]> git.ipfire.org Git - people/ms/strongswan.git/blame - src/libcharon/sa/ikev2/tasks/ike_rekey.c
projects / people / ms / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
kernel-netlink: Respect kernel routing priorities for IKE routes
[people/ms/strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_rekey.c
CommitLineData
c60c7694 1/*
6a4ff35c 2 * Copyright (C) 2005-2008 Martin Willi
c60c7694
MW		 3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17#include "ike_rekey.h"
18
19#include <daemon.h>
c60c7694 20#include <encoding/payloads/notify_payload.h>
15a682f4
MW		 21#include <sa/ikev2/tasks/ike_init.h>
22#include <sa/ikev2/tasks/ike_delete.h>
e0fe7651
MW		 23#include <processing/jobs/delete_ike_sa_job.h>
24#include <processing/jobs/rekey_ike_sa_job.h>
c60c7694
MW		 25
26
27typedef struct private_ike_rekey_t private_ike_rekey_t;
28
29/**
30 * Private members of a ike_rekey_t task.
31 */
32struct private_ike_rekey_t {
7daf5226 33
c60c7694
MW		 34 /**
35 * Public methods and task_t interface.
36 */
37 ike_rekey_t public;
7daf5226 38
c60c7694
MW		 39 /**
40 * Assigned IKE_SA.
41 */
42 ike_sa_t *ike_sa;
7daf5226 43
c60c7694
MW		 44 /**
45 * New IKE_SA which replaces the current one
46 */
47 ike_sa_t *new_sa;
7daf5226 48
c60c7694
MW		 49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
7daf5226 53
c60c7694 54 /**
a09972df 55 * the TASK_IKE_INIT task which is reused to simplify rekeying
c60c7694
MW		 56 */
57 ike_init_t *ike_init;
7daf5226 58
394eb35b
MW		 59 /**
60 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
61 */
62 ike_delete_t *ike_delete;
7daf5226 63
eef08590
MW		 64 /**
65 * colliding task detected by the task manager
66 */
67 task_t *collision;
c60c7694
MW		 68};
69
3ced6b51
MW		 70/**
71 * Establish the new replacement IKE_SA
72 */
73static void establish_new(private_ike_rekey_t *this)
74{
75 if (this->new_sa)
76 {
77 this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
78 DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
79 this->new_sa->get_name(this->new_sa),
80 this->new_sa->get_unique_id(this->new_sa),
81 this->ike_sa->get_my_host(this->ike_sa),
82 this->ike_sa->get_my_id(this->ike_sa),
83 this->ike_sa->get_other_host(this->ike_sa),
84 this->ike_sa->get_other_id(this->ike_sa));
85
713a1122 86 this->new_sa->inherit_post(this->new_sa, this->ike_sa);
3ced6b51
MW		 87 charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
88 charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
89 this->new_sa = NULL;
90 /* set threads active IKE_SA after checkin */
91 charon->bus->set_sa(charon->bus, this->ike_sa);
92 }
93}
94
f42156a8
MW		 95METHOD(task_t, process_r_delete, status_t,
96 private_ike_rekey_t *this, message_t *message)
97{
3ced6b51 98 establish_new(this);
f42156a8
MW		 99 return this->ike_delete->task.process(&this->ike_delete->task, message);
100}
101
102METHOD(task_t, build_r_delete, status_t,
103 private_ike_rekey_t *this, message_t *message)
104{
105 return this->ike_delete->task.build(&this->ike_delete->task, message);
106}
107
41080cbb
MW		 108METHOD(task_t, build_i_delete, status_t,
109 private_ike_rekey_t *this, message_t *message)
394eb35b
MW		 110{
111 /* update exchange type to INFORMATIONAL for the delete */
112 message->set_exchange_type(message, INFORMATIONAL);
7daf5226 113
394eb35b
MW		 114 return this->ike_delete->task.build(&this->ike_delete->task, message);
115}
116
41080cbb
MW		 117METHOD(task_t, process_i_delete, status_t,
118 private_ike_rekey_t *this, message_t *message)
394eb35b
MW		 119{
120 return this->ike_delete->task.process(&this->ike_delete->task, message);
121}
122
41080cbb
MW		 123METHOD(task_t, build_i, status_t,
124 private_ike_rekey_t *this, message_t *message)
c60c7694 125{
3d54ae94 126 ike_version_t version;
7daf5226 127
1fd5383e
MW		 128 /* create new SA only on first try */
129 if (this->new_sa == NULL)
130 {
3d54ae94 131 version = this->ike_sa->get_version(this->ike_sa);
0b611540
TB		 132 this->new_sa = charon->ike_sa_manager->checkout_new(
133 charon->ike_sa_manager, version, TRUE);
3d54ae94
MW		 134 if (!this->new_sa)
135 { /* shouldn't happen */
136 return FAILED;
137 }
713a1122 138 this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
1fd5383e
MW		 139 this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
140 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
141 }
c60c7694 142 this->ike_init->task.build(&this->ike_init->task, message);
c60c7694
MW		 143
144 return NEED_MORE;
