]>
Commit | Line | Data |
---|---|---|
7ba38761 | 1 | /* |
dec3c184 | 2 | * Copyright (C) 2006-2019 Tobias Brunner |
d5cc1758 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
a44bb934 | 4 | * Copyright (C) 2005-2009 Martin Willi |
c71d53ba | 5 | * Copyright (C) 2005 Jan Hutter |
208678e6 | 6 | * HSR Hochschule fuer Technik Rapperswil |
7ba38761 JH |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
1396815a | 18 | |
05db0f97 VR |
19 | /* |
20 | * Copyright (c) 2014 Volker RĂ¼melin | |
21 | * | |
22 | * Permission is hereby granted, free of charge, to any person obtaining a copy | |
23 | * of this software and associated documentation files (the "Software"), to deal | |
24 | * in the Software without restriction, including without limitation the rights | |
25 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell | |
26 | * copies of the Software, and to permit persons to whom the Software is | |
27 | * furnished to do so, subject to the following conditions: | |
28 | * | |
29 | * The above copyright notice and this permission notice shall be included in | |
30 | * all copies or substantial portions of the Software. | |
31 | * | |
32 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR | |
33 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
34 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE | |
35 | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | |
36 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | |
37 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN | |
38 | * THE SOFTWARE. | |
39 | */ | |
40 | ||
5113680f | 41 | #include <string.h> |
c60c7694 | 42 | #include <sys/stat.h> |
db97fd82 | 43 | #include <errno.h> |
e13389a7 | 44 | #include <time.h> |
7ba38761 | 45 | |
88878242 MW |
46 | #include "ike_sa.h" |
47 | ||
db7ef624 | 48 | #include <library.h> |
c5f7146b | 49 | #include <daemon.h> |
893da041 | 50 | #include <collections/array.h> |
c60c7694 | 51 | #include <utils/lexparser.h> |
e0fe7651 MW |
52 | #include <processing/jobs/retransmit_job.h> |
53 | #include <processing/jobs/delete_ike_sa_job.h> | |
54 | #include <processing/jobs/send_dpd_job.h> | |
55 | #include <processing/jobs/send_keepalive_job.h> | |
56 | #include <processing/jobs/rekey_ike_sa_job.h> | |
60c82591 | 57 | #include <processing/jobs/retry_initiate_job.h> |
b1f2f05c | 58 | #include <sa/ikev2/tasks/ike_auth_lifetime.h> |
f20e00fe | 59 | #include <sa/ikev2/tasks/ike_reauth_complete.h> |
71c70705 | 60 | #include <sa/ikev2/tasks/ike_redirect.h> |
1b9c1ae0 | 61 | #include <credentials/sets/auth_cfg_wrapper.h> |
7ba38761 | 62 | |
dc04b7c7 | 63 | #ifdef ME |
15a682f4 | 64 | #include <sa/ikev2/tasks/ike_me.h> |
38951252 | 65 | #include <processing/jobs/initiate_mediation_job.h> |
d5cc1758 | 66 | #endif |
c60c7694 | 67 | |
a985db3f | 68 | ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, |
60356f33 MW |
69 | "CREATED", |
70 | "CONNECTING", | |
71 | "ESTABLISHED", | |
c610f424 | 72 | "PASSIVE", |
60356f33 | 73 | "REKEYING", |
bb389973 | 74 | "REKEYED", |
60356f33 | 75 | "DELETING", |
a985db3f | 76 | "DESTROYING", |
60356f33 | 77 | ); |
7ba38761 | 78 | |
aad398a7 | 79 | typedef struct private_ike_sa_t private_ike_sa_t; |
7f56b494 | 80 | typedef struct attribute_entry_t attribute_entry_t; |
aad398a7 JH |
81 | |
82 | /** | |
83 | * Private data of an ike_sa_t object. | |
84 | */ | |
85 | struct private_ike_sa_t { | |
7daf5226 | 86 | |
aad398a7 | 87 | /** |
3dd3c5f3 | 88 | * Public members |
2f89902d | 89 | */ |
3dd3c5f3 | 90 | ike_sa_t public; |
7daf5226 | 91 | |
aad398a7 | 92 | /** |
a374d1ee | 93 | * Identifier for the current IKE_SA. |
aad398a7 JH |
94 | */ |
95 | ike_sa_id_t *ike_sa_id; | |
7daf5226 | 96 | |
0b611540 TB |
97 | /** |
98 | * IKE version of this SA. | |
99 | */ | |
100 | ike_version_t version; | |
101 | ||
c60c7694 MW |
102 | /** |
103 | * unique numerical ID for this IKE_SA. | |
104 | */ | |
b12c53ce | 105 | uint32_t unique_id; |
7daf5226 | 106 | |
aad398a7 | 107 | /** |
8dfbe71b | 108 | * Current state of the IKE_SA |
aad398a7 | 109 | */ |
7f56b494 | 110 | ike_sa_state_t state; |
7daf5226 | 111 | |
a9428251 | 112 | /** |
e0fe7651 | 113 | * IKE configuration used to set up this IKE_SA |
a9428251 | 114 | */ |
e0fe7651 | 115 | ike_cfg_t *ike_cfg; |
7daf5226 | 116 | |
c60c7694 MW |
117 | /** |
118 | * Peer and authentication information to establish IKE_SA. | |
119 | */ | |
e0fe7651 | 120 | peer_cfg_t *peer_cfg; |
7daf5226 | 121 | |
552cc11b | 122 | /** |
893da041 | 123 | * currently used authentication ruleset, local |
552cc11b | 124 | */ |
a44bb934 | 125 | auth_cfg_t *my_auth; |
7daf5226 | 126 | |
44ce7493 | 127 | /** |
893da041 | 128 | * currently used authentication constraints, remote |
44ce7493 | 129 | */ |
893da041 | 130 | auth_cfg_t *other_auth; |
44ce7493 MW |
131 | |
132 | /** | |
893da041 | 133 | * Array of completed local authentication rounds (as auth_cfg_t) |
44ce7493 | 134 | */ |
893da041 | 135 | array_t *my_auths; |
44ce7493 | 136 | |
552cc11b | 137 | /** |
893da041 | 138 | * Array of completed remote authentication rounds (as auth_cfg_t) |
552cc11b | 139 | */ |
893da041 | 140 | array_t *other_auths; |
7daf5226 | 141 | |
5dffdea1 MW |
142 | /** |
143 | * Selected IKE proposal | |
144 | */ | |
145 | proposal_t *proposal; | |
7daf5226 | 146 | |
c60c7694 MW |
147 | /** |
148 | * Juggles tasks to process messages | |
149 | */ | |
150 | task_manager_t *task_manager; | |
7daf5226 | 151 | |
8dfbe71b MW |
152 | /** |
153 | * Address of local host | |
154 | */ | |
155 | host_t *my_host; | |
7daf5226 | 156 | |
8dfbe71b MW |
157 | /** |
158 | * Address of remote host | |
159 | */ | |
160 | host_t *other_host; | |
7daf5226 | 161 | |
dc04b7c7 | 162 | #ifdef ME |
22452f70 TB |
163 | /** |
164 | * Are we mediation server | |
165 | */ | |
166 | bool is_mediation_server; | |
7daf5226 | 167 | |
d5cc1758 TB |
168 | /** |
169 | * Server reflexive host | |
170 | */ | |
171 | host_t *server_reflexive_host; | |
7daf5226 | 172 | |
9c2a905d TB |
173 | /** |
174 | * Connect ID | |
175 | */ | |
176 | chunk_t connect_id; | |
dc04b7c7 | 177 | #endif /* ME */ |
7daf5226 | 178 | |
8dfbe71b MW |
179 | /** |
180 | * Identification used for us | |
181 | */ | |
182 | identification_t *my_id; | |
7daf5226 | 183 | |
a9428251 | 184 | /** |
8dfbe71b | 185 | * Identification used for other |
a9428251 | 186 | */ |
8dfbe71b | 187 | identification_t *other_id; |
7daf5226 | 188 | |
3b04350a MW |
189 | /** |
190 | * set of extensions the peer supports | |
191 | */ | |
192 | ike_extension_t extensions; | |
7daf5226 | 193 | |
17d92e97 MW |
194 | /** |
195 | * set of condition flags currently enabled for this IKE_SA | |
196 | */ | |
197 | ike_condition_t conditions; | |
7daf5226 | 198 | |
aad398a7 | 199 | /** |
893da041 | 200 | * Array containing the child sa's of the current IKE_SA. |
aad398a7 | 201 | */ |
893da041 | 202 | array_t *child_sas; |
7daf5226 | 203 | |
bc997f65 | 204 | /** |
6a4ff35c | 205 | * keymat of this IKE_SA |
bc997f65 | 206 | */ |
6a4ff35c | 207 | keymat_t *keymat; |
7daf5226 | 208 | |
3dd3c5f3 | 209 | /** |
101d26ba | 210 | * Virtual IPs on local host |
3dd3c5f3 | 211 | */ |
893da041 | 212 | array_t *my_vips; |
7daf5226 | 213 | |
c60c7694 | 214 | /** |
101d26ba | 215 | * Virtual IPs on remote host |
c60c7694 | 216 | */ |
893da041 | 217 | array_t *other_vips; |
7daf5226 | 218 | |
31e5d441 | 219 | /** |
7f56b494 | 220 | * List of configuration attributes (attribute_entry_t) |
31e5d441 | 221 | */ |
893da041 | 222 | array_t *attributes; |
7daf5226 | 223 | |
17d92e97 | 224 | /** |
94bbc602 | 225 | * list of peer's addresses, additional ones transmitted via MOBIKE |
17d92e97 | 226 | */ |
893da041 | 227 | array_t *peer_addresses; |
7daf5226 | 228 | |
9d9a772e MW |
229 | /** |
230 | * previously value of received DESTINATION_IP hash | |
231 | */ | |
232 | chunk_t nat_detection_dest; | |
7daf5226 | 233 | |
3dfecde4 AS |
234 | /** |
235 | * NAT keep alive interval | |
236 | */ | |
b12c53ce | 237 | uint32_t keepalive_interval; |
7daf5226 | 238 | |
efd7fa7b TB |
239 | /** |
240 | * The schedueld keep alive job, if any | |
241 | */ | |
242 | send_keepalive_job_t *keepalive_job; | |
243 | ||
60c82591 TB |
244 | /** |
245 | * interval for retries during initiation (e.g. if DNS resolution failed), | |
246 | * 0 to disable (default) | |
247 | */ | |
b12c53ce | 248 | uint32_t retry_initiate_interval; |
60c82591 | 249 | |
77e42826 TB |
250 | /** |
251 | * TRUE if a retry_initiate_job has been queued | |
252 | */ | |
253 | bool retry_initiate_queued; | |
254 | ||
1396815a | 255 | /** |
fe04e93a | 256 | * Timestamps for this IKE_SA |
1396815a | 257 | */ |
b12c53ce | 258 | uint32_t stats[STAT_MAX]; |
7daf5226 | 259 | |
fdb9b2bd MW |
260 | /** |
261 | * how many times we have retried so far (keyingtries) | |
262 | */ | |
b12c53ce | 263 | uint32_t keyingtry; |
7daf5226 | 264 | |
d487b4b7 AS |
265 | /** |
266 | * local host address to be used for IKE, set via MIGRATE kernel message | |
267 | */ | |
268 | host_t *local_host; | |
7daf5226 | 269 | |
d487b4b7 AS |
270 | /** |
271 | * remote host address to be used for IKE, set via MIGRATE kernel message | |
272 | */ | |
273 | host_t *remote_host; | |
b24b73b7 MW |
274 | |
275 | /** | |
276 | * Flush auth configs once established? | |
277 | */ | |
278 | bool flush_auth_cfg; | |
40bab9a1 TB |
279 | |
280 | /** | |
281 | * Maximum length of a single fragment, 0 for address-specific defaults | |
282 | */ | |
283 | size_t fragment_size; | |
489d154e TB |
284 | |
285 | /** | |
286 | * Whether to follow IKEv2 redirects | |
287 | */ | |
288 | bool follow_redirects; | |
e4af6e6b TB |
289 | |
290 | /** | |
291 | * Original gateway address from which we got redirected | |
292 | */ | |
293 | host_t *redirected_from; | |
c6ebd033 TB |
294 | |
295 | /** | |
296 | * Timestamps of redirect attempts to handle loops | |
297 | */ | |
298 | array_t *redirected_at; | |
dec3c184 TB |
299 | |
300 | /** | |
301 | * Inbound interface ID | |
302 | */ | |
303 | uint32_t if_id_in; | |
304 | ||
305 | /** | |
306 | * Outbound interface ID | |
307 | */ | |
308 | uint32_t if_id_out; | |
aad398a7 JH |
309 | }; |
310 | ||
7f56b494 MW |
311 | /** |
312 | * Entry to maintain install configuration attributes during IKE_SA lifetime | |
313 | */ | |
314 | struct attribute_entry_t { | |
315 | /** handler used to install this attribute */ | |
316 | attribute_handler_t *handler; | |
317 | /** attribute type */ | |
318 | configuration_attribute_type_t type; | |
319 | /** attribute data */ | |
320 | chunk_t data; | |
321 | }; | |
322 | ||
0b2abb8c | 323 | /** |
3dd3c5f3 | 324 | * get the time of the latest traffic processed by the kernel |
0b2abb8c | 325 | */ |
c60c7694 | 326 | static time_t get_use_time(private_ike_sa_t* this, bool inbound) |
3a8f9f44 | 327 | { |
6e10aead | 328 | enumerator_t *enumerator; |
3dd3c5f3 | 329 | child_sa_t *child_sa; |
c3a78360 | 330 | time_t use_time, current; |
7daf5226 | 331 | |
c60c7694 MW |
332 | if (inbound) |
333 | { | |
85ac2fa5 | 334 | use_time = this->stats[STAT_INBOUND]; |
c60c7694 MW |
335 | } |
336 | else | |
337 | { | |
85ac2fa5 | 338 | use_time = this->stats[STAT_OUTBOUND]; |
c60c7694 | 339 | } |
893da041 MW |
340 | |
341 | enumerator = array_create_enumerator(this->child_sas); | |
6e10aead MW |
342 | while (enumerator->enumerate(enumerator, &child_sa)) |
343 | { | |
d954a208 | 344 | child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL); |
c3a78360 | 345 | use_time = max(use_time, current); |
6e10aead MW |
346 | } |
347 | enumerator->destroy(enumerator); | |
7daf5226 | 348 | |
6e10aead | 349 | return use_time; |
a9428251 JH |
350 | } |
351 | ||
b12c53ce | 352 | METHOD(ike_sa_t, get_unique_id, uint32_t, |
8bced61b | 353 | private_ike_sa_t *this) |
aad398a7 | 354 | { |
c60c7694 | 355 | return this->unique_id; |
aad398a7 JH |
356 | } |
357 | ||
8bced61b MW |
358 | METHOD(ike_sa_t, get_name, char*, |
359 | private_ike_sa_t *this) | |
0fdc3c7f | 360 | { |
e0fe7651 | 361 | if (this->peer_cfg) |
c60c7694 | 362 | { |
e0fe7651 | 363 | return this->peer_cfg->get_name(this->peer_cfg); |
c60c7694 MW |
364 | } |
365 | return "(unnamed)"; | |
0fdc3c7f JH |
366 | } |
367 | ||
b12c53ce | 368 | METHOD(ike_sa_t, get_statistic, uint32_t, |
8bced61b | 369 | private_ike_sa_t *this, statistic_t kind) |
a3ce4bc2 | 370 | { |
85ac2fa5 | 371 | if (kind < STAT_MAX) |
a3ce4bc2 | 372 | { |
85ac2fa5 | 373 | return this->stats[kind]; |
a3ce4bc2 | 374 | } |
ee614711 | 375 | return 0; |
a3ce4bc2 MW |
376 | } |
377 | ||
44ff1153 | 378 | METHOD(ike_sa_t, set_statistic, void, |
b12c53ce | 379 | private_ike_sa_t *this, statistic_t kind, uint32_t value) |
44ff1153 TB |
380 | { |
381 | if (kind < STAT_MAX) | |
382 | { | |
383 | this->stats[kind] = value; | |
384 | } | |
385 | } | |
386 | ||
8bced61b MW |
387 | METHOD(ike_sa_t, get_my_host, host_t*, |
388 | private_ike_sa_t *this) | |
8dfbe71b | 389 | { |
e0fe7651 | 390 | return this->my_host; |
8dfbe71b MW |
391 | } |
392 | ||
8bced61b MW |
393 | METHOD(ike_sa_t, set_my_host, void, |
394 | private_ike_sa_t *this, host_t *me) | |
8dfbe71b | 395 | { |
e0fe7651 MW |
396 | DESTROY_IF(this->my_host); |
397 | this->my_host = me; | |
8dfbe71b MW |
398 | } |
399 | ||
8bced61b MW |
400 | METHOD(ike_sa_t, get_other_host, host_t*, |
401 | private_ike_sa_t *this) | |
397f3448 | 402 | { |
e0fe7651 | 403 | return this->other_host; |
c60c7694 MW |
404 | } |
405 | ||
8bced61b MW |
406 | METHOD(ike_sa_t, set_other_host, void, |
407 | private_ike_sa_t *this, host_t *other) | |
c60c7694 | 408 | { |
e0fe7651 MW |
409 | DESTROY_IF(this->other_host); |
410 | this->other_host = other; | |
397f3448 MW |
411 | } |
412 | ||
e4af6e6b TB |
413 | METHOD(ike_sa_t, get_redirected_from, host_t*, |
414 | private_ike_sa_t *this) | |
415 | { | |
416 | return this->redirected_from; | |
417 | } | |
418 | ||
8bced61b MW |
419 | METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*, |
420 | private_ike_sa_t *this) | |
8dfbe71b | 421 | { |
e0fe7651 | 422 | return this->peer_cfg; |
8dfbe71b MW |
423 | } |
424 | ||
8bced61b MW |
425 | METHOD(ike_sa_t, set_peer_cfg, void, |
426 | private_ike_sa_t *this, peer_cfg_t *peer_cfg) | |
fe04e93a | 427 | { |
e0fe7651 | 428 | peer_cfg->get_ref(peer_cfg); |
dbd21695 | 429 | DESTROY_IF(this->peer_cfg); |
e0fe7651 | 430 | this->peer_cfg = peer_cfg; |
7daf5226 | 431 | |
dec3c184 | 432 | if (!this->ike_cfg) |
e0fe7651 MW |
433 | { |
434 | this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); | |
435 | this->ike_cfg->get_ref(this->ike_cfg); | |
436 | } | |
dec3c184 TB |
437 | |
438 | this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE); | |
439 | this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE); | |
440 | allocate_unique_if_ids(&this->if_id_in, &this->if_id_out); | |
552cc11b MW |
441 | } |
442 | ||
8bced61b MW |
443 | METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*, |
444 | private_ike_sa_t *this, bool local) | |
552cc11b | 445 | { |
a44bb934 MW |
446 | if (local) |
447 | { | |
448 | return this->my_auth; | |
449 | } | |
552cc11b MW |
450 | return this->other_auth; |
451 | } | |
452 | ||
8bced61b MW |
453 | METHOD(ike_sa_t, add_auth_cfg, void, |
454 | private_ike_sa_t *this, bool local, auth_cfg_t *cfg) | |
44ce7493 MW |
455 | { |
456 | if (local) | |
457 | { | |
