[people/ms/strongswan.git] / src / libcharon / sa / ikev2 / tasks / ike_rekey.c

/*
 * Copyright (C) 2005-2008 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include "ike_rekey.h"

#include <daemon.h>
#include <encoding/payloads/notify_payload.h>
#include <sa/ikev2/tasks/ike_init.h>
#include <sa/ikev2/tasks/ike_delete.h>
#include <processing/jobs/delete_ike_sa_job.h>
#include <processing/jobs/rekey_ike_sa_job.h>
#include <processing/jobs/initiate_tasks_job.h>


typedef struct private_ike_rekey_t private_ike_rekey_t;

/**
 * Private members of a ike_rekey_t task.
 */
struct private_ike_rekey_t {

	/**
	 * Public methods and task_t interface.
	 */
	ike_rekey_t public;

	/**
	 * Assigned IKE_SA.
	 */
	ike_sa_t *ike_sa;

	/**
	 * New IKE_SA which replaces the current one
	 */
	ike_sa_t *new_sa;

	/**
	 * Are we the initiator?
	 */
	bool initiator;

	/**
	 * the TASK_IKE_INIT task which is reused to simplify rekeying
	 */
	ike_init_t *ike_init;

	/**
	 * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
	 */
	ike_delete_t *ike_delete;

	/**
	 * colliding task detected by the task manager
	 */
	task_t *collision;
};

/**
 * Check if an IKE_SA has any queued tasks, return initiation job
 */
static job_t* check_queued_tasks(ike_sa_t *ike_sa)
{
	enumerator_t *enumerator;
	task_t *task;
	job_t *job = NULL;

	enumerator = ike_sa->create_task_enumerator(ike_sa, TASK_QUEUE_QUEUED);
	if (enumerator->enumerate(enumerator, &task))
	{
		job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa));
	}
	enumerator->destroy(enumerator);

	return job;
}

/**
 * Establish the new replacement IKE_SA
 */
static void establish_new(private_ike_rekey_t *this)
{
	if (this->new_sa)
	{
		job_t *job;

		this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
		DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
			 this->new_sa->get_name(this->new_sa),
			 this->new_sa->get_unique_id(this->new_sa),
			 this->ike_sa->get_my_host(this->ike_sa),
			 this->ike_sa->get_my_id(this->ike_sa),
			 this->ike_sa->get_other_host(this->ike_sa),
			 this->ike_sa->get_other_id(this->ike_sa));

		this->new_sa->inherit_post(this->new_sa, this->ike_sa);
		charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
		job = check_queued_tasks(this->new_sa);
		/* don't queue job before checkin(), as the IKE_SA is not yet
		 * registered at the manager */
		charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
		if (job)
		{
			lib->processor->queue_job(lib->processor, job);
		}
		this->new_sa = NULL;
		/* set threads active IKE_SA after checkin */
		charon->bus->set_sa(charon->bus, this->ike_sa);
	}
}

METHOD(task_t, process_r_delete, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	establish_new(this);
	return this->ike_delete->task.process(&this->ike_delete->task, message);
}

METHOD(task_t, build_r_delete, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	return this->ike_delete->task.build(&this->ike_delete->task, message);
}

METHOD(task_t, build_i_delete, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	/* update exchange type to INFORMATIONAL for the delete */
	message->set_exchange_type(message, INFORMATIONAL);

	return this->ike_delete->task.build(&this->ike_delete->task, message);
}

METHOD(task_t, process_i_delete, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	return this->ike_delete->task.process(&this->ike_delete->task, message);
}

METHOD(task_t, build_i, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	ike_version_t version;

	/* create new SA only on first try */
	if (this->new_sa == NULL)
	{
		version = this->ike_sa->get_version(this->ike_sa);
		this->new_sa = charon->ike_sa_manager->checkout_new(
										charon->ike_sa_manager, version, TRUE);
		if (!this->new_sa)
		{	/* shouldn't happen */
			return FAILED;
		}
		this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
		this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
		this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
	}
	this->ike_init->task.build(&this->ike_init->task, message);

	return NEED_MORE;
}

METHOD(task_t, process_r, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	enumerator_t *enumerator;
	child_sa_t *child_sa;

	if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
	{
		DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
		return NEED_MORE;
	}

