]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ikev2/task_manager_v2.c
projects / thirdparty / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ikev2: Accept INFORMATIONAL messages with MID 0 if used to sync MIDs
[thirdparty/strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2016 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_mid_sync.h>
38 #include <sa/ikev2/tasks/ike_vendor.h>
39 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
40 #include <sa/ikev2/tasks/child_create.h>
41 #include <sa/ikev2/tasks/child_rekey.h>
42 #include <sa/ikev2/tasks/child_delete.h>
43 #include <encoding/payloads/delete_payload.h>
44 #include <encoding/payloads/unknown_payload.h>
45 #include <processing/jobs/retransmit_job.h>
46 #include <processing/jobs/delete_ike_sa_job.h>
47 #include <processing/jobs/initiate_tasks_job.h>
48
49 #ifdef ME
50 #include <sa/ikev2/tasks/ike_me.h>
51 #endif
52
53 typedef struct private_task_manager_t private_task_manager_t;
54 typedef struct queued_task_t queued_task_t;
55
56 /**
57 * private data of the task manager
58 */
59 struct private_task_manager_t {
60
61 /**
62 * public functions
63 */
64 task_manager_v2_t public;
65
66 /**
67 * associated IKE_SA we are serving
68 */
69 ike_sa_t *ike_sa;
70
71 /**
72 * Exchange we are currently handling as responder
73 */
74 struct {
75 /**
76 * Message ID of the exchange
77 */
78 uint32_t mid;
79
80 /**
81 * packet(s) for retransmission
82 */
83 array_t *packets;
84
85 /**
86 * Helper to defragment the request
87 */
88 message_t *defrag;
89
90 } responding;
91
92 /**
93 * Exchange we are currently handling as initiator
94 */
95 struct {
96 /**
97 * Message ID of the exchange
98 */
99 uint32_t mid;
100
101 /**
102 * how many times we have retransmitted so far
103 */
104 u_int retransmitted;
105
106 /**
107 * packet(s) for retransmission
108 */
109 array_t *packets;
110
111 /**
112 * type of the initated exchange
113 */
114 exchange_type_t type;
115
116 /**
117 * TRUE if exchange was deferred because no path was available
118 */
119 bool deferred;
120
121 /**
122 * Helper to defragment the response
123 */
124 message_t *defrag;
125
126 } initiating;
127
128 /**
129 * Array of queued tasks not yet in action
130 */
131 array_t *queued_tasks;
132
133 /**
134 * Array of active tasks, initiated by ourselve
135 */
136 array_t *active_tasks;
137
138 /**
139 * Array of tasks initiated by peer
140 */
141 array_t *passive_tasks;
142
143 /**
144 * the task manager has been reset
145 */
146 bool reset;
147
148 /**
149 * Number of times we retransmit messages before giving up
150 */
151 u_int retransmit_tries;
152
153 /**
154 * Retransmission timeout
155 */
156 double retransmit_timeout;
157
158 /**
159 * Base to calculate retransmission timeout
160 */
161 double retransmit_base;
162
163 /**
164 * Use make-before-break instead of break-before-make reauth?
165 */
166 bool make_before_break;
167 };
168
169 /**
170 * Queued tasks
171 */
172 struct queued_task_t {
173
174 /**
175 * Queued task
176 */
177 task_t *task;
178
179 /**
180 * Time before which the task is not to be initiated
181 */
182 timeval_t time;
183 };
184
185 /**
186 * Reset retransmission packet list
187 */
188 static void clear_packets(array_t *array)
189 {
190 packet_t *packet;
191
192 while (array_remove(array, ARRAY_TAIL, &packet))
193 {
194 packet->destroy(packet);
195 }
196 }
197
198 METHOD(task_manager_t, flush_queue, void,
199 private_task_manager_t *this, task_queue_t queue)
200 {
201 array_t *array;
202 task_t *task;
203
204 switch (queue)
205 {
206 case TASK_QUEUE_ACTIVE:
207 array = this->active_tasks;
208 break;
209 case TASK_QUEUE_PASSIVE:
210 array = this->passive_tasks;
211 break;
212 case TASK_QUEUE_QUEUED:
213 array = this->queued_tasks;
214 break;
215 default:
216 return;
217 }
218 while (array_remove(array, ARRAY_TAIL, &task))
219 {
220 if (queue == TASK_QUEUE_QUEUED)
221 {
222 queued_task_t *queued = (queued_task_t*)task;
223 task = queued->task;
224 free(queued);
225 }
226 task->destroy(task);
227 }
228 }
229
230 METHOD(task_manager_t, flush, void,
231 private_task_manager_t *this)
232 {
233 flush_queue(this, TASK_QUEUE_QUEUED);
234 flush_queue(this, TASK_QUEUE_PASSIVE);
235 flush_queue(this, TASK_QUEUE_ACTIVE);
236 }
237
238 /**
239 * Move a task of a specific type from the queue to the active list, if it is
240 * not delayed.
241 */
242 static bool activate_task(private_task_manager_t *this, task_type_t type)
243 {
244 enumerator_t *enumerator;
245 queued_task_t *queued;
246 timeval_t now;
247 bool found = FALSE;
248
249 time_monotonic(&now);
250
251 enumerator = array_create_enumerator(this->queued_tasks);
252 while (enumerator->enumerate(enumerator, (void**)&queued))
253 {
254 if (queued->task->get_type(queued->task) == type &&
255 !timercmp(&now, &queued->time, <))
256 {
257 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
258 array_remove_at(this->queued_tasks, enumerator);
259 array_insert(this->active_tasks, ARRAY_TAIL, queued->task);
260 free(queued);
261 found = TRUE;
262 break;
263 }
264 }
265 enumerator->destroy(enumerator);
266 return found;
267 }
268
269 /**
270 * Send packets in the given array (they get cloned). Optionally, the
271 * source and destination addresses are changed before sending it.
