]>
Commit | Line | Data |
---|---|---|
7ba38761 | 1 | /* |
3a54206c | 2 | * Copyright (C) 2006-2020 Tobias Brunner |
d5cc1758 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
a44bb934 | 4 | * Copyright (C) 2005-2009 Martin Willi |
c71d53ba | 5 | * Copyright (C) 2005 Jan Hutter |
208678e6 | 6 | * HSR Hochschule fuer Technik Rapperswil |
7ba38761 JH |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
1396815a | 18 | |
05db0f97 VR |
19 | /* |
20 | * Copyright (c) 2014 Volker RĂ¼melin | |
21 | * | |
22 | * Permission is hereby granted, free of charge, to any person obtaining a copy | |
23 | * of this software and associated documentation files (the "Software"), to deal | |
24 | * in the Software without restriction, including without limitation the rights | |
25 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
26 | * copies of the Software, and to permit persons to whom the Software is | |
27 | * furnished to do so, subject to the following conditions: | |
28 | * | |
29 | * The above copyright notice and this permission notice shall be included in | |
30 | * all copies or substantial portions of the Software. | |
31 | * | |
32 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
33 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
34 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
35 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
36 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
37 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | |
38 | * THE SOFTWARE. | |
39 | */ | |
40 | ||
5113680f | 41 | #include <string.h> |
c60c7694 | 42 | #include <sys/stat.h> |
db97fd82 | 43 | #include <errno.h> |
e13389a7 | 44 | #include <time.h> |
7ba38761 | 45 | |
88878242 MW |
46 | #include "ike_sa.h" |
47 | ||
db7ef624 | 48 | #include <library.h> |
c5f7146b | 49 | #include <daemon.h> |
893da041 | 50 | #include <collections/array.h> |
c60c7694 | 51 | #include <utils/lexparser.h> |
e0fe7651 MW |
52 | #include <processing/jobs/retransmit_job.h> |
53 | #include <processing/jobs/delete_ike_sa_job.h> | |
54 | #include <processing/jobs/send_dpd_job.h> | |
55 | #include <processing/jobs/send_keepalive_job.h> | |
56 | #include <processing/jobs/rekey_ike_sa_job.h> | |
60c82591 | 57 | #include <processing/jobs/retry_initiate_job.h> |
b1f2f05c | 58 | #include <sa/ikev2/tasks/ike_auth_lifetime.h> |
f20e00fe | 59 | #include <sa/ikev2/tasks/ike_reauth_complete.h> |
71c70705 | 60 | #include <sa/ikev2/tasks/ike_redirect.h> |
1b9c1ae0 | 61 | #include <credentials/sets/auth_cfg_wrapper.h> |
7ba38761 | 62 | |
dc04b7c7 | 63 | #ifdef ME |
15a682f4 | 64 | #include <sa/ikev2/tasks/ike_me.h> |
38951252 | 65 | #include <processing/jobs/initiate_mediation_job.h> |
d5cc1758 | 66 | #endif |
c60c7694 | 67 | |
a985db3f | 68 | ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, |
60356f33 MW |
69 | "CREATED", |
70 | "CONNECTING", | |
71 | "ESTABLISHED", | |
c610f424 | 72 | "PASSIVE", |
60356f33 | 73 | "REKEYING", |
bb389973 | 74 | "REKEYED", |
60356f33 | 75 | "DELETING", |
a985db3f | 76 | "DESTROYING", |
60356f33 | 77 | ); |
7ba38761 | 78 | |
aad398a7 | 79 | typedef struct private_ike_sa_t private_ike_sa_t; |
7f56b494 | 80 | typedef struct attribute_entry_t attribute_entry_t; |
aad398a7 JH |
81 | |
82 | /** | |
83 | * Private data of an ike_sa_t object. | |
84 | */ | |
85 | struct private_ike_sa_t { | |
7daf5226 | 86 | |
aad398a7 | 87 | /** |
3dd3c5f3 | 88 | * Public members |
2f89902d | 89 | */ |
3dd3c5f3 | 90 | ike_sa_t public; |
7daf5226 | 91 | |
aad398a7 | 92 | /** |
a374d1ee | 93 | * Identifier for the current IKE_SA. |
aad398a7 JH |
94 | */ |
95 | ike_sa_id_t *ike_sa_id; | |
7daf5226 | 96 | |
0b611540 TB |
97 | /** |
98 | * IKE version of this SA. | |
99 | */ | |
100 | ike_version_t version; | |
101 | ||
c60c7694 MW |
102 | /** |
103 | * unique numerical ID for this IKE_SA. | |
104 | */ | |
b12c53ce | 105 | uint32_t unique_id; |
7daf5226 | 106 | |
aad398a7 | 107 | /** |
8dfbe71b | 108 | * Current state of the IKE_SA |
aad398a7 | 109 | */ |
7f56b494 | 110 | ike_sa_state_t state; |
7daf5226 | 111 | |
a9428251 | 112 | /** |
e0fe7651 | 113 | * IKE configuration used to set up this IKE_SA |
a9428251 | 114 | */ |
e0fe7651 | 115 | ike_cfg_t *ike_cfg; |
7daf5226 | 116 | |
c60c7694 MW |
117 | /** |
118 | * Peer and authentication information to establish IKE_SA. | |
119 | */ | |
e0fe7651 | 120 | peer_cfg_t *peer_cfg; |
7daf5226 | 121 | |
552cc11b | 122 | /** |
893da041 | 123 | * currently used authentication ruleset, local |
552cc11b | 124 | */ |
a44bb934 | 125 | auth_cfg_t *my_auth; |
7daf5226 | 126 | |
44ce7493 | 127 | /** |
893da041 | 128 | * currently used authentication constraints, remote |
44ce7493 | 129 | */ |
893da041 | 130 | auth_cfg_t *other_auth; |
44ce7493 MW |
131 | |
132 | /** | |
893da041 | 133 | * Array of completed local authentication rounds (as auth_cfg_t) |
44ce7493 | 134 | */ |
893da041 | 135 | array_t *my_auths; |
44ce7493 | 136 | |
552cc11b | 137 | /** |
893da041 | 138 | * Array of completed remote authentication rounds (as auth_cfg_t) |
552cc11b | 139 | */ |
893da041 | 140 | array_t *other_auths; |
7daf5226 | 141 | |
5dffdea1 MW |
142 | /** |
143 | * Selected IKE proposal | |
144 | */ | |
145 | proposal_t *proposal; | |
7daf5226 | 146 | |
c60c7694 MW |
147 | /** |
148 | * Juggles tasks to process messages | |
149 | */ | |
150 | task_manager_t *task_manager; | |
7daf5226 | 151 | |
8dfbe71b MW |
152 | /** |
153 | * Address of local host | |
154 | */ | |
155 | host_t *my_host; | |
7daf5226 | 156 | |
8dfbe71b MW |
157 | /** |
158 | * Address of remote host | |
159 | */ | |
160 | host_t *other_host; | |
7daf5226 | 161 | |
dc04b7c7 | 162 | #ifdef ME |
22452f70 TB |
163 | /** |
164 | * Are we mediation server | |
165 | */ | |
166 | bool is_mediation_server; | |
7daf5226 | 167 | |
d5cc1758 TB |
168 | /** |
169 | * Server reflexive host | |
170 | */ | |
171 | host_t *server_reflexive_host; | |
7daf5226 | 172 | |
9c2a905d TB |
173 | /** |
174 | * Connect ID | |
175 | */ | |
176 | chunk_t connect_id; | |
dc04b7c7 | 177 | #endif /* ME */ |
7daf5226 | 178 | |
8dfbe71b MW |
179 | /** |
180 | * Identification used for us | |
181 | */ | |
182 | identification_t *my_id; | |
7daf5226 | 183 | |
a9428251 | 184 | /** |
8dfbe71b | 185 | * Identification used for other |
a9428251 | 186 | */ |
8dfbe71b | 187 | identification_t *other_id; |
7daf5226 | 188 | |
3b04350a MW |
189 | /** |
190 | * set of extensions the peer supports | |
191 | */ | |
192 | ike_extension_t extensions; | |
7daf5226 | 193 | |
17d92e97 MW |
194 | /** |
195 | * set of condition flags currently enabled for this IKE_SA | |
196 | */ | |
197 | ike_condition_t conditions; | |
7daf5226 | 198 | |
aad398a7 | 199 | /** |
893da041 | 200 | * Array containing the child sa's of the current IKE_SA. |
aad398a7 | 201 | */ |
893da041 | 202 | array_t *child_sas; |
7daf5226 | 203 | |
bc997f65 | 204 | /** |
6a4ff35c | 205 | * keymat of this IKE_SA |
bc997f65 | 206 | */ |
6a4ff35c | 207 | keymat_t *keymat; |
7daf5226 | 208 | |
3dd3c5f3 | 209 | /** |
101d26ba | 210 | * Virtual IPs on local host |
3dd3c5f3 | 211 | */ |
893da041 | 212 | array_t *my_vips; |
7daf5226 | 213 | |
c60c7694 | 214 | /** |
101d26ba | 215 | * Virtual IPs on remote host |
c60c7694 | 216 | */ |
893da041 | 217 | array_t *other_vips; |
7daf5226 | 218 | |
31e5d441 | 219 | /** |
7f56b494 | 220 | * List of configuration attributes (attribute_entry_t) |
31e5d441 | 221 | */ |
893da041 | 222 | array_t *attributes; |
7daf5226 | 223 | |
17d92e97 | 224 | /** |
94bbc602 | 225 | * list of peer's addresses, additional ones transmitted via MOBIKE |
17d92e97 | 226 | */ |
893da041 | 227 | array_t *peer_addresses; |
7daf5226 | 228 | |
9d9a772e MW |
229 | /** |
230 | * previously value of received DESTINATION_IP hash | |
231 | */ | |
232 | chunk_t nat_detection_dest; | |
7daf5226 | 233 | |
3dfecde4 AS |
234 | /** |
235 | * NAT keep alive interval | |
236 | */ | |
b12c53ce | 237 | uint32_t keepalive_interval; |
7daf5226 | 238 | |
efd7fa7b | 239 | /** |
b3ab7a48 | 240 | * The scheduled keep alive job, if any |
efd7fa7b TB |
241 | */ |
242 | send_keepalive_job_t *keepalive_job; | |
243 | ||
60c82591 TB |
244 | /** |
245 | * interval for retries during initiation (e.g. if DNS resolution failed), | |
246 | * 0 to disable (default) | |
247 | */ | |
b12c53ce | 248 | uint32_t retry_initiate_interval; |
60c82591 | 249 | |
77e42826 TB |
250 | /** |
251 | * TRUE if a retry_initiate_job has been queued | |
252 | */ | |
253 | bool retry_initiate_queued; | |
254 | ||
1396815a | 255 | /** |
fe04e93a | 256 | * Timestamps for this IKE_SA |
1396815a | 257 | */ |
b12c53ce | 258 | uint32_t stats[STAT_MAX]; |
7daf5226 | 259 | |
fdb9b2bd MW |
260 | /** |
261 | * how many times we have retried so far (keyingtries) | |
262 | */ | |
b12c53ce | 263 | uint32_t keyingtry; |
7daf5226 | 264 | |
d487b4b7 AS |
265 | /** |
266 | * local host address to be used for IKE, set via MIGRATE kernel message | |
267 | */ | |
268 | host_t *local_host; | |
7daf5226 | 269 | |
d487b4b7 AS |
270 | /** |
271 | * remote host address to be used for IKE, set via MIGRATE kernel message | |
272 | */ | |
273 | host_t *remote_host; | |
b24b73b7 MW |
274 | |
275 | /** | |
276 | * Flush auth configs once established? | |
277 | */ | |
278 | bool flush_auth_cfg; | |
40bab9a1 TB |
279 | |
280 | /** | |
281 | * Maximum length of a single fragment, 0 for address-specific defaults | |
282 | */ | |
283 | size_t fragment_size; | |
489d154e TB |
284 | |
285 | /** | |
286 | * Whether to follow IKEv2 redirects | |
287 | */ | |
288 | bool follow_redirects; | |
e4af6e6b TB |
289 | |
290 | /** | |
291 | * Original gateway address from which we got redirected | |
292 | */ | |
293 | host_t *redirected_from; | |
c6ebd033 TB |
294 | |
295 | /** | |
296 | * Timestamps of redirect attempts to handle loops | |
297 | */ | |
298 | array_t *redirected_at; | |
dec3c184 TB |
299 | |
300 | /** | |
301 | * Inbound interface ID | |
302 | */ | |
303 | uint32_t if_id_in; | |
304 | ||
305 | /** | |
306 | * Outbound interface ID | |
307 | */ | |
308 | uint32_t if_id_out; | |
aad398a7 JH |
309 | }; |
310 | ||
7f56b494 MW |
311 | /** |
312 | * Entry to maintain install configuration attributes during IKE_SA lifetime | |
313 | */ | |
314 | struct attribute_entry_t { | |
315 | /** handler used to install this attribute */ | |
316 | attribute_handler_t *handler; | |
317 | /** attribute type */ | |
318 | configuration_attribute_type_t type; | |
319 | /** attribute data */ | |
320 | chunk_t data; | |
321 | }; | |
322 | ||
0b2abb8c | 323 | /** |
3dd3c5f3 | 324 | * get the time of the latest traffic processed by the kernel |
0b2abb8c | 325 | */ |
c60c7694 | 326 | static time_t get_use_time(private_ike_sa_t* this, bool inbound) |
3a8f9f44 | 327 | { |
6e10aead | 328 | enumerator_t *enumerator; |
3dd3c5f3 | 329 | child_sa_t *child_sa; |
c3a78360 | 330 | time_t use_time, current; |
7daf5226 | 331 | |
c60c7694 MW |
332 | if (inbound) |
333 | { | |
85ac2fa5 | 334 | use_time = this->stats[STAT_INBOUND]; |
c60c7694 MW |
335 | } |
336 | else | |
337 | { | |
85ac2fa5 | 338 | use_time = this->stats[STAT_OUTBOUND]; |
c60c7694 | 339 | } |
893da041 MW |
340 | |
341 | enumerator = array_create_enumerator(this->child_sas); | |
6e10aead MW |
342 | while (enumerator->enumerate(enumerator, &child_sa)) |
343 | { | |
d954a208 | 344 | child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL); |
c3a78360 | 345 | use_time = max(use_time, current); |
6e10aead MW |
346 | } |
347 | enumerator->destroy(enumerator); | |
7daf5226 | 348 | |
6e10aead | 349 | return use_time; |
a9428251 JH |
350 | } |
351 | ||
b12c53ce | 352 | METHOD(ike_sa_t, get_unique_id, uint32_t, |
8bced61b | 353 | private_ike_sa_t *this) |
aad398a7 | 354 | { |
c60c7694 | 355 | return this->unique_id; |
aad398a7 JH |
356 | } |
357 | ||
8bced61b MW |
358 | METHOD(ike_sa_t, get_name, char*, |
359 | private_ike_sa_t *this) | |
0fdc3c7f | 360 | { |
e0fe7651 | 361 | if (this->peer_cfg) |
c60c7694 | 362 | { |
e0fe7651 | 363 | return this->peer_cfg->get_name(this->peer_cfg); |
c60c7694 MW |
364 | } |
365 | return "(unnamed)"; | |
0fdc3c7f JH |
366 | } |
367 | ||
b12c53ce | 368 | METHOD(ike_sa_t, get_statistic, uint32_t, |
8bced61b | 369 | private_ike_sa_t *this, statistic_t kind) |
a3ce4bc2 | 370 | { |
85ac2fa5 | 371 | if (kind < STAT_MAX) |
a3ce4bc2 | 372 | { |
85ac2fa5 | 373 | return this->stats[kind]; |
a3ce4bc2 | 374 | } |
ee614711 | 375 | return 0; |
a3ce4bc2 MW |
376 | } |
377 | ||
44ff1153 | 378 | METHOD(ike_sa_t, set_statistic, void, |
b12c53ce | 379 | private_ike_sa_t *this, statistic_t kind, uint32_t value) |
44ff1153 TB |
380 | { |
381 | if (kind < STAT_MAX) | |
382 | { | |
383 | this->stats[kind] = value; | |
384 | } | |
385 | } | |
386 | ||
8bced61b MW |
387 | METHOD(ike_sa_t, get_my_host, host_t*, |
388 | private_ike_sa_t *this) | |
8dfbe71b | 389 | { |
e0fe7651 | 390 | return this->my_host; |
8dfbe71b MW |
391 | } |
392 | ||
8bced61b MW |
393 | METHOD(ike_sa_t, set_my_host, void, |
394 | private_ike_sa_t *this, host_t *me) | |
8dfbe71b | 395 | { |
e0fe7651 MW |
396 | DESTROY_IF(this->my_host); |
397 | this->my_host = me; | |
8dfbe71b MW |
398 | } |
399 | ||
8bced61b MW |
400 | METHOD(ike_sa_t, get_other_host, host_t*, |
401 | private_ike_sa_t *this) | |
397f3448 | 402 | { |
e0fe7651 | 403 | return this->other_host; |
c60c7694 MW |
404 | } |
405 | ||
8bced61b MW |
406 | METHOD(ike_sa_t, set_other_host, void, |
407 | private_ike_sa_t *this, host_t *other) | |
c60c7694 | 408 | { |
e0fe7651 MW |
409 | DESTROY_IF(this->other_host); |
410 | this->other_host = other; | |
397f3448 MW |
411 | } |
412 | ||
e4af6e6b TB |
413 | METHOD(ike_sa_t, get_redirected_from, host_t*, |
414 | private_ike_sa_t *this) | |
415 | { | |
416 | return this->redirected_from; | |
417 | } | |
418 | ||
8bced61b MW |
419 | METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*, |
420 | private_ike_sa_t *this) | |
8dfbe71b | 421 | { |
e0fe7651 | 422 | return this->peer_cfg; |
8dfbe71b MW |
423 | } |
424 | ||
8bced61b MW |
425 | METHOD(ike_sa_t, set_peer_cfg, void, |
426 | private_ike_sa_t *this, peer_cfg_t *peer_cfg) | |
fe04e93a | 427 | { |
e0fe7651 | 428 | peer_cfg->get_ref(peer_cfg); |
dbd21695 | 429 | DESTROY_IF(this->peer_cfg); |
e0fe7651 | 430 | this->peer_cfg = peer_cfg; |
7daf5226 | 431 | |
dec3c184 | 432 | if (!this->ike_cfg) |
e0fe7651 MW |
433 | { |
434 | this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); | |
435 | this->ike_cfg->get_ref(this->ike_cfg); | |
436 | } | |
dec3c184 TB |
437 | |
438 | this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE); | |
439 | this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE); | |
440 | allocate_unique_if_ids(&this->if_id_in, &this->if_id_out); | |
552cc11b MW |
441 | } |
442 | ||
8bced61b MW |
443 | METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*, |
444 | private_ike_sa_t *this, bool local) | |
552cc11b | 445 | { |
a44bb934 MW |
446 | if (local) |
447 | { | |
448 | return this->my_auth; | |
449 | } | |
552cc11b MW |
450 | return this->other_auth; |
451 | } | |
452 | ||
8bced61b MW |
453 | METHOD(ike_sa_t, add_auth_cfg, void, |
454 | private_ike_sa_t *this, bool local, auth_cfg_t *cfg) | |
44ce7493 MW |
455 | { |
456 | if (local) | |
457 | { | |
893da041 | 458 | array_insert(this->my_auths, ARRAY_TAIL, cfg); |
44ce7493 MW |
459 | } |
460 | else | |
461 | { | |
893da041 | 462 | array_insert(this->other_auths, ARRAY_TAIL, cfg); |
44ce7493 MW |
463 | } |
464 | } | |