893da041 | 458 | array_insert(this->my_auths, ARRAY_TAIL, cfg); |
44ce7493 MW |
459 | } |
460 | else | |
461 | { | |
893da041 | 462 | array_insert(this->other_auths, ARRAY_TAIL, cfg); |
44ce7493 MW |
463 | } |
464 | } | |
465 | ||
8bced61b MW |
466 | METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*, |
467 | private_ike_sa_t *this, bool local) | |
44ce7493 MW |
468 | { |
469 | if (local) | |
470 | { | |
893da041 | 471 | return array_create_enumerator(this->my_auths); |
44ce7493 | 472 | } |
893da041 | 473 | return array_create_enumerator(this->other_auths); |
44ce7493 MW |
474 | } |
475 | ||
e41adf5f TB |
476 | /** |
477 | * Flush the stored authentication round information | |
478 | */ | |
479 | static void flush_auth_cfgs(private_ike_sa_t *this) | |
480 | { | |
481 | auth_cfg_t *cfg; | |
482 | ||
483 | this->my_auth->purge(this->my_auth, FALSE); | |
484 | this->other_auth->purge(this->other_auth, FALSE); | |
485 | ||
486 | while (array_remove(this->my_auths, ARRAY_TAIL, &cfg)) | |
487 | { | |
488 | cfg->destroy(cfg); | |
489 | } | |
490 | while (array_remove(this->other_auths, ARRAY_TAIL, &cfg)) | |
491 | { | |
492 | cfg->destroy(cfg); | |
493 | } | |
494 | } | |
495 | ||
1b9c1ae0 TB |
496 | METHOD(ike_sa_t, verify_peer_certificate, bool, |
497 | private_ike_sa_t *this) | |
498 | { | |
499 | enumerator_t *e1, *e2, *certs; | |
500 | auth_cfg_t *cfg, *cfg_done; | |
501 | certificate_t *peer, *cert; | |
502 | public_key_t *key; | |
503 | auth_cfg_t *auth; | |
504 | auth_cfg_wrapper_t *wrapper; | |
505 | time_t not_before, not_after; | |
506 | bool valid = TRUE, found; | |
507 | ||
508 | if (this->state != IKE_ESTABLISHED) | |
509 | { | |
510 | DBG1(DBG_IKE, "unable to verify peer certificate in state %N", | |
511 | ike_sa_state_names, this->state); | |
512 | return FALSE; | |
513 | } | |
514 | ||
e41adf5f TB |
515 | if (!this->flush_auth_cfg && |
516 | lib->settings->get_bool(lib->settings, | |
1b9c1ae0 | 517 | "%s.flush_auth_cfg", FALSE, lib->ns)) |
e41adf5f | 518 | { /* we can do this check only once if auth configs are flushed */ |
1b9c1ae0 TB |
519 | DBG1(DBG_IKE, "unable to verify peer certificate as authentication " |
520 | "information has been flushed"); | |
521 | return FALSE; | |
522 | } | |
e41adf5f TB |
523 | this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED, |
524 | FALSE); | |
1b9c1ae0 TB |
525 | |
526 | e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE); | |
527 | e2 = array_create_enumerator(this->other_auths); | |
528 | while (e1->enumerate(e1, &cfg)) | |
529 | { | |
530 | if (!e2->enumerate(e2, &cfg_done)) | |
531 | { /* this should not happen as the authentication should never have | |
532 | * succeeded */ | |
533 | valid = FALSE; | |
534 | break; | |
535 | } | |
536 | if ((uintptr_t)cfg_done->get(cfg_done, | |
537 | AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY) | |
538 | { | |
539 | continue; | |
540 | } | |
541 | peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT); | |
542 | if (!peer) | |
543 | { | |
544 | DBG1(DBG_IKE, "no subject certificate found, skipping certificate " | |
545 | "verification"); | |
546 | continue; | |
547 | } | |
548 | if (!peer->get_validity(peer, NULL, ¬_before, ¬_after)) | |
549 | { | |
1b9c1ae0 TB |
550 | DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)", |
551 | ¬_before, FALSE, ¬_after, FALSE); | |
552 | valid = FALSE; | |
553 | break; | |
554 | } | |
555 | key = peer->get_public_key(peer); | |
556 | if (!key) | |
557 | { | |
558 | DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate " | |
559 | "verification"); | |
560 | continue; | |
561 | } | |
562 | DBG1(DBG_IKE, "verifying peer certificate"); | |
563 | /* serve received certificates */ | |
564 | wrapper = auth_cfg_wrapper_create(cfg_done); | |
565 | lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE); | |
566 | certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, | |
567 | key->get_type(key), peer->get_subject(peer), TRUE); | |
568 | key->destroy(key); | |
569 | ||
570 | found = FALSE; | |
571 | while (certs->enumerate(certs, &cert, &auth)) | |
572 | { | |
573 | if (peer->equals(peer, cert)) | |
574 | { | |
575 | cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED, | |
576 | FALSE); | |
577 | cfg_done->merge(cfg_done, auth, FALSE); | |
578 | valid = cfg_done->complies(cfg_done, cfg, TRUE); | |
579 | found = TRUE; | |
580 | break; | |
581 | } | |
582 | } | |
583 | certs->destroy(certs); | |
584 | lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); | |
585 | wrapper->destroy(wrapper); | |
586 | if (!found || !valid) | |
587 | { | |
588 | valid = FALSE; | |
589 | break; | |
590 | } | |
591 | } | |
592 | e1->destroy(e1); | |
593 | e2->destroy(e2); | |
1b9c1ae0 | 594 | |
e41adf5f | 595 | if (this->flush_auth_cfg) |
44ce7493 | 596 | { |
e41adf5f TB |
597 | this->flush_auth_cfg = FALSE; |
598 | flush_auth_cfgs(this); | |
44ce7493 | 599 | } |
e41adf5f | 600 | return valid; |
44ce7493 MW |
601 | } |
602 | ||
8bced61b MW |
603 | METHOD(ike_sa_t, get_proposal, proposal_t*, |
604 | private_ike_sa_t *this) | |
5dffdea1 MW |
605 | { |
606 | return this->proposal; | |
607 | } | |
608 | ||
8bced61b MW |
609 | METHOD(ike_sa_t, set_proposal, void, |
610 | private_ike_sa_t *this, proposal_t *proposal) | |
5dffdea1 MW |
611 | { |
612 | DESTROY_IF(this->proposal); | |
613 | this->proposal = proposal->clone(proposal); | |
614 | } | |
615 | ||
8bced61b | 616 | METHOD(ike_sa_t, set_message_id, void, |
b12c53ce | 617 | private_ike_sa_t *this, bool initiate, uint32_t mid) |
b09ca747 MW |
618 | { |
619 | if (initiate) | |
620 | { | |
f1f09810 | 621 | this->task_manager->reset(this->task_manager, mid, UINT_MAX); |
b09ca747 MW |
622 | } |
623 | else | |
624 | { | |
f1f09810 | 625 | this->task_manager->reset(this->task_manager, UINT_MAX, mid); |
b09ca747 MW |
626 | } |
627 | } | |
628 | ||
347c403c TB |
629 | METHOD(ike_sa_t, get_message_id, uint32_t, |
630 | private_ike_sa_t *this, bool initiate) | |
631 | { | |
632 | return this->task_manager->get_mid(this->task_manager, initiate); | |
633 | } | |
634 | ||
8bced61b | 635 | METHOD(ike_sa_t, send_keepalive, void, |
efd7fa7b | 636 | private_ike_sa_t *this, bool scheduled) |
2b3100b5 | 637 | { |
2b3100b5 | 638 | time_t last_out, now, diff; |
7daf5226 | 639 | |
efd7fa7b TB |
640 | if (scheduled) |
641 | { | |
642 | this->keepalive_job = NULL; | |
643 | } | |
34f7d3b7 TB |
644 | if (!this->keepalive_interval || this->state == IKE_PASSIVE) |
645 | { /* keepalives disabled either by configuration or for passive IKE_SAs */ | |
646 | return; | |
647 | } | |
648 | if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE)) | |
649 | { /* disable keepalives if we are not NATed anymore, or the SA is stale */ | |
3d928c9f MW |
650 | return; |
651 | } | |
7daf5226 | 652 | |
2b3100b5 | 653 | last_out = get_use_time(this, FALSE); |
6180a558 | 654 | now = time_monotonic(NULL); |
7daf5226 | 655 | |
2b3100b5 | 656 | diff = now - last_out; |
7daf5226 | 657 | |
3dfecde4 | 658 | if (diff >= this->keepalive_interval) |
2b3100b5 MW |
659 | { |
660 | packet_t *packet; | |
661 | chunk_t data; | |
7daf5226 | 662 | |
2b3100b5 MW |
663 | packet = packet_create(); |
664 | packet->set_source(packet, this->my_host->clone(this->my_host)); | |
665 | packet->set_destination(packet, this->other_host->clone(this->other_host)); | |
666 | data.ptr = malloc(1); | |
667 | data.ptr[0] = 0xFF; | |
668 | data.len = 1; | |
669 | packet->set_data(packet, data); | |
f3fefb18 | 670 | DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host); |
75f83163 | 671 | charon->sender->send_no_marker(charon->sender, packet); |
2b3100b5 MW |
672 | diff = 0; |
673 | } | |
efd7fa7b TB |
674 | if (!this->keepalive_job) |
675 | { | |
676 | this->keepalive_job = send_keepalive_job_create(this->ike_sa_id); | |
677 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job, | |
678 | this->keepalive_interval - diff); | |
679 | } | |
2b3100b5 MW |
680 | } |
681 | ||
8bced61b MW |
682 | METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, |
683 | private_ike_sa_t *this) | |
8dfbe71b | 684 | { |
e0fe7651 | 685 | return this->ike_cfg; |
8dfbe71b | 686 | } |
5b97779f | 687 | |
8bced61b MW |
688 | METHOD(ike_sa_t, set_ike_cfg, void, |
689 | private_ike_sa_t *this, ike_cfg_t *ike_cfg) | |
fe04e93a | 690 | { |
054ee5e7 | 691 | DESTROY_IF(this->ike_cfg); |
e0fe7651 MW |
692 | ike_cfg->get_ref(ike_cfg); |
693 | this->ike_cfg = ike_cfg; | |
fe04e93a | 694 | } |
4a035181 | 695 | |
8bced61b MW |
696 | METHOD(ike_sa_t, enable_extension, void, |
697 | private_ike_sa_t *this, ike_extension_t extension) | |
2b3100b5 MW |
698 | { |
699 | this->extensions |= extension; | |
700 | } | |
701 | ||
8bced61b MW |
702 | METHOD(ike_sa_t, supports_extension, bool, |
703 | private_ike_sa_t *this, ike_extension_t extension) | |
2b3100b5 MW |
704 | { |
705 | return (this->extensions & extension) != FALSE; | |
706 | } | |
707 | ||
8bced61b MW |
708 | METHOD(ike_sa_t, has_condition, bool, |
709 | private_ike_sa_t *this, ike_condition_t condition) | |
2b3100b5 MW |
710 | { |
711 | return (this->conditions & condition) != FALSE; | |
712 | } | |
713 | ||
8bced61b MW |
714 | METHOD(ike_sa_t, set_condition, void, |
715 | private_ike_sa_t *this, ike_condition_t condition, bool enable) | |
2b3100b5 MW |
716 | { |
717 | if (has_condition(this, condition) != enable) | |
718 | { | |
719 | if (enable) | |
720 | { | |
fc2d1c42 | 721 | this->conditions |= condition; |
2b3100b5 MW |
722 | switch (condition) |
723 | { | |
2b3100b5 MW |
724 | case COND_NAT_HERE: |
725 | DBG1(DBG_IKE, "local host is behind NAT, sending keep alives"); | |
726 | this->conditions |= COND_NAT_ANY; | |
efd7fa7b | 727 | send_keepalive(this, FALSE); |
2b3100b5 MW |
728 | break; |
729 | case COND_NAT_THERE: | |
730 | DBG1(DBG_IKE, "remote host is behind NAT"); | |
731 | this->conditions |= COND_NAT_ANY; | |
732 | break; | |
9dae1bed | 733 | case COND_NAT_FAKE: |
f53b74c9 | 734 | DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation"); |
9dae1bed MW |
735 | this->conditions |= COND_NAT_ANY; |
736 | break; | |
2b3100b5 MW |
737 | default: |
738 | break; | |
739 | } | |
2b3100b5 MW |
740 | } |
741 | else | |
742 | { | |
fc2d1c42 | 743 | this->conditions &= ~condition; |
2b3100b5 MW |
744 | switch (condition) |
745 | { | |
fc2d1c42 MW |
746 | case COND_NAT_HERE: |
747 | case COND_NAT_THERE: | |
f9056115 TB |
748 | DBG1(DBG_IKE, "%s host is not behind NAT anymore", |
749 | condition == COND_NAT_HERE ? "local" : "remote"); | |
750 | /* fall-through */ | |
751 | case COND_NAT_FAKE: | |
fc2d1c42 MW |
752 | set_condition(this, COND_NAT_ANY, |
753 | has_condition(this, COND_NAT_HERE) || | |
9dae1bed MW |
754 | has_condition(this, COND_NAT_THERE) || |
755 | has_condition(this, COND_NAT_FAKE)); | |
fc2d1c42 | 756 | break; |
34f7d3b7 | 757 | case COND_STALE: |
efd7fa7b | 758 | send_keepalive(this, FALSE); |
34f7d3b7 | 759 | break; |
2b3100b5 MW |
760 | default: |
761 | break; | |
762 | } | |
2b3100b5 MW |
763 | } |
764 | } | |
765 | } | |
fe04e93a | 766 | |
8bced61b MW |
767 | METHOD(ike_sa_t, send_dpd, status_t, |
768 | private_ike_sa_t *this) | |
fdb9b2bd | 769 | { |
6554b5e4 | 770 | job_t *job; |
fdb9b2bd | 771 | time_t diff, delay; |
bcf8cdd5 | 772 | bool task_queued = FALSE; |
7daf5226 | 773 | |
916cdca8 MW |
774 | if (this->state == IKE_PASSIVE) |
775 | { | |
776 | return INVALID_STATE; | |
777 | } | |
f15c85a4 TB |
778 | if (this->version == IKEV1 && this->state == IKE_REKEYING) |
779 | { /* don't send DPDs for rekeyed IKEv1 SAs */ | |
780 | return SUCCESS; | |
781 | } | |
96926b00 | 782 | delay = this->peer_cfg->get_dpd(this->peer_cfg); |
fdb9b2bd MW |
783 | if (this->task_manager->busy(this->task_manager)) |
784 | { | |
785 | /* an exchange is in the air, no need to start a DPD check */ | |
786 | diff = 0; | |
787 | } | |
788 | else | |
789 | { | |
790 | /* check if there was any inbound traffic */ | |
791 | time_t last_in, now; | |
792 | last_in = get_use_time(this, TRUE); | |
6180a558 | 793 | now = time_monotonic(NULL); |
fdb9b2bd | 794 | diff = now - last_in; |
6c2d466b | 795 | if (!delay || diff >= delay) |
fdb9b2bd | 796 | { |
bcf8cdd5 | 797 | /* too long ago, initiate dead peer detection */ |
fdb9b2bd | 798 | DBG1(DBG_IKE, "sending DPD request"); |
244d715d | 799 | this->task_manager->queue_dpd(this->task_manager); |
bcf8cdd5 | 800 | task_queued = TRUE; |
244d715d | 801 | diff = 0; |
fdb9b2bd MW |
802 | } |
803 | } | |
804 | /* recheck in "interval" seconds */ | |
6c2d466b MW |
805 | if (delay) |
806 | { | |
807 | job = (job_t*)send_dpd_job_create(this->ike_sa_id); | |
808 | lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); | |
809 | } | |
bcf8cdd5 TB |
810 | if (task_queued) |
811 | { | |
812 | return this->task_manager->initiate(this->task_manager); | |
813 | } | |
814 | return SUCCESS; | |
fdb9b2bd MW |
815 | } |
816 | ||
8bced61b MW |
817 | METHOD(ike_sa_t, get_state, ike_sa_state_t, |
818 | private_ike_sa_t *this) | |
fdb9b2bd MW |
819 | { |
820 | return this->state; | |
821 | } | |
822 | ||
8bced61b MW |
823 | METHOD(ike_sa_t, set_state, void, |
824 | private_ike_sa_t *this, ike_sa_state_t state) | |
fdb9b2bd | 825 | { |
edaba56e | 826 | bool trigger_dpd = FALSE, keepalives = FALSE; |
85dd6a8d | 827 | |
98ba96f1 | 828 | DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N", |
51c8f826 | 829 | get_name(this), this->unique_id, |
fdb9b2bd MW |
830 | ike_sa_state_names, this->state, |
831 | ike_sa_state_names, state); | |
7daf5226 | 832 | |
0f33e826 | 833 | switch (state) |
fdb9b2bd | 834 | { |
0f33e826 | 835 | case IKE_ESTABLISHED: |
fdb9b2bd | 836 | { |
405cc1d9 MW |
837 | if (this->state == IKE_CONNECTING || |
838 | this->state == IKE_PASSIVE) | |
0f33e826 MW |
839 | { |
840 | job_t *job; | |
b12c53ce | 841 | uint32_t t; |
7daf5226 | 842 | |
ee614711 | 843 | /* calculate rekey, reauth and lifetime */ |
6180a558 | 844 | this->stats[STAT_ESTABLISHED] = time_monotonic(NULL); |
7daf5226 | 845 | |
ee614711 MW |
846 | /* schedule rekeying if we have a time which is smaller than |
847 | * an already scheduled rekeying */ | |
d08269c7 | 848 | t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE); |
484a06bc | 849 | if (t && (this->stats[STAT_REKEY] == 0 || |
85ac2fa5 | 850 | (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED]))) |
0f33e826 | 851 | { |
85ac2fa5 | 852 | this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED]; |
ee614711 | 853 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE); |
bb381e26 | 854 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 | 855 | DBG1(DBG_IKE, "scheduling rekeying in %ds", t); |
0f33e826 | 856 | } |
d08269c7 | 857 | t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE); |
484a06bc | 858 | if (t && (this->stats[STAT_REAUTH] == 0 || |
85ac2fa5 | 859 | (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED]))) |
ee614711 | 860 | { |
85ac2fa5 | 861 | this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED]; |
ee614711 | 862 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE); |
bb381e26 | 863 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 MW |
864 | DBG1(DBG_IKE, "scheduling reauthentication in %ds", t); |
865 | } | |
866 | t = this->peer_cfg->get_over_time(this->peer_cfg); | |
85ac2fa5 | 867 | if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH]) |
