projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
child-delete: Delay the removal of the inbound SA of rekeyed CHILD_SAs
[strongswan.git] / src / libcharon / sa / ikev2 / tasks / child_rekey.c
1 /*
2 * Copyright (C) 2009-2016 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "child_rekey.h"
19
20 #include <daemon.h>
21 #include <encoding/payloads/notify_payload.h>
22 #include <sa/ikev2/tasks/child_create.h>
23 #include <sa/ikev2/tasks/child_delete.h>
24 #include <processing/jobs/rekey_child_sa_job.h>
25 #include <processing/jobs/rekey_ike_sa_job.h>
26
27
28 typedef struct private_child_rekey_t private_child_rekey_t;
29
30 /**
31 * Private members of a child_rekey_t task.
32 */
33 struct private_child_rekey_t {
34
35 /**
36 * Public methods and task_t interface.
37 */
38 child_rekey_t public;
39
40 /**
41 * Assigned IKE_SA.
42 */
43 ike_sa_t *ike_sa;
44
45 /**
46 * Are we the initiator?
47 */
48 bool initiator;
49
50 /**
51 * Protocol of CHILD_SA to rekey
52 */
53 protocol_id_t protocol;
54
55 /**
56 * Inbound SPI of CHILD_SA to rekey
57 */
58 uint32_t spi;
59
60 /**
61 * the CHILD_CREATE task which is reused to simplify rekeying
62 */
63 child_create_t *child_create;
64
65 /**
66 * the CHILD_DELETE task to delete rekeyed CHILD_SA
67 */
68 child_delete_t *child_delete;
69
70 /**
71 * CHILD_SA which gets rekeyed
72 */
73 child_sa_t *child_sa;
74
75 /**
76 * colliding task, may be delete or rekey
77 */
78 task_t *collision;
79
80 /**
81 * Indicate that peer destroyed the redundant child from collision.
82 * This happens if a peer's delete notification for the redundant
83 * child gets processed before the rekey job. If so, we must not
84 * touch the child created in the collision since it points to
85 * memory already freed.
86 */
87 bool other_child_destroyed;
88 };
89
90 /**
91 * Schedule a retry if rekeying temporary failed
92 */
93 static void schedule_delayed_rekey(private_child_rekey_t *this)
94 {
95 uint32_t retry;
96 job_t *job;
97
98 retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
99 job = (job_t*)rekey_child_sa_job_create(
100 this->child_sa->get_protocol(this->child_sa),
101 this->child_sa->get_spi(this->child_sa, TRUE),
102 this->ike_sa->get_my_host(this->ike_sa));
103 DBG1(DBG_IKE, "CHILD_SA rekeying failed, trying again in %d seconds", retry);
104 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
105 lib->scheduler->schedule_job(lib->scheduler, job, retry);
106 }
107
108 /**
109 * Implementation of task_t.build for initiator, after rekeying
110 */
111 static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
112 {
113 /* update exchange type to INFORMATIONAL for the delete */
114 message->set_exchange_type(message, INFORMATIONAL);
115
116 return this->child_delete->task.build(&this->child_delete->task, message);
117 }
118
119 /**
120 * Implementation of task_t.process for initiator, after rekeying
121 */
122 static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
123 {
124 return this->child_delete->task.process(&this->child_delete->task, message);
125 }
126
127 /**
128 * find a child using the REKEY_SA notify
129 */
130 static void find_child(private_child_rekey_t *this, message_t *message)
131 {
132 notify_payload_t *notify;
133 protocol_id_t protocol;
134 uint32_t spi;
135 child_sa_t *child_sa;
136
137 notify = message->get_notify(message, REKEY_SA);
138 if (notify)
139 {
140 protocol = notify->get_protocol_id(notify);
141 spi = notify->get_spi(notify);
142
143 if (protocol == PROTO_ESP || protocol == PROTO_AH)
144 {
145 child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
146 spi, FALSE);
147 if (child_sa &&
148 child_sa->get_state(child_sa) == CHILD_DELETING &&
149 child_sa->get_outbound_state(child_sa) == CHILD_OUTBOUND_NONE)
150 { /* ignore rekeyed CHILD_SAs we keep around */
151 return;
152 }
153 this->child_sa = child_sa;
154 }
155 }
156 }
157
158 METHOD(task_t, build_i, status_t,
159 private_child_rekey_t *this, message_t *message)
160 {
161 notify_payload_t *notify;
162 uint32_t reqid;
163 child_cfg_t *config;
164
165 this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
166 this->spi, TRUE);
167 if (!this->child_sa)
168 { /* check if it is an outbound CHILD_SA */
169 this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
170 this->spi, FALSE);
171 if (this->child_sa)
172 {