465 | ||
8bced61b MW |
466 | METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*, |
467 | private_ike_sa_t *this, bool local) | |
44ce7493 MW |
468 | { |
469 | if (local) | |
470 | { | |
893da041 | 471 | return array_create_enumerator(this->my_auths); |
44ce7493 | 472 | } |
893da041 | 473 | return array_create_enumerator(this->other_auths); |
44ce7493 MW |
474 | } |
475 | ||
e41adf5f TB |
476 | /** |
477 | * Flush the stored authentication round information | |
478 | */ | |
479 | static void flush_auth_cfgs(private_ike_sa_t *this) | |
480 | { | |
481 | auth_cfg_t *cfg; | |
482 | ||
483 | this->my_auth->purge(this->my_auth, FALSE); | |
484 | this->other_auth->purge(this->other_auth, FALSE); | |
485 | ||
486 | while (array_remove(this->my_auths, ARRAY_TAIL, &cfg)) | |
487 | { | |
488 | cfg->destroy(cfg); | |
489 | } | |
490 | while (array_remove(this->other_auths, ARRAY_TAIL, &cfg)) | |
491 | { | |
492 | cfg->destroy(cfg); | |
493 | } | |
494 | } | |
495 | ||
1b9c1ae0 TB |
496 | METHOD(ike_sa_t, verify_peer_certificate, bool, |
497 | private_ike_sa_t *this) | |
498 | { | |
499 | enumerator_t *e1, *e2, *certs; | |
500 | auth_cfg_t *cfg, *cfg_done; | |
501 | certificate_t *peer, *cert; | |
502 | public_key_t *key; | |
503 | auth_cfg_t *auth; | |
504 | auth_cfg_wrapper_t *wrapper; | |
505 | time_t not_before, not_after; | |
506 | bool valid = TRUE, found; | |
507 | ||
508 | if (this->state != IKE_ESTABLISHED) | |
509 | { | |
510 | DBG1(DBG_IKE, "unable to verify peer certificate in state %N", | |
511 | ike_sa_state_names, this->state); | |
512 | return FALSE; | |
513 | } | |
514 | ||
e41adf5f TB |
515 | if (!this->flush_auth_cfg && |
516 | lib->settings->get_bool(lib->settings, | |
1b9c1ae0 | 517 | "%s.flush_auth_cfg", FALSE, lib->ns)) |
e41adf5f | 518 | { /* we can do this check only once if auth configs are flushed */ |
1b9c1ae0 TB |
519 | DBG1(DBG_IKE, "unable to verify peer certificate as authentication " |
520 | "information has been flushed"); | |
521 | return FALSE; | |
522 | } | |
e41adf5f TB |
523 | this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED, |
524 | FALSE); | |
1b9c1ae0 TB |
525 | |
526 | e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE); | |
527 | e2 = array_create_enumerator(this->other_auths); | |
528 | while (e1->enumerate(e1, &cfg)) | |
529 | { | |
530 | if (!e2->enumerate(e2, &cfg_done)) | |
531 | { /* this should not happen as the authentication should never have | |
532 | * succeeded */ | |
533 | valid = FALSE; | |
534 | break; | |
535 | } | |
536 | if ((uintptr_t)cfg_done->get(cfg_done, | |
537 | AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY) | |
538 | { | |
539 | continue; | |
540 | } | |
541 | peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT); | |
542 | if (!peer) | |
543 | { | |
544 | DBG1(DBG_IKE, "no subject certificate found, skipping certificate " | |
545 | "verification"); | |
546 | continue; | |
547 | } | |
548 | if (!peer->get_validity(peer, NULL, ¬_before, ¬_after)) | |
549 | { | |
1b9c1ae0 TB |
550 | DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)", |
551 | ¬_before, FALSE, ¬_after, FALSE); | |
552 | valid = FALSE; | |
553 | break; | |
554 | } | |
555 | key = peer->get_public_key(peer); | |
556 | if (!key) | |
557 | { | |
558 | DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate " | |
559 | "verification"); | |
560 | continue; | |
561 | } | |
562 | DBG1(DBG_IKE, "verifying peer certificate"); | |
563 | /* serve received certificates */ | |
564 | wrapper = auth_cfg_wrapper_create(cfg_done); | |
565 | lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE); | |
566 | certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, | |
567 | key->get_type(key), peer->get_subject(peer), TRUE); | |
568 | key->destroy(key); | |
569 | ||
570 | found = FALSE; | |
571 | while (certs->enumerate(certs, &cert, &auth)) | |
572 | { | |
573 | if (peer->equals(peer, cert)) | |
574 | { | |
575 | cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED, | |
576 | FALSE); | |
577 | cfg_done->merge(cfg_done, auth, FALSE); | |
578 | valid = cfg_done->complies(cfg_done, cfg, TRUE); | |
579 | found = TRUE; | |
580 | break; | |
581 | } | |
582 | } | |
583 | certs->destroy(certs); | |
584 | lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); | |
585 | wrapper->destroy(wrapper); | |
586 | if (!found || !valid) | |
587 | { | |
588 | valid = FALSE; | |
589 | break; | |
590 | } | |
591 | } | |
592 | e1->destroy(e1); | |
593 | e2->destroy(e2); | |
1b9c1ae0 | 594 | |
e41adf5f | 595 | if (this->flush_auth_cfg) |
44ce7493 | 596 | { |
e41adf5f TB |
597 | this->flush_auth_cfg = FALSE; |
598 | flush_auth_cfgs(this); | |
44ce7493 | 599 | } |
e41adf5f | 600 | return valid; |
44ce7493 MW |
601 | } |
602 | ||
8bced61b MW |
603 | METHOD(ike_sa_t, get_proposal, proposal_t*, |
604 | private_ike_sa_t *this) | |
5dffdea1 MW |
605 | { |
606 | return this->proposal; | |
607 | } | |
608 | ||
8bced61b MW |
609 | METHOD(ike_sa_t, set_proposal, void, |
610 | private_ike_sa_t *this, proposal_t *proposal) | |
5dffdea1 MW |
611 | { |
612 | DESTROY_IF(this->proposal); | |
a2cb2c9c | 613 | this->proposal = proposal->clone(proposal, 0); |
5dffdea1 MW |
614 | } |
615 | ||
8bced61b | 616 | METHOD(ike_sa_t, set_message_id, void, |
b12c53ce | 617 | private_ike_sa_t *this, bool initiate, uint32_t mid) |
b09ca747 MW |
618 | { |
619 | if (initiate) | |
620 | { | |
f1f09810 | 621 | this->task_manager->reset(this->task_manager, mid, UINT_MAX); |
b09ca747 MW |
622 | } |
623 | else | |
624 | { | |
f1f09810 | 625 | this->task_manager->reset(this->task_manager, UINT_MAX, mid); |
b09ca747 MW |
626 | } |
627 | } | |
628 | ||
347c403c TB |
629 | METHOD(ike_sa_t, get_message_id, uint32_t, |
630 | private_ike_sa_t *this, bool initiate) | |
631 | { | |
632 | return this->task_manager->get_mid(this->task_manager, initiate); | |
633 | } | |
634 | ||
8bced61b | 635 | METHOD(ike_sa_t, send_keepalive, void, |
efd7fa7b | 636 | private_ike_sa_t *this, bool scheduled) |
2b3100b5 | 637 | { |
2b3100b5 | 638 | time_t last_out, now, diff; |
7daf5226 | 639 | |
efd7fa7b TB |
640 | if (scheduled) |
641 | { | |
642 | this->keepalive_job = NULL; | |
643 | } | |
34f7d3b7 TB |
644 | if (!this->keepalive_interval || this->state == IKE_PASSIVE) |
645 | { /* keepalives disabled either by configuration or for passive IKE_SAs */ | |
646 | return; | |
647 | } | |
648 | if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE)) | |
649 | { /* disable keepalives if we are not NATed anymore, or the SA is stale */ | |
3d928c9f MW |
650 | return; |
651 | } | |
7daf5226 | 652 | |
2b3100b5 | 653 | last_out = get_use_time(this, FALSE); |
6180a558 | 654 | now = time_monotonic(NULL); |
7daf5226 | 655 | |
2b3100b5 | 656 | diff = now - last_out; |
7daf5226 | 657 | |
3dfecde4 | 658 | if (diff >= this->keepalive_interval) |
2b3100b5 MW |
659 | { |
660 | packet_t *packet; | |
661 | chunk_t data; | |
7daf5226 | 662 | |
2b3100b5 MW |
663 | packet = packet_create(); |
664 | packet->set_source(packet, this->my_host->clone(this->my_host)); | |
665 | packet->set_destination(packet, this->other_host->clone(this->other_host)); | |
666 | data.ptr = malloc(1); | |
667 | data.ptr[0] = 0xFF; | |
668 | data.len = 1; | |
669 | packet->set_data(packet, data); | |
f3fefb18 | 670 | DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host); |
75f83163 | 671 | charon->sender->send_no_marker(charon->sender, packet); |
2b3100b5 MW |
672 | diff = 0; |
673 | } | |
efd7fa7b TB |
674 | if (!this->keepalive_job) |
675 | { | |
676 | this->keepalive_job = send_keepalive_job_create(this->ike_sa_id); | |
677 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job, | |
678 | this->keepalive_interval - diff); | |
679 | } | |
2b3100b5 MW |
680 | } |
681 | ||
8bced61b MW |
682 | METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, |
683 | private_ike_sa_t *this) | |
8dfbe71b | 684 | { |
e0fe7651 | 685 | return this->ike_cfg; |
8dfbe71b | 686 | } |
5b97779f | 687 | |
8bced61b MW |
688 | METHOD(ike_sa_t, set_ike_cfg, void, |
689 | private_ike_sa_t *this, ike_cfg_t *ike_cfg) | |
fe04e93a | 690 | { |
054ee5e7 | 691 | DESTROY_IF(this->ike_cfg); |
e0fe7651 MW |
692 | ike_cfg->get_ref(ike_cfg); |
693 | this->ike_cfg = ike_cfg; | |
fe04e93a | 694 | } |
4a035181 | 695 | |
8bced61b MW |
696 | METHOD(ike_sa_t, enable_extension, void, |
697 | private_ike_sa_t *this, ike_extension_t extension) | |
2b3100b5 MW |
698 | { |
699 | this->extensions |= extension; | |
700 | } | |
701 | ||
8bced61b MW |
702 | METHOD(ike_sa_t, supports_extension, bool, |
703 | private_ike_sa_t *this, ike_extension_t extension) | |
2b3100b5 MW |
704 | { |
705 | return (this->extensions & extension) != FALSE; | |
706 | } | |
707 | ||
8bced61b MW |
708 | METHOD(ike_sa_t, has_condition, bool, |
709 | private_ike_sa_t *this, ike_condition_t condition) | |
2b3100b5 MW |
710 | { |
711 | return (this->conditions & condition) != FALSE; | |
712 | } | |
713 | ||
8bced61b MW |
714 | METHOD(ike_sa_t, set_condition, void, |
715 | private_ike_sa_t *this, ike_condition_t condition, bool enable) | |
2b3100b5 MW |
716 | { |
717 | if (has_condition(this, condition) != enable) | |
718 | { | |
719 | if (enable) | |
720 | { | |
fc2d1c42 | 721 | this->conditions |= condition; |
2b3100b5 MW |
722 | switch (condition) |
723 | { | |
2b3100b5 MW |
724 | case COND_NAT_HERE: |
725 | DBG1(DBG_IKE, "local host is behind NAT, sending keep alives"); | |
726 | this->conditions |= COND_NAT_ANY; | |
efd7fa7b | 727 | send_keepalive(this, FALSE); |
2b3100b5 MW |
728 | break; |
729 | case COND_NAT_THERE: | |
730 | DBG1(DBG_IKE, "remote host is behind NAT"); | |
731 | this->conditions |= COND_NAT_ANY; | |
732 | break; | |
9dae1bed | 733 | case COND_NAT_FAKE: |
f53b74c9 | 734 | DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation"); |
9dae1bed MW |
735 | this->conditions |= COND_NAT_ANY; |
736 | break; | |
2b3100b5 MW |
737 | default: |
738 | break; | |
739 | } | |
2b3100b5 MW |
740 | } |
741 | else | |
742 | { | |
fc2d1c42 | 743 | this->conditions &= ~condition; |
2b3100b5 MW |
744 | switch (condition) |
745 | { | |
fc2d1c42 MW |
746 | case COND_NAT_HERE: |
747 | case COND_NAT_THERE: | |
f9056115 TB |
748 | DBG1(DBG_IKE, "%s host is not behind NAT anymore", |
749 | condition == COND_NAT_HERE ? "local" : "remote"); | |
750 | /* fall-through */ | |
751 | case COND_NAT_FAKE: | |
fc2d1c42 MW |
752 | set_condition(this, COND_NAT_ANY, |
753 | has_condition(this, COND_NAT_HERE) || | |
9dae1bed MW |
754 | has_condition(this, COND_NAT_THERE) || |
755 | has_condition(this, COND_NAT_FAKE)); | |
fc2d1c42 | 756 | break; |
34f7d3b7 | 757 | case COND_STALE: |
efd7fa7b | 758 | send_keepalive(this, FALSE); |
34f7d3b7 | 759 | break; |
2b3100b5 MW |
760 | default: |
761 | break; | |
762 | } | |
2b3100b5 MW |
763 | } |
764 | } | |
765 | } | |
fe04e93a | 766 | |
8bced61b MW |
767 | METHOD(ike_sa_t, send_dpd, status_t, |
768 | private_ike_sa_t *this) | |
fdb9b2bd | 769 | { |
6554b5e4 | 770 | job_t *job; |
fdb9b2bd | 771 | time_t diff, delay; |
bcf8cdd5 | 772 | bool task_queued = FALSE; |
7daf5226 | 773 | |
916cdca8 MW |
774 | if (this->state == IKE_PASSIVE) |
775 | { | |
776 | return INVALID_STATE; | |
777 | } | |
f15c85a4 TB |
778 | if (this->version == IKEV1 && this->state == IKE_REKEYING) |
779 | { /* don't send DPDs for rekeyed IKEv1 SAs */ | |
780 | return SUCCESS; | |
781 | } | |
96926b00 | 782 | delay = this->peer_cfg->get_dpd(this->peer_cfg); |
fdb9b2bd MW |
783 | if (this->task_manager->busy(this->task_manager)) |
784 | { | |
785 | /* an exchange is in the air, no need to start a DPD check */ | |
786 | diff = 0; | |
787 | } | |
788 | else | |
789 | { | |
790 | /* check if there was any inbound traffic */ | |
791 | time_t last_in, now; | |
792 | last_in = get_use_time(this, TRUE); | |
6180a558 | 793 | now = time_monotonic(NULL); |
fdb9b2bd | 794 | diff = now - last_in; |
6c2d466b | 795 | if (!delay || diff >= delay) |
fdb9b2bd | 796 | { |
bcf8cdd5 | 797 | /* too long ago, initiate dead peer detection */ |
fdb9b2bd | 798 | DBG1(DBG_IKE, "sending DPD request"); |
244d715d | 799 | this->task_manager->queue_dpd(this->task_manager); |
bcf8cdd5 | 800 | task_queued = TRUE; |
244d715d | 801 | diff = 0; |
fdb9b2bd MW |
802 | } |
803 | } | |
804 | /* recheck in "interval" seconds */ | |
6c2d466b MW |
805 | if (delay) |
806 | { | |
807 | job = (job_t*)send_dpd_job_create(this->ike_sa_id); | |
808 | lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); | |
809 | } | |
bcf8cdd5 TB |
810 | if (task_queued) |
811 | { | |
812 | return this->task_manager->initiate(this->task_manager); | |
813 | } | |
814 | return SUCCESS; | |
fdb9b2bd MW |
815 | } |
816 | ||
8bced61b MW |
817 | METHOD(ike_sa_t, get_state, ike_sa_state_t, |
818 | private_ike_sa_t *this) | |
fdb9b2bd MW |
819 | { |
820 | return this->state; | |
821 | } | |
822 | ||
8bced61b MW |
823 | METHOD(ike_sa_t, set_state, void, |
824 | private_ike_sa_t *this, ike_sa_state_t state) | |
fdb9b2bd | 825 | { |
edaba56e | 826 | bool trigger_dpd = FALSE, keepalives = FALSE; |
85dd6a8d | 827 | |
98ba96f1 | 828 | DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N", |
51c8f826 | 829 | get_name(this), this->unique_id, |
fdb9b2bd MW |
830 | ike_sa_state_names, this->state, |
831 | ike_sa_state_names, state); | |
7daf5226 | 832 | |
0f33e826 | 833 | switch (state) |
fdb9b2bd | 834 | { |
0f33e826 | 835 | case IKE_ESTABLISHED: |
fdb9b2bd | 836 | { |
405cc1d9 MW |
837 | if (this->state == IKE_CONNECTING || |
838 | this->state == IKE_PASSIVE) | |
0f33e826 MW |
839 | { |
840 | job_t *job; | |
b12c53ce | 841 | uint32_t t; |
7daf5226 | 842 | |
ee614711 | 843 | /* calculate rekey, reauth and lifetime */ |
6180a558 | 844 | this->stats[STAT_ESTABLISHED] = time_monotonic(NULL); |
7daf5226 | 845 | |
ee614711 MW |
846 | /* schedule rekeying if we have a time which is smaller than |
847 | * an already scheduled rekeying */ | |
d08269c7 | 848 | t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE); |
484a06bc | 849 | if (t && (this->stats[STAT_REKEY] == 0 || |
85ac2fa5 | 850 | (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED]))) |
0f33e826 | 851 | { |
85ac2fa5 | 852 | this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED]; |
ee614711 | 853 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE); |
bb381e26 | 854 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 | 855 | DBG1(DBG_IKE, "scheduling rekeying in %ds", t); |
0f33e826 | 856 | } |
d08269c7 | 857 | t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE); |
484a06bc | 858 | if (t && (this->stats[STAT_REAUTH] == 0 || |
85ac2fa5 | 859 | (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED]))) |
ee614711 | 860 | { |
85ac2fa5 | 861 | this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED]; |
ee614711 | 862 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE); |
bb381e26 | 863 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 MW |
864 | DBG1(DBG_IKE, "scheduling reauthentication in %ds", t); |
865 | } | |
866 | t = this->peer_cfg->get_over_time(this->peer_cfg); | |
85ac2fa5 | 867 | if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH]) |
0f33e826 | 868 | { |
85ac2fa5 | 869 | if (this->stats[STAT_REAUTH] == 0) |
ee614711 | 870 | { |
85ac2fa5 | 871 | this->stats[STAT_DELETE] = this->stats[STAT_REKEY]; |
ee614711 | 872 | } |
85ac2fa5 | 873 | else if (this->stats[STAT_REKEY] == 0) |
ee614711 | 874 | { |
85ac2fa5 | 875 | this->stats[STAT_DELETE] = this->stats[STAT_REAUTH]; |
ee614711 MW |