0f33e826 | 868 | { |
85ac2fa5 | 869 | if (this->stats[STAT_REAUTH] == 0) |
ee614711 | 870 | { |
85ac2fa5 | 871 | this->stats[STAT_DELETE] = this->stats[STAT_REKEY]; |
ee614711 | 872 | } |
85ac2fa5 | 873 | else if (this->stats[STAT_REKEY] == 0) |
ee614711 | 874 | { |
85ac2fa5 | 875 | this->stats[STAT_DELETE] = this->stats[STAT_REAUTH]; |
ee614711 MW |
876 | } |
877 | else | |
878 | { | |
85ac2fa5 MW |
879 | this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY], |
880 | this->stats[STAT_REAUTH]); | |
ee614711 | 881 | } |
85ac2fa5 MW |
882 | this->stats[STAT_DELETE] += t; |
883 | t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED]; | |
0f33e826 | 884 | job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); |
bb381e26 | 885 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
ee614711 | 886 | DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t); |
0f33e826 | 887 | } |
85dd6a8d | 888 | trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg); |
b76e96e2 MW |
889 | if (trigger_dpd) |
890 | { | |
891 | /* Some peers delay the DELETE after rekeying an IKE_SA. | |
892 | * If this delay is longer than our DPD delay, we would | |
893 | * send a DPD request here. The IKE_SA is not ready to do | |
894 | * so yet, so prevent that. */ | |
895 | this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED]; | |
896 | } | |
edaba56e TE |
897 | if (this->state == IKE_PASSIVE) |
898 | { | |
899 | keepalives = TRUE; | |
900 | } | |
e4af6e6b TB |
901 | DESTROY_IF(this->redirected_from); |
902 | this->redirected_from = NULL; | |
0f33e826 MW |
903 | } |
904 | break; | |
fdb9b2bd | 905 | } |
0f33e826 MW |
906 | default: |
907 | break; | |
fdb9b2bd | 908 | } |
a985db3f | 909 | charon->bus->ike_state_change(charon->bus, &this->public, state); |
fdb9b2bd | 910 | this->state = state; |
85dd6a8d MW |
911 | |
912 | if (trigger_dpd) | |
913 | { | |
f98af1dd MW |
914 | if (supports_extension(this, EXT_DPD)) |
915 | { | |
916 | send_dpd(this); | |
917 | } | |
918 | else | |
919 | { | |
920 | DBG1(DBG_IKE, "DPD not supported by peer, disabled"); | |
921 | } | |
85dd6a8d | 922 | } |
edaba56e TE |
923 | if (keepalives) |
924 | { | |
efd7fa7b | 925 | send_keepalive(this, FALSE); |
edaba56e | 926 | } |
fdb9b2bd MW |
927 | } |
928 | ||
8bced61b | 929 | METHOD(ike_sa_t, reset, void, |
c3539961 | 930 | private_ike_sa_t *this, bool new_spi) |
fdb9b2bd | 931 | { |
c3539961 TB |
932 | /* reset the initiator SPI if requested */ |
933 | if (new_spi) | |
934 | { | |
935 | charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager, | |
936 | &this->public); | |
937 | } | |
938 | /* the responder ID is reset, as peer may choose another one */ | |
fdb9b2bd MW |
939 | if (this->ike_sa_id->is_initiator(this->ike_sa_id)) |
940 | { | |
941 | this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0); | |
942 | } | |
7daf5226 | 943 | |
fdb9b2bd | 944 | set_state(this, IKE_CREATED); |
7daf5226 | 945 | |
550d9085 MW |
946 | flush_auth_cfgs(this); |
947 | ||
948 | this->keymat->destroy(this->keymat); | |
4b64a1a1 TB |
949 | this->keymat = keymat_create(this->version, |
950 | this->ike_sa_id->is_initiator(this->ike_sa_id)); | |
550d9085 | 951 | |
b09ca747 | 952 | this->task_manager->reset(this->task_manager, 0, 0); |
d9fe0ec7 | 953 | this->task_manager->queue_ike(this->task_manager); |
fdb9b2bd MW |
954 | } |
955 | ||
8bced61b MW |
956 | METHOD(ike_sa_t, get_keymat, keymat_t*, |
957 | private_ike_sa_t *this) | |
6a4ff35c MW |
958 | { |
959 | return this->keymat; | |
960 | } | |
961 | ||
101d26ba | 962 | METHOD(ike_sa_t, add_virtual_ip, void, |
8bced61b | 963 | private_ike_sa_t *this, bool local, host_t *ip) |
c532d646 MW |
964 | { |
965 | if (local) | |
966 | { | |
b185cdd1 MW |
967 | char *iface; |
968 | ||
8394ea2a TB |
969 | if (charon->kernel->get_interface(charon->kernel, this->my_host, |
970 | &iface)) | |
c532d646 | 971 | { |
b185cdd1 | 972 | DBG1(DBG_IKE, "installing new virtual IP %H", ip); |
8394ea2a TB |
973 | if (charon->kernel->add_ip(charon->kernel, ip, -1, |
974 | iface) == SUCCESS) | |
b185cdd1 | 975 | { |
893da041 | 976 | array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip)); |
b185cdd1 MW |
977 | } |
978 | else | |
979 | { | |
980 | DBG1(DBG_IKE, "installing virtual IP %H failed", ip); | |
981 | } | |
982 | free(iface); | |
c532d646 MW |
983 | } |
984 | else | |
985 | { | |
b185cdd1 | 986 | DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip); |
c532d646 MW |
987 | } |
988 | } | |
989 | else | |
990 | { | |
893da041 | 991 | array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip)); |
c532d646 MW |
992 | } |
993 | } | |
994 | ||
d2e8f20d TB |
995 | |
996 | METHOD(ike_sa_t, clear_virtual_ips, void, | |
997 | private_ike_sa_t *this, bool local) | |
998 | { | |
893da041 | 999 | array_t *vips; |
d2e8f20d TB |
1000 | host_t *vip; |
1001 | ||
893da041 MW |
1002 | vips = local ? this->my_vips : this->other_vips; |
1003 | if (!local && array_count(vips)) | |
12fa1784 AS |
1004 | { |
1005 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); | |
1006 | } | |
893da041 | 1007 | while (array_remove(vips, ARRAY_HEAD, &vip)) |
d2e8f20d TB |
1008 | { |
1009 | if (local) | |
1010 | { | |
8394ea2a | 1011 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
d2e8f20d TB |
1012 | } |
1013 | vip->destroy(vip); | |
1014 | } | |
1015 | } | |
1016 | ||
101d26ba | 1017 | METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*, |
8bced61b | 1018 | private_ike_sa_t *this, bool local) |
c532d646 MW |
1019 | { |
1020 | if (local) | |
1021 | { | |
893da041 | 1022 | return array_create_enumerator(this->my_vips); |
c532d646 | 1023 | } |
893da041 | 1024 | return array_create_enumerator(this->other_vips); |
c532d646 MW |
1025 | } |
1026 | ||
94bbc602 | 1027 | METHOD(ike_sa_t, add_peer_address, void, |
8bced61b | 1028 | private_ike_sa_t *this, host_t *host) |
c532d646 | 1029 | { |
893da041 | 1030 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, host); |
c532d646 | 1031 | } |
7daf5226 | 1032 | |
94bbc602 | 1033 | METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*, |
8bced61b | 1034 | private_ike_sa_t *this) |
c532d646 | 1035 | { |
893da041 | 1036 | if (this->peer_addresses) |
12715f19 | 1037 | { |
893da041 | 1038 | return array_create_enumerator(this->peer_addresses); |
12715f19 TB |
1039 | } |
1040 | /* in case we don't have MOBIKE */ | |
1041 | return enumerator_create_single(this->other_host, NULL); | |
572abc6c TB |
1042 | } |
1043 | ||
94bbc602 | 1044 | METHOD(ike_sa_t, clear_peer_addresses, void, |
572abc6c TB |
1045 | private_ike_sa_t *this) |
1046 | { | |
893da041 MW |
1047 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); |
1048 | this->peer_addresses = NULL; | |
c532d646 | 1049 | } |
9d9a772e | 1050 | |
8bced61b MW |
1051 | METHOD(ike_sa_t, has_mapping_changed, bool, |
1052 | private_ike_sa_t *this, chunk_t hash) | |
9d9a772e MW |
1053 | { |
1054 | if (this->nat_detection_dest.ptr == NULL) | |
1055 | { | |
1056 | this->nat_detection_dest = chunk_clone(hash); | |
1057 | return FALSE; | |
1058 | } | |
1059 | if (chunk_equals(hash, this->nat_detection_dest)) | |
1060 | { | |
1061 | return FALSE; | |
1062 | } | |
1063 | free(this->nat_detection_dest.ptr); | |
1064 | this->nat_detection_dest = chunk_clone(hash); | |
1065 | return TRUE; | |
1066 | } | |
1067 | ||
277f02ce TB |
1068 | METHOD(ike_sa_t, float_ports, void, |
1069 | private_ike_sa_t *this) | |
1070 | { | |
85bfab62 TB |
1071 | /* even if the remote port is not 500 (e.g. because the response was natted) |
1072 | * we switch the remote port if we used port 500 */ | |
1073 | if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT || | |
1074 | this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT) | |
1075 | { | |
1076 | this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); | |
1077 | } | |
b223d517 TB |
1078 | if (this->my_host->get_port(this->my_host) == |
1079 | charon->socket->get_port(charon->socket, FALSE)) | |
277f02ce | 1080 | { |
b223d517 TB |
1081 | this->my_host->set_port(this->my_host, |
1082 | charon->socket->get_port(charon->socket, TRUE)); | |
277f02ce | 1083 | } |
277f02ce TB |
1084 | } |
1085 | ||
8bced61b | 1086 | METHOD(ike_sa_t, update_hosts, void, |
2082417d | 1087 | private_ike_sa_t *this, host_t *me, host_t *other, bool force) |
0fdc3c7f | 1088 | { |
2b3100b5 | 1089 | bool update = FALSE; |
7daf5226 | 1090 | |
2b3100b5 | 1091 | if (me == NULL) |
8dfbe71b | 1092 | { |
2b3100b5 | 1093 | me = this->my_host; |
8dfbe71b | 1094 | } |
2b3100b5 | 1095 | if (other == NULL) |
3dd3c5f3 | 1096 | { |
2b3100b5 | 1097 | other = this->other_host; |
3dd3c5f3 | 1098 | } |
7daf5226 | 1099 | |
2b3100b5 MW |
1100 | /* apply hosts on first received message */ |
1101 | if (this->my_host->is_anyaddr(this->my_host) || | |
1102 | this->other_host->is_anyaddr(this->other_host)) | |
3dd3c5f3 | 1103 | { |
2b3100b5 MW |
1104 | set_my_host(this, me->clone(me)); |
1105 | set_other_host(this, other->clone(other)); | |
1106 | update = TRUE; | |
3dd3c5f3 MW |
1107 | } |
1108 | else | |
1109 | { | |
2b3100b5 | 1110 | /* update our address in any case */ |
21dd4c4b | 1111 | if (force && !me->equals(me, this->my_host)) |
3dd3c5f3 | 1112 | { |
e1fe2781 | 1113 | charon->bus->ike_update(charon->bus, &this->public, TRUE, me); |
2b3100b5 MW |
1114 | set_my_host(this, me->clone(me)); |
1115 | update = TRUE; | |
3dd3c5f3 | 1116 | } |
7daf5226 | 1117 | |
472156ee TB |
1118 | if (!other->equals(other, this->other_host) && |
1119 | (force || has_condition(this, COND_NAT_THERE))) | |
3dd3c5f3 | 1120 | { |
472156ee TB |
1121 | /* only update other's address if we are behind a static NAT, |
1122 | * which we assume is the case if we are not initiator */ | |
1123 | if (force || | |
1124 | (!has_condition(this, COND_NAT_HERE) || | |
1125 | !has_condition(this, COND_ORIGINAL_INITIATOR))) | |
2b3100b5 | 1126 | { |
e1fe2781 | 1127 | charon->bus->ike_update(charon->bus, &this->public, FALSE, other); |
2b3100b5 MW |
1128 | set_other_host(this, other->clone(other)); |
1129 | update = TRUE; | |
1130 | } | |
3dd3c5f3 MW |
1131 | } |
1132 | } | |
7daf5226 | 1133 | |
2b3100b5 MW |
1134 | /* update all associated CHILD_SAs, if required */ |
1135 | if (update) | |
3dd3c5f3 | 1136 | { |
e2630434 | 1137 | enumerator_t *enumerator; |
2b3100b5 | 1138 | child_sa_t *child_sa; |
893da041 | 1139 | linked_list_t *vips; |
7daf5226 | 1140 | |
893da041 MW |
1141 | vips = linked_list_create_from_enumerator( |
1142 | array_create_enumerator(this->my_vips)); | |
1143 | ||
1144 | enumerator = array_create_enumerator(this->child_sas); | |
1145 | while (enumerator->enumerate(enumerator, &child_sa)) | |
2b3100b5 | 1146 | { |
38227d0e MW |
1147 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
1148 | charon->child_sa_manager->add(charon->child_sa_manager, | |
1149 | child_sa, &this->public); | |
1150 | ||
893da041 MW |
1151 | if (child_sa->update(child_sa, this->my_host, this->other_host, |
1152 | vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED) | |
ea625fab TB |
1153 | { |
1154 | this->public.rekey_child_sa(&this->public, | |
1155 | child_sa->get_protocol(child_sa), | |
1156 | child_sa->get_spi(child_sa, TRUE)); | |
1157 | } | |
38227d0e | 1158 | |
2b3100b5 | 1159 | } |
e2630434 | 1160 | enumerator->destroy(enumerator); |
893da041 MW |
1161 | |
1162 | vips->destroy(vips); | |
3dd3c5f3 | 1163 | } |
8d77edde MW |
1164 | } |
1165 | ||
5b15bd5f MW |
1166 | /** |
1167 | * Set configured DSCP value on packet | |
1168 | */ | |
1169 | static void set_dscp(private_ike_sa_t *this, packet_t *packet) | |
1170 | { | |
1171 | ike_cfg_t *ike_cfg; | |
1172 | ||
1173 | /* prefer IKE config on peer_cfg, as its selection is more accurate | |
1174 | * then the initial IKE config */ | |
1175 | if (this->peer_cfg) | |
1176 | { | |
1177 | ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg); | |
1178 | } | |
1179 | else | |
1180 | { | |
1181 | ike_cfg = this->ike_cfg; | |
1182 | } | |
1183 | if (ike_cfg) | |
1184 | { | |
1185 | packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg)); | |
1186 | } | |
1187 | } | |
1188 | ||
8bced61b MW |
1189 | METHOD(ike_sa_t, generate_message, status_t, |
1190 | private_ike_sa_t *this, message_t *message, packet_t **packet) | |
8d77edde | 1191 | { |
47b8f6ef MW |
1192 | status_t status; |
1193 | ||
9ca5d028 | 1194 | if (message->is_encoded(message)) |
5b15bd5f | 1195 | { /* already encoded in task, but set DSCP value */ |
9ca5d028 | 1196 | *packet = message->get_packet(message); |
5b15bd5f | 1197 | set_dscp(this, *packet); |
9ca5d028 MW |
1198 | return SUCCESS; |
1199 | } | |
6180a558 | 1200 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
c60c7694 | 1201 | message->set_ike_sa_id(message, this->ike_sa_id); |
47b8f6ef MW |
1202 | charon->bus->message(charon->bus, message, FALSE, TRUE); |
1203 | status = message->generate(message, this->keymat, packet); | |
1204 | if (status == SUCCESS) | |
c60c7694 | 1205 | { |
5b15bd5f | 1206 | set_dscp(this, *packet); |
47b8f6ef | 1207 | charon->bus->message(charon->bus, message, FALSE, FALSE); |
b9d9f188 | 1208 | } |
47b8f6ef | 1209 | return status; |
3dd3c5f3 MW |
1210 | } |
1211 | ||
525cc46c TB |
1212 | CALLBACK(filter_fragments, bool, |
1213 | private_ike_sa_t *this, enumerator_t *orig, va_list args) | |
40bab9a1 | 1214 | { |
525cc46c TB |
1215 | packet_t *fragment, **packet; |
1216 | ||
1217 | VA_ARGS_VGET(args, packet); | |
1218 | ||
1219 | if (orig->enumerate(orig, &fragment)) | |
1220 | { | |
1221 | *packet = fragment->clone(fragment); | |
1222 | set_dscp(this, *packet); | |
1223 | return TRUE; | |
1224 | } | |
1225 | return FALSE; | |
40bab9a1 TB |
1226 | } |
1227 | ||
1228 | METHOD(ike_sa_t, generate_message_fragmented, status_t, | |
1229 | private_ike_sa_t *this, message_t *message, enumerator_t **packets) | |
1230 | { | |
1231 | enumerator_t *fragments; | |
1232 | packet_t *packet; | |
1233 | status_t status; | |
1234 | bool use_frags = FALSE; | |
e35bb6e9 | 1235 | bool pre_generated = FALSE; |
40bab9a1 | 1236 | |
1446fd8a | 1237 | if (this->ike_cfg) |
40bab9a1 TB |
1238 | { |
1239 | switch (this->ike_cfg->fragmentation(this->ike_cfg)) | |
1240 | { | |
1241 | case FRAGMENTATION_FORCE: | |
1242 | use_frags = TRUE; | |
1243 | break; | |
1244 | case FRAGMENTATION_YES: | |
1245 | use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION); | |
05db0f97 VR |
1246 | if (use_frags && this->version == IKEV1 && |
1247 | supports_extension(this, EXT_MS_WINDOWS)) | |
1248 | { | |
1249 | /* It seems Windows 7 and 8 peers only accept proprietary | |
1250 | * fragmented messages if they expect certificates. */ | |
1251 | use_frags = message->get_payload(message, | |
1252 | PLV1_CERTIFICATE) != NULL; | |
1253 | } | |
40bab9a1 TB |
1254 | break; |
1255 | default: | |
1256 | break; | |
1257 | } | |
1258 | } | |
1259 | if (!use_frags) | |
1260 | { | |
1261 | status = generate_message(this, message, &packet); | |
1262 | if (status != SUCCESS) | |
1263 | { | |
1264 | return status; | |
1265 | } | |
1266 | *packets = enumerator_create_single(packet, NULL); | |
1267 | return SUCCESS; | |
1268 | } | |
1269 | ||
e35bb6e9 | 1270 | pre_generated = message->is_encoded(message); |
40bab9a1 TB |
1271 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
1272 | message->set_ike_sa_id(message, this->ike_sa_id); | |
