src/libcharon/sa/tasks/ike_reauth.c

   1 /*
   2  * Copyright (C) 2006-2008 Martin Willi
   3  * Hochschule fuer Technik Rapperswil
   4  *
   5  * This program is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License as published by the
   7  * Free Software Foundation; either version 2 of the License, or (at your
   8  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   9  *
  10  * This program is distributed in the hope that it will be useful, but
  11  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  12  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  13  * for more details.
  14  */
  15
  16 #include "ike_reauth.h"
  17
  18 #include <daemon.h>
  19 #include <sa/tasks/ike_delete.h>
  20
  21
  22 typedef struct private_ike_reauth_t private_ike_reauth_t;
  23
  24 /**
  25  * Private members of a ike_reauth_t task.
  26  */
  27 struct private_ike_reauth_t {
  28
  29         /**
  30          * Public methods and task_t interface.
  31          */
  32         ike_reauth_t public;
  33
  34         /**
  35          * Assigned IKE_SA.
  36          */
  37         ike_sa_t *ike_sa;
  38
  39         /**
  40          * reused ike_delete task
  41          */
  42         ike_delete_t *ike_delete;
  43 };
  44
  45 /**
  46  * Implementation of task_t.build for initiator
  47  */
  48 static status_t build_i(private_ike_reauth_t *this, message_t *message)
  49 {
  50         return this->ike_delete->task.build(&this->ike_delete->task, message);
  51 }
  52
  53 /**
  54  * Implementation of task_t.process for initiator
  55  */
  56 static status_t process_i(private_ike_reauth_t *this, message_t *message)
  57 {
  58         ike_sa_t *new;
  59         host_t *host;
  60         enumerator_t *enumerator;
  61         child_sa_t *child_sa;
  62         peer_cfg_t *peer_cfg;
  63
  64         /* process delete response first */
  65         this->ike_delete->task.process(&this->ike_delete->task, message);
  66
  67         peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
  68
  69         /* reauthenticate only if we have children */
  70         if (this->ike_sa->get_child_count(this->ike_sa) == 0
  71 #ifdef ME
  72                 /* we allow peers to reauth mediation connections (without children) */
  73                 && !peer_cfg->is_mediation(peer_cfg)
  74 #endif /* ME */
  75                 )
  76         {
  77                 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA to recreate");
  78                 return FAILED;
  79         }
  80
  81         new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
  82
  83         new->set_peer_cfg(new, peer_cfg);
  84         host = this->ike_sa->get_other_host(this->ike_sa);
  85         new->set_other_host(new, host->clone(host));
  86         host = this->ike_sa->get_my_host(this->ike_sa);
  87         new->set_my_host(new, host->clone(host));
  88         /* if we already have a virtual IP, we reuse it */
  89         host = this->ike_sa->get_virtual_ip(this->ike_sa, TRUE);
  90         if (host)
  91         {
  92                 new->set_virtual_ip(new, TRUE, host);
  93         }
  94
  95 #ifdef ME
  96         /* we initiate the new IKE_SA of the mediation connection without CHILD_SA */
  97         if (peer_cfg->is_mediation(peer_cfg))
  98         {
  99                 if (new->initiate(new, NULL, 0, NULL, NULL) == DESTROY_ME)
 100                 {
 101                         charon->ike_sa_manager->checkin_and_destroy(
 102                                                                 charon->ike_sa_manager, new);
 103                         /* set threads active IKE_SA after checkin */
 104                         charon->bus->set_sa(charon->bus, this->ike_sa);
 105                         DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
 106                         return FAILED;
 107                 }
 108         }
 109 #endif /* ME */
 110
 111         enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
 112         while (enumerator->enumerate(enumerator, (void**)&child_sa))
 113         {
 114                 switch (child_sa->get_state(child_sa))
 115                 {
 116                         case CHILD_ROUTED:
 117                         {
 118                                 /* move routed child directly */
 119                                 this->ike_sa->remove_child_sa(this->ike_sa, enumerator);
 120                                 new->add_child_sa(new, child_sa);
 121                                 break;
 122                         }
 123                         default:
 124                         {
 125                                 /* initiate/queue all child SAs */
 126                                 child_cfg_t *child_cfg = child_sa->get_config(child_sa);
 127                                 child_cfg->get_ref(child_cfg);
 128                                 if (new->initiate(new, child_cfg, 0, NULL, NULL) == DESTROY_ME)
 129                                 {
 130                                         enumerator->destroy(enumerator);
 131                                         charon->ike_sa_manager->checkin_and_destroy(
 132                                                                                 charon->ike_sa_manager, new);
 133                                         /* set threads active IKE_SA after checkin */
 134                                         charon->bus->set_sa(charon->bus, this->ike_sa);
 135                                         DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
 136                                         return FAILED;
 137                                 }
 138                                 break;
 139                         }
 140                 }
 141         }
 142         enumerator->destroy(enumerator);
 143         charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
 144         /* set threads active IKE_SA after checkin */
 145         charon->bus->set_sa(charon->bus, this->ike_sa);
 146
 147         /* we always destroy the obsolete IKE_SA */
 148         return DESTROY_ME;
 149 }
 150
 151 /**
 152  * Implementation of task_t.get_type
 153  */
 154 static task_type_t get_type(private_ike_reauth_t *this)
 155 {
 156         return IKE_REAUTH;
 157 }
 158
 159 /**
 160  * Implementation of task_t.migrate
 161  */
 162 static void migrate(private_ike_reauth_t *this, ike_sa_t *ike_sa)
 163 {
 164         this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
 165         this->ike_sa = ike_sa;
 166 }
 167
 168 /**
 169  * Implementation of task_t.destroy
 170  */
 171 static void destroy(private_ike_reauth_t *this)
 172 {
 173         this->ike_delete->task.destroy(&this->ike_delete->task);
 174         free(this);
 175 }
 176
 177 /*
 178  * Described in header.
 179  */
 180 ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
 181 {
 182         private_ike_reauth_t *this = malloc_thing(private_ike_reauth_t);
 183
 184         this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
 185         this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
 186         this->public.task.destroy = (void(*)(task_t*))destroy;
 187         this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
 188         this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
 189
 190         this->ike_sa = ike_sa;
 191         this->ike_delete = ike_delete_create(ike_sa, TRUE);
 192
 193         return &this->public;
 194 }
 195