272 */
273 static void send_packets(private_task_manager_t *this, array_t *packets,
274 host_t *src, host_t *dst)
275 {
276 packet_t *packet, *clone;
277 int i;
278
279 for (i = 0; i < array_count(packets); i++)
280 {
281 array_get(packets, i, &packet);
282 clone = packet->clone(packet);
283 if (src)
284 {
285 clone->set_source(clone, src->clone(src));
286 }
287 if (dst)
288 {
289 clone->set_destination(clone, dst->clone(dst));
290 }
291 charon->sender->send(charon->sender, clone);
292 }
293 }
294
295 /**
296 * Generates the given message and stores packet(s) in the given array
297 */
298 static bool generate_message(private_task_manager_t *this, message_t *message,
299 array_t **packets)
300 {
301 enumerator_t *fragments;
302 packet_t *fragment;
303
304 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
305 &fragments) != SUCCESS)
306 {
307 return FALSE;
308 }
309 while (fragments->enumerate(fragments, &fragment))
310 {
311 array_insert_create(packets, ARRAY_TAIL, fragment);
312 }
313 fragments->destroy(fragments);
314 array_compress(*packets);
315 return TRUE;
316 }
317
318 METHOD(task_manager_t, retransmit, status_t,
319 private_task_manager_t *this, uint32_t message_id)
320 {
321 if (message_id == this->initiating.mid &&
322 array_count(this->initiating.packets))
323 {
324 uint32_t timeout;
325 job_t *job;
326 enumerator_t *enumerator;
327 packet_t *packet;
328 task_t *task;
329 ike_mobike_t *mobike = NULL;
330
331 array_get(this->initiating.packets, 0, &packet);
332
333 /* check if we are retransmitting a MOBIKE routability check */
334 if (this->initiating.type == INFORMATIONAL)
335 {
336 enumerator = array_create_enumerator(this->active_tasks);
337 while (enumerator->enumerate(enumerator, (void*)&task))
338 {
339 if (task->get_type(task) == TASK_IKE_MOBIKE)
340 {
341 mobike = (ike_mobike_t*)task;
342 break;
343 }
344 }
345 enumerator->destroy(enumerator);
346 }
347
348 if (!mobike || !mobike->is_probing(mobike))
349 {
350 if (this->initiating.retransmitted <= this->retransmit_tries)
351 {
352 timeout = (uint32_t)(this->retransmit_timeout * 1000.0 *
353 pow(this->retransmit_base, this->initiating.retransmitted));
354 }
355 else
356 {
357 DBG1(DBG_IKE, "giving up after %d retransmits",
358 this->initiating.retransmitted - 1);
359 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
360 packet);
361 return DESTROY_ME;
362 }
363
364 if (this->initiating.retransmitted)
365 {
366 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
367 this->initiating.retransmitted, message_id);
368 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
369 this->initiating.retransmitted);
370 }
371 if (!mobike)
372 {
373 send_packets(this, this->initiating.packets,
374 this->ike_sa->get_my_host(this->ike_sa),
375 this->ike_sa->get_other_host(this->ike_sa));
376 }
377 else
378 {
379 if (!mobike->transmit(mobike, packet))
380 {
381 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
382 "deferred");
383 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
384 this->initiating.deferred = TRUE;
385 return SUCCESS;
386 }
387 else if (mobike->is_probing(mobike))
388 {
389 timeout = ROUTEABILITY_CHECK_INTERVAL;
390 }
391 }
392 }
393 else
394 { /* for routeability checks, we use a more aggressive behavior */
395 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
396 {
397 timeout = ROUTEABILITY_CHECK_INTERVAL;
398 }
399 else
400 {
401 DBG1(DBG_IKE, "giving up after %d path probings",
402 this->initiating.retransmitted - 1);
403 return DESTROY_ME;
404 }
405
406 if (this->initiating.retransmitted)
407 {
408 DBG1(DBG_IKE, "path probing attempt %d",
409 this->initiating.retransmitted);
410 }
411 /* TODO-FRAG: presumably these small packets are not fragmented,
412 * we should maybe ensure this is the case when generating them */
413 if (!mobike->transmit(mobike, packet))
414 {
415 DBG1(DBG_IKE, "no route found to reach peer, path probing "
416 "deferred");
417 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
418 this->initiating.deferred = TRUE;
419 return SUCCESS;
420 }
421 }
422
423 this->initiating.retransmitted++;
424 job = (job_t*)retransmit_job_create(this->initiating.mid,
425 this->ike_sa->get_id(this->ike_sa));
426 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
427 }
428 return SUCCESS;
429 }
430
431 METHOD(task_manager_t, initiate, status_t,
432 private_task_manager_t *this)
433 {
434 enumerator_t *enumerator;
435 task_t *task;
436 message_t *message;
437 host_t *me, *other;
438 exchange_type_t exchange = 0;
439
440 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
441 {
442 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
443 exchange_type_names, this->initiating.type);
444 /* do not initiate if we already have a message in the air */
445 if (this->initiating.deferred)
446 { /* re-initiate deferred exchange */
447 this->initiating.deferred = FALSE;
448 this->initiating.retransmitted = 0;
449 return retransmit(this, this->initiating.mid);
450 }
451 return SUCCESS;
452 }
453
454 if (array_count(this->active_tasks) == 0)
455 {
456 DBG2(DBG_IKE, "activating new tasks");
457 switch (this->ike_sa->get_state(this->ike_sa))
458 {
459 case IKE_CREATED:
460 activate_task(this, TASK_IKE_VENDOR);
461 if (activate_task(this, TASK_IKE_INIT))
462 {
463 this->initiating.mid = 0;
464 exchange = IKE_SA_INIT;
465 activate_task(this, TASK_IKE_NATD);
466 activate_task(this, TASK_IKE_CERT_PRE);
467 #ifdef ME
468 /* this task has to be activated before the TASK_IKE_AUTH
469 * task, because that task pregenerates the packet after
470 * which no payloads can be added to the message anymore.
471 */
472 activate_task(this, TASK_IKE_ME);
473 #endif /* ME */
474 activate_task(this, TASK_IKE_AUTH);
475 activate_task(this, TASK_IKE_CERT_POST);
476 activate_task(this, TASK_IKE_CONFIG);
477 activate_task(this, TASK_CHILD_CREATE);
478 activate_task(this, TASK_IKE_AUTH_LIFETIME);
479 activate_task(this, TASK_IKE_MOBIKE);
480 }
481 break;
482 case IKE_ESTABLISHED:
483 if (activate_task(this, TASK_IKE_MOBIKE))
484 {
485 exchange = INFORMATIONAL;
486 break;
487 }
488 if (activate_task(this, TASK_IKE_DELETE))
489 {
490 exchange = INFORMATIONAL;
491 break;
492 }
493 if (activate_task(this, TASK_IKE_REDIRECT))
494 {
495 exchange = INFORMATIONAL;
496 break;
497 }
498 if (activate_task(this, TASK_CHILD_DELETE))
499 {
500 exchange = INFORMATIONAL;
501 break;
502 }
503 if (activate_task(this, TASK_IKE_REAUTH))
504 {
505 exchange = INFORMATIONAL;
506 break;
507 }
508 if (activate_task(this, TASK_CHILD_CREATE))
509 {
510 exchange = CREATE_CHILD_SA;
511 break;
512 }
513 if (activate_task(this, TASK_CHILD_REKEY))
514 {
515 exchange = CREATE_CHILD_SA;
516 break;
517 }
518 if (activate_task(this, TASK_IKE_REKEY))
519 {
520 exchange = CREATE_CHILD_SA;
521 break;
522 }
523 if (activate_task(this, TASK_IKE_DPD))
524 {
525 exchange = INFORMATIONAL;
526 break;
527 }
528 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
529 {
530 exchange = INFORMATIONAL;
531 break;
532 }
533 #ifdef ME
534 if (activate_task(this, TASK_IKE_ME))
535 {
536 exchange = ME_CONNECT;
537 break;
538 }
539 #endif /* ME */
540 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
541 {
542 exchange = INFORMATIONAL;
543 break;
544 }
545 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
546 {
