294 response->set_source(response, me->clone(me));
1295 response->set_destination(response, other->clone(other));
1296 if (this->ike_sa->generate_message(this->ike_sa, response,
1297 &packet) == SUCCESS)
1298 {
1299 charon->sender->send(charon->sender, packet);
1300 }
1301 response->destroy(response);
1302 }
1303
1304 /**
1305 * Parse the given message and verify that it is valid.
1306 */
1307 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1308 {
1309 status_t status;
1310 uint8_t type = 0;
1311
1312 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1313
1314 if (status == SUCCESS)
1315 { /* check for unsupported critical payloads */
1316 enumerator_t *enumerator;
1317 unknown_payload_t *unknown;
1318 payload_t *payload;
1319
1320 enumerator = msg->create_payload_enumerator(msg);
1321 while (enumerator->enumerate(enumerator, &payload))
1322 {
1323 if (payload->get_type(payload) == PL_UNKNOWN)
1324 {
1325 unknown = (unknown_payload_t*)payload;
1326 if (unknown->is_critical(unknown))
1327 {
1328 type = unknown->get_type(unknown);
1329 DBG1(DBG_ENC, "payload type %N is not supported, "
1330 "but its critical!", payload_type_names, type);
1331 status = NOT_SUPPORTED;
1332 break;
1333 }
1334 }
1335 }
1336 enumerator->destroy(enumerator);
1337 }
1338
1339 if (status != SUCCESS)
1340 {
1341 bool is_request = msg->get_request(msg);
1342
1343 switch (status)
1344 {
1345 case NOT_SUPPORTED:
1346 DBG1(DBG_IKE, "critical unknown payloads found");
1347 if (is_request)
1348 {
1349 send_notify_response(this, msg,
1350 UNSUPPORTED_CRITICAL_PAYLOAD,
1351 chunk_from_thing(type));
1352 incr_mid(this, FALSE);
1353 }
1354 break;
1355 case PARSE_ERROR:
1356 DBG1(DBG_IKE, "message parsing failed");
1357 if (is_request)
1358 {
1359 send_notify_response(this, msg,
1360 INVALID_SYNTAX, chunk_empty);
1361 incr_mid(this, FALSE);
1362 }
1363 break;
1364 case VERIFY_ERROR:
1365 DBG1(DBG_IKE, "message verification failed");
1366 if (is_request)
1367 {
1368 send_notify_response(this, msg,
1369 INVALID_SYNTAX, chunk_empty);
1370 incr_mid(this, FALSE);
1371 }
1372 break;
1373 case FAILED:
1374 DBG1(DBG_IKE, "integrity check failed");
1375 /* ignored */
1376 break;
1377 case INVALID_STATE:
1378 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1379 default:
1380 break;
1381 }
1382 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1383 exchange_type_names, msg->get_exchange_type(msg),
1384 is_request ? "request" : "response",
1385 msg->get_message_id(msg));
1386
1387 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1388
1389 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1390 { /* invalid initiation attempt, close SA */
1391 return DESTROY_ME;
1392 }
1393 }
1394 return status;
1395 }
1396
1397 /**
1398 * Check if a message with message ID 0 might be used to synchronize the
1399 * message IDs.
