]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ike_sa.c
projects / thirdparty / strongswan.git / blob
? search:


3d576a0e89a67b6e76e636ed744e88bdbec3a551
[thirdparty/strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2018 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
62
63 #ifdef ME
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
66 #endif
67
68 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
69 "CREATED",
70 "CONNECTING",
71 "ESTABLISHED",
72 "PASSIVE",
73 "REKEYING",
74 "REKEYED",
75 "DELETING",
76 "DESTROYING",
77 );
78
79 typedef struct private_ike_sa_t private_ike_sa_t;
80 typedef struct attribute_entry_t attribute_entry_t;
81
82 /**
83 * Private data of an ike_sa_t object.
84 */
85 struct private_ike_sa_t {
86
87 /**
88 * Public members
89 */
90 ike_sa_t public;
91
92 /**
93 * Identifier for the current IKE_SA.
94 */
95 ike_sa_id_t *ike_sa_id;
96
97 /**
98 * IKE version of this SA.
99 */
100 ike_version_t version;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 uint32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * currently used authentication ruleset, local
124 */
125 auth_cfg_t *my_auth;
126
127 /**
128 * currently used authentication constraints, remote
129 */
130 auth_cfg_t *other_auth;
131
132 /**
133 * Array of completed local authentication rounds (as auth_cfg_t)
134 */
135 array_t *my_auths;
136
137 /**
138 * Array of completed remote authentication rounds (as auth_cfg_t)
139 */
140 array_t *other_auths;
141
142 /**
143 * Selected IKE proposal
144 */
145 proposal_t *proposal;
146
147 /**
148 * Juggles tasks to process messages
149 */
150 task_manager_t *task_manager;
151
152 /**
153 * Address of local host
154 */
155 host_t *my_host;
156
157 /**
158 * Address of remote host
159 */
160 host_t *other_host;
161
162 #ifdef ME
163 /**
164 * Are we mediation server
165 */
166 bool is_mediation_server;
167
168 /**
169 * Server reflexive host
170 */
171 host_t *server_reflexive_host;
172
173 /**
174 * Connect ID
175 */
176 chunk_t connect_id;
177 #endif /* ME */
178
179 /**
180 * Identification used for us
181 */
182 identification_t *my_id;
183
184 /**
185 * Identification used for other
186 */
187 identification_t *other_id;
188
189 /**
190 * set of extensions the peer supports
191 */
192 ike_extension_t extensions;
193
194 /**
195 * set of condition flags currently enabled for this IKE_SA
196 */
197 ike_condition_t conditions;
198
199 /**
200 * Array containing the child sa's of the current IKE_SA.
201 */
202 array_t *child_sas;
203
204 /**
205 * keymat of this IKE_SA
206 */
207 keymat_t *keymat;
208
209 /**
210 * Virtual IPs on local host
211 */
212 array_t *my_vips;
213
214 /**
215 * Virtual IPs on remote host
216 */
217 array_t *other_vips;
218
219 /**
220 * List of configuration attributes (attribute_entry_t)
221 */
222 array_t *attributes;
223
224 /**
225 * list of peer's addresses, additional ones transmitted via MOBIKE
226 */
227 array_t *peer_addresses;
228
229 /**
230 * previously value of received DESTINATION_IP hash
231 */
232 chunk_t nat_detection_dest;
233
234 /**
235 * NAT keep alive interval
236 */
237 uint32_t keepalive_interval;
238
239 /**
240 * The schedueld keep alive job, if any
241 */
242 send_keepalive_job_t *keepalive_job;
243
244 /**
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
247 */
248 uint32_t retry_initiate_interval;
249
250 /**
251 * TRUE if a retry_initiate_job has been queued
252 */
253 bool retry_initiate_queued;
254
255 /**
256 * Timestamps for this IKE_SA
257 */
258 uint32_t stats[STAT_MAX];
259
260 /**
261 * how many times we have retried so far (keyingtries)
262 */
263 uint32_t keyingtry;
264
265 /**
266 * local host address to be used for IKE, set via MIGRATE kernel message
267 */
268 host_t *local_host;
269
270 /**
271 * remote host address to be used for IKE, set via MIGRATE kernel message
272 */
273 host_t *remote_host;
274
275 /**
276 * Flush auth configs once established?
277 */
278 bool flush_auth_cfg;
279
280 /**
281 * Maximum length of a single fragment, 0 for address-specific defaults
282 */
283 size_t fragment_size;
284
285 /**
286 * Whether to follow IKEv2 redirects
287 */
288 bool follow_redirects;
289
290 /**
291 * Original gateway address from which we got redirected
292 */
293 host_t *redirected_from;
294
295 /**
296 * Timestamps of redirect attempts to handle loops
297 */
298 array_t *redirected_at;
299 };
300
301 /**
302 * Entry to maintain install configuration attributes during IKE_SA lifetime
303 */
304 struct attribute_entry_t {
305 /** handler used to install this attribute */
306 attribute_handler_t *handler;
307 /** attribute type */
308 configuration_attribute_type_t type;
309 /** attribute data */
310 chunk_t data;
311 };
312
313 /**
314 * get the time of the latest traffic processed by the kernel
315 */
316 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
317 {
318 enumerator_t *enumerator;
319 child_sa_t *child_sa;
320 time_t use_time, current;
321
322 if (inbound)
323 {
324 use_time = this->stats[STAT_INBOUND];
325 }
326 else
327 {
328 use_time = this->stats[STAT_OUTBOUND];
329 }
330
331 enumerator = array_create_enumerator(this->child_sas);
332 while (enumerator->enumerate(enumerator, &child_sa))
333 {
334 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
335 use_time = max(use_time, current);
336 }
337 enumerator->destroy(enumerator);
338
339 return use_time;
340 }
341
342 METHOD(ike_sa_t, get_unique_id, uint32_t,
343 private_ike_sa_t *this)
344 {
345 return this->unique_id;
346 }
347
348 METHOD(ike_sa_t, get_name, char*,
349 private_ike_sa_t *this)
350 {
351 if (this->peer_cfg)
352 {
353 return this->peer_cfg->get_name(this->peer_cfg);
354 }
355 return "(unnamed)";
356 }
357
358 METHOD(ike_sa_t, get_statistic, uint32_t,
359 private_ike_sa_t *this, statistic_t kind)
360 {
361 if (kind < STAT_MAX)
362 {
363 return this->stats[kind];
364 }
365 return 0;
366 }
367
368 METHOD(ike_sa_t, set_statistic, void,
369 private_ike_sa_t *this, statistic_t kind, uint32_t value)
370 {
371 if (kind < STAT_MAX)
372 {
373 this->stats[kind] = value;
374 }
375 }
376
377 METHOD(ike_sa_t, get_my_host, host_t*,
378 private_ike_sa_t *this)
379 {
380 return this->my_host;
381 }
382
383 METHOD(ike_sa_t, set_my_host, void,
384 private_ike_sa_t *this, host_t *me)
385 {
386 DESTROY_IF(this->my_host);
387 this->my_host = me;
388 }
389
390 METHOD(ike_sa_t, get_other_host, host_t*,
391 private_ike_sa_t *this)
392 {
393 return this->other_host;
394 }
395
396 METHOD(ike_sa_t, set_other_host, void,
397 private_ike_sa_t *this, host_t *other)
398 {
399 DESTROY_IF(this->other_host);
400 this->other_host = other;
401 }
402
403 METHOD(ike_sa_t, get_redirected_from, host_t*,
404 private_ike_sa_t *this)
405 {
406 return this->redirected_from;
407 }
408
409 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
410 private_ike_sa_t *this)
411 {
412 return this->peer_cfg;
413 }
414
415 METHOD(ike_sa_t, set_peer_cfg, void,
416 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
417 {
418 peer_cfg->get_ref(peer_cfg);
419 DESTROY_IF(this->peer_cfg);
420 this->peer_cfg = peer_cfg;
421
422 if (this->ike_cfg == NULL)
423 {
424 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
425 this->ike_cfg->get_ref(this->ike_cfg);
426 }
427 }
428
429 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
430 private_ike_sa_t *this, bool local)
431 {
432 if (local)
433 {
434 return this->my_auth;
435 }
436 return this->other_auth;
437 }
438
439 METHOD(ike_sa_t, add_auth_cfg, void,
440 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
441 {
442 if (local)
443 {
444 array_insert(this->my_auths, ARRAY_TAIL, cfg);
445 }
446 else
447 {
448 array_insert(this->other_auths, ARRAY_TAIL, cfg);
449 }
450 }
451
452 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
453 private_ike_sa_t *this, bool local)
454 {
455 if (local)
456 {
457 return array_create_enumerator(this->my_auths);
458 }
459 return array_create_enumerator(this->other_auths);
460 }
461
462 /**
463 * Flush the stored authentication round information
464 */
465 static void flush_auth_cfgs(private_ike_sa_t *this)
466 {
467 auth_cfg_t *cfg;
468
469 this->my_auth->purge(this->my_auth, FALSE);
470 this->other_auth->purge(this->other_auth, FALSE);
471
472 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
473 {
474 cfg->destroy(cfg);
475 }
476 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
477 {
478 cfg->destroy(cfg);
479 }
480 }
481
482 METHOD(ike_sa_t, verify_peer_certificate, bool,
483 private_ike_sa_t *this)
484 {
485 enumerator_t *e1, *e2, *certs;
486 auth_cfg_t *cfg, *cfg_done;
487 certificate_t *peer, *cert;
488 public_key_t *key;
489 auth_cfg_t *auth;
490 auth_cfg_wrapper_t *wrapper;
491 time_t not_before, not_after;
492 bool valid = TRUE, found;
493
494 if (this->state != IKE_ESTABLISHED)
495 {
496 DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
497 ike_sa_state_names, this->state);
498 return FALSE;
499 }
500
501 if (!this->flush_auth_cfg &&
502 lib->settings->get_bool(lib->settings,
503 "%s.flush_auth_cfg", FALSE, lib->ns))
504 { /* we can do this check only once if auth configs are flushed */
505 DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
506 "information has been flushed");
507 return FALSE;
508 }
509 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
510 FALSE);
511
512 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
513 e2 = array_create_enumerator(this->other_auths);
514 while (e1->enumerate(e1, &cfg))
515 {
516 if (!e2->enumerate(e2, &cfg_done))
517 { /* this should not happen as the authentication should never have
518 * succeeded */
519 valid = FALSE;
520 break;
521 }
522 if ((uintptr_t)cfg_done->get(cfg_done,
