2 * Copyright (C) 2006-2020 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * Copyright (c) 2014 Volker RĂ¼melin
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
68 ENUM(ike_sa_state_names
, IKE_CREATED
, IKE_DESTROYING
,
79 typedef struct private_ike_sa_t private_ike_sa_t
;
80 typedef struct attribute_entry_t attribute_entry_t
;
83 * Private data of an ike_sa_t object.
85 struct private_ike_sa_t
{
93 * Identifier for the current IKE_SA.
95 ike_sa_id_t
*ike_sa_id
;
98 * IKE version of this SA.
100 ike_version_t version
;
103 * unique numerical ID for this IKE_SA.
108 * Current state of the IKE_SA
110 ike_sa_state_t state
;
113 * IKE configuration used to set up this IKE_SA
118 * Peer and authentication information to establish IKE_SA.
120 peer_cfg_t
*peer_cfg
;
123 * currently used authentication ruleset, local
128 * currently used authentication constraints, remote
130 auth_cfg_t
*other_auth
;
133 * Array of completed local authentication rounds (as auth_cfg_t)
138 * Array of completed remote authentication rounds (as auth_cfg_t)
140 array_t
*other_auths
;
143 * Selected IKE proposal
145 proposal_t
*proposal
;
148 * Juggles tasks to process messages
150 task_manager_t
*task_manager
;
153 * Address of local host
158 * Address of remote host
164 * Are we mediation server
166 bool is_mediation_server
;
169 * Server reflexive host
171 host_t
*server_reflexive_host
;
180 * Identification used for us
182 identification_t
*my_id
;
185 * Identification used for other
187 identification_t
*other_id
;
190 * set of extensions the peer supports
192 ike_extension_t extensions
;
195 * set of condition flags currently enabled for this IKE_SA
197 ike_condition_t conditions
;
200 * Array containing the child sa's of the current IKE_SA.
205 * keymat of this IKE_SA
210 * Virtual IPs on local host
215 * Virtual IPs on remote host
220 * List of configuration attributes (attribute_entry_t)
225 * list of peer's addresses, additional ones transmitted via MOBIKE
227 array_t
*peer_addresses
;
230 * previously value of received DESTINATION_IP hash
232 chunk_t nat_detection_dest
;
235 * NAT keep alive interval
237 uint32_t keepalive_interval
;
240 * The scheduled keep alive job, if any
242 send_keepalive_job_t
*keepalive_job
;
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
248 uint32_t retry_initiate_interval
;
251 * TRUE if a retry_initiate_job has been queued
253 bool retry_initiate_queued
;
256 * Timestamps for this IKE_SA
258 uint32_t stats
[STAT_MAX
];
261 * how many times we have retried so far (keyingtries)
266 * local host address to be used for IKE, set via MIGRATE kernel message
271 * remote host address to be used for IKE, set via MIGRATE kernel message
276 * Flush auth configs once established?
281 * Maximum length of a single fragment, 0 for address-specific defaults
283 size_t fragment_size
;
286 * Whether to follow IKEv2 redirects
288 bool follow_redirects
;
291 * Original gateway address from which we got redirected
293 host_t
*redirected_from
;
296 * Timestamps of redirect attempts to handle loops
298 array_t
*redirected_at
;
301 * Inbound interface ID
306 * Outbound interface ID
312 * Entry to maintain install configuration attributes during IKE_SA lifetime
314 struct attribute_entry_t
{
315 /** handler used to install this attribute */
316 attribute_handler_t
*handler
;
317 /** attribute type */
318 configuration_attribute_type_t type
;
319 /** attribute data */
324 * get the time of the latest traffic processed by the kernel
326 static time_t get_use_time(private_ike_sa_t
* this, bool inbound
)
328 enumerator_t
*enumerator
;
329 child_sa_t
*child_sa
;
330 time_t use_time
, current
;
334 use_time
= this->stats
[STAT_INBOUND
];
338 use_time
= this->stats
[STAT_OUTBOUND
];
341 enumerator
= array_create_enumerator(this->child_sas
);
342 while (enumerator
->enumerate(enumerator
, &child_sa
))
344 child_sa
->get_usestats(child_sa
, inbound
, ¤t
, NULL
, NULL
);
345 use_time
= max(use_time
, current
);
347 enumerator
->destroy(enumerator
);
352 METHOD(ike_sa_t
, get_unique_id
, uint32_t,
353 private_ike_sa_t