1400 */
1401 static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
1402 {
1403 enumerator_t *enumerator;
1404 notify_payload_t *notify;
1405 payload_t *payload;
1406 bool found = FALSE, other = FALSE;
1407
1408 if (msg->get_exchange_type(msg) == INFORMATIONAL &&
1409 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
1410 this->ike_sa->supports_extension(this->ike_sa,
1411 EXT_IKE_MESSAGE_ID_SYNC))
1412 {
1413 enumerator = msg->create_payload_enumerator(msg);
1414 while (enumerator->enumerate(enumerator, &payload))
1415 {
1416 if (payload->get_type(payload) == PLV2_NOTIFY)
1417 {
1418 notify = (notify_payload_t*)payload;
1419 switch (notify->get_notify_type(notify))
1420 {
1421 case IKEV2_MESSAGE_ID_SYNC:
1422 case IPSEC_REPLAY_COUNTER_SYNC:
1423 found = TRUE;
1424 continue;
1425 default:
1426 break;
1427 }
1428 }
1429 other = TRUE;
1430 break;
1431 }
1432 enumerator->destroy(enumerator);
1433 }
1434 return found && !other;
1435 }
1436
1437 METHOD(task_manager_t, process_message, status_t,
1438 private_task_manager_t *this, message_t *msg)
1439 {
1440 host_t *me, *other;
1441 status_t status;
1442 uint32_t mid;
1443 bool schedule_delete_job = FALSE;
1444 ike_sa_state_t state;
1445 exchange_type_t type;
1446
1447 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1448 status = parse_message(this, msg);
1449 if (status != SUCCESS)
1450 {
1451 return status;
1452 }
1453
1454 me = msg->get_destination(msg);
1455 other = msg->get_source(msg);
1456
1457 /* if this IKE_SA is virgin, we check for a config */
1458 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1459 {
1460 ike_cfg_t *ike_cfg;
1461
1462 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1463 me, other, IKEV2);
1464 if (ike_cfg == NULL)
1465 {
1466 /* no config found for these hosts, destroy */
1467 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1468 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1469 send_notify_response(this, msg,
1470 NO_PROPOSAL_CHOSEN, chunk_empty);
1471 return DESTROY_ME;
1472 }
1473 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1474 ike_cfg->destroy(ike_cfg);
1475 /* add a timeout if peer does not establish it completely */
1476 schedule_delete_job = TRUE;
1477 }
1478 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1479 time_monotonic(NULL));
1480
1481 mid = msg->get_message_id(msg);
1482 if (msg->get_request(msg))
1483 {
1484 if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
1485 {
1486 /* reject initial messages if not received in specific states,
1487 * after rekeying we only expect a DELETE in an INFORMATIONAL */
1488 type = msg->get_exchange_type(msg);
1489 state = this->ike_sa->get_state(this->ike_sa);
1490 if ((type == IKE_SA_INIT && state != IKE_CREATED) ||
1491 (type == IKE_AUTH && state != IKE_CONNECTING) ||
1492 (state == IKE_REKEYED && type != INFORMATIONAL))
1493 {
1494 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
1495 exchange_type_names, type, ike_sa_state_names, state);
1496 return FAILED;
1497 }
1498 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1499 { /* with MOBIKE, we do no implicit updates */
1500 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1501 }
1502 status = handle_fragment(this, &this->responding.defrag, msg);
1503 if (status != SUCCESS)
1504 {
1505 return status;
1506 }
1507 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1508 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1509 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1510 return SUCCESS;
1511 }
1512 switch (process_request(this, msg))
1513 {
1514 case SUCCESS:
1515 this->responding.mid++;
1516 break;
1517 case NEED_MORE:
1518 break;
1519 default:
1520 flush(this);
1521 return DESTROY_ME;
1522 }
1523 }
1524 else if ((mid == this->responding.mid - 1) &&
1525 array_count(this->responding.packets))
1526 {
1527 status = handle_fragment(this, &this->responding.defrag, msg);
1528 if (status != SUCCESS)
1529 {
1530 return status;
1531 }
1532 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1533 "retransmitting response", mid);
1534 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1535 send_packets(this, this->responding.packets,
1536 msg->get_destination(msg), msg->get_source(msg));
1537 }
1538 else
1539 {
1540 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1541 mid, this->responding.mid);