547 exchange = INFORMATIONAL;
548 break;
549 }
550 case IKE_REKEYING:
551 case IKE_REKEYED:
552 if (activate_task(this, TASK_IKE_DELETE))
553 {
554 exchange = INFORMATIONAL;
555 break;
556 }
557 case IKE_DELETING:
558 default:
559 break;
560 }
561 }
562 else
563 {
564 DBG2(DBG_IKE, "reinitiating already active tasks");
565 enumerator = array_create_enumerator(this->active_tasks);
566 while (enumerator->enumerate(enumerator, &task))
567 {
568 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
569 switch (task->get_type(task))
570 {
571 case TASK_IKE_INIT:
572 exchange = IKE_SA_INIT;
573 break;
574 case TASK_IKE_AUTH:
575 exchange = IKE_AUTH;
576 break;
577 case TASK_CHILD_CREATE:
578 case TASK_CHILD_REKEY:
579 case TASK_IKE_REKEY:
580 exchange = CREATE_CHILD_SA;
581 break;
582 case TASK_IKE_MOBIKE:
583 exchange = INFORMATIONAL;
584 break;
585 default:
586 continue;
587 }
588 break;
589 }
590 enumerator->destroy(enumerator);
591 }
592
593 if (exchange == 0)
594 {
595 DBG2(DBG_IKE, "nothing to initiate");
596 /* nothing to do yet... */
597 return SUCCESS;
598 }
599
600 me = this->ike_sa->get_my_host(this->ike_sa);
601 other = this->ike_sa->get_other_host(this->ike_sa);
602
603 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
604 message->set_message_id(message, this->initiating.mid);
605 message->set_source(message, me->clone(me));
606 message->set_destination(message, other->clone(other));
607 message->set_exchange_type(message, exchange);
608 this->initiating.type = exchange;
609 this->initiating.retransmitted = 0;
610 this->initiating.deferred = FALSE;
611
612 enumerator = array_create_enumerator(this->active_tasks);
613 while (enumerator->enumerate(enumerator, &task))
614 {
615 switch (task->build(task, message))
616 {
617 case SUCCESS:
618 /* task completed, remove it */
619 array_remove_at(this->active_tasks, enumerator);
620 task->destroy(task);
621 break;
622 case NEED_MORE:
623 /* processed, but task needs another exchange */
624 break;
625 case FAILED:
626 default:
627 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
628 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
629 this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED)
630 {
631 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
632 }
633 /* FALL */
634 case DESTROY_ME:
635 /* critical failure, destroy IKE_SA */
636 enumerator->destroy(enumerator);
637 message->destroy(message);
638 flush(this);
639 return DESTROY_ME;
640 }
641 }
642 enumerator->destroy(enumerator);
643
644 /* update exchange type if a task changed it */
645 this->initiating.type = message->get_exchange_type(message);
646 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
647 {
648 message->destroy(message);
649 return initiate(this);
650 }
651
652 if (!generate_message(this, message, &this->initiating.packets))
653 {
654 /* message generation failed. There is nothing more to do than to
655 * close the SA */
656 message->destroy(message);
657 flush(this);
658 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
659 return DESTROY_ME;
660 }
661 message->destroy(message);
662
663 array_compress(this->active_tasks);
664 array_compress(this->queued_tasks);
665
666 return retransmit(this, this->initiating.mid);
667 }
668
669 /**
670 * handle an incoming response message
671 */
672 static status_t process_response(private_task_manager_t *this,
673 message_t *message)
674 {
675 enumerator_t *enumerator;
676 task_t *task;
677
678 if (message->get_exchange_type(message) != this->initiating.type)
679 {
680 DBG1(DBG_IKE, "received %N response, but expected %N",
681 exchange_type_names, message->get_exchange_type(message),
682 exchange_type_names, this->initiating.type);
683 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
684 return DESTROY_ME;
685 }
686
687 enumerator = array_create_enumerator(this->active_tasks);
688 while (enumerator->enumerate(enumerator, &task))
689 {
690 if (!task->pre_process)
691 {
692 continue;
693 }
694 switch (task->pre_process(task, message))
695 {
696 case SUCCESS:
697 break;
698 case FAILED:
699 default:
700 /* just ignore the message */
701 DBG1(DBG_IKE, "ignore invalid %N response",
702 exchange_type_names, message->get_exchange_type(message));
703 enumerator->destroy(enumerator);
704 return SUCCESS;
705 case DESTROY_ME:
706 /* critical failure, destroy IKE_SA */
707 enumerator->destroy(enumerator);
708 return DESTROY_ME;
709 }
710 }
711 enumerator->destroy(enumerator);
712
713 if (this->initiating.retransmitted > 1)
714 {
715 packet_t *packet = NULL;
716 array_get(this->initiating.packets, 0, &packet);
717 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
718 }
719
720 /* catch if we get resetted while processing */
721 this->reset = FALSE;
722 enumerator = array_create_enumerator(this->active_tasks);
723 while (enumerator->enumerate(enumerator, &task))
724 {
725 switch (task->process(task, message))
726 {
727 case SUCCESS:
728 /* task completed, remove it */
729 array_remove_at(this->active_tasks, enumerator);
730 task->destroy(task);
731 break;
732 case NEED_MORE:
733 /* processed, but task needs another exchange */
734 break;
735 case FAILED:
736 default:
737 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
738 /* FALL */
739 case DESTROY_ME:
740 /* critical failure, destroy IKE_SA */
741 array_remove_at(this->active_tasks, enumerator);
742 enumerator->destroy(enumerator);
743 task->destroy(task);
744 return DESTROY_ME;
745 }
746 if (this->reset)
747 { /* start all over again if we were reset */
748 this->reset = FALSE;
749 enumerator->destroy(enumerator);
750 return initiate(this);
751 }
752 }
753 enumerator->destroy(enumerator);
754
755 this->initiating.mid++;
756 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
757 clear_packets(this->initiating.packets);
758
759 array_compress(this->active_tasks);
760
761 return initiate(this);
762 }
763
764 /**
765 * handle exchange collisions
766 */
767 static bool handle_collisions(private_task_manager_t *this, task_t *task)
768 {
769 enumerator_t *enumerator;
770 task_t *active;
771 task_type_t type;
772
773 type = task->get_type(task);
774
775 /* do we have to check */
776 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
777 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE)
778 {
779 /* find an exchange collision, and notify these tasks */
780 enumerator = array_create_enumerator(this->active_tasks);
781 while (enumerator->enumerate(enumerator, &active))
782 {
783 switch (active->get_type(active))
784 {
785 case TASK_IKE_REKEY:
786 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE)
787 {
788 ike_rekey_t *rekey = (ike_rekey_t*)active;
789 rekey->collide(rekey, task);
790 break;
791 }
792 continue;
793 case TASK_CHILD_REKEY:
794 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
795 {
796 child_rekey_t *rekey = (child_rekey_t*)active;
797 rekey->collide(rekey, task);
798 break;
799 }
800 continue;
801 default:
802 continue;
803 }
804 enumerator->destroy(enumerator);
805 return TRUE;
806 }
807 enumerator->destroy(enumerator);
808 }
809 return FALSE;
810 }
811
812 /**
813 * build a response depending on the "passive" task list
814 */
815 static status_t build_response(private_task_manager_t *this, message_t *request)
816 {
817 enumerator_t *enumerator;
818 task_t *task;
819 message_t *message;