	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
	while (enumerator->enumerate(enumerator, (void**)&child_sa))
	{
		switch (child_sa->get_state(child_sa))
		{
			case CHILD_CREATED:
			case CHILD_REKEYING:
			case CHILD_RETRYING:
			case CHILD_DELETING:
				/* we do not allow rekeying while we have children in-progress */
				DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
				enumerator->destroy(enumerator);
				return NEED_MORE;
			default:
				break;
		}
	}
	enumerator->destroy(enumerator);

	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
							this->ike_sa->get_version(this->ike_sa), FALSE);
	if (!this->new_sa)
	{	/* shouldn't happen */
		return FAILED;
	}
	this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
	this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
	this->ike_init->task.process(&this->ike_init->task, message);

	return NEED_MORE;
}

METHOD(task_t, build_r, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	if (this->new_sa == NULL)
	{
		/* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
		message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
		return SUCCESS;
	}

	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
	{
		return SUCCESS;
	}

	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);

	/* rekeying successful, delete the IKE_SA using a subtask */
	this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
	this->public.task.build = _build_r_delete;
	this->public.task.process = _process_r_delete;

	/* the peer does have to delete the IKE_SA. If it does not, we get a
	 * unusable IKE_SA in REKEYING state without a replacement. We consider
	 * this a timeout condition by the peer, and trigger a delete actively. */
	lib->scheduler->schedule_job(lib->scheduler, (job_t*)
		delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90);

	return NEED_MORE;
}

METHOD(task_t, process_i, status_t,
	private_ike_rekey_t *this, message_t *message)
{
	if (message->get_notify(message, NO_ADDITIONAL_SAS))
	{
		DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
			 "starting reauthentication");
		this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
		lib->processor->queue_job(lib->processor,
				(job_t*)rekey_ike_sa_job_create(
							this->ike_sa->get_id(this->ike_sa), TRUE));
		return SUCCESS;
	}

	switch (this->ike_init->task.process(&this->ike_init->task, message))
	{
		case FAILED:
			/* rekeying failed, fallback to old SA */
			if (!(this->collision && (
				this->collision->get_type(this->collision) == TASK_IKE_DELETE ||
				this->collision->get_type(this->collision) == TASK_IKE_REAUTH)))
			{
				job_t *job;
				u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
				job = (job_t*)rekey_ike_sa_job_create(
										this->ike_sa->get_id(this->ike_sa), FALSE);
				DBG1(DBG_IKE, "IKE_SA rekeying failed, "
										"trying again in %d seconds", retry);
				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
				lib->scheduler->schedule_job(lib->scheduler, job, retry);
			}
			return SUCCESS;
		case NEED_MORE:
			/* bad dh group, try again */
			this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
			return NEED_MORE;
		default:
			break;
	}

	/* check for collisions */
	if (this->collision &&
		this->collision->get_type(this->collision) == TASK_IKE_REKEY)
	{
		private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;

		/* ike_init can be NULL, if child_sa is half-open */
		if (other->ike_init)
		{
			host_t *host;
			chunk_t this_nonce, other_nonce;

			this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
			other_nonce = other->ike_init->get_lower_nonce(other->ike_init);

			/* if we have the lower nonce, delete rekeyed SA. If not, delete
			 * the redundant. */
			if (memcmp(this_nonce.ptr, other_nonce.ptr,
						min(this_nonce.len, other_nonce.len)) > 0)
			{
				/* peer should delete this SA. Add a timeout just in case. */
				job_t *job = (job_t*)delete_ike_sa_job_create(
						other->new_sa->get_id(other->new_sa), TRUE);
				lib->scheduler->schedule_job(lib->scheduler, job, 10);
				DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
				charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
				other->new_sa = NULL;
			}
			else
			{
				DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
					 "deleting redundant IKE_SA");
				/* apply host for a proper delete */
				host = this->ike_sa->get_my_host(this->ike_sa);
				this->new_sa->set_my_host(this->new_sa, host->clone(host));
				host = this->ike_sa->get_other_host(this->ike_sa);
				this->new_sa->set_other_host(this->new_sa, host->clone(host));
				this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
				this->new_sa->set_state(this->new_sa, IKE_REKEYING);
				if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
				{
					this->new_sa->destroy(this->new_sa);
				}
				else
				{
					charon->ike_sa_manager->checkin(
								charon->ike_sa_manager, this->new_sa);
					/* set threads active IKE_SA after checkin */
					charon->bus->set_sa(charon->bus, this->ike_sa);
				}
				this->new_sa = NULL;
				establish_new(other);
				return SUCCESS;
			}
		}
		/* set threads active IKE_SA after checkin */
		charon->bus->set_sa(charon->bus, this->ike_sa);
	}

	establish_new(this);