173 /* we work only with the inbound SPI */
174 this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
175 }
176 }
177 if (!this->child_sa ||
178 (!this->child_create &&
179 this->child_sa->get_state(this->child_sa) != CHILD_INSTALLED) ||
180 (this->child_create &&
181 this->child_sa->get_state(this->child_sa) != CHILD_REKEYING))
182 {
183 /* CHILD_SA is gone or in the wrong state, unable to rekey */
184 message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED);
185 return SUCCESS;
186 }
187 config = this->child_sa->get_config(this->child_sa);
188
189
190 /* our CHILD_CREATE task does the hard work for us */
191 if (!this->child_create)
192 {
193 this->child_create = child_create_create(this->ike_sa,
194 config->get_ref(config), TRUE, NULL, NULL);
195 }
196 reqid = this->child_sa->get_reqid(this->child_sa);
197 this->child_create->use_reqid(this->child_create, reqid);
198 this->child_create->use_marks(this->child_create,
199 this->child_sa->get_mark(this->child_sa, TRUE).value,
200 this->child_sa->get_mark(this->child_sa, FALSE).value);
201
202 if (this->child_create->task.build(&this->child_create->task,
203 message) != NEED_MORE)
204 {
205 schedule_delayed_rekey(this);
206 return FAILED;
207 }
208 if (message->get_exchange_type(message) == CREATE_CHILD_SA)
209 {
210 /* don't add the notify if the CHILD_CREATE task changed the exchange */
211 notify = notify_payload_create_from_protocol_and_type(PLV2_NOTIFY,
212 this->protocol, REKEY_SA);
213 notify->set_spi(notify, this->spi);
214 message->add_payload(message, (payload_t*)notify);
215 }
216 this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
217
218 return NEED_MORE;
219 }
220
221 METHOD(task_t, process_r, status_t,
222 private_child_rekey_t *this, message_t *message)
223 {
224 /* let the CHILD_CREATE task process the message */
225 this->child_create->task.process(&this->child_create->task, message);
226
227 find_child(this, message);
228
229 return NEED_MORE;
230 }
231
232 METHOD(task_t, build_r, status_t,
233 private_child_rekey_t *this, message_t *message)
234 {
235 child_cfg_t *config;
236 uint32_t reqid;
237 child_sa_state_t state;
238 child_sa_t *child_sa;
239
240 if (!this->child_sa)
241 {
242 DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
243 message->add_notify(message, TRUE, CHILD_SA_NOT_FOUND, chunk_empty);
244 return SUCCESS;
245 }
246 if (this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
247 {
248 DBG1(DBG_IKE, "unable to rekey, we are deleting the CHILD_SA");
249 message->add_notify(message, TRUE, TEMPORARY_FAILURE, chunk_empty);
250 return SUCCESS;
251 }
252
253 /* let the CHILD_CREATE task build the response */
254 reqid = this->child_sa->get_reqid(this->child_sa);
255 this->child_create->use_reqid(this->child_create, reqid);
256 this->child_create->use_marks(this->child_create,
257 this->child_sa->get_mark(this->child_sa, TRUE).value,
258 this->child_sa->get_mark(this->child_sa, FALSE).value);
259 config = this->child_sa->get_config(this->child_sa);
260 this->child_create->set_config(this->child_create, config->get_ref(config));
261 this->child_create->task.build(&this->child_create->task, message);
262
263 state = this->child_sa->get_state(this->child_sa);
264 this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
265
266 if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)
267 { /* rekeying failed, reuse old child */
268 this->child_sa->set_state(this->child_sa, state);
269 return SUCCESS;
270 }
271
272 child_sa = this->child_create->get_child(this->child_create);
273 this->child_sa->set_state(this->child_sa, CHILD_REKEYED);
274 this->child_sa->set_rekey_spi(this->child_sa,
275 child_sa->get_spi(child_sa, FALSE));
276
277 /* invoke rekey hook */
278 charon->bus->child_rekey(charon->bus, this->child_sa,
279 this->child_create->get_child(this->child_create));
280 return SUCCESS;
281 }
282
283 /**
284 * Handle a rekey collision
285 */
286 static child_sa_t *handle_collision(private_child_rekey_t *this)
287 {
288 child_sa_t *to_delete;
289
290 if (this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
291 {
292 chunk_t this_nonce, other_nonce;
293 private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
294
295 this_nonce = this->child_create->get_lower_nonce(this->child_create);
296 other_nonce = other->child_create->get_lower_nonce(other->child_create);
297