876 | } |
877 | else | |
878 | { | |
85ac2fa5 MW |
879 | this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY], |
880 | this->stats[STAT_REAUTH]); | |
ee614711 | 881 | } |
85ac2fa5 MW |
882 | this->stats[STAT_DELETE] += t; |
883 | t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED]; | |
0f33e826 | 884 | job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); |
bb381e26 | 885 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 | 886 | DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t); |
0f33e826 | 887 | } |
85dd6a8d | 888 | trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg); |
b76e96e2 MW |
889 | if (trigger_dpd) |
890 | { | |
891 | /* Some peers delay the DELETE after rekeying an IKE_SA. | |
892 | * If this delay is longer than our DPD delay, we would | |
893 | * send a DPD request here. The IKE_SA is not ready to do | |
894 | * so yet, so prevent that. */ | |
895 | this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED]; | |
896 | } | |
edaba56e TE |
897 | if (this->state == IKE_PASSIVE) |
898 | { | |
899 | keepalives = TRUE; | |
900 | } | |
e4af6e6b TB |
901 | DESTROY_IF(this->redirected_from); |
902 | this->redirected_from = NULL; | |
0f33e826 MW |
903 | } |
904 | break; | |
fdb9b2bd | 905 | } |
0f33e826 MW |
906 | default: |
907 | break; | |
fdb9b2bd | 908 | } |
a985db3f | 909 | charon->bus->ike_state_change(charon->bus, &this->public, state); |
fdb9b2bd | 910 | this->state = state; |
85dd6a8d MW |
911 | |
912 | if (trigger_dpd) | |
913 | { | |
f98af1dd MW |
914 | if (supports_extension(this, EXT_DPD)) |
915 | { | |
916 | send_dpd(this); | |
917 | } | |
918 | else | |
919 | { | |
920 | DBG1(DBG_IKE, "DPD not supported by peer, disabled"); | |
921 | } | |
85dd6a8d | 922 | } |
edaba56e TE |
923 | if (keepalives) |
924 | { | |
efd7fa7b | 925 | send_keepalive(this, FALSE); |
edaba56e | 926 | } |
fdb9b2bd MW |
927 | } |
928 | ||
8bced61b | 929 | METHOD(ike_sa_t, reset, void, |
c3539961 | 930 | private_ike_sa_t *this, bool new_spi) |
fdb9b2bd | 931 | { |
c3539961 TB |
932 | /* reset the initiator SPI if requested */ |
933 | if (new_spi) | |
934 | { | |
935 | charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager, | |
936 | &this->public); | |
3a54206c TB |
937 | |
938 | /* when starting from scratch, connect to the original peer again e.g. | |
939 | * if we got redirected but weren't able to connect successfully */ | |
940 | if (this->redirected_from) | |
941 | { | |
942 | this->redirected_from->destroy(this->redirected_from); | |
943 | this->redirected_from = NULL; | |
944 | /* we can't restore the original value, if there was any */ | |
945 | DESTROY_IF(this->remote_host); | |
946 | this->remote_host = NULL; | |
947 | } | |
c3539961 TB |
948 | } |
949 | /* the responder ID is reset, as peer may choose another one */ | |
fdb9b2bd MW |
950 | if (this->ike_sa_id->is_initiator(this->ike_sa_id)) |
951 | { | |
952 | this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0); | |
953 | } | |
7daf5226 | 954 | |
fdb9b2bd | 955 | set_state(this, IKE_CREATED); |
7daf5226 | 956 | |
550d9085 MW |
957 | flush_auth_cfgs(this); |
958 | ||
959 | this->keymat->destroy(this->keymat); | |
4b64a1a1 TB |
960 | this->keymat = keymat_create(this->version, |
961 | this->ike_sa_id->is_initiator(this->ike_sa_id)); | |
550d9085 | 962 | |
b09ca747 | 963 | this->task_manager->reset(this->task_manager, 0, 0); |
d9fe0ec7 | 964 | this->task_manager->queue_ike(this->task_manager); |
fdb9b2bd MW |
965 | } |
966 | ||
8bced61b MW |
967 | METHOD(ike_sa_t, get_keymat, keymat_t*, |
968 | private_ike_sa_t *this) | |
6a4ff35c MW |
969 | { |
970 | return this->keymat; | |
971 | } | |
972 | ||
101d26ba | 973 | METHOD(ike_sa_t, add_virtual_ip, void, |
8bced61b | 974 | private_ike_sa_t *this, bool local, host_t *ip) |
c532d646 MW |
975 | { |
976 | if (local) | |
977 | { | |
b185cdd1 MW |
978 | char *iface; |
979 | ||
8394ea2a TB |
980 | if (charon->kernel->get_interface(charon->kernel, this->my_host, |
981 | &iface)) | |
c532d646 | 982 | { |
b185cdd1 | 983 | DBG1(DBG_IKE, "installing new virtual IP %H", ip); |
8394ea2a TB |
984 | if (charon->kernel->add_ip(charon->kernel, ip, -1, |
985 | iface) == SUCCESS) | |
b185cdd1 | 986 | { |
893da041 | 987 | array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip)); |
b185cdd1 MW |
988 | } |
989 | else | |
990 | { | |
991 | DBG1(DBG_IKE, "installing virtual IP %H failed", ip); | |
992 | } | |
993 | free(iface); | |
c532d646 MW |
994 | } |
995 | else | |
996 | { | |
b185cdd1 | 997 | DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip); |
c532d646 MW |
998 | } |
999 | } | |
1000 | else | |
1001 | { | |
893da041 | 1002 | array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip)); |
c532d646 MW |
1003 | } |
1004 | } | |
1005 | ||
d2e8f20d TB |
1006 | |
1007 | METHOD(ike_sa_t, clear_virtual_ips, void, | |
1008 | private_ike_sa_t *this, bool local) | |
1009 | { | |
893da041 | 1010 | array_t *vips; |
d2e8f20d TB |
1011 | host_t *vip; |
1012 | ||
893da041 MW |
1013 | vips = local ? this->my_vips : this->other_vips; |
1014 | if (!local && array_count(vips)) | |
12fa1784 AS |
1015 | { |
1016 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); | |
1017 | } | |
893da041 | 1018 | while (array_remove(vips, ARRAY_HEAD, &vip)) |
d2e8f20d TB |
1019 | { |
1020 | if (local) | |
1021 | { | |
8394ea2a | 1022 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
d2e8f20d TB |
1023 | } |
1024 | vip->destroy(vip); | |
1025 | } | |
1026 | } | |
1027 | ||
101d26ba | 1028 | METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*, |
8bced61b | 1029 | private_ike_sa_t *this, bool local) |
c532d646 MW |
1030 | { |
1031 | if (local) | |
1032 | { | |
893da041 | 1033 | return array_create_enumerator(this->my_vips); |
c532d646 | 1034 | } |
893da041 | 1035 | return array_create_enumerator(this->other_vips); |
c532d646 MW |
1036 | } |
1037 | ||
94bbc602 | 1038 | METHOD(ike_sa_t, add_peer_address, void, |
8bced61b | 1039 | private_ike_sa_t *this, host_t *host) |
c532d646 | 1040 | { |
893da041 | 1041 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, host); |
c532d646 | 1042 | } |
7daf5226 | 1043 | |
94bbc602 | 1044 | METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*, |
8bced61b | 1045 | private_ike_sa_t *this) |
c532d646 | 1046 | { |
893da041 | 1047 | if (this->peer_addresses) |
12715f19 | 1048 | { |
893da041 | 1049 | return array_create_enumerator(this->peer_addresses); |
12715f19 TB |
1050 | } |
1051 | /* in case we don't have MOBIKE */ | |
1052 | return enumerator_create_single(this->other_host, NULL); | |
572abc6c TB |
1053 | } |
1054 | ||
94bbc602 | 1055 | METHOD(ike_sa_t, clear_peer_addresses, void, |
572abc6c TB |
1056 | private_ike_sa_t *this) |
1057 | { | |
893da041 MW |
1058 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); |
1059 | this->peer_addresses = NULL; | |
c532d646 | 1060 | } |
9d9a772e | 1061 | |
8bced61b MW |
1062 | METHOD(ike_sa_t, has_mapping_changed, bool, |
1063 | private_ike_sa_t *this, chunk_t hash) | |
9d9a772e MW |
1064 | { |
1065 | if (this->nat_detection_dest.ptr == NULL) | |
1066 | { | |
1067 | this->nat_detection_dest = chunk_clone(hash); | |
1068 | return FALSE; | |
1069 | } | |
1070 | if (chunk_equals(hash, this->nat_detection_dest)) | |
1071 | { | |
1072 | return FALSE; | |
1073 | } | |
1074 | free(this->nat_detection_dest.ptr); | |
1075 | this->nat_detection_dest = chunk_clone(hash); | |
1076 | return TRUE; | |
1077 | } | |
1078 | ||
277f02ce TB |
1079 | METHOD(ike_sa_t, float_ports, void, |
1080 | private_ike_sa_t *this) | |
1081 | { | |
85bfab62 TB |
1082 | /* even if the remote port is not 500 (e.g. because the response was natted) |
1083 | * we switch the remote port if we used port 500 */ | |
1084 | if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT || | |
1085 | this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT) | |
1086 | { | |
1087 | this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); | |
1088 | } | |
b223d517 TB |
1089 | if (this->my_host->get_port(this->my_host) == |
1090 | charon->socket->get_port(charon->socket, FALSE)) | |
277f02ce | 1091 | { |
b223d517 TB |
1092 | this->my_host->set_port(this->my_host, |
1093 | charon->socket->get_port(charon->socket, TRUE)); | |
277f02ce | 1094 | } |
277f02ce TB |
1095 | } |
1096 | ||
8bced61b | 1097 | METHOD(ike_sa_t, update_hosts, void, |
2082417d | 1098 | private_ike_sa_t *this, host_t *me, host_t *other, bool force) |
0fdc3c7f | 1099 | { |
2b3100b5 | 1100 | bool update = FALSE; |
7daf5226 | 1101 | |
2b3100b5 | 1102 | if (me == NULL) |
8dfbe71b | 1103 | { |
2b3100b5 | 1104 | me = this->my_host; |
8dfbe71b | 1105 | } |
2b3100b5 | 1106 | if (other == NULL) |
3dd3c5f3 | 1107 | { |
2b3100b5 | 1108 | other = this->other_host; |
3dd3c5f3 | 1109 | } |
7daf5226 | 1110 | |
2b3100b5 MW |
1111 | /* apply hosts on first received message */ |
1112 | if (this->my_host->is_anyaddr(this->my_host) || | |
1113 | this->other_host->is_anyaddr(this->other_host)) | |
3dd3c5f3 | 1114 | { |
2b3100b5 MW |
1115 | set_my_host(this, me->clone(me)); |
1116 | set_other_host(this, other->clone(other)); | |
1117 | update = TRUE; | |
3dd3c5f3 MW |
1118 | } |
1119 | else | |
1120 | { | |
2b3100b5 | 1121 | /* update our address in any case */ |
21dd4c4b | 1122 | if (force && !me->equals(me, this->my_host)) |
3dd3c5f3 | 1123 | { |
e1fe2781 | 1124 | charon->bus->ike_update(charon->bus, &this->public, TRUE, me); |
2b3100b5 MW |
1125 | set_my_host(this, me->clone(me)); |
1126 | update = TRUE; | |
3dd3c5f3 | 1127 | } |
7daf5226 | 1128 | |
472156ee TB |
1129 | if (!other->equals(other, this->other_host) && |
1130 | (force || has_condition(this, COND_NAT_THERE))) | |
3dd3c5f3 | 1131 | { |
472156ee TB |
1132 | /* only update other's address if we are behind a static NAT, |
1133 | * which we assume is the case if we are not initiator */ | |
1134 | if (force || | |
1135 | (!has_condition(this, COND_NAT_HERE) || | |
1136 | !has_condition(this, COND_ORIGINAL_INITIATOR))) | |
2b3100b5 | 1137 | { |
e1fe2781 | 1138 | charon->bus->ike_update(charon->bus, &this->public, FALSE, other); |
2b3100b5 MW |
1139 | set_other_host(this, other->clone(other)); |
1140 | update = TRUE; | |
1141 | } | |
3dd3c5f3 MW |
1142 | } |
1143 | } | |
7daf5226 | 1144 | |
2b3100b5 MW |
1145 | /* update all associated CHILD_SAs, if required */ |
1146 | if (update) | |
3dd3c5f3 | 1147 | { |
e2630434 | 1148 | enumerator_t *enumerator; |
2b3100b5 | 1149 | child_sa_t *child_sa; |
893da041 | 1150 | linked_list_t *vips; |
7daf5226 | 1151 | |
893da041 MW |
1152 | vips = linked_list_create_from_enumerator( |
1153 | array_create_enumerator(this->my_vips)); | |
1154 | ||
1155 | enumerator = array_create_enumerator(this->child_sas); | |
1156 | while (enumerator->enumerate(enumerator, &child_sa)) | |
2b3100b5 | 1157 | { |
38227d0e MW |
1158 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
1159 | charon->child_sa_manager->add(charon->child_sa_manager, | |
1160 | child_sa, &this->public); | |
1161 | ||
893da041 MW |
1162 | if (child_sa->update(child_sa, this->my_host, this->other_host, |
1163 | vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED) | |
ea625fab TB |
1164 | { |
1165 | this->public.rekey_child_sa(&this->public, | |
1166 | child_sa->get_protocol(child_sa), | |
1167 | child_sa->get_spi(child_sa, TRUE)); | |
1168 | } | |
38227d0e | 1169 | |
2b3100b5 | 1170 | } |
e2630434 | 1171 | enumerator->destroy(enumerator); |
893da041 MW |
1172 | |
1173 | vips->destroy(vips); | |
3dd3c5f3 | 1174 | } |
8d77edde MW |
1175 | } |
1176 | ||
5b15bd5f MW |
1177 | /** |
1178 | * Set configured DSCP value on packet | |
1179 | */ | |
1180 | static void set_dscp(private_ike_sa_t *this, packet_t *packet) | |
1181 | { | |
1182 | ike_cfg_t *ike_cfg; | |
1183 | ||
1184 | /* prefer IKE config on peer_cfg, as its selection is more accurate | |
1185 | * then the initial IKE config */ | |
1186 | if (this->peer_cfg) | |
1187 | { | |
1188 | ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg); | |
1189 | } | |
1190 | else | |
1191 | { | |
1192 | ike_cfg = this->ike_cfg; | |
1193 | } | |
1194 | if (ike_cfg) | |
1195 | { | |
1196 | packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg)); | |
1197 | } | |
1198 | } | |
1199 | ||
8bced61b MW |
1200 | METHOD(ike_sa_t, generate_message, status_t, |
1201 | private_ike_sa_t *this, message_t *message, packet_t **packet) | |
8d77edde | 1202 | { |
47b8f6ef MW |
1203 | status_t status; |
1204 | ||
9ca5d028 | 1205 | if (message->is_encoded(message)) |
5b15bd5f | 1206 | { /* already encoded in task, but set DSCP value */ |
9ca5d028 | 1207 | *packet = message->get_packet(message); |
5b15bd5f | 1208 | set_dscp(this, *packet); |
9ca5d028 MW |
1209 | return SUCCESS; |
1210 | } | |
6180a558 | 1211 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
c60c7694 | 1212 | message->set_ike_sa_id(message, this->ike_sa_id); |
47b8f6ef MW |
1213 | charon->bus->message(charon->bus, message, FALSE, TRUE); |
1214 | status = message->generate(message, this->keymat, packet); | |
1215 | if (status == SUCCESS) | |
c60c7694 | 1216 | { |
5b15bd5f | 1217 | set_dscp(this, *packet); |
47b8f6ef | 1218 | charon->bus->message(charon->bus, message, FALSE, FALSE); |
b9d9f188 | 1219 | } |
47b8f6ef | 1220 | return status; |
3dd3c5f3 MW |
1221 | } |
1222 | ||
525cc46c TB |
1223 | CALLBACK(filter_fragments, bool, |
1224 | private_ike_sa_t *this, enumerator_t *orig, va_list args) | |
40bab9a1 | 1225 | { |
525cc46c TB |
1226 | packet_t *fragment, **packet; |
1227 | ||
1228 | VA_ARGS_VGET(args, packet); | |
1229 | ||
1230 | if (orig->enumerate(orig, &fragment)) | |
1231 | { | |
1232 | *packet = fragment->clone(fragment); | |
1233 | set_dscp(this, *packet); | |
1234 | return TRUE; | |
1235 | } | |
1236 | return FALSE; | |
40bab9a1 TB |
1237 | } |
1238 | ||
1239 | METHOD(ike_sa_t, generate_message_fragmented, status_t, | |
1240 | private_ike_sa_t *this, message_t *message, enumerator_t **packets) | |
1241 | { | |
1242 | enumerator_t *fragments; | |
1243 | packet_t *packet; | |
1244 | status_t status; | |
1245 | bool use_frags = FALSE; | |
e35bb6e9 | 1246 | bool pre_generated = FALSE; |
40bab9a1 | 1247 | |
1446fd8a | 1248 | if (this->ike_cfg) |
40bab9a1 TB |
1249 | { |
1250 | switch (this->ike_cfg->fragmentation(this->ike_cfg)) | |
1251 | { | |
1252 | case FRAGMENTATION_FORCE: | |
1253 | use_frags = TRUE; | |
1254 | break; | |
1255 | case FRAGMENTATION_YES: | |
1256 | use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION); | |
05db0f97 VR |
1257 | if (use_frags && this->version == IKEV1 && |
1258 | supports_extension(this, EXT_MS_WINDOWS)) | |
1259 | { | |
1260 | /* It seems Windows 7 and 8 peers only accept proprietary | |
1261 | * fragmented messages if they expect certificates. */ | |
1262 | use_frags = message->get_payload(message, | |
1263 | PLV1_CERTIFICATE) != NULL; | |
1264 | } | |
40bab9a1 TB |
1265 | break; |
1266 | default: | |
1267 | break; | |
1268 | } | |
1269 | } | |
1270 | if (!use_frags) | |
1271 | { | |
1272 | status = generate_message(this, message, &packet); | |
1273 | if (status != SUCCESS) | |
1274 | { | |
1275 | return status; | |
1276 | } | |
1277 | *packets = enumerator_create_single(packet, NULL); | |
1278 | return SUCCESS; | |
1279 | } | |
1280 | ||
e35bb6e9 | 1281 | pre_generated = message->is_encoded(message); |
40bab9a1 TB |
1282 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
1283 | message->set_ike_sa_id(message, this->ike_sa_id); | |
e35bb6e9 TB |