e35bb6e9 TB |
1273 | if (!pre_generated) |
1274 | { | |
1275 | charon->bus->message(charon->bus, message, FALSE, TRUE); | |
1276 | } | |
40bab9a1 TB |
1277 | status = message->fragment(message, this->keymat, this->fragment_size, |
1278 | &fragments); | |
1279 | if (status == SUCCESS) | |
1280 | { | |
e35bb6e9 TB |
1281 | if (!pre_generated) |
1282 | { | |
1283 | charon->bus->message(charon->bus, message, FALSE, FALSE); | |
1284 | } | |
525cc46c | 1285 | *packets = enumerator_create_filter(fragments, filter_fragments, |
40bab9a1 TB |
1286 | this, NULL); |
1287 | } | |
1288 | return status; | |
1289 | } | |
1290 | ||
8bced61b MW |
1291 | METHOD(ike_sa_t, set_kmaddress, void, |
1292 | private_ike_sa_t *this, host_t *local, host_t *remote) | |
d487b4b7 AS |
1293 | { |
1294 | DESTROY_IF(this->local_host); | |
1295 | DESTROY_IF(this->remote_host); | |
1296 | this->local_host = local->clone(local); | |
1297 | this->remote_host = remote->clone(remote); | |
1298 | } | |
1299 | ||
dc04b7c7 | 1300 | #ifdef ME |
8bced61b MW |
1301 | METHOD(ike_sa_t, act_as_mediation_server, void, |
1302 | private_ike_sa_t *this) | |
22452f70 TB |
1303 | { |
1304 | charon->mediation_manager->update_sa_id(charon->mediation_manager, | |
1305 | this->other_id, this->ike_sa_id); | |
1306 | this->is_mediation_server = TRUE; | |
1307 | } | |
1308 | ||
8bced61b MW |
1309 | METHOD(ike_sa_t, get_server_reflexive_host, host_t*, |
1310 | private_ike_sa_t *this) | |
d5cc1758 TB |
1311 | { |
1312 | return this->server_reflexive_host; | |
1313 | } | |
1314 | ||
8bced61b MW |
1315 | METHOD(ike_sa_t, set_server_reflexive_host, void, |
1316 | private_ike_sa_t *this, host_t *host) | |
d5cc1758 TB |
1317 | { |
1318 | DESTROY_IF(this->server_reflexive_host); | |
1319 | this->server_reflexive_host = host; | |
1320 | } | |
1321 | ||
8bced61b MW |
1322 | METHOD(ike_sa_t, get_connect_id, chunk_t, |
1323 | private_ike_sa_t *this) | |
9c2a905d TB |
1324 | { |
1325 | return this->connect_id; | |
1326 | } | |
1327 | ||
8bced61b MW |
1328 | METHOD(ike_sa_t, respond, status_t, |
1329 | private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id) | |
d5cc1758 | 1330 | { |
dc04b7c7 TB |
1331 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1332 | task->respond(task, peer_id, connect_id); | |
d5cc1758 TB |
1333 | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1334 | return this->task_manager->initiate(this->task_manager); | |
1335 | } | |
1336 | ||
8bced61b MW |
1337 | METHOD(ike_sa_t, callback, status_t, |
1338 | private_ike_sa_t *this, identification_t *peer_id) | |
d5cc1758 | 1339 | { |
dc04b7c7 | 1340 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
d5cc1758 TB |
1341 | task->callback(task, peer_id); |
1342 | this->task_manager->queue_task(this->task_manager, (task_t*)task); | |
1343 | return this->task_manager->initiate(this->task_manager); | |
1344 | } | |
1345 | ||
8bced61b MW |
1346 | METHOD(ike_sa_t, relay, status_t, |
1347 | private_ike_sa_t *this, identification_t *requester, chunk_t connect_id, | |
1348 | chunk_t connect_key, linked_list_t *endpoints, bool response) | |
d5cc1758 | 1349 | { |
dc04b7c7 TB |
1350 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1351 | task->relay(task, requester, connect_id, connect_key, endpoints, response); | |
d5cc1758 TB |
1352 | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1353 | return this->task_manager->initiate(this->task_manager); | |
1354 | } | |
1355 | ||
8bced61b MW |
1356 | METHOD(ike_sa_t, initiate_mediation, status_t, |
1357 | private_ike_sa_t *this, peer_cfg_t *mediated_cfg) | |
d5cc1758 | 1358 | { |
dc04b7c7 | 1359 | ike_me_t *task = ike_me_create(&this->public, TRUE); |
d5cc1758 TB |
1360 | task->connect(task, mediated_cfg->get_peer_id(mediated_cfg)); |
1361 | this->task_manager->queue_task(this->task_manager, (task_t*)task); | |
1362 | return this->task_manager->initiate(this->task_manager); | |
1363 | } | |
1364 | ||
8bced61b MW |
1365 | METHOD(ike_sa_t, initiate_mediated, status_t, |
1366 | private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id) | |
d5cc1758 | 1367 | { |
471f9230 TB |
1368 | set_my_host(this, me->clone(me)); |
1369 | set_other_host(this, other->clone(other)); | |
4a6474c2 | 1370 | chunk_free(&this->connect_id); |
9c2a905d | 1371 | this->connect_id = chunk_clone(connect_id); |
d5cc1758 TB |
1372 | return this->task_manager->initiate(this->task_manager); |
1373 | } | |
dc04b7c7 | 1374 | #endif /* ME */ |
d5cc1758 | 1375 | |
5a22a021 MW |
1376 | /** |
1377 | * Resolve DNS host in configuration | |
1378 | */ | |
1379 | static void resolve_hosts(private_ike_sa_t *this) | |
1380 | { | |
1381 | host_t *host; | |
0edce687 | 1382 | int family = AF_UNSPEC; |
bf92887a TB |
1383 | |
1384 | switch (charon->socket->supported_families(charon->socket)) | |
1385 | { | |
1386 | case SOCKET_FAMILY_IPV4: | |
1387 | family = AF_INET; | |
1388 | break; | |
1389 | case SOCKET_FAMILY_IPV6: | |
1390 | family = AF_INET6; | |
1391 | break; | |
1392 | case SOCKET_FAMILY_BOTH: | |
1393 | case SOCKET_FAMILY_NONE: | |
1394 | break; | |
1395 | } | |
7daf5226 | 1396 | |
a11048ad TB |
1397 | /* if an IP address is set locally, use the same family to resolve remote */ |
1398 | if (family == AF_UNSPEC && !this->remote_host) | |
1399 | { | |
1400 | if (this->local_host) | |
1401 | { | |
1402 | family = this->local_host->get_family(this->local_host); | |
1403 | } | |
1404 | else | |
1405 | { | |
1406 | family = ike_cfg_get_family(this->ike_cfg, TRUE); | |
1407 | } | |
1408 | } | |
1409 | ||
d487b4b7 AS |
1410 | if (this->remote_host) |
1411 | { | |
1412 | host = this->remote_host->clone(this->remote_host); | |
1413 | host->set_port(host, IKEV2_UDP_PORT); | |
1414 | } | |
1415 | else | |
1416 | { | |
0edce687 | 1417 | host = this->ike_cfg->resolve_other(this->ike_cfg, family); |
d487b4b7 | 1418 | } |
5a22a021 MW |
1419 | if (host) |
1420 | { | |
6f7a3b33 TB |
1421 | if (!host->is_anyaddr(host) || |
1422 | this->other_host->is_anyaddr(this->other_host)) | |
1423 | { /* don't set to %any if we currently have an address, but the | |
1424 | * address family might have changed */ | |
1425 | set_other_host(this, host); | |
1426 | } | |
faebdeac | 1427 | else |
2d14cb4d TB |
1428 | { /* reuse the original port as some implementations might not like |
1429 | * initial IKE messages on other ports */ | |
1430 | this->other_host->set_port(this->other_host, host->get_port(host)); | |
faebdeac TB |
1431 | host->destroy(host); |
1432 | } | |
5a22a021 | 1433 | } |
7daf5226 | 1434 | |
d487b4b7 | 1435 | if (this->local_host) |
e7991a2e | 1436 | { |
d487b4b7 | 1437 | host = this->local_host->clone(this->local_host); |
b223d517 | 1438 | host->set_port(host, charon->socket->get_port(charon->socket, FALSE)); |
d487b4b7 AS |
1439 | } |
1440 | else | |
1441 | { | |
c6a8990b MW |
1442 | /* use same address family as for other */ |
1443 | if (!this->other_host->is_anyaddr(this->other_host)) | |
1444 | { | |
1445 | family = this->other_host->get_family(this->other_host); | |
1446 | } | |
0edce687 | 1447 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
7daf5226 | 1448 | |
d487b4b7 AS |
1449 | if (host && host->is_anyaddr(host) && |
1450 | !this->other_host->is_anyaddr(this->other_host)) | |
5353f22e | 1451 | { |
d487b4b7 | 1452 | host->destroy(host); |
8394ea2a TB |
1453 | host = charon->kernel->get_source_addr(charon->kernel, |
1454 | this->other_host, NULL); | |
d487b4b7 AS |
1455 | if (host) |
1456 | { | |
cc2eadde | 1457 | host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg)); |
d487b4b7 | 1458 | } |
9717826f MW |
1459 | else |
1460 | { /* fallback to address family specific %any(6), if configured */ | |
0edce687 | 1461 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
9717826f | 1462 | } |
5353f22e | 1463 | } |
e7991a2e | 1464 | } |
5a22a021 MW |
1465 | if (host) |
1466 | { | |
e7991a2e | 1467 | set_my_host(this, host); |
5a22a021 MW |
1468 | } |
1469 | } | |
1470 | ||
8bced61b | 1471 | METHOD(ike_sa_t, initiate, status_t, |
b12c53ce | 1472 | private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid, |
8bced61b | 1473 | traffic_selector_t *tsi, traffic_selector_t *tsr) |
aad398a7 | 1474 | { |
60c82591 TB |
1475 | bool defer_initiate = FALSE; |
1476 | ||
c60c7694 | 1477 | if (this->state == IKE_CREATED) |
c0593835 | 1478 | { |
a994050e MW |
1479 | if (this->my_host->is_anyaddr(this->my_host) || |
1480 | this->other_host->is_anyaddr(this->other_host)) | |
1481 | { | |
1482 | resolve_hosts(this); | |
1483 | } | |
7daf5226 | 1484 | |
d5cc1758 | 1485 | if (this->other_host->is_anyaddr(this->other_host) |
dc04b7c7 | 1486 | #ifdef ME |
d5cc1758 | 1487 | && !this->peer_cfg->get_mediated_by(this->peer_cfg) |
dc04b7c7 | 1488 | #endif /* ME */ |
d5cc1758 | 1489 | ) |
128ca073 | 1490 | { |
0edce687 MW |
1491 | char *addr; |
1492 | ||
be8af56e | 1493 | addr = this->ike_cfg->get_other_addr(this->ike_cfg); |
53d2164c | 1494 | if (!this->retry_initiate_interval) |
60c82591 | 1495 | { |
53d2164c TB |
1496 | DBG1(DBG_IKE, "unable to resolve %s, initiate aborted", |
1497 | addr); | |
60c82591 TB |
1498 | DESTROY_IF(child_cfg); |
1499 | charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED); | |
1500 | return DESTROY_ME; | |
1501 | } | |
1502 | DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds", | |
1503 | addr, this->retry_initiate_interval); | |
1504 | defer_initiate = TRUE; | |
128ca073 | 1505 | } |
7daf5226 | 1506 | |
faf9569f | 1507 | set_condition(this, COND_ORIGINAL_INITIATOR, TRUE); |
a60daa07 | 1508 | this->task_manager->queue_ike(this->task_manager); |
d5cc1758 TB |
1509 | } |
1510 | ||
dc04b7c7 | 1511 | #ifdef ME |
4a6474c2 | 1512 | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
f967db31 TB |
1513 | { |
1514 | if (this->state == IKE_ESTABLISHED) | |
1515 | { | |
484a06bc TB |
1516 | /* mediation connection is already established, retrigger state |
1517 | * change to notify bus listeners */ | |
f967db31 TB |
1518 | DBG1(DBG_IKE, "mediation connection is already up"); |
1519 | set_state(this, IKE_ESTABLISHED); | |
1520 | } | |
c3f803c4 | 1521 | DESTROY_IF(child_cfg); |
d5cc1758 TB |
1522 | } |
1523 | else | |
dc04b7c7 | 1524 | #endif /* ME */ |
9c64f214 | 1525 | if (child_cfg) |
d5cc1758 | 1526 | { |
38951252 | 1527 | /* normal IKE_SA with CHILD_SA */ |
fe43d9a2 MW |
1528 | this->task_manager->queue_child(this->task_manager, child_cfg, reqid, |
1529 | tsi, tsr); | |
4a6474c2 TB |
1530 | #ifdef ME |
1531 | if (this->peer_cfg->get_mediated_by(this->peer_cfg)) | |
1532 | { | |
1533 | /* mediated connection, initiate mediation process */ | |
1534 | job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id); | |
bb381e26 | 1535 | lib->processor->queue_job(lib->processor, job); |
4a6474c2 TB |
1536 | return SUCCESS; |
1537 | } | |
1538 | #endif /* ME */ | |
c60c7694 | 1539 | } |
7daf5226 | 1540 | |
60c82591 TB |
1541 | if (defer_initiate) |
1542 | { | |
77e42826 TB |
1543 | if (!this->retry_initiate_queued) |
1544 | { | |
1545 | job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id); | |
1546 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, | |
1547 | this->retry_initiate_interval); | |
1548 | this->retry_initiate_queued = TRUE; | |
1549 | } | |
60c82591 TB |
1550 | return SUCCESS; |
1551 | } | |
77e42826 | 1552 | this->retry_initiate_queued = FALSE; |
c60c7694 | 1553 | return this->task_manager->initiate(this->task_manager); |
aad398a7 JH |
1554 | } |
1555 | ||
77e42826 TB |
1556 | METHOD(ike_sa_t, retry_initiate, status_t, |
1557 | private_ike_sa_t *this) | |
1558 | { | |
1559 | if (this->retry_initiate_queued) | |
1560 | { | |
1561 | this->retry_initiate_queued = FALSE; | |
1562 | return initiate(this, NULL, 0, NULL, NULL); | |
1563 | } | |
1564 | return SUCCESS; | |
1565 | } | |
1566 | ||
8bced61b MW |
1567 | METHOD(ike_sa_t, process_message, status_t, |
1568 | private_ike_sa_t *this, message_t *message) | |
98f97433 MW |
1569 | { |
1570 | status_t status; | |
7daf5226 | 1571 | |
c610f424 MW |
1572 | if (this->state == IKE_PASSIVE) |
1573 | { /* do not handle messages in passive state */ | |
1574 | return FAILED; | |
1575 | } | |
448e2e29 | 1576 | if (message->get_major_version(message) != this->version) |
98f97433 | 1577 | { |
448e2e29 | 1578 | DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA", |
98f97433 | 1579 | exchange_type_names, message->get_exchange_type(message), |
448e2e29 MW |
1580 | message->get_major_version(message), |
1581 | ike_version_names, this->version); | |
1582 | /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1 | |
1583 | * INVALID_MAJOR_VERSION on an IKEv2 SA. */ | |
1584 | return FAILED; | |
98f97433 | 1585 | } |
68c6863b | 1586 | status = this->task_manager->process_message(this->task_manager, message); |
b24b73b7 | 1587 | if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED) |
98f97433 | 1588 | { |
e41adf5f TB |
1589 | /* authentication completed but if the online validation is suspended we |
1590 | * need the auth cfgs until we did the delayed verification, we flush | |
1591 | * them afterwards */ | |
1592 | if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED)) | |
1593 | { | |
1594 | this->flush_auth_cfg = FALSE; | |
1595 | flush_auth_cfgs(this); | |
1596 | } | |
98f97433 | 1597 | } |
44ce7493 | 1598 | return status; |
98f97433 | 1599 | } |
8dfbe71b | 1600 | |
8bced61b MW |
1601 | METHOD(ike_sa_t, get_id, ike_sa_id_t*, |
1602 | private_ike_sa_t *this) | |
0df63d6b | 1603 | { |
8dfbe71b | 1604 | return this->ike_sa_id; |
0df63d6b JH |
1605 | } |
1606 | ||
0b611540 TB |
1607 | METHOD(ike_sa_t, get_version, ike_version_t, |
1608 | private_ike_sa_t *this) | |
1609 | { | |
1610 | return this->version; | |
1611 | } | |
1612 | ||
8bced61b MW |
1613 | METHOD(ike_sa_t, get_my_id, identification_t*, |
1614 | private_ike_sa_t *this) | |
0fdc3c7f | 1615 | { |
8dfbe71b | 1616 | return this->my_id; |
8d68033e JH |
1617 | } |
1618 | ||
8bced61b MW |
1619 | METHOD(ike_sa_t, set_my_id, void, |
1620 | private_ike_sa_t *this, identification_t *me) | |
8d68033e | 1621 | { |
c0593835 | 1622 | DESTROY_IF(this->my_id); |
8dfbe71b | 1623 | this->my_id = me; |
0fdc3c7f JH |
1624 | } |
1625 | ||
8bced61b MW |
1626 | METHOD(ike_sa_t, get_other_id, identification_t*, |
1627 | private_ike_sa_t *this) | |
30b5b412 | 1628 | { |
8dfbe71b | 1629 | return this->other_id; |
3dd3c5f3 | 1630 | } |
8dfbe71b | 1631 | |
8bced61b MW |
1632 | METHOD(ike_sa_t, get_other_eap_id, identification_t*, |
1633 | private_ike_sa_t *this) | |
045833c7 MW |
1634 | { |
1635 | identification_t *id = NULL, *current; | |
1636 | enumerator_t *enumerator; | |
1637 | auth_cfg_t *cfg; | |
1638 | ||
893da041 | 1639 | enumerator = array_create_enumerator(this->other_auths); |
045833c7 MW |
1640 | while (enumerator->enumerate(enumerator, &cfg)) |
1641 | { | |
1642 | /* prefer EAP-Identity of last round */ | |
1643 | current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY); | |
1644 | if (!current || current->get_type(current) == ID_ANY) | |
beab4a90 MW |
1645 | { |
1646 | current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY); | |
1647 | } | |
1648 | if (!current || current->get_type(current) == ID_ANY) | |
045833c7 MW |
1649 | { |
1650 | current = cfg->get(cfg, AUTH_RULE_IDENTITY); | |
1651 | } | |
