projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Moving charon to libcharon.
[strongswan.git] / src / libcharon / sa / tasks / child_rekey.c
1 /*
2 * Copyright (C) 2005-2007 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "child_rekey.h"
18
19 #include <daemon.h>
20 #include <encoding/payloads/notify_payload.h>
21 #include <sa/tasks/child_create.h>
22 #include <sa/tasks/child_delete.h>
23 #include <processing/jobs/rekey_child_sa_job.h>
24 #include <processing/jobs/rekey_ike_sa_job.h>
25
26
27 typedef struct private_child_rekey_t private_child_rekey_t;
28
29 /**
30 * Private members of a child_rekey_t task.
31 */
32 struct private_child_rekey_t {
33
34 /**
35 * Public methods and task_t interface.
36 */
37 child_rekey_t public;
38
39 /**
40 * Assigned IKE_SA.
41 */
42 ike_sa_t *ike_sa;
43
44 /**
45 * Are we the initiator?
46 */
47 bool initiator;
48
49 /**
50 * Protocol of CHILD_SA to rekey
51 */
52 protocol_id_t protocol;
53
54 /**
55 * Inbound SPI of CHILD_SA to rekey
56 */
57 u_int32_t spi;
58
59 /**
60 * the CHILD_CREATE task which is reused to simplify rekeying
61 */
62 child_create_t *child_create;
63
64 /**
65 * the CHILD_DELETE task to delete rekeyed CHILD_SA
66 */
67 child_delete_t *child_delete;
68
69 /**
70 * CHILD_SA which gets rekeyed
71 */
72 child_sa_t *child_sa;
73
74 /**
75 * colliding task, may be delete or rekey
76 */
77 task_t *collision;
78 };
79
80 /**
81 * Implementation of task_t.build for initiator, after rekeying
82 */
83 static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
84 {
85 /* update exchange type to INFORMATIONAL for the delete */
86 message->set_exchange_type(message, INFORMATIONAL);
87
88 return this->child_delete->task.build(&this->child_delete->task, message);
89 }
90
91 /**
92 * Implementation of task_t.process for initiator, after rekeying
93 */
94 static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
95 {
96 return this->child_delete->task.process(&this->child_delete->task, message);
97 }
98
99 /**
100 * find a child using the REKEY_SA notify
101 */
102 static void find_child(private_child_rekey_t *this, message_t *message)
103 {
104 notify_payload_t *notify;
105 protocol_id_t protocol;
106 u_int32_t spi;
107
108 notify = message->get_notify(message, REKEY_SA);
109 if (notify)
110 {
111 protocol = notify->get_protocol_id(notify);
112 spi = notify->get_spi(notify);
113
114 if (protocol == PROTO_ESP || protocol == PROTO_AH)
115 {
116 this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
117 spi, FALSE);
118 }
119 }
120 }
121
122 /**
123 * Implementation of task_t.build for initiator
124 */
125 static status_t build_i(private_child_rekey_t *this, message_t *message)
126 {
127 notify_payload_t *notify;
128 u_int32_t reqid;
129 child_cfg_t *config;
130
131 this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
132 this->spi, TRUE);
133 if (!this->child_sa)
134 { /* check if it is an outbound CHILD_SA */
135 this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
136 this->spi, FALSE);
137 if (!this->child_sa)
138 { /* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA
139 * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/
140 message->set_exchange_type(message, INFORMATIONAL);
141 return SUCCESS;
142 }
143 /* we work only with the inbound SPI */
144 this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
145 }
146 config = this->child_sa->get_config(this->child_sa);
147
148 /* we just need the rekey notify ... */
149 notify = notify_payload_create_from_protocol_and_type(this->protocol,
150 REKEY_SA);
151 notify->set_spi(notify, this->spi);
152 message->add_payload(message, (payload_t*)notify);
153
154 /* ... our CHILD_CREATE task does the hard work for us. */
155 if (!this->child_create)
156 {
157 this->child_create = child_create_create(this->ike_sa, config, TRUE,
158 NULL, NULL);
159 }
160 reqid = this->child_sa->get_reqid(this->child_sa);
161 this->child_create->use_reqid(this->child_create, reqid);
162 this->child_create->task.build(&this->child_create->task, message);