523 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
524 {
525 continue;
526 }
527 peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
528 if (!peer)
529 {
530 DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
531 "verification");
532 continue;
533 }
534 if (!peer->get_validity(peer, NULL, &not_before, &not_after))
535 {
536 DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
537 &not_before, FALSE, &not_after, FALSE);
538 valid = FALSE;
539 break;
540 }
541 key = peer->get_public_key(peer);
542 if (!key)
543 {
544 DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
545 "verification");
546 continue;
547 }
548 DBG1(DBG_IKE, "verifying peer certificate");
549 /* serve received certificates */
550 wrapper = auth_cfg_wrapper_create(cfg_done);
551 lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
552 certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
553 key->get_type(key), peer->get_subject(peer), TRUE);
554 key->destroy(key);
555
556 found = FALSE;
557 while (certs->enumerate(certs, &cert, &auth))
558 {
559 if (peer->equals(peer, cert))
560 {
561 cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
562 FALSE);
563 cfg_done->merge(cfg_done, auth, FALSE);
564 valid = cfg_done->complies(cfg_done, cfg, TRUE);
565 found = TRUE;
566 break;
567 }
568 }
569 certs->destroy(certs);
570 lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
571 wrapper->destroy(wrapper);
572 if (!found || !valid)
573 {
574 valid = FALSE;
575 break;
576 }
577 }
578 e1->destroy(e1);
579 e2->destroy(e2);
580
581 if (this->flush_auth_cfg)
582 {
583 this->flush_auth_cfg = FALSE;
584 flush_auth_cfgs(this);
585 }
586 return valid;
587 }
588
589 METHOD(ike_sa_t, get_proposal, proposal_t*,
590 private_ike_sa_t *this)
591 {
592 return this->proposal;
593 }
594
595 METHOD(ike_sa_t, set_proposal, void,
596 private_ike_sa_t *this, proposal_t *proposal)
597 {
598 DESTROY_IF(this->proposal);
599 this->proposal = proposal->clone(proposal);
600 }
601
602 METHOD(ike_sa_t, set_message_id, void,
603 private_ike_sa_t *this, bool initiate, uint32_t mid)
604 {
605 if (initiate)
606 {
607 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
608 }
609 else
610 {
611 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
612 }
613 }
614
615 METHOD(ike_sa_t, get_message_id, uint32_t,
616 private_ike_sa_t *this, bool initiate)
617 {
618 return this->task_manager->get_mid(this->task_manager, initiate);
619 }
620
621 METHOD(ike_sa_t, send_keepalive, void,
622 private_ike_sa_t *this, bool scheduled)
623 {
624 time_t last_out, now, diff;
625
626 if (scheduled)
627 {
628 this->keepalive_job = NULL;
629 }
630 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
631 { /* keepalives disabled either by configuration or for passive IKE_SAs */
632 return;
633 }
634 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
635 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
636 return;
637 }
638
639 last_out = get_use_time(this, FALSE);
640 now = time_monotonic(NULL);
641
642 diff = now - last_out;
643
644 if (diff >= this->keepalive_interval)
645 {
646 packet_t *packet;
647 chunk_t data;
648
649 packet = packet_create();
650 packet->set_source(packet, this->my_host->clone(this->my_host));
651 packet->set_destination(packet, this->other_host->clone(this->other_host));
652 data.ptr = malloc(1);
653 data.ptr[0] = 0xFF;
654 data.len = 1;
655 packet->set_data(packet, data);
656 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
657 charon->sender->send_no_marker(charon->sender, packet);
658 diff = 0;
659 }
660 if (!this->keepalive_job)
661 {
662 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
663 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
664 this->keepalive_interval - diff);
665 }
666 }
667
668 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
669 private_ike_sa_t *this)
670 {
671 return this->ike_cfg;
672 }
673
674 METHOD(ike_sa_t, set_ike_cfg, void,
675 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
676 {
677 DESTROY_IF(this->ike_cfg);
678 ike_cfg->get_ref(ike_cfg);
679 this->ike_cfg = ike_cfg;
680 }
681
682 METHOD(ike_sa_t, enable_extension, void,
683 private_ike_sa_t *this, ike_extension_t extension)
684 {
685 this->extensions |= extension;
686 }
687
688 METHOD(ike_sa_t, supports_extension, bool,
689 private_ike_sa_t *this, ike_extension_t extension)
690 {
691 return (this->extensions & extension) != FALSE;
692 }
693
694 METHOD(ike_sa_t, has_condition, bool,
695 private_ike_sa_t *this, ike_condition_t condition)
696 {
697 return (this->conditions & condition) != FALSE;
698 }
699
700 METHOD(ike_sa_t, set_condition, void,
701 private_ike_sa_t *this, ike_condition_t condition, bool enable)
702 {
703 if (has_condition(this, condition) != enable)
704 {
705 if (enable)
706 {
707 this->conditions |= condition;
708 switch (condition)
709 {
710 case COND_NAT_HERE:
711 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
712 this->conditions |= COND_NAT_ANY;
713 send_keepalive(this, FALSE);
714 break;
715 case COND_NAT_THERE:
716 DBG1(DBG_IKE, "remote host is behind NAT");
717 this->conditions |= COND_NAT_ANY;
718 break;
719 case COND_NAT_FAKE:
720 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
721 this->conditions |= COND_NAT_ANY;
722 break;
723 default:
724 break;
725 }
726 }
727 else
728 {
729 this->conditions &= ~condition;
730 switch (condition)
731 {
732 case COND_NAT_HERE:
733 case COND_NAT_THERE:
734 DBG1(DBG_IKE, "%s host is not behind NAT anymore",
735 condition == COND_NAT_HERE ? "local" : "remote");
736 /* fall-through */
737 case COND_NAT_FAKE:
738 set_condition(this, COND_NAT_ANY,
739 has_condition(this, COND_NAT_HERE) ||
740 has_condition(this, COND_NAT_THERE) ||
741 has_condition(this, COND_NAT_FAKE));
742 break;
743 case COND_STALE:
744 send_keepalive(this, FALSE);
745 break;
746 default:
747 break;
748 }
749 }
750 }
751 }
752
753 METHOD(ike_sa_t, send_dpd, status_t,
754 private_ike_sa_t *this)
755 {
756 job_t *job;
757 time_t diff, delay;
758 bool task_queued = FALSE;
759
760 if (this->state == IKE_PASSIVE)
761 {
762 return INVALID_STATE;
763 }
764 if (this->version == IKEV1 && this->state == IKE_REKEYING)
765 { /* don't send DPDs for rekeyed IKEv1 SAs */
766 return SUCCESS;
767 }
768 delay = this->peer_cfg->get_dpd(this->peer_cfg);
769 if (this->task_manager->busy(this->task_manager))
770 {
771 /* an exchange is in the air, no need to start a DPD check */
772 diff = 0;
773 }
774 else
775 {
776 /* check if there was any inbound traffic */
777 time_t last_in, now;
778 last_in = get_use_time(this, TRUE);
779 now = time_monotonic(NULL);
780 diff = now - last_in;
781 if (!delay || diff >= delay)
782 {
783 /* too long ago, initiate dead peer detection */
784 DBG1(DBG_IKE, "sending DPD request");
785 this->task_manager->queue_dpd(this->task_manager);
786 task_queued = TRUE;
787 diff = 0;
788 }
789 }
790 /* recheck in "interval" seconds */
791 if (delay)
792 {
793 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
794 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
795 }
796 if (task_queued)
797 {
798 return this->task_manager->initiate(this->task_manager);
799 }
800 return SUCCESS;
801 }
802
803 METHOD(ike_sa_t, get_state, ike_sa_state_t,
804 private_ike_sa_t *this)
805 {
806 return this->state;
807 }
808
809 METHOD(ike_sa_t, set_state, void,
810 private_ike_sa_t *this, ike_sa_state_t state)
811 {
812 bool trigger_dpd = FALSE, keepalives = FALSE;
813
814 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
815 get_name(this), this->unique_id,
816 ike_sa_state_names, this->state,
817 ike_sa_state_names, state);
818
819 switch (state)
820 {
821 case IKE_ESTABLISHED:
822 {
823 if (this->state == IKE_CONNECTING ||
824 this->state == IKE_PASSIVE)
825 {
826 job_t *job;
827 uint32_t t;
828
829 /* calculate rekey, reauth and lifetime */
830 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
831
832 /* schedule rekeying if we have a time which is smaller than
833 * an already scheduled rekeying */
834 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
835 if (t && (this->stats[STAT_REKEY] == 0 ||
836 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
837 {
838 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
839 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
840 lib->scheduler->schedule_job(lib->scheduler, job, t);
841 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
842 }
843 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
844 if (t && (this->stats[STAT_REAUTH] == 0 ||
845 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
846 {
847 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
848 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
849 lib->scheduler->schedule_job(lib->scheduler, job, t);
850 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
851 }
852 t = this->peer_cfg->get_over_time(this->peer_cfg);
853 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
854 {
855 if (this->stats[STAT_REAUTH] == 0)
856 {
857 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
858 }
859 else if (this->stats[STAT_REKEY] == 0)
860 {
861 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
862 }
863 else
864 {
865 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
866 this->stats[STAT_REAUTH]);
867 }
868 this->stats[STAT_DELETE] += t;
869 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
870 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
871 lib->scheduler->schedule_job(lib->scheduler, job, t);
872 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
873 }
874 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
875 if (trigger_dpd)
876 {
877 /* Some peers delay the DELETE after rekeying an IKE_SA.