	/* rekeying successful, delete the IKE_SA using a subtask */
	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
	this->public.task.build = _build_i_delete;
	this->public.task.process = _process_i_delete;

	return NEED_MORE;
}

METHOD(task_t, get_type, task_type_t,
	private_ike_rekey_t *this)
{
	return TASK_IKE_REKEY;
}

METHOD(ike_rekey_t, collide, void,
	private_ike_rekey_t* this, task_t *other)
{
	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
		 TASK_IKE_REKEY, task_type_names, other->get_type(other));
	DESTROY_IF(this->collision);
	this->collision = other;
}

METHOD(task_t, migrate, void,
	private_ike_rekey_t *this, ike_sa_t *ike_sa)
{
	if (this->ike_init)
	{
		this->ike_init->task.destroy(&this->ike_init->task);
	}
	if (this->ike_delete)
	{
		this->ike_delete->task.destroy(&this->ike_delete->task);
	}
	DESTROY_IF(this->new_sa);
	DESTROY_IF(this->collision);

	this->collision = NULL;
	this->ike_sa = ike_sa;
	this->new_sa = NULL;
	this->ike_init = NULL;
	this->ike_delete = NULL;
}

METHOD(task_t, destroy, void,
	private_ike_rekey_t *this)
{
	if (this->ike_init)
	{
		this->ike_init->task.destroy(&this->ike_init->task);
	}
	if (this->ike_delete)
	{
		this->ike_delete->task.destroy(&this->ike_delete->task);
	}
	DESTROY_IF(this->new_sa);
	DESTROY_IF(this->collision);
	free(this);
}

/*
 * Described in header.
 */
ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
{
	private_ike_rekey_t *this;

	INIT(this,
		.public = {
			.task = {
				.get_type = _get_type,
				.build = _build_r,
				.process = _process_r,
				.migrate = _migrate,
				.destroy = _destroy,
			},
			.collide = _collide,
		},
		.ike_sa = ike_sa,
		.initiator = initiator,
	);
	if (initiator)
	{
		this->public.task.build = _build_i;
		this->public.task.process = _process_i;
	}