298 /* if we have the lower nonce, delete rekeyed SA. If not, delete
299 * the redundant. */
300 if (memcmp(this_nonce.ptr, other_nonce.ptr,
301 min(this_nonce.len, other_nonce.len)) > 0)
302 {
303 child_sa_t *child_sa;
304
305 DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child");
306 to_delete = this->child_sa;
307 /* don't touch child other created, it has already been deleted */
308 if (!this->other_child_destroyed)
309 {
310 /* disable close action and updown event for redundant child */
311 child_sa = other->child_create->get_child(other->child_create);
312 if (child_sa)
313 {
314 child_sa->set_close_action(child_sa, ACTION_NONE);
315 if (child_sa->get_state(child_sa) != CHILD_REKEYED)
316 {
317 child_sa->set_state(child_sa, CHILD_REKEYED);
318 }
319 }
320 }
321 }
322 else
323 {
324 DBG1(DBG_IKE, "CHILD_SA rekey collision lost, "
325 "deleting rekeyed child");
326 to_delete = this->child_create->get_child(this->child_create);
327 }
328 }
329 else
330 { /* CHILD_DELETE */
331 child_delete_t *del = (child_delete_t*)this->collision;
332
333 /* we didn't had a chance to compare the nonces, so we delete
334 * the CHILD_SA the other is not deleting. */
335 if (del->get_child(del) != this->child_sa)
336 {
337 DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
338 "deleting rekeyed child");
339 to_delete = this->child_sa;
340 }
341 else
342 {
343 DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
344 "deleting redundant child");
345 to_delete = this->child_create->get_child(this->child_create);
346 }
347 }
348 return to_delete;
349 }
350
351 METHOD(task_t, process_i, status_t,
352 private_child_rekey_t *this, message_t *message)
353 {
354 protocol_id_t protocol;
355 uint32_t spi;
356 child_sa_t *to_delete;
357
358 if (message->get_notify(message, NO_ADDITIONAL_SAS))
359 {
360 DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
361 "starting reauthentication");
362 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
363 lib->processor->queue_job(lib->processor,
364 (job_t*)rekey_ike_sa_job_create(
365 this->ike_sa->get_id(this->ike_sa), TRUE));
366 return SUCCESS;
367 }
368 if (message->get_notify(message, CHILD_SA_NOT_FOUND))
369 {
370 child_cfg_t *child_cfg;
371 uint32_t reqid;
372
373 if (this->collision &&
374 this->collision->get_type(this->collision) == TASK_CHILD_DELETE)
375 { /* ignore this error if we already deleted the CHILD_SA on the
376 * peer's behalf (could happen if the other peer does not detect
377 * the collision and did not respond with TEMPORARY_FAILURE) */
378 return SUCCESS;
379 }
380 DBG1(DBG_IKE, "peer didn't find the CHILD_SA we tried to rekey");
381 /* FIXME: according to RFC 7296 we should only create a new CHILD_SA if
382 * it does not exist yet, we currently have no good way of checking for
383 * that (we could go by name, but that might be tricky e.g. due to
384 * narrowing) */
385 spi = this->child_sa->get_spi(this->child_sa, TRUE);
386 reqid = this->child_sa->get_reqid(this->child_sa);
387 protocol = this->child_sa->get_protocol(this->child_sa);
388 child_cfg = this->child_sa->get_config(this->child_sa);
389 child_cfg->get_ref(child_cfg);
390 charon->bus->child_updown(charon->bus, this->child_sa, FALSE);
391 this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
392 return this->ike_sa->initiate(this->ike_sa,
393 child_cfg->get_ref(child_cfg), reqid,
394 NULL, NULL);
395 }
396
397 if (this->child_create->task.process(&this->child_create->task,
398 message) == NEED_MORE)
399 {
400 /* bad DH group while rekeying, retry, or failure requiring deletion */
401 return NEED_MORE;
402 }
403 if (message->get_payload(message, PLV2_SECURITY_ASSOCIATION) == NULL)
404 {
405 /* establishing new child failed, reuse old and try again. but not when
406 * we received a delete in the meantime */
407 if (!this->collision ||
408 this->collision->get_type(this->collision) != TASK_CHILD_DELETE)
409 {
410 schedule_delayed_rekey(this);
411 }
412 return SUCCESS;
413 }
414
415 /* check for rekey collisions */
416 if (this->collision)
417 {
418 to_delete = handle_collision(this);
419 }
420 else
421 {
422 to_delete = this->child_sa;
423 }
424
425 if (to_delete != this->child_create->get_child(this->child_create))
426 { /* invoke rekey hook if rekeying successful */
427 charon->bus->child_rekey(charon->bus, this->child_sa,
