2 * Copyright (C) 2006-2018 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * Copyright (c) 2014 Volker RĂ¼melin
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
68 ENUM(ike_sa_state_names
, IKE_CREATED
, IKE_DESTROYING
,
79 typedef struct private_ike_sa_t private_ike_sa_t
;
80 typedef struct attribute_entry_t attribute_entry_t
;
83 * Private data of an ike_sa_t object.
85 struct private_ike_sa_t
{
93 * Identifier for the current IKE_SA.
95 ike_sa_id_t
*ike_sa_id
;
98 * IKE version of this SA.
100 ike_version_t version
;
103 * unique numerical ID for this IKE_SA.
108 * Current state of the IKE_SA
110 ike_sa_state_t state
;
113 * IKE configuration used to set up this IKE_SA
118 * Peer and authentication information to establish IKE_SA.
120 peer_cfg_t
*peer_cfg
;
123 * currently used authentication ruleset, local
128 * currently used authentication constraints, remote
130 auth_cfg_t
*other_auth
;
133 * Array of completed local authentication rounds (as auth_cfg_t)
138 * Array of completed remote authentication rounds (as auth_cfg_t)
140 array_t
*other_auths
;
143 * Selected IKE proposal
145 proposal_t
*proposal
;
148 * Juggles tasks to process messages
150 task_manager_t
*task_manager
;
153 * Address of local host
158 * Address of remote host
164 * Are we mediation server
166 bool is_mediation_server
;
169 * Server reflexive host
171 host_t
*server_reflexive_host
;
180 * Identification used for us
182 identification_t
*my_id
;
185 * Identification used for other
187 identification_t
*other_id
;
190 * set of extensions the peer supports
192 ike_extension_t extensions
;
195 * set of condition flags currently enabled for this IKE_SA
197 ike_condition_t conditions
;
200 * Array containing the child sa's of the current IKE_SA.
205 * keymat of this IKE_SA
210 * Virtual IPs on local host
215 * Virtual IPs on remote host
220 * List of configuration attributes (attribute_entry_t)
225 * list of peer's addresses, additional ones transmitted via MOBIKE
227 array_t
*peer_addresses
;
230 * previously value of received DESTINATION_IP hash
232 chunk_t nat_detection_dest
;
235 * NAT keep alive interval
237 uint32_t keepalive_interval
;
240 * The schedueld keep alive job, if any
242 send_keepalive_job_t
*keepalive_job
;
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
248 uint32_t retry_initiate_interval
;
251 * TRUE if a retry_initiate_job has been queued
253 bool retry_initiate_queued
;
256 * Timestamps for this IKE_SA
258 uint32_t stats
[STAT_MAX
];
261 * how many times we have retried so far (keyingtries)
266 * local host address to be used for IKE, set via MIGRATE kernel message
271 * remote host address to be used for IKE, set via MIGRATE kernel message
276 * Flush auth configs once established?
281 * Maximum length of a single fragment, 0 for address-specific defaults
283 size_t fragment_size
;
286 * Whether to follow IKEv2 redirects
288 bool follow_redirects
;
291 * Original gateway address from which we got redirected
293 host_t
*redirected_from
;
296 * Timestamps of redirect attempts to handle loops
298 array_t
*redirected_at
;
302 * Entry to maintain install configuration attributes during IKE_SA lifetime
304 struct attribute_entry_t
{
305 /** handler used to install this attribute */
306 attribute_handler_t
*handler
;
307 /** attribute type */
308 configuration_attribute_type_t type
;
309 /** attribute data */
314 * get the time of the latest traffic processed by the kernel
316 static time_t get_use_time(private_ike_sa_t
* this, bool inbound
)
318 enumerator_t
*enumerator
;
319 child_sa_t
*child_sa
;
320 time_t use_time
, current
;
324 use_time
= this->stats
[STAT_INBOUND
];
328 use_time
= this->stats
[STAT_OUTBOUND
];
331 enumerator
= array_create_enumerator(this->child_sas
);
332 while (enumerator
->enumerate(enumerator
, &child_sa
))
334 child_sa
->get_usestats(child_sa
, inbound
, ¤t
, NULL
, NULL
);
335 use_time
= max(use_time
, current
);
337 enumerator
->destroy(enumerator
);
342 METHOD(ike_sa_t
, get_unique_id
, uint32_t,
343 private_ike_sa_t
*this)
345 return this->unique_id
;
348 METHOD(ike_sa_t
, get_name
, char*,
349 private_ike_sa_t
*this)
353 return this->peer_cfg
->get_name(this->peer_cfg
);
358 METHOD(ike_sa_t
, get_statistic
, uint32_t,
359 private_ike_sa_t
*this, statistic_t kind
)
363 return this->stats
[kind
];
368 METHOD(ike_sa_t
, set_statistic
, void,
369 private_ike_sa_t
*this, statistic_t kind
, uint32_t value
)
373 this->stats
[kind
] = value
;
377 METHOD(ike_sa_t
, get_my_host
, host_t
*,
378 private_ike_sa_t
*this)
380 return this->my_host
;
383 METHOD(ike_sa_t
, set_my_host
, void,
384 private_ike_sa_t
*this, host_t
*me
)
386 DESTROY_IF(this->my_host
);
390 METHOD(ike_sa_t
, get_other_host
, host_t
*,
391 private_ike_sa_t
*this)
393 return this->other_host
;
396 METHOD(ike_sa_t
, set_other_host
, void,
397 private_ike_sa_t
*this, host_t
*other
)
399 DESTROY_IF(this->other_host
);
400 this->other_host
= other
;
403 METHOD(ike_sa_t
, get_redirected_from
, host_t
*,
404 private_ike_sa_t
*this)
406 return this->redirected_from
;
409 METHOD(ike_sa_t
, get_peer_cfg
, peer_cfg_t
*,
410 private_ike_sa_t
*this)
412 return this->peer_cfg
;
415 METHOD(ike_sa_t
, set_peer_cfg
, void,
416 private_ike_sa_t
*this, peer_cfg_t
*peer_cfg
)
418 peer_cfg
->get_ref(peer_cfg
);
419 DESTROY_IF(this->peer_cfg
);
420 this->peer_cfg
= peer_cfg
;
422 if (this->ike_cfg
== NULL
)
424 this->ike_cfg
= peer_cfg
->get_ike_cfg(peer_cfg
);
425 this->ike_cfg
->get_ref(this->ike_cfg
);
429 METHOD(ike_sa_t
, get_auth_cfg
, auth_cfg_t
*,
430 private_ike_sa_t
*this, bool local
)
434 return this->my_auth
;
436 return this->other_auth
;
439 METHOD(ike_sa_t
, add_auth_cfg
, void,
440 private_ike_sa_t
*this, bool local
, auth_cfg_t
*cfg
)
444 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
);
448 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
);
452 METHOD(ike_sa_t
, create_auth_cfg_enumerator
, enumerator_t
*,
453 private_ike_sa_t
*this, bool local
)
457 return array_create_enumerator(this->my_auths
);
459 return array_create_enumerator(this->other_auths
);
463 * Flush the stored authentication round information
465 static void flush_auth_cfgs(private_ike_sa_t
*this)
469 this->my_auth
->purge(this->my_auth
, FALSE
);
470 this->other_auth
->purge(this->other_auth
, FALSE
);
472 while (array_remove(this->my_auths
, ARRAY_TAIL
, &cfg
))
476 while (array_remove(this->other_auths
, ARRAY_TAIL
, &cfg
))
482 METHOD(ike_sa_t
, verify_peer_certificate
, bool,
483 private_ike_sa_t
*this)
485 enumerator_t
*e1
, *e2
, *certs
;
486 auth_cfg_t
*cfg
, *cfg_done
;
487 certificate_t
*peer
, *cert
;
490 auth_cfg_wrapper_t
*wrapper
;
491 time_t not_before
, not_after
;
492 bool valid
= TRUE
, found
;
494 if (this->state
!= IKE_ESTABLISHED
)
496 DBG1(DBG_IKE
, "unable to verify peer certificate in state %N",
497 ike_sa_state_names
, this->state
);
501 if (!this->flush_auth_cfg
&&
502 lib
->settings
->get_bool(lib
->settings
,
503 "%s.flush_auth_cfg", FALSE
, lib
->ns
))
504 { /* we can do this check only once if auth configs are flushed */
505 DBG1(DBG_IKE
, "unable to verify peer certificate as authentication "
506 "information has been flushed");
509 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED
,
512 e1
= this->peer_cfg
->create_auth_cfg_enumerator(this->peer_cfg
, FALSE
);
513 e2
= array_create_enumerator(this->other_auths
);
514 while (e1
->enumerate(e1
, &cfg
))
516 if (!e2
->enumerate(e2
, &cfg_done
))
517 { /* this should not happen as the authentication should never have
522 if ((uintptr_t)cfg_done
->get(cfg_done
,
523 AUTH_RULE_AUTH_CLASS
) != AUTH_CLASS_PUBKEY
)
527 peer
= cfg_done
->get(cfg_done
, AUTH_RULE_SUBJECT_CERT
);
530 DBG1(DBG_IKE
, "no subject certificate found, skipping certificate "
534 if (!peer
->get_validity(peer
, NULL
, ¬_before
, ¬_after
))
536 DBG1(DBG_IKE
, "peer certificate invalid (valid from %T to %T)",
537 ¬_before
, FALSE
, ¬_after
, FALSE
);
541 key