820 host_t *me, *other;
821 bool delete = FALSE, hook = FALSE;
822 ike_sa_id_t *id = NULL;
823 uint64_t responder_spi = 0;
824 bool result;
825
826 me = request->get_destination(request);
827 other = request->get_source(request);
828
829 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
830 message->set_exchange_type(message, request->get_exchange_type(request));
831 /* send response along the path the request came in */
832 message->set_source(message, me->clone(me));
833 message->set_destination(message, other->clone(other));
834 message->set_message_id(message, this->responding.mid);
835 message->set_request(message, FALSE);
836
837 enumerator = array_create_enumerator(this->passive_tasks);
838 while (enumerator->enumerate(enumerator, (void*)&task))
839 {
840 switch (task->build(task, message))
841 {
842 case SUCCESS:
843 /* task completed, remove it */
844 array_remove_at(this->passive_tasks, enumerator);
845 if (!handle_collisions(this, task))
846 {
847 task->destroy(task);
848 }
849 break;
850 case NEED_MORE:
851 /* processed, but task needs another exchange */
852 if (handle_collisions(this, task))
853 {
854 array_remove_at(this->passive_tasks, enumerator);
855 }
856 break;
857 case FAILED:
858 default:
859 hook = TRUE;
860 /* FALL */
861 case DESTROY_ME:
862 /* destroy IKE_SA, but SEND response first */
863 if (handle_collisions(this, task))
864 {
865 array_remove_at(this->passive_tasks, enumerator);
866 }
867 delete = TRUE;
868 break;
869 }
870 if (delete)
871 {
872 break;
873 }
874 }
875 enumerator->destroy(enumerator);
876
877 /* RFC 5996, section 2.6 mentions that in the event of a failure during
878 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
879 * actually explicitly allows it to be non-zero. Since we use the responder
880 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
881 * zero temporarily, otherwise checking the SA in would fail. */
882 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
883 {
884 id = this->ike_sa->get_id(this->ike_sa);
885 responder_spi = id->get_responder_spi(id);
886 id->set_responder_spi(id, 0);
887 }
888
889 /* message complete, send it */
890 clear_packets(this->responding.packets);
891 result = generate_message(this, message, &this->responding.packets);
892 message->destroy(message);
893 if (id)
894 {
895 id->set_responder_spi(id, responder_spi);
896 }
897 if (!result)
898 {
899 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
900 return DESTROY_ME;
901 }
902
903 send_packets(this, this->responding.packets, NULL, NULL);
904 if (delete)
905 {
906 if (hook)
907 {
908 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
909 }
910 return DESTROY_ME;
911 }
912
913 array_compress(this->passive_tasks);
914
915 return SUCCESS;
916 }
917
918 /**
919 * handle an incoming request message
920 */
921 static status_t process_request(private_task_manager_t *this,
922 message_t *message)
923 {
924 enumerator_t *enumerator;
925 task_t *task = NULL;
926 payload_t *payload;
927 notify_payload_t *notify;
928 delete_payload_t *delete;
929 ike_sa_state_t state;
930
931 if (array_count(this->passive_tasks) == 0)
932 { /* create tasks depending on request type, if not already some queued */
933 state = this->ike_sa->get_state(this->ike_sa);
934 switch (message->get_exchange_type(message))
935 {
936 case IKE_SA_INIT:
937 {
938 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
939 array_insert(this->passive_tasks, ARRAY_TAIL, task);
940 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
941 array_insert(this->passive_tasks, ARRAY_TAIL, task);
942 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
943 array_insert(this->passive_tasks, ARRAY_TAIL, task);
944 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
945 array_insert(this->passive_tasks, ARRAY_TAIL, task);
946 #ifdef ME
947 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
948 array_insert(this->passive_tasks, ARRAY_TAIL, task);
949 #endif /* ME */
950 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
951 array_insert(this->passive_tasks, ARRAY_TAIL, task);
952 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
953 array_insert(this->passive_tasks, ARRAY_TAIL, task);
954 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
955 array_insert(this->passive_tasks, ARRAY_TAIL, task);
956 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
957 NULL, NULL);
958 array_insert(this->passive_tasks, ARRAY_TAIL, task);
959 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
960 array_insert(this->passive_tasks, ARRAY_TAIL, task);
961 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
962 array_insert(this->passive_tasks, ARRAY_TAIL, task);
963 break;
964 }
965 case CREATE_CHILD_SA:
966 { /* FIXME: we should prevent this on mediation connections */
967 bool notify_found = FALSE, ts_found = FALSE;
968
969 if (state == IKE_CREATED ||
970 state == IKE_CONNECTING)
971 {
972 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
973 "unestablished IKE_SA, rejected");
974 return FAILED;
975 }
976
977 enumerator = message->create_payload_enumerator(message);
978 while (enumerator->enumerate(enumerator, &payload))
979 {
980 switch (payload->get_type(payload))
981 {
982 case PLV2_NOTIFY:
983 { /* if we find a rekey notify, its CHILD_SA rekeying */
984 notify = (notify_payload_t*)payload;
985 if (notify->get_notify_type(notify) == REKEY_SA &&
986 (notify->get_protocol_id(notify) == PROTO_AH ||
987 notify->get_protocol_id(notify) == PROTO_ESP))
988 {
989 notify_found = TRUE;
990 }
991 break;
992 }
993 case PLV2_TS_INITIATOR:
994 case PLV2_TS_RESPONDER:
995 { /* if we don't find a TS, its IKE rekeying */
996 ts_found = TRUE;
997 break;
998 }
999 default:
1000 break;
1001 }
1002 }
1003 enumerator->destroy(enumerator);
1004
1005 if (ts_found)
1006 {
1007 if (notify_found)
1008 {
1009 task = (task_t*)child_rekey_create(this->ike_sa,
1010 PROTO_NONE, 0);
1011 }
1012 else
1013 {
1014 task = (task_t*)child_create_create(this->ike_sa, NULL,
1015 FALSE, NULL, NULL);
1016 }
1017 }
1018 else
1019 {
1020 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
1021 }
1022 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1023 break;
1024 }
1025 case INFORMATIONAL:
1026 {
1027 enumerator = message->create_payload_enumerator(message);
1028 while (enumerator->enumerate(enumerator, &payload))
1029 {
1030 switch (payload->get_type(payload))
1031 {
1032 case PLV2_NOTIFY:
1033 {
1034 notify = (notify_payload_t*)payload;
1035 if (state == IKE_REKEYED)
1036 {
1037 DBG1(DBG_IKE, "received unexpected notify %N "
1038 "for rekeyed IKE_SA, ignored",
1039 notify_type_names,
1040 notify->get_notify_type(notify));
1041 break;
1042 }
1043 switch (notify->get_notify_type(notify))
1044 {
1045 case ADDITIONAL_IP4_ADDRESS:
1046 case ADDITIONAL_IP6_ADDRESS:
1047 case NO_ADDITIONAL_ADDRESSES:
1048 case UPDATE_SA_ADDRESSES:
1049 case NO_NATS_ALLOWED:
1050 case UNACCEPTABLE_ADDRESSES:
1051 case UNEXPECTED_NAT_DETECTED:
1052 case COOKIE2:
1053 case NAT_DETECTION_SOURCE_IP:
1054 case NAT_DETECTION_DESTINATION_IP:
1055 task = (task_t*)ike_mobike_create(
1056 this->ike_sa, FALSE);
1057 break;
1058 case AUTH_LIFETIME:
1059 task = (task_t*)ike_auth_lifetime_create(
1060 this->ike_sa, FALSE);
1061 break;
1062 case AUTHENTICATION_FAILED:
1063 /* initiator failed to authenticate us.