145}
146
41080cbb
MW		 147METHOD(task_t, process_r, status_t,
148 private_ike_rekey_t *this, message_t *message)
c60c7694 149{
4bbce1ef 150 enumerator_t *enumerator;
0f33e826 151 child_sa_t *child_sa;
7daf5226 152
0f33e826
MW		 153 if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
154 {
155 DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
156 return NEED_MORE;
157 }
158
4bbce1ef
TB		 159 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
160 while (enumerator->enumerate(enumerator, (void**)&child_sa))
0f33e826
MW		 161 {
162 switch (child_sa->get_state(child_sa))
163 {
164 case CHILD_CREATED:
165 case CHILD_REKEYING:
f1773fee 166 case CHILD_RETRYING:
0f33e826
MW		 167 case CHILD_DELETING:
168 /* we do not allow rekeying while we have children in-progress */
169 DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
4bbce1ef 170 enumerator->destroy(enumerator);
0f33e826
MW		 171 return NEED_MORE;
172 default:
173 break;
174 }
175 }
4bbce1ef 176 enumerator->destroy(enumerator);
7daf5226 177
b9e363f8 178 this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
3d54ae94
MW		 179 this->ike_sa->get_version(this->ike_sa), FALSE);
180 if (!this->new_sa)
181 { /* shouldn't happen */
182 return FAILED;
183 }
713a1122 184 this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
c60c7694
MW		 185 this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
186 this->ike_init->task.process(&this->ike_init->task, message);
7daf5226 187
c60c7694
MW		 188 return NEED_MORE;
189}
190
41080cbb
MW		 191METHOD(task_t, build_r, status_t,
192 private_ike_rekey_t *this, message_t *message)
c60c7694 193{
0f33e826
MW		 194 if (this->new_sa == NULL)
195 {
196 /* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
197 message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
198 return SUCCESS;
199 }
7daf5226 200
c60c7694
MW		 201 if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
202 {
203 return SUCCESS;
204 }
7daf5226 205
c60c7694 206 this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
7daf5226 207
f42156a8
MW		 208 /* rekeying successful, delete the IKE_SA using a subtask */
209 this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
210 this->public.task.build = _build_r_delete;
211 this->public.task.process = _process_r_delete;
212
213 return NEED_MORE;
c60c7694
MW		 214}
215
41080cbb
MW		 216METHOD(task_t, process_i, status_t,
217 private_ike_rekey_t *this, message_t *message)
c60c7694 218{
9beb8386 219 if (message->get_notify(message, NO_ADDITIONAL_SAS))
dad8ecee 220 {
9beb8386
MW		 221 DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
222 "starting reauthentication");
223 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
bb381e26 224 lib->processor->queue_job(lib->processor,
9beb8386
MW		 225 (job_t*)rekey_ike_sa_job_create(
226 this->ike_sa->get_id(this->ike_sa), TRUE));
227 return SUCCESS;
dad8ecee 228 }
7daf5226 229
1fd5383e 230 switch (this->ike_init->task.process(&this->ike_init->task, message))
c60c7694 231 {
1fd5383e
MW		 232 case FAILED:
233 /* rekeying failed, fallback to old SA */
26424f03 234 if (!(this->collision && (
a09972df
MW		 235 this->collision->get_type(this->collision) == TASK_IKE_DELETE ||
236 this->collision->get_type(this->collision) == TASK_IKE_REAUTH)))
1fd5383e
MW		 237 {
238 job_t *job;
239 u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
240 job = (job_t*)rekey_ike_sa_job_create(
241 this->ike_sa->get_id(this->ike_sa), FALSE);
242 DBG1(DBG_IKE, "IKE_SA rekeying failed, "
b9b8a98f 243 "trying again in %d seconds", retry);
1fd5383e 244 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
bb381e26 245 lib->scheduler->schedule_job(lib->scheduler, job, retry);
1fd5383e
MW		 246 }
247 return SUCCESS;
248 case NEED_MORE:
249 /* bad dh group, try again */
250 this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
251 return NEED_MORE;
252 default:
253 break;
c60c7694 254 }
7daf5226 255
eef08590
MW		 256 /* check for collisions */
257 if (this->collision &&
a09972df 258 this->collision->get_type(this->collision) == TASK_IKE_REKEY)
eef08590 259 {
eef08590 260 private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
7daf5226 261
e54e86cb
TE		 262 /* ike_init can be NULL, if child_sa is half-open */
263 if (other->ike_init)
eef08590 264 {
e54e86cb
TE		 265 host_t *host;
266 chunk_t this_nonce, other_nonce;
267
268 this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
269 other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