	return &this->public;
}
Commit	Line	Data
c60c7694	1	/*
6a4ff35c	2	* Copyright (C) 2005-2008 Martin Willi
c60c7694 MW	3	* Copyright (C) 2005 Jan Hutter
	4	* Hochschule fuer Technik Rapperswil
	5	*
	6	* This program is free software; you can redistribute it and/or modify it
	7	* under the terms of the GNU General Public License as published by the
	8	* Free Software Foundation; either version 2 of the License, or (at your
	9	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	10	*
	11	* This program is distributed in the hope that it will be useful, but
	12	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	13	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	14	* for more details.
	15	*/
	16
	17	#include "ike_rekey.h"
	18
	19	#include <daemon.h>
c60c7694	20	#include <encoding/payloads/notify_payload.h>
15a682f4 MW	21	#include <sa/ikev2/tasks/ike_init.h>
15a682f4 MW	22	#include <sa/ikev2/tasks/ike_delete.h>
e0fe7651 MW	23	#include <processing/jobs/delete_ike_sa_job.h>
e0fe7651 MW	24	#include <processing/jobs/rekey_ike_sa_job.h>
80a1ebb1	25	#include <processing/jobs/initiate_tasks_job.h>
c60c7694 MW	26
	27
	28	typedef struct private_ike_rekey_t private_ike_rekey_t;
	29
	30	/**
	31	* Private members of a ike_rekey_t task.
	32	*/
	33	struct private_ike_rekey_t {
7daf5226	34
c60c7694 MW	35	/**
	36	* Public methods and task_t interface.
	37	*/
	38	ike_rekey_t public;
7daf5226	39
c60c7694 MW	40	/**
	41	* Assigned IKE_SA.
	42	*/
	43	ike_sa_t *ike_sa;
7daf5226	44
c60c7694 MW	45	/**
	46	* New IKE_SA which replaces the current one
	47	*/
	48	ike_sa_t *new_sa;
7daf5226	49
c60c7694 MW	50	/**
	51	* Are we the initiator?
	52	*/
	53	bool initiator;
7daf5226	54
c60c7694	55	/**
a09972df	56	* the TASK_IKE_INIT task which is reused to simplify rekeying
c60c7694 MW	57	*/
c60c7694 MW	58	ike_init_t *ike_init;
7daf5226	59
394eb35b MW	60	/**
	61	* IKE_DELETE task to delete the old IKE_SA after rekeying was successful
	62	*/
	63	ike_delete_t *ike_delete;
7daf5226	64
eef08590 MW	65	/**
	66	* colliding task detected by the task manager
	67	*/
	68	task_t *collision;
c60c7694 MW	69	};
c60c7694 MW	70
80a1ebb1 MW	71	/**
	72	* Check if an IKE_SA has any queued tasks, return initiation job
	73	*/
	74	static job_t* check_queued_tasks(ike_sa_t *ike_sa)
	75	{
	76	enumerator_t *enumerator;
	77	task_t *task;
	78	job_t *job = NULL;
	79
	80	enumerator = ike_sa->create_task_enumerator(ike_sa, TASK_QUEUE_QUEUED);
	81	if (enumerator->enumerate(enumerator, &task))
	82	{
	83	job = (job_t*)initiate_tasks_job_create(ike_sa->get_id(ike_sa));
	84	}
	85	enumerator->destroy(enumerator);
	86
	87	return job;
	88	}
	89
3ced6b51 MW	90	/**
	91	* Establish the new replacement IKE_SA
	92	*/
	93	static void establish_new(private_ike_rekey_t *this)
	94	{
	95	if (this->new_sa)
	96	{
80a1ebb1 MW	97	job_t *job;
80a1ebb1 MW	98
3ced6b51 MW	99	this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
	100	DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
	101	this->new_sa->get_name(this->new_sa),
	102	this->new_sa->get_unique_id(this->new_sa),
	103	this->ike_sa->get_my_host(this->ike_sa),
	104	this->ike_sa->get_my_id(this->ike_sa),
	105	this->ike_sa->get_other_host(this->ike_sa),
	106	this->ike_sa->get_other_id(this->ike_sa));
	107
713a1122	108	this->new_sa->inherit_post(this->new_sa, this->ike_sa);
3ced6b51	109	charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
80a1ebb1 MW	110	job = check_queued_tasks(this->new_sa);
	111	/* don't queue job before checkin(), as the IKE_SA is not yet
	112	* registered at the manager */
3ced6b51	113	charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
80a1ebb1 MW	114	if (job)
	115	{
	116	lib->processor->queue_job(lib->processor, job);
	117	}
3ced6b51 MW	118	this->new_sa = NULL;
	119	/* set threads active IKE_SA after checkin */
	120	charon->bus->set_sa(charon->bus, this->ike_sa);
	121	}