1064 * We use ike_delete to handle this, which
1065 * invokes all the required hooks. */
1066 task = (task_t*)ike_delete_create(
1067 this->ike_sa, FALSE);
1068 break;
1069 case REDIRECT:
1070 task = (task_t*)ike_redirect_create(
1071 this->ike_sa, NULL);
1072 break;
1073 case IKEV2_MESSAGE_ID_SYNC:
1074 task = (task_t*)ike_mid_sync_create(
1075 this->ike_sa);
1076 break;
1077 default:
1078 break;
1079 }
1080 break;
1081 }
1082 case PLV2_DELETE:
1083 {
1084 delete = (delete_payload_t*)payload;
1085 if (delete->get_protocol_id(delete) == PROTO_IKE)
1086 {
1087 task = (task_t*)ike_delete_create(this->ike_sa,
1088 FALSE);
1089 }
1090 else
1091 {
1092 task = (task_t*)child_delete_create(this->ike_sa,
1093 PROTO_NONE, 0, FALSE);
1094 }
1095 break;
1096 }
1097 default:
1098 break;
1099 }
1100 if (task)
1101 {
1102 break;
1103 }
1104 }
1105 enumerator->destroy(enumerator);
1106
1107 if (task == NULL)
1108 {
1109 task = (task_t*)ike_dpd_create(FALSE);
1110 }
1111 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1112 break;
1113 }
1114 #ifdef ME
1115 case ME_CONNECT:
1116 {
1117 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1118 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1119 }
1120 #endif /* ME */
1121 default:
1122 break;
1123 }
1124 }
1125
1126 enumerator = array_create_enumerator(this->passive_tasks);
1127 while (enumerator->enumerate(enumerator, &task))
1128 {
1129 if (!task->pre_process)
1130 {
1131 continue;
1132 }
1133 switch (task->pre_process(task, message))
1134 {
1135 case SUCCESS:
1136 break;
1137 case FAILED:
1138 default:
1139 /* just ignore the message */
1140 DBG1(DBG_IKE, "ignore invalid %N request",
1141 exchange_type_names, message->get_exchange_type(message));
1142 enumerator->destroy(enumerator);
1143 switch (message->get_exchange_type(message))
1144 {
1145 case IKE_SA_INIT:
1146 /* no point in keeping the SA when it was created with
1147 * an invalid IKE_SA_INIT message */
1148 return DESTROY_ME;
1149 default:
1150 /* remove tasks we queued for this request */
1151 flush_queue(this, TASK_QUEUE_PASSIVE);
1152 /* fall-through */
1153 case IKE_AUTH:
1154 return NEED_MORE;
1155 }
1156 case DESTROY_ME:
1157 /* critical failure, destroy IKE_SA */
1158 enumerator->destroy(enumerator);
1159 return DESTROY_ME;
1160 }
1161 }
1162 enumerator->destroy(enumerator);
1163
1164 /* let the tasks process the message */
1165 enumerator = array_create_enumerator(this->passive_tasks);
1166 while (enumerator->enumerate(enumerator, (void*)&task))
1167 {
1168 switch (task->process(task, message))
1169 {
1170 case SUCCESS:
1171 /* task completed, remove it */
1172 array_remove_at(this->passive_tasks, enumerator);
1173 task->destroy(task);
1174 break;
1175 case NEED_MORE:
1176 /* processed, but task needs at least another call to build() */
1177 break;
1178 case FAILED:
1179 default:
1180 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1181 /* FALL */
1182 case DESTROY_ME:
1183 /* critical failure, destroy IKE_SA */
1184 array_remove_at(this->passive_tasks, enumerator);
1185 enumerator->destroy(enumerator);
1186 task->destroy(task);
1187 return DESTROY_ME;
1188 }
1189 }
1190 enumerator->destroy(enumerator);
1191
1192 return build_response(this, message);
1193 }
1194
1195 METHOD(task_manager_t, incr_mid, void,
1196 private_task_manager_t *this, bool initiate)
1197 {
1198 if (initiate)
1199 {
1200 this->initiating.mid++;
1201 }
1202 else
1203 {
1204 this->responding.mid++;
1205 }
1206 }
1207
1208 METHOD(task_manager_t, get_mid, uint32_t,
1209 private_task_manager_t *this, bool initiate)
1210 {
1211 return initiate ? this->initiating.mid : this->responding.mid;
1212 }
1213
1214 /**
1215 * Handle the given IKE fragment, if it is one.
1216 *
1217 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1218 * handled properly. Error states are returned if the fragment was invalid or
1219 * the reassembled message could not have been processed properly.
1220 */
1221 static status_t handle_fragment(private_task_manager_t *this,
1222 message_t **defrag, message_t *msg)
1223 {
1224 message_t *reassembled;
1225 status_t status;
1226
1227 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1228 {
1229 return SUCCESS;
1230 }
1231 if (!*defrag)
1232 {
1233 *defrag = message_create_defrag(msg);
1234 if (!*defrag)
1235 {
1236 return FAILED;
1237 }
1238 }
1239 status = (*defrag)->add_fragment(*defrag, msg);
1240 if (status == SUCCESS)
1241 {
1242 /* reinject the reassembled message */
1243 reassembled = *defrag;
1244 *defrag = NULL;
1245 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1246 if (status == SUCCESS)
1247 {
1248 /* avoid processing the last fragment */
1249 status = NEED_MORE;
1250 }
1251 reassembled->destroy(reassembled);
1252 }
1253 return status;
1254 }
1255
1256 /**
1257 * Send a notify back to the sender
1258 */
1259 static void send_notify_response(private_task_manager_t *this,
1260 message_t *request, notify_type_t type,
1261 chunk_t data)
1262 {
1263 message_t *response;
1264 packet_t *packet;
1265 host_t *me, *other;
1266
1267 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1268 response->set_exchange_type(response, request->get_exchange_type(request));
1269 response->set_request(response, FALSE);
1270 response->set_message_id(response, request->get_message_id(request));
1271 response->add_notify(response, FALSE, type, data);
1272 me = this->ike_sa->get_my_host(this->ike_sa);
1273 if (me->is_anyaddr(me))
1274 {
1275 me = request->get_destination(request);
1276 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1277 }
1278 other = this->ike_sa->get_other_host(this->ike_sa);
1279 if (other->is_anyaddr(other))
1280 {
1281 other = request->get_source(request);
1282 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1283 }
1284 response->set_source(response, me->clone(me));
1285 response->set_destination(response, other->clone(other));
1286 if (this->ike_sa->generate_message(this->ike_sa, response,
1287 &packet) == SUCCESS)
1288 {
1289 charon->sender->send(charon->sender, packet);
1290 }
1291 response->destroy(response);
1292 }
1293
1294 /**
1295 * Parse the given message and verify that it is valid.
1296 */
1297 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1298 {
1299 status_t status;
1300 uint8_t type = 0;
1301
1302 status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1303
1304 if (status == SUCCESS)
1305 { /* check for unsupported critical payloads */
1306 enumerator_t *enumerator;
1307 unknown_payload_t *unknown;
1308 payload_t *payload;
1309
1310 enumerator = msg->create_payload_enumerator(msg);
1311 while (enumerator->enumerate(enumerator, &payload))
1312 {
1313 if (payload->get_type(payload) == PL_UNKNOWN)
1314 {
1315 unknown = (unknown_payload_t*)payload;
1316 if (unknown->is_critical(unknown))
1317 {
1318 type = unknown->get_type(unknown);
1319 DBG1(DBG_ENC, "payload type %N is not supported, "
1320 "but its critical!", payload_type_names, type);
1321 status = NOT_SUPPORTED;
1322 break;
1323 }
1324 }
1325 }
1326 enumerator->destroy(enumerator);
1327 }
1328
1329 if (status != SUCCESS)
1330 {
1331 bool is_request = msg->get_request(msg);
1332
1333 switch (status)
1334 {
1335 case NOT_SUPPORTED:
1336 DBG1(DBG_IKE, "critical unknown payloads found");
1337 if (is_request)
1338 {
1339 send_notify_response(this, msg,
1340 UNSUPPORTED_CRITICAL_PAYLOAD,
1341 chunk_from_thing(type));
1342 incr_mid(this, FALSE);
1343 }
1344 break;
1345 case PARSE_ERROR:
1346 DBG1(DBG_IKE, "message parsing failed");
1347 if (is_request)
1348 {
1349 send_notify_response(this, msg,
1350 INVALID_SYNTAX, chunk_empty);
1351 incr_mid(this, FALSE);
1352 }
1353 break;
1354 case VERIFY_ERROR:
1355 DBG1(DBG_IKE, "message verification failed");
1356 if (is_request)
1357 {
1358 send_notify_response(this, msg,
1359 INVALID_SYNTAX, chunk_empty);
1360 incr_mid(this, FALSE);
1361 }
1362 break;
1363 case FAILED:
1364 DBG1(DBG_IKE, "integrity check failed");
1365 /* ignored */
1366 break;
1367 case INVALID_STATE:
1368 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1369 default:
1370 break;
1371 }
1372 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1373 exchange_type_names, msg->get_exchange_type(msg),
1374 is_request ? "request" : "response",
1375 msg->get_message_id(msg));
1376
1377 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, status);
1378
1379 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED)
1380 { /* invalid initiation attempt, close SA */
1381 return DESTROY_ME;
1382 }
1383 }
1384 return status;
1385 }
1386
1387 /**
1388 * Check if a message with message ID 0 might be used to synchronize the
1389 * message IDs.