= peer
->get_public_key(peer
);
544 DBG1(DBG_IKE
, "unable to retrieve public key, skipping certificate "
548 DBG1(DBG_IKE
, "verifying peer certificate");
549 /* serve received certificates */
550 wrapper
= auth_cfg_wrapper_create(cfg_done
);
551 lib
->credmgr
->add_local_set(lib
->credmgr
, &wrapper
->set
, FALSE
);
552 certs
= lib
->credmgr
->create_trusted_enumerator(lib
->credmgr
,
553 key
->get_type(key
), peer
->get_subject(peer
), TRUE
);
557 while (certs
->enumerate(certs
, &cert
, &auth
))
559 if (peer
->equals(peer
, cert
))
561 cfg_done
->add(cfg_done
, AUTH_RULE_CERT_VALIDATION_SUSPENDED
,
563 cfg_done
->merge(cfg_done
, auth
, FALSE
);
564 valid
= cfg_done
->complies(cfg_done
, cfg
, TRUE
);
569 certs
->destroy(certs
);
570 lib
->credmgr
->remove_local_set(lib
->credmgr
, &wrapper
->set
);
571 wrapper
->destroy(wrapper
);
572 if (!found
|| !valid
)
581 if (this->flush_auth_cfg
)
583 this->flush_auth_cfg
= FALSE
;
584 flush_auth_cfgs(this);
589 METHOD(ike_sa_t
, get_proposal
, proposal_t
*,
590 private_ike_sa_t
*this)
592 return this->proposal
;
595 METHOD(ike_sa_t
, set_proposal
, void,
596 private_ike_sa_t
*this, proposal_t
*proposal
)
598 DESTROY_IF(this->proposal
);
599 this->proposal
= proposal
->clone(proposal
);
602 METHOD(ike_sa_t
, set_message_id
, void,
603 private_ike_sa_t
*this, bool initiate
, uint32_t mid
)
607 this->task_manager
->reset(this->task_manager
, mid
, UINT_MAX
);
611 this->task_manager
->reset(this->task_manager
, UINT_MAX
, mid
);
615 METHOD(ike_sa_t
, get_message_id
, uint32_t,
616 private_ike_sa_t
*this, bool initiate
)
618 return this->task_manager
->get_mid(this->task_manager
, initiate
);
621 METHOD(ike_sa_t
, send_keepalive
, void,
622 private_ike_sa_t
*this, bool scheduled
)
624 time_t last_out
, now
, diff
;
628 this->keepalive_job
= NULL
;
630 if (!this->keepalive_interval
|| this->state
== IKE_PASSIVE
)
631 { /* keepalives disabled either by configuration or for passive IKE_SAs */
634 if (!(this->conditions
& COND_NAT_HERE
) || (this->conditions
& COND_STALE
))
635 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
639 last_out
= get_use_time(this, FALSE
);
640 now
= time_monotonic(NULL
);
642 diff
= now
- last_out
;
644 if (diff
>= this->keepalive_interval
)
649 packet
= packet_create();
650 packet
->set_source(packet
, this->my_host
->clone(this->my_host
));
651 packet
->set_destination(packet
, this->other_host
->clone(this->other_host
));
652 data
.ptr
= malloc(1);
655 packet
->set_data(packet
, data
);
656 DBG1(DBG_IKE
, "sending keep alive to %#H", this->other_host
);
657 charon
->sender
->send_no_marker(charon
->sender
, packet
);
660 if (!this->keepalive_job
)
662 this->keepalive_job
= send_keepalive_job_create(this->ike_sa_id
);
663 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)this->keepalive_job
,
664 this->keepalive_interval
- diff
);
668 METHOD(ike_sa_t
, get_ike_cfg
, ike_cfg_t
*,
669 private_ike_sa_t
*this)
671 return this->ike_cfg
;
674 METHOD(ike_sa_t
, set_ike_cfg
, void,
675 private_ike_sa_t
*this, ike_cfg_t
*ike_cfg
)
677 DESTROY_IF(this->ike_cfg
);
678 ike_cfg
->get_ref(ike_cfg
);
679 this->ike_cfg
= ike_cfg
;
682 METHOD(ike_sa_t
, enable_extension
, void,
683 private_ike_sa_t
*this, ike_extension_t extension
)
685 this->extensions
|= extension
;
688 METHOD(ike_sa_t
, supports_extension
, bool,
689 private_ike_sa_t
*this, ike_extension_t extension
)
691 return (this->extensions
& extension
) != FALSE
;
694 METHOD(ike_sa_t
, has_condition
, bool,
695 private_ike_sa_t
*this, ike_condition_t condition
)
697 return (this->conditions
& condition
) != FALSE
;
700 METHOD(ike_sa_t
, set_condition
, void,
701 private_ike_sa_t
*this, ike_condition_t condition
, bool enable
)
703 if (has_condition(this, condition
) != enable
)
707 this->conditions
|= condition
;
711 DBG1(DBG_IKE
, "local host is behind NAT, sending keep alives");
712 this->conditions
|= COND_NAT_ANY
;
713 send_keepalive(this, FALSE
);
716 DBG1(DBG_IKE
, "remote host is behind NAT");
717 this->conditions
|= COND_NAT_ANY
;
720 DBG1(DBG_IKE
, "faking NAT situation to enforce UDP encapsulation");
721 this->conditions
|= COND_NAT_ANY
;
729 this->conditions
&= ~condition
;
734 DBG1(DBG_IKE
, "%s host is not behind NAT anymore",
735 condition
== COND_NAT_HERE
? "local" : "remote");
738 set_condition(this, COND_NAT_ANY
,
739 has_condition(this, COND_NAT_HERE
) ||
740 has_condition(this, COND_NAT_THERE
) ||
741 has_condition(this, COND_NAT_FAKE
));
744 send_keepalive(this, FALSE
);
753 METHOD(ike_sa_t
, send_dpd
, status_t
,
754 private_ike_sa_t
*this)
758 bool task_queued
= FALSE
;
760 if (this->state
== IKE_PASSIVE
)
762 return INVALID_STATE
;
764 if (this->version
== IKEV1
&& this->state
== IKE_REKEYING
)
765 { /* don't send DPDs for rekeyed IKEv1 SAs */
768 delay
= this->peer_cfg
->get_dpd(this->peer_cfg
);
769 if (this->task_manager
->busy(this->task_manager
))
771 /* an exchange is in the air, no need to start a DPD check */
776 /* check if there was any inbound traffic */
778 last_in
= get_use_time(this, TRUE
);
779 now
= time_monotonic(NULL
);
780 diff
= now
- last_in
;
781 if (!delay
|| diff
>= delay
)
783 /* too long ago, initiate dead peer detection */
784 DBG1(DBG_IKE
, "sending DPD request");
785 this->task_manager
->queue_dpd(this->task_manager
);
790 /* recheck in "interval" seconds */
793 job
= (job_t
*)send_dpd_job_create(this->ike_sa_id
);
794 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, delay
- diff
);
798 return this->task_manager
->initiate(this->task_manager
);
803 METHOD(ike_sa_t
, get_state
, ike_sa_state_t
,
804 private_ike_sa_t
*this)
809 METHOD(ike_sa_t
, set_state
, void,
810 private_ike_sa_t
*this, ike_sa_state_t state
)
812 bool trigger_dpd
= FALSE
, keepalives
= FALSE
;
814 DBG2(DBG_IKE
, "IKE_SA %s[%d] state change: %N => %N",
815 get_name(this), this->unique_id
,
816 ike_sa_state_names
, this->state
,
817 ike_sa_state_names
, state
);
821 case IKE_ESTABLISHED
:
823 if (this->state
== IKE_CONNECTING
||
824 this->state
== IKE_PASSIVE
)
829 /* calculate rekey, reauth and lifetime */
830 this->stats
[STAT_ESTABLISHED
] = time_monotonic(NULL
);
832 /* schedule rekeying if we have a time which is smaller than
833 * an already scheduled rekeying */
834 t
= this->peer_cfg
->get_rekey_time(this->peer_cfg
, TRUE
);
835 if (t
&& (this->stats
[STAT_REKEY
] == 0 ||
836 (this->stats
[STAT_REKEY
] > t
+ this->stats
[STAT_ESTABLISHED
])))
838 this->stats
[STAT_REKEY
] = t
+ this->stats
[STAT_ESTABLISHED
];
839 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, FALSE
);
840 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
841 DBG1(DBG_IKE
, "scheduling rekeying in %ds", t
);
843 t
= this->peer_cfg
->get_reauth_time(this->peer_cfg
, TRUE
);
844 if (t
&& (this->stats
[STAT_REAUTH
] == 0 ||
845 (this->stats
[STAT_REAUTH
] > t
+ this->stats
[STAT_ESTABLISHED
])))
847 this->stats
[STAT_REAUTH
] = t
+ this->stats
[STAT_ESTABLISHED
];
848 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
);
849 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
850 DBG1(DBG_IKE
, "scheduling reauthentication in %ds", t
);
852 t
= this->peer_cfg
->get_over_time(this->peer_cfg
);
853 if (this->stats
[STAT_REKEY
] || this->stats
[STAT_REAUTH
])
855 if (this->stats
[STAT_REAUTH
] == 0)
857 this->stats
[STAT_DELETE
] = this->stats
[STAT_REKEY
];
859 else if (this->stats
[STAT_REKEY
] == 0)
861 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
];
865 this->stats
[STAT_DELETE
] = min(this->stats
[STAT_REKEY
],
866 this->stats
[STAT_REAUTH
]);
868 this->stats
[STAT_DELETE
] += t
;
869 t
= this->stats
[STAT_DELETE
] - this->stats
[STAT_ESTABLISHED
];
870 job
= (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
);
871 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
872 DBG1(DBG_IKE
, "maximum IKE_SA lifetime %ds", t
);
874 trigger_dpd
= this->peer_cfg
->get_dpd(this->peer_cfg
);
877 /* Some peers delay the DELETE after rekeying an IKE_SA.