270
271 /* if we have the lower nonce, delete rekeyed SA. If not, delete
272 * the redundant. */
273 if (memcmp(this_nonce.ptr, other_nonce.ptr,
1ed482d8 274 min(this_nonce.len, other_nonce.len)) > 0)
09f706ec 275 {
e54e86cb
TE		 276 /* peer should delete this SA. Add a timeout just in case. */
277 job_t *job = (job_t*)delete_ike_sa_job_create(
278 other->new_sa->get_id(other->new_sa), TRUE);
bb381e26 279 lib->scheduler->schedule_job(lib->scheduler, job, 10);
1ed482d8 280 DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
e54e86cb
TE		 281 charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
282 other->new_sa = NULL;
09f706ec
MW		 283 }
284 else
285 {
1ed482d8
MW		 286 DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
287 "deleting redundant IKE_SA");
e54e86cb
TE		 288 /* apply host for a proper delete */
289 host = this->ike_sa->get_my_host(this->ike_sa);
290 this->new_sa->set_my_host(this->new_sa, host->clone(host));
291 host = this->ike_sa->get_other_host(this->ike_sa);
292 this->new_sa->set_other_host(this->new_sa, host->clone(host));
293 this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
3ced6b51 294 this->new_sa->set_state(this->new_sa, IKE_REKEYING);
e54e86cb
TE		 295 if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
296 {
3ced6b51 297 this->new_sa->destroy(this->new_sa);
e54e86cb
TE		 298 }
299 else
300 {
301 charon->ike_sa_manager->checkin(
302 charon->ike_sa_manager, this->new_sa);
3ced6b51
MW		 303 /* set threads active IKE_SA after checkin */
304 charon->bus->set_sa(charon->bus, this->ike_sa);
e54e86cb 305 }
3ced6b51
MW		 306 this->new_sa = NULL;
307 establish_new(other);
e54e86cb 308 return SUCCESS;
09f706ec 309 }
eef08590 310 }
f2e1ff59
MW		 311 /* set threads active IKE_SA after checkin */
312 charon->bus->set_sa(charon->bus, this->ike_sa);
eef08590 313 }
7daf5226 314
3ced6b51
MW		 315 establish_new(this);
316
394eb35b
MW		 317 /* rekeying successful, delete the IKE_SA using a subtask */
318 this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
41080cbb
MW		 319 this->public.task.build = _build_i_delete;
320 this->public.task.process = _process_i_delete;
7daf5226 321
394eb35b 322 return NEED_MORE;
c60c7694
MW		 323}
324
41080cbb
MW		 325METHOD(task_t, get_type, task_type_t,
326 private_ike_rekey_t *this)
c60c7694 327{
a09972df 328 return TASK_IKE_REKEY;
c60c7694
MW		 329}
330
41080cbb
MW		 331METHOD(ike_rekey_t, collide, void,
332 private_ike_rekey_t* this, task_t *other)
eef08590 333{
a09972df
MW		 334 DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
335 TASK_IKE_REKEY, task_type_names, other->get_type(other));
eef08590
MW		 336 DESTROY_IF(this->collision);
337 this->collision = other;
338}
339
41080cbb
MW		 340METHOD(task_t, migrate, void,
341 private_ike_rekey_t *this, ike_sa_t *ike_sa)
c60c7694
MW		 342{
343 if (this->ike_init)
344 {
345 this->ike_init->task.destroy(&this->ike_init->task);
346 }
394eb35b
MW		 347 if (this->ike_delete)
348 {
349 this->ike_delete->task.destroy(&this->ike_delete->task);
350 }
3ced6b51 351 DESTROY_IF(this->new_sa);
eef08590 352 DESTROY_IF(this->collision);
7daf5226 353
eef08590 354 this->collision = NULL;
c60c7694
MW		 355 this->ike_sa = ike_sa;
356 this->new_sa = NULL;
357 this->ike_init = NULL;
394eb35b 358 this->ike_delete = NULL;
c60c7694
MW		 359}
360
41080cbb
MW		 361METHOD(task_t, destroy, void,
362 private_ike_rekey_t *this)
c60c7694 363{
eef08590 364 if (this->ike_init)
c60c7694 365 {
eef08590 366 this->ike_init->task.destroy(&this->ike_init->task);
c60c7694 367 }
394eb35b
MW		 368 if (this->ike_delete)
369 {
370 this->ike_delete->task.destroy(&this->ike_delete->task);
371 }
3ced6b51 372 DESTROY_IF(this->new_sa);
eef08590 373 DESTROY_IF(this->collision);
c60c7694
MW		 374 free(this);
375}
376
377/*
378 * Described in header.
379 */
380ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
381{
41080cbb
MW		 382 private_ike_rekey_t *this;
383
384 INIT(this,
385 .public = {
386 .task = {
387 .get_type = _get_type,
388 .build = _build_r,
389 .process = _process_r,
390 .migrate = _migrate,
391 .destroy = _destroy,
392 },
393 .collide = _collide,
394 },
395 .ike_sa = ike_sa,
396 .initiator = initiator,
397 );
c60c7694
MW		 398 if (initiator)
399 {
41080cbb
MW		 400 this->public.task.build = _build_i;
401 this->public.task.process = _process_i;
c60c7694 402 }
7daf5226 403
c60c7694
MW		 404 return &this->public;
405}
Michael's strongswan development tree