1284 | if (!pre_generated) |
1285 | { | |
1286 | charon->bus->message(charon->bus, message, FALSE, TRUE); | |
1287 | } | |
40bab9a1 TB |
1288 | status = message->fragment(message, this->keymat, this->fragment_size, |
1289 | &fragments); | |
1290 | if (status == SUCCESS) | |
1291 | { | |
e35bb6e9 TB |
1292 | if (!pre_generated) |
1293 | { | |
1294 | charon->bus->message(charon->bus, message, FALSE, FALSE); | |
1295 | } | |
525cc46c | 1296 | *packets = enumerator_create_filter(fragments, filter_fragments, |
40bab9a1 TB |
1297 | this, NULL); |
1298 | } | |
1299 | return status; | |
1300 | } | |
1301 | ||
8bced61b MW |
1302 | METHOD(ike_sa_t, set_kmaddress, void, |
1303 | private_ike_sa_t *this, host_t *local, host_t *remote) | |
d487b4b7 AS |
1304 | { |
1305 | DESTROY_IF(this->local_host); | |
1306 | DESTROY_IF(this->remote_host); | |
1307 | this->local_host = local->clone(local); | |
1308 | this->remote_host = remote->clone(remote); | |
1309 | } | |
1310 | ||
dc04b7c7 | 1311 | #ifdef ME |
8bced61b MW |
1312 | METHOD(ike_sa_t, act_as_mediation_server, void, |
1313 | private_ike_sa_t *this) | |
22452f70 TB |
1314 | { |
1315 | charon->mediation_manager->update_sa_id(charon->mediation_manager, | |
1316 | this->other_id, this->ike_sa_id); | |
1317 | this->is_mediation_server = TRUE; | |
1318 | } | |
1319 | ||
8bced61b MW |
1320 | METHOD(ike_sa_t, get_server_reflexive_host, host_t*, |
1321 | private_ike_sa_t *this) | |
d5cc1758 TB |
1322 | { |
1323 | return this->server_reflexive_host; | |
1324 | } | |
1325 | ||
8bced61b MW |
1326 | METHOD(ike_sa_t, set_server_reflexive_host, void, |
1327 | private_ike_sa_t *this, host_t *host) | |
d5cc1758 TB |
1328 | { |
1329 | DESTROY_IF(this->server_reflexive_host); | |
1330 | this->server_reflexive_host = host; | |
1331 | } | |
1332 | ||
8bced61b MW |
1333 | METHOD(ike_sa_t, get_connect_id, chunk_t, |
1334 | private_ike_sa_t *this) | |
9c2a905d TB |
1335 | { |
1336 | return this->connect_id; | |
1337 | } | |
1338 | ||
8bced61b MW |
1339 | METHOD(ike_sa_t, respond, status_t, |
1340 | private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id) | |
d5cc1758 | 1341 | { |
dc04b7c7 TB |
1342 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1343 | task->respond(task, peer_id, connect_id); | |
d5cc1758 TB |
1344 | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1345 | return this->task_manager->initiate(this->task_manager); | |
1346 | } | |
1347 | ||
8bced61b MW |
1348 | METHOD(ike_sa_t, callback, status_t, |
1349 | private_ike_sa_t *this, identification_t *peer_id) | |
d5cc1758 | 1350 | { |
dc04b7c7 | 1351 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
d5cc1758 TB |
1352 | task->callback(task, peer_id); |
1353 | this->task_manager->queue_task(this->task_manager, (task_t*)task); | |
1354 | return this->task_manager->initiate(this->task_manager); | |
1355 | } | |
1356 | ||
8bced61b MW |
1357 | METHOD(ike_sa_t, relay, status_t, |
1358 | private_ike_sa_t *this, identification_t *requester, chunk_t connect_id, | |
1359 | chunk_t connect_key, linked_list_t *endpoints, bool response) | |
d5cc1758 | 1360 | { |
dc04b7c7 TB |
1361 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1362 | task->relay(task, requester, connect_id, connect_key, endpoints, response); | |
d5cc1758 TB |
1363 | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1364 | return this->task_manager->initiate(this->task_manager); | |
1365 | } | |
1366 | ||
8bced61b MW |
1367 | METHOD(ike_sa_t, initiate_mediation, status_t, |
1368 | private_ike_sa_t *this, peer_cfg_t *mediated_cfg) | |
d5cc1758 | 1369 | { |
dc04b7c7 | 1370 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
d5cc1758 TB |
1371 | task->connect(task, mediated_cfg->get_peer_id(mediated_cfg)); |
1372 | this->task_manager->queue_task(this->task_manager, (task_t*)task); | |
1373 | return this->task_manager->initiate(this->task_manager); | |
1374 | } | |
1375 | ||
8bced61b MW |
1376 | METHOD(ike_sa_t, initiate_mediated, status_t, |
1377 | private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id) | |
d5cc1758 | 1378 | { |
471f9230 TB |
1379 | set_my_host(this, me->clone(me)); |
1380 | set_other_host(this, other->clone(other)); | |
4a6474c2 | 1381 | chunk_free(&this->connect_id); |
9c2a905d | 1382 | this->connect_id = chunk_clone(connect_id); |
d5cc1758 TB |
1383 | return this->task_manager->initiate(this->task_manager); |
1384 | } | |
dc04b7c7 | 1385 | #endif /* ME */ |
d5cc1758 | 1386 | |
5a22a021 MW |
1387 | /** |
1388 | * Resolve DNS host in configuration | |
1389 | */ | |
1390 | static void resolve_hosts(private_ike_sa_t *this) | |
1391 | { | |
1392 | host_t *host; | |
0edce687 | 1393 | int family = AF_UNSPEC; |
bf92887a TB |
1394 | |
1395 | switch (charon->socket->supported_families(charon->socket)) | |
1396 | { | |
1397 | case SOCKET_FAMILY_IPV4: | |
1398 | family = AF_INET; | |
1399 | break; | |
1400 | case SOCKET_FAMILY_IPV6: | |
1401 | family = AF_INET6; | |
1402 | break; | |
1403 | case SOCKET_FAMILY_BOTH: | |
1404 | case SOCKET_FAMILY_NONE: | |
1405 | break; | |
1406 | } | |
7daf5226 | 1407 | |
a11048ad TB |
1408 | /* if an IP address is set locally, use the same family to resolve remote */ |
1409 | if (family == AF_UNSPEC && !this->remote_host) | |
1410 | { | |
1411 | if (this->local_host) | |
1412 | { | |
1413 | family = this->local_host->get_family(this->local_host); | |
1414 | } | |
1415 | else | |
1416 | { | |
1417 | family = ike_cfg_get_family(this->ike_cfg, TRUE); | |
1418 | } | |
1419 | } | |
1420 | ||
d487b4b7 AS |
1421 | if (this->remote_host) |
1422 | { | |
1423 | host = this->remote_host->clone(this->remote_host); | |
1424 | host->set_port(host, IKEV2_UDP_PORT); | |
1425 | } | |
1426 | else | |
1427 | { | |
0edce687 | 1428 | host = this->ike_cfg->resolve_other(this->ike_cfg, family); |
d487b4b7 | 1429 | } |
5a22a021 MW |
1430 | if (host) |
1431 | { | |
6f7a3b33 TB |
1432 | if (!host->is_anyaddr(host) || |
1433 | this->other_host->is_anyaddr(this->other_host)) | |
1434 | { /* don't set to %any if we currently have an address, but the | |
1435 | * address family might have changed */ | |
1436 | set_other_host(this, host); | |
1437 | } | |
faebdeac | 1438 | else |
2d14cb4d TB |
1439 | { /* reuse the original port as some implementations might not like |
1440 | * initial IKE messages on other ports */ | |
1441 | this->other_host->set_port(this->other_host, host->get_port(host)); | |
faebdeac TB |
1442 | host->destroy(host); |
1443 | } | |
5a22a021 | 1444 | } |
7daf5226 | 1445 | |
d487b4b7 | 1446 | if (this->local_host) |
e7991a2e | 1447 | { |
d487b4b7 | 1448 | host = this->local_host->clone(this->local_host); |
b223d517 | 1449 | host->set_port(host, charon->socket->get_port(charon->socket, FALSE)); |
d487b4b7 AS |
1450 | } |
1451 | else | |
1452 | { | |
c6a8990b MW |
1453 | /* use same address family as for other */ |
1454 | if (!this->other_host->is_anyaddr(this->other_host)) | |
1455 | { | |
1456 | family = this->other_host->get_family(this->other_host); | |
1457 | } | |
0edce687 | 1458 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
7daf5226 | 1459 | |
d487b4b7 AS |
1460 | if (host && host->is_anyaddr(host) && |
1461 | !this->other_host->is_anyaddr(this->other_host)) | |
5353f22e | 1462 | { |
d487b4b7 | 1463 | host->destroy(host); |
8394ea2a TB |
1464 | host = charon->kernel->get_source_addr(charon->kernel, |
1465 | this->other_host, NULL); | |
d487b4b7 AS |
1466 | if (host) |
1467 | { | |
cc2eadde | 1468 | host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg)); |
d487b4b7 | 1469 | } |
9717826f MW |
1470 | else |
1471 | { /* fallback to address family specific %any(6), if configured */ | |
0edce687 | 1472 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
9717826f | 1473 | } |
5353f22e | 1474 | } |
e7991a2e | 1475 | } |
5a22a021 MW |
1476 | if (host) |
1477 | { | |
e7991a2e | 1478 | set_my_host(this, host); |
5a22a021 MW |
1479 | } |
1480 | } | |
1481 | ||
8bced61b | 1482 | METHOD(ike_sa_t, initiate, status_t, |
b12c53ce | 1483 | private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid, |
8bced61b | 1484 | traffic_selector_t *tsi, traffic_selector_t *tsr) |
aad398a7 | 1485 | { |
60c82591 TB |
1486 | bool defer_initiate = FALSE; |
1487 | ||
c60c7694 | 1488 | if (this->state == IKE_CREATED) |
c0593835 | 1489 | { |
a994050e MW |
1490 | if (this->my_host->is_anyaddr(this->my_host) || |
1491 | this->other_host->is_anyaddr(this->other_host)) | |
1492 | { | |
1493 | resolve_hosts(this); | |
1494 | } | |
7daf5226 | 1495 | |
d5cc1758 | 1496 | if (this->other_host->is_anyaddr(this->other_host) |
dc04b7c7 | 1497 | #ifdef ME |
d5cc1758 | 1498 | && !this->peer_cfg->get_mediated_by(this->peer_cfg) |
dc04b7c7 | 1499 | #endif /* ME */ |
d5cc1758 | 1500 | ) |
128ca073 | 1501 | { |
0edce687 MW |
1502 | char *addr; |
1503 | ||
be8af56e | 1504 | addr = this->ike_cfg->get_other_addr(this->ike_cfg); |
53d2164c | 1505 | if (!this->retry_initiate_interval) |
60c82591 | 1506 | { |
53d2164c TB |
1507 | DBG1(DBG_IKE, "unable to resolve %s, initiate aborted", |
1508 | addr); | |
60c82591 TB |
1509 | DESTROY_IF(child_cfg); |
1510 | charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED); | |
1511 | return DESTROY_ME; | |
1512 | } | |
1513 | DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds", | |
1514 | addr, this->retry_initiate_interval); | |
1515 | defer_initiate = TRUE; | |
128ca073 | 1516 | } |
7daf5226 | 1517 | |
faf9569f | 1518 | set_condition(this, COND_ORIGINAL_INITIATOR, TRUE); |
a60daa07 | 1519 | this->task_manager->queue_ike(this->task_manager); |
d5cc1758 TB |
1520 | } |
1521 | ||
dc04b7c7 | 1522 | #ifdef ME |
4a6474c2 | 1523 | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
f967db31 TB |
1524 | { |
1525 | if (this->state == IKE_ESTABLISHED) | |
1526 | { | |
484a06bc TB |
1527 | /* mediation connection is already established, retrigger state |
1528 | * change to notify bus listeners */ | |
f967db31 TB |
1529 | DBG1(DBG_IKE, "mediation connection is already up"); |
1530 | set_state(this, IKE_ESTABLISHED); | |
1531 | } | |
c3f803c4 | 1532 | DESTROY_IF(child_cfg); |
d5cc1758 TB |
1533 | } |
1534 | else | |
dc04b7c7 | 1535 | #endif /* ME */ |
9c64f214 | 1536 | if (child_cfg) |
d5cc1758 | 1537 | { |
38951252 | 1538 | /* normal IKE_SA with CHILD_SA */ |
fe43d9a2 MW |
1539 | this->task_manager->queue_child(this->task_manager, child_cfg, reqid, |
1540 | tsi, tsr); | |
4a6474c2 TB |
1541 | #ifdef ME |
1542 | if (this->peer_cfg->get_mediated_by(this->peer_cfg)) | |
1543 | { | |
1544 | /* mediated connection, initiate mediation process */ | |
1545 | job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id); | |
bb381e26 | 1546 | lib->processor->queue_job(lib->processor, job); |
4a6474c2 TB |
1547 | return SUCCESS; |
1548 | } | |
1549 | #endif /* ME */ | |
c60c7694 | 1550 | } |
7daf5226 | 1551 | |
60c82591 TB |
1552 | if (defer_initiate) |
1553 | { | |
77e42826 TB |
1554 | if (!this->retry_initiate_queued) |
1555 | { | |
1556 | job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id); | |
1557 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, | |
1558 | this->retry_initiate_interval); | |
1559 | this->retry_initiate_queued = TRUE; | |
1560 | } | |
60c82591 TB |
1561 | return SUCCESS; |
1562 | } | |
77e42826 | 1563 | this->retry_initiate_queued = FALSE; |
c60c7694 | 1564 | return this->task_manager->initiate(this->task_manager); |
aad398a7 JH |
1565 | } |
1566 | ||
77e42826 TB |
1567 | METHOD(ike_sa_t, retry_initiate, status_t, |
1568 | private_ike_sa_t *this) | |
1569 | { | |
1570 | if (this->retry_initiate_queued) | |
1571 | { | |
1572 | this->retry_initiate_queued = FALSE; | |
1573 | return initiate(this, NULL, 0, NULL, NULL); | |
1574 | } | |
1575 | return SUCCESS; | |
1576 | } | |
1577 | ||
8bced61b MW |
1578 | METHOD(ike_sa_t, process_message, status_t, |
1579 | private_ike_sa_t *this, message_t *message) | |
98f97433 MW |
1580 | { |
1581 | status_t status; | |
7daf5226 | 1582 | |
c610f424 MW |
1583 | if (this->state == IKE_PASSIVE) |
1584 | { /* do not handle messages in passive state */ | |
1585 | return FAILED; | |
1586 | } | |
448e2e29 | 1587 | if (message->get_major_version(message) != this->version) |
98f97433 | 1588 | { |
448e2e29 | 1589 | DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA", |
98f97433 | 1590 | exchange_type_names, message->get_exchange_type(message), |
448e2e29 MW |
1591 | message->get_major_version(message), |
1592 | ike_version_names, this->version); | |
1593 | /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1 | |
1594 | * INVALID_MAJOR_VERSION on an IKEv2 SA. */ | |
1595 | return FAILED; | |
98f97433 | 1596 | } |
68c6863b | 1597 | status = this->task_manager->process_message(this->task_manager, message); |
b24b73b7 | 1598 | if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED) |
98f97433 | 1599 | { |
e41adf5f TB |
1600 | /* authentication completed but if the online validation is suspended we |
1601 | * need the auth cfgs until we did the delayed verification, we flush | |
1602 | * them afterwards */ | |
1603 | if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED)) | |
1604 | { | |
1605 | this->flush_auth_cfg = FALSE; | |
1606 | flush_auth_cfgs(this); | |
1607 | } | |
98f97433 | 1608 | } |
44ce7493 | 1609 | return status; |
98f97433 | 1610 | } |
8dfbe71b | 1611 | |
8bced61b MW |
1612 | METHOD(ike_sa_t, get_id, ike_sa_id_t*, |
1613 | private_ike_sa_t *this) | |
0df63d6b | 1614 | { |
8dfbe71b | 1615 | return this->ike_sa_id; |
0df63d6b JH |
1616 | } |
1617 | ||
0b611540 TB |
1618 | METHOD(ike_sa_t, get_version, ike_version_t, |
1619 | private_ike_sa_t *this) | |
1620 | { | |
1621 | return this->version; | |
1622 | } | |
1623 | ||
8bced61b MW |
1624 | METHOD(ike_sa_t, get_my_id, identification_t*, |
1625 | private_ike_sa_t *this) | |
0fdc3c7f | 1626 | { |
8dfbe71b | 1627 | return this->my_id; |
8d68033e JH |
1628 | } |
1629 | ||
8bced61b MW |
1630 | METHOD(ike_sa_t, set_my_id, void, |
1631 | private_ike_sa_t *this, identification_t *me) | |
8d68033e | 1632 | { |
c0593835 | 1633 | DESTROY_IF(this->my_id); |
8dfbe71b | 1634 | this->my_id = me; |
0fdc3c7f JH |
1635 | } |
1636 | ||
8bced61b MW |
1637 | METHOD(ike_sa_t, get_other_id, identification_t*, |
1638 | private_ike_sa_t *this) | |
30b5b412 | 1639 | { |
8dfbe71b | 1640 | return this->other_id; |
3dd3c5f3 | 1641 | } |
8dfbe71b | 1642 | |
8bced61b MW |
1643 | METHOD(ike_sa_t, get_other_eap_id, identification_t*, |
1644 | private_ike_sa_t *this) | |
045833c7 MW |
1645 | { |
1646 | identification_t *id = NULL, *current; | |
1647 | enumerator_t *enumerator; | |
1648 | auth_cfg_t *cfg; | |
1649 | ||
893da041 | 1650 | enumerator = array_create_enumerator(this->other_auths); |
045833c7 MW |
1651 | while (enumerator->enumerate(enumerator, &cfg)) |
1652 | { | |
1653 | /* prefer EAP-Identity of last round */ | |
1654 | current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY); | |
1655 | if (!current || current->get_type(current) == ID_ANY) | |
beab4a90 MW |
1656 | { |
1657 | current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY); | |
1658 | } | |
1659 | if (!current || current->get_type(current) == ID_ANY) | |
045833c7 MW |
1660 | { |
1661 | current = cfg->get(cfg, AUTH_RULE_IDENTITY); | |
1662 | } | |
1663 | if (current && current->get_type(current) != ID_ANY) | |
1664 | { | |
1665 | id = current; | |
1666 | continue; | |
1667 | } | |
1668 | } | |
1669 | enumerator->destroy(enumerator); | |
1670 | if (id) | |
1671 | { | |
1672 | return id; | |