878 * If this delay is longer than our DPD delay, we would
879 * send a DPD request here. The IKE_SA is not ready to do
880 * so yet, so prevent that. */
881 this->stats
[STAT_INBOUND
] = this->stats
[STAT_ESTABLISHED
];
883 if (this->state
== IKE_PASSIVE
)
887 DESTROY_IF(this->redirected_from
);
888 this->redirected_from
= NULL
;
895 charon
->bus
->ike_state_change(charon
->bus
, &this->public, state
);
900 if (supports_extension(this, EXT_DPD
))
906 DBG1(DBG_IKE
, "DPD not supported by peer, disabled");
911 send_keepalive(this, FALSE
);
915 METHOD(ike_sa_t
, reset
, void,
916 private_ike_sa_t
*this, bool new_spi
)
918 /* reset the initiator SPI if requested */
921 charon
->ike_sa_manager
->new_initiator_spi(charon
->ike_sa_manager
,
924 /* the responder ID is reset, as peer may choose another one */
925 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
927 this->ike_sa_id
->set_responder_spi(this->ike_sa_id
, 0);
930 set_state(this, IKE_CREATED
);
932 flush_auth_cfgs(this);
934 this->keymat
->destroy(this->keymat
);
935 this->keymat
= keymat_create(this->version
,
936 this->ike_sa_id
->is_initiator(this->ike_sa_id
));
938 this->task_manager
->reset(this->task_manager
, 0, 0);
939 this->task_manager
->queue_ike(this->task_manager
);
942 METHOD(ike_sa_t
, get_keymat
, keymat_t
*,
943 private_ike_sa_t
*this)
948 METHOD(ike_sa_t
, add_virtual_ip
, void,
949 private_ike_sa_t
*this, bool local
, host_t
*ip
)
955 if (charon
->kernel
->get_interface(charon
->kernel
, this->my_host
,
958 DBG1(DBG_IKE
, "installing new virtual IP %H", ip
);
959 if (charon
->kernel
->add_ip(charon
->kernel
, ip
, -1,
962 array_insert_create(&this->my_vips
, ARRAY_TAIL
, ip
->clone(ip
));
966 DBG1(DBG_IKE
, "installing virtual IP %H failed", ip
);
972 DBG1(DBG_IKE
, "looking up interface for virtual IP %H failed", ip
);
977 array_insert_create(&this->other_vips
, ARRAY_TAIL
, ip
->clone(ip
));
982 METHOD(ike_sa_t
, clear_virtual_ips
, void,
983 private_ike_sa_t
*this, bool local
)
988 vips
= local
? this->my_vips
: this->other_vips
;
989 if (!local
&& array_count(vips
))
991 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
993 while (array_remove(vips
, ARRAY_HEAD
, &vip
))
997 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
1003 METHOD(ike_sa_t
, create_virtual_ip_enumerator
, enumerator_t
*,
1004 private_ike_sa_t
*this, bool local
)
1008 return array_create_enumerator(this->my_vips
);
1010 return array_create_enumerator(this->other_vips
);
1013 METHOD(ike_sa_t
, add_peer_address
, void,
1014 private_ike_sa_t
*this, host_t
*host
)
1016 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, host
);
1019 METHOD(ike_sa_t
, create_peer_address_enumerator
, enumerator_t
*,
1020 private_ike_sa_t
*this)
1022 if (this->peer_addresses
)
1024 return array_create_enumerator(this->peer_addresses
);
1026 /* in case we don't have MOBIKE */
1027 return enumerator_create_single(this->other_host
, NULL
);
1030 METHOD(ike_sa_t
, clear_peer_addresses
, void,
1031 private_ike_sa_t
*this)
1033 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
1034 this->peer_addresses
= NULL
;
1037 METHOD(ike_sa_t
, has_mapping_changed
, bool,
1038 private_ike_sa_t
*this, chunk_t hash
)
1040 if (this->nat_detection_dest
.ptr
== NULL
)
1042 this->nat_detection_dest
= chunk_clone(hash
);
1045 if (chunk_equals(hash
, this->nat_detection_dest
))
1049 free(this->nat_detection_dest
.ptr
);
1050 this->nat_detection_dest
= chunk_clone(hash
);
1054 METHOD(ike_sa_t
, float_ports
, void,
1055 private_ike_sa_t
*this)
1057 /* even if the remote port is not 500 (e.g. because the response was natted)
1058 * we switch the remote port if we used port 500 */
1059 if (this->other_host
->get_port(this->other_host
) == IKEV2_UDP_PORT
||
1060 this->my_host
->get_port(this->my_host
) == IKEV2_UDP_PORT
)
1062 this->other_host
->set_port(this->other_host
, IKEV2_NATT_PORT
);
1064 if (this->my_host
->get_port(this->my_host
) ==
1065 charon
->socket
->get_port(charon
->socket
, FALSE
))
1067 this->my_host
->set_port(this->my_host
,
1068 charon
->socket
->get_port(charon
->socket
, TRUE
));
1072 METHOD(ike_sa_t
, update_hosts
, void,
1073 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, bool force
)
1075 bool update
= FALSE
;
1083 other
= this->other_host
;
1086 /* apply hosts on first received message */
1087 if (this->my_host
->is_anyaddr(this->my_host
) ||
1088 this->other_host
->is_anyaddr(this->other_host
))
1090 set_my_host(this, me
->clone(me
));
1091 set_other_host(this, other
->clone(other
));
1096 /* update our address in any case */
1097 if (force
&& !me
->equals(me
, this->my_host
))
1099 charon
->bus
->ike_update(charon
->bus
, &this->public, TRUE
, me
);
1100 set_my_host(this, me
->clone(me
));
1104 if (!other
->equals(other
, this->other_host
) &&
1105 (force
|| has_condition(this, COND_NAT_THERE
)))
1107 /* only update other's address if we are behind a static NAT,
1108 * which we assume is the case if we are not initiator */
1110 (!has_condition(this, COND_NAT_HERE
) ||
1111 !has_condition(this, COND_ORIGINAL_INITIATOR
)))
1113 charon
->bus
->ike_update(charon
->bus
, &this->public, FALSE
, other
);
1114 set_other_host(this, other
->clone(other
));
1120 /* update all associated CHILD_SAs, if required */
1123 enumerator_t
*enumerator
;
1124 child_sa_t
*child_sa
;
1125 linked_list_t
*vips
;
1127 vips
= linked_list_create_from_enumerator(
1128 array_create_enumerator(this->my_vips
));
1130 enumerator
= array_create_enumerator(this->child_sas
);
1131 while (enumerator
->enumerate(enumerator
, &child_sa
))
1133 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
1134 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1135 child_sa
, &this->public);
1137 if (child_sa
->update(child_sa
, this->my_host
, this->other_host
,
1138 vips
, has_condition(this, COND_NAT_ANY
)) == NOT_SUPPORTED
)
1140 this->public.rekey_child_sa(&this->public,
1141 child_sa
->get_protocol(child_sa
),
1142 child_sa
->get_spi(child_sa
, TRUE
));
1146 enumerator
->destroy(enumerator
);
1148 vips
->destroy(vips
);
1153 * Set configured DSCP value on packet
1155 static void set_dscp(private_ike_sa_t
*this, packet_t
*packet
)
1159 /* prefer IKE config on peer_cfg, as its selection is more accurate
1160 * then the initial IKE config */
1163 ike_cfg
= this->peer_cfg
->get_ike_cfg(this->peer_cfg
);
1167 ike_cfg
= this->ike_cfg
;
1171 packet
->set_dscp(packet
, ike_cfg
->get_dscp(ike_cfg
));
1175 METHOD(ike_sa_t
, generate_message
, status_t
,
1176 private_ike_sa_t
*this, message_t
*message
, packet_t
**packet
)
1180 if (message
->is_encoded(message
))
1181 { /* already encoded in task, but set DSCP value */
1182 *packet
= message
->get_packet(message
);
1183 set_dscp(this, *packet
);
1186 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1187 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1188 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1189 status
= message
->generate(message
, this->keymat
, packet
);
1190 if (status
== SUCCESS
)
1192 set_dscp(this, *packet
);
1193 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1198 CALLBACK(filter_fragments
, bool,
1199 private_ike_sa_t
*this, enumerator_t
*orig
, va_list args
)
1201 packet_t
*fragment
, **packet
;
1203 VA_ARGS_VGET(args
, packet
);
1205 if (orig
->enumerate(orig
, &fragment
))
1207 *packet
= fragment
->clone(fragment
);
1208 set_dscp(this, *packet
);
1214 METHOD(ike_sa_t
, generate_message_fragmented
, status_t
,
1215 private_ike_sa_t
*this, message_t
*message
, enumerator_t
**packets
)
1217 enumerator_t
*fragments
;
1220 bool use_frags
= FALSE
;
1221 bool pre_generated
= FALSE
;
1225 switch (this->ike_cfg
->fragmentation(this->ike_cfg
))
1227 case FRAGMENTATION_FORCE
:
1230 case FRAGMENTATION_YES
:
1231 use_frags
= supports_extension(this, EXT_IKE_FRAGMENTATION
);
1232 if (use_frags
&& this->version
== IKEV1
&&
1233 supports_extension(this, EXT_MS_WINDOWS
))
1235 /* It seems Windows 7 and 8 peers only accept proprietary
1236 * fragmented messages if they expect certificates. */
1237 use_frags
= message
->get_payload(message
,
1238 PLV1_CERTIFICATE
) != NULL
;
1247 status
= generate_message(this, message
, &packet
);
1248 if (status
!= SUCCESS
)
1252 *packets
= enumerator_create_single(packet
, NULL
);
1256 pre_generated
= message
->is_encoded(message
);
1257 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1258 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1261 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1263 status
= message
->fragment(message
, this->keymat
, this->fragment_size
,
1265 if (status
== SUCCESS
)
1269 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1271 *packets
= enumerator_create_filter(fragments
, filter_fragments
,
1277 METHOD(ike_sa_t
, set_kmaddress
, void,
1278 private_ike_sa_t
*this, host_t
*local
, host_t
*remote
)
1280 DESTROY_IF(this->local_host
);
1281 DESTROY_IF(this->remote_host
);
1282 this->local_host
= local
->clone(local
);
1283 this->remote_host
= remote
->clone(remote
);
1287 METHOD(ike_sa_t
, act_as_mediation_server
, void,
1288 private_ike_sa_t
*this)
1290 charon
->mediation_manager
->update_sa_id(charon
->mediation_manager
,
1291 this->other_id
, this->ike_sa_id
);
1292 this->is_mediation_server
= TRUE
;
1295 METHOD(ike_sa_t
, get_server_reflexive_host
, host_t
*,
1296 private_ike_sa_t
*this)
1298 return this->server_reflexive_host
;
1301 METHOD(ike_sa_t
, set_server_reflexive_host
, void,
1302 private_ike_sa_t
*this, host_t
*host
)
1304 DESTROY_IF(this->server_reflexive_host
);
1305 this->server_reflexive_host
= host
;
1308 METHOD(ike_sa_t
, get_connect_id
, chunk_t
,
1309 private_ike_sa_t
*this)
1311 return this->connect_id
;
1314 METHOD(ike_sa_t
, respond
, status_t
,
1315 private_ike_sa_t