1390 */
1391 static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
1392 {
1393 enumerator_t *enumerator;
1394 notify_payload_t *notify;
1395 payload_t *payload;
1396 bool found = FALSE, other = FALSE;
1397
1398 if (msg->get_exchange_type(msg) == INFORMATIONAL &&
1399 this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
1400 this->ike_sa->supports_extension(this->ike_sa,
1401 EXT_IKE_MESSAGE_ID_SYNC))
1402 {
1403 enumerator = msg->create_payload_enumerator(msg);
1404 while (enumerator->enumerate(enumerator, &payload))
1405 {
1406 if (payload->get_type(payload) == PLV2_NOTIFY)
1407 {
1408 notify = (notify_payload_t*)payload;
1409 switch (notify->get_notify_type(notify))
1410 {
1411 case IKEV2_MESSAGE_ID_SYNC:
1412 case IPSEC_REPLAY_COUNTER_SYNC:
1413 found = TRUE;
1414 continue;
1415 default:
1416 break;
1417 }
1418 }
1419 other = TRUE;
1420 break;
1421 }
1422 enumerator->destroy(enumerator);
1423 }
1424 return found && !other;
1425 }
1426
1427 METHOD(task_manager_t, process_message, status_t,
1428 private_task_manager_t *this, message_t *msg)
1429 {
1430 host_t *me, *other;
1431 status_t status;
1432 uint32_t mid;
1433 bool schedule_delete_job = FALSE;
1434 ike_sa_state_t state;
1435 exchange_type_t type;
1436
1437 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1438 status = parse_message(this, msg);
1439 if (status != SUCCESS)
1440 {
1441 return status;
1442 }
1443
1444 me = msg->get_destination(msg);
1445 other = msg->get_source(msg);
1446
1447 /* if this IKE_SA is virgin, we check for a config */
1448 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1449 {
1450 ike_cfg_t *ike_cfg;
1451
1452 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1453 me, other, IKEV2);
1454 if (ike_cfg == NULL)
1455 {
1456 /* no config found for these hosts, destroy */
1457 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1458 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1459 send_notify_response(this, msg,
1460 NO_PROPOSAL_CHOSEN, chunk_empty);
1461 return DESTROY_ME;
1462 }
1463 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1464 ike_cfg->destroy(ike_cfg);
1465 /* add a timeout if peer does not establish it completely */
1466 schedule_delete_job = TRUE;
1467 }
1468 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1469 time_monotonic(NULL));
1470
1471 mid = msg->get_message_id(msg);
1472 if (msg->get_request(msg))
1473 {
1474 if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
1475 {
1476 /* reject initial messages if not received in specific states,
1477 * after rekeying we only expect a DELETE in an INFORMATIONAL */
1478 type = msg->get_exchange_type(msg);
1479 state = this->ike_sa->get_state(this->ike_sa);
1480 if ((type == IKE_SA_INIT && state != IKE_CREATED) ||
1481 (type == IKE_AUTH && state != IKE_CONNECTING) ||
1482 (state == IKE_REKEYED && type != INFORMATIONAL))
1483 {
1484 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N",
1485 exchange_type_names, type, ike_sa_state_names, state);
1486 return FAILED;
1487 }
1488 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1489 { /* with MOBIKE, we do no implicit updates */
1490 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1491 }
1492 status = handle_fragment(this, &this->responding.defrag, msg);
1493 if (status != SUCCESS)
1494 {
1495 return status;
1496 }
1497 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1498 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1499 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1500 return SUCCESS;
1501 }
1502 switch (process_request(this, msg))
1503 {
1504 case SUCCESS:
1505 this->responding.mid++;
1506 break;
1507 case NEED_MORE:
1508 break;
1509 default:
1510 flush(this);
1511 return DESTROY_ME;
1512 }
1513 }
1514 else if ((mid == this->responding.mid - 1) &&
1515 array_count(this->responding.packets))
1516 {
1517 status = handle_fragment(this, &this->responding.defrag, msg);
1518 if (status != SUCCESS)
1519 {
1520 return status;
1521 }
1522 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1523 "retransmitting response", mid);
1524 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1525 send_packets(this, this->responding.packets,
1526 msg->get_destination(msg), msg->get_source(msg));
1527 }
1528 else
1529 {
1530 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1531 mid, this->responding.mid);
1532 }
1533 }
1534 else
1535 {
1536 if (mid == this->initiating.mid)
1537 {
1538 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1539 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1540 msg->get_exchange_type(msg) != IKE_SA_INIT)
1541 { /* only do updates based on verified messages (or initial ones) */
1542 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1543 { /* with MOBIKE, we do no implicit updates. we force an
1544 * update of the local address on IKE_SA_INIT, but never
1545 * for the remote address */
1546 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1547 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1548 }
1549 }
1550 status = handle_fragment(this, &this->initiating.defrag, msg);
1551 if (status != SUCCESS)
1552 {
1553 return status;
1554 }
1555 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1556 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1557 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1558 return SUCCESS;
1559 }
1560 if (process_response(this, msg) != SUCCESS)
1561 {
1562 flush(this);
1563 return DESTROY_ME;
1564 }
1565 }
1566 else
1567 {
1568 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1569 mid, this->initiating.mid);
1570 return SUCCESS;
1571 }
1572 }
1573
1574 if (schedule_delete_job)
1575 {
1576 ike_sa_id_t *ike_sa_id;
1577 job_t *job;
1578
1579 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1580 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1581 lib->scheduler->schedule_job(lib->scheduler, job,
1582 lib->settings->get_int(lib->settings,
1583 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1584 lib->ns));
1585 }
1586 return SUCCESS;
1587 }
1588
1589 METHOD(task_manager_t, queue_task_delayed, void,
1590 private_task_manager_t *this, task_t *task, uint32_t delay)
1591 {
1592 enumerator_t *enumerator;
1593 queued_task_t *queued;
1594 timeval_t time;
1595
1596 if (task->get_type(task) == TASK_IKE_MOBIKE)
1597 { /* there is no need to queue more than one mobike task */
1598 enumerator = array_create_enumerator(this->queued_tasks);
1599 while (enumerator->enumerate(enumerator, &queued))
1600 {
1601 if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
1602 {
1603 enumerator->destroy(enumerator);
1604 task->destroy(task);
1605 return;
1606 }
1607 }
1608 enumerator->destroy(enumerator);
1609 }
1610 time_monotonic(&time);
1611 if (delay)
1612 {
1613 job_t *job;
1614
1615 DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names,
1616 task->get_type(task), delay);
1617 time.tv_sec += delay;
1618
1619 job = (job_t*)initiate_tasks_job_create(
1620 this->ike_sa->get_id(this->ike_sa));
1621 lib->scheduler->schedule_job_tv(lib->scheduler, job, time);
1622 }
1623 else
1624 {
1625 DBG2(DBG_IKE, "queueing %N task", task_type_names,
1626 task->get_type(task));
1627 }
1628 INIT(queued,
1629 .task = task,
1630 .time = time,
1631 );
1632 array_insert(this->queued_tasks, ARRAY_TAIL, queued);