1652 | if (current && current->get_type(current) != ID_ANY) | |
1653 | { | |
1654 | id = current; | |
1655 | continue; | |
1656 | } | |
1657 | } | |
1658 | enumerator->destroy(enumerator); | |
1659 | if (id) | |
1660 | { | |
1661 | return id; | |
1662 | } | |
1663 | return this->other_id; | |
1664 | } | |
1665 | ||
8bced61b MW |
1666 | METHOD(ike_sa_t, set_other_id, void, |
1667 | private_ike_sa_t *this, identification_t *other) | |
3dd3c5f3 | 1668 | { |
c0593835 | 1669 | DESTROY_IF(this->other_id); |
8dfbe71b | 1670 | this->other_id = other; |
30b5b412 MW |
1671 | } |
1672 | ||
dec3c184 TB |
1673 | METHOD(ike_sa_t, get_if_id, uint32_t, |
1674 | private_ike_sa_t *this, bool inbound) | |
1675 | { | |
1676 | return inbound ? this->if_id_in : this->if_id_out; | |
1677 | } | |
1678 | ||
8bced61b MW |
1679 | METHOD(ike_sa_t, add_child_sa, void, |
1680 | private_ike_sa_t *this, child_sa_t *child_sa) | |
32b6500f | 1681 | { |
893da041 | 1682 | array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa); |
38227d0e MW |
1683 | charon->child_sa_manager->add(charon->child_sa_manager, |
1684 | child_sa, &this->public); | |
32b6500f MW |
1685 | } |
1686 | ||
8bced61b | 1687 | METHOD(ike_sa_t, get_child_sa, child_sa_t*, |
b12c53ce | 1688 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound) |
695723d4 | 1689 | { |
e2630434 | 1690 | enumerator_t *enumerator; |
695723d4 | 1691 | child_sa_t *current, *found = NULL; |
7daf5226 | 1692 | |
893da041 | 1693 | enumerator = array_create_enumerator(this->child_sas); |
e2630434 | 1694 | while (enumerator->enumerate(enumerator, (void**)¤t)) |
c60c7694 | 1695 | { |
698d7749 | 1696 | if (current->get_spi(current, inbound) == spi && |
191a26a6 | 1697 | current->get_protocol(current) == protocol) |
695723d4 MW |
1698 | { |
1699 | found = current; | |
1700 | } | |
1701 | } | |
e2630434 | 1702 | enumerator->destroy(enumerator); |
695723d4 | 1703 | return found; |
8d77edde MW |
1704 | } |
1705 | ||
4bbce1ef | 1706 | METHOD(ike_sa_t, get_child_count, int, |
8bced61b | 1707 | private_ike_sa_t *this) |
3183006d | 1708 | { |
893da041 | 1709 | return array_count(this->child_sas); |
4bbce1ef TB |
1710 | } |
1711 | ||
38227d0e MW |
1712 | /** |
1713 | * Private data of a create_child_sa_enumerator() | |
1714 | */ | |
1715 | typedef struct { | |
1716 | /** implements enumerator */ | |
1717 | enumerator_t public; | |
1718 | /** inner array enumerator */ | |
1719 | enumerator_t *inner; | |
1720 | /** current item */ | |
1721 | child_sa_t *current; | |
1722 | } child_enumerator_t; | |
1723 | ||
1724 | METHOD(enumerator_t, child_enumerate, bool, | |
95a63bf2 | 1725 | child_enumerator_t *this, va_list args) |
38227d0e | 1726 | { |
95a63bf2 TB |
1727 | child_sa_t **child_sa; |
1728 | ||
1729 | VA_ARGS_VGET(args, child_sa); | |
38227d0e MW |
1730 | if (this->inner->enumerate(this->inner, &this->current)) |
1731 | { | |
1732 | *child_sa = this->current; | |
1733 | return TRUE; | |
1734 | } | |
1735 | return FALSE; | |
1736 | } | |
1737 | ||
1738 | METHOD(enumerator_t, child_enumerator_destroy, void, | |
1739 | child_enumerator_t *this) | |
1740 | { | |
1741 | this->inner->destroy(this->inner); | |
1742 | free(this); | |
1743 | } | |
1744 | ||
4bbce1ef TB |
1745 | METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*, |
1746 | private_ike_sa_t *this) | |
1747 | { | |
38227d0e MW |
1748 | child_enumerator_t *enumerator; |
1749 | ||
1750 | INIT(enumerator, | |
1751 | .public = { | |
95a63bf2 TB |
1752 | .enumerate = enumerator_enumerate_default, |
1753 | .venumerate = _child_enumerate, | |
38227d0e MW |
1754 | .destroy = _child_enumerator_destroy, |
1755 | }, | |
1756 | .inner = array_create_enumerator(this->child_sas), | |
1757 | ); | |
1758 | return &enumerator->public; | |
4bbce1ef TB |
1759 | } |
1760 | ||
1761 | METHOD(ike_sa_t, remove_child_sa, void, | |
1762 | private_ike_sa_t *this, enumerator_t *enumerator) | |
1763 | { | |
38227d0e MW |
1764 | child_enumerator_t *ce = (child_enumerator_t*)enumerator; |
1765 | ||
1766 | charon->child_sa_manager->remove(charon->child_sa_manager, ce->current); | |
1767 | array_remove_at(this->child_sas, ce->inner); | |
3183006d MW |
1768 | } |
1769 | ||
8bced61b | 1770 | METHOD(ike_sa_t, rekey_child_sa, status_t, |
b12c53ce | 1771 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
8d77edde | 1772 | { |
916cdca8 MW |
1773 | if (this->state == IKE_PASSIVE) |
1774 | { | |
1775 | return INVALID_STATE; | |
1776 | } | |
463a73cc | 1777 | this->task_manager->queue_child_rekey(this->task_manager, protocol, spi); |
394eb35b | 1778 | return this->task_manager->initiate(this->task_manager); |
698d7749 MW |
1779 | } |
1780 | ||
8bced61b | 1781 | METHOD(ike_sa_t, delete_child_sa, status_t, |
b12c53ce | 1782 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired) |
698d7749 | 1783 | { |
916cdca8 MW |
1784 | if (this->state == IKE_PASSIVE) |
1785 | { | |
1786 | return INVALID_STATE; | |
1787 | } | |
3a925f74 MW |
1788 | this->task_manager->queue_child_delete(this->task_manager, |
1789 | protocol, spi, expired); | |
394eb35b | 1790 | return this->task_manager->initiate(this->task_manager); |
698d7749 MW |
1791 | } |
1792 | ||
8bced61b | 1793 | METHOD(ike_sa_t, destroy_child_sa, status_t, |
b12c53ce | 1794 | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
698d7749 | 1795 | { |
e2630434 | 1796 | enumerator_t *enumerator; |
698d7749 MW |
1797 | child_sa_t *child_sa; |
1798 | status_t status = NOT_FOUND; | |
7daf5226 | 1799 | |
38227d0e | 1800 | enumerator = create_child_sa_enumerator(this); |
e2630434 | 1801 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
698d7749 MW |
1802 | { |
1803 | if (child_sa->get_protocol(child_sa) == protocol && | |
1804 | child_sa->get_spi(child_sa, TRUE) == spi) | |
1805 | { | |
38227d0e | 1806 | remove_child_sa(this, enumerator); |
698d7749 | 1807 | child_sa->destroy(child_sa); |
698d7749 MW |
1808 | status = SUCCESS; |
1809 | break; | |
1810 | } | |
8d77edde | 1811 | } |
e2630434 | 1812 | enumerator->destroy(enumerator); |
698d7749 | 1813 | return status; |
8d77edde MW |
1814 | } |
1815 | ||
8bced61b | 1816 | METHOD(ike_sa_t, delete_, status_t, |
a79d5103 | 1817 | private_ike_sa_t *this, bool force) |
6fe03b0a | 1818 | { |
a79d5103 TB |
1819 | status_t status = DESTROY_ME; |
1820 | ||
6fe03b0a MW |
1821 | switch (this->state) |
1822 | { | |
3a0b67bc | 1823 | case IKE_ESTABLISHED: |
ebc6445d TB |
1824 | case IKE_REKEYING: |
1825 | if (time_monotonic(NULL) >= this->stats[STAT_DELETE] && | |
1826 | !(this->version == IKEV1 && this->state == IKE_REKEYING)) | |
1827 | { /* IKE_SA hard lifetime hit, ignored for reauthenticated | |
1828 | * IKEv1 SAs */ | |
c45cf904 MW |
1829 | charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED); |
1830 | } | |
3ed148b3 | 1831 | this->task_manager->queue_ike_delete(this->task_manager); |
a79d5103 TB |
1832 | status = this->task_manager->initiate(this->task_manager); |
1833 | break; | |
98f97433 | 1834 | case IKE_CREATED: |
a985db3f | 1835 | DBG1(DBG_IKE, "deleting unestablished IKE_SA"); |
98f97433 | 1836 | break; |
c610f424 MW |
1837 | case IKE_PASSIVE: |
1838 | break; | |
6fe03b0a | 1839 | default: |
a79d5103 TB |
1840 | DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification", |
1841 | ike_sa_state_names, this->state); | |
1842 | force = TRUE; | |
c60c7694 | 1843 | break; |
6fe03b0a | 1844 | } |
a79d5103 TB |
1845 | |
1846 | if (force) | |
1847 | { | |
1848 | status = DESTROY_ME; | |
1849 | ||
1850 | if (this->version == IKEV2) | |
1851 | { /* for IKEv1 we trigger this in the ISAKMP delete task */ | |
1852 | switch (this->state) | |
1853 | { | |
1854 | case IKE_ESTABLISHED: | |
1855 | case IKE_REKEYING: | |
1856 | case IKE_DELETING: | |
1857 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); | |
1858 | default: | |
1859 | break; | |
1860 | } | |
1861 | } | |
1862 | } | |
1863 | return status; | |
6fe03b0a MW |
1864 | } |
1865 | ||
8bced61b MW |
1866 | METHOD(ike_sa_t, rekey, status_t, |
1867 | private_ike_sa_t *this) | |
fe04e93a | 1868 | { |
916cdca8 MW |
1869 | if (this->state == IKE_PASSIVE) |
1870 | { | |
1871 | return INVALID_STATE; | |
1872 | } | |
dab60d64 | 1873 | this->task_manager->queue_ike_rekey(this->task_manager); |
c60c7694 | 1874 | return this->task_manager->initiate(this->task_manager); |
fe04e93a MW |
1875 | } |
1876 | ||
8bced61b MW |
1877 | METHOD(ike_sa_t, reauth, status_t, |
1878 | private_ike_sa_t *this) | |
6fe03b0a | 1879 | { |
916cdca8 MW |
1880 | if (this->state == IKE_PASSIVE) |
1881 | { | |
1882 | return INVALID_STATE; | |
1883 | } | |
34e402ef TB |
1884 | if (this->state == IKE_CONNECTING) |
1885 | { | |
1886 | DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]", | |
1887 | get_name(this), this->unique_id); | |
c3539961 | 1888 | reset(this, TRUE); |
34e402ef TB |
1889 | return this->task_manager->initiate(this->task_manager); |
1890 | } | |
ee614711 MW |
1891 | /* we can't reauthenticate as responder when we use EAP or virtual IPs. |
1892 | * If the peer does not support RFC4478, there is no way to keep the | |
1893 | * IKE_SA up. */ | |
faf9569f | 1894 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
ee614711 MW |
1895 | { |
1896 | DBG1(DBG_IKE, "initiator did not reauthenticate as requested"); | |
893da041 | 1897 | if (array_count(this->other_vips) != 0 || |
7e9e1f96 | 1898 | has_condition(this, COND_XAUTH_AUTHENTICATED) || |
78abba42 TB |
1899 | has_condition(this, COND_EAP_AUTHENTICATED) |
1900 | #ifdef ME | |
484a06bc | 1901 | /* as mediation server we too cannot reauth the IKE_SA */ |
78abba42 TB |
1902 | || this->is_mediation_server |
1903 | #endif /* ME */ | |
1904 | ) | |
ee614711 | 1905 | { |
e9fcf1c6 | 1906 | time_t del, now; |
7daf5226 | 1907 | |
e9fcf1c6 MW |
1908 | del = this->stats[STAT_DELETE]; |
1909 | now = time_monotonic(NULL); | |
fbaf5cd2 MW |
1910 | DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V", |
1911 | get_name(this), this->unique_id, &now, &del); | |
ee614711 MW |
1912 | return FAILED; |
1913 | } | |
1914 | else | |
1915 | { | |
fbaf5cd2 MW |
1916 | DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively", |
1917 | get_name(this), this->unique_id); | |
ee614711 MW |
1918 | } |
1919 | } | |
fbaf5cd2 MW |
1920 | else |
1921 | { | |
1922 | DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]", | |
1923 | get_name(this), this->unique_id); | |
1924 | } | |
873b63b7 | 1925 | set_condition(this, COND_REAUTHENTICATING, TRUE); |
cedb412e | 1926 | this->task_manager->queue_ike_reauth(this->task_manager); |
26424f03 | 1927 | return this->task_manager->initiate(this->task_manager); |
6fe03b0a | 1928 | } |
face844a | 1929 | |
68db844f TB |
1930 | /** |
1931 | * Check if tasks to create CHILD_SAs are queued in the given queue | |
1932 | */ | |
1933 | static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue) | |
1934 | { | |
1935 | enumerator_t *enumerator; | |
1936 | task_t *task; | |
1937 | bool found = FALSE; | |
1938 | ||
1939 | enumerator = this->task_manager->create_task_enumerator(this->task_manager, | |
1940 | queue); | |
1941 | while (enumerator->enumerate(enumerator, &task)) | |
1942 | { | |
1943 | if (task->get_type(task) == TASK_CHILD_CREATE || | |
1944 | task->get_type(task) == TASK_QUICK_MODE) | |
1945 | { | |
1946 | found = TRUE; | |
1947 | break; | |
1948 | } | |
1949 | } | |
1950 | enumerator->destroy(enumerator); | |
1951 | return found; | |
1952 | } | |
1953 | ||
f20e00fe TB |
1954 | /** |
1955 | * Reestablish CHILD_SAs and migrate queued tasks. | |
1956 | * | |
1957 | * If force is true all SAs are restarted, otherwise their close/dpd_action | |
1958 | * is followed. | |
1959 | */ | |
1960 | static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new, | |
1961 | bool force) | |
1962 | { | |
1963 | enumerator_t *enumerator; | |
1964 | child_sa_t *child_sa; | |
1965 | child_cfg_t *child_cfg; | |
1966 | action_t action; | |
1967 | status_t status = FAILED; | |
1968 | ||
1969 | /* handle existing CHILD_SAs */ | |
1970 | enumerator = create_child_sa_enumerator(this); | |
1971 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) | |
1972 | { | |
a747ad73 TB |
1973 | switch (child_sa->get_state(child_sa)) |
1974 | { | |
1975 | case CHILD_REKEYED: | |
1976 | case CHILD_DELETED: | |
1977 | /* ignore CHILD_SAs in these states */ | |
1978 | continue; | |
1979 | default: | |
1980 | break; | |
1981 | } | |
f20e00fe TB |
1982 | if (force) |
1983 | { | |
a1620c16 | 1984 | action = ACTION_RESTART; |
f20e00fe TB |
1985 | } |
1986 | else | |
1987 | { /* only restart CHILD_SAs that are configured accordingly */ | |
1988 | if (this->state == IKE_DELETING) | |
1989 | { | |
1990 | action = child_sa->get_close_action(child_sa); | |
1991 | } | |
1992 | else | |
1993 | { | |
1994 | action = child_sa->get_dpd_action(child_sa); | |
1995 | } | |
1996 | } | |
1997 | switch (action) | |
1998 | { | |
1999 | case ACTION_RESTART: | |
2000 | child_cfg = child_sa->get_config(child_sa); | |
2001 | DBG1(DBG_IKE, "restarting CHILD_SA %s", | |
2002 | child_cfg->get_name(child_cfg)); | |
2003 | child_cfg->get_ref(child_cfg); | |
2004 | status = new->initiate(new, child_cfg, | |
2005 | child_sa->get_reqid(child_sa), NULL, NULL); | |
2006 | break; | |
2007 | default: | |
2008 | continue; | |
2009 | } | |
2010 | if (status == DESTROY_ME) | |
2011 | { | |
2012 | break; | |
2013 | } | |
2014 | } | |
2015 | enumerator->destroy(enumerator); | |
2016 | /* adopt any active or queued CHILD-creating tasks */ | |
2017 | if (status != DESTROY_ME) | |
2018 | { | |
5e97a5e6 | 2019 | new->adopt_child_tasks(new, &this->public); |
f20e00fe TB |
2020 | if (new->get_state(new) == IKE_CREATED) |
2021 | { | |
2022 | status = new->initiate(new, NULL, 0, NULL, NULL); | |
2023 | } | |
2024 | } | |
2025 | return status; | |
2026 | } | |
2027 | ||
8bced61b MW |
2028 | METHOD(ike_sa_t, reestablish, status_t, |
2029 | private_ike_sa_t *this) | |
96926b00 MW |
2030 | { |
2031 | ike_sa_t *new; | |
2032 | host_t *host; | |
348af092 | 2033 | action_t action; |
e2630434 | 2034 | enumerator_t *enumerator; |
96926b00 | 2035 | child_sa_t *child_sa; |
cf76c429 | 2036 | bool restart = FALSE; |
96926b00 | 2037 | status_t status = FAILED; |
7daf5226 | 2038 | |
873b63b7 | 2039 | if (has_condition(this, COND_REAUTHENTICATING)) |
23470d84 | 2040 | { /* only reauthenticate if we have children */ |
893da041 | 2041 | if (array_count(this->child_sas) == 0 |
23470d84 TB |
2042 | #ifdef ME |
2043 | /* allow reauth of mediation connections without CHILD_SAs */ | |
2044 | && !this->peer_cfg->is_mediation(this->peer_cfg) | |
2045 | #endif /* ME */ | |
2046 | ) | |
348af092 | 2047 | { |
23470d84 TB |
2048 | DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " |
2049 | "to recreate"); | |
348af092 MW |
2050 | } |
2051 | else | |
2052 | { | |
23470d84 | 2053 | restart = TRUE; |
348af092 | 2054 | } |
23470d84 TB |
2055 | } |
2056 | else | |
2057 | { /* check if we have children to keep up at all */ | |
893da041 | 2058 | enumerator = array_create_enumerator(this->child_sas); |
23470d84 | 2059 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
cadb5d16 | 2060 | { |
a747ad73 TB |
2061 | switch (child_sa->get_state(child_sa)) |
2062 | { | |
2063 | case CHILD_REKEYED: | |
2064 | case CHILD_DELETED: | |
2065 | /* ignore CHILD_SAs in these states */ | |