878 * If this delay is longer than our DPD delay, we would
879 * send a DPD request here. The IKE_SA is not ready to do
880 * so yet, so prevent that. */
881 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
882 }
883 if (this->state == IKE_PASSIVE)
884 {
885 keepalives = TRUE;
886 }
887 DESTROY_IF(this->redirected_from);
888 this->redirected_from = NULL;
889 }
890 break;
891 }
892 default:
893 break;
894 }
895 charon->bus->ike_state_change(charon->bus, &this->public, state);
896 this->state = state;
897
898 if (trigger_dpd)
899 {
900 if (supports_extension(this, EXT_DPD))
901 {
902 send_dpd(this);
903 }
904 else
905 {
906 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
907 }
908 }
909 if (keepalives)
910 {
911 send_keepalive(this, FALSE);
912 }
913 }
914
915 METHOD(ike_sa_t, reset, void,
916 private_ike_sa_t *this, bool new_spi)
917 {
918 /* reset the initiator SPI if requested */
919 if (new_spi)
920 {
921 charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
922 &this->public);
923 }
924 /* the responder ID is reset, as peer may choose another one */
925 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
926 {
927 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
928 }
929
930 set_state(this, IKE_CREATED);
931
932 flush_auth_cfgs(this);
933
934 this->keymat->destroy(this->keymat);
935 this->keymat = keymat_create(this->version,
936 this->ike_sa_id->is_initiator(this->ike_sa_id));
937
938 this->task_manager->reset(this->task_manager, 0, 0);
939 this->task_manager->queue_ike(this->task_manager);
940 }
941
942 METHOD(ike_sa_t, get_keymat, keymat_t*,
943 private_ike_sa_t *this)
944 {
945 return this->keymat;
946 }
947
948 METHOD(ike_sa_t, add_virtual_ip, void,
949 private_ike_sa_t *this, bool local, host_t *ip)
950 {
951 if (local)
952 {
953 char *iface;
954
955 if (charon->kernel->get_interface(charon->kernel, this->my_host,
956 &iface))
957 {
958 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
959 if (charon->kernel->add_ip(charon->kernel, ip, -1,
960 iface) == SUCCESS)
961 {
962 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
963 }
964 else
965 {
966 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
967 }
968 free(iface);
969 }
970 else
971 {
972 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
973 }
974 }
975 else
976 {
977 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
978 }
979 }
980
981
982 METHOD(ike_sa_t, clear_virtual_ips, void,
983 private_ike_sa_t *this, bool local)
984 {
985 array_t *vips;
986 host_t *vip;
987
988 vips = local ? this->my_vips : this->other_vips;
989 if (!local && array_count(vips))
990 {
991 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
992 }
993 while (array_remove(vips, ARRAY_HEAD, &vip))
994 {
995 if (local)
996 {
997 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
998 }
999 vip->destroy(vip);
1000 }
1001 }
1002
1003 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
1004 private_ike_sa_t *this, bool local)
1005 {
1006 if (local)
1007 {
1008 return array_create_enumerator(this->my_vips);
1009 }
1010 return array_create_enumerator(this->other_vips);
1011 }
1012
1013 METHOD(ike_sa_t, add_peer_address, void,
1014 private_ike_sa_t *this, host_t *host)
1015 {
1016 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
1017 }
1018
1019 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
1020 private_ike_sa_t *this)
1021 {
1022 if (this->peer_addresses)
1023 {
1024 return array_create_enumerator(this->peer_addresses);
1025 }
1026 /* in case we don't have MOBIKE */
1027 return enumerator_create_single(this->other_host, NULL);
1028 }
1029
1030 METHOD(ike_sa_t, clear_peer_addresses, void,
1031 private_ike_sa_t *this)
1032 {
1033 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
1034 this->peer_addresses = NULL;
1035 }
1036
1037 METHOD(ike_sa_t, has_mapping_changed, bool,
1038 private_ike_sa_t *this, chunk_t hash)
1039 {
1040 if (this->nat_detection_dest.ptr == NULL)
1041 {
1042 this->nat_detection_dest = chunk_clone(hash);
1043 return FALSE;
1044 }
1045 if (chunk_equals(hash, this->nat_detection_dest))
1046 {
1047 return FALSE;
1048 }
1049 free(this->nat_detection_dest.ptr);
1050 this->nat_detection_dest = chunk_clone(hash);
1051 return TRUE;
1052 }
1053
1054 METHOD(ike_sa_t, float_ports, void,
1055 private_ike_sa_t *this)
1056 {
1057 /* even if the remote port is not 500 (e.g. because the response was natted)
1058 * we switch the remote port if we used port 500 */
1059 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
1060 this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
1061 {
1062 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
1063 }
1064 if (this->my_host->get_port(this->my_host) ==
1065 charon->socket->get_port(charon->socket, FALSE))
1066 {
1067 this->my_host->set_port(this->my_host,
1068 charon->socket->get_port(charon->socket, TRUE));
1069 }
1070 }
1071
1072 METHOD(ike_sa_t, update_hosts, void,
1073 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
1074 {
1075 bool update = FALSE;
1076
1077 if (me == NULL)
1078 {
1079 me = this->my_host;
1080 }
1081 if (other == NULL)
1082 {
1083 other = this->other_host;
1084 }
1085
1086 /* apply hosts on first received message */
1087 if (this->my_host->is_anyaddr(this->my_host) ||
1088 this->other_host->is_anyaddr(this->other_host))
1089 {
1090 set_my_host(this, me->clone(me));
1091 set_other_host(this, other->clone(other));
1092 update = TRUE;
1093 }
1094 else
1095 {
1096 /* update our address in any case */
1097 if (force && !me->equals(me, this->my_host))
1098 {
1099 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
1100 set_my_host(this, me->clone(me));
1101 update = TRUE;
1102 }
1103
1104 if (!other->equals(other, this->other_host) &&
1105 (force || has_condition(this, COND_NAT_THERE)))
1106 {
1107 /* only update other's address if we are behind a static NAT,
1108 * which we assume is the case if we are not initiator */
1109 if (force ||
1110 (!has_condition(this, COND_NAT_HERE) ||
1111 !has_condition(this, COND_ORIGINAL_INITIATOR)))
1112 {
1113 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
1114 set_other_host(this, other->clone(other));
1115 update = TRUE;
1116 }
1117 }
1118 }
1119
1120 /* update all associated CHILD_SAs, if required */
1121 if (update)
1122 {
1123 enumerator_t *enumerator;
1124 child_sa_t *child_sa;
1125 linked_list_t *vips;
1126
1127 vips = linked_list_create_from_enumerator(
1128 array_create_enumerator(this->my_vips));
1129
1130 enumerator = array_create_enumerator(this->child_sas);
1131 while (enumerator->enumerate(enumerator, &child_sa))
1132 {
1133 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1134 charon->child_sa_manager->add(charon->child_sa_manager,
1135 child_sa, &this->public);
1136
1137 if (child_sa->update(child_sa, this->my_host, this->other_host,
1138 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1139 {
1140 this->public.rekey_child_sa(&this->public,
1141 child_sa->get_protocol(child_sa),
1142 child_sa->get_spi(child_sa, TRUE));
1143 }
1144
1145 }
1146 enumerator->destroy(enumerator);
1147
1148 vips->destroy(vips);
1149 }
1150 }
1151
1152 /**
1153 * Set configured DSCP value on packet
1154 */
1155 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1156 {
1157 ike_cfg_t *ike_cfg;
1158
1159 /* prefer IKE config on peer_cfg, as its selection is more accurate
1160 * then the initial IKE config */
1161 if (this->peer_cfg)
1162 {
1163 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1164 }
1165 else
1166 {
1167 ike_cfg = this->ike_cfg;
1168 }
1169 if (ike_cfg)
1170 {
1171 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1172 }
1173 }
1174
1175 METHOD(ike_sa_t, generate_message, status_t,
1176 private_ike_sa_t *this, message_t *message, packet_t **packet)
1177 {
1178 status_t status;
1179
1180 if (message->is_encoded(message))
1181 { /* already encoded in task, but set DSCP value */
1182 *packet = message->get_packet(message);
1183 set_dscp(this, *packet);
1184 return SUCCESS;
1185 }
1186 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1187 message->set_ike_sa_id(message, this->ike_sa_id);
1188 charon->bus->message(charon->bus, message, FALSE, TRUE);
1189 status = message->generate(message, this->keymat, packet);
1190 if (status == SUCCESS)
1191 {
1192 set_dscp(this, *packet);
1193 charon->bus->message(charon->bus, message, FALSE, FALSE);
1194 }
1195 return status;
1196 }
1197
1198 CALLBACK(filter_fragments, bool,
1199 private_ike_sa_t *this, enumerator_t *orig, va_list args)
1200 {
1201 packet_t *fragment, **packet;
1202
1203 VA_ARGS_VGET(args, packet);
1204
1205 if (orig->enumerate(orig, &fragment))
1206 {
1207 *packet = fragment->clone(fragment);
1208 set_dscp(this, *packet);
1209 return TRUE;
1210 }
1211 return FALSE;
1212 }
1213
1214 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1215 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1216 {
1217 enumerator_t *fragments;
1218 packet_t *packet;
1219 status_t status;
1220 bool use_frags = FALSE;
1221 bool pre_generated = FALSE;
1222
1223 if (this->ike_cfg)
1224 {
1225 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1226 {
1227 case FRAGMENTATION_FORCE:
1228 use_frags = TRUE;
1229 break;
1230 case FRAGMENTATION_YES:
1231 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1232 if (use_frags && this->version == IKEV1 &&
1233 supports_extension(this, EXT_MS_WINDOWS))
1234 {
1235 /* It seems Windows 7 and 8 peers only accept proprietary
1236 * fragmented messages if they expect certificates. */
1237 use_frags = message->get_payload(message,
1238 PLV1_CERTIFICATE) != NULL;
1239 }
1240 break;
1241 default:
1242 break;
1243 }
1244 }
1245 if (!use_frags)
1246 {
1247 status = generate_message(this, message, &packet);
1248 if (status != SUCCESS)
1249 {
1250 return status;
1251 }
1252 *packets = enumerator_create_single(packet, NULL);
1253 return SUCCESS;
1254 }
1255
1256 pre_generated = message->is_encoded(message);
1257 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1258 message->set_ike_sa_id(message, this->ike_sa_id);
1259 if (!pre_generated)
1260 {
1261 charon->bus->message(charon->bus, message, FALSE, TRUE);
1262 }
1263 status = message->fragment(message, this->keymat, this->fragment_size,
1264 &fragments);
1265 if (status == SUCCESS)
1266 {
1267 if (!pre_generated)
1268 {
1269 charon->bus->message(charon->bus, message, FALSE, FALSE);
1270 }
1271 *packets = enumerator_create_filter(fragments, filter_fragments,
1272 this, NULL);
1273 }
1274 return status;
1275 }
1276
1277 METHOD(ike_sa_t, set_kmaddress, void,
1278 private_ike_sa_t *this, host_t *local, host_t *remote)
1279 {
1280 DESTROY_IF(this->local_host);
1281 DESTROY_IF(this->remote_host);
1282 this->local_host = local->clone(local);
1283 this->remote_host = remote->clone(remote);
1284 }
1285
1286 #ifdef ME
1287 METHOD(ike_sa_t, act_as_mediation_server, void,
1288 private_ike_sa_t *this)
1289 {
1290 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1291 this->other_id, this->ike_sa_id);
1292 this->is_mediation_server = TRUE;
1293 }
1294
1295 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1296 private_ike_sa_t *this)
1297 {
1298 return this->server_reflexive_host;
1299 }
1300
1301 METHOD(ike_sa_t, set_server_reflexive_host, void,
1302 private_ike_sa_t *this, host_t *host)
1303 {
1304 DESTROY_IF(this->server_reflexive_host);