1633 }
1634
1635 METHOD(task_manager_t, queue_task, void,
1636 private_task_manager_t *this, task_t *task)
1637 {
1638 queue_task_delayed(this, task, 0);
1639 }
1640
1641 /**
1642 * Check if a given task has been queued already
1643 */
1644 static bool has_queued(private_task_manager_t *this, task_type_t type)
1645 {
1646 enumerator_t *enumerator;
1647 bool found = FALSE;
1648 queued_task_t *queued;
1649
1650 enumerator = array_create_enumerator(this->queued_tasks);
1651 while (enumerator->enumerate(enumerator, &queued))
1652 {
1653 if (queued->task->get_type(queued->task) == type)
1654 {
1655 found = TRUE;
1656 break;
1657 }
1658 }
1659 enumerator->destroy(enumerator);
1660 return found;
1661 }
1662
1663 METHOD(task_manager_t, queue_ike, void,
1664 private_task_manager_t *this)
1665 {
1666 if (!has_queued(this, TASK_IKE_VENDOR))
1667 {
1668 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1669 }
1670 if (!has_queued(this, TASK_IKE_INIT))
1671 {
1672 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1673 }
1674 if (!has_queued(this, TASK_IKE_NATD))
1675 {
1676 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1677 }
1678 if (!has_queued(this, TASK_IKE_CERT_PRE))
1679 {
1680 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1681 }
1682 if (!has_queued(this, TASK_IKE_AUTH))
1683 {
1684 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1685 }
1686 if (!has_queued(this, TASK_IKE_CERT_POST))
1687 {
1688 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1689 }
1690 if (!has_queued(this, TASK_IKE_CONFIG))
1691 {
1692 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1693 }
1694 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1695 {
1696 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1697 }
1698 if (!has_queued(this, TASK_IKE_MOBIKE))
1699 {
1700 peer_cfg_t *peer_cfg;
1701
1702 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1703 if (peer_cfg->use_mobike(peer_cfg))
1704 {
1705 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1706 }
1707 }
1708 #ifdef ME
1709 if (!has_queued(this, TASK_IKE_ME))
1710 {
1711 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1712 }
1713 #endif /* ME */
1714 }
1715
1716 METHOD(task_manager_t, queue_ike_rekey, void,
1717 private_task_manager_t *this)
1718 {
1719 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1720 }
1721
1722 /**
1723 * Start reauthentication using make-before-break
1724 */
1725 static void trigger_mbb_reauth(private_task_manager_t *this)
1726 {
1727 enumerator_t *enumerator;
1728 child_sa_t *child_sa;
1729 child_cfg_t *cfg;
1730 ike_sa_t *new;
1731 host_t *host;
1732 queued_task_t *queued;
1733
1734 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1735 this->ike_sa->get_version(this->ike_sa), TRUE);
1736 if (!new)
1737 { /* shouldn't happen */
1738 return;
1739 }
1740
1741 new->set_peer_cfg(new, this->ike_sa->get_peer_cfg(this->ike_sa));
1742 host = this->ike_sa->get_other_host(this->ike_sa);
1743 new->set_other_host(new, host->clone(host));
1744 host = this->ike_sa->get_my_host(this->ike_sa);
1745 new->set_my_host(new, host->clone(host));
1746 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1747 while (enumerator->enumerate(enumerator, &host))
1748 {
1749 new->add_virtual_ip(new, TRUE, host);
1750 }
1751 enumerator->destroy(enumerator);
1752
1753 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1754 while (enumerator->enumerate(enumerator, &child_sa))
1755 {
1756 cfg = child_sa->get_config(child_sa);
1757 new->queue_task(new, &child_create_create(new, cfg->get_ref(cfg),
1758 FALSE, NULL, NULL)->task);
1759 }
1760 enumerator->destroy(enumerator);
1761
1762 enumerator = array_create_enumerator(this->queued_tasks);
1763 while (enumerator->enumerate(enumerator, &queued))
1764 {
1765 if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE)
1766 {
1767 queued->task->migrate(queued->task, new);
1768 new->queue_task(new, queued->task);
1769 array_remove_at(this->queued_tasks, enumerator);
1770 free(queued);
1771 }
1772 }
1773 enumerator->destroy(enumerator);
1774
1775 /* suspend online revocation checking until the SA is established */
1776 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
1777
1778 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
1779 {
1780 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
1781 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
1782 this->ike_sa->get_id(this->ike_sa)));
1783 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
1784 }
1785 else
1786 {
1787 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
1788 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
1789 }
1790 charon->bus->set_sa(charon->bus, this->ike_sa);
1791 }
1792
1793 METHOD(task_manager_t, queue_ike_reauth, void,
1794 private_task_manager_t *this)
1795 {
1796 if (this->make_before_break)
1797 {
1798 return trigger_mbb_reauth(this);
1799 }
1800 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
1801 }
1802
1803 METHOD(task_manager_t, queue_ike_delete, void,
1804 private_task_manager_t *this)
1805 {
1806 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
1807 }
1808
1809 METHOD(task_manager_t, queue_mobike, void,
1810 private_task_manager_t *this, bool roam, bool address)
1811 {
1812 ike_mobike_t *mobike;
1813
1814 mobike = ike_mobike_create(this->ike_sa, TRUE);
1815 if (roam)
1816 {
1817 enumerator_t *enumerator;
1818 task_t *current;
1819
1820 mobike->roam(mobike, address);
1821
1822 /* enable path probing for a currently active MOBIKE task. This might
1823 * not be the case if an address appeared on a new interface while the
1824 * current address is not working but has not yet disappeared. */
1825 enumerator = array_create_enumerator(this->active_tasks);
1826 while (enumerator->enumerate(enumerator, &current))
1827 {
1828 if (current->get_type(current) == TASK_IKE_MOBIKE)
1829 {
1830 ike_mobike_t *active = (ike_mobike_t*)current;
1831 active->enable_probing(active);
1832 break;
1833 }
1834 }
1835 enumerator->destroy(enumerator);
1836 }
1837 else
1838 {
1839 mobike->addresses(mobike);
1840 }
1841 queue_task(this, &mobike->task);
1842 }
1843
1844 METHOD(task_manager_t, queue_child, void,
1845 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
1846 traffic_selector_t *tsi, traffic_selector_t *tsr)
1847 {
1848 child_create_t *task;
1849
1850 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
1851 if (reqid)
1852 {
1853 task->use_reqid(task, reqid);
1854 }
1855 queue_task(this, &task->task);
1856 }
1857
1858 METHOD(task_manager_t, queue_child_rekey, void,
1859 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
1860 {
1861 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
1862 }
1863
1864 METHOD(task_manager_t, queue_child_delete, void,
1865 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
1866 bool expired)
1867 {
1868 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
1869 protocol, spi, expired));
1870 }
1871
1872 METHOD(task_manager_t, queue_dpd, void,
1873 private_task_manager_t *this)
1874 {
1875 ike_mobike_t *mobike;
1876
1877 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE) &&
1878 this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
1879 {
1880 #ifdef ME
1881 peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1882 if (cfg->get_peer_id(cfg) ||