2066 | continue; | |
2067 | default: | |
2068 | break; | |
2069 | } | |
23470d84 TB |
2070 | if (this->state == IKE_DELETING) |
2071 | { | |
2072 | action = child_sa->get_close_action(child_sa); | |
2073 | } | |
2074 | else | |
2075 | { | |
2076 | action = child_sa->get_dpd_action(child_sa); | |
2077 | } | |
2078 | switch (action) | |
2079 | { | |
2080 | case ACTION_RESTART: | |
2081 | restart = TRUE; | |
2082 | break; | |
2083 | case ACTION_ROUTE: | |
2084 | charon->traps->install(charon->traps, this->peer_cfg, | |
24fa1bb0 | 2085 | child_sa->get_config(child_sa)); |
23470d84 TB |
2086 | break; |
2087 | default: | |
2088 | break; | |
2089 | } | |
cadb5d16 | 2090 | } |
23470d84 | 2091 | enumerator->destroy(enumerator); |
68db844f | 2092 | /* check if we have tasks that recreate children */ |
07a9d5c9 TB |
2093 | if (!restart) |
2094 | { | |
2095 | restart = is_child_queued(this, TASK_QUEUE_ACTIVE) || | |
2096 | is_child_queued(this, TASK_QUEUE_QUEUED); | |
2097 | } | |
cadb5d16 | 2098 | #ifdef ME |
23470d84 TB |
2099 | /* mediation connections have no children, keep them up anyway */ |
2100 | if (this->peer_cfg->is_mediation(this->peer_cfg)) | |
2101 | { | |
2102 | restart = TRUE; | |
2103 | } | |
cadb5d16 | 2104 | #endif /* ME */ |
23470d84 | 2105 | } |
cf76c429 | 2106 | if (!restart) |
cadb5d16 MW |
2107 | { |
2108 | return FAILED; | |
2109 | } | |
7daf5226 | 2110 | |
cadb5d16 | 2111 | /* check if we are able to reestablish this IKE_SA */ |
faf9569f | 2112 | if (!has_condition(this, COND_ORIGINAL_INITIATOR) && |
893da041 | 2113 | (array_count(this->other_vips) != 0 || |
96926b00 MW |
2114 | has_condition(this, COND_EAP_AUTHENTICATED) |
2115 | #ifdef ME | |
2116 | || this->is_mediation_server | |
2117 | #endif /* ME */ | |
2118 | )) | |
2119 | { | |
68447302 | 2120 | DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup"); |
96926b00 MW |
2121 | return FAILED; |
2122 | } | |
7daf5226 | 2123 | |
0b611540 TB |
2124 | new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, |
2125 | this->version, TRUE); | |
3d54ae94 MW |
2126 | if (!new) |
2127 | { | |
2128 | return FAILED; | |
2129 | } | |
96926b00 MW |
2130 | new->set_peer_cfg(new, this->peer_cfg); |
2131 | host = this->other_host; | |
2132 | new->set_other_host(new, host->clone(host)); | |
2133 | host = this->my_host; | |
2134 | new->set_my_host(new, host->clone(host)); | |
614359a7 | 2135 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); |
7505fb8d TB |
2136 | if (!has_condition(this, COND_REAUTHENTICATING)) |
2137 | { /* reauthenticate to the same addresses, but resolve hosts if | |
2138 | * reestablishing (old addresses serve as fallback) */ | |
2139 | resolve_hosts((private_ike_sa_t*)new); | |
2140 | } | |
96926b00 | 2141 | /* if we already have a virtual IP, we reuse it */ |
893da041 | 2142 | enumerator = array_create_enumerator(this->my_vips); |
101d26ba | 2143 | while (enumerator->enumerate(enumerator, &host)) |
96926b00 | 2144 | { |
101d26ba | 2145 | new->add_virtual_ip(new, TRUE, host); |
96926b00 | 2146 | } |
101d26ba | 2147 | enumerator->destroy(enumerator); |
7daf5226 | 2148 | |
96926b00 | 2149 | #ifdef ME |
96926b00 MW |
2150 | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
2151 | { | |
a13c013b | 2152 | status = new->initiate(new, NULL, 0, NULL, NULL); |
96926b00 | 2153 | } |
cadb5d16 | 2154 | else |
96926b00 | 2155 | #endif /* ME */ |
96926b00 | 2156 | { |
f20e00fe TB |
2157 | status = reestablish_children(this, new, |
2158 | has_condition(this, COND_REAUTHENTICATING)); | |
96926b00 | 2159 | } |
7daf5226 | 2160 | |
cadb5d16 | 2161 | if (status == DESTROY_ME) |
96926b00 | 2162 | { |
614359a7 TB |
2163 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2164 | FALSE); | |
cadb5d16 | 2165 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); |
04d6583e | 2166 | status = FAILED; |
96926b00 MW |
2167 | } |
2168 | else | |
2169 | { | |
614359a7 TB |
2170 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2171 | TRUE); | |
cadb5d16 | 2172 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); |
04d6583e | 2173 | status = SUCCESS; |
96926b00 | 2174 | } |
04d6583e MW |
2175 | charon->bus->set_sa(charon->bus, &this->public); |
2176 | return status; | |
96926b00 MW |
2177 | } |
2178 | ||
f20e00fe TB |
2179 | /** |
2180 | * Resolve the given gateway ID | |
2181 | */ | |
2182 | static host_t *resolve_gateway_id(identification_t *gateway) | |
c126ddd0 TB |
2183 | { |
2184 | char gw[BUF_LEN]; | |
f20e00fe | 2185 | host_t *addr; |
c126ddd0 | 2186 | |
f20e00fe TB |
2187 | snprintf(gw, sizeof(gw), "%Y", gateway); |
2188 | gw[sizeof(gw)-1] = '\0'; | |
2189 | addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT); | |
2190 | if (!addr) | |
2191 | { | |
2192 | DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed", | |
2193 | gateway); | |
2194 | } | |
2195 | return addr; | |
2196 | } | |
2197 | ||
2198 | /** | |
2199 | * Redirect the current SA to the given target host | |
2200 | */ | |
2201 | static bool redirect_established(private_ike_sa_t *this, identification_t *to) | |
2202 | { | |
2203 | private_ike_sa_t *new_priv; | |
2204 | ike_sa_t *new; | |
2205 | host_t *other; | |
c6ebd033 | 2206 | time_t redirect; |
f20e00fe TB |
2207 | |
2208 | new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, | |
2209 | this->version, TRUE); | |
2210 | if (!new) | |
489d154e | 2211 | { |
489d154e TB |
2212 | return FALSE; |
2213 | } | |
f20e00fe TB |
2214 | new_priv = (private_ike_sa_t*)new; |
2215 | new->set_peer_cfg(new, this->peer_cfg); | |
2216 | new_priv->redirected_from = this->other_host->clone(this->other_host); | |
2217 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); | |
2218 | other = resolve_gateway_id(to); | |
2219 | if (other) | |
2220 | { | |
2221 | set_my_host(new_priv, this->my_host->clone(this->my_host)); | |
2222 | /* this allows us to force the remote address while we still properly | |
2223 | * resolve the local address */ | |
2224 | new_priv->remote_host = other; | |
2225 | resolve_hosts(new_priv); | |
c6ebd033 TB |
2226 | new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); |
2227 | while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect)) | |
2228 | { | |
2229 | array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect); | |
2230 | } | |
f20e00fe TB |
2231 | if (reestablish_children(this, new, TRUE) != DESTROY_ME) |
2232 | { | |
2233 | #ifdef USE_IKEV2 | |
2234 | new->queue_task(new, (task_t*)ike_reauth_complete_create(new, | |
2235 | this->ike_sa_id)); | |
2236 | #endif | |
2237 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, | |
2238 | TRUE); | |
2239 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); | |
2240 | charon->bus->set_sa(charon->bus, &this->public); | |
2241 | return TRUE; | |
2242 | } | |
2243 | } | |
2244 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, | |
2245 | FALSE); | |
2246 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); | |
2247 | charon->bus->set_sa(charon->bus, &this->public); | |
2248 | return FALSE; | |
2249 | } | |
c126ddd0 | 2250 | |
f20e00fe TB |
2251 | /** |
2252 | * Redirect the current connecting SA to the given target host | |
2253 | */ | |
2254 | static bool redirect_connecting(private_ike_sa_t *this, identification_t *to) | |
2255 | { | |
2256 | host_t *other; | |
2257 | ||
2258 | other = resolve_gateway_id(to); | |
c126ddd0 TB |
2259 | if (!other) |
2260 | { | |
c126ddd0 TB |
2261 | return FALSE; |
2262 | } | |
c3539961 | 2263 | reset(this, TRUE); |
f20e00fe TB |
2264 | DESTROY_IF(this->redirected_from); |
2265 | this->redirected_from = this->other_host->clone(this->other_host); | |
2266 | DESTROY_IF(this->remote_host); | |
2267 | /* this allows us to force the remote address while we still properly | |
2268 | * resolve the local address */ | |
2269 | this->remote_host = other; | |
2270 | resolve_hosts(this); | |
2271 | return TRUE; | |
2272 | } | |
2273 | ||
c6ebd033 TB |
2274 | /** |
2275 | * Check if the current redirect exceeds the limits for redirects | |
2276 | */ | |
2277 | static bool redirect_count_exceeded(private_ike_sa_t *this) | |
2278 | { | |
2279 | time_t now, redirect; | |
2280 | ||
2281 | now = time_monotonic(NULL); | |
2282 | /* remove entries outside the defined period */ | |
2283 | while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) && | |
2284 | now - redirect >= REDIRECT_LOOP_DETECT_PERIOD) | |
2285 | { | |
2286 | array_remove(this->redirected_at, ARRAY_HEAD, NULL); | |
2287 | } | |
2288 | if (array_count(this->redirected_at) < MAX_REDIRECTS) | |
2289 | { | |
2290 | if (!this->redirected_at) | |
2291 | { | |
2292 | this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); | |
2293 | } | |
2294 | array_insert(this->redirected_at, ARRAY_TAIL, &now); | |
2295 | return FALSE; | |
2296 | } | |
2297 | return TRUE; | |
2298 | } | |
2299 | ||
f20e00fe TB |
2300 | METHOD(ike_sa_t, handle_redirect, bool, |
2301 | private_ike_sa_t *this, identification_t *gateway) | |
2302 | { | |
2303 | DBG1(DBG_IKE, "redirected to %Y", gateway); | |
2304 | if (!this->follow_redirects) | |
2305 | { | |
2306 | DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it"); | |
2307 | return FALSE; | |
2308 | } | |
c6ebd033 TB |
2309 | if (redirect_count_exceeded(this)) |
2310 | { | |
2311 | DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds", | |
2312 | MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD); | |
2313 | return FALSE; | |
2314 | } | |
f20e00fe | 2315 | |
c126ddd0 TB |
2316 | switch (this->state) |
2317 | { | |
2318 | case IKE_CONNECTING: | |
f20e00fe TB |
2319 | return redirect_connecting(this, gateway); |
2320 | case IKE_ESTABLISHED: | |
2321 | return redirect_established(this, gateway); | |
c126ddd0 TB |
2322 | default: |
2323 | DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N", | |
2324 | ike_sa_state_names, this->state); | |
c126ddd0 TB |
2325 | return FALSE; |
2326 | } | |
2327 | } | |
2328 | ||
71c70705 TB |
2329 | METHOD(ike_sa_t, redirect, status_t, |
2330 | private_ike_sa_t *this, identification_t *gateway) | |
2331 | { | |
2332 | switch (this->state) | |
2333 | { | |
2334 | case IKE_CONNECTING: | |
2335 | case IKE_ESTABLISHED: | |
2336 | case IKE_REKEYING: | |
2337 | if (has_condition(this, COND_REDIRECTED)) | |
2338 | { /* IKE_SA already got redirected */ | |
2339 | return SUCCESS; | |
2340 | } | |
2341 | if (has_condition(this, COND_ORIGINAL_INITIATOR)) | |
2342 | { | |
2343 | DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator"); | |
2344 | return FAILED; | |
2345 | } | |
2346 | if (this->version == IKEV1) | |
2347 | { | |
2348 | DBG1(DBG_IKE, "unable to redirect IKEv1 SA"); | |
2349 | return FAILED; | |
2350 | } | |
2351 | if (!supports_extension(this, EXT_IKE_REDIRECTION)) | |
2352 | { | |
2353 | DBG1(DBG_IKE, "client does not support IKE redirection"); | |
2354 | return FAILED; | |
2355 | } | |
2356 | #ifdef USE_IKEV2 | |
2357 | this->task_manager->queue_task(this->task_manager, | |
2358 | (task_t*)ike_redirect_create(&this->public, gateway)); | |
2359 | #endif | |
2360 | return this->task_manager->initiate(this->task_manager); | |
2361 | default: | |
2362 | DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N", | |
2363 | ike_sa_state_names, this->state); | |
2364 | return INVALID_STATE; | |
2365 | } | |
2366 | } | |
2367 | ||
8bced61b | 2368 | METHOD(ike_sa_t, retransmit, status_t, |
b12c53ce | 2369 | private_ike_sa_t *this, uint32_t message_id) |
96926b00 | 2370 | { |
916cdca8 MW |
2371 | if (this->state == IKE_PASSIVE) |
2372 | { | |
2373 | return INVALID_STATE; | |
2374 | } | |
6180a558 | 2375 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
96926b00 MW |
2376 | if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS) |
2377 | { | |
2378 | /* send a proper signal to brief interested bus listeners */ | |
2379 | switch (this->state) | |
2380 | { | |
2381 | case IKE_CONNECTING: | |
2382 | { | |
d9c1dae2 | 2383 | /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */ |
b12c53ce | 2384 | uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); |
1d6dc627 TB |
2385 | charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE, |
2386 | this->keyingtry); | |
96926b00 MW |
2387 | this->keyingtry++; |
2388 | if (tries == 0 || tries > this->keyingtry) | |
2389 | { | |
a985db3f MW |
2390 | DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", |
2391 | this->keyingtry + 1, tries); | |
c3539961 | 2392 | reset(this, TRUE); |
4d7a2128 | 2393 | resolve_hosts(this); |
96926b00 MW |
2394 | return this->task_manager->initiate(this->task_manager); |
2395 | } | |
a985db3f | 2396 | DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); |
ebc6defa TB |
2397 | |
2398 | if (this->version == IKEV1 && array_count(this->child_sas)) | |
2399 | { | |
eb822106 TB |
2400 | enumerator_t *enumerator; |
2401 | child_sa_t *child_sa; | |
2402 | ||
ebc6defa TB |
2403 | /* if reauthenticating an IKEv1 SA failed (assumed for an SA |
2404 | * in this state with CHILD_SAs), try again from scratch */ | |
2405 | DBG1(DBG_IKE, "reauthentication failed, trying to " | |
2406 | "reestablish IKE_SA"); | |
2407 | reestablish(this); | |
eb822106 TB |
2408 | /* trigger down events for the CHILD_SAs, as no down event |
2409 | * is triggered below for IKE SAs in this state */ | |
2410 | enumerator = array_create_enumerator(this->child_sas); | |
2411 | while (enumerator->enumerate(enumerator, &child_sa)) | |
2412 | { | |
2413 | if (child_sa->get_state(child_sa) != CHILD_REKEYED && | |
2414 | child_sa->get_state(child_sa) != CHILD_DELETED) | |
2415 | { | |
2416 | charon->bus->child_updown(charon->bus, child_sa, | |
2417 | FALSE); | |
2418 | } | |
2419 | } | |
2420 | enumerator->destroy(enumerator); | |
ebc6defa | 2421 | } |
96926b00 MW |
2422 | break; |
2423 | } | |
96926b00 | 2424 | case IKE_DELETING: |
a985db3f | 2425 | DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding"); |
10f8834b TB |
2426 | if (has_condition(this, COND_REAUTHENTICATING) && |
2427 | !lib->settings->get_bool(lib->settings, | |
2428 | "%s.make_before_break", FALSE, lib->ns)) | |
74571430 TB |
2429 | { |
2430 | DBG1(DBG_IKE, "delete during reauthentication failed, " | |
2431 | "trying to reestablish IKE_SA anyway"); | |
2432 | reestablish(this); | |
2433 | } | |
96926b00 | 2434 | break; |
348af092 | 2435 | case IKE_REKEYING: |
a985db3f | 2436 | DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding"); |
348af092 | 2437 | /* FALL */ |
96926b00 | 2438 | default: |
348af092 | 2439 | reestablish(this); |
96926b00 MW |
2440 | break; |
2441 | } | |
bb389973 TB |
2442 | if (this->state != IKE_CONNECTING && |
2443 | this->state != IKE_REKEYED) | |
3babde90 TB |
2444 | { |
2445 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); | |
2446 | } | |
96926b00 MW |
2447 | return DESTROY_ME; |
2448 | } | |
2449 | return SUCCESS; | |
2450 | } | |
2451 | ||
a07b6973 | 2452 | METHOD(ike_sa_t, set_auth_lifetime, status_t, |
b12c53ce | 2453 | private_ike_sa_t *this, uint32_t lifetime) |
ee614711 | 2454 | { |
b12c53ce | 2455 | uint32_t diff, hard, soft, now; |
a07b6973 | 2456 | bool send_update; |
ee614711 | 2457 | |
bdcf4417 MW |
2458 | diff = this->peer_cfg->get_over_time(this->peer_cfg); |
2459 | now = time_monotonic(NULL); | |
2460 | hard = now + lifetime; | |
2461 | soft = hard - diff; | |
2462 | ||