	122	}
	123
f42156a8 MW	124	METHOD(task_t, process_r_delete, status_t,
	125	private_ike_rekey_t this, message_t message)
	126	{
3ced6b51	127	establish_new(this);
f42156a8 MW	128	return this->ike_delete->task.process(&this->ike_delete->task, message);
	129	}
	130
	131	METHOD(task_t, build_r_delete, status_t,
	132	private_ike_rekey_t this, message_t message)
	133	{
	134	return this->ike_delete->task.build(&this->ike_delete->task, message);
	135	}
	136
41080cbb MW	137	METHOD(task_t, build_i_delete, status_t,
41080cbb MW	138	private_ike_rekey_t this, message_t message)
394eb35b MW	139	{
	140	/* update exchange type to INFORMATIONAL for the delete */
	141	message->set_exchange_type(message, INFORMATIONAL);
7daf5226	142
394eb35b MW	143	return this->ike_delete->task.build(&this->ike_delete->task, message);
	144	}
	145
41080cbb MW	146	METHOD(task_t, process_i_delete, status_t,
41080cbb MW	147	private_ike_rekey_t this, message_t message)
394eb35b MW	148	{
	149	return this->ike_delete->task.process(&this->ike_delete->task, message);
	150	}
	151
41080cbb MW	152	METHOD(task_t, build_i, status_t,
41080cbb MW	153	private_ike_rekey_t this, message_t message)
c60c7694	154	{
3d54ae94	155	ike_version_t version;
7daf5226	156
1fd5383e MW	157	/* create new SA only on first try */
	158	if (this->new_sa == NULL)
	159	{
3d54ae94	160	version = this->ike_sa->get_version(this->ike_sa);
0b611540 TB	161	this->new_sa = charon->ike_sa_manager->checkout_new(
0b611540 TB	162	charon->ike_sa_manager, version, TRUE);
3d54ae94 MW	163	if (!this->new_sa)
	164	{ /* shouldn't happen */
	165	return FAILED;
	166	}
713a1122	167	this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
1fd5383e MW	168	this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
	169	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
	170	}
c60c7694	171	this->ike_init->task.build(&this->ike_init->task, message);
c60c7694 MW	172
	173	return NEED_MORE;
	174	}
	175
41080cbb MW	176	METHOD(task_t, process_r, status_t,
41080cbb MW	177	private_ike_rekey_t this, message_t message)
c60c7694	178	{
4bbce1ef	179	enumerator_t *enumerator;
0f33e826	180	child_sa_t *child_sa;
7daf5226	181
0f33e826 MW	182	if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
	183	{
	184	DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
	185	return NEED_MORE;
	186	}
	187
4bbce1ef TB	188	enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
4bbce1ef TB	189	while (enumerator->enumerate(enumerator, (void**)&child_sa))
0f33e826 MW	190	{
	191	switch (child_sa->get_state(child_sa))
	192	{
	193	case CHILD_CREATED:
	194	case CHILD_REKEYING:
f1773fee	195	case CHILD_RETRYING:
0f33e826 MW	196	case CHILD_DELETING:
	197	/* we do not allow rekeying while we have children in-progress */
	198	DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
4bbce1ef	199	enumerator->destroy(enumerator);
0f33e826 MW	200	return NEED_MORE;
	201	default:
	202	break;
	203	}
	204	}
4bbce1ef	205	enumerator->destroy(enumerator);
7daf5226	206
b9e363f8	207	this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
3d54ae94 MW	208	this->ike_sa->get_version(this->ike_sa), FALSE);
	209	if (!this->new_sa)
	210	{ /* shouldn't happen */
	211	return FAILED;
	212	}
713a1122	213	this->new_sa->inherit_pre(this->new_sa, this->ike_sa);
c60c7694 MW	214	this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
c60c7694 MW	215	this->ike_init->task.process(&this->ike_init->task, message);
7daf5226	216
c60c7694 MW	217	return NEED_MORE;
	218	}
	219
41080cbb MW	220	METHOD(task_t, build_r, status_t,
41080cbb MW	221	private_ike_rekey_t this, message_t message)
c60c7694	222	{
0f33e826 MW	223	if (this->new_sa == NULL)
	224	{
	225	/* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
	226	message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
	227	return SUCCESS;
	228	}
7daf5226	229