1305 this->server_reflexive_host = host;
1306 }
1307
1308 METHOD(ike_sa_t, get_connect_id, chunk_t,
1309 private_ike_sa_t *this)
1310 {
1311 return this->connect_id;
1312 }
1313
1314 METHOD(ike_sa_t, respond, status_t,
1315 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1316 {
1317 ike_me_t *task = ike_me_create(&this->public, TRUE);
1318 task->respond(task, peer_id, connect_id);
1319 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1320 return this->task_manager->initiate(this->task_manager);
1321 }
1322
1323 METHOD(ike_sa_t, callback, status_t,
1324 private_ike_sa_t *this, identification_t *peer_id)
1325 {
1326 ike_me_t *task = ike_me_create(&this->public, TRUE);
1327 task->callback(task, peer_id);
1328 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1329 return this->task_manager->initiate(this->task_manager);
1330 }
1331
1332 METHOD(ike_sa_t, relay, status_t,
1333 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1334 chunk_t connect_key, linked_list_t *endpoints, bool response)
1335 {
1336 ike_me_t *task = ike_me_create(&this->public, TRUE);
1337 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1338 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1339 return this->task_manager->initiate(this->task_manager);
1340 }
1341
1342 METHOD(ike_sa_t, initiate_mediation, status_t,
1343 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1344 {
1345 ike_me_t *task = ike_me_create(&this->public, TRUE);
1346 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1347 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1348 return this->task_manager->initiate(this->task_manager);
1349 }
1350
1351 METHOD(ike_sa_t, initiate_mediated, status_t,
1352 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1353 {
1354 set_my_host(this, me->clone(me));
1355 set_other_host(this, other->clone(other));
1356 chunk_free(&this->connect_id);
1357 this->connect_id = chunk_clone(connect_id);
1358 return this->task_manager->initiate(this->task_manager);
1359 }
1360 #endif /* ME */
1361
1362 /**
1363 * Resolve DNS host in configuration
1364 */
1365 static void resolve_hosts(private_ike_sa_t *this)
1366 {
1367 host_t *host;
1368 int family = AF_UNSPEC;
1369
1370 switch (charon->socket->supported_families(charon->socket))
1371 {
1372 case SOCKET_FAMILY_IPV4:
1373 family = AF_INET;
1374 break;
1375 case SOCKET_FAMILY_IPV6:
1376 family = AF_INET6;
1377 break;
1378 case SOCKET_FAMILY_BOTH:
1379 case SOCKET_FAMILY_NONE:
1380 break;
1381 }
1382
1383 /* if an IP address is set locally, use the same family to resolve remote */
1384 if (family == AF_UNSPEC && !this->remote_host)
1385 {
1386 if (this->local_host)
1387 {
1388 family = this->local_host->get_family(this->local_host);
1389 }
1390 else
1391 {
1392 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1393 }
1394 }
1395
1396 if (this->remote_host)
1397 {
1398 host = this->remote_host->clone(this->remote_host);
1399 host->set_port(host, IKEV2_UDP_PORT);
1400 }
1401 else
1402 {
1403 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1404 }
1405 if (host)
1406 {
1407 if (!host->is_anyaddr(host) ||
1408 this->other_host->is_anyaddr(this->other_host))
1409 { /* don't set to %any if we currently have an address, but the
1410 * address family might have changed */
1411 set_other_host(this, host);
1412 }
1413 else
1414 { /* reuse the original port as some implementations might not like
1415 * initial IKE messages on other ports */
1416 this->other_host->set_port(this->other_host, host->get_port(host));
1417 host->destroy(host);
1418 }
1419 }
1420
1421 if (this->local_host)
1422 {
1423 host = this->local_host->clone(this->local_host);
1424 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1425 }
1426 else
1427 {
1428 /* use same address family as for other */
1429 if (!this->other_host->is_anyaddr(this->other_host))
1430 {
1431 family = this->other_host->get_family(this->other_host);
1432 }
1433 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1434
1435 if (host && host->is_anyaddr(host) &&
1436 !this->other_host->is_anyaddr(this->other_host))
1437 {
1438 host->destroy(host);
1439 host = charon->kernel->get_source_addr(charon->kernel,
1440 this->other_host, NULL);
1441 if (host)
1442 {
1443 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1444 }
1445 else
1446 { /* fallback to address family specific %any(6), if configured */
1447 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1448 }
1449 }
1450 }
1451 if (host)
1452 {
1453 set_my_host(this, host);
1454 }
1455 }
1456
1457 METHOD(ike_sa_t, initiate, status_t,
1458 private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid,
1459 traffic_selector_t *tsi, traffic_selector_t *tsr)
1460 {
1461 bool defer_initiate = FALSE;
1462
1463 if (this->state == IKE_CREATED)
1464 {
1465 if (this->my_host->is_anyaddr(this->my_host) ||
1466 this->other_host->is_anyaddr(this->other_host))
1467 {
1468 resolve_hosts(this);
1469 }
1470
1471 if (this->other_host->is_anyaddr(this->other_host)
1472 #ifdef ME
1473 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1474 #endif /* ME */
1475 )
1476 {
1477 char *addr;
1478
1479 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1480 if (!this->retry_initiate_interval)
1481 {
1482 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1483 addr);
1484 DESTROY_IF(child_cfg);
1485 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1486 return DESTROY_ME;
1487 }
1488 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1489 addr, this->retry_initiate_interval);
1490 defer_initiate = TRUE;
1491 }
1492
1493 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1494 this->task_manager->queue_ike(this->task_manager);
1495 }
1496
1497 #ifdef ME
1498 if (this->peer_cfg->is_mediation(this->peer_cfg))
1499 {
1500 if (this->state == IKE_ESTABLISHED)
1501 {
1502 /* mediation connection is already established, retrigger state
1503 * change to notify bus listeners */
1504 DBG1(DBG_IKE, "mediation connection is already up");
1505 set_state(this, IKE_ESTABLISHED);
1506 }
1507 DESTROY_IF(child_cfg);
1508 }
1509 else
1510 #endif /* ME */
1511 if (child_cfg)
1512 {
1513 /* normal IKE_SA with CHILD_SA */
1514 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1515 tsi, tsr);
1516 #ifdef ME
1517 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1518 {
1519 /* mediated connection, initiate mediation process */
1520 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1521 lib->processor->queue_job(lib->processor, job);
1522 return SUCCESS;
1523 }
1524 #endif /* ME */
1525 }
1526
1527 if (defer_initiate)
1528 {
1529 if (!this->retry_initiate_queued)
1530 {
1531 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1532 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1533 this->retry_initiate_interval);
1534 this->retry_initiate_queued = TRUE;
1535 }
1536 return SUCCESS;
1537 }
1538 this->retry_initiate_queued = FALSE;
1539 return this->task_manager->initiate(this->task_manager);
1540 }
1541
1542 METHOD(ike_sa_t, retry_initiate, status_t,
1543 private_ike_sa_t *this)
1544 {
1545 if (this->retry_initiate_queued)
1546 {
1547 this->retry_initiate_queued = FALSE;
1548 return initiate(this, NULL, 0, NULL, NULL);
1549 }
1550 return SUCCESS;
1551 }
1552
1553 METHOD(ike_sa_t, process_message, status_t,
1554 private_ike_sa_t *this, message_t *message)
1555 {
1556 status_t status;
1557
1558 if (this->state == IKE_PASSIVE)
1559 { /* do not handle messages in passive state */
1560 return FAILED;
1561 }
1562 if (message->get_major_version(message) != this->version)
1563 {
1564 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1565 exchange_type_names, message->get_exchange_type(message),
1566 message->get_major_version(message),
1567 ike_version_names, this->version);
1568 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1569 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1570 return FAILED;
1571 }
1572 status = this->task_manager->process_message(this->task_manager, message);
1573 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1574 {
1575 /* authentication completed but if the online validation is suspended we
1576 * need the auth cfgs until we did the delayed verification, we flush
1577 * them afterwards */
1578 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
1579 {
1580 this->flush_auth_cfg = FALSE;
1581 flush_auth_cfgs(this);
1582 }
1583 }
1584 return status;
1585 }
1586
1587 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1588 private_ike_sa_t *this)
1589 {
1590 return this->ike_sa_id;
1591 }
1592
1593 METHOD(ike_sa_t, get_version, ike_version_t,
1594 private_ike_sa_t *this)
1595 {
1596 return this->version;
1597 }
1598
1599 METHOD(ike_sa_t, get_my_id, identification_t*,
1600 private_ike_sa_t *this)
1601 {
1602 return this->my_id;
1603 }
1604
1605 METHOD(ike_sa_t, set_my_id, void,
1606 private_ike_sa_t *this, identification_t *me)
1607 {
1608 DESTROY_IF(this->my_id);
1609 this->my_id = me;
1610 }
1611
1612 METHOD(ike_sa_t, get_other_id, identification_t*,
1613 private_ike_sa_t *this)
1614 {
1615 return this->other_id;
1616 }
1617
1618 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1619 private_ike_sa_t *this)
1620 {
1621 identification_t *id = NULL, *current;
1622 enumerator_t *enumerator;
1623 auth_cfg_t *cfg;
1624
1625 enumerator = array_create_enumerator(this->other_auths);
1626 while (enumerator->enumerate(enumerator, &cfg))
1627 {
1628 /* prefer EAP-Identity of last round */
1629 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1630 if (!current || current->get_type(current) == ID_ANY)
1631 {
1632 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1633 }
1634 if (!current || current->get_type(current) == ID_ANY)
1635 {
1636 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1637 }
1638 if (current && current->get_type(current) != ID_ANY)
1639 {
1640 id = current;
1641 continue;
1642 }
1643 }
1644 enumerator->destroy(enumerator);
1645 if (id)
1646 {
1647 return id;
1648 }
1649 return this->other_id;
1650 }
1651
1652 METHOD(ike_sa_t, set_other_id, void,
1653 private_ike_sa_t *this, identification_t *other)
1654 {
1655 DESTROY_IF(this->other_id);
1656 this->other_id = other;
1657 }
1658
1659 METHOD(ike_sa_t, add_child_sa, void,
1660 private_ike_sa_t *this, child_sa_t *child_sa)
1661 {
1662 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1663 charon->child_sa_manager->add(charon->child_sa_manager,
1664 child_sa, &this->public);
1665 }
1666
1667 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1668 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
1669 {
1670 enumerator_t *enumerator;
1671 child_sa_t *current, *found = NULL;
1672
1673 enumerator = array_create_enumerator(this->child_sas);
1674 while (enumerator->enumerate(enumerator, (void**)&current))
1675 {
1676 if (current->get_spi(current, inbound) == spi &&
1677 current->get_protocol(current) == protocol)
1678 {
1679 found = current;
1680 }
1681 }
1682 enumerator->destroy(enumerator);
1683 return found;
1684 }
1685
1686 METHOD(ike_sa_t, get_child_count, int,
1687 private_ike_sa_t *this)
1688 {
1689 return array_count(this->child_sas);
1690 }
1691
1692 /**
1693 * Private data of a create_child_sa_enumerator()
1694 */
1695 typedef struct {
1696 /** implements enumerator */
1697 enumerator_t public;
1698 /** inner array enumerator */
1699 enumerator_t *inner;