a07b6973 MW |
2463 | /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime. |
2464 | * We send the notify in IKE_AUTH if not yet ESTABLISHED. */ | |
b1f2f05c | 2465 | send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 && |
a07b6973 | 2466 | !has_condition(this, COND_ORIGINAL_INITIATOR) && |
893da041 | 2467 | (array_count(this->other_vips) != 0 || |
a07b6973 MW |
2468 | has_condition(this, COND_EAP_AUTHENTICATED)); |
2469 | ||
bdcf4417 | 2470 | if (lifetime < diff) |
ee614711 | 2471 | { |
bdcf4417 | 2472 | this->stats[STAT_REAUTH] = now; |
a07b6973 MW |
2473 | |
2474 | if (!send_update) | |
2475 | { | |
2476 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " | |
2477 | "starting reauthentication", lifetime); | |
2478 | lib->processor->queue_job(lib->processor, | |
b9b8a98f | 2479 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE)); |
a07b6973 | 2480 | } |
ee614711 | 2481 | } |
85ac2fa5 | 2482 | else if (this->stats[STAT_REAUTH] == 0 || |
bdcf4417 | 2483 | this->stats[STAT_REAUTH] > soft) |
ee614711 | 2484 | { |
bdcf4417 | 2485 | this->stats[STAT_REAUTH] = soft; |
a07b6973 MW |
2486 | if (!send_update) |
2487 | { | |
2488 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling " | |
2489 | "reauthentication in %ds", lifetime, lifetime - diff); | |
2490 | lib->scheduler->schedule_job(lib->scheduler, | |
6554b5e4 | 2491 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), |
bdcf4417 | 2492 | lifetime - diff); |
a07b6973 | 2493 | } |
3fd9c757 AS |
2494 | } |
2495 | else | |
2496 | { | |
6180a558 MW |
2497 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " |
2498 | "reauthentication already scheduled in %ds", lifetime, | |
2499 | this->stats[STAT_REAUTH] - time_monotonic(NULL)); | |
a07b6973 | 2500 | send_update = FALSE; |
ee614711 | 2501 | } |
bdcf4417 MW |
2502 | /* give at least some seconds to reauthenticate */ |
2503 | this->stats[STAT_DELETE] = max(hard, now + 10); | |
a07b6973 | 2504 | |
2d39f79b | 2505 | #ifdef USE_IKEV2 |
a07b6973 MW |
2506 | if (send_update) |
2507 | { | |
2d39f79b TB |
2508 | ike_auth_lifetime_t *task; |
2509 | ||
a07b6973 MW |
2510 | task = ike_auth_lifetime_create(&this->public, TRUE); |
2511 | this->task_manager->queue_task(this->task_manager, &task->task); | |
2512 | return this->task_manager->initiate(this->task_manager); | |
2513 | } | |
2d39f79b | 2514 | #endif |
a07b6973 | 2515 | return SUCCESS; |
ee614711 MW |
2516 | } |
2517 | ||
bab56a4a TB |
2518 | /** |
2519 | * Check if the current combination of source and destination address is still | |
2520 | * valid. | |
2521 | */ | |
2522 | static bool is_current_path_valid(private_ike_sa_t *this) | |
2523 | { | |
2524 | bool valid = FALSE; | |
2525 | host_t *src; | |
597e8c9e MW |
2526 | |
2527 | if (supports_extension(this, EXT_MOBIKE) && | |
2528 | lib->settings->get_bool(lib->settings, | |
2529 | "%s.prefer_best_path", FALSE, lib->ns)) | |
2530 | { | |
2531 | /* check if the current path is the best path; migrate otherwise */ | |
2532 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, | |
2533 | NULL); | |
2534 | if (src) | |
2535 | { | |
2536 | valid = src->ip_equals(src, this->my_host); | |
2537 | src->destroy(src); | |
2538 | } | |
2539 | if (!valid) | |
2540 | { | |
2541 | DBG1(DBG_IKE, "old path is not preferred anymore"); | |
2542 | } | |
2543 | return valid; | |
2544 | } | |
8394ea2a TB |
2545 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, |
2546 | this->my_host); | |
bab56a4a TB |
2547 | if (src) |
2548 | { | |
2549 | if (src->ip_equals(src, this->my_host)) | |
2550 | { | |
2551 | valid = TRUE; | |
2552 | } | |
2553 | src->destroy(src); | |
2554 | } | |
597e8c9e MW |
2555 | if (!valid) |
2556 | { | |
2557 | DBG1(DBG_IKE, "old path is not available anymore, try to find another"); | |
2558 | } | |
bab56a4a TB |
2559 | return valid; |
2560 | } | |
2561 | ||
2562 | /** | |
2563 | * Check if we have any path avialable for this IKE SA. | |
2564 | */ | |
2565 | static bool is_any_path_valid(private_ike_sa_t *this) | |
2566 | { | |
2567 | bool valid = FALSE; | |
2568 | enumerator_t *enumerator; | |
ae9ce835 | 2569 | host_t *src = NULL, *addr; |
ff601341 TB |
2570 | int family = AF_UNSPEC; |
2571 | ||
2572 | switch (charon->socket->supported_families(charon->socket)) | |
2573 | { | |
2574 | case SOCKET_FAMILY_IPV4: | |
2575 | family = AF_INET; | |
2576 | break; | |
2577 | case SOCKET_FAMILY_IPV6: | |
2578 | family = AF_INET6; | |
2579 | break; | |
2580 | case SOCKET_FAMILY_BOTH: | |
2581 | case SOCKET_FAMILY_NONE: | |
2582 | break; | |
2583 | } | |
72b28112 | 2584 | |
12715f19 | 2585 | enumerator = create_peer_address_enumerator(this); |
72b28112 | 2586 | while (enumerator->enumerate(enumerator, &addr)) |
bab56a4a | 2587 | { |
ff601341 TB |
2588 | if (family != AF_UNSPEC && addr->get_family(addr) != family) |
2589 | { | |
2590 | continue; | |
2591 | } | |
72b28112 | 2592 | DBG1(DBG_IKE, "looking for a route to %H ...", addr); |
8394ea2a | 2593 | src = charon->kernel->get_source_addr(charon->kernel, addr, NULL); |
72b28112 | 2594 | if (src) |
bab56a4a | 2595 | { |
72b28112 | 2596 | break; |
bab56a4a | 2597 | } |
bab56a4a | 2598 | } |
72b28112 | 2599 | enumerator->destroy(enumerator); |
bab56a4a TB |
2600 | if (src) |
2601 | { | |
2602 | valid = TRUE; | |
2603 | src->destroy(src); | |
2604 | } | |
2605 | return valid; | |
2606 | } | |
2607 | ||
8bced61b MW |
2608 | METHOD(ike_sa_t, roam, status_t, |
2609 | private_ike_sa_t *this, bool address) | |
17d92e97 | 2610 | { |
011b1cca MW |
2611 | switch (this->state) |
2612 | { | |
2613 | case IKE_CREATED: | |
2614 | case IKE_DELETING: | |
7afd9d66 | 2615 | case IKE_DESTROYING: |
c610f424 | 2616 | case IKE_PASSIVE: |
bb389973 | 2617 | case IKE_REKEYED: |
011b1cca MW |
2618 | return SUCCESS; |
2619 | default: | |
2620 | break; | |
2621 | } | |
7daf5226 | 2622 | |
007a2701 TB |
2623 | if (!this->ike_cfg) |
2624 | { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and | |
2625 | * without config assigned */ | |
2626 | return SUCCESS; | |
2627 | } | |
8929c700 TB |
2628 | if (this->version == IKEV1) |
2629 | { /* ignore roam events for IKEv1 where we don't have MOBIKE and would | |
2630 | * have to reestablish from scratch (reauth is not enough) */ | |
2631 | return SUCCESS; | |
2632 | } | |
007a2701 | 2633 | |
be27e768 TB |
2634 | /* ignore roam events if MOBIKE is not supported/enabled and the local |
2635 | * address is statically configured */ | |
8929c700 | 2636 | if (!supports_extension(this, EXT_MOBIKE) && |
be27e768 TB |
2637 | ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE)) |
2638 | { | |
2639 | DBG2(DBG_IKE, "keeping statically configured path %H - %H", | |
2640 | this->my_host, this->other_host); | |
2641 | return SUCCESS; | |
2642 | } | |
2643 | ||
ce5b1708 | 2644 | /* keep existing path if possible */ |
bab56a4a | 2645 | if (is_current_path_valid(this)) |
face844a | 2646 | { |
bab56a4a TB |
2647 | DBG2(DBG_IKE, "keeping connection path %H - %H", |
2648 | this->my_host, this->other_host); | |
2649 | set_condition(this, COND_STALE, FALSE); | |
261b2572 TB |
2650 | |
2651 | if (supports_extension(this, EXT_MOBIKE) && address) | |
2652 | { /* if any addresses changed, send an updated list */ | |
2653 | DBG1(DBG_IKE, "sending address list update using MOBIKE"); | |
873df908 | 2654 | this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE); |
261b2572 TB |
2655 | return this->task_manager->initiate(this->task_manager); |
2656 | } | |
bab56a4a | 2657 | return SUCCESS; |
7afd9d66 | 2658 | } |
261b2572 | 2659 | |
bab56a4a | 2660 | if (!is_any_path_valid(this)) |
7afd9d66 | 2661 | { |
bab56a4a TB |
2662 | DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", |
2663 | this->other_host); | |
2664 | set_condition(this, COND_STALE, TRUE); | |
2665 | return SUCCESS; | |
17d92e97 | 2666 | } |
7afd9d66 | 2667 | set_condition(this, COND_STALE, FALSE); |
7daf5226 | 2668 | |
face844a MW |
2669 | /* update addresses with mobike, if supported ... */ |
2670 | if (supports_extension(this, EXT_MOBIKE)) | |
2671 | { | |
57744088 TB |
2672 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2673 | { /* responder updates the peer about changed address config */ | |
2674 | DBG1(DBG_IKE, "sending address list update using MOBIKE, " | |
2675 | "implicitly requesting an address change"); | |
2676 | address = TRUE; | |
2677 | } | |
2678 | else | |
2679 | { | |
2680 | DBG1(DBG_IKE, "requesting address change using MOBIKE"); | |
2681 | } | |
873df908 | 2682 | this->task_manager->queue_mobike(this->task_manager, TRUE, address); |
face844a MW |
2683 | return this->task_manager->initiate(this->task_manager); |
2684 | } | |
57744088 | 2685 | |
96926b00 | 2686 | /* ... reauth if not */ |
57744088 TB |
2687 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2688 | { /* responder does not reauthenticate */ | |
2689 | set_condition(this, COND_STALE, TRUE); | |
2690 | return SUCCESS; | |
2691 | } | |
2692 | DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change"); | |
a46fe568 TB |
2693 | /* since our previous path is not valid anymore, try and find a new one */ |
2694 | resolve_hosts(this); | |
96926b00 | 2695 | return reauth(this); |
17d92e97 | 2696 | } |
6fe03b0a | 2697 | |
8bced61b MW |
2698 | METHOD(ike_sa_t, add_configuration_attribute, void, |
2699 | private_ike_sa_t *this, attribute_handler_t *handler, | |
2700 | configuration_attribute_type_t type, chunk_t data) | |
7f56b494 | 2701 | { |
893da041 MW |
2702 | attribute_entry_t entry = { |
2703 | .handler = handler, | |
2704 | .type = type, | |
2705 | .data = chunk_clone(data), | |
2706 | }; | |
2707 | array_insert(this->attributes, ARRAY_TAIL, &entry); | |
7f56b494 MW |
2708 | } |
2709 | ||
525cc46c TB |
2710 | CALLBACK(filter_attribute, bool, |
2711 | void *null, enumerator_t *orig, va_list args) | |
9d257034 | 2712 | { |
525cc46c TB |
2713 | attribute_entry_t *entry; |
2714 | configuration_attribute_type_t *type; | |
2715 | chunk_t *data; | |
2716 | bool *handled; | |
2717 | ||
2718 | VA_ARGS_VGET(args, type, data, handled); | |
2719 | ||
2720 | if (orig->enumerate(orig, &entry)) | |
2721 | { | |
2722 | *type = entry->type; | |
2723 | *data = entry->data; | |
2724 | *handled = entry->handler != NULL; | |
2725 | return TRUE; | |
2726 | } | |
2727 | return FALSE; | |
9d257034 MW |
2728 | } |
2729 | ||
2730 | METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*, | |
2731 | private_ike_sa_t *this) | |
2732 | { | |
2733 | return enumerator_create_filter(array_create_enumerator(this->attributes), | |
525cc46c | 2734 | filter_attribute, NULL, NULL); |
9d257034 MW |
2735 | } |
2736 | ||
ea340ee8 MW |
2737 | METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, |
2738 | private_ike_sa_t *this, task_queue_t queue) | |
2739 | { | |
2740 | return this->task_manager->create_task_enumerator(this->task_manager, queue); | |
2741 | } | |
2742 | ||
b7160401 TB |
2743 | METHOD(ike_sa_t, remove_task, void, |
2744 | private_ike_sa_t *this, enumerator_t *enumerator) | |
2745 | { | |
2746 | return this->task_manager->remove_task(this->task_manager, enumerator); | |
2747 | } | |
2748 | ||
cbc1a20f MW |
2749 | METHOD(ike_sa_t, flush_queue, void, |
2750 | private_ike_sa_t *this, task_queue_t queue) | |
2751 | { | |
2752 | this->task_manager->flush_queue(this->task_manager, queue); | |
2753 | } | |
2754 | ||
69adeb5b MW |
2755 | METHOD(ike_sa_t, queue_task, void, |
2756 | private_ike_sa_t *this, task_t *task) | |
2757 | { | |
2758 | this->task_manager->queue_task(this->task_manager, task); | |
2759 | } | |
2760 | ||
208678e6 TB |
2761 | METHOD(ike_sa_t, queue_task_delayed, void, |
2762 | private_ike_sa_t *this, task_t *task, uint32_t delay) | |
2763 | { | |
2764 | this->task_manager->queue_task_delayed(this->task_manager, task, delay); | |
2765 | } | |
2766 | ||
5e97a5e6 TB |
2767 | /** |
2768 | * Migrate and queue child-creating tasks from another IKE_SA | |
2769 | */ | |
2770 | static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other, | |
2771 | task_queue_t queue) | |
00c889f4 | 2772 | { |
5e97a5e6 TB |
2773 | enumerator_t *enumerator; |
2774 | task_t *task; | |
00c889f4 | 2775 | |
5e97a5e6 TB |
2776 | enumerator = other->create_task_enumerator(other, queue); |
2777 | while (enumerator->enumerate(enumerator, &task)) | |
2778 | { | |
2779 | if (task->get_type(task) == TASK_CHILD_CREATE || | |
2780 | task->get_type(task) == TASK_QUICK_MODE) | |
2781 | { | |
2782 | other->remove_task(other, enumerator); | |
2783 | task->migrate(task, &this->public); | |
2784 | queue_task(this, task); | |
2785 | } | |
2786 | } | |
2787 | enumerator->destroy(enumerator); | |
2788 | } | |
2789 | ||
2790 | METHOD(ike_sa_t, adopt_child_tasks, void, | |
2791 | private_ike_sa_t *this, ike_sa_t *other) | |
2792 | { | |
2793 | migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); | |
2794 | migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); | |
00c889f4 TB |
2795 | } |
2796 | ||
713a1122 MW |
2797 | METHOD(ike_sa_t, inherit_pre, void, |
2798 | private_ike_sa_t *this, ike_sa_t *other_public) | |
2799 | { | |
2800 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; | |
2801 | ||
2802 | /* apply config and hosts */ | |
2803 | set_peer_cfg(this, other->peer_cfg); | |
2804 | set_my_host(this, other->my_host->clone(other->my_host)); | |
2805 | set_other_host(this, other->other_host->clone(other->other_host)); | |
094963d1 MW |
2806 | |
2807 | /* apply extensions and conditions with a few exceptions */ | |
2808 | this->extensions = other->extensions; | |
2809 | this->conditions = other->conditions; | |
2810 | this->conditions &= ~COND_STALE; | |
2811 | this->conditions &= ~COND_REAUTHENTICATING; | |
713a1122 MW |
2812 | } |
2813 | ||
2814 | METHOD(ike_sa_t, inherit_post, void, | |
8bced61b | 2815 | private_ike_sa_t *this, ike_sa_t *other_public) |
3183006d | 2816 | { |
8bced61b | 2817 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; |
c60c7694 | 2818 | child_sa_t *child_sa; |
5d6b9815 | 2819 | enumerator_t *enumerator; |
893da041 | 2820 | attribute_entry_t entry; |
5d6b9815 | 2821 | auth_cfg_t *cfg; |
101d26ba | 2822 | host_t *vip; |
7daf5226 | 2823 | |
c60c7694 MW |
2824 | /* apply hosts and ids */ |
2825 | this->my_host->destroy(this->my_host); | |
2826 | this->other_host->destroy(this->other_host); | |
2827 | this->my_id->destroy(this->my_id); | |
2828 | this->other_id->destroy(this->other_id); | |
2829 | this->my_host = other->my_host->clone(other->my_host); | |
2830 | this->other_host = other->other_host->clone(other->other_host); | |
2831 | this->my_id = other->my_id->clone(other->my_id); | |
2832 | this->other_id = other->other_id->clone(other->other_id); | |
dec3c184 TB |
2833 | this->if_id_in = other->if_id_in; |
2834 | this->if_id_out = other->if_id_out; | |
7daf5226 | 2835 | |
101d26ba | 2836 | /* apply assigned virtual IPs... */ |
893da041 | 2837 | while (array_remove(other->my_vips, ARRAY_HEAD, &vip)) |
c60c7694 | 2838 | { |
893da041 | 2839 | array_insert_create(&this->my_vips, ARRAY_TAIL, vip); |
c60c7694 | 2840 | } |
893da041 | 2841 | while (array_remove(other->other_vips, ARRAY_HEAD, &vip)) |
c60c7694 | 2842 | { |
893da041 | 2843 | array_insert_create(&this->other_vips, ARRAY_TAIL, vip); |
c60c7694 | 2844 | } |
7daf5226 | 2845 | |
b8ecdfd8 MW |