1673 | } | |
1674 | return this->other_id; | |
1675 | } | |
1676 | ||
8bced61b MW |
1677 | METHOD(ike_sa_t, set_other_id, void, |
1678 | private_ike_sa_t *this, identification_t *other) | |
3dd3c5f3 | 1679 | { |
c0593835 | 1680 | DESTROY_IF(this->other_id); |
8dfbe71b | 1681 | this->other_id = other; |
30b5b412 MW |
1682 | } |
1683 | ||
dec3c184 TB |
1684 | METHOD(ike_sa_t, get_if_id, uint32_t, |
1685 | private_ike_sa_t *this, bool inbound) | |
1686 | { | |
1687 | return inbound ? this->if_id_in : this->if_id_out; | |
1688 | } | |
1689 | ||
8bced61b MW |
1690 | METHOD(ike_sa_t, add_child_sa, void, |
1691 | private_ike_sa_t *this, child_sa_t *child_sa) | |
32b6500f | 1692 | { |
893da041 | 1693 | array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa); |
38227d0e MW |
1694 | charon->child_sa_manager->add(charon->child_sa_manager, |
1695 | child_sa, &this->public); | |
32b6500f MW |
1696 | } |
1697 | ||
8bced61b | 1698 | METHOD(ike_sa_t, get_child_sa, child_sa_t*, |
b12c53ce | 1699 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound) |
695723d4 | 1700 | { |
e2630434 | 1701 | enumerator_t *enumerator; |
695723d4 | 1702 | child_sa_t *current, *found = NULL; |
7daf5226 | 1703 | |
893da041 | 1704 | enumerator = array_create_enumerator(this->child_sas); |
e2630434 | 1705 | while (enumerator->enumerate(enumerator, (void**)¤t)) |
c60c7694 | 1706 | { |
698d7749 | 1707 | if (current->get_spi(current, inbound) == spi && |
191a26a6 | 1708 | current->get_protocol(current) == protocol) |
695723d4 MW |
1709 | { |
1710 | found = current; | |
1711 | } | |
1712 | } | |
e2630434 | 1713 | enumerator->destroy(enumerator); |
695723d4 | 1714 | return found; |
8d77edde MW |
1715 | } |
1716 | ||
4bbce1ef | 1717 | METHOD(ike_sa_t, get_child_count, int, |
8bced61b | 1718 | private_ike_sa_t *this) |
3183006d | 1719 | { |
893da041 | 1720 | return array_count(this->child_sas); |
4bbce1ef TB |
1721 | } |
1722 | ||
38227d0e MW |
1723 | /** |
1724 | * Private data of a create_child_sa_enumerator() | |
1725 | */ | |
1726 | typedef struct { | |
1727 | /** implements enumerator */ | |
1728 | enumerator_t public; | |
1729 | /** inner array enumerator */ | |
1730 | enumerator_t *inner; | |
1731 | /** current item */ | |
1732 | child_sa_t *current; | |
1733 | } child_enumerator_t; | |
1734 | ||
1735 | METHOD(enumerator_t, child_enumerate, bool, | |
95a63bf2 | 1736 | child_enumerator_t *this, va_list args) |
38227d0e | 1737 | { |
95a63bf2 TB |
1738 | child_sa_t **child_sa; |
1739 | ||
1740 | VA_ARGS_VGET(args, child_sa); | |
38227d0e MW |
1741 | if (this->inner->enumerate(this->inner, &this->current)) |
1742 | { | |
1743 | *child_sa = this->current; | |
1744 | return TRUE; | |
1745 | } | |
1746 | return FALSE; | |
1747 | } | |
1748 | ||
1749 | METHOD(enumerator_t, child_enumerator_destroy, void, | |
1750 | child_enumerator_t *this) | |
1751 | { | |
1752 | this->inner->destroy(this->inner); | |
1753 | free(this); | |
1754 | } | |
1755 | ||
4bbce1ef TB |
1756 | METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*, |
1757 | private_ike_sa_t *this) | |
1758 | { | |
38227d0e MW |
1759 | child_enumerator_t *enumerator; |
1760 | ||
1761 | INIT(enumerator, | |
1762 | .public = { | |
95a63bf2 TB |
1763 | .enumerate = enumerator_enumerate_default, |
1764 | .venumerate = _child_enumerate, | |
38227d0e MW |
1765 | .destroy = _child_enumerator_destroy, |
1766 | }, | |
1767 | .inner = array_create_enumerator(this->child_sas), | |
1768 | ); | |
1769 | return &enumerator->public; | |
4bbce1ef TB |
1770 | } |
1771 | ||
1772 | METHOD(ike_sa_t, remove_child_sa, void, | |
1773 | private_ike_sa_t *this, enumerator_t *enumerator) | |
1774 | { | |
38227d0e MW |
1775 | child_enumerator_t *ce = (child_enumerator_t*)enumerator; |
1776 | ||
1777 | charon->child_sa_manager->remove(charon->child_sa_manager, ce->current); | |
1778 | array_remove_at(this->child_sas, ce->inner); | |
3183006d MW |
1779 | } |
1780 | ||
8bced61b | 1781 | METHOD(ike_sa_t, rekey_child_sa, status_t, |
b12c53ce | 1782 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
8d77edde | 1783 | { |
916cdca8 MW |
1784 | if (this->state == IKE_PASSIVE) |
1785 | { | |
1786 | return INVALID_STATE; | |
1787 | } | |
463a73cc | 1788 | this->task_manager->queue_child_rekey(this->task_manager, protocol, spi); |
394eb35b | 1789 | return this->task_manager->initiate(this->task_manager); |
698d7749 MW |
1790 | } |
1791 | ||
8bced61b | 1792 | METHOD(ike_sa_t, delete_child_sa, status_t, |
b12c53ce | 1793 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired) |
698d7749 | 1794 | { |
916cdca8 MW |
1795 | if (this->state == IKE_PASSIVE) |
1796 | { | |
1797 | return INVALID_STATE; | |
1798 | } | |
3a925f74 MW |
1799 | this->task_manager->queue_child_delete(this->task_manager, |
1800 | protocol, spi, expired); | |
394eb35b | 1801 | return this->task_manager->initiate(this->task_manager); |
698d7749 MW |
1802 | } |
1803 | ||
8bced61b | 1804 | METHOD(ike_sa_t, destroy_child_sa, status_t, |
b12c53ce | 1805 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
698d7749 | 1806 | { |
e2630434 | 1807 | enumerator_t *enumerator; |
698d7749 MW |
1808 | child_sa_t *child_sa; |
1809 | status_t status = NOT_FOUND; | |
7daf5226 | 1810 | |
38227d0e | 1811 | enumerator = create_child_sa_enumerator(this); |
e2630434 | 1812 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
698d7749 MW |
1813 | { |
1814 | if (child_sa->get_protocol(child_sa) == protocol && | |
1815 | child_sa->get_spi(child_sa, TRUE) == spi) | |
1816 | { | |
38227d0e | 1817 | remove_child_sa(this, enumerator); |
698d7749 | 1818 | child_sa->destroy(child_sa); |
698d7749 MW |
1819 | status = SUCCESS; |
1820 | break; | |
1821 | } | |
8d77edde | 1822 | } |
e2630434 | 1823 | enumerator->destroy(enumerator); |
698d7749 | 1824 | return status; |
8d77edde MW |
1825 | } |
1826 | ||
8bced61b | 1827 | METHOD(ike_sa_t, delete_, status_t, |
a79d5103 | 1828 | private_ike_sa_t *this, bool force) |
6fe03b0a | 1829 | { |
a79d5103 TB |
1830 | status_t status = DESTROY_ME; |
1831 | ||
6fe03b0a MW |
1832 | switch (this->state) |
1833 | { | |
3a0b67bc | 1834 | case IKE_ESTABLISHED: |
ebc6445d TB |
1835 | case IKE_REKEYING: |
1836 | if (time_monotonic(NULL) >= this->stats[STAT_DELETE] && | |
1837 | !(this->version == IKEV1 && this->state == IKE_REKEYING)) | |
1838 | { /* IKE_SA hard lifetime hit, ignored for reauthenticated | |
1839 | * IKEv1 SAs */ | |
c45cf904 MW |
1840 | charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED); |
1841 | } | |
3ed148b3 | 1842 | this->task_manager->queue_ike_delete(this->task_manager); |
a79d5103 TB |
1843 | status = this->task_manager->initiate(this->task_manager); |
1844 | break; | |
98f97433 | 1845 | case IKE_CREATED: |
a985db3f | 1846 | DBG1(DBG_IKE, "deleting unestablished IKE_SA"); |
98f97433 | 1847 | break; |
c610f424 MW |
1848 | case IKE_PASSIVE: |
1849 | break; | |
6fe03b0a | 1850 | default: |
a79d5103 TB |
1851 | DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification", |
1852 | ike_sa_state_names, this->state); | |
1853 | force = TRUE; | |
c60c7694 | 1854 | break; |
6fe03b0a | 1855 | } |
a79d5103 TB |
1856 | |
1857 | if (force) | |
1858 | { | |
1859 | status = DESTROY_ME; | |
1860 | ||
1861 | if (this->version == IKEV2) | |
1862 | { /* for IKEv1 we trigger this in the ISAKMP delete task */ | |
1863 | switch (this->state) | |
1864 | { | |
1865 | case IKE_ESTABLISHED: | |
1866 | case IKE_REKEYING: | |
1867 | case IKE_DELETING: | |
1868 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); | |
1869 | default: | |
1870 | break; | |
1871 | } | |
1872 | } | |
1873 | } | |
1874 | return status; | |
6fe03b0a MW |
1875 | } |
1876 | ||
8bced61b MW |
1877 | METHOD(ike_sa_t, rekey, status_t, |
1878 | private_ike_sa_t *this) | |
fe04e93a | 1879 | { |
916cdca8 MW |
1880 | if (this->state == IKE_PASSIVE) |
1881 | { | |
1882 | return INVALID_STATE; | |
1883 | } | |
dab60d64 | 1884 | this->task_manager->queue_ike_rekey(this->task_manager); |
c60c7694 | 1885 | return this->task_manager->initiate(this->task_manager); |
fe04e93a MW |
1886 | } |
1887 | ||
8bced61b MW |
1888 | METHOD(ike_sa_t, reauth, status_t, |
1889 | private_ike_sa_t *this) | |
6fe03b0a | 1890 | { |
916cdca8 MW |
1891 | if (this->state == IKE_PASSIVE) |
1892 | { | |
1893 | return INVALID_STATE; | |
1894 | } | |
34e402ef TB |
1895 | if (this->state == IKE_CONNECTING) |
1896 | { | |
1897 | DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]", | |
1898 | get_name(this), this->unique_id); | |
c3539961 | 1899 | reset(this, TRUE); |
34e402ef TB |
1900 | return this->task_manager->initiate(this->task_manager); |
1901 | } | |
ee614711 MW |
1902 | /* we can't reauthenticate as responder when we use EAP or virtual IPs. |
1903 | * If the peer does not support RFC4478, there is no way to keep the | |
1904 | * IKE_SA up. */ | |
faf9569f | 1905 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
ee614711 MW |
1906 | { |
1907 | DBG1(DBG_IKE, "initiator did not reauthenticate as requested"); | |
893da041 | 1908 | if (array_count(this->other_vips) != 0 || |
7e9e1f96 | 1909 | has_condition(this, COND_XAUTH_AUTHENTICATED) || |
78abba42 TB |
1910 | has_condition(this, COND_EAP_AUTHENTICATED) |
1911 | #ifdef ME | |
484a06bc | 1912 | /* as mediation server we too cannot reauth the IKE_SA */ |
78abba42 TB |
1913 | || this->is_mediation_server |
1914 | #endif /* ME */ | |
1915 | ) | |
ee614711 | 1916 | { |
e9fcf1c6 | 1917 | time_t del, now; |
7daf5226 | 1918 | |
e9fcf1c6 MW |
1919 | del = this->stats[STAT_DELETE]; |
1920 | now = time_monotonic(NULL); | |
fbaf5cd2 MW |
1921 | DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V", |
1922 | get_name(this), this->unique_id, &now, &del); | |
ee614711 MW |
1923 | return FAILED; |
1924 | } | |
1925 | else | |
1926 | { | |
fbaf5cd2 MW |
1927 | DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively", |
1928 | get_name(this), this->unique_id); | |
ee614711 MW |
1929 | } |
1930 | } | |
fbaf5cd2 MW |
1931 | else |
1932 | { | |
1933 | DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]", | |
1934 | get_name(this), this->unique_id); | |
1935 | } | |
873b63b7 | 1936 | set_condition(this, COND_REAUTHENTICATING, TRUE); |
cedb412e | 1937 | this->task_manager->queue_ike_reauth(this->task_manager); |
26424f03 | 1938 | return this->task_manager->initiate(this->task_manager); |
6fe03b0a | 1939 | } |
face844a | 1940 | |
68db844f | 1941 | /** |
96b61792 | 1942 | * Check if any tasks of a specific type are queued in the given queue. |
68db844f | 1943 | */ |
96b61792 TB |
1944 | static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue, |
1945 | task_type_t type) | |
68db844f TB |
1946 | { |
1947 | enumerator_t *enumerator; | |
1948 | task_t *task; | |
1949 | bool found = FALSE; | |
1950 | ||
1951 | enumerator = this->task_manager->create_task_enumerator(this->task_manager, | |
1952 | queue); | |
1953 | while (enumerator->enumerate(enumerator, &task)) | |
1954 | { | |
96b61792 | 1955 | if (task->get_type(task) == type) |
68db844f TB |
1956 | { |
1957 | found = TRUE; | |
1958 | break; | |
1959 | } | |
1960 | } | |
1961 | enumerator->destroy(enumerator); | |
1962 | return found; | |
1963 | } | |
1964 | ||
96b61792 TB |
1965 | /** |
1966 | * Check if any tasks to create CHILD_SAs are queued in the given queue. | |
1967 | */ | |
1968 | static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue) | |
1969 | { | |
1970 | return is_task_queued(this, queue, | |
1971 | this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE); | |
1972 | } | |
1973 | ||
1974 | /** | |
1975 | * Check if any tasks to delete the IKE_SA are queued in the given queue. | |
1976 | */ | |
1977 | static bool is_delete_queued(private_ike_sa_t *this, task_queue_t queue) | |
1978 | { | |
1979 | return is_task_queued(this, queue, | |
1980 | this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE); | |
1981 | } | |
1982 | ||
f20e00fe TB |
1983 | /** |
1984 | * Reestablish CHILD_SAs and migrate queued tasks. | |
1985 | * | |
1986 | * If force is true all SAs are restarted, otherwise their close/dpd_action | |
1987 | * is followed. | |
1988 | */ | |
1989 | static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new, | |
1990 | bool force) | |
1991 | { | |
1992 | enumerator_t *enumerator; | |
1993 | child_sa_t *child_sa; | |
1994 | child_cfg_t *child_cfg; | |
1995 | action_t action; | |
1996 | status_t status = FAILED; | |
1997 | ||
1998 | /* handle existing CHILD_SAs */ | |
1999 | enumerator = create_child_sa_enumerator(this); | |
2000 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) | |
2001 | { | |
a747ad73 TB |
2002 | switch (child_sa->get_state(child_sa)) |
2003 | { | |
2004 | case CHILD_REKEYED: | |
2005 | case CHILD_DELETED: | |
2006 | /* ignore CHILD_SAs in these states */ | |
2007 | continue; | |
2008 | default: | |
2009 | break; | |
2010 | } | |
f20e00fe TB |
2011 | if (force) |
2012 | { | |
a1620c16 | 2013 | action = ACTION_RESTART; |
f20e00fe TB |
2014 | } |
2015 | else | |
2016 | { /* only restart CHILD_SAs that are configured accordingly */ | |
2017 | if (this->state == IKE_DELETING) | |
2018 | { | |
2019 | action = child_sa->get_close_action(child_sa); | |
2020 | } | |
2021 | else | |
2022 | { | |
2023 | action = child_sa->get_dpd_action(child_sa); | |
2024 | } | |
2025 | } | |
2026 | switch (action) | |
2027 | { | |
2028 | case ACTION_RESTART: | |
2029 | child_cfg = child_sa->get_config(child_sa); | |
2030 | DBG1(DBG_IKE, "restarting CHILD_SA %s", | |
2031 | child_cfg->get_name(child_cfg)); | |
2032 | child_cfg->get_ref(child_cfg); | |
2033 | status = new->initiate(new, child_cfg, | |
2034 | child_sa->get_reqid(child_sa), NULL, NULL); | |
2035 | break; | |
2036 | default: | |
2037 | continue; | |
2038 | } | |
2039 | if (status == DESTROY_ME) | |
2040 | { | |
2041 | break; | |
2042 | } | |
2043 | } | |
2044 | enumerator->destroy(enumerator); | |
2045 | /* adopt any active or queued CHILD-creating tasks */ | |
2046 | if (status != DESTROY_ME) | |
2047 | { | |
5e97a5e6 | 2048 | new->adopt_child_tasks(new, &this->public); |
f20e00fe TB |
2049 | if (new->get_state(new) == IKE_CREATED) |
2050 | { | |
2051 | status = new->initiate(new, NULL, 0, NULL, NULL); | |
2052 | } | |
2053 | } | |
2054 | return status; | |
2055 | } | |
2056 | ||
8bced61b MW |
2057 | METHOD(ike_sa_t, reestablish, status_t, |
2058 | private_ike_sa_t *this) | |
96926b00 MW |
2059 | { |
2060 | ike_sa_t *new; | |
2061 | host_t *host; | |
348af092 | 2062 | action_t action; |
e2630434 | 2063 | enumerator_t *enumerator; |
96926b00 | 2064 | child_sa_t *child_sa; |
cf76c429 | 2065 | bool restart = FALSE; |
96926b00 | 2066 | status_t status = FAILED; |
7daf5226 | 2067 | |
96b61792 TB |
2068 | if (is_delete_queued(this, TASK_QUEUE_QUEUED)) |
2069 | { /* don't reestablish IKE_SAs that have explicitly been deleted in the | |
2070 | * mean time */ | |
2071 | return FAILED; | |
2072 | } | |
2073 | ||
873b63b7 | 2074 | if (has_condition(this, COND_REAUTHENTICATING)) |
23470d84 | 2075 | { /* only reauthenticate if we have children */ |
893da041 | 2076 | if (array_count(this->child_sas) == 0 |
23470d84 TB |
2077 | #ifdef ME |
2078 | /* allow reauth of mediation connections without CHILD_SAs */ | |
2079 | && !this->peer_cfg->is_mediation(this->peer_cfg) | |
2080 | #endif /* ME */ | |
2081 | ) | |
348af092 | 2082 | { |
23470d84 TB |
2083 | DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " |
2084 | "to recreate"); | |
348af092 MW |
2085 | } |
2086 | else | |