*this, identification_t
*peer_id
, chunk_t connect_id
)
1317 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1318 task
->respond(task
, peer_id
, connect_id
);
1319 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1320 return this->task_manager
->initiate(this->task_manager
);
1323 METHOD(ike_sa_t
, callback
, status_t
,
1324 private_ike_sa_t
*this, identification_t
*peer_id
)
1326 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1327 task
->callback(task
, peer_id
);
1328 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1329 return this->task_manager
->initiate(this->task_manager
);
1332 METHOD(ike_sa_t
, relay
, status_t
,
1333 private_ike_sa_t
*this, identification_t
*requester
, chunk_t connect_id
,
1334 chunk_t connect_key
, linked_list_t
*endpoints
, bool response
)
1336 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1337 task
->relay(task
, requester
, connect_id
, connect_key
, endpoints
, response
);
1338 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1339 return this->task_manager
->initiate(this->task_manager
);
1342 METHOD(ike_sa_t
, initiate_mediation
, status_t
,
1343 private_ike_sa_t
*this, peer_cfg_t
*mediated_cfg
)
1345 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1346 task
->connect(task
, mediated_cfg
->get_peer_id(mediated_cfg
));
1347 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1348 return this->task_manager
->initiate(this->task_manager
);
1351 METHOD(ike_sa_t
, initiate_mediated
, status_t
,
1352 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, chunk_t connect_id
)
1354 set_my_host(this, me
->clone(me
));
1355 set_other_host(this, other
->clone(other
));
1356 chunk_free(&this->connect_id
);
1357 this->connect_id
= chunk_clone(connect_id
);
1358 return this->task_manager
->initiate(this->task_manager
);
1363 * Resolve DNS host in configuration
1365 static void resolve_hosts(private_ike_sa_t
*this)
1368 int family
= AF_UNSPEC
;
1370 switch (charon
->socket
->supported_families(charon
->socket
))
1372 case SOCKET_FAMILY_IPV4
:
1375 case SOCKET_FAMILY_IPV6
:
1378 case SOCKET_FAMILY_BOTH
:
1379 case SOCKET_FAMILY_NONE
:
1383 /* if an IP address is set locally, use the same family to resolve remote */
1384 if (family
== AF_UNSPEC
&& !this->remote_host
)
1386 if (this->local_host
)
1388 family
= this->local_host
->get_family(this->local_host
);
1392 family
= ike_cfg_get_family(this->ike_cfg
, TRUE
);
1396 if (this->remote_host
)
1398 host
= this->remote_host
->clone(this->remote_host
);
1399 host
->set_port(host
, IKEV2_UDP_PORT
);
1403 host
= this->ike_cfg
->resolve_other(this->ike_cfg
, family
);
1407 if (!host
->is_anyaddr(host
) ||
1408 this->other_host
->is_anyaddr(this->other_host
))
1409 { /* don't set to %any if we currently have an address, but the
1410 * address family might have changed */
1411 set_other_host(this, host
);
1414 { /* reuse the original port as some implementations might not like
1415 * initial IKE messages on other ports */
1416 this->other_host
->set_port(this->other_host
, host
->get_port(host
));
1417 host
->destroy(host
);
1421 if (this->local_host
)
1423 host
= this->local_host
->clone(this->local_host
);
1424 host
->set_port(host
, charon
->socket
->get_port(charon
->socket
, FALSE
));
1428 /* use same address family as for other */
1429 if (!this->other_host
->is_anyaddr(this->other_host
))
1431 family
= this->other_host
->get_family(this->other_host
);
1433 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1435 if (host
&& host
->is_anyaddr(host
) &&
1436 !this->other_host
->is_anyaddr(this->other_host
))
1438 host
->destroy(host
);
1439 host
= charon
->kernel
->get_source_addr(charon
->kernel
,
1440 this->other_host
, NULL
);
1443 host
->set_port(host
, this->ike_cfg
->get_my_port(this->ike_cfg
));
1446 { /* fallback to address family specific %any(6), if configured */
1447 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1453 set_my_host(this, host
);
1457 METHOD(ike_sa_t
, initiate
, status_t
,
1458 private_ike_sa_t
*this, child_cfg_t
*child_cfg
, uint32_t reqid
,
1459 traffic_selector_t
*tsi
, traffic_selector_t
*tsr
)
1461 bool defer_initiate
= FALSE
;
1463 if (this->state
== IKE_CREATED
)
1465 if (this->my_host
->is_anyaddr(this->my_host
) ||
1466 this->other_host
->is_anyaddr(this->other_host
))
1468 resolve_hosts(this);
1471 if (this->other_host
->is_anyaddr(this->other_host
)
1473 && !this->peer_cfg
->get_mediated_by(this->peer_cfg
)
1479 addr
= this->ike_cfg
->get_other_addr(this->ike_cfg
);
1480 if (!this->retry_initiate_interval
)
1482 DBG1(DBG_IKE
, "unable to resolve %s, initiate aborted",
1484 DESTROY_IF(child_cfg
);
1485 charon
->bus
->alert(charon
->bus
, ALERT_PEER_ADDR_FAILED
);
1488 DBG1(DBG_IKE
, "unable to resolve %s, retrying in %ds",
1489 addr
, this->retry_initiate_interval
);
1490 defer_initiate
= TRUE
;
1493 set_condition(this, COND_ORIGINAL_INITIATOR
, TRUE
);
1494 this->task_manager
->queue_ike(this->task_manager
);
1498 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
1500 if (this->state
== IKE_ESTABLISHED
)
1502 /* mediation connection is already established, retrigger state
1503 * change to notify bus listeners */
1504 DBG1(DBG_IKE
, "mediation connection is already up");
1505 set_state(this, IKE_ESTABLISHED
);
1507 DESTROY_IF(child_cfg
);
1513 /* normal IKE_SA with CHILD_SA */
1514 this->task_manager
->queue_child(this->task_manager
, child_cfg
, reqid
,
1517 if (this->peer_cfg
->get_mediated_by(this->peer_cfg
))
1519 /* mediated connection, initiate mediation process */
1520 job_t
*job
= (job_t
*)initiate_mediation_job_create(this->ike_sa_id
);
1521 lib
->processor
->queue_job(lib
->processor
, job
);
1529 if (!this->retry_initiate_queued
)
1531 job_t
*job
= (job_t
*)retry_initiate_job_create(this->ike_sa_id
);
1532 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)job
,
1533 this->retry_initiate_interval
);
1534 this->retry_initiate_queued
= TRUE
;
1538 this->retry_initiate_queued
= FALSE
;
1539 return this->task_manager
->initiate(this->task_manager
);
1542 METHOD(ike_sa_t
, retry_initiate
, status_t
,
1543 private_ike_sa_t
*this)
1545 if (this->retry_initiate_queued
)
1547 this->retry_initiate_queued
= FALSE
;
1548 return initiate(this, NULL
, 0, NULL
, NULL
);
1553 METHOD(ike_sa_t
, process_message
, status_t
,
1554 private_ike_sa_t
*this, message_t
*message
)
1558 if (this->state
== IKE_PASSIVE
)
1559 { /* do not handle messages in passive state */
1562 if (message
->get_major_version(message
) != this->version
)
1564 DBG1(DBG_IKE
, "ignoring %N IKEv%u exchange on %N SA",
1565 exchange_type_names
, message
->get_exchange_type(message
),
1566 message
->get_major_version(message
),
1567 ike_version_names
, this->version
);
1568 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1569 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1572 status
= this->task_manager
->process_message(this->task_manager
, message
);
1573 if (this->flush_auth_cfg
&& this->state
== IKE_ESTABLISHED
)
1575 /* authentication completed but if the online validation is suspended we
1576 * need the auth cfgs until we did the delayed verification, we flush
1577 * them afterwards */
1578 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED
))
1580 this->flush_auth_cfg
= FALSE
;
1581 flush_auth_cfgs(this);
1587 METHOD(ike_sa_t
, get_id
, ike_sa_id_t
*,
1588 private_ike_sa_t
*this)
1590 return this->ike_sa_id
;
1593 METHOD(ike_sa_t
, get_version
, ike_version_t
,
1594 private_ike_sa_t
*this)
1596 return this->version
;
1599 METHOD(ike_sa_t
, get_my_id
, identification_t
*,
1600 private_ike_sa_t
*this)
1605 METHOD(ike_sa_t
, set_my_id
, void,
1606 private_ike_sa_t
*this, identification_t
*me
)
1608 DESTROY_IF(this->my_id
);
1612 METHOD(ike_sa_t
, get_other_id
, identification_t
*,
1613 private_ike_sa_t
*this)
1615 return this->other_id
;
1618 METHOD(ike_sa_t
, get_other_eap_id
, identification_t
*,
1619 private_ike_sa_t
*this)
1621 identification_t
*id
= NULL
, *current
;
1622 enumerator_t
*enumerator
;
1625 enumerator
= array_create_enumerator(this->other_auths
);
1626 while (enumerator
->enumerate(enumerator
, &cfg
))
1628 /* prefer EAP-Identity of last round */
1629 current
= cfg
->get(cfg
, AUTH_RULE_EAP_IDENTITY
);
1630 if (!current
|| current
->get_type(current
) == ID_ANY
)
1632 current
= cfg
->get(cfg
, AUTH_RULE_XAUTH_IDENTITY
);
1634 if (!current
|| current
->get_type(current
) == ID_ANY
)
1636 current
= cfg
->get(cfg
, AUTH_RULE_IDENTITY
);
1638 if (current
&& current
->get_type(current
) != ID_ANY
)
1644 enumerator
->destroy(enumerator
);
1649 return this->other_id
;
1652 METHOD(ike_sa_t
, set_other_id
, void,
1653 private_ike_sa_t
*this, identification_t
*other
)
1655 DESTROY_IF(this->other_id
);
1656 this->other_id
= other
;
1659 METHOD(ike_sa_t
, add_child_sa
, void,
1660 private_ike_sa_t
*this, child_sa_t
*child_sa
)
1662 array_insert_create(&this->child_sas
, ARRAY_TAIL
, child_sa
);
1663 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1664 child_sa
, &this->public);
1667 METHOD(ike_sa_t
, get_child_sa
, child_sa_t
*,
1668 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool inbound
)
1670 enumerator_t
*enumerator
;
1671 child_sa_t
*current
, *found
= NULL
;
1673 enumerator
= array_create_enumerator(this->child_sas
);
1674 while (enumerator
->enumerate(enumerator
, (void**)¤t
))
1676 if (current
->get_spi(current
, inbound
) == spi
&&
1677 current
->get_protocol(current
) == protocol
)
1682 enumerator
->destroy(enumerator
);
1686 METHOD(ike_sa_t
, get_child_count
, int,
1687 private_ike_sa_t
*this)
1689 return array_count(this->child_sas
);
1693 * Private data of a create_child_sa_enumerator()
1696 /** implements enumerator */
1697 enumerator_t
public;
1698 /** inner array enumerator */
1699 enumerator_t