163
164 this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
165
166 return NEED_MORE;
167 }
168
169 /**
170 * Implementation of task_t.process for initiator
171 */
172 static status_t process_r(private_child_rekey_t *this, message_t *message)
173 {
174 /* let the CHILD_CREATE task process the message */
175 this->child_create->task.process(&this->child_create->task, message);
176
177 find_child(this, message);
178
179 return NEED_MORE;
180 }
181
182 /**
183 * Implementation of task_t.build for responder
184 */
185 static status_t build_r(private_child_rekey_t *this, message_t *message)
186 {
187 u_int32_t reqid;
188
189 if (this->child_sa == NULL ||
190 this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
191 {
192 DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
193 message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
194 return SUCCESS;
195 }
196
197 /* let the CHILD_CREATE task build the response */
198 reqid = this->child_sa->get_reqid(this->child_sa);
199 this->child_create->use_reqid(this->child_create, reqid);
200 this->child_create->task.build(&this->child_create->task, message);
201
202 if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
203 {
204 /* rekeying failed, reuse old child */
205 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
206 return SUCCESS;
207 }
208
209 this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
210
211 /* invoke rekey hook */
212 charon->bus->child_rekey(charon->bus, this->child_sa,
213 this->child_create->get_child(this->child_create));
214 return SUCCESS;
215 }
216
217 /**
218 * Implementation of task_t.process for initiator
219 */
220 static status_t process_i(private_child_rekey_t *this, message_t *message)
221 {
222 protocol_id_t protocol;
223 u_int32_t spi;
224 child_sa_t *to_delete;
225
226 if (message->get_notify(message, NO_ADDITIONAL_SAS))
227 {
228 DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
229 "starting reauthentication");
230 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
231 charon->processor->queue_job(charon->processor,
232 (job_t*)rekey_ike_sa_job_create(
233 this->ike_sa->get_id(this->ike_sa), TRUE));
234 return SUCCESS;
235 }
236
237 if (this->child_create->task.process(&this->child_create->task,
238 message) == NEED_MORE)
239 {
240 /* bad DH group while rekeying, try again */
241 this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
242 return NEED_MORE;
243 }
244 if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
245 {
246 /* establishing new child failed, reuse old. but not when we
247 * recieved a delete in the meantime */
248 if (!(this->collision &&
249 this->collision->get_type(this->collision) == CHILD_DELETE))
250 {
251 job_t *job;
252 u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
253
254 job = (job_t*)rekey_child_sa_job_create(
255 this->child_sa->get_reqid(this->child_sa),
256 this->child_sa->get_protocol(this->child_sa),
257 this->child_sa->get_spi(this->child_sa, TRUE));
258 DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
259 "trying again in %d seconds", retry);
260 this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
261 charon->scheduler->schedule_job(charon->scheduler, job, retry);
262 }
263 return SUCCESS;
264 }
265
266 to_delete = this->child_sa;
267
268 /* check for rekey collisions */
269 if (this->collision &&
270 this->collision->get_type(this->collision) == CHILD_REKEY)
271 {
272 chunk_t this_nonce, other_nonce;
273 private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
274
275 this_nonce = this->child_create->get_lower_nonce(this->child_create);
276 other_nonce = other->child_create->get_lower_nonce(other->child_create);
277
278 /* if we have the lower nonce, delete rekeyed SA. If not, delete
279 * the redundant. */
280 if (memcmp(this_nonce.ptr, other_nonce.ptr,
281 min(this_nonce.len, other_nonce.len)) < 0)
282 {
283 DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child");
284 }
285 else
286 {
287 DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child");