2087 | { | |
23470d84 | 2088 | restart = TRUE; |
348af092 | 2089 | } |
23470d84 TB |
2090 | } |
2091 | else | |
2092 | { /* check if we have children to keep up at all */ | |
893da041 | 2093 | enumerator = array_create_enumerator(this->child_sas); |
23470d84 | 2094 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
cadb5d16 | 2095 | { |
a747ad73 TB |
2096 | switch (child_sa->get_state(child_sa)) |
2097 | { | |
2098 | case CHILD_REKEYED: | |
2099 | case CHILD_DELETED: | |
2100 | /* ignore CHILD_SAs in these states */ | |
2101 | continue; | |
2102 | default: | |
2103 | break; | |
2104 | } | |
23470d84 TB |
2105 | if (this->state == IKE_DELETING) |
2106 | { | |
2107 | action = child_sa->get_close_action(child_sa); | |
2108 | } | |
2109 | else | |
2110 | { | |
2111 | action = child_sa->get_dpd_action(child_sa); | |
2112 | } | |
2113 | switch (action) | |
2114 | { | |
2115 | case ACTION_RESTART: | |
2116 | restart = TRUE; | |
2117 | break; | |
2118 | case ACTION_ROUTE: | |
2119 | charon->traps->install(charon->traps, this->peer_cfg, | |
24fa1bb0 | 2120 | child_sa->get_config(child_sa)); |
23470d84 TB |
2121 | break; |
2122 | default: | |
2123 | break; | |
2124 | } | |
cadb5d16 | 2125 | } |
23470d84 | 2126 | enumerator->destroy(enumerator); |
68db844f | 2127 | /* check if we have tasks that recreate children */ |
07a9d5c9 TB |
2128 | if (!restart) |
2129 | { | |
2130 | restart = is_child_queued(this, TASK_QUEUE_ACTIVE) || | |
2131 | is_child_queued(this, TASK_QUEUE_QUEUED); | |
2132 | } | |
cadb5d16 | 2133 | #ifdef ME |
23470d84 TB |
2134 | /* mediation connections have no children, keep them up anyway */ |
2135 | if (this->peer_cfg->is_mediation(this->peer_cfg)) | |
2136 | { | |
2137 | restart = TRUE; | |
2138 | } | |
cadb5d16 | 2139 | #endif /* ME */ |
23470d84 | 2140 | } |
cf76c429 | 2141 | if (!restart) |
cadb5d16 MW |
2142 | { |
2143 | return FAILED; | |
2144 | } | |
7daf5226 | 2145 | |
cadb5d16 | 2146 | /* check if we are able to reestablish this IKE_SA */ |
faf9569f | 2147 | if (!has_condition(this, COND_ORIGINAL_INITIATOR) && |
893da041 | 2148 | (array_count(this->other_vips) != 0 || |
96926b00 MW |
2149 | has_condition(this, COND_EAP_AUTHENTICATED) |
2150 | #ifdef ME | |
2151 | || this->is_mediation_server | |
2152 | #endif /* ME */ | |
2153 | )) | |
2154 | { | |
68447302 | 2155 | DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup"); |
96926b00 MW |
2156 | return FAILED; |
2157 | } | |
7daf5226 | 2158 | |
0b611540 TB |
2159 | new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, |
2160 | this->version, TRUE); | |
3d54ae94 MW |
2161 | if (!new) |
2162 | { | |
2163 | return FAILED; | |
2164 | } | |
96926b00 MW |
2165 | new->set_peer_cfg(new, this->peer_cfg); |
2166 | host = this->other_host; | |
2167 | new->set_other_host(new, host->clone(host)); | |
2168 | host = this->my_host; | |
2169 | new->set_my_host(new, host->clone(host)); | |
614359a7 | 2170 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); |
7505fb8d TB |
2171 | if (!has_condition(this, COND_REAUTHENTICATING)) |
2172 | { /* reauthenticate to the same addresses, but resolve hosts if | |
2173 | * reestablishing (old addresses serve as fallback) */ | |
2174 | resolve_hosts((private_ike_sa_t*)new); | |
2175 | } | |
96926b00 | 2176 | /* if we already have a virtual IP, we reuse it */ |
893da041 | 2177 | enumerator = array_create_enumerator(this->my_vips); |
101d26ba | 2178 | while (enumerator->enumerate(enumerator, &host)) |
96926b00 | 2179 | { |
101d26ba | 2180 | new->add_virtual_ip(new, TRUE, host); |
96926b00 | 2181 | } |
101d26ba | 2182 | enumerator->destroy(enumerator); |
7daf5226 | 2183 | |
96926b00 | 2184 | #ifdef ME |
96926b00 MW |
2185 | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
2186 | { | |
a13c013b | 2187 | status = new->initiate(new, NULL, 0, NULL, NULL); |
96926b00 | 2188 | } |
cadb5d16 | 2189 | else |
96926b00 | 2190 | #endif /* ME */ |
96926b00 | 2191 | { |
f20e00fe TB |
2192 | status = reestablish_children(this, new, |
2193 | has_condition(this, COND_REAUTHENTICATING)); | |
96926b00 | 2194 | } |
7daf5226 | 2195 | |
cadb5d16 | 2196 | if (status == DESTROY_ME) |
96926b00 | 2197 | { |
614359a7 TB |
2198 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2199 | FALSE); | |
cadb5d16 | 2200 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); |
04d6583e | 2201 | status = FAILED; |
96926b00 MW |
2202 | } |
2203 | else | |
2204 | { | |
614359a7 TB |
2205 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2206 | TRUE); | |
cadb5d16 | 2207 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); |
04d6583e | 2208 | status = SUCCESS; |
96926b00 | 2209 | } |
04d6583e MW |
2210 | charon->bus->set_sa(charon->bus, &this->public); |
2211 | return status; | |
96926b00 MW |
2212 | } |
2213 | ||
f20e00fe TB |
2214 | /** |
2215 | * Resolve the given gateway ID | |
2216 | */ | |
2217 | static host_t *resolve_gateway_id(identification_t *gateway) | |
c126ddd0 TB |
2218 | { |
2219 | char gw[BUF_LEN]; | |
f20e00fe | 2220 | host_t *addr; |
c126ddd0 | 2221 | |
f20e00fe TB |
2222 | snprintf(gw, sizeof(gw), "%Y", gateway); |
2223 | gw[sizeof(gw)-1] = '\0'; | |
2224 | addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT); | |
2225 | if (!addr) | |
2226 | { | |
2227 | DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed", | |
2228 | gateway); | |
2229 | } | |
2230 | return addr; | |
2231 | } | |
2232 | ||
2233 | /** | |
2234 | * Redirect the current SA to the given target host | |
2235 | */ | |
2236 | static bool redirect_established(private_ike_sa_t *this, identification_t *to) | |
2237 | { | |
2238 | private_ike_sa_t *new_priv; | |
2239 | ike_sa_t *new; | |
2240 | host_t *other; | |
c6ebd033 | 2241 | time_t redirect; |
f20e00fe TB |
2242 | |
2243 | new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, | |
2244 | this->version, TRUE); | |
2245 | if (!new) | |
489d154e | 2246 | { |
489d154e TB |
2247 | return FALSE; |
2248 | } | |
f20e00fe TB |
2249 | new_priv = (private_ike_sa_t*)new; |
2250 | new->set_peer_cfg(new, this->peer_cfg); | |
2251 | new_priv->redirected_from = this->other_host->clone(this->other_host); | |
2252 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); | |
2253 | other = resolve_gateway_id(to); | |
2254 | if (other) | |
2255 | { | |
2256 | set_my_host(new_priv, this->my_host->clone(this->my_host)); | |
2257 | /* this allows us to force the remote address while we still properly | |
2258 | * resolve the local address */ | |
2259 | new_priv->remote_host = other; | |
2260 | resolve_hosts(new_priv); | |
c6ebd033 TB |
2261 | new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); |
2262 | while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect)) | |
2263 | { | |
2264 | array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect); | |
2265 | } | |
f20e00fe TB |
2266 | if (reestablish_children(this, new, TRUE) != DESTROY_ME) |
2267 | { | |
2268 | #ifdef USE_IKEV2 | |
2269 | new->queue_task(new, (task_t*)ike_reauth_complete_create(new, | |
2270 | this->ike_sa_id)); | |
2271 | #endif | |
2272 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, | |
2273 | TRUE); | |
2274 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); | |
2275 | charon->bus->set_sa(charon->bus, &this->public); | |
2276 | return TRUE; | |
2277 | } | |
2278 | } | |
2279 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, | |
2280 | FALSE); | |
2281 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); | |
2282 | charon->bus->set_sa(charon->bus, &this->public); | |
2283 | return FALSE; | |
2284 | } | |
c126ddd0 | 2285 | |
f20e00fe TB |
2286 | /** |
2287 | * Redirect the current connecting SA to the given target host | |
2288 | */ | |
2289 | static bool redirect_connecting(private_ike_sa_t *this, identification_t *to) | |
2290 | { | |
2291 | host_t *other; | |
2292 | ||
2293 | other = resolve_gateway_id(to); | |
c126ddd0 TB |
2294 | if (!other) |
2295 | { | |
c126ddd0 TB |
2296 | return FALSE; |
2297 | } | |
c3539961 | 2298 | reset(this, TRUE); |
f20e00fe TB |
2299 | DESTROY_IF(this->redirected_from); |
2300 | this->redirected_from = this->other_host->clone(this->other_host); | |
f20e00fe TB |
2301 | /* this allows us to force the remote address while we still properly |
2302 | * resolve the local address */ | |
3a54206c | 2303 | DESTROY_IF(this->remote_host); |
f20e00fe TB |
2304 | this->remote_host = other; |
2305 | resolve_hosts(this); | |
2306 | return TRUE; | |
2307 | } | |
2308 | ||
c6ebd033 TB |
2309 | /** |
2310 | * Check if the current redirect exceeds the limits for redirects | |
2311 | */ | |
2312 | static bool redirect_count_exceeded(private_ike_sa_t *this) | |
2313 | { | |
2314 | time_t now, redirect; | |
2315 | ||
2316 | now = time_monotonic(NULL); | |
2317 | /* remove entries outside the defined period */ | |
2318 | while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) && | |
2319 | now - redirect >= REDIRECT_LOOP_DETECT_PERIOD) | |
2320 | { | |
2321 | array_remove(this->redirected_at, ARRAY_HEAD, NULL); | |
2322 | } | |
2323 | if (array_count(this->redirected_at) < MAX_REDIRECTS) | |
2324 | { | |
2325 | if (!this->redirected_at) | |
2326 | { | |
2327 | this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); | |
2328 | } | |
2329 | array_insert(this->redirected_at, ARRAY_TAIL, &now); | |
2330 | return FALSE; | |
2331 | } | |
2332 | return TRUE; | |
2333 | } | |
2334 | ||
f20e00fe TB |
2335 | METHOD(ike_sa_t, handle_redirect, bool, |
2336 | private_ike_sa_t *this, identification_t *gateway) | |
2337 | { | |
2338 | DBG1(DBG_IKE, "redirected to %Y", gateway); | |
2339 | if (!this->follow_redirects) | |
2340 | { | |
2341 | DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it"); | |
2342 | return FALSE; | |
2343 | } | |
c6ebd033 TB |
2344 | if (redirect_count_exceeded(this)) |
2345 | { | |
2346 | DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds", | |
2347 | MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD); | |
2348 | return FALSE; | |
2349 | } | |
f20e00fe | 2350 | |
c126ddd0 TB |
2351 | switch (this->state) |
2352 | { | |
2353 | case IKE_CONNECTING: | |
f20e00fe TB |
2354 | return redirect_connecting(this, gateway); |
2355 | case IKE_ESTABLISHED: | |
2356 | return redirect_established(this, gateway); | |
c126ddd0 TB |
2357 | default: |
2358 | DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N", | |
2359 | ike_sa_state_names, this->state); | |
c126ddd0 TB |
2360 | return FALSE; |
2361 | } | |
2362 | } | |
2363 | ||
71c70705 TB |
2364 | METHOD(ike_sa_t, redirect, status_t, |
2365 | private_ike_sa_t *this, identification_t *gateway) | |
2366 | { | |
2367 | switch (this->state) | |
2368 | { | |
2369 | case IKE_CONNECTING: | |
2370 | case IKE_ESTABLISHED: | |
2371 | case IKE_REKEYING: | |
2372 | if (has_condition(this, COND_REDIRECTED)) | |
2373 | { /* IKE_SA already got redirected */ | |
2374 | return SUCCESS; | |
2375 | } | |
2376 | if (has_condition(this, COND_ORIGINAL_INITIATOR)) | |
2377 | { | |
2378 | DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator"); | |
2379 | return FAILED; | |
2380 | } | |
2381 | if (this->version == IKEV1) | |
2382 | { | |
2383 | DBG1(DBG_IKE, "unable to redirect IKEv1 SA"); | |
2384 | return FAILED; | |
2385 | } | |
2386 | if (!supports_extension(this, EXT_IKE_REDIRECTION)) | |
2387 | { | |
2388 | DBG1(DBG_IKE, "client does not support IKE redirection"); | |
2389 | return FAILED; | |
2390 | } | |
2391 | #ifdef USE_IKEV2 | |
2392 | this->task_manager->queue_task(this->task_manager, | |
2393 | (task_t*)ike_redirect_create(&this->public, gateway)); | |
2394 | #endif | |
2395 | return this->task_manager->initiate(this->task_manager); | |
2396 | default: | |
2397 | DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N", | |
2398 | ike_sa_state_names, this->state); | |
2399 | return INVALID_STATE; | |
2400 | } | |
2401 | } | |
2402 | ||
8bced61b | 2403 | METHOD(ike_sa_t, retransmit, status_t, |
b12c53ce | 2404 | private_ike_sa_t *this, uint32_t message_id) |
96926b00 | 2405 | { |
916cdca8 MW |
2406 | if (this->state == IKE_PASSIVE) |
2407 | { | |
2408 | return INVALID_STATE; | |
2409 | } | |
6180a558 | 2410 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
96926b00 MW |
2411 | if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS) |
2412 | { | |
2413 | /* send a proper signal to brief interested bus listeners */ | |
2414 | switch (this->state) | |
2415 | { | |
2416 | case IKE_CONNECTING: | |
2417 | { | |
d9c1dae2 | 2418 | /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */ |
b12c53ce | 2419 | uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); |
1d6dc627 TB |
2420 | charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE, |
2421 | this->keyingtry); | |
96926b00 MW |
2422 | this->keyingtry++; |
2423 | if (tries == 0 || tries > this->keyingtry) | |
2424 | { | |
a985db3f MW |
2425 | DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", |
2426 | this->keyingtry + 1, tries); | |
c3539961 | 2427 | reset(this, TRUE); |
4d7a2128 | 2428 | resolve_hosts(this); |
96926b00 MW |
2429 | return this->task_manager->initiate(this->task_manager); |
2430 | } | |
a985db3f | 2431 | DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); |
ebc6defa TB |
2432 | |
2433 | if (this->version == IKEV1 && array_count(this->child_sas)) | |
2434 | { | |
eb822106 TB |
2435 | enumerator_t *enumerator; |
2436 | child_sa_t *child_sa; | |
2437 | ||
ebc6defa TB |
2438 | /* if reauthenticating an IKEv1 SA failed (assumed for an SA |
2439 | * in this state with CHILD_SAs), try again from scratch */ | |
2440 | DBG1(DBG_IKE, "reauthentication failed, trying to " | |
2441 | "reestablish IKE_SA"); | |
2442 | reestablish(this); | |
eb822106 TB |
2443 | /* trigger down events for the CHILD_SAs, as no down event |
2444 | * is triggered below for IKE SAs in this state */ | |
2445 | enumerator = array_create_enumerator(this->child_sas); | |
2446 | while (enumerator->enumerate(enumerator, &child_sa)) | |
2447 | { | |
2448 | if (child_sa->get_state(child_sa) != CHILD_REKEYED && | |
2449 | child_sa->get_state(child_sa) != CHILD_DELETED) | |
2450 | { | |
2451 | charon->bus->child_updown(charon->bus, child_sa, | |
2452 | FALSE); | |
2453 | } | |
2454 | } | |
2455 | enumerator->destroy(enumerator); | |
ebc6defa | 2456 | } |
96926b00 MW |
2457 | break; |
2458 | } | |
96926b00 | 2459 | case IKE_DELETING: |
a985db3f | 2460 | DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding"); |
10f8834b TB |
2461 | if (has_condition(this, COND_REAUTHENTICATING) && |
2462 | !lib->settings->get_bool(lib->settings, | |
2463 | "%s.make_before_break", FALSE, lib->ns)) | |
74571430 TB |
2464 | { |
2465 | DBG1(DBG_IKE, "delete during reauthentication failed, " | |
2466 | "trying to reestablish IKE_SA anyway"); | |
2467 | reestablish(this); | |
2468 | } | |
96926b00 | 2469 | break; |
348af092 | 2470 | case IKE_REKEYING: |
a985db3f | 2471 | DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding"); |
348af092 | 2472 | /* FALL */ |
96926b00 | 2473 | default: |
348af092 | 2474 | reestablish(this); |
96926b00 MW |
2475 | break; |
2476 | } | |
bb389973 TB |
2477 | if (this->state != IKE_CONNECTING && |
2478 | this->state != IKE_REKEYED) | |
3babde90 TB |
2479 | { |
2480 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); | |
2481 | } | |
96926b00 MW |
2482 | return DESTROY_ME; |
2483 | } | |
2484 | return SUCCESS; | |
2485 | } | |
2486 | ||
a07b6973 | 2487 | METHOD(ike_sa_t, set_auth_lifetime, status_t, |