1542 }
1543 }
1544 else
1545 {
1546 if (mid == this->initiating.mid)
1547 {
1548 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1549 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1550 msg->get_exchange_type(msg) != IKE_SA_INIT)
1551 { /* only do updates based on verified messages (or initial ones) */
1552 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1553 { /* with MOBIKE, we do no implicit updates. we force an
1554 * update of the local address on IKE_SA_INIT, but never
1555 * for the remote address */
1556 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1557 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1558 }
1559 }
1560 status = handle_fragment(this, &this->initiating.defrag, msg);
1561 if (status != SUCCESS)
1562 {
1563 return status;
1564 }
1565 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1566 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1567 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1568 return SUCCESS;
1569 }
1570 if (process_response(this, msg) != SUCCESS)
1571 {
1572 flush(this);
1573 return DESTROY_ME;
1574 }
1575 }
1576 else
1577 {
1578 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1579 mid, this->initiating.mid);
1580 return SUCCESS;
1581 }
1582 }
1583
1584 if (schedule_delete_job)
1585 {
1586 ike_sa_id_t *ike_sa_id;
1587 job_t *job;
1588
1589 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1590 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1591 lib->scheduler->schedule_job(lib->scheduler, job,
1592 lib->settings->get_int(lib->settings,
1593 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1594 lib->ns));
1595 }
1596 return SUCCESS;
1597 }
1598
1599 METHOD(task_manager_t, queue_task_delayed, void,
1600 private_task_manager_t *this, task_t *task, uint32_t delay)
1601 {
1602 enumerator_t *enumerator;
1603 queued_task_t *queued;
1604 timeval_t time;
1605
1606 if (task->get_type(task) == TASK_IKE_MOBIKE)
1607 { /* there is no need to queue more than one mobike task */
1608 enumerator = array_create_enumerator(this->queued_tasks);
1609 while (enumerator->enumerate(enumerator, &queued))
1610 {
1611 if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
1612 {
1613 enumerator->destroy(enumerator);
1614 task->destroy(task);
1615 return;
1616 }
1617 }
1618 enumerator->destroy(enumerator);
1619 }
1620 time_monotonic(&time);
1621 if (delay)
1622 {
1623 job_t *job;
1624
1625 DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names,
1626 task->get_type(task), delay);
1627 time.tv_sec += delay;
1628
1629 job = (job_t*)initiate_tasks_job_create(
1630 this->ike_sa->get_id(this->ike_sa));
1631 lib->scheduler->schedule_job_tv(lib->scheduler, job, time);
1632 }
1633 else
1634 {
1635 DBG2(DBG_IKE, "queueing %N task", task_type_names,
1636 task->get_type(task));
1637 }
1638 INIT(queued,
1639 .task = task,
1640 .time = time,
1641 );
1642 array_insert(this->queued_tasks, ARRAY_TAIL, queued);
1643 }
1644
1645 METHOD(task_manager_t, queue_task, void,
1646 private_task_manager_t *this, task_t *task)
1647 {
1648 queue_task_delayed(this, task, 0);
1649 }
1650
1651 /**
1652 * Check if a given task has been queued already
1653 */
1654 static bool has_queued(private_task_manager_t *this, task_type_t type)
1655 {
1656 enumerator_t *enumerator;
1657 bool found = FALSE;
1658 queued_task_t *queued;
1659
1660 enumerator = array_create_enumerator(this->queued_tasks);
1661 while (enumerator->enumerate(enumerator, &queued))
1662 {
1663 if (queued->task->get_type(queued->task) == type)
1664 {
1665 found = TRUE;
1666 break;
1667 }
1668 }
1669 enumerator->destroy(enumerator);
1670 return found;
1671 }
1672
1673 METHOD(task_manager_t, queue_ike, void,
1674 private_task_manager_t *this)
1675 {
1676 if (!has_queued(this, TASK_IKE_VENDOR))
1677 {
1678 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1679 }
1680 if (!has_queued(this, TASK_IKE_INIT))
1681 {
1682 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1683 }
1684 if (!has_queued(this, TASK_IKE_NATD))
1685 {
1686 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1687 }
1688 if (!has_queued(this, TASK_IKE_CERT_PRE))
1689 {
1690 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1691 }
1692 if (!has_queued(this, TASK_IKE_AUTH))
1693 {
1694 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1695 }