*inner
;
1701 child_sa_t
*current
;
1702 } child_enumerator_t
;
1704 METHOD(enumerator_t
, child_enumerate
, bool,
1705 child_enumerator_t
*this, va_list args
)
1707 child_sa_t
**child_sa
;
1709 VA_ARGS_VGET(args
, child_sa
);
1710 if (this->inner
->enumerate(this->inner
, &this->current
))
1712 *child_sa
= this->current
;
1718 METHOD(enumerator_t
, child_enumerator_destroy
, void,
1719 child_enumerator_t
*this)
1721 this->inner
->destroy(this->inner
);
1725 METHOD(ike_sa_t
, create_child_sa_enumerator
, enumerator_t
*,
1726 private_ike_sa_t
*this)
1728 child_enumerator_t
*enumerator
;
1732 .enumerate
= enumerator_enumerate_default
,
1733 .venumerate
= _child_enumerate
,
1734 .destroy
= _child_enumerator_destroy
,
1736 .inner
= array_create_enumerator(this->child_sas
),
1738 return &enumerator
->public;
1741 METHOD(ike_sa_t
, remove_child_sa
, void,
1742 private_ike_sa_t
*this, enumerator_t
*enumerator
)
1744 child_enumerator_t
*ce
= (child_enumerator_t
*)enumerator
;
1746 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, ce
->current
);
1747 array_remove_at(this->child_sas
, ce
->inner
);
1750 METHOD(ike_sa_t
, rekey_child_sa
, status_t
,
1751 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1753 if (this->state
== IKE_PASSIVE
)
1755 return INVALID_STATE
;
1757 this->task_manager
->queue_child_rekey(this->task_manager
, protocol
, spi
);
1758 return this->task_manager
->initiate(this->task_manager
);
1761 METHOD(ike_sa_t
, delete_child_sa
, status_t
,
1762 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool expired
)
1764 if (this->state
== IKE_PASSIVE
)
1766 return INVALID_STATE
;
1768 this->task_manager
->queue_child_delete(this->task_manager
,
1769 protocol
, spi
, expired
);
1770 return this->task_manager
->initiate(this->task_manager
);
1773 METHOD(ike_sa_t
, destroy_child_sa
, status_t
,
1774 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1776 enumerator_t
*enumerator
;
1777 child_sa_t
*child_sa
;
1778 status_t status
= NOT_FOUND
;
1780 enumerator
= create_child_sa_enumerator(this);
1781 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
1783 if (child_sa
->get_protocol(child_sa
) == protocol
&&
1784 child_sa
->get_spi(child_sa
, TRUE
) == spi
)
1786 remove_child_sa(this, enumerator
);
1787 child_sa
->destroy(child_sa
);
1792 enumerator
->destroy(enumerator
);
1796 METHOD(ike_sa_t
, delete_
, status_t
,
1797 private_ike_sa_t
*this, bool force
)
1799 status_t status
= DESTROY_ME
;
1801 switch (this->state
)
1803 case IKE_ESTABLISHED
:
1805 if (time_monotonic(NULL
) >= this->stats
[STAT_DELETE
] &&
1806 !(this->version
== IKEV1
&& this->state
== IKE_REKEYING
))
1807 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1809 charon
->bus
->alert(charon
->bus
, ALERT_IKE_SA_EXPIRED
);
1811 this->task_manager
->queue_ike_delete(this->task_manager
);
1812 status
= this->task_manager
->initiate(this->task_manager
);
1815 DBG1(DBG_IKE
, "deleting unestablished IKE_SA");
1820 DBG1(DBG_IKE
, "destroying IKE_SA in state %N without notification",
1821 ike_sa_state_names
, this->state
);
1828 status
= DESTROY_ME
;
1830 if (this->version
== IKEV2
)
1831 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1832 switch (this->state
)
1834 case IKE_ESTABLISHED
:
1837 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
1846 METHOD(ike_sa_t
, rekey
, status_t
,
1847 private_ike_sa_t
*this)
1849 if (this->state
== IKE_PASSIVE
)
1851 return INVALID_STATE
;
1853 this->task_manager
->queue_ike_rekey(this->task_manager
);
1854 return this->task_manager
->initiate(this->task_manager
);
1857 METHOD(ike_sa_t
, reauth
, status_t
,
1858 private_ike_sa_t
*this)
1860 if (this->state
== IKE_PASSIVE
)
1862 return INVALID_STATE
;
1864 if (this->state
== IKE_CONNECTING
)
1866 DBG0(DBG_IKE
, "reinitiating IKE_SA %s[%d]",
1867 get_name(this), this->unique_id
);
1869 return this->task_manager
->initiate(this->task_manager
);
1871 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1872 * If the peer does not support RFC4478, there is no way to keep the
1874 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
1876 DBG1(DBG_IKE
, "initiator did not reauthenticate as requested");
1877 if (array_count(this->other_vips
) != 0 ||
1878 has_condition(this, COND_XAUTH_AUTHENTICATED
) ||
1879 has_condition(this, COND_EAP_AUTHENTICATED
)
1881 /* as mediation server we too cannot reauth the IKE_SA */
1882 || this->is_mediation_server
1888 del
= this->stats
[STAT_DELETE
];
1889 now
= time_monotonic(NULL
);
1890 DBG1(DBG_IKE
, "IKE_SA %s[%d] will timeout in %V",
1891 get_name(this), this->unique_id
, &now
, &del
);
1896 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d] actively",
1897 get_name(this), this->unique_id
);
1902 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d]",
1903 get_name(this), this->unique_id
);
1905 set_condition(this, COND_REAUTHENTICATING
, TRUE
);
1906 this->task_manager
->queue_ike_reauth(this->task_manager
);
1907 return this->task_manager
->initiate(this->task_manager
);
1911 * Check if tasks to create CHILD_SAs are queued in the given queue
1913 static bool is_child_queued(private_ike_sa_t
*this, task_queue_t queue
)
1915 enumerator_t
*enumerator
;
1919 enumerator
= this->task_manager
->create_task_enumerator(this->task_manager
,
1921 while (enumerator
->enumerate(enumerator
, &task
))
1923 if (task
->get_type(task
) == TASK_CHILD_CREATE
||
1924 task
->get_type(task
) == TASK_QUICK_MODE
)
1930 enumerator
->destroy(enumerator
);
1935 * Reestablish CHILD_SAs and migrate queued tasks.
1937 * If force is true all SAs are restarted, otherwise their close/dpd_action
1940 static status_t
reestablish_children(private_ike_sa_t
*this, ike_sa_t
*new,
1943 enumerator_t
*enumerator
;
1944 child_sa_t
*child_sa
;
1945 child_cfg_t
*child_cfg
;
1947 status_t status
= FAILED
;
1949 /* handle existing CHILD_SAs */
1950 enumerator
= create_child_sa_enumerator(this);
1951 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
1953 switch (child_sa
->get_state(child_sa
))
1957 /* ignore CHILD_SAs in these states */
1964 action
= ACTION_RESTART
;
1967 { /* only restart CHILD_SAs that are configured accordingly */
1968 if (this->state
== IKE_DELETING
)
1970 action
= child_sa
->get_close_action(child_sa
);
1974 action
= child_sa
->get_dpd_action(child_sa
);
1979 case ACTION_RESTART
:
1980 child_cfg
= child_sa
->get_config(child_sa
);
1981 DBG1(DBG_IKE
, "restarting CHILD_SA %s",
1982 child_cfg
->get_name(child_cfg
));
1983 child_cfg
->get_ref(child_cfg
);
1984 status
= new->initiate(new, child_cfg
,
1985 child_sa
->get_reqid(child_sa
), NULL
, NULL
);
1990 if (status
== DESTROY_ME
)
1995 enumerator
->destroy(enumerator
);
1996 /* adopt any active or queued CHILD-creating tasks */
1997 if (status
!= DESTROY_ME
)
1999 new->adopt_child_tasks(new, &this->public);
2000 if (new->get_state(new) == IKE_CREATED
)
2002 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2008 METHOD(ike_sa_t
, reestablish
, status_t
,
2009 private_ike_sa_t
*this)
2014 enumerator_t
*enumerator
;
2015 child_sa_t
*child_sa
;
2016 bool restart
= FALSE
;
2017 status_t status
= FAILED
;
2019 if (has_condition(this, COND_REAUTHENTICATING
))
2020 { /* only reauthenticate if we have children */
2021 if (array_count(this->child_sas
) == 0
2023 /* allow reauth of mediation connections without CHILD_SAs */
2024 && !this->peer_cfg
->is_mediation(this->peer_cfg
)
2028 DBG1(DBG_IKE
, "unable to reauthenticate IKE_SA, no CHILD_SA "
2037 { /* check if we have children to keep up at all */
2038 enumerator
= array_create_enumerator(this->child_sas
);
2039 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
2041 switch (child_sa
->get_state(child_sa
))
2045 /* ignore CHILD_SAs in these states */
2050 if (this->state
== IKE_DELETING
)
2052 action
= child_sa
->get_close_action(child_sa
);
2056 action
= child_sa
->get_dpd_action(child_sa
);
2060 case ACTION_RESTART
:
2064 charon
->traps
->install(charon
->traps
, this->peer_cfg
,
2065 child_sa
->get_config(child_sa
));
2071 enumerator
->destroy(enumerator
);
2072 /* check if we have tasks that recreate children */
2075 restart
= is_child_queued(this, TASK_QUEUE_ACTIVE
) ||
2076 is_child_queued(this, TASK_QUEUE_QUEUED
);
2079 /* mediation connections have no children, keep them up anyway */
2080 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2091 /* check if we are able to reestablish this IKE_SA */
2092 if (!has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2093 (array_count(this->other_vips
) != 0 ||
2094 has_condition(this, COND_EAP_AUTHENTICATED
)
2096 || this->is_mediation_server
2100 DBG1(DBG_IKE
, "unable to reestablish IKE_SA due to asymmetric setup");
2104 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2105 this->version
, TRUE
);
2110 new->set_peer_cfg(new, this->peer_cfg
);
2111 host
= this->other_host
;
2112 new->set_other_host(new, host
->clone(host
));
2113 host
= this->my_host
;
2114 new->set_my_host(new, host
->clone(host
));
2115 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2116 if (!has_condition(this, COND_REAUTHENTICATING
))
2117 { /* reauthenticate to the same addresses, but resolve hosts if
2118 * reestablishing (old addresses serve as fallback) */
2119 resolve_hosts((private_ike_sa_t
*)new);
2121 /* if we already have a virtual IP, we reuse it */
2122 enumerator
= array_create_enumerator(this->my_vips
);
2123 while (enumerator
->enumerate(enumerator
, &host
))
2125 new->add_virtual_ip(new, TRUE
, host
);
2127 enumerator
->destroy(enumerator
);
2130 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2132 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2137 status
= reestablish_children(this, new,
2138 has_condition(this, COND_REAUTHENTICATING
));
2141 if (status
== DESTROY_ME
)