1700 /** current item */
1701 child_sa_t *current;
1702 } child_enumerator_t;
1703
1704 METHOD(enumerator_t, child_enumerate, bool,
1705 child_enumerator_t *this, va_list args)
1706 {
1707 child_sa_t **child_sa;
1708
1709 VA_ARGS_VGET(args, child_sa);
1710 if (this->inner->enumerate(this->inner, &this->current))
1711 {
1712 *child_sa = this->current;
1713 return TRUE;
1714 }
1715 return FALSE;
1716 }
1717
1718 METHOD(enumerator_t, child_enumerator_destroy, void,
1719 child_enumerator_t *this)
1720 {
1721 this->inner->destroy(this->inner);
1722 free(this);
1723 }
1724
1725 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1726 private_ike_sa_t *this)
1727 {
1728 child_enumerator_t *enumerator;
1729
1730 INIT(enumerator,
1731 .public = {
1732 .enumerate = enumerator_enumerate_default,
1733 .venumerate = _child_enumerate,
1734 .destroy = _child_enumerator_destroy,
1735 },
1736 .inner = array_create_enumerator(this->child_sas),
1737 );
1738 return &enumerator->public;
1739 }
1740
1741 METHOD(ike_sa_t, remove_child_sa, void,
1742 private_ike_sa_t *this, enumerator_t *enumerator)
1743 {
1744 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1745
1746 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1747 array_remove_at(this->child_sas, ce->inner);
1748 }
1749
1750 METHOD(ike_sa_t, rekey_child_sa, status_t,
1751 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1752 {
1753 if (this->state == IKE_PASSIVE)
1754 {
1755 return INVALID_STATE;
1756 }
1757 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1758 return this->task_manager->initiate(this->task_manager);
1759 }
1760
1761 METHOD(ike_sa_t, delete_child_sa, status_t,
1762 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
1763 {
1764 if (this->state == IKE_PASSIVE)
1765 {
1766 return INVALID_STATE;
1767 }
1768 this->task_manager->queue_child_delete(this->task_manager,
1769 protocol, spi, expired);
1770 return this->task_manager->initiate(this->task_manager);
1771 }
1772
1773 METHOD(ike_sa_t, destroy_child_sa, status_t,
1774 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1775 {
1776 enumerator_t *enumerator;
1777 child_sa_t *child_sa;
1778 status_t status = NOT_FOUND;
1779
1780 enumerator = create_child_sa_enumerator(this);
1781 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1782 {
1783 if (child_sa->get_protocol(child_sa) == protocol &&
1784 child_sa->get_spi(child_sa, TRUE) == spi)
1785 {
1786 remove_child_sa(this, enumerator);
1787 child_sa->destroy(child_sa);
1788 status = SUCCESS;
1789 break;
1790 }
1791 }
1792 enumerator->destroy(enumerator);
1793 return status;
1794 }
1795
1796 METHOD(ike_sa_t, delete_, status_t,
1797 private_ike_sa_t *this, bool force)
1798 {
1799 status_t status = DESTROY_ME;
1800
1801 switch (this->state)
1802 {
1803 case IKE_ESTABLISHED:
1804 case IKE_REKEYING:
1805 if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
1806 !(this->version == IKEV1 && this->state == IKE_REKEYING))
1807 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1808 * IKEv1 SAs */
1809 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1810 }
1811 this->task_manager->queue_ike_delete(this->task_manager);
1812 status = this->task_manager->initiate(this->task_manager);
1813 break;
1814 case IKE_CREATED:
1815 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1816 break;
1817 case IKE_PASSIVE:
1818 break;
1819 default:
1820 DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1821 ike_sa_state_names, this->state);
1822 force = TRUE;
1823 break;
1824 }
1825
1826 if (force)
1827 {
1828 status = DESTROY_ME;
1829
1830 if (this->version == IKEV2)
1831 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1832 switch (this->state)
1833 {
1834 case IKE_ESTABLISHED:
1835 case IKE_REKEYING:
1836 case IKE_DELETING:
1837 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1838 default:
1839 break;
1840 }
1841 }
1842 }
1843 return status;
1844 }
1845
1846 METHOD(ike_sa_t, rekey, status_t,
1847 private_ike_sa_t *this)
1848 {
1849 if (this->state == IKE_PASSIVE)
1850 {
1851 return INVALID_STATE;
1852 }
1853 this->task_manager->queue_ike_rekey(this->task_manager);
1854 return this->task_manager->initiate(this->task_manager);
1855 }
1856
1857 METHOD(ike_sa_t, reauth, status_t,
1858 private_ike_sa_t *this)
1859 {
1860 if (this->state == IKE_PASSIVE)
1861 {
1862 return INVALID_STATE;
1863 }
1864 if (this->state == IKE_CONNECTING)
1865 {
1866 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1867 get_name(this), this->unique_id);
1868 reset(this, TRUE);
1869 return this->task_manager->initiate(this->task_manager);
1870 }
1871 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1872 * If the peer does not support RFC4478, there is no way to keep the
1873 * IKE_SA up. */
1874 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1875 {
1876 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1877 if (array_count(this->other_vips) != 0 ||
1878 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1879 has_condition(this, COND_EAP_AUTHENTICATED)
1880 #ifdef ME
1881 /* as mediation server we too cannot reauth the IKE_SA */
1882 || this->is_mediation_server
1883 #endif /* ME */
1884 )
1885 {
1886 time_t del, now;
1887
1888 del = this->stats[STAT_DELETE];
1889 now = time_monotonic(NULL);
1890 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1891 get_name(this), this->unique_id, &now, &del);
1892 return FAILED;
1893 }
1894 else
1895 {
1896 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1897 get_name(this), this->unique_id);
1898 }
1899 }
1900 else
1901 {
1902 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1903 get_name(this), this->unique_id);
1904 }
1905 set_condition(this, COND_REAUTHENTICATING, TRUE);
1906 this->task_manager->queue_ike_reauth(this->task_manager);
1907 return this->task_manager->initiate(this->task_manager);
1908 }
1909
1910 /**
1911 * Check if tasks to create CHILD_SAs are queued in the given queue
1912 */
1913 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1914 {
1915 enumerator_t *enumerator;
1916 task_t *task;
1917 bool found = FALSE;
1918
1919 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1920 queue);
1921 while (enumerator->enumerate(enumerator, &task))
1922 {
1923 if (task->get_type(task) == TASK_CHILD_CREATE ||
1924 task->get_type(task) == TASK_QUICK_MODE)
1925 {
1926 found = TRUE;
1927 break;
1928 }
1929 }
1930 enumerator->destroy(enumerator);
1931 return found;
1932 }
1933
1934 /**
1935 * Reestablish CHILD_SAs and migrate queued tasks.
1936 *
1937 * If force is true all SAs are restarted, otherwise their close/dpd_action
1938 * is followed.
1939 */
1940 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
1941 bool force)
1942 {
1943 enumerator_t *enumerator;
1944 child_sa_t *child_sa;
1945 child_cfg_t *child_cfg;
1946 action_t action;
1947 status_t status = FAILED;
1948
1949 /* handle existing CHILD_SAs */
1950 enumerator = create_child_sa_enumerator(this);
1951 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1952 {
1953 switch (child_sa->get_state(child_sa))
1954 {
1955 case CHILD_REKEYED:
1956 case CHILD_DELETED:
1957 /* ignore CHILD_SAs in these states */
1958 continue;
1959 default:
1960 break;
1961 }
1962 if (force)
1963 {
1964 action = ACTION_RESTART;
1965 }
1966 else
1967 { /* only restart CHILD_SAs that are configured accordingly */
1968 if (this->state == IKE_DELETING)
1969 {
1970 action = child_sa->get_close_action(child_sa);
1971 }
1972 else
1973 {
1974 action = child_sa->get_dpd_action(child_sa);
1975 }
1976 }
1977 switch (action)
1978 {
1979 case ACTION_RESTART:
1980 child_cfg = child_sa->get_config(child_sa);
1981 DBG1(DBG_IKE, "restarting CHILD_SA %s",
1982 child_cfg->get_name(child_cfg));
1983 child_cfg->get_ref(child_cfg);
1984 status = new->initiate(new, child_cfg,
1985 child_sa->get_reqid(child_sa), NULL, NULL);
1986 break;
1987 default:
1988 continue;
1989 }
1990 if (status == DESTROY_ME)
1991 {
1992 break;
1993 }
1994 }
1995 enumerator->destroy(enumerator);
1996 /* adopt any active or queued CHILD-creating tasks */
1997 if (status != DESTROY_ME)
1998 {
1999 new->adopt_child_tasks(new, &this->public);
2000 if (new->get_state(new) == IKE_CREATED)
2001 {
2002 status = new->initiate(new, NULL, 0, NULL, NULL);
2003 }
2004 }
2005 return status;
2006 }
2007
2008 METHOD(ike_sa_t, reestablish, status_t,
2009 private_ike_sa_t *this)
2010 {
2011 ike_sa_t *new;
2012 host_t *host;
2013 action_t action;
2014 enumerator_t *enumerator;
2015 child_sa_t *child_sa;
2016 bool restart = FALSE;
2017 status_t status = FAILED;
2018
2019 if (has_condition(this, COND_REAUTHENTICATING))
2020 { /* only reauthenticate if we have children */
2021 if (array_count(this->child_sas) == 0
2022 #ifdef ME
2023 /* allow reauth of mediation connections without CHILD_SAs */
2024 && !this->peer_cfg->is_mediation(this->peer_cfg)
2025 #endif /* ME */
2026 )
2027 {
2028 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2029 "to recreate");
2030 }
2031 else
2032 {
2033 restart = TRUE;
2034 }
2035 }
2036 else
2037 { /* check if we have children to keep up at all */
2038 enumerator = array_create_enumerator(this->child_sas);
2039 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2040 {
2041 switch (child_sa->get_state(child_sa))
2042 {
2043 case CHILD_REKEYED:
2044 case CHILD_DELETED:
2045 /* ignore CHILD_SAs in these states */
2046 continue;
2047 default:
2048 break;
2049 }
2050 if (this->state == IKE_DELETING)
2051 {
2052 action = child_sa->get_close_action(child_sa);
2053 }
2054 else
2055 {
2056 action = child_sa->get_dpd_action(child_sa);
2057 }
2058 switch (action)
2059 {
2060 case ACTION_RESTART:
2061 restart = TRUE;
2062 break;
2063 case ACTION_ROUTE:
2064 charon->traps->install(charon->traps, this->peer_cfg,
2065 child_sa->get_config(child_sa));
2066 break;
2067 default:
2068 break;
2069 }
2070 }
2071 enumerator->destroy(enumerator);
2072 /* check if we have tasks that recreate children */
2073 if (!restart)
2074 {
2075 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
2076 is_child_queued(this, TASK_QUEUE_QUEUED);
2077 }
2078 #ifdef ME
2079 /* mediation connections have no children, keep them up anyway */
2080 if (this->peer_cfg->is_mediation(this->peer_cfg))
2081 {
2082 restart = TRUE;
2083 }
2084 #endif /* ME */
2085 }
2086 if (!restart)
2087 {
2088 return FAILED;
2089 }
2090
2091 /* check if we are able to reestablish this IKE_SA */
2092 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
2093 (array_count(this->other_vips) != 0 ||
2094 has_condition(this, COND_EAP_AUTHENTICATED)
2095 #ifdef ME
2096 || this->is_mediation_server
2097 #endif /* ME */
2098 ))
2099 {
2100 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
2101 return FAILED;
2102 }
2103
2104 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2105 this->version, TRUE);
2106 if (!new)
2107 {
2108 return FAILED;
2109 }
2110 new->set_peer_cfg(new, this->peer_cfg);
2111 host = this->other_host;
2112 new->set_other_host(new, host->clone(host));
2113 host = this->my_host;
2114 new->set_my_host(new, host->clone(host));
2115 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2116 if (!has_condition(this, COND_REAUTHENTICATING))
2117 { /* reauthenticate to the same addresses, but resolve hosts if
2118 * reestablishing (old addresses serve as fallback) */
2119 resolve_hosts((private_ike_sa_t*)new);