288 to_delete = this->child_create->get_child(this->child_create);
289 if (to_delete == NULL)
290 {
291 /* ooops, should not happen, fallback */
292 to_delete = this->child_sa;
293 }
294 }
295 }
296
297 if (to_delete != this->child_create->get_child(this->child_create))
298 { /* invoke rekey hook if rekeying successful */
299 charon->bus->child_rekey(charon->bus, this->child_sa,
300 this->child_create->get_child(this->child_create));
301 }
302
303 spi = to_delete->get_spi(to_delete, TRUE);
304 protocol = to_delete->get_protocol(to_delete);
305
306 /* rekeying done, delete the obsolete CHILD_SA using a subtask */
307 this->child_delete = child_delete_create(this->ike_sa, protocol, spi);
308 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
309 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
310
311 return NEED_MORE;
312 }
313
314 /**
315 * Implementation of task_t.get_type
316 */
317 static task_type_t get_type(private_child_rekey_t *this)
318 {
319 return CHILD_REKEY;
320 }
321
322 /**
323 * Implementation of child_rekey_t.collide
324 */
325 static void collide(private_child_rekey_t *this, task_t *other)
326 {
327 /* the task manager only detects exchange collision, but not if
328 * the collision is for the same child. we check it here. */
329 if (other->get_type(other) == CHILD_REKEY)
330 {
331 private_child_rekey_t *rekey = (private_child_rekey_t*)other;
332 if (rekey == NULL || rekey->child_sa != this->child_sa)
333 {
334 /* not the same child => no collision */
335 other->destroy(other);
336 return;
337 }
338 }
339 else if (other->get_type(other) == CHILD_DELETE)
340 {
341 child_delete_t *del = (child_delete_t*)other;
342 if (del == NULL || del->get_child(del) != this->child_sa)
343 {
344 /* not the same child => no collision */
345 other->destroy(other);
346 return;
347 }
348 }
349 else
350 {
351 /* any other task is not critical for collisisions, ignore */
352 other->destroy(other);
353 return;
354 }
355 DESTROY_IF(this->collision);
356 this->collision = other;
357 }
358
359 /**
360 * Implementation of task_t.migrate
361 */
362 static void migrate(private_child_rekey_t *this, ike_sa_t *ike_sa)
363 {
364 if (this->child_create)
365 {
366 this->child_create->task.migrate(&this->child_create->task, ike_sa);
367 }
368 if (this->child_delete)
369 {
370 this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
371 }
372 DESTROY_IF(this->collision);
373
374 this->ike_sa = ike_sa;
375 this->collision = NULL;
376 }
377
378 /**
379 * Implementation of task_t.destroy
380 */
381 static void destroy(private_child_rekey_t *this)
382 {
383 if (this->child_create)
384 {
385 this->child_create->task.destroy(&this->child_create->task);
386 }
387 if (this->child_delete)
388 {
389 this->child_delete->task.destroy(&this->child_delete->task);
390 }
391 DESTROY_IF(this->collision);
392 free(this);
393 }
394
395 /*
396 * Described in header.
397 */
398 child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
399 u_int32_t spi)
400 {
401 private_child_rekey_t *this = malloc_thing(private_child_rekey_t);
402
403 this->public.collide = (void (*)(child_rekey_t*,task_t*))collide;
404 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
405 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
406 this->public.task.destroy = (void(*)(task_t*))destroy;
407 if (protocol != PROTO_NONE)
408 {
409 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
410 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
411 this->initiator = TRUE;
412 this->child_create = NULL;
413 }
414 else
415 {
416 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
417 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
418 this->initiator = FALSE;
419 this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
420 }
421
422 this->ike_sa = ike_sa;
423 this->child_sa = NULL;
424 this->protocol = protocol;
425 this->spi = spi;
426 this->collision = NULL;
427 this->child_delete = NULL;
428
429 return &this->public;
430 }
strongSwan - IPsec VPN