2143 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2145 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2150 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2152 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2155 charon
->bus
->set_sa(charon
->bus
, &this->public);
2160 * Resolve the given gateway ID
2162 static host_t
*resolve_gateway_id(identification_t
*gateway
)
2167 snprintf(gw
, sizeof(gw
), "%Y", gateway
);
2168 gw
[sizeof(gw
)-1] = '\0';
2169 addr
= host_create_from_dns(gw
, AF_UNSPEC
, IKEV2_UDP_PORT
);
2172 DBG1(DBG_IKE
, "unable to resolve gateway ID '%Y', redirect failed",
2179 * Redirect the current SA to the given target host
2181 static bool redirect_established(private_ike_sa_t
*this, identification_t
*to
)
2183 private_ike_sa_t
*new_priv
;
2188 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2189 this->version
, TRUE
);
2194 new_priv
= (private_ike_sa_t
*)new;
2195 new->set_peer_cfg(new, this->peer_cfg
);
2196 new_priv
->redirected_from
= this->other_host
->clone(this->other_host
);
2197 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2198 other
= resolve_gateway_id(to
);
2201 set_my_host(new_priv
, this->my_host
->clone(this->my_host
));
2202 /* this allows us to force the remote address while we still properly
2203 * resolve the local address */
2204 new_priv
->remote_host
= other
;
2205 resolve_hosts(new_priv
);
2206 new_priv
->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2207 while (array_remove(this->redirected_at
, ARRAY_HEAD
, &redirect
))
2209 array_insert(new_priv
->redirected_at
, ARRAY_TAIL
, &redirect
);
2211 if (reestablish_children(this, new, TRUE
) != DESTROY_ME
)
2214 new->queue_task(new, (task_t
*)ike_reauth_complete_create(new,
2217 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2219 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2220 charon
->bus
->set_sa(charon
->bus
, &this->public);
2224 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2226 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2227 charon
->bus
->set_sa(charon
->bus
, &this->public);
2232 * Redirect the current connecting SA to the given target host
2234 static bool redirect_connecting(private_ike_sa_t
*this, identification_t
*to
)
2238 other
= resolve_gateway_id(to
);
2244 DESTROY_IF(this->redirected_from
);
2245 this->redirected_from
= this->other_host
->clone(this->other_host
);
2246 DESTROY_IF(this->remote_host
);
2247 /* this allows us to force the remote address while we still properly
2248 * resolve the local address */
2249 this->remote_host
= other
;
2250 resolve_hosts(this);
2255 * Check if the current redirect exceeds the limits for redirects
2257 static bool redirect_count_exceeded(private_ike_sa_t
*this)
2259 time_t now
, redirect
;
2261 now
= time_monotonic(NULL
);
2262 /* remove entries outside the defined period */
2263 while (array_get(this->redirected_at
, ARRAY_HEAD
, &redirect
) &&
2264 now
- redirect
>= REDIRECT_LOOP_DETECT_PERIOD
)
2266 array_remove(this->redirected_at
, ARRAY_HEAD
, NULL
);
2268 if (array_count(this->redirected_at
) < MAX_REDIRECTS
)
2270 if (!this->redirected_at
)
2272 this->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2274 array_insert(this->redirected_at
, ARRAY_TAIL
, &now
);
2280 METHOD(ike_sa_t
, handle_redirect
, bool,
2281 private_ike_sa_t
*this, identification_t
*gateway
)
2283 DBG1(DBG_IKE
, "redirected to %Y", gateway
);
2284 if (!this->follow_redirects
)
2286 DBG1(DBG_IKE
, "server sent REDIRECT even though we disabled it");
2289 if (redirect_count_exceeded(this))
2291 DBG1(DBG_IKE
, "only %d redirects are allowed within %d seconds",
2292 MAX_REDIRECTS
, REDIRECT_LOOP_DETECT_PERIOD
);
2296 switch (this->state
)
2298 case IKE_CONNECTING
:
2299 return redirect_connecting(this, gateway
);
2300 case IKE_ESTABLISHED
:
2301 return redirect_established(this, gateway
);
2303 DBG1(DBG_IKE
, "unable to handle redirect for IKE_SA in state %N",
2304 ike_sa_state_names
, this->state
);
2309 METHOD(ike_sa_t
, redirect
, status_t
,
2310 private_ike_sa_t
*this, identification_t
*gateway
)
2312 switch (this->state
)
2314 case IKE_CONNECTING
:
2315 case IKE_ESTABLISHED
:
2317 if (has_condition(this, COND_REDIRECTED
))
2318 { /* IKE_SA already got redirected */
2321 if (has_condition(this, COND_ORIGINAL_INITIATOR
))
2323 DBG1(DBG_IKE
, "unable to redirect IKE_SA as initiator");
2326 if (this->version
== IKEV1
)
2328 DBG1(DBG_IKE
, "unable to redirect IKEv1 SA");
2331 if (!supports_extension(this, EXT_IKE_REDIRECTION
))
2333 DBG1(DBG_IKE
, "client does not support IKE redirection");
2337 this->task_manager
->queue_task(this->task_manager
,
2338 (task_t
*)ike_redirect_create(&this->public, gateway
));
2340 return this->task_manager
->initiate(this->task_manager
);
2342 DBG1(DBG_IKE
, "unable to redirect IKE_SA in state %N",
2343 ike_sa_state_names
, this->state
);
2344 return INVALID_STATE
;
2348 METHOD(ike_sa_t
, retransmit
, status_t
,
2349 private_ike_sa_t
*this, uint32_t message_id
)
2351 if (this->state
== IKE_PASSIVE
)
2353 return INVALID_STATE
;
2355 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
2356 if (this->task_manager
->retransmit(this->task_manager
, message_id
) != SUCCESS
)
2358 /* send a proper signal to brief interested bus listeners */
2359 switch (this->state
)
2361 case IKE_CONNECTING
:
2363 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2364 uint32_t tries
= this->peer_cfg
->get_keyingtries(this->peer_cfg
);
2365 charon
->bus
->alert(charon
->bus
, ALERT_PEER_INIT_UNREACHABLE
,
2368 if (tries
== 0 || tries
> this->keyingtry
)
2370 DBG1(DBG_IKE
, "peer not responding, trying again (%d/%d)",
2371 this->keyingtry
+ 1, tries
);
2373 resolve_hosts(this);
2374 return this->task_manager
->initiate(this->task_manager
);
2376 DBG1(DBG_IKE
, "establishing IKE_SA failed, peer not responding");
2378 if (this->version
== IKEV1
&& array_count(this->child_sas
))
2380 enumerator_t
*enumerator
;
2381 child_sa_t
*child_sa
;
2383 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2384 * in this state with CHILD_SAs), try again from scratch */
2385 DBG1(DBG_IKE
, "reauthentication failed, trying to "
2386 "reestablish IKE_SA");
2388 /* trigger down events for the CHILD_SAs, as no down event
2389 * is triggered below for IKE SAs in this state */
2390 enumerator
= array_create_enumerator(this->child_sas
);
2391 while (enumerator
->enumerate(enumerator
, &child_sa
))
2393 if (child_sa
->get_state(child_sa
) != CHILD_REKEYED
&&
2394 child_sa
->get_state(child_sa
) != CHILD_DELETED
)
2396 charon
->bus
->child_updown(charon
->bus
, child_sa
,
2400 enumerator
->destroy(enumerator
);
2405 DBG1(DBG_IKE
, "proper IKE_SA delete failed, peer not responding");
2406 if (has_condition(this, COND_REAUTHENTICATING
) &&
2407 !lib
->settings
->get_bool(lib
->settings
,
2408 "%s.make_before_break", FALSE
, lib
->ns
))
2410 DBG1(DBG_IKE
, "delete during reauthentication failed, "
2411 "trying to reestablish IKE_SA anyway");
2416 DBG1(DBG_IKE
, "rekeying IKE_SA failed, peer not responding");
2422 if (this->state
!= IKE_CONNECTING
&&
2423 this->state
!= IKE_REKEYED
)
2425 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
2432 METHOD(ike_sa_t
, set_auth_lifetime
, status_t
,
2433 private_ike_sa_t
*this, uint32_t lifetime
)
2435 uint32_t diff
, hard
, soft
, now
;
2438 diff
= this->peer_cfg
->get_over_time(this->peer_cfg
);
2439 now
= time_monotonic(NULL
);
2440 hard
= now
+ lifetime
;
2443 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2444 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2445 send_update
= this->state
== IKE_ESTABLISHED
&& this->version
== IKEV2
&&
2446 !has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2447 (array_count(this->other_vips
) != 0 ||
2448 has_condition(this, COND_EAP_AUTHENTICATED
));
2450 if (lifetime
< diff
)
2452 this->stats
[STAT_REAUTH
] = now
;
2456 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2457 "starting reauthentication", lifetime
);
2458 lib
->processor
->queue_job(lib
->processor
,
2459 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
));
2462 else if (this->stats
[STAT_REAUTH
] == 0 ||
2463 this->stats
[STAT_REAUTH
] > soft
)
2465 this->stats
[STAT_REAUTH
] = soft
;
2468 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, scheduling "
2469 "reauthentication in %ds", lifetime
, lifetime
- diff
);
2470 lib
->scheduler
->schedule_job(lib
->scheduler
,
2471 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
),
2477 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2478 "reauthentication already scheduled in %ds", lifetime
,
2479 this->stats
[STAT_REAUTH
] - time_monotonic(NULL
));
2480 send_update
= FALSE
;
2482 /* give at least some seconds to reauthenticate */
2483 this->stats
[STAT_DELETE
] = max(hard
, now
+ 10);
2488 ike_auth_lifetime_t
*task
;
2490 task
= ike_auth_lifetime_create(&this->public, TRUE
);
2491 this->task_manager
->queue_task(this->task_manager
, &task
->task
);
2492 return this->task_manager
->initiate(this->task_manager
);
2499 * Check if the current combination of source and destination address is still
2502 static bool is_current_path_valid(private_ike_sa_t
*this)
2507 if (supports_extension(this, EXT_MOBIKE
) &&
2508 lib
->settings
->get_bool(lib
->settings
,
2509 "%s.prefer_best_path", FALSE
, lib
->ns
))
2511 /* check if the current path is the best path; migrate otherwise */
2512 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2516 valid
= src
->ip_equals(src
, this->my_host
);
2521 DBG1(DBG_IKE
, "old path is not preferred anymore");
2525 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2529 if (src
->ip_equals(src
, this->my_host
))
2537 DBG1(DBG_IKE
, "old path is not available anymore, try to find another");
2543 * Check if we have any path avialable for this IKE SA.