2120 }
2121 /* if we already have a virtual IP, we reuse it */
2122 enumerator = array_create_enumerator(this->my_vips);
2123 while (enumerator->enumerate(enumerator, &host))
2124 {
2125 new->add_virtual_ip(new, TRUE, host);
2126 }
2127 enumerator->destroy(enumerator);
2128
2129 #ifdef ME
2130 if (this->peer_cfg->is_mediation(this->peer_cfg))
2131 {
2132 status = new->initiate(new, NULL, 0, NULL, NULL);
2133 }
2134 else
2135 #endif /* ME */
2136 {
2137 status = reestablish_children(this, new,
2138 has_condition(this, COND_REAUTHENTICATING));
2139 }
2140
2141 if (status == DESTROY_ME)
2142 {
2143 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2144 FALSE);
2145 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2146 status = FAILED;
2147 }
2148 else
2149 {
2150 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2151 TRUE);
2152 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2153 status = SUCCESS;
2154 }
2155 charon->bus->set_sa(charon->bus, &this->public);
2156 return status;
2157 }
2158
2159 /**
2160 * Resolve the given gateway ID
2161 */
2162 static host_t *resolve_gateway_id(identification_t *gateway)
2163 {
2164 char gw[BUF_LEN];
2165 host_t *addr;
2166
2167 snprintf(gw, sizeof(gw), "%Y", gateway);
2168 gw[sizeof(gw)-1] = '\0';
2169 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2170 if (!addr)
2171 {
2172 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2173 gateway);
2174 }
2175 return addr;
2176 }
2177
2178 /**
2179 * Redirect the current SA to the given target host
2180 */
2181 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2182 {
2183 private_ike_sa_t *new_priv;
2184 ike_sa_t *new;
2185 host_t *other;
2186 time_t redirect;
2187
2188 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2189 this->version, TRUE);
2190 if (!new)
2191 {
2192 return FALSE;
2193 }
2194 new_priv = (private_ike_sa_t*)new;
2195 new->set_peer_cfg(new, this->peer_cfg);
2196 new_priv->redirected_from = this->other_host->clone(this->other_host);
2197 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2198 other = resolve_gateway_id(to);
2199 if (other)
2200 {
2201 set_my_host(new_priv, this->my_host->clone(this->my_host));
2202 /* this allows us to force the remote address while we still properly
2203 * resolve the local address */
2204 new_priv->remote_host = other;
2205 resolve_hosts(new_priv);
2206 new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2207 while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2208 {
2209 array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2210 }
2211 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2212 {
2213 #ifdef USE_IKEV2
2214 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2215 this->ike_sa_id));
2216 #endif
2217 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2218 TRUE);
2219 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2220 charon->bus->set_sa(charon->bus, &this->public);
2221 return TRUE;
2222 }
2223 }
2224 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2225 FALSE);
2226 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2227 charon->bus->set_sa(charon->bus, &this->public);
2228 return FALSE;
2229 }
2230
2231 /**
2232 * Redirect the current connecting SA to the given target host
2233 */
2234 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2235 {
2236 host_t *other;
2237
2238 other = resolve_gateway_id(to);
2239 if (!other)
2240 {
2241 return FALSE;
2242 }
2243 reset(this, TRUE);
2244 DESTROY_IF(this->redirected_from);
2245 this->redirected_from = this->other_host->clone(this->other_host);
2246 DESTROY_IF(this->remote_host);
2247 /* this allows us to force the remote address while we still properly
2248 * resolve the local address */
2249 this->remote_host = other;
2250 resolve_hosts(this);
2251 return TRUE;
2252 }
2253
2254 /**
2255 * Check if the current redirect exceeds the limits for redirects
2256 */
2257 static bool redirect_count_exceeded(private_ike_sa_t *this)
2258 {
2259 time_t now, redirect;
2260
2261 now = time_monotonic(NULL);
2262 /* remove entries outside the defined period */
2263 while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2264 now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2265 {
2266 array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2267 }
2268 if (array_count(this->redirected_at) < MAX_REDIRECTS)
2269 {
2270 if (!this->redirected_at)
2271 {
2272 this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2273 }
2274 array_insert(this->redirected_at, ARRAY_TAIL, &now);
2275 return FALSE;
2276 }
2277 return TRUE;
2278 }
2279
2280 METHOD(ike_sa_t, handle_redirect, bool,
2281 private_ike_sa_t *this, identification_t *gateway)
2282 {
2283 DBG1(DBG_IKE, "redirected to %Y", gateway);
2284 if (!this->follow_redirects)
2285 {
2286 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2287 return FALSE;
2288 }
2289 if (redirect_count_exceeded(this))
2290 {
2291 DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2292 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2293 return FALSE;
2294 }
2295
2296 switch (this->state)
2297 {
2298 case IKE_CONNECTING:
2299 return redirect_connecting(this, gateway);
2300 case IKE_ESTABLISHED:
2301 return redirect_established(this, gateway);
2302 default:
2303 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2304 ike_sa_state_names, this->state);
2305 return FALSE;
2306 }
2307 }
2308
2309 METHOD(ike_sa_t, redirect, status_t,
2310 private_ike_sa_t *this, identification_t *gateway)
2311 {
2312 switch (this->state)
2313 {
2314 case IKE_CONNECTING:
2315 case IKE_ESTABLISHED:
2316 case IKE_REKEYING:
2317 if (has_condition(this, COND_REDIRECTED))
2318 { /* IKE_SA already got redirected */
2319 return SUCCESS;
2320 }
2321 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2322 {
2323 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2324 return FAILED;
2325 }
2326 if (this->version == IKEV1)
2327 {
2328 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2329 return FAILED;
2330 }
2331 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2332 {
2333 DBG1(DBG_IKE, "client does not support IKE redirection");
2334 return FAILED;
2335 }
2336 #ifdef USE_IKEV2
2337 this->task_manager->queue_task(this->task_manager,
2338 (task_t*)ike_redirect_create(&this->public, gateway));
2339 #endif
2340 return this->task_manager->initiate(this->task_manager);
2341 default:
2342 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2343 ike_sa_state_names, this->state);
2344 return INVALID_STATE;
2345 }
2346 }
2347
2348 METHOD(ike_sa_t, retransmit, status_t,
2349 private_ike_sa_t *this, uint32_t message_id)
2350 {
2351 if (this->state == IKE_PASSIVE)
2352 {
2353 return INVALID_STATE;
2354 }
2355 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2356 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2357 {
2358 /* send a proper signal to brief interested bus listeners */
2359 switch (this->state)
2360 {
2361 case IKE_CONNECTING:
2362 {
2363 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2364 uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2365 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2366 this->keyingtry);
2367 this->keyingtry++;
2368 if (tries == 0 || tries > this->keyingtry)
2369 {
2370 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2371 this->keyingtry + 1, tries);
2372 reset(this, TRUE);
2373 resolve_hosts(this);
2374 return this->task_manager->initiate(this->task_manager);
2375 }
2376 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2377
2378 if (this->version == IKEV1 && array_count(this->child_sas))
2379 {
2380 enumerator_t *enumerator;
2381 child_sa_t *child_sa;
2382
2383 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2384 * in this state with CHILD_SAs), try again from scratch */
2385 DBG1(DBG_IKE, "reauthentication failed, trying to "
2386 "reestablish IKE_SA");
2387 reestablish(this);
2388 /* trigger down events for the CHILD_SAs, as no down event
2389 * is triggered below for IKE SAs in this state */
2390 enumerator = array_create_enumerator(this->child_sas);
2391 while (enumerator->enumerate(enumerator, &child_sa))
2392 {
2393 if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
2394 child_sa->get_state(child_sa) != CHILD_DELETED)
2395 {
2396 charon->bus->child_updown(charon->bus, child_sa,
2397 FALSE);
2398 }
2399 }
2400 enumerator->destroy(enumerator);
2401 }
2402 break;
2403 }
2404 case IKE_DELETING:
2405 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2406 if (has_condition(this, COND_REAUTHENTICATING) &&
2407 !lib->settings->get_bool(lib->settings,
2408 "%s.make_before_break", FALSE, lib->ns))
2409 {
2410 DBG1(DBG_IKE, "delete during reauthentication failed, "
2411 "trying to reestablish IKE_SA anyway");
2412 reestablish(this);
2413 }
2414 break;
2415 case IKE_REKEYING:
2416 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2417 /* FALL */
2418 default:
2419 reestablish(this);
2420 break;
2421 }
2422 if (this->state != IKE_CONNECTING &&
2423 this->state != IKE_REKEYED)
2424 {
2425 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2426 }
2427 return DESTROY_ME;
2428 }
2429 return SUCCESS;
2430 }
2431
2432 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2433 private_ike_sa_t *this, uint32_t lifetime)
2434 {
2435 uint32_t diff, hard, soft, now;
2436 bool send_update;
2437
2438 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2439 now = time_monotonic(NULL);
2440 hard = now + lifetime;
2441 soft = hard - diff;
2442
2443 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2444 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2445 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2446 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2447 (array_count(this->other_vips) != 0 ||
2448 has_condition(this, COND_EAP_AUTHENTICATED));
2449
2450 if (lifetime < diff)
2451 {
2452 this->stats[STAT_REAUTH] = now;
2453
2454 if (!send_update)
2455 {
2456 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2457 "starting reauthentication", lifetime);
2458 lib->processor->queue_job(lib->processor,
2459 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2460 }
2461 }
2462 else if (this->stats[STAT_REAUTH] == 0 ||
2463 this->stats[STAT_REAUTH] > soft)
2464 {
2465 this->stats[STAT_REAUTH] = soft;
2466 if (!send_update)
2467 {
2468 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2469 "reauthentication in %ds", lifetime, lifetime - diff);
2470 lib->scheduler->schedule_job(lib->scheduler,
2471 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2472 lifetime - diff);
2473 }
2474 }
2475 else
2476 {
2477 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2478 "reauthentication already scheduled in %ds", lifetime,
2479 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2480 send_update = FALSE;
2481 }
2482 /* give at least some seconds to reauthenticate */
2483 this->stats[STAT_DELETE] = max(hard, now + 10);
2484
2485 #ifdef USE_IKEV2
2486 if (send_update)
2487 {
2488 ike_auth_lifetime_t *task;
2489
2490 task = ike_auth_lifetime_create(&this->public, TRUE);
2491 this->task_manager->queue_task(this->task_manager, &task->task);
2492 return this->task_manager->initiate(this->task_manager);
2493 }
2494 #endif
2495 return SUCCESS;
2496 }
2497
2498 /**
2499 * Check if the current combination of source and destination address is still
2500 * valid.