b12c53ce | 2488 | private_ike_sa_t *this, uint32_t lifetime) |
ee614711 | 2489 | { |
b12c53ce | 2490 | uint32_t diff, hard, soft, now; |
a07b6973 | 2491 | bool send_update; |
ee614711 | 2492 | |
bdcf4417 MW |
2493 | diff = this->peer_cfg->get_over_time(this->peer_cfg); |
2494 | now = time_monotonic(NULL); | |
2495 | hard = now + lifetime; | |
2496 | soft = hard - diff; | |
2497 | ||
a07b6973 MW |
2498 | /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime. |
2499 | * We send the notify in IKE_AUTH if not yet ESTABLISHED. */ | |
b1f2f05c | 2500 | send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 && |
a07b6973 | 2501 | !has_condition(this, COND_ORIGINAL_INITIATOR) && |
893da041 | 2502 | (array_count(this->other_vips) != 0 || |
a07b6973 MW |
2503 | has_condition(this, COND_EAP_AUTHENTICATED)); |
2504 | ||
bdcf4417 | 2505 | if (lifetime < diff) |
ee614711 | 2506 | { |
bdcf4417 | 2507 | this->stats[STAT_REAUTH] = now; |
a07b6973 MW |
2508 | |
2509 | if (!send_update) | |
2510 | { | |
2511 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " | |
2512 | "starting reauthentication", lifetime); | |
2513 | lib->processor->queue_job(lib->processor, | |
b9b8a98f | 2514 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE)); |
a07b6973 | 2515 | } |
ee614711 | 2516 | } |
85ac2fa5 | 2517 | else if (this->stats[STAT_REAUTH] == 0 || |
bdcf4417 | 2518 | this->stats[STAT_REAUTH] > soft) |
ee614711 | 2519 | { |
bdcf4417 | 2520 | this->stats[STAT_REAUTH] = soft; |
a07b6973 MW |
2521 | if (!send_update) |
2522 | { | |
2523 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling " | |
2524 | "reauthentication in %ds", lifetime, lifetime - diff); | |
2525 | lib->scheduler->schedule_job(lib->scheduler, | |
6554b5e4 | 2526 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), |
bdcf4417 | 2527 | lifetime - diff); |
a07b6973 | 2528 | } |
3fd9c757 AS |
2529 | } |
2530 | else | |
2531 | { | |
6180a558 MW |
2532 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " |
2533 | "reauthentication already scheduled in %ds", lifetime, | |
2534 | this->stats[STAT_REAUTH] - time_monotonic(NULL)); | |
a07b6973 | 2535 | send_update = FALSE; |
ee614711 | 2536 | } |
bdcf4417 MW |
2537 | /* give at least some seconds to reauthenticate */ |
2538 | this->stats[STAT_DELETE] = max(hard, now + 10); | |
a07b6973 | 2539 | |
2d39f79b | 2540 | #ifdef USE_IKEV2 |
a07b6973 MW |
2541 | if (send_update) |
2542 | { | |
2d39f79b TB |
2543 | ike_auth_lifetime_t *task; |
2544 | ||
a07b6973 MW |
2545 | task = ike_auth_lifetime_create(&this->public, TRUE); |
2546 | this->task_manager->queue_task(this->task_manager, &task->task); | |
2547 | return this->task_manager->initiate(this->task_manager); | |
2548 | } | |
2d39f79b | 2549 | #endif |
a07b6973 | 2550 | return SUCCESS; |
ee614711 MW |
2551 | } |
2552 | ||
bab56a4a TB |
2553 | /** |
2554 | * Check if the current combination of source and destination address is still | |
2555 | * valid. | |
2556 | */ | |
2557 | static bool is_current_path_valid(private_ike_sa_t *this) | |
2558 | { | |
2559 | bool valid = FALSE; | |
2560 | host_t *src; | |
597e8c9e MW |
2561 | |
2562 | if (supports_extension(this, EXT_MOBIKE) && | |
2563 | lib->settings->get_bool(lib->settings, | |
2564 | "%s.prefer_best_path", FALSE, lib->ns)) | |
2565 | { | |
2566 | /* check if the current path is the best path; migrate otherwise */ | |
2567 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, | |
2568 | NULL); | |
2569 | if (src) | |
2570 | { | |
2571 | valid = src->ip_equals(src, this->my_host); | |
2572 | src->destroy(src); | |
2573 | } | |
2574 | if (!valid) | |
2575 | { | |
2576 | DBG1(DBG_IKE, "old path is not preferred anymore"); | |
2577 | } | |
2578 | return valid; | |
2579 | } | |
8394ea2a TB |
2580 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, |
2581 | this->my_host); | |
bab56a4a TB |
2582 | if (src) |
2583 | { | |
2584 | if (src->ip_equals(src, this->my_host)) | |
2585 | { | |
2586 | valid = TRUE; | |
2587 | } | |
2588 | src->destroy(src); | |
2589 | } | |
597e8c9e MW |
2590 | if (!valid) |
2591 | { | |
2592 | DBG1(DBG_IKE, "old path is not available anymore, try to find another"); | |
2593 | } | |
bab56a4a TB |
2594 | return valid; |
2595 | } | |
2596 | ||
2597 | /** | |
02b34840 | 2598 | * Check if we have any path available for this IKE SA. |
bab56a4a TB |
2599 | */ |
2600 | static bool is_any_path_valid(private_ike_sa_t *this) | |
2601 | { | |
2602 | bool valid = FALSE; | |
2603 | enumerator_t *enumerator; | |
ae9ce835 | 2604 | host_t *src = NULL, *addr; |
ff601341 TB |
2605 | int family = AF_UNSPEC; |
2606 | ||
2607 | switch (charon->socket->supported_families(charon->socket)) | |
2608 | { | |
2609 | case SOCKET_FAMILY_IPV4: | |
2610 | family = AF_INET; | |
2611 | break; | |
2612 | case SOCKET_FAMILY_IPV6: | |
2613 | family = AF_INET6; | |
2614 | break; | |
2615 | case SOCKET_FAMILY_BOTH: | |
2616 | case SOCKET_FAMILY_NONE: | |
2617 | break; | |
2618 | } | |
72b28112 | 2619 | |
12715f19 | 2620 | enumerator = create_peer_address_enumerator(this); |
72b28112 | 2621 | while (enumerator->enumerate(enumerator, &addr)) |
bab56a4a | 2622 | { |
ff601341 TB |
2623 | if (family != AF_UNSPEC && addr->get_family(addr) != family) |
2624 | { | |
2625 | continue; | |
2626 | } | |
72b28112 | 2627 | DBG1(DBG_IKE, "looking for a route to %H ...", addr); |
8394ea2a | 2628 | src = charon->kernel->get_source_addr(charon->kernel, addr, NULL); |
72b28112 | 2629 | if (src) |
bab56a4a | 2630 | { |
72b28112 | 2631 | break; |
bab56a4a | 2632 | } |
bab56a4a | 2633 | } |
72b28112 | 2634 | enumerator->destroy(enumerator); |
bab56a4a TB |
2635 | if (src) |
2636 | { | |
2637 | valid = TRUE; | |
2638 | src->destroy(src); | |
2639 | } | |
2640 | return valid; | |
2641 | } | |
2642 | ||
8bced61b MW |
2643 | METHOD(ike_sa_t, roam, status_t, |
2644 | private_ike_sa_t *this, bool address) | |
17d92e97 | 2645 | { |
011b1cca MW |
2646 | switch (this->state) |
2647 | { | |
2648 | case IKE_CREATED: | |
2649 | case IKE_DELETING: | |
7afd9d66 | 2650 | case IKE_DESTROYING: |
c610f424 | 2651 | case IKE_PASSIVE: |
bb389973 | 2652 | case IKE_REKEYED: |
011b1cca MW |
2653 | return SUCCESS; |
2654 | default: | |
2655 | break; | |
2656 | } | |
7daf5226 | 2657 | |
007a2701 TB |
2658 | if (!this->ike_cfg) |
2659 | { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and | |
2660 | * without config assigned */ | |
2661 | return SUCCESS; | |
2662 | } | |
8929c700 TB |
2663 | if (this->version == IKEV1) |
2664 | { /* ignore roam events for IKEv1 where we don't have MOBIKE and would | |
2665 | * have to reestablish from scratch (reauth is not enough) */ | |
2666 | return SUCCESS; | |
2667 | } | |
007a2701 | 2668 | |
be27e768 TB |
2669 | /* ignore roam events if MOBIKE is not supported/enabled and the local |
2670 | * address is statically configured */ | |
8929c700 | 2671 | if (!supports_extension(this, EXT_MOBIKE) && |
be27e768 TB |
2672 | ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE)) |
2673 | { | |
2674 | DBG2(DBG_IKE, "keeping statically configured path %H - %H", | |
2675 | this->my_host, this->other_host); | |
2676 | return SUCCESS; | |
2677 | } | |
2678 | ||
ce5b1708 | 2679 | /* keep existing path if possible */ |
bab56a4a | 2680 | if (is_current_path_valid(this)) |
face844a | 2681 | { |
bab56a4a TB |
2682 | DBG2(DBG_IKE, "keeping connection path %H - %H", |
2683 | this->my_host, this->other_host); | |
2684 | set_condition(this, COND_STALE, FALSE); | |
261b2572 TB |
2685 | |
2686 | if (supports_extension(this, EXT_MOBIKE) && address) | |
2687 | { /* if any addresses changed, send an updated list */ | |
2688 | DBG1(DBG_IKE, "sending address list update using MOBIKE"); | |
873df908 | 2689 | this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE); |
261b2572 TB |
2690 | return this->task_manager->initiate(this->task_manager); |
2691 | } | |
bab56a4a | 2692 | return SUCCESS; |
7afd9d66 | 2693 | } |
261b2572 | 2694 | |
bab56a4a | 2695 | if (!is_any_path_valid(this)) |
7afd9d66 | 2696 | { |
bab56a4a TB |
2697 | DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", |
2698 | this->other_host); | |
2699 | set_condition(this, COND_STALE, TRUE); | |
2700 | return SUCCESS; | |
17d92e97 | 2701 | } |
7afd9d66 | 2702 | set_condition(this, COND_STALE, FALSE); |
7daf5226 | 2703 | |
face844a MW |
2704 | /* update addresses with mobike, if supported ... */ |
2705 | if (supports_extension(this, EXT_MOBIKE)) | |
2706 | { | |
57744088 TB |
2707 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2708 | { /* responder updates the peer about changed address config */ | |
2709 | DBG1(DBG_IKE, "sending address list update using MOBIKE, " | |
2710 | "implicitly requesting an address change"); | |
2711 | address = TRUE; | |
2712 | } | |
2713 | else | |
2714 | { | |
2715 | DBG1(DBG_IKE, "requesting address change using MOBIKE"); | |
2716 | } | |
873df908 | 2717 | this->task_manager->queue_mobike(this->task_manager, TRUE, address); |
face844a MW |
2718 | return this->task_manager->initiate(this->task_manager); |
2719 | } | |
57744088 | 2720 | |
96926b00 | 2721 | /* ... reauth if not */ |
57744088 TB |
2722 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2723 | { /* responder does not reauthenticate */ | |
2724 | set_condition(this, COND_STALE, TRUE); | |
2725 | return SUCCESS; | |
2726 | } | |
2727 | DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change"); | |
a46fe568 TB |
2728 | /* since our previous path is not valid anymore, try and find a new one */ |
2729 | resolve_hosts(this); | |
96926b00 | 2730 | return reauth(this); |
17d92e97 | 2731 | } |
6fe03b0a | 2732 | |
8bced61b MW |
2733 | METHOD(ike_sa_t, add_configuration_attribute, void, |
2734 | private_ike_sa_t *this, attribute_handler_t *handler, | |
2735 | configuration_attribute_type_t type, chunk_t data) | |
7f56b494 | 2736 | { |
893da041 MW |
2737 | attribute_entry_t entry = { |
2738 | .handler = handler, | |
2739 | .type = type, | |
2740 | .data = chunk_clone(data), | |
2741 | }; | |
2742 | array_insert(this->attributes, ARRAY_TAIL, &entry); | |
7f56b494 MW |
2743 | } |
2744 | ||
525cc46c TB |
2745 | CALLBACK(filter_attribute, bool, |
2746 | void *null, enumerator_t *orig, va_list args) | |
9d257034 | 2747 | { |
525cc46c TB |
2748 | attribute_entry_t *entry; |
2749 | configuration_attribute_type_t *type; | |
2750 | chunk_t *data; | |
2751 | bool *handled; | |
2752 | ||
2753 | VA_ARGS_VGET(args, type, data, handled); | |
2754 | ||
2755 | if (orig->enumerate(orig, &entry)) | |
2756 | { | |
2757 | *type = entry->type; | |
2758 | *data = entry->data; | |
2759 | *handled = entry->handler != NULL; | |
2760 | return TRUE; | |
2761 | } | |
2762 | return FALSE; | |
9d257034 MW |
2763 | } |
2764 | ||
2765 | METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*, | |
2766 | private_ike_sa_t *this) | |
2767 | { | |
2768 | return enumerator_create_filter(array_create_enumerator(this->attributes), | |
525cc46c | 2769 | filter_attribute, NULL, NULL); |
9d257034 MW |
2770 | } |
2771 | ||
ea340ee8 MW |
2772 | METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, |
2773 | private_ike_sa_t *this, task_queue_t queue) | |
2774 | { | |
2775 | return this->task_manager->create_task_enumerator(this->task_manager, queue); | |
2776 | } | |
2777 | ||
b7160401 TB |
2778 | METHOD(ike_sa_t, remove_task, void, |
2779 | private_ike_sa_t *this, enumerator_t *enumerator) | |
2780 | { | |
2781 | return this->task_manager->remove_task(this->task_manager, enumerator); | |
2782 | } | |
2783 | ||
cbc1a20f MW |
2784 | METHOD(ike_sa_t, flush_queue, void, |
2785 | private_ike_sa_t *this, task_queue_t queue) | |
2786 | { | |
2787 | this->task_manager->flush_queue(this->task_manager, queue); | |
2788 | } | |
2789 | ||
69adeb5b MW |
2790 | METHOD(ike_sa_t, queue_task, void, |
2791 | private_ike_sa_t *this, task_t *task) | |
2792 | { | |
2793 | this->task_manager->queue_task(this->task_manager, task); | |
2794 | } | |
2795 | ||
208678e6 TB |
2796 | METHOD(ike_sa_t, queue_task_delayed, void, |
2797 | private_ike_sa_t *this, task_t *task, uint32_t delay) | |
2798 | { | |
2799 | this->task_manager->queue_task_delayed(this->task_manager, task, delay); | |
2800 | } | |
2801 | ||
5e97a5e6 TB |
2802 | /** |
2803 | * Migrate and queue child-creating tasks from another IKE_SA | |
2804 | */ | |
2805 | static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other, | |
2806 | task_queue_t queue) | |
00c889f4 | 2807 | { |
5e97a5e6 TB |
2808 | enumerator_t *enumerator; |
2809 | task_t *task; | |
00c889f4 | 2810 | |
5e97a5e6 TB |
2811 | enumerator = other->create_task_enumerator(other, queue); |
2812 | while (enumerator->enumerate(enumerator, &task)) | |
2813 | { | |
2814 | if (task->get_type(task) == TASK_CHILD_CREATE || | |
2815 | task->get_type(task) == TASK_QUICK_MODE) | |
2816 | { | |
2817 | other->remove_task(other, enumerator); | |
2818 | task->migrate(task, &this->public); | |
2819 | queue_task(this, task); | |
2820 | } | |
2821 | } | |
2822 | enumerator->destroy(enumerator); | |
2823 | } | |
2824 | ||
2825 | METHOD(ike_sa_t, adopt_child_tasks, void, | |
2826 | private_ike_sa_t *this, ike_sa_t *other) | |
2827 | { | |
2828 | migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); | |
2829 | migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); | |
00c889f4 TB |
2830 | } |
2831 | ||
713a1122 MW |
2832 | METHOD(ike_sa_t, inherit_pre, void, |
2833 | private_ike_sa_t *this, ike_sa_t *other_public) | |
2834 | { | |
2835 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; | |
2836 | ||
2837 | /* apply config and hosts */ | |
2838 | set_peer_cfg(this, other->peer_cfg); | |
2839 | set_my_host(this, other->my_host->clone(other->my_host)); | |
2840 | set_other_host(this, other->other_host->clone(other->other_host)); | |
094963d1 MW |
2841 | |
2842 | /* apply extensions and conditions with a few exceptions */ | |
2843 | this->extensions = other->extensions; | |
2844 | this->conditions = other->conditions; | |
2845 | this->conditions &= ~COND_STALE; | |
2846 | this->conditions &= ~COND_REAUTHENTICATING; | |
713a1122 MW |
2847 | } |
2848 | ||
2849 | METHOD(ike_sa_t, inherit_post, void, | |
8bced61b | 2850 | private_ike_sa_t *this, ike_sa_t *other_public) |
3183006d | 2851 | { |
8bced61b | 2852 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; |
c60c7694 | 2853 | child_sa_t *child_sa; |
5d6b9815 | 2854 | enumerator_t *enumerator; |
893da041 | 2855 | attribute_entry_t entry; |
5d6b9815 | 2856 | auth_cfg_t *cfg; |
101d26ba | 2857 | host_t *vip; |
7daf5226 | 2858 | |
c60c7694 MW |
2859 | /* apply hosts and ids */ |
2860 | this->my_host->destroy(this->my_host); | |
2861 | this->other_host->destroy(this->other_host); | |
2862 | this->my_id->destroy(this->my_id); | |
2863 | this->other_id->destroy(this->other_id); | |
2864 | this->my_host = other->my_host->clone(other->my_host); | |
2865 | this->other_host = other->other_host->clone(other->other_host); | |
2866 | this->my_id = other->my_id->clone(other->my_id); | |
2867 | this->other_id = other->other_id->clone(other->other_id); | |
dec3c184 TB |
2868 | this->if_id_in = other->if_id_in; |
2869 | this->if_id_out = other->if_id_out; | |
7daf5226 | 2870 | |
101d26ba | 2871 | /* apply assigned virtual IPs... */ |
893da041 | 2872 | while (array_remove(other->my_vips, ARRAY_HEAD, &vip)) |
c60c7694 | 2873 | { |
893da041 | 2874 | array_insert_create(&this->my_vips, ARRAY_TAIL, vip); |
c60c7694 | 2875 | } |
893da041 | 2876 | while (array_remove(other->other_vips, ARRAY_HEAD, &vip)) |