2545 static bool is_any_path_valid(private_ike_sa_t
*this)
2548 enumerator_t
*enumerator
;
2549 host_t
*src
= NULL
, *addr
;
2550 int family
= AF_UNSPEC
;
2552 switch (charon
->socket
->supported_families(charon
->socket
))
2554 case SOCKET_FAMILY_IPV4
:
2557 case SOCKET_FAMILY_IPV6
:
2560 case SOCKET_FAMILY_BOTH
:
2561 case SOCKET_FAMILY_NONE
:
2565 enumerator
= create_peer_address_enumerator(this);
2566 while (enumerator
->enumerate(enumerator
, &addr
))
2568 if (family
!= AF_UNSPEC
&& addr
->get_family(addr
) != family
)
2572 DBG1(DBG_IKE
, "looking for a route to %H ...", addr
);
2573 src
= charon
->kernel
->get_source_addr(charon
->kernel
, addr
, NULL
);
2579 enumerator
->destroy(enumerator
);
2588 METHOD(ike_sa_t
, roam
, status_t
,
2589 private_ike_sa_t
*this, bool address
)
2591 switch (this->state
)
2595 case IKE_DESTROYING
:
2604 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2605 * without config assigned */
2608 if (this->version
== IKEV1
)
2609 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2610 * have to reestablish from scratch (reauth is not enough) */
2614 /* ignore roam events if MOBIKE is not supported/enabled and the local
2615 * address is statically configured */
2616 if (!supports_extension(this, EXT_MOBIKE
) &&
2617 ike_cfg_has_address(this->ike_cfg
, this->my_host
, TRUE
))
2619 DBG2(DBG_IKE
, "keeping statically configured path %H - %H",
2620 this->my_host
, this->other_host
);
2624 /* keep existing path if possible */
2625 if (is_current_path_valid(this))
2627 DBG2(DBG_IKE
, "keeping connection path %H - %H",
2628 this->my_host
, this->other_host
);
2629 set_condition(this, COND_STALE
, FALSE
);
2631 if (supports_extension(this, EXT_MOBIKE
) && address
)
2632 { /* if any addresses changed, send an updated list */
2633 DBG1(DBG_IKE
, "sending address list update using MOBIKE");
2634 this->task_manager
->queue_mobike(this->task_manager
, FALSE
, TRUE
);
2635 return this->task_manager
->initiate(this->task_manager
);
2640 if (!is_any_path_valid(this))
2642 DBG1(DBG_IKE
, "no route found to reach %H, MOBIKE update deferred",
2644 set_condition(this, COND_STALE
, TRUE
);
2647 set_condition(this, COND_STALE
, FALSE
);
2649 /* update addresses with mobike, if supported ... */
2650 if (supports_extension(this, EXT_MOBIKE
))
2652 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2653 { /* responder updates the peer about changed address config */
2654 DBG1(DBG_IKE
, "sending address list update using MOBIKE, "
2655 "implicitly requesting an address change");
2660 DBG1(DBG_IKE
, "requesting address change using MOBIKE");
2662 this->task_manager
->queue_mobike(this->task_manager
, TRUE
, address
);
2663 return this->task_manager
->initiate(this->task_manager
);
2666 /* ... reauth if not */
2667 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2668 { /* responder does not reauthenticate */
2669 set_condition(this, COND_STALE
, TRUE
);
2672 DBG1(DBG_IKE
, "reauthenticating IKE_SA due to address change");
2673 /* since our previous path is not valid anymore, try and find a new one */
2674 resolve_hosts(this);
2675 return reauth(this);
2678 METHOD(ike_sa_t
, add_configuration_attribute
, void,
2679 private_ike_sa_t
*this, attribute_handler_t
*handler
,
2680 configuration_attribute_type_t type
, chunk_t data
)
2682 attribute_entry_t entry
= {
2685 .data
= chunk_clone(data
),
2687 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2690 CALLBACK(filter_attribute
, bool,
2691 void *null
, enumerator_t
*orig
, va_list args
)
2693 attribute_entry_t
*entry
;
2694 configuration_attribute_type_t
*type
;
2698 VA_ARGS_VGET(args
, type
, data
, handled
);
2700 if (orig
->enumerate(orig
, &entry
))
2702 *type
= entry
->type
;
2703 *data
= entry
->data
;
2704 *handled
= entry
->handler
!= NULL
;
2710 METHOD(ike_sa_t
, create_attribute_enumerator
, enumerator_t
*,
2711 private_ike_sa_t
*this)
2713 return enumerator_create_filter(array_create_enumerator(this->attributes
),
2714 filter_attribute
, NULL
, NULL
);
2717 METHOD(ike_sa_t
, create_task_enumerator
, enumerator_t
*,
2718 private_ike_sa_t
*this, task_queue_t queue
)
2720 return this->task_manager
->create_task_enumerator(this->task_manager
, queue
);
2723 METHOD(ike_sa_t
, remove_task
, void,
2724 private_ike_sa_t
*this, enumerator_t
*enumerator
)
2726 return this->task_manager
->remove_task(this->task_manager
, enumerator
);
2729 METHOD(ike_sa_t
, flush_queue
, void,
2730 private_ike_sa_t
*this, task_queue_t queue
)
2732 this->task_manager
->flush_queue(this->task_manager
, queue
);
2735 METHOD(ike_sa_t
, queue_task
, void,
2736 private_ike_sa_t
*this, task_t
*task
)
2738 this->task_manager
->queue_task(this->task_manager
, task
);
2741 METHOD(ike_sa_t
, queue_task_delayed
, void,
2742 private_ike_sa_t
*this, task_t
*task
, uint32_t delay
)
2744 this->task_manager
->queue_task_delayed(this->task_manager
, task
, delay
);
2748 * Migrate and queue child-creating tasks from another IKE_SA
2750 static void migrate_child_tasks(private_ike_sa_t
*this, ike_sa_t
*other
,
2753 enumerator_t
*enumerator
;
2756 enumerator
= other
->create_task_enumerator(other
, queue
);
2757 while (enumerator
->enumerate(enumerator
, &task
))
2759 if (task
->get_type(task
) == TASK_CHILD_CREATE
||
2760 task
->get_type(task
) == TASK_QUICK_MODE
)
2762 other
->remove_task(other
, enumerator
);
2763 task
->migrate(task
, &this->public);
2764 queue_task(this, task
);
2767 enumerator
->destroy(enumerator
);
2770 METHOD(ike_sa_t
, adopt_child_tasks
, void,
2771 private_ike_sa_t
*this, ike_sa_t
*other
)
2773 migrate_child_tasks(this, other
, TASK_QUEUE_ACTIVE
);
2774 migrate_child_tasks(this, other
, TASK_QUEUE_QUEUED
);
2777 METHOD(ike_sa_t
, inherit_pre
, void,
2778 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2780 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2782 /* apply config and hosts */
2783 set_peer_cfg(this, other
->peer_cfg
);
2784 set_my_host(this, other
->my_host
->clone(other
->my_host
));
2785 set_other_host(this, other
->other_host
->clone(other
->other_host
));
2787 /* apply extensions and conditions with a few exceptions */
2788 this->extensions
= other
->extensions
;
2789 this->conditions
= other
->conditions
;
2790 this->conditions
&= ~COND_STALE
;
2791 this->conditions
&= ~COND_REAUTHENTICATING
;
2794 METHOD(ike_sa_t
, inherit_post
, void,
2795 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2797 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2798 child_sa_t
*child_sa
;
2799 enumerator_t
*enumerator
;
2800 attribute_entry_t entry
;
2804 /* apply hosts and ids */
2805 this->my_host
->destroy(this->my_host
);
2806 this->other_host
->destroy(this->other_host
);
2807 this->my_id
->destroy(this->my_id
);
2808 this->other_id
->destroy(this->other_id
);
2809 this->my_host
= other
->my_host
->clone(other
->my_host
);
2810 this->other_host
= other
->other_host
->clone(other
->other_host
);
2811 this->my_id
= other
->my_id
->clone(other
->my_id
);
2812 this->other_id
= other
->other_id
->clone(other
->other_id
);
2814 /* apply assigned virtual IPs... */
2815 while (array_remove(other
->my_vips
, ARRAY_HEAD
, &vip
))
2817 array_insert_create(&this->my_vips
, ARRAY_TAIL
, vip
);
2819 while (array_remove(other
->other_vips
, ARRAY_HEAD
, &vip
))
2821 array_insert_create(&this->other_vips
, ARRAY_TAIL
, vip
);
2824 /* MOBIKE additional addresses */
2825 while (array_remove(other
->peer_addresses
, ARRAY_HEAD
, &vip
))
2827 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, vip
);
2830 /* authentication information */
2831 enumerator
= array_create_enumerator(other
->my_auths
);
2832 while (enumerator
->enumerate(enumerator
, &cfg
))
2834 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2836 enumerator
->destroy(enumerator
);
2837 enumerator
= array_create_enumerator(other
->other_auths
);
2838 while (enumerator
->enumerate(enumerator
, &cfg
))
2840 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2842 enumerator
->destroy(enumerator
);
2844 /* ... and configuration attributes */
2845 while (array_remove(other
->attributes
, ARRAY_HEAD
, &entry
))
2847 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2850 /* inherit all conditions */
2851 this->conditions
= other
->conditions
;
2852 if (this->conditions
& COND_NAT_HERE
)
2854 send_keepalive(this, FALSE
);
2858 if (other
->is_mediation_server
)
2860 act_as_mediation_server(this);
2862 else if (other
->server_reflexive_host
)
2864 this->server_reflexive_host
= other
->server_reflexive_host
->clone(
2865 other
->server_reflexive_host
);
2869 /* adopt all children */
2870 while (array_remove(other
->child_sas
, ARRAY_HEAD
, &child_sa
))
2872 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2873 add_child_sa(this, child_sa
);
2876 /* move pending tasks to the new IKE_SA */
2877 this->task_manager
->adopt_tasks(this->task_manager
, other
->task_manager
);
2879 /* reauthentication timeout survives a rekeying */
2880 if (other
->stats
[STAT_REAUTH
])
2882 time_t reauth
, delete, now