1696 if (!has_queued(this, TASK_IKE_CERT_POST))
1697 {
1698 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1699 }
1700 if (!has_queued(this, TASK_IKE_CONFIG))
1701 {
1702 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1703 }
1704 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1705 {
1706 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1707 }
1708 if (!has_queued(this, TASK_IKE_MOBIKE))
1709 {
1710 peer_cfg_t *peer_cfg;
1711
1712 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1713 if (peer_cfg->use_mobike(peer_cfg))
1714 {
1715 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1716 }
1717 }
1718 #ifdef ME
1719 if (!has_queued(this, TASK_IKE_ME))
1720 {
1721 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1722 }
1723 #endif /* ME */
1724 }
1725
1726 METHOD(task_manager_t, queue_ike_rekey, void,
1727 private_task_manager_t *this)
1728 {
1729 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1730 }
1731
1732 /**
1733 * Start reauthentication using make-before-break
1734 */
1735 static void trigger_mbb_reauth(private_task_manager_t *this)
1736 {
1737 enumerator_t *enumerator;
1738 child_sa_t *child_sa;
1739 child_cfg_t *cfg;
1740 ike_sa_t *new;
1741 host_t *host;
1742 queued_task_t *queued;
1743
1744 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1745 this->ike_sa->get_version(this->ike_sa), TRUE);
1746 if (!new)
1747 { /* shouldn't happen */
1748 return;
1749 }
1750
1751 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1752 host = this->ike_sa->get_other_host(this->ike_sa);
1753 new->set_other_host(new, host->clone(host));
1754 host = this->ike_sa->get_my_host(this->ike_sa);
1755 new->set_my_host(new, host->clone(host));
1756 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1757 while (enumerator->enumerate(enumerator, &host))
1758 {
1759 new->add_virtual_ip(new, TRUE, host);
1760 }
1761 enumerator->destroy(enumerator);
1762
1763 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1764 while (enumerator->enumerate(enumerator, &child_sa))
1765 {
1766 cfg = child_sa->get_config(child_sa);
1767 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
1768 FALSE, NULL, NULL)->task);
1769 }
1770 enumerator->destroy(enumerator);
1771
1772 enumerator = array_create_enumerator(this->queued_tasks);
1773 while (enumerator->enumerate(enumerator, &queued))
1774 {
1775 if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE)
1776 {
1777 queued->task->migrate(queued->task, new);
1778 new->queue_task(new, queued->task);
1779 array_remove_at(this->queued_tasks, enumerator);
1780 free(queued);
1781 }
1782 }
1783 enumerator->destroy(enumerator);
1784
1785 /* suspend online revocation checking until the SA is established */
1786 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
1787
1788 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1789 {
1790 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
1791 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1792 this->ike_sa->get_id(this->ike_sa)));
1793 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1794 }
1795 else
1796 {
1797 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1798 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1799 }
1800 charon->bus->set_sa(charon->bus, this->ike_sa);
1801 }
1802
1803 METHOD(task_manager_t, queue_ike_reauth, void,
1804 private_task_manager_t *this)
1805 {
1806 if (this->make_before_break)
1807 {
1808 return trigger_mbb_reauth(this);
1809 }
1810 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1811 }
1812
1813 METHOD(task_manager_t, queue_ike_delete, void,
1814 private_task_manager_t *this)
1815 {
1816 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1817 }
1818
1819 METHOD(task_manager_t, queue_mobike, void,
1820 private_task_manager_t *this, bool roam, bool address)
1821 {
1822 ike_mobike_t *mobike;
1823
1824 mobike = ike_mobike_create(this->ike_sa, TRUE);
1825 if (roam)
1826 {
1827 enumerator_t *enumerator;
1828 task_t *current;
1829
1830 mobike->roam(mobike, address);
1831
1832 /* enable path probing for a currently active MOBIKE task. This might
1833 * not be the case if an address appeared on a new interface while the
1834 * current address is not working but has not yet disappeared. */
1835 enumerator = array_create_enumerator(this->active_tasks);
1836 while (enumerator->enumerate(enumerator, &current))
1837 {