c60c7694 MW	230	if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
	231	{
	232	return SUCCESS;
	233	}
7daf5226	234
c60c7694	235	this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
7daf5226	236
f42156a8 MW	237	/* rekeying successful, delete the IKE_SA using a subtask */
	238	this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
	239	this->public.task.build = _build_r_delete;
	240	this->public.task.process = _process_r_delete;
	241
1cce0df4 MW	242	/* the peer does have to delete the IKE_SA. If it does not, we get a
	243	* unusable IKE_SA in REKEYING state without a replacement. We consider
	244	* this a timeout condition by the peer, and trigger a delete actively. */
	245	lib->scheduler->schedule_job(lib->scheduler, (job_t*)
	246	delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE), 90);
	247
f42156a8	248	return NEED_MORE;
c60c7694 MW	249	}
c60c7694 MW	250
41080cbb MW	251	METHOD(task_t, process_i, status_t,
41080cbb MW	252	private_ike_rekey_t this, message_t message)
c60c7694	253	{
9beb8386	254	if (message->get_notify(message, NO_ADDITIONAL_SAS))
dad8ecee	255	{
9beb8386 MW	256	DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
	257	"starting reauthentication");
	258	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
bb381e26	259	lib->processor->queue_job(lib->processor,
9beb8386 MW	260	(job_t*)rekey_ike_sa_job_create(
	261	this->ike_sa->get_id(this->ike_sa), TRUE));
	262	return SUCCESS;
dad8ecee	263	}
7daf5226	264
1fd5383e	265	switch (this->ike_init->task.process(&this->ike_init->task, message))
c60c7694	266	{
1fd5383e MW	267	case FAILED:
1fd5383e MW	268	/* rekeying failed, fallback to old SA */
26424f03	269	if (!(this->collision && (
a09972df MW	270	this->collision->get_type(this->collision) == TASK_IKE_DELETE \|\|
a09972df MW	271	this->collision->get_type(this->collision) == TASK_IKE_REAUTH)))
1fd5383e MW	272	{
	273	job_t *job;
	274	u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
	275	job = (job_t*)rekey_ike_sa_job_create(
	276	this->ike_sa->get_id(this->ike_sa), FALSE);
	277	DBG1(DBG_IKE, "IKE_SA rekeying failed, "
b9b8a98f	278	"trying again in %d seconds", retry);
1fd5383e	279	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
bb381e26	280	lib->scheduler->schedule_job(lib->scheduler, job, retry);
1fd5383e MW	281	}
	282	return SUCCESS;
	283	case NEED_MORE:
	284	/* bad dh group, try again */
	285	this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
	286	return NEED_MORE;
	287	default:
	288	break;
c60c7694	289	}
7daf5226	290
eef08590 MW	291	/* check for collisions */
eef08590 MW	292	if (this->collision &&
a09972df	293	this->collision->get_type(this->collision) == TASK_IKE_REKEY)
eef08590	294	{
eef08590	295	private_ike_rekey_t other = (private_ike_rekey_t)this->collision;
7daf5226	296
e54e86cb TE	297	/* ike_init can be NULL, if child_sa is half-open */
e54e86cb TE	298	if (other->ike_init)
eef08590	299	{
e54e86cb TE	300	host_t *host;
	301	chunk_t this_nonce, other_nonce;
	302
	303	this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
	304	other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
	305
	306	/* if we have the lower nonce, delete rekeyed SA. If not, delete
	307	* the redundant. */
	308	if (memcmp(this_nonce.ptr, other_nonce.ptr,
1ed482d8	309	min(this_nonce.len, other_nonce.len)) > 0)
09f706ec	310	{
e54e86cb TE	311	/* peer should delete this SA. Add a timeout just in case. */
	312	job_t job = (job_t)delete_ike_sa_job_create(
	313	other->new_sa->get_id(other->new_sa), TRUE);
bb381e26	314	lib->scheduler->schedule_job(lib->scheduler, job, 10);
1ed482d8	315	DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
e54e86cb TE	316	charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
e54e86cb TE	317	other->new_sa = NULL;
09f706ec MW	318	}
	319	else
	320	{
1ed482d8 MW	321	DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
1ed482d8 MW	322	"deleting redundant IKE_SA");