2501 */
2502 static bool is_current_path_valid(private_ike_sa_t *this)
2503 {
2504 bool valid = FALSE;
2505 host_t *src;
2506
2507 if (supports_extension(this, EXT_MOBIKE) &&
2508 lib->settings->get_bool(lib->settings,
2509 "%s.prefer_best_path", FALSE, lib->ns))
2510 {
2511 /* check if the current path is the best path; migrate otherwise */
2512 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2513 NULL);
2514 if (src)
2515 {
2516 valid = src->ip_equals(src, this->my_host);
2517 src->destroy(src);
2518 }
2519 if (!valid)
2520 {
2521 DBG1(DBG_IKE, "old path is not preferred anymore");
2522 }
2523 return valid;
2524 }
2525 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2526 this->my_host);
2527 if (src)
2528 {
2529 if (src->ip_equals(src, this->my_host))
2530 {
2531 valid = TRUE;
2532 }
2533 src->destroy(src);
2534 }
2535 if (!valid)
2536 {
2537 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2538 }
2539 return valid;
2540 }
2541
2542 /**
2543 * Check if we have any path avialable for this IKE SA.
2544 */
2545 static bool is_any_path_valid(private_ike_sa_t *this)
2546 {
2547 bool valid = FALSE;
2548 enumerator_t *enumerator;
2549 host_t *src = NULL, *addr;
2550 int family = AF_UNSPEC;
2551
2552 switch (charon->socket->supported_families(charon->socket))
2553 {
2554 case SOCKET_FAMILY_IPV4:
2555 family = AF_INET;
2556 break;
2557 case SOCKET_FAMILY_IPV6:
2558 family = AF_INET6;
2559 break;
2560 case SOCKET_FAMILY_BOTH:
2561 case SOCKET_FAMILY_NONE:
2562 break;
2563 }
2564
2565 enumerator = create_peer_address_enumerator(this);
2566 while (enumerator->enumerate(enumerator, &addr))
2567 {
2568 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2569 {
2570 continue;
2571 }
2572 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2573 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2574 if (src)
2575 {
2576 break;
2577 }
2578 }
2579 enumerator->destroy(enumerator);
2580 if (src)
2581 {
2582 valid = TRUE;
2583 src->destroy(src);
2584 }
2585 return valid;
2586 }
2587
2588 METHOD(ike_sa_t, roam, status_t,
2589 private_ike_sa_t *this, bool address)
2590 {
2591 switch (this->state)
2592 {
2593 case IKE_CREATED:
2594 case IKE_DELETING:
2595 case IKE_DESTROYING:
2596 case IKE_PASSIVE:
2597 case IKE_REKEYED:
2598 return SUCCESS;
2599 default:
2600 break;
2601 }
2602
2603 if (!this->ike_cfg)
2604 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2605 * without config assigned */
2606 return SUCCESS;
2607 }
2608 if (this->version == IKEV1)
2609 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2610 * have to reestablish from scratch (reauth is not enough) */
2611 return SUCCESS;
2612 }
2613
2614 /* ignore roam events if MOBIKE is not supported/enabled and the local
2615 * address is statically configured */
2616 if (!supports_extension(this, EXT_MOBIKE) &&
2617 ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
2618 {
2619 DBG2(DBG_IKE, "keeping statically configured path %H - %H",
2620 this->my_host, this->other_host);
2621 return SUCCESS;
2622 }
2623
2624 /* keep existing path if possible */
2625 if (is_current_path_valid(this))
2626 {
2627 DBG2(DBG_IKE, "keeping connection path %H - %H",
2628 this->my_host, this->other_host);
2629 set_condition(this, COND_STALE, FALSE);
2630
2631 if (supports_extension(this, EXT_MOBIKE) && address)
2632 { /* if any addresses changed, send an updated list */
2633 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2634 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2635 return this->task_manager->initiate(this->task_manager);
2636 }
2637 return SUCCESS;
2638 }
2639
2640 if (!is_any_path_valid(this))
2641 {
2642 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2643 this->other_host);
2644 set_condition(this, COND_STALE, TRUE);
2645 return SUCCESS;
2646 }
2647 set_condition(this, COND_STALE, FALSE);
2648
2649 /* update addresses with mobike, if supported ... */
2650 if (supports_extension(this, EXT_MOBIKE))
2651 {
2652 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2653 { /* responder updates the peer about changed address config */
2654 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2655 "implicitly requesting an address change");
2656 address = TRUE;
2657 }
2658 else
2659 {
2660 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2661 }
2662 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2663 return this->task_manager->initiate(this->task_manager);
2664 }
2665
2666 /* ... reauth if not */
2667 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2668 { /* responder does not reauthenticate */
2669 set_condition(this, COND_STALE, TRUE);
2670 return SUCCESS;
2671 }
2672 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2673 /* since our previous path is not valid anymore, try and find a new one */
2674 resolve_hosts(this);
2675 return reauth(this);
2676 }
2677
2678 METHOD(ike_sa_t, add_configuration_attribute, void,
2679 private_ike_sa_t *this, attribute_handler_t *handler,
2680 configuration_attribute_type_t type, chunk_t data)
2681 {
2682 attribute_entry_t entry = {
2683 .handler = handler,
2684 .type = type,
2685 .data = chunk_clone(data),
2686 };
2687 array_insert(this->attributes, ARRAY_TAIL, &entry);
2688 }
2689
2690 CALLBACK(filter_attribute, bool,
2691 void *null, enumerator_t *orig, va_list args)
2692 {
2693 attribute_entry_t *entry;
2694 configuration_attribute_type_t *type;
2695 chunk_t *data;
2696 bool *handled;
2697
2698 VA_ARGS_VGET(args, type, data, handled);
2699
2700 if (orig->enumerate(orig, &entry))
2701 {
2702 *type = entry->type;
2703 *data = entry->data;
2704 *handled = entry->handler != NULL;
2705 return TRUE;
2706 }
2707 return FALSE;
2708 }
2709
2710 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2711 private_ike_sa_t *this)
2712 {
2713 return enumerator_create_filter(array_create_enumerator(this->attributes),
2714 filter_attribute, NULL, NULL);
2715 }
2716
2717 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2718 private_ike_sa_t *this, task_queue_t queue)
2719 {
2720 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2721 }
2722
2723 METHOD(ike_sa_t, remove_task, void,
2724 private_ike_sa_t *this, enumerator_t *enumerator)
2725 {
2726 return this->task_manager->remove_task(this->task_manager, enumerator);
2727 }
2728
2729 METHOD(ike_sa_t, flush_queue, void,
2730 private_ike_sa_t *this, task_queue_t queue)
2731 {
2732 this->task_manager->flush_queue(this->task_manager, queue);
2733 }
2734
2735 METHOD(ike_sa_t, queue_task, void,
2736 private_ike_sa_t *this, task_t *task)
2737 {
2738 this->task_manager->queue_task(this->task_manager, task);
2739 }
2740
2741 METHOD(ike_sa_t, queue_task_delayed, void,
2742 private_ike_sa_t *this, task_t *task, uint32_t delay)
2743 {
2744 this->task_manager->queue_task_delayed(this->task_manager, task, delay);
2745 }
2746
2747 /**
2748 * Migrate and queue child-creating tasks from another IKE_SA
2749 */
2750 static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
2751 task_queue_t queue)
2752 {
2753 enumerator_t *enumerator;
2754 task_t *task;
2755
2756 enumerator = other->create_task_enumerator(other, queue);
2757 while (enumerator->enumerate(enumerator, &task))
2758 {
2759 if (task->get_type(task) == TASK_CHILD_CREATE ||
2760 task->get_type(task) == TASK_QUICK_MODE)
2761 {
2762 other->remove_task(other, enumerator);
2763 task->migrate(task, &this->public);
2764 queue_task(this, task);
2765 }
2766 }
2767 enumerator->destroy(enumerator);
2768 }
2769
2770 METHOD(ike_sa_t, adopt_child_tasks, void,
2771 private_ike_sa_t *this, ike_sa_t *other)
2772 {
2773 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
2774 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
2775 }
2776
2777 METHOD(ike_sa_t, inherit_pre, void,
2778 private_ike_sa_t *this, ike_sa_t *other_public)
2779 {
2780 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2781
2782 /* apply config and hosts */
2783 set_peer_cfg(this, other->peer_cfg);
2784 set_my_host(this, other->my_host->clone(other->my_host));
2785 set_other_host(this, other->other_host->clone(other->other_host));
2786
2787 /* apply extensions and conditions with a few exceptions */
2788 this->extensions = other->extensions;
2789 this->conditions = other->conditions;
2790 this->conditions &= ~COND_STALE;
2791 this->conditions &= ~COND_REAUTHENTICATING;
2792 }
2793
2794 METHOD(ike_sa_t, inherit_post, void,
2795 private_ike_sa_t *this, ike_sa_t *other_public)
2796 {
2797 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2798 child_sa_t *child_sa;
2799 enumerator_t *enumerator;
2800 attribute_entry_t entry;
2801 auth_cfg_t *cfg;
2802 host_t *vip;
2803
2804 /* apply hosts and ids */
2805 this->my_host->destroy(this->my_host);
2806 this->other_host->destroy(this->other_host);
2807 this->my_id->destroy(this->my_id);
2808 this->other_id->destroy(this->other_id);
2809 this->my_host = other->my_host->clone(other->my_host);
2810 this->other_host = other->other_host->clone(other->other_host);
2811 this->my_id = other->my_id->clone(other->my_id);
2812 this->other_id = other->other_id->clone(other->other_id);
2813
2814 /* apply assigned virtual IPs... */
2815 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2816 {
2817 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2818 }
2819 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2820 {
2821 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2822 }
2823
2824 /* MOBIKE additional addresses */
2825 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2826 {
2827 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2828 }
2829
2830 /* authentication information */
2831 enumerator = array_create_enumerator(other->my_auths);
2832 while (enumerator->enumerate(enumerator, &cfg))
2833 {
2834 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2835 }
2836 enumerator->destroy(enumerator);
2837 enumerator = array_create_enumerator(other->other_auths);
2838 while (enumerator->enumerate(enumerator, &cfg))
2839 {
2840 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2841 }
2842 enumerator->destroy(enumerator);
2843
2844 /* ... and configuration attributes */
2845 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2846 {
2847 array_insert(this->attributes, ARRAY_TAIL, &entry);
2848 }
2849
2850 /* inherit all conditions */
2851 this->conditions = other->conditions;
2852 if (this->conditions & COND_NAT_HERE)