1838 if (current->get_type(current) == TASK_IKE_MOBIKE)
1839 {
1840 ike_mobike_t *active = (ike_mobike_t*)current;
1841 active->enable_probing(active);
1842 break;
1843 }
1844 }
1845 enumerator->destroy(enumerator);
1846 }
1847 else
1848 {
1849 mobike->addresses(mobike);
1850 }
1851 queue_task(this, &mobike->task);
1852 }
1853
1854 METHOD(task_manager_t, queue_child, void,
1855 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
1856 traffic_selector_t *tsi, traffic_selector_t *tsr)
1857 {
1858 child_create_t *task;
1859
1860 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
1861 if (reqid)
1862 {
1863 task->use_reqid(task, reqid);
1864 }
1865 queue_task(this, &task->task);
1866 }
1867
1868 METHOD(task_manager_t, queue_child_rekey, void,
1869 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
1870 {
1871 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
1872 }
1873
1874 METHOD(task_manager_t, queue_child_delete, void,
1875 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
1876 bool expired)
1877 {
1878 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
1879 protocol, spi, expired));
1880 }
1881
1882 METHOD(task_manager_t, queue_dpd, void,
1883 private_task_manager_t *this)
1884 {
1885 ike_mobike_t *mobike;
1886
1887 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
1888 this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
1889 {
1890 #ifdef ME
1891 peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1892 if (cfg->get_peer_id(cfg) ||
1893 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1894 #else
1895 if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1896 #endif
1897 {
1898 /* use mobike enabled DPD to detect NAT mapping changes */
1899 mobike = ike_mobike_create(this->ike_sa, TRUE);
1900 mobike->dpd(mobike);
1901 queue_task(this, &mobike->task);
1902 return;
1903 }
1904 }
1905 queue_task(this, (task_t*)ike_dpd_create(TRUE));
1906 }
1907
1908 METHOD(task_manager_t, adopt_tasks, void,
1909 private_task_manager_t *this, task_manager_t *other_public)
1910 {
1911 private_task_manager_t *other = (private_task_manager_t*)other_public;
1912 queued_task_t *queued;
1913 timeval_t now;
1914
1915 time_monotonic(&now);
1916
1917 /* move queued tasks from other to this */
1918 while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued))
1919 {
1920 DBG2(DBG_IKE, "migrating %N task", task_type_names,
1921 queued->task->get_type(queued->task));
1922 queued->task->migrate(queued->task, this->ike_sa);
1923 /* don't delay tasks on the new IKE_SA */
1924 queued->time = now;
1925 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
1926 }
1927 }
1928
1929 /**
1930 * Migrates child-creating tasks from other to this
1931 */
1932 static void migrate_child_tasks(private_task_manager_t *this,
1933 private_task_manager_t *other,
1934 task_queue_t queue)
1935 {
1936 enumerator_t *enumerator;
1937 array_t *array;
1938 task_t *task;
1939
1940 switch (queue)
1941 {
1942 case TASK_QUEUE_ACTIVE:
1943 array = other->active_tasks;
1944 break;
1945 case TASK_QUEUE_QUEUED:
1946 array = other->queued_tasks;
1947 break;
1948 default:
1949 return;
1950 }
1951
1952 enumerator = array_create_enumerator(array);
1953 while (enumerator->enumerate(enumerator, &task))
1954 {
1955 queued_task_t *queued = NULL;
1956
1957 if (queue == TASK_QUEUE_QUEUED)
1958 {
1959 queued = (queued_task_t*)task;
1960 task = queued->task;
1961 }
1962 if (task->get_type(task) == TASK_CHILD_CREATE)
1963 {
1964 array_remove_at(array, enumerator);
1965 task->migrate(task, this->ike_sa);
1966 queue_task(this, task);
1967 free(queued);
1968 }
1969 }
1970 enumerator->destroy(enumerator);
1971 }
1972
1973 METHOD(task_manager_t, adopt_child_tasks, void,
1974 private_task_manager_t *this, task_manager_t *other_public)
1975 {
1976 private_task_manager_t *other = (private_task_manager_t*)other_public;
1977
1978 /* move active child tasks from other to this */
1979 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
1980 /* do the same for queued tasks */
1981 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
1982 }
1983
1984 METHOD(task_manager_t, busy, bool,
1985 private_task_manager_t *this)
1986 {
1987 return array_count(this->active_tasks) > 0;
1988 }
1989
1990 METHOD(task_manager_t, reset, void,
1991 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
1992 {