e54e86cb TE	323	/* apply host for a proper delete */
	324	host = this->ike_sa->get_my_host(this->ike_sa);
	325	this->new_sa->set_my_host(this->new_sa, host->clone(host));
	326	host = this->ike_sa->get_other_host(this->ike_sa);
	327	this->new_sa->set_other_host(this->new_sa, host->clone(host));
	328	this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
3ced6b51	329	this->new_sa->set_state(this->new_sa, IKE_REKEYING);
e54e86cb TE	330	if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
e54e86cb TE	331	{
3ced6b51	332	this->new_sa->destroy(this->new_sa);
e54e86cb TE	333	}
	334	else
	335	{
	336	charon->ike_sa_manager->checkin(
	337	charon->ike_sa_manager, this->new_sa);
3ced6b51 MW	338	/* set threads active IKE_SA after checkin */
3ced6b51 MW	339	charon->bus->set_sa(charon->bus, this->ike_sa);
e54e86cb	340	}
3ced6b51 MW	341	this->new_sa = NULL;
3ced6b51 MW	342	establish_new(other);
e54e86cb	343	return SUCCESS;
09f706ec	344	}
eef08590	345	}
f2e1ff59 MW	346	/* set threads active IKE_SA after checkin */
f2e1ff59 MW	347	charon->bus->set_sa(charon->bus, this->ike_sa);
eef08590	348	}
7daf5226	349
3ced6b51 MW	350	establish_new(this);
3ced6b51 MW	351
394eb35b MW	352	/* rekeying successful, delete the IKE_SA using a subtask */
394eb35b MW	353	this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
41080cbb MW	354	this->public.task.build = _build_i_delete;
41080cbb MW	355	this->public.task.process = _process_i_delete;
7daf5226	356
394eb35b	357	return NEED_MORE;
c60c7694 MW	358	}
c60c7694 MW	359
41080cbb MW	360	METHOD(task_t, get_type, task_type_t,
41080cbb MW	361	private_ike_rekey_t *this)
c60c7694	362	{
a09972df	363	return TASK_IKE_REKEY;
c60c7694 MW	364	}
c60c7694 MW	365
41080cbb MW	366	METHOD(ike_rekey_t, collide, void,
41080cbb MW	367	private_ike_rekey_t* this, task_t *other)
eef08590	368	{
a09972df MW	369	DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
a09972df MW	370	TASK_IKE_REKEY, task_type_names, other->get_type(other));
eef08590 MW	371	DESTROY_IF(this->collision);
	372	this->collision = other;
	373	}
	374
41080cbb MW	375	METHOD(task_t, migrate, void,
41080cbb MW	376	private_ike_rekey_t this, ike_sa_t ike_sa)
c60c7694 MW	377	{
	378	if (this->ike_init)
	379	{
	380	this->ike_init->task.destroy(&this->ike_init->task);
	381	}
394eb35b MW	382	if (this->ike_delete)
	383	{
	384	this->ike_delete->task.destroy(&this->ike_delete->task);
	385	}
3ced6b51	386	DESTROY_IF(this->new_sa);
eef08590	387	DESTROY_IF(this->collision);
7daf5226	388
eef08590	389	this->collision = NULL;
c60c7694 MW	390	this->ike_sa = ike_sa;
	391	this->new_sa = NULL;
	392	this->ike_init = NULL;
394eb35b	393	this->ike_delete = NULL;
c60c7694 MW	394	}
c60c7694 MW	395
41080cbb MW	396	METHOD(task_t, destroy, void,
41080cbb MW	397	private_ike_rekey_t *this)
c60c7694	398	{
eef08590	399	if (this->ike_init)
c60c7694	400	{
eef08590	401	this->ike_init->task.destroy(&this->ike_init->task);
c60c7694	402	}
394eb35b MW	403	if (this->ike_delete)
	404	{
	405	this->ike_delete->task.destroy(&this->ike_delete->task);
	406	}
3ced6b51	407	DESTROY_IF(this->new_sa);
eef08590	408	DESTROY_IF(this->collision);
c60c7694 MW	409	free(this);
	410	}
	411
	412	/*
	413	* Described in header.
	414	*/
	415	ike_rekey_t ike_rekey_create(ike_sa_t ike_sa, bool initiator)
	416	{
41080cbb MW	417	private_ike_rekey_t *this;
	418
	419	INIT(this,
	420	.public = {
	421	.task = {
	422	.get_type = _get_type,
	423	.build = _build_r,
	424	.process = _process_r,
	425	.migrate = _migrate,
	426	.destroy = _destroy,
	427	},
	428	.collide = _collide,
	429	},
	430	.ike_sa = ike_sa,
	431	.initiator = initiator,
	432	);
c60c7694 MW	433	if (initiator)
c60c7694 MW	434	{
41080cbb MW	435	this->public.task.build = _build_i;
41080cbb MW	436	this->public.task.process = _process_i;
c60c7694	437	}
7daf5226	438
c60c7694 MW	439	return &this->public;
c60c7694 MW	440	}