2846 | /* MOBIKE additional addresses */ |
2847 | while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip)) | |
2848 | { | |
2849 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip); | |
2850 | } | |
2851 | ||
5d6b9815 | 2852 | /* authentication information */ |
893da041 | 2853 | enumerator = array_create_enumerator(other->my_auths); |
5d6b9815 MW |
2854 | while (enumerator->enumerate(enumerator, &cfg)) |
2855 | { | |
893da041 | 2856 | array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg)); |
5d6b9815 MW |
2857 | } |
2858 | enumerator->destroy(enumerator); | |
893da041 | 2859 | enumerator = array_create_enumerator(other->other_auths); |
5d6b9815 MW |
2860 | while (enumerator->enumerate(enumerator, &cfg)) |
2861 | { | |
893da041 | 2862 | array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg)); |
5d6b9815 MW |
2863 | } |
2864 | enumerator->destroy(enumerator); | |
2865 | ||
7f56b494 | 2866 | /* ... and configuration attributes */ |
893da041 | 2867 | while (array_remove(other->attributes, ARRAY_HEAD, &entry)) |
c60c7694 | 2868 | { |
893da041 | 2869 | array_insert(this->attributes, ARRAY_TAIL, &entry); |
c60c7694 | 2870 | } |
b0e40caa | 2871 | |
faf9569f | 2872 | /* inherit all conditions */ |
b0e40caa AS |
2873 | this->conditions = other->conditions; |
2874 | if (this->conditions & COND_NAT_HERE) | |
2875 | { | |
efd7fa7b | 2876 | send_keepalive(this, FALSE); |
b0e40caa | 2877 | } |
7daf5226 | 2878 | |
22452f70 TB |
2879 | #ifdef ME |
2880 | if (other->is_mediation_server) | |
2881 | { | |
2882 | act_as_mediation_server(this); | |
2883 | } | |
2884 | else if (other->server_reflexive_host) | |
2885 | { | |
2886 | this->server_reflexive_host = other->server_reflexive_host->clone( | |
2887 | other->server_reflexive_host); | |
2888 | } | |
2889 | #endif /* ME */ | |
b0e40caa | 2890 | |
c60c7694 | 2891 | /* adopt all children */ |
893da041 | 2892 | while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa)) |
c60c7694 | 2893 | { |
38227d0e MW |
2894 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
2895 | add_child_sa(this, child_sa); | |
c60c7694 | 2896 | } |
7daf5226 | 2897 | |
e23a59f6 MW |
2898 | /* move pending tasks to the new IKE_SA */ |
2899 | this->task_manager->adopt_tasks(this->task_manager, other->task_manager); | |
7daf5226 | 2900 | |
ee614711 | 2901 | /* reauthentication timeout survives a rekeying */ |
85ac2fa5 | 2902 | if (other->stats[STAT_REAUTH]) |
ee614711 | 2903 | { |
6180a558 | 2904 | time_t reauth, delete, now = time_monotonic(NULL); |
7daf5226 | 2905 | |
85ac2fa5 MW |
2906 | this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH]; |
2907 | reauth = this->stats[STAT_REAUTH] - now; | |
ee614711 | 2908 | delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg); |
85ac2fa5 | 2909 | this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete; |
ee614711 MW |
2910 | DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, " |
2911 | "lifetime reduced to %ds", reauth, delete); | |
bb381e26 | 2912 | lib->scheduler->schedule_job(lib->scheduler, |
6554b5e4 | 2913 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth); |
bb381e26 | 2914 | lib->scheduler->schedule_job(lib->scheduler, |
6554b5e4 | 2915 | (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete); |
ee614711 | 2916 | } |
3183006d MW |
2917 | } |
2918 | ||
8bced61b MW |
2919 | METHOD(ike_sa_t, destroy, void, |
2920 | private_ike_sa_t *this) | |
60356f33 | 2921 | { |
893da041 | 2922 | attribute_entry_t entry; |
2b0c8ee3 | 2923 | child_sa_t *child_sa; |
101d26ba | 2924 | host_t *vip; |
7daf5226 | 2925 | |
65c907cd | 2926 | charon->bus->set_sa(charon->bus, &this->public); |
7daf5226 | 2927 | |
a985db3f | 2928 | set_state(this, IKE_DESTROYING); |
b1908994 TE |
2929 | if (this->task_manager) |
2930 | { | |
2931 | this->task_manager->flush(this->task_manager); | |
2932 | } | |
7daf5226 | 2933 | |
7f56b494 | 2934 | /* remove attributes first, as we pass the IKE_SA to the handler */ |
eef7427b | 2935 | charon->bus->handle_vips(charon->bus, &this->public, FALSE); |
893da041 | 2936 | while (array_remove(this->attributes, ARRAY_TAIL, &entry)) |
7f56b494 | 2937 | { |
5ae32210 MW |
2938 | if (entry.handler) |
2939 | { | |
75136327 | 2940 | charon->attributes->release(charon->attributes, entry.handler, |
a12f357b | 2941 | &this->public, entry.type, entry.data); |
5ae32210 | 2942 | } |
893da041 | 2943 | free(entry.data.ptr); |
7f56b494 | 2944 | } |
2b0c8ee3 MW |
2945 | /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill |
2946 | * routes that the CHILD_SA tries to uninstall. */ | |
2947 | while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa)) | |
2948 | { | |
38227d0e | 2949 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
2b0c8ee3 MW |
2950 | child_sa->destroy(child_sa); |
2951 | } | |
893da041 | 2952 | while (array_remove(this->my_vips, ARRAY_TAIL, &vip)) |
c60c7694 | 2953 | { |
8394ea2a | 2954 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
101d26ba | 2955 | vip->destroy(vip); |
c60c7694 | 2956 | } |
893da041 | 2957 | if (array_count(this->other_vips)) |
12fa1784 AS |
2958 | { |
2959 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); | |
2960 | } | |
893da041 | 2961 | while (array_remove(this->other_vips, ARRAY_TAIL, &vip)) |
cdcfe777 | 2962 | { |
497ce2cf | 2963 | if (this->peer_cfg) |
cdcfe777 | 2964 | { |
28a3d5bf | 2965 | linked_list_t *pools; |
28a3d5bf | 2966 | |
28a3d5bf MW |
2967 | pools = linked_list_create_from_enumerator( |
2968 | this->peer_cfg->create_pool_enumerator(this->peer_cfg)); | |
75136327 | 2969 | charon->attributes->release_address(charon->attributes, |
a16058a4 | 2970 | pools, vip, &this->public); |
28a3d5bf | 2971 | pools->destroy(pools); |
cdcfe777 | 2972 | } |
101d26ba | 2973 | vip->destroy(vip); |
cdcfe777 | 2974 | } |
a3854d83 MW |
2975 | |
2976 | /* unset SA after here to avoid usage by the listeners */ | |
2977 | charon->bus->set_sa(charon->bus, NULL); | |
2978 | ||
2b0c8ee3 | 2979 | array_destroy(this->child_sas); |
b1908994 | 2980 | DESTROY_IF(this->task_manager); |
a3854d83 | 2981 | DESTROY_IF(this->keymat); |
893da041 MW |
2982 | array_destroy(this->attributes); |
2983 | array_destroy(this->my_vips); | |
2984 | array_destroy(this->other_vips); | |
2985 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); | |
dc04b7c7 | 2986 | #ifdef ME |
22452f70 | 2987 | if (this->is_mediation_server) |
d5cc1758 | 2988 | { |
484a06bc TB |
2989 | charon->mediation_manager->remove(charon->mediation_manager, |
2990 | this->ike_sa_id); | |
d5cc1758 TB |
2991 | } |
2992 | DESTROY_IF(this->server_reflexive_host); | |
9c2a905d | 2993 | chunk_free(&this->connect_id); |
dc04b7c7 | 2994 | #endif /* ME */ |
9d9a772e | 2995 | free(this->nat_detection_dest.ptr); |
7daf5226 | 2996 | |
8dfbe71b MW |
2997 | DESTROY_IF(this->my_host); |
2998 | DESTROY_IF(this->other_host); | |
2999 | DESTROY_IF(this->my_id); | |
3000 | DESTROY_IF(this->other_id); | |
d487b4b7 AS |
3001 | DESTROY_IF(this->local_host); |
3002 | DESTROY_IF(this->remote_host); | |
e4af6e6b | 3003 | DESTROY_IF(this->redirected_from); |
c6ebd033 | 3004 | array_destroy(this->redirected_at); |
7daf5226 | 3005 | |
e0fe7651 MW |
3006 | DESTROY_IF(this->ike_cfg); |
3007 | DESTROY_IF(this->peer_cfg); | |
5dffdea1 | 3008 | DESTROY_IF(this->proposal); |
a44bb934 MW |
3009 | this->my_auth->destroy(this->my_auth); |
3010 | this->other_auth->destroy(this->other_auth); | |
893da041 MW |
3011 | array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy)); |
3012 | array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy)); | |
7daf5226 | 3013 | |
87a217f9 | 3014 | this->ike_sa_id->destroy(this->ike_sa_id); |
5113680f | 3015 | free(this); |
7ba38761 JH |
3016 | } |
3017 | ||
3018 | /* | |
39b2903f | 3019 | * Described in header. |
7ba38761 | 3020 | */ |
17ec1c74 MW |
3021 | ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, |
3022 | ike_version_t version) | |
7ba38761 | 3023 | { |
8bced61b | 3024 | private_ike_sa_t *this; |
3568abe7 | 3025 | static refcount_t unique_id = 0; |
7daf5226 | 3026 | |
3d54ae94 MW |
3027 | if (version == IKE_ANY) |
3028 | { /* prefer IKEv2 if protocol not specified */ | |
3029 | #ifdef USE_IKEV2 | |
3030 | version = IKEV2; | |
3031 | #else | |
3032 | version = IKEV1; | |
3033 | #endif | |
3034 | } | |
3035 | ||
8bced61b MW |
3036 | INIT(this, |
3037 | .public = { | |
0b611540 | 3038 | .get_version = _get_version, |
8bced61b MW |
3039 | .get_state = _get_state, |
3040 | .set_state = _set_state, | |
3041 | .get_name = _get_name, | |
3042 | .get_statistic = _get_statistic, | |
44ff1153 | 3043 | .set_statistic = _set_statistic, |
8bced61b MW |
3044 | .process_message = _process_message, |
3045 | .initiate = _initiate, | |
77e42826 | 3046 | .retry_initiate = _retry_initiate, |
8bced61b MW |
3047 | .get_ike_cfg = _get_ike_cfg, |
3048 | .set_ike_cfg = _set_ike_cfg, | |
3049 | .get_peer_cfg = _get_peer_cfg, | |
3050 | .set_peer_cfg = _set_peer_cfg, | |
3051 | .get_auth_cfg = _get_auth_cfg, | |
3052 | .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, | |
1b9c1ae0 | 3053 | .verify_peer_certificate = _verify_peer_certificate, |
8bced61b MW |
3054 | .add_auth_cfg = _add_auth_cfg, |
3055 | .get_proposal = _get_proposal, | |
3056 | .set_proposal = _set_proposal, | |
3057 | .get_id = _get_id, | |
3058 | .get_my_host = _get_my_host, | |
3059 | .set_my_host = _set_my_host, | |
3060 | .get_other_host = _get_other_host, | |
3061 | .set_other_host = _set_other_host, | |
3062 | .set_message_id = _set_message_id, | |
347c403c | 3063 | .get_message_id = _get_message_id, |
277f02ce | 3064 | .float_ports = _float_ports, |
8bced61b MW |
3065 | .update_hosts = _update_hosts, |
3066 | .get_my_id = _get_my_id, | |
3067 | .set_my_id = _set_my_id, | |
3068 | .get_other_id = _get_other_id, | |
3069 | .set_other_id = _set_other_id, | |
3070 | .get_other_eap_id = _get_other_eap_id, | |
3071 | .enable_extension = _enable_extension, | |
3072 | .supports_extension = _supports_extension, | |
3073 | .set_condition = _set_condition, | |
3074 | .has_condition = _has_condition, | |
94bbc602 TB |
3075 | .create_peer_address_enumerator = _create_peer_address_enumerator, |
3076 | .add_peer_address = _add_peer_address, | |
3077 | .clear_peer_addresses = _clear_peer_addresses, | |
8bced61b MW |
3078 | .has_mapping_changed = _has_mapping_changed, |
3079 | .retransmit = _retransmit, | |
3080 | .delete = _delete_, | |
3081 | .destroy = _destroy, | |
3082 | .send_dpd = _send_dpd, | |
3083 | .send_keepalive = _send_keepalive, | |
71c70705 | 3084 | .redirect = _redirect, |
c126ddd0 | 3085 | .handle_redirect = _handle_redirect, |
e4af6e6b | 3086 | .get_redirected_from = _get_redirected_from, |
8bced61b MW |
3087 | .get_keymat = _get_keymat, |
3088 | .add_child_sa = _add_child_sa, | |
3089 | .get_child_sa = _get_child_sa, | |
4bbce1ef TB |
3090 | .get_child_count = _get_child_count, |
3091 | .create_child_sa_enumerator = _create_child_sa_enumerator, | |
3092 | .remove_child_sa = _remove_child_sa, | |
8bced61b MW |
3093 | .rekey_child_sa = _rekey_child_sa, |
3094 | .delete_child_sa = _delete_child_sa, | |
3095 | .destroy_child_sa = _destroy_child_sa, | |
3096 | .rekey = _rekey, | |
3097 | .reauth = _reauth, | |
3098 | .reestablish = _reestablish, | |
3099 | .set_auth_lifetime = _set_auth_lifetime, | |
3100 | .roam = _roam, | |
713a1122 MW |
3101 | .inherit_pre = _inherit_pre, |
3102 | .inherit_post = _inherit_post, | |
8bced61b | 3103 | .generate_message = _generate_message, |
40bab9a1 | 3104 | .generate_message_fragmented = _generate_message_fragmented, |
8bced61b MW |
3105 | .reset = _reset, |
3106 | .get_unique_id = _get_unique_id, | |
101d26ba | 3107 | .add_virtual_ip = _add_virtual_ip, |
d2e8f20d | 3108 | .clear_virtual_ips = _clear_virtual_ips, |
101d26ba | 3109 | .create_virtual_ip_enumerator = _create_virtual_ip_enumerator, |
8bced61b | 3110 | .add_configuration_attribute = _add_configuration_attribute, |
9d257034 | 3111 | .create_attribute_enumerator = _create_attribute_enumerator, |
dec3c184 | 3112 | .get_if_id = _get_if_id, |
8bced61b | 3113 | .set_kmaddress = _set_kmaddress, |
ea340ee8 | 3114 | .create_task_enumerator = _create_task_enumerator, |
b7160401 | 3115 | .remove_task = _remove_task, |
cbc1a20f | 3116 | .flush_queue = _flush_queue, |
69adeb5b | 3117 | .queue_task = _queue_task, |
208678e6 | 3118 | .queue_task_delayed = _queue_task_delayed, |
00c889f4 | 3119 | .adopt_child_tasks = _adopt_child_tasks, |
dc04b7c7 | 3120 | #ifdef ME |
8bced61b MW |
3121 | .act_as_mediation_server = _act_as_mediation_server, |
3122 | .get_server_reflexive_host = _get_server_reflexive_host, | |
3123 | .set_server_reflexive_host = _set_server_reflexive_host, | |
3124 | .get_connect_id = _get_connect_id, | |
3125 | .initiate_mediation = _initiate_mediation, | |
3126 | .initiate_mediated = _initiate_mediated, | |
3127 | .relay = _relay, | |
3128 | .callback = _callback, | |
3129 | .respond = _respond, | |
dc04b7c7 | 3130 | #endif /* ME */ |
8bced61b MW |
3131 | }, |
3132 | .ike_sa_id = ike_sa_id->clone(ike_sa_id), | |
0b611540 | 3133 | .version = version, |
8bced61b MW |
3134 | .my_host = host_create_any(AF_INET), |
3135 | .other_host = host_create_any(AF_INET), | |
3136 | .my_id = identification_create_from_encoding(ID_ANY, chunk_empty), | |
3137 | .other_id = identification_create_from_encoding(ID_ANY, chunk_empty), | |
17ec1c74 | 3138 | .keymat = keymat_create(version, initiator), |
8bced61b MW |
3139 | .state = IKE_CREATED, |
3140 | .stats[STAT_INBOUND] = time_monotonic(NULL), | |
3141 | .stats[STAT_OUTBOUND] = time_monotonic(NULL), | |
3142 | .my_auth = auth_cfg_create(), | |
3143 | .other_auth = auth_cfg_create(), | |
893da041 MW |
3144 | .my_auths = array_create(0, 0), |
3145 | .other_auths = array_create(0, 0), | |
3146 | .attributes = array_create(sizeof(attribute_entry_t), 0), | |
3568abe7 | 3147 | .unique_id = ref_get(&unique_id), |
8bced61b | 3148 | .keepalive_interval = lib->settings->get_time(lib->settings, |
d223fe80 | 3149 | "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns), |
60c82591 | 3150 | .retry_initiate_interval = lib->settings->get_time(lib->settings, |
d223fe80 | 3151 | "%s.retry_initiate_interval", 0, lib->ns), |
b24b73b7 | 3152 | .flush_auth_cfg = lib->settings->get_bool(lib->settings, |
d223fe80 | 3153 | "%s.flush_auth_cfg", FALSE, lib->ns), |
40bab9a1 | 3154 | .fragment_size = lib->settings->get_int(lib->settings, |
0642f42b | 3155 | "%s.fragment_size", 1280, lib->ns), |
489d154e TB |
3156 | .follow_redirects = lib->settings->get_bool(lib->settings, |
3157 | "%s.follow_redirects", TRUE, lib->ns), | |
8bced61b | 3158 | ); |
4b64a1a1 | 3159 | |
11aadd77 MW |
3160 | if (version == IKEV2) |
3161 | { /* always supported with IKEv2 */ | |
3162 | enable_extension(this, EXT_DPD); | |
3163 | } | |
3164 | ||
5baaaa5e | 3165 | this->task_manager = task_manager_create(&this->public); |
b223d517 TB |
3166 | this->my_host->set_port(this->my_host, |
3167 | charon->socket->get_port(charon->socket, FALSE)); | |
7daf5226 | 3168 | |
3d54ae94 MW |
3169 | if (!this->task_manager || !this->keymat) |
3170 | { | |
3171 | DBG1(DBG_IKE, "IKE version %d not supported", this->version); | |
3172 | destroy(this); | |
3173 | return NULL; | |
3174 | } | |
3dd3c5f3 | 3175 | return &this->public; |
7ba38761 | 3176 | } |