c60c7694 | 2877 | { |
893da041 | 2878 | array_insert_create(&this->other_vips, ARRAY_TAIL, vip); |
c60c7694 | 2879 | } |
7daf5226 | 2880 | |
b8ecdfd8 MW |
2881 | /* MOBIKE additional addresses */ |
2882 | while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip)) | |
2883 | { | |
2884 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip); | |
2885 | } | |
2886 | ||
5d6b9815 | 2887 | /* authentication information */ |
893da041 | 2888 | enumerator = array_create_enumerator(other->my_auths); |
5d6b9815 MW |
2889 | while (enumerator->enumerate(enumerator, &cfg)) |
2890 | { | |
893da041 | 2891 | array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg)); |
5d6b9815 MW |
2892 | } |
2893 | enumerator->destroy(enumerator); | |
893da041 | 2894 | enumerator = array_create_enumerator(other->other_auths); |
5d6b9815 MW |
2895 | while (enumerator->enumerate(enumerator, &cfg)) |
2896 | { | |
893da041 | 2897 | array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg)); |
5d6b9815 MW |
2898 | } |
2899 | enumerator->destroy(enumerator); | |
2900 | ||
7f56b494 | 2901 | /* ... and configuration attributes */ |
893da041 | 2902 | while (array_remove(other->attributes, ARRAY_HEAD, &entry)) |
c60c7694 | 2903 | { |
893da041 | 2904 | array_insert(this->attributes, ARRAY_TAIL, &entry); |
c60c7694 | 2905 | } |
b0e40caa | 2906 | |
faf9569f | 2907 | /* inherit all conditions */ |
b0e40caa AS |
2908 | this->conditions = other->conditions; |
2909 | if (this->conditions & COND_NAT_HERE) | |
2910 | { | |
efd7fa7b | 2911 | send_keepalive(this, FALSE); |
b0e40caa | 2912 | } |
7daf5226 | 2913 | |
22452f70 TB |
2914 | #ifdef ME |
2915 | if (other->is_mediation_server) | |
2916 | { | |
2917 | act_as_mediation_server(this); | |
2918 | } | |
2919 | else if (other->server_reflexive_host) | |
2920 | { | |
2921 | this->server_reflexive_host = other->server_reflexive_host->clone( | |
2922 | other->server_reflexive_host); | |
2923 | } | |
2924 | #endif /* ME */ | |
b0e40caa | 2925 | |
c60c7694 | 2926 | /* adopt all children */ |
893da041 | 2927 | while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa)) |
c60c7694 | 2928 | { |
38227d0e MW |
2929 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
2930 | add_child_sa(this, child_sa); | |
c60c7694 | 2931 | } |
7daf5226 | 2932 | |
e23a59f6 MW |
2933 | /* move pending tasks to the new IKE_SA */ |
2934 | this->task_manager->adopt_tasks(this->task_manager, other->task_manager); | |
7daf5226 | 2935 | |
ee614711 | 2936 | /* reauthentication timeout survives a rekeying */ |
85ac2fa5 | 2937 | if (other->stats[STAT_REAUTH]) |
ee614711 | 2938 | { |
6180a558 | 2939 | time_t reauth, delete, now = time_monotonic(NULL); |
7daf5226 | 2940 | |
85ac2fa5 MW |
2941 | this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH]; |
2942 | reauth = this->stats[STAT_REAUTH] - now; | |
ee614711 | 2943 | delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg); |
85ac2fa5 | 2944 | this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete; |
ee614711 MW |
2945 | DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, " |
2946 | "lifetime reduced to %ds", reauth, delete); | |
bb381e26 | 2947 | lib->scheduler->schedule_job(lib->scheduler, |
6554b5e4 | 2948 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth); |
bb381e26 | 2949 | lib->scheduler->schedule_job(lib->scheduler, |
6554b5e4 | 2950 | (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete); |
ee614711 | 2951 | } |
3183006d MW |
2952 | } |
2953 | ||
8bced61b MW |
2954 | METHOD(ike_sa_t, destroy, void, |
2955 | private_ike_sa_t *this) | |
60356f33 | 2956 | { |
893da041 | 2957 | attribute_entry_t entry; |
2b0c8ee3 | 2958 | child_sa_t *child_sa; |
101d26ba | 2959 | host_t *vip; |
7daf5226 | 2960 | |
65c907cd | 2961 | charon->bus->set_sa(charon->bus, &this->public); |
7daf5226 | 2962 | |
a985db3f | 2963 | set_state(this, IKE_DESTROYING); |
b1908994 TE |
2964 | if (this->task_manager) |
2965 | { | |
2966 | this->task_manager->flush(this->task_manager); | |
2967 | } | |
7daf5226 | 2968 | |
7f56b494 | 2969 | /* remove attributes first, as we pass the IKE_SA to the handler */ |
eef7427b | 2970 | charon->bus->handle_vips(charon->bus, &this->public, FALSE); |
893da041 | 2971 | while (array_remove(this->attributes, ARRAY_TAIL, &entry)) |
7f56b494 | 2972 | { |
5ae32210 MW |
2973 | if (entry.handler) |
2974 | { | |
75136327 | 2975 | charon->attributes->release(charon->attributes, entry.handler, |
a12f357b | 2976 | &this->public, entry.type, entry.data); |
5ae32210 | 2977 | } |
893da041 | 2978 | free(entry.data.ptr); |
7f56b494 | 2979 | } |
2b0c8ee3 MW |
2980 | /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill |
2981 | * routes that the CHILD_SA tries to uninstall. */ | |
2982 | while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa)) | |
2983 | { | |
38227d0e | 2984 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
2b0c8ee3 MW |
2985 | child_sa->destroy(child_sa); |
2986 | } | |
893da041 | 2987 | while (array_remove(this->my_vips, ARRAY_TAIL, &vip)) |
c60c7694 | 2988 | { |
8394ea2a | 2989 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
101d26ba | 2990 | vip->destroy(vip); |
c60c7694 | 2991 | } |
893da041 | 2992 | if (array_count(this->other_vips)) |
12fa1784 AS |
2993 | { |
2994 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); | |
2995 | } | |
893da041 | 2996 | while (array_remove(this->other_vips, ARRAY_TAIL, &vip)) |
cdcfe777 | 2997 | { |
497ce2cf | 2998 | if (this->peer_cfg) |
cdcfe777 | 2999 | { |
28a3d5bf | 3000 | linked_list_t *pools; |
28a3d5bf | 3001 | |
28a3d5bf MW |
3002 | pools = linked_list_create_from_enumerator( |
3003 | this->peer_cfg->create_pool_enumerator(this->peer_cfg)); | |
75136327 | 3004 | charon->attributes->release_address(charon->attributes, |
a16058a4 | 3005 | pools, vip, &this->public); |
28a3d5bf | 3006 | pools->destroy(pools); |
cdcfe777 | 3007 | } |
101d26ba | 3008 | vip->destroy(vip); |
cdcfe777 | 3009 | } |
a3854d83 MW |
3010 | |
3011 | /* unset SA after here to avoid usage by the listeners */ | |
3012 | charon->bus->set_sa(charon->bus, NULL); | |
3013 | ||
2b0c8ee3 | 3014 | array_destroy(this->child_sas); |
b1908994 | 3015 | DESTROY_IF(this->task_manager); |
a3854d83 | 3016 | DESTROY_IF(this->keymat); |
893da041 MW |
3017 | array_destroy(this->attributes); |
3018 | array_destroy(this->my_vips); | |
3019 | array_destroy(this->other_vips); | |
3020 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); | |
dc04b7c7 | 3021 | #ifdef ME |
22452f70 | 3022 | if (this->is_mediation_server) |
d5cc1758 | 3023 | { |
484a06bc TB |
3024 | charon->mediation_manager->remove(charon->mediation_manager, |
3025 | this->ike_sa_id); | |
d5cc1758 TB |
3026 | } |
3027 | DESTROY_IF(this->server_reflexive_host); | |
9c2a905d | 3028 | chunk_free(&this->connect_id); |
dc04b7c7 | 3029 | #endif /* ME */ |
9d9a772e | 3030 | free(this->nat_detection_dest.ptr); |
7daf5226 | 3031 | |
8dfbe71b MW |
3032 | DESTROY_IF(this->my_host); |
3033 | DESTROY_IF(this->other_host); | |
3034 | DESTROY_IF(this->my_id); | |
3035 | DESTROY_IF(this->other_id); | |
d487b4b7 AS |
3036 | DESTROY_IF(this->local_host); |
3037 | DESTROY_IF(this->remote_host); | |
e4af6e6b | 3038 | DESTROY_IF(this->redirected_from); |
c6ebd033 | 3039 | array_destroy(this->redirected_at); |
7daf5226 | 3040 | |
e0fe7651 MW |
3041 | DESTROY_IF(this->ike_cfg); |
3042 | DESTROY_IF(this->peer_cfg); | |
5dffdea1 | 3043 | DESTROY_IF(this->proposal); |
a44bb934 MW |
3044 | this->my_auth->destroy(this->my_auth); |
3045 | this->other_auth->destroy(this->other_auth); | |
893da041 MW |
3046 | array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy)); |
3047 | array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy)); | |
7daf5226 | 3048 | |
87a217f9 | 3049 | this->ike_sa_id->destroy(this->ike_sa_id); |
5113680f | 3050 | free(this); |
7ba38761 JH |
3051 | } |
3052 | ||
3053 | /* | |
39b2903f | 3054 | * Described in header. |
7ba38761 | 3055 | */ |
17ec1c74 MW |
3056 | ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, |
3057 | ike_version_t version) | |
7ba38761 | 3058 | { |
8bced61b | 3059 | private_ike_sa_t *this; |
3568abe7 | 3060 | static refcount_t unique_id = 0; |
7daf5226 | 3061 | |
3d54ae94 MW |
3062 | if (version == IKE_ANY) |
3063 | { /* prefer IKEv2 if protocol not specified */ | |
3064 | #ifdef USE_IKEV2 | |
3065 | version = IKEV2; | |
3066 | #else | |
3067 | version = IKEV1; | |
3068 | #endif | |
3069 | } | |
3070 | ||
8bced61b MW |
3071 | INIT(this, |
3072 | .public = { | |
0b611540 | 3073 | .get_version = _get_version, |
8bced61b MW |
3074 | .get_state = _get_state, |
3075 | .set_state = _set_state, | |
3076 | .get_name = _get_name, | |
3077 | .get_statistic = _get_statistic, | |
44ff1153 | 3078 | .set_statistic = _set_statistic, |
8bced61b MW |
3079 | .process_message = _process_message, |
3080 | .initiate = _initiate, | |
77e42826 | 3081 | .retry_initiate = _retry_initiate, |
8bced61b MW |
3082 | .get_ike_cfg = _get_ike_cfg, |
3083 | .set_ike_cfg = _set_ike_cfg, | |
3084 | .get_peer_cfg = _get_peer_cfg, | |
3085 | .set_peer_cfg = _set_peer_cfg, | |
3086 | .get_auth_cfg = _get_auth_cfg, | |
3087 | .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, | |
1b9c1ae0 | 3088 | .verify_peer_certificate = _verify_peer_certificate, |
8bced61b MW |
3089 | .add_auth_cfg = _add_auth_cfg, |
3090 | .get_proposal = _get_proposal, | |
3091 | .set_proposal = _set_proposal, | |
3092 | .get_id = _get_id, | |
3093 | .get_my_host = _get_my_host, | |
3094 | .set_my_host = _set_my_host, | |
3095 | .get_other_host = _get_other_host, | |
3096 | .set_other_host = _set_other_host, | |
3097 | .set_message_id = _set_message_id, | |
347c403c | 3098 | .get_message_id = _get_message_id, |
277f02ce | 3099 | .float_ports = _float_ports, |
8bced61b MW |
3100 | .update_hosts = _update_hosts, |
3101 | .get_my_id = _get_my_id, | |
3102 | .set_my_id = _set_my_id, | |
3103 | .get_other_id = _get_other_id, | |
3104 | .set_other_id = _set_other_id, | |
3105 | .get_other_eap_id = _get_other_eap_id, | |
3106 | .enable_extension = _enable_extension, | |
3107 | .supports_extension = _supports_extension, | |
3108 | .set_condition = _set_condition, | |
3109 | .has_condition = _has_condition, | |
94bbc602 TB |
3110 | .create_peer_address_enumerator = _create_peer_address_enumerator, |
3111 | .add_peer_address = _add_peer_address, | |
3112 | .clear_peer_addresses = _clear_peer_addresses, | |
8bced61b MW |
3113 | .has_mapping_changed = _has_mapping_changed, |
3114 | .retransmit = _retransmit, | |
3115 | .delete = _delete_, | |
3116 | .destroy = _destroy, | |
3117 | .send_dpd = _send_dpd, | |
3118 | .send_keepalive = _send_keepalive, | |
71c70705 | 3119 | .redirect = _redirect, |
c126ddd0 | 3120 | .handle_redirect = _handle_redirect, |
e4af6e6b | 3121 | .get_redirected_from = _get_redirected_from, |
8bced61b MW |
3122 | .get_keymat = _get_keymat, |
3123 | .add_child_sa = _add_child_sa, | |
3124 | .get_child_sa = _get_child_sa, | |
4bbce1ef TB |
3125 | .get_child_count = _get_child_count, |
3126 | .create_child_sa_enumerator = _create_child_sa_enumerator, | |
3127 | .remove_child_sa = _remove_child_sa, | |
8bced61b MW |
3128 | .rekey_child_sa = _rekey_child_sa, |
3129 | .delete_child_sa = _delete_child_sa, | |
3130 | .destroy_child_sa = _destroy_child_sa, | |
3131 | .rekey = _rekey, | |
3132 | .reauth = _reauth, | |
3133 | .reestablish = _reestablish, | |
3134 | .set_auth_lifetime = _set_auth_lifetime, | |
3135 | .roam = _roam, | |
713a1122 MW |
3136 | .inherit_pre = _inherit_pre, |
3137 | .inherit_post = _inherit_post, | |
8bced61b | 3138 | .generate_message = _generate_message, |
40bab9a1 | 3139 | .generate_message_fragmented = _generate_message_fragmented, |
8bced61b MW |
3140 | .reset = _reset, |
3141 | .get_unique_id = _get_unique_id, | |
101d26ba | 3142 | .add_virtual_ip = _add_virtual_ip, |
d2e8f20d | 3143 | .clear_virtual_ips = _clear_virtual_ips, |
101d26ba | 3144 | .create_virtual_ip_enumerator = _create_virtual_ip_enumerator, |
8bced61b | 3145 | .add_configuration_attribute = _add_configuration_attribute, |
9d257034 | 3146 | .create_attribute_enumerator = _create_attribute_enumerator, |
dec3c184 | 3147 | .get_if_id = _get_if_id, |
8bced61b | 3148 | .set_kmaddress = _set_kmaddress, |
ea340ee8 | 3149 | .create_task_enumerator = _create_task_enumerator, |
b7160401 | 3150 | .remove_task = _remove_task, |
cbc1a20f | 3151 | .flush_queue = _flush_queue, |
69adeb5b | 3152 | .queue_task = _queue_task, |
208678e6 | 3153 | .queue_task_delayed = _queue_task_delayed, |
00c889f4 | 3154 | .adopt_child_tasks = _adopt_child_tasks, |
dc04b7c7 | 3155 | #ifdef ME |
8bced61b MW |
3156 | .act_as_mediation_server = _act_as_mediation_server, |
3157 | .get_server_reflexive_host = _get_server_reflexive_host, | |
3158 | .set_server_reflexive_host = _set_server_reflexive_host, | |
3159 | .get_connect_id = _get_connect_id, | |
3160 | .initiate_mediation = _initiate_mediation, | |
3161 | .initiate_mediated = _initiate_mediated, | |
3162 | .relay = _relay, | |
3163 | .callback = _callback, | |
3164 | .respond = _respond, | |
dc04b7c7 | 3165 | #endif /* ME */ |
8bced61b MW |
3166 | }, |
3167 | .ike_sa_id = ike_sa_id->clone(ike_sa_id), | |
0b611540 | 3168 | .version = version, |
8bced61b MW |
3169 | .my_host = host_create_any(AF_INET), |
3170 | .other_host = host_create_any(AF_INET), | |
3171 | .my_id = identification_create_from_encoding(ID_ANY, chunk_empty), | |
3172 | .other_id = identification_create_from_encoding(ID_ANY, chunk_empty), | |
17ec1c74 | 3173 | .keymat = keymat_create(version, initiator), |
8bced61b MW |
3174 | .state = IKE_CREATED, |
3175 | .stats[STAT_INBOUND] = time_monotonic(NULL), | |
3176 | .stats[STAT_OUTBOUND] = time_monotonic(NULL), | |
3177 | .my_auth = auth_cfg_create(), | |
3178 | .other_auth = auth_cfg_create(), | |
893da041 MW |
3179 | .my_auths = array_create(0, 0), |
3180 | .other_auths = array_create(0, 0), | |
3181 | .attributes = array_create(sizeof(attribute_entry_t), 0), | |
3568abe7 | 3182 | .unique_id = ref_get(&unique_id), |
8bced61b | 3183 | .keepalive_interval = lib->settings->get_time(lib->settings, |
d223fe80 | 3184 | "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns), |
60c82591 | 3185 | .retry_initiate_interval = lib->settings->get_time(lib->settings, |
d223fe80 | 3186 | "%s.retry_initiate_interval", 0, lib->ns), |
b24b73b7 | 3187 | .flush_auth_cfg = lib->settings->get_bool(lib->settings, |
d223fe80 | 3188 | "%s.flush_auth_cfg", FALSE, lib->ns), |
40bab9a1 | 3189 | .fragment_size = lib->settings->get_int(lib->settings, |
0642f42b | 3190 | "%s.fragment_size", 1280, lib->ns), |
489d154e TB |
3191 | .follow_redirects = lib->settings->get_bool(lib->settings, |
3192 | "%s.follow_redirects", TRUE, lib->ns), | |
8bced61b | 3193 | ); |
4b64a1a1 | 3194 | |
11aadd77 MW |
3195 | if (version == IKEV2) |
3196 | { /* always supported with IKEv2 */ | |
3197 | enable_extension(this, EXT_DPD); | |
3198 | } | |
3199 | ||
5baaaa5e | 3200 | this->task_manager = task_manager_create(&this->public); |
b223d517 TB |
3201 | this->my_host->set_port(this->my_host, |
3202 | charon->socket->get_port(charon->socket, FALSE)); | |
7daf5226 | 3203 | |
3d54ae94 MW |
3204 | if (!this->task_manager || !this->keymat) |
3205 | { | |
3206 | DBG1(DBG_IKE, "IKE version %d not supported", this->version); | |
3207 | destroy(this); | |
3208 | return NULL; | |
3209 | } | |
3dd3c5f3 | 3210 | return &this->public; |
7ba38761 | 3211 | } |