= time_monotonic(NULL
);
2884 this->stats
[STAT_REAUTH
] = other
->stats
[STAT_REAUTH
];
2885 reauth
= this->stats
[STAT_REAUTH
] - now
;
2886 delete = reauth
+ this->peer_cfg
->get_over_time(this->peer_cfg
);
2887 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
] + delete;
2888 DBG1(DBG_IKE
, "rescheduling reauthentication in %ds after rekeying, "
2889 "lifetime reduced to %ds", reauth
, delete);
2890 lib
->scheduler
->schedule_job(lib
->scheduler
,
2891 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
), reauth
);
2892 lib
->scheduler
->schedule_job(lib
->scheduler
,
2893 (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
), delete);
2897 METHOD(ike_sa_t
, destroy
, void,
2898 private_ike_sa_t
*this)
2900 attribute_entry_t entry
;
2901 child_sa_t
*child_sa
;
2904 charon
->bus
->set_sa(charon
->bus
, &this->public);
2906 set_state(this, IKE_DESTROYING
);
2907 if (this->task_manager
)
2909 this->task_manager
->flush(this->task_manager
);
2912 /* remove attributes first, as we pass the IKE_SA to the handler */
2913 charon
->bus
->handle_vips(charon
->bus
, &this->public, FALSE
);
2914 while (array_remove(this->attributes
, ARRAY_TAIL
, &entry
))
2918 charon
->attributes
->release(charon
->attributes
, entry
.handler
,
2919 &this->public, entry
.type
, entry
.data
);
2921 free(entry
.data
.ptr
);
2923 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2924 * routes that the CHILD_SA tries to uninstall. */
2925 while (array_remove(this->child_sas
, ARRAY_TAIL
, &child_sa
))
2927 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2928 child_sa
->destroy(child_sa
);
2930 while (array_remove(this->my_vips
, ARRAY_TAIL
, &vip
))
2932 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
2935 if (array_count(this->other_vips
))
2937 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
2939 while (array_remove(this->other_vips
, ARRAY_TAIL
, &vip
))
2943 linked_list_t
*pools
;
2945 pools
= linked_list_create_from_enumerator(
2946 this->peer_cfg
->create_pool_enumerator(this->peer_cfg
));
2947 charon
->attributes
->release_address(charon
->attributes
,
2948 pools
, vip
, &this->public);
2949 pools
->destroy(pools
);
2954 /* unset SA after here to avoid usage by the listeners */
2955 charon
->bus
->set_sa(charon
->bus
, NULL
);
2957 array_destroy(this->child_sas
);
2958 DESTROY_IF(this->task_manager
);
2959 DESTROY_IF(this->keymat
);
2960 array_destroy(this->attributes
);
2961 array_destroy(this->my_vips
);
2962 array_destroy(this->other_vips
);
2963 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
2965 if (this->is_mediation_server
)
2967 charon
->mediation_manager
->remove(charon
->mediation_manager
,
2970 DESTROY_IF(this->server_reflexive_host
);
2971 chunk_free(&this->connect_id
);
2973 free(this->nat_detection_dest
.ptr
);
2975 DESTROY_IF(this->my_host
);
2976 DESTROY_IF(this->other_host
);
2977 DESTROY_IF(this->my_id
);
2978 DESTROY_IF(this->other_id
);
2979 DESTROY_IF(this->local_host
);
2980 DESTROY_IF(this->remote_host
);
2981 DESTROY_IF(this->redirected_from
);
2982 array_destroy(this->redirected_at
);
2984 DESTROY_IF(this->ike_cfg
);
2985 DESTROY_IF(this->peer_cfg
);
2986 DESTROY_IF(this->proposal
);
2987 this->my_auth
->destroy(this->my_auth
);
2988 this->other_auth
->destroy(this->other_auth
);
2989 array_destroy_offset(this->my_auths
, offsetof(auth_cfg_t
, destroy
));
2990 array_destroy_offset(this->other_auths
, offsetof(auth_cfg_t
, destroy
));
2992 this->ike_sa_id
->destroy(this->ike_sa_id
);
2997 * Described in header.
2999 ike_sa_t
* ike_sa_create(ike_sa_id_t
*ike_sa_id
, bool initiator
,
3000 ike_version_t version
)
3002 private_ike_sa_t
*this;
3003 static refcount_t unique_id
= 0;
3005 if (version
== IKE_ANY
)
3006 { /* prefer IKEv2 if protocol not specified */
3016 .get_version
= _get_version
,
3017 .get_state
= _get_state
,
3018 .set_state
= _set_state
,
3019 .get_name
= _get_name
,
3020 .get_statistic
= _get_statistic
,
3021 .set_statistic
= _set_statistic
,
3022 .process_message
= _process_message
,
3023 .initiate
= _initiate
,
3024 .retry_initiate
= _retry_initiate
,
3025 .get_ike_cfg
= _get_ike_cfg
,
3026 .set_ike_cfg
= _set_ike_cfg
,
3027 .get_peer_cfg
= _get_peer_cfg
,
3028 .set_peer_cfg
= _set_peer_cfg
,
3029 .get_auth_cfg
= _get_auth_cfg
,
3030 .create_auth_cfg_enumerator
= _create_auth_cfg_enumerator
,
3031 .verify_peer_certificate
= _verify_peer_certificate
,
3032 .add_auth_cfg
= _add_auth_cfg
,
3033 .get_proposal
= _get_proposal
,
3034 .set_proposal
= _set_proposal
,
3036 .get_my_host
= _get_my_host
,
3037 .set_my_host
= _set_my_host
,
3038 .get_other_host
= _get_other_host
,
3039 .set_other_host
= _set_other_host
,
3040 .set_message_id
= _set_message_id
,
3041 .get_message_id
= _get_message_id
,
3042 .float_ports
= _float_ports
,
3043 .update_hosts
= _update_hosts
,
3044 .get_my_id
= _get_my_id
,
3045 .set_my_id
= _set_my_id
,
3046 .get_other_id
= _get_other_id
,
3047 .set_other_id
= _set_other_id
,
3048 .get_other_eap_id
= _get_other_eap_id
,
3049 .enable_extension
= _enable_extension
,
3050 .supports_extension
= _supports_extension
,
3051 .set_condition
= _set_condition
,
3052 .has_condition
= _has_condition
,
3053 .create_peer_address_enumerator
= _create_peer_address_enumerator
,
3054 .add_peer_address
= _add_peer_address
,
3055 .clear_peer_addresses
= _clear_peer_addresses
,
3056 .has_mapping_changed
= _has_mapping_changed
,
3057 .retransmit
= _retransmit
,
3059 .destroy
= _destroy
,
3060 .send_dpd
= _send_dpd
,
3061 .send_keepalive
= _send_keepalive
,
3062 .redirect
= _redirect
,
3063 .handle_redirect
= _handle_redirect
,
3064 .get_redirected_from
= _get_redirected_from
,
3065 .get_keymat
= _get_keymat
,
3066 .add_child_sa
= _add_child_sa
,
3067 .get_child_sa
= _get_child_sa
,
3068 .get_child_count
= _get_child_count
,
3069 .create_child_sa_enumerator
= _create_child_sa_enumerator
,
3070 .remove_child_sa
= _remove_child_sa
,
3071 .rekey_child_sa
= _rekey_child_sa
,
3072 .delete_child_sa
= _delete_child_sa
,
3073 .destroy_child_sa
= _destroy_child_sa
,
3076 .reestablish
= _reestablish
,
3077 .set_auth_lifetime
= _set_auth_lifetime
,
3079 .inherit_pre
= _inherit_pre
,
3080 .inherit_post
= _inherit_post
,
3081 .generate_message
= _generate_message
,
3082 .generate_message_fragmented
= _generate_message_fragmented
,
3084 .get_unique_id
= _get_unique_id
,
3085 .add_virtual_ip
= _add_virtual_ip
,
3086 .clear_virtual_ips
= _clear_virtual_ips
,
3087 .create_virtual_ip_enumerator
= _create_virtual_ip_enumerator
,
3088 .add_configuration_attribute
= _add_configuration_attribute
,
3089 .create_attribute_enumerator
= _create_attribute_enumerator
,
3090 .set_kmaddress
= _set_kmaddress
,
3091 .create_task_enumerator
= _create_task_enumerator
,
3092 .remove_task
= _remove_task
,
3093 .flush_queue
= _flush_queue
,
3094 .queue_task
= _queue_task
,
3095 .queue_task_delayed
= _queue_task_delayed
,
3096 .adopt_child_tasks
= _adopt_child_tasks
,
3098 .act_as_mediation_server
= _act_as_mediation_server
,
3099 .get_server_reflexive_host
= _get_server_reflexive_host
,
3100 .set_server_reflexive_host
= _set_server_reflexive_host
,
3101 .get_connect_id
= _get_connect_id
,
3102 .initiate_mediation
= _initiate_mediation
,
3103 .initiate_mediated
= _initiate_mediated
,
3105 .callback
= _callback
,
3106 .respond
= _respond
,
3109 .ike_sa_id
= ike_sa_id
->clone(ike_sa_id
),
3111 .my_host
= host_create_any(AF_INET
),
3112 .other_host
= host_create_any(AF_INET
),
3113 .my_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3114 .other_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3115 .keymat
= keymat_create(version
, initiator
),
3116 .state
= IKE_CREATED
,
3117 .stats
[STAT_INBOUND
] = time_monotonic(NULL
),
3118 .stats
[STAT_OUTBOUND
] = time_monotonic(NULL
),
3119 .my_auth
= auth_cfg_create(),
3120 .other_auth
= auth_cfg_create(),
3121 .my_auths
= array_create(0, 0),
3122 .other_auths
= array_create(0, 0),
3123 .attributes
= array_create(sizeof(attribute_entry_t
), 0),
3124 .unique_id
= ref_get(&unique_id
),
3125 .keepalive_interval
= lib
->settings
->get_time(lib
->settings
,
3126 "%s.keep_alive", KEEPALIVE_INTERVAL
, lib
->ns
),
3127 .retry_initiate_interval
= lib
->settings
->get_time(lib
->settings
,
3128 "%s.retry_initiate_interval", 0, lib
->ns
),
3129 .flush_auth_cfg
= lib
->settings
->get_bool(lib
->settings
,
3130 "%s.flush_auth_cfg", FALSE
, lib
->ns
),
3131 .fragment_size
= lib
->settings
->get_int(lib
->settings
,
3132 "%s.fragment_size", 1280, lib
->ns
),
3133 .follow_redirects
= lib
->settings
->get_bool(lib
->settings
,
3134 "%s.follow_redirects", TRUE
, lib
->ns
),
3137 if (version
== IKEV2
)
3138 { /* always supported with IKEv2 */
3139 enable_extension(this, EXT_DPD
);
3142 this->task_manager
= task_manager_create(&this->public);
3143 this->my_host
->set_port(this->my_host
,
3144 charon
->socket
->get_port(charon
->socket
, FALSE
));
3146 if (!this->task_manager
|| !this->keymat
)
3148 DBG1(DBG_IKE
, "IKE version %d not supported", this->version
);
3152 return &this->public;