2853 {
2854 send_keepalive(this, FALSE);
2855 }
2856
2857 #ifdef ME
2858 if (other->is_mediation_server)
2859 {
2860 act_as_mediation_server(this);
2861 }
2862 else if (other->server_reflexive_host)
2863 {
2864 this->server_reflexive_host = other->server_reflexive_host->clone(
2865 other->server_reflexive_host);
2866 }
2867 #endif /* ME */
2868
2869 /* adopt all children */
2870 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2871 {
2872 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2873 add_child_sa(this, child_sa);
2874 }
2875
2876 /* move pending tasks to the new IKE_SA */
2877 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2878
2879 /* reauthentication timeout survives a rekeying */
2880 if (other->stats[STAT_REAUTH])
2881 {
2882 time_t reauth, delete, now = time_monotonic(NULL);
2883
2884 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2885 reauth = this->stats[STAT_REAUTH] - now;
2886 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2887 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2888 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2889 "lifetime reduced to %ds", reauth, delete);
2890 lib->scheduler->schedule_job(lib->scheduler,
2891 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2892 lib->scheduler->schedule_job(lib->scheduler,
2893 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2894 }
2895 }
2896
2897 METHOD(ike_sa_t, destroy, void,
2898 private_ike_sa_t *this)
2899 {
2900 attribute_entry_t entry;
2901 child_sa_t *child_sa;
2902 host_t *vip;
2903
2904 charon->bus->set_sa(charon->bus, &this->public);
2905
2906 set_state(this, IKE_DESTROYING);
2907 if (this->task_manager)
2908 {
2909 this->task_manager->flush(this->task_manager);
2910 }
2911
2912 /* remove attributes first, as we pass the IKE_SA to the handler */
2913 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2914 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2915 {
2916 if (entry.handler)
2917 {
2918 charon->attributes->release(charon->attributes, entry.handler,
2919 &this->public, entry.type, entry.data);
2920 }
2921 free(entry.data.ptr);
2922 }
2923 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2924 * routes that the CHILD_SA tries to uninstall. */
2925 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2926 {
2927 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2928 child_sa->destroy(child_sa);
2929 }
2930 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2931 {
2932 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2933 vip->destroy(vip);
2934 }
2935 if (array_count(this->other_vips))
2936 {
2937 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2938 }
2939 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2940 {
2941 if (this->peer_cfg)
2942 {
2943 linked_list_t *pools;
2944
2945 pools = linked_list_create_from_enumerator(
2946 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
2947 charon->attributes->release_address(charon->attributes,
2948 pools, vip, &this->public);
2949 pools->destroy(pools);
2950 }
2951 vip->destroy(vip);
2952 }
2953
2954 /* unset SA after here to avoid usage by the listeners */
2955 charon->bus->set_sa(charon->bus, NULL);
2956
2957 array_destroy(this->child_sas);
2958 DESTROY_IF(this->task_manager);
2959 DESTROY_IF(this->keymat);
2960 array_destroy(this->attributes);
2961 array_destroy(this->my_vips);
2962 array_destroy(this->other_vips);
2963 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
2964 #ifdef ME
2965 if (this->is_mediation_server)
2966 {
2967 charon->mediation_manager->remove(charon->mediation_manager,
2968 this->ike_sa_id);
2969 }
2970 DESTROY_IF(this->server_reflexive_host);
2971 chunk_free(&this->connect_id);
2972 #endif /* ME */
2973 free(this->nat_detection_dest.ptr);
2974
2975 DESTROY_IF(this->my_host);
2976 DESTROY_IF(this->other_host);
2977 DESTROY_IF(this->my_id);
2978 DESTROY_IF(this->other_id);
2979 DESTROY_IF(this->local_host);
2980 DESTROY_IF(this->remote_host);
2981 DESTROY_IF(this->redirected_from);
2982 array_destroy(this->redirected_at);
2983
2984 DESTROY_IF(this->ike_cfg);
2985 DESTROY_IF(this->peer_cfg);
2986 DESTROY_IF(this->proposal);
2987 this->my_auth->destroy(this->my_auth);
2988 this->other_auth->destroy(this->other_auth);
2989 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
2990 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
2991
2992 this->ike_sa_id->destroy(this->ike_sa_id);
2993 free(this);
2994 }
2995
2996 /*
2997 * Described in header.
2998 */
2999 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
3000 ike_version_t version)
3001 {
3002 private_ike_sa_t *this;
3003 static refcount_t unique_id = 0;
3004
3005 if (version == IKE_ANY)
3006 { /* prefer IKEv2 if protocol not specified */
3007 #ifdef USE_IKEV2
3008 version = IKEV2;
3009 #else
3010 version = IKEV1;
3011 #endif
3012 }
3013
3014 INIT(this,
3015 .public = {
3016 .get_version = _get_version,
3017 .get_state = _get_state,
3018 .set_state = _set_state,
3019 .get_name = _get_name,
3020 .get_statistic = _get_statistic,
3021 .set_statistic = _set_statistic,
3022 .process_message = _process_message,
3023 .initiate = _initiate,
3024 .retry_initiate = _retry_initiate,
3025 .get_ike_cfg = _get_ike_cfg,
3026 .set_ike_cfg = _set_ike_cfg,
3027 .get_peer_cfg = _get_peer_cfg,
3028 .set_peer_cfg = _set_peer_cfg,
3029 .get_auth_cfg = _get_auth_cfg,
3030 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
3031 .verify_peer_certificate = _verify_peer_certificate,
3032 .add_auth_cfg = _add_auth_cfg,
3033 .get_proposal = _get_proposal,
3034 .set_proposal = _set_proposal,
3035 .get_id = _get_id,
3036 .get_my_host = _get_my_host,
3037 .set_my_host = _set_my_host,
3038 .get_other_host = _get_other_host,
3039 .set_other_host = _set_other_host,
3040 .set_message_id = _set_message_id,
3041 .get_message_id = _get_message_id,
3042 .float_ports = _float_ports,
3043 .update_hosts = _update_hosts,
3044 .get_my_id = _get_my_id,
3045 .set_my_id = _set_my_id,
3046 .get_other_id = _get_other_id,
3047 .set_other_id = _set_other_id,
3048 .get_other_eap_id = _get_other_eap_id,
3049 .enable_extension = _enable_extension,
3050 .supports_extension = _supports_extension,
3051 .set_condition = _set_condition,
3052 .has_condition = _has_condition,
3053 .create_peer_address_enumerator = _create_peer_address_enumerator,
3054 .add_peer_address = _add_peer_address,
3055 .clear_peer_addresses = _clear_peer_addresses,
3056 .has_mapping_changed = _has_mapping_changed,
3057 .retransmit = _retransmit,
3058 .delete = _delete_,
3059 .destroy = _destroy,
3060 .send_dpd = _send_dpd,
3061 .send_keepalive = _send_keepalive,
3062 .redirect = _redirect,
3063 .handle_redirect = _handle_redirect,
3064 .get_redirected_from = _get_redirected_from,
3065 .get_keymat = _get_keymat,
3066 .add_child_sa = _add_child_sa,
3067 .get_child_sa = _get_child_sa,
3068 .get_child_count = _get_child_count,
3069 .create_child_sa_enumerator = _create_child_sa_enumerator,
3070 .remove_child_sa = _remove_child_sa,
3071 .rekey_child_sa = _rekey_child_sa,
3072 .delete_child_sa = _delete_child_sa,
3073 .destroy_child_sa = _destroy_child_sa,
3074 .rekey = _rekey,
3075 .reauth = _reauth,
3076 .reestablish = _reestablish,
3077 .set_auth_lifetime = _set_auth_lifetime,
3078 .roam = _roam,
3079 .inherit_pre = _inherit_pre,
3080 .inherit_post = _inherit_post,
3081 .generate_message = _generate_message,
3082 .generate_message_fragmented = _generate_message_fragmented,
3083 .reset = _reset,
3084 .get_unique_id = _get_unique_id,
3085 .add_virtual_ip = _add_virtual_ip,
3086 .clear_virtual_ips = _clear_virtual_ips,
3087 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
3088 .add_configuration_attribute = _add_configuration_attribute,
3089 .create_attribute_enumerator = _create_attribute_enumerator,
3090 .set_kmaddress = _set_kmaddress,
3091 .create_task_enumerator = _create_task_enumerator,
3092 .remove_task = _remove_task,
3093 .flush_queue = _flush_queue,
3094 .queue_task = _queue_task,
3095 .queue_task_delayed = _queue_task_delayed,
3096 .adopt_child_tasks = _adopt_child_tasks,
3097 #ifdef ME
3098 .act_as_mediation_server = _act_as_mediation_server,
3099 .get_server_reflexive_host = _get_server_reflexive_host,
3100 .set_server_reflexive_host = _set_server_reflexive_host,
3101 .get_connect_id = _get_connect_id,
3102 .initiate_mediation = _initiate_mediation,
3103 .initiate_mediated = _initiate_mediated,
3104 .relay = _relay,
3105 .callback = _callback,
3106 .respond = _respond,
3107 #endif /* ME */
3108 },
3109 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
3110 .version = version,
3111 .my_host = host_create_any(AF_INET),
3112 .other_host = host_create_any(AF_INET),
3113 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3114 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3115 .keymat = keymat_create(version, initiator),
3116 .state = IKE_CREATED,
3117 .stats[STAT_INBOUND] = time_monotonic(NULL),
3118 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
3119 .my_auth = auth_cfg_create(),
3120 .other_auth = auth_cfg_create(),
3121 .my_auths = array_create(0, 0),
3122 .other_auths = array_create(0, 0),
3123 .attributes = array_create(sizeof(attribute_entry_t), 0),
3124 .unique_id = ref_get(&unique_id),
3125 .keepalive_interval = lib->settings->get_time(lib->settings,
3126 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
3127 .retry_initiate_interval = lib->settings->get_time(lib->settings,
3128 "%s.retry_initiate_interval", 0, lib->ns),
3129 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
3130 "%s.flush_auth_cfg", FALSE, lib->ns),
3131 .fragment_size = lib->settings->get_int(lib->settings,
3132 "%s.fragment_size", 1280, lib->ns),
3133 .follow_redirects = lib->settings->get_bool(lib->settings,
3134 "%s.follow_redirects", TRUE, lib->ns),
3135 );
3136
3137 if (version == IKEV2)
3138 { /* always supported with IKEv2 */
3139 enable_extension(this, EXT_DPD);
3140 }
3141
3142 this->task_manager = task_manager_create(&this->public);
3143 this->my_host->set_port(this->my_host,
3144 charon->socket->get_port(charon->socket, FALSE));
3145
3146 if (!this->task_manager || !this->keymat)
3147 {
3148 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
3149 destroy(this);
3150 return NULL;
3151 }
3152 return &this->public;
3153 }
Unnamed repository; edit this file 'description' to name the repository.