1883 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1884 #else
1885 if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
1886 #endif
1887 {
1888 /* use mobike enabled DPD to detect NAT mapping changes */
1889 mobike = ike_mobike_create(this->ike_sa, TRUE);
1890 mobike->dpd(mobike);
1891 queue_task(this, &mobike->task);
1892 return;
1893 }
1894 }
1895 queue_task(this, (task_t*)ike_dpd_create(TRUE));
1896 }
1897
1898 METHOD(task_manager_t, adopt_tasks, void,
1899 private_task_manager_t *this, task_manager_t *other_public)
1900 {
1901 private_task_manager_t *other = (private_task_manager_t*)other_public;
1902 queued_task_t *queued;
1903 timeval_t now;
1904
1905 time_monotonic(&now);
1906
1907 /* move queued tasks from other to this */
1908 while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued))
1909 {
1910 DBG2(DBG_IKE, "migrating %N task", task_type_names,
1911 queued->task->get_type(queued->task));
1912 queued->task->migrate(queued->task, this->ike_sa);
1913 /* don't delay tasks on the new IKE_SA */
1914 queued->time = now;
1915 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
1916 }
1917 }
1918
1919 /**
1920 * Migrates child-creating tasks from other to this
1921 */
1922 static void migrate_child_tasks(private_task_manager_t *this,
1923 private_task_manager_t *other,
1924 task_queue_t queue)
1925 {
1926 enumerator_t *enumerator;
1927 array_t *array;
1928 task_t *task;
1929
1930 switch (queue)
1931 {
1932 case TASK_QUEUE_ACTIVE:
1933 array = other->active_tasks;
1934 break;
1935 case TASK_QUEUE_QUEUED:
1936 array = other->queued_tasks;
1937 break;
1938 default:
1939 return;
1940 }
1941
1942 enumerator = array_create_enumerator(array);
1943 while (enumerator->enumerate(enumerator, &task))
1944 {
1945 queued_task_t *queued = NULL;
1946
1947 if (queue == TASK_QUEUE_QUEUED)
1948 {
1949 queued = (queued_task_t*)task;
1950 task = queued->task;
1951 }
1952 if (task->get_type(task) == TASK_CHILD_CREATE)
1953 {
1954 array_remove_at(array, enumerator);
1955 task->migrate(task, this->ike_sa);
1956 queue_task(this, task);
1957 free(queued);
1958 }
1959 }
1960 enumerator->destroy(enumerator);
1961 }
1962
1963 METHOD(task_manager_t, adopt_child_tasks, void,
1964 private_task_manager_t *this, task_manager_t *other_public)
1965 {
1966 private_task_manager_t *other = (private_task_manager_t*)other_public;
1967
1968 /* move active child tasks from other to this */
1969 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
1970 /* do the same for queued tasks */
1971 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
1972 }
1973
1974 METHOD(task_manager_t, busy, bool,
1975 private_task_manager_t *this)
1976 {
1977 return array_count(this->active_tasks) > 0;
1978 }
1979
1980 METHOD(task_manager_t, reset, void,
1981 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
1982 {
1983 enumerator_t *enumerator;
1984 queued_task_t *queued;
1985 task_t *task;
1986 timeval_t now;
1987
1988 /* reset message counters and retransmit packets */
1989 clear_packets(this->responding.packets);
1990 clear_packets(this->initiating.packets);
1991 DESTROY_IF(this->responding.defrag);
1992 DESTROY_IF(this->initiating.defrag);
1993 this->responding.defrag = NULL;
1994 this->initiating.defrag = NULL;
1995 if (initiate != UINT_MAX)
1996 {
1997 this->initiating.mid = initiate;
1998 }
1999 if (respond != UINT_MAX)
2000 {
2001 this->responding.mid = respond;
2002 }
2003 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
2004
2005 time_monotonic(&now);
2006 /* reset queued tasks */
2007 enumerator = array_create_enumerator(this->queued_tasks);
2008 while (enumerator->enumerate(enumerator, &queued))
2009 {
2010 queued->time = now;
2011 queued->task->migrate(queued->task, this->ike_sa);
2012 }
2013 enumerator->destroy(enumerator);
2014
2015 /* reset active tasks */
2016 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
2017 {
2018 task->migrate(task, this->ike_sa);
2019 INIT(queued,
2020 .task = task,
2021 .time = now,
2022 );
2023 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2024 }
2025
2026 this->reset = TRUE;
2027 }
2028
2029 /**
2030 * Filter queued tasks
2031 */
2032 static bool filter_queued(void *unused, queued_task_t **queued, task_t **task)
2033 {
2034 *task = (*queued)->task;
2035 return TRUE;
2036 }
2037
2038 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2039 private_task_manager_t *this, task_queue_t queue)
2040 {
2041 switch (queue)
2042 {
2043 case TASK_QUEUE_ACTIVE:
2044 return array_create_enumerator(this->active_tasks);
2045 case TASK_QUEUE_PASSIVE:
2046 return array_create_enumerator(this->passive_tasks);
2047 case TASK_QUEUE_QUEUED:
2048 return enumerator_create_filter(
2049 array_create_enumerator(this->queued_tasks),
2050 (void*)filter_queued, NULL, NULL);
2051 default:
2052 return enumerator_create_empty();
2053 }
2054 }
2055
2056 METHOD(task_manager_t, destroy, void,
2057 private_task_manager_t *this)
2058 {
2059 flush(this);
2060
2061 array_destroy(this->active_tasks);
2062 array_destroy(this->queued_tasks);
2063 array_destroy(this->passive_tasks);
2064
2065 clear_packets(this->responding.packets);
2066 array_destroy(this->responding.packets);
2067 clear_packets(this->initiating.packets);
2068 array_destroy(this->initiating.packets);
2069 DESTROY_IF(this->responding.defrag);
2070 DESTROY_IF(this->initiating.defrag);
2071 free(this);
2072 }
2073
2074 /*
2075 * see header file
2076 */
2077 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
2078 {
2079 private_task_manager_t *this;
2080
2081 INIT(this,
2082 .public = {
2083 .task_manager = {
2084 .process_message = _process_message,
2085 .queue_task = _queue_task,
2086 .queue_task_delayed = _queue_task_delayed,
2087 .queue_ike = _queue_ike,
2088 .queue_ike_rekey = _queue_ike_rekey,
2089 .queue_ike_reauth = _queue_ike_reauth,
2090 .queue_ike_delete = _queue_ike_delete,
2091 .queue_mobike = _queue_mobike,
2092 .queue_child = _queue_child,
2093 .queue_child_rekey = _queue_child_rekey,
2094 .queue_child_delete = _queue_child_delete,
2095 .queue_dpd = _queue_dpd,
2096 .initiate = _initiate,
2097 .retransmit = _retransmit,
2098 .incr_mid = _incr_mid,
2099 .get_mid = _get_mid,
2100 .reset = _reset,
2101 .adopt_tasks = _adopt_tasks,
2102 .adopt_child_tasks = _adopt_child_tasks,
2103 .busy = _busy,
2104 .create_task_enumerator = _create_task_enumerator,
2105 .flush = _flush,
2106 .flush_queue = _flush_queue,
2107 .destroy = _destroy,
2108 },
2109 },
2110 .ike_sa = ike_sa,
2111 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
2112 .queued_tasks = array_create(0, 0),
2113 .active_tasks = array_create(0, 0),
2114 .passive_tasks = array_create(0, 0),
2115 .retransmit_tries = lib->settings->get_int(lib->settings,
2116 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2117 .retransmit_timeout = lib->settings->get_double(lib->settings,
2118 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2119 .retransmit_base = lib->settings->get_double(lib->settings,
2120 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2121 .make_before_break = lib->settings->get_bool(lib->settings,
2122 "%s.make_before_break", FALSE, lib->ns),
2123 );
2124
2125 return &this->public;
2126 }
Unnamed repository; edit this file 'description' to name the repository.