1993 enumerator_t *enumerator;
1994 queued_task_t *queued;
1995 task_t *task;
1996 timeval_t now;
1997
1998 /* reset message counters and retransmit packets */
1999 clear_packets(this->responding.packets);
2000 clear_packets(this->initiating.packets);
2001 DESTROY_IF(this->responding.defrag);
2002 DESTROY_IF(this->initiating.defrag);
2003 this->responding.defrag = NULL;
2004 this->initiating.defrag = NULL;
2005 if (initiate != UINT_MAX)
2006 {
2007 this->initiating.mid = initiate;
2008 }
2009 if (respond != UINT_MAX)
2010 {
2011 this->responding.mid = respond;
2012 }
2013 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
2014
2015 time_monotonic(&now);
2016 /* reset queued tasks */
2017 enumerator = array_create_enumerator(this->queued_tasks);
2018 while (enumerator->enumerate(enumerator, &queued))
2019 {
2020 queued->time = now;
2021 queued->task->migrate(queued->task, this->ike_sa);
2022 }
2023 enumerator->destroy(enumerator);
2024
2025 /* reset active tasks */
2026 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
2027 {
2028 task->migrate(task, this->ike_sa);
2029 INIT(queued,
2030 .task = task,
2031 .time = now,
2032 );
2033 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2034 }
2035
2036 this->reset = TRUE;
2037 }
2038
2039 /**
2040 * Filter queued tasks
2041 */
2042 static bool filter_queued(void *unused, queued_task_t **queued, task_t **task)
2043 {
2044 *task = (*queued)->task;
2045 return TRUE;
2046 }
2047
2048 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2049 private_task_manager_t *this, task_queue_t queue)
2050 {
2051 switch (queue)
2052 {
2053 case TASK_QUEUE_ACTIVE:
2054 return array_create_enumerator(this->active_tasks);
2055 case TASK_QUEUE_PASSIVE:
2056 return array_create_enumerator(this->passive_tasks);
2057 case TASK_QUEUE_QUEUED:
2058 return enumerator_create_filter(
2059 array_create_enumerator(this->queued_tasks),
2060 (void*)filter_queued, NULL, NULL);
2061 default:
2062 return enumerator_create_empty();
2063 }
2064 }
2065
2066 METHOD(task_manager_t, destroy, void,
2067 private_task_manager_t *this)
2068 {
2069 flush(this);
2070
2071 array_destroy(this->active_tasks);
2072 array_destroy(this->queued_tasks);
2073 array_destroy(this->passive_tasks);
2074
2075 clear_packets(this->responding.packets);
2076 array_destroy(this->responding.packets);
2077 clear_packets(this->initiating.packets);
2078 array_destroy(this->initiating.packets);
2079 DESTROY_IF(this->responding.defrag);
2080 DESTROY_IF(this->initiating.defrag);
2081 free(this);
2082 }
2083
2084 /*
2085 * see header file
2086 */
2087 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
2088 {
2089 private_task_manager_t *this;
2090
2091 INIT(this,
2092 .public = {
2093 .task_manager = {
2094 .process_message = _process_message,
2095 .queue_task = _queue_task,
2096 .queue_task_delayed = _queue_task_delayed,
2097 .queue_ike = _queue_ike,
2098 .queue_ike_rekey = _queue_ike_rekey,
2099 .queue_ike_reauth = _queue_ike_reauth,
2100 .queue_ike_delete = _queue_ike_delete,
2101 .queue_mobike = _queue_mobike,
2102 .queue_child = _queue_child,
2103 .queue_child_rekey = _queue_child_rekey,
2104 .queue_child_delete = _queue_child_delete,
2105 .queue_dpd = _queue_dpd,
2106 .initiate = _initiate,
2107 .retransmit = _retransmit,
2108 .incr_mid = _incr_mid,
2109 .get_mid = _get_mid,
2110 .reset = _reset,
2111 .adopt_tasks = _adopt_tasks,
2112 .adopt_child_tasks = _adopt_child_tasks,
2113 .busy = _busy,
2114 .create_task_enumerator = _create_task_enumerator,
2115 .flush = _flush,
2116 .flush_queue = _flush_queue,
2117 .destroy = _destroy,
2118 },
2119 },
2120 .ike_sa = ike_sa,
2121 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
2122 .queued_tasks = array_create(0, 0),
2123 .active_tasks = array_create(0, 0),
2124 .passive_tasks = array_create(0, 0),
2125 .retransmit_tries = lib->settings->get_int(lib->settings,
2126 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2127 .retransmit_timeout = lib->settings->get_double(lib->settings,
2128 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2129 .retransmit_base = lib->settings->get_double(lib->settings,
2130 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2131 .make_before_break = lib->settings->get_bool(lib->settings,
2132 "%s.make_before_break", FALSE, lib->ns),
2133 );
2134
2135 return &this->public;
2136 }