428 this->child_create->get_child(this->child_create));
429 }
430
431 if (to_delete == NULL)
432 {
433 return SUCCESS;
434 }
435 /* disable updown event for redundant CHILD_SA */
436 if (to_delete->get_state(to_delete) != CHILD_REKEYED)
437 {
438 to_delete->set_state(to_delete, CHILD_REKEYED);
439 }
440 spi = to_delete->get_spi(to_delete, TRUE);
441 protocol = to_delete->get_protocol(to_delete);
442
443 /* rekeying done, delete the obsolete CHILD_SA using a subtask */
444 this->child_delete = child_delete_create(this->ike_sa, protocol, spi, FALSE);
445 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
446 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
447
448 return NEED_MORE;
449 }
450
451 METHOD(task_t, get_type, task_type_t,
452 private_child_rekey_t *this)
453 {
454 return TASK_CHILD_REKEY;
455 }
456
457 METHOD(child_rekey_t, is_redundant, bool,
458 private_child_rekey_t *this, child_sa_t *child)
459 {
460 if (this->collision &&
461 this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
462 {
463 private_child_rekey_t *rekey = (private_child_rekey_t*)this->collision;
464 return child == rekey->child_create->get_child(rekey->child_create);
465 }
466 return FALSE;
467 }
468
469 METHOD(child_rekey_t, collide, void,
470 private_child_rekey_t *this, task_t *other)
471 {
472 /* the task manager only detects exchange collision, but not if
473 * the collision is for the same child. we check it here. */
474 if (other->get_type(other) == TASK_CHILD_REKEY)
475 {
476 private_child_rekey_t *rekey = (private_child_rekey_t*)other;
477 child_sa_t *other_child;
478
479 if (rekey->child_sa != this->child_sa)
480 { /* not the same child => no collision */
481 other->destroy(other);
482 return;
483 }
484 /* ignore passive tasks that did not successfully create a CHILD_SA */
485 other_child = rekey->child_create->get_child(rekey->child_create);
486 if (!other_child ||
487 other_child->get_state(other_child) != CHILD_INSTALLED)
488 {
489 other->destroy(other);
490 return;
491 }
492 }
493 else if (other->get_type(other) == TASK_CHILD_DELETE)
494 {
495 child_delete_t *del = (child_delete_t*)other;
496 if (is_redundant(this, del->get_child(del)))
497 {
498 this->other_child_destroyed = TRUE;
499 other->destroy(other);
500 return;
501 }
502 if (del->get_child(del) != this->child_sa)
503 {
504 /* not the same child => no collision */
505 other->destroy(other);
506 return;
507 }
508 }
509 else
510 {
511 /* any other task is not critical for collisions, ignore */
512 other->destroy(other);
513 return;
514 }
515 DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
516 TASK_CHILD_REKEY, task_type_names, other->get_type(other));
517 DESTROY_IF(this->collision);
518 this->collision = other;
519 }
520
521 METHOD(task_t, migrate, void,
522 private_child_rekey_t *this, ike_sa_t *ike_sa)
523 {
524 if (this->child_create)
525 {
526 this->child_create->task.migrate(&this->child_create->task, ike_sa);
527 }
528 if (this->child_delete)
529 {
530 this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
531 }
532 DESTROY_IF(this->collision);
533
534 this->ike_sa = ike_sa;
535 this->collision = NULL;
536 }
537
538 METHOD(task_t, destroy, void,
539 private_child_rekey_t *this)
540 {
541 if (this->child_create)
542 {
543 this->child_create->task.destroy(&this->child_create->task);
544 }
545 if (this->child_delete)
546 {
547 this->child_delete->task.destroy(&this->child_delete->task);
548 }
549 DESTROY_IF(this->collision);
550 free(this);
551 }
552
553 /*
554 * Described in header.
555 */
556 child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
557 uint32_t spi)
558 {
559 private_child_rekey_t *this;
560
561 INIT(this,
562 .public = {
563 .task = {
564 .get_type = _get_type,
565 .migrate = _migrate,
566 .destroy = _destroy,
567 },
568 .is_redundant = _is_redundant,
569 .collide = _collide,
570 },
571 .ike_sa = ike_sa,
572 .protocol = protocol,
573 .spi = spi,
574 );
575
576 if (protocol != PROTO_NONE)
577 {
578 this->public.task.build = _build_i;
579 this->public.task.process = _process_i;
580 this->initiator = TRUE;
581 this->child_create = NULL;
582 }
583 else
584 {
585 this->public.task.build = _build_r;
586 this->public.task.process = _process_r;
587 this->initiator = FALSE;
588 this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
589 }
590
591 return &this->public;
592 }
strongSwan - IPsec VPN