*this)
355 return this->unique_id
;
358 METHOD(ike_sa_t
, get_name
, char*,
359 private_ike_sa_t
*this)
363 return this->peer_cfg
->get_name(this->peer_cfg
);
368 METHOD(ike_sa_t
, get_statistic
, uint32_t,
369 private_ike_sa_t
*this, statistic_t kind
)
373 return this->stats
[kind
];
378 METHOD(ike_sa_t
, set_statistic
, void,
379 private_ike_sa_t
*this, statistic_t kind
, uint32_t value
)
383 this->stats
[kind
] = value
;
387 METHOD(ike_sa_t
, get_my_host
, host_t
*,
388 private_ike_sa_t
*this)
390 return this->my_host
;
393 METHOD(ike_sa_t
, set_my_host
, void,
394 private_ike_sa_t
*this, host_t
*me
)
396 DESTROY_IF(this->my_host
);
400 METHOD(ike_sa_t
, get_other_host
, host_t
*,
401 private_ike_sa_t
*this)
403 return this->other_host
;
406 METHOD(ike_sa_t
, set_other_host
, void,
407 private_ike_sa_t
*this, host_t
*other
)
409 DESTROY_IF(this->other_host
);
410 this->other_host
= other
;
413 METHOD(ike_sa_t
, get_redirected_from
, host_t
*,
414 private_ike_sa_t
*this)
416 return this->redirected_from
;
419 METHOD(ike_sa_t
, get_peer_cfg
, peer_cfg_t
*,
420 private_ike_sa_t
*this)
422 return this->peer_cfg
;
425 METHOD(ike_sa_t
, set_peer_cfg
, void,
426 private_ike_sa_t
*this, peer_cfg_t
*peer_cfg
)
428 peer_cfg
->get_ref(peer_cfg
);
429 DESTROY_IF(this->peer_cfg
);
430 this->peer_cfg
= peer_cfg
;
434 this->ike_cfg
= peer_cfg
->get_ike_cfg(peer_cfg
);
435 this->ike_cfg
->get_ref(this->ike_cfg
);
438 this->if_id_in
= peer_cfg
->get_if_id(peer_cfg
, TRUE
);
439 this->if_id_out
= peer_cfg
->get_if_id(peer_cfg
, FALSE
);
440 allocate_unique_if_ids(&this->if_id_in
, &this->if_id_out
);
443 METHOD(ike_sa_t
, get_auth_cfg
, auth_cfg_t
*,
444 private_ike_sa_t
*this, bool local
)
448 return this->my_auth
;
450 return this->other_auth
;
453 METHOD(ike_sa_t
, add_auth_cfg
, void,
454 private_ike_sa_t
*this, bool local
, auth_cfg_t
*cfg
)
458 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
);
462 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
);
466 METHOD(ike_sa_t
, create_auth_cfg_enumerator
, enumerator_t
*,
467 private_ike_sa_t
*this, bool local
)
471 return array_create_enumerator(this->my_auths
);
473 return array_create_enumerator(this->other_auths
);
477 * Flush the stored authentication round information
479 static void flush_auth_cfgs(private_ike_sa_t
*this)
483 this->my_auth
->purge(this->my_auth
, FALSE
);
484 this->other_auth
->purge(this->other_auth
, FALSE
);
486 while (array_remove(this->my_auths
, ARRAY_TAIL
, &cfg
))
490 while (array_remove(this->other_auths
, ARRAY_TAIL
, &cfg
))
496 METHOD(ike_sa_t
, verify_peer_certificate
, bool,
497 private_ike_sa_t
*this)
499 enumerator_t
*e1
, *e2
, *certs
;
500 auth_cfg_t
*cfg
, *cfg_done
;
501 certificate_t
*peer
, *cert
;
504 auth_cfg_wrapper_t
*wrapper
;
505 time_t not_before
, not_after
;
506 bool valid
= TRUE
, found
;
508 if (this->state
!= IKE_ESTABLISHED
)
510 DBG1(DBG_IKE
, "unable to verify peer certificate in state %N",
511 ike_sa_state_names
, this->state
);
515 if (!this->flush_auth_cfg
&&
516 lib
->settings
->get_bool(lib
->settings
,
517 "%s.flush_auth_cfg", FALSE
, lib
->ns
))
518 { /* we can do this check only once if auth configs are flushed */
519 DBG1(DBG_IKE
, "unable to verify peer certificate as authentication "
520 "information has been flushed");
523 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED
,
526 e1
= this->peer_cfg
->create_auth_cfg_enumerator(this->peer_cfg
, FALSE
);
527 e2
= array_create_enumerator(this->other_auths
);
528 while (e1
->enumerate(e1
, &cfg
))
530 if (!e2
->enumerate(e2
, &cfg_done
))
531 { /* this should not happen as the authentication should never have
536 if ((uintptr_t)cfg_done
->get(cfg_done
,
537 AUTH_RULE_AUTH_CLASS
) != AUTH_CLASS_PUBKEY
)
541 peer
= cfg_done
->get(cfg_done
, AUTH_RULE_SUBJECT_CERT
);
544 DBG1(DBG_IKE
, "no subject certificate found, skipping certificate "
548 if (!peer
->get_validity(peer
, NULL
, ¬_before
, ¬_after
))
550 DBG1(DBG_IKE
, "peer certificate invalid (valid from %T to %T)",
551 ¬_before
, FALSE
, ¬_after
, FALSE
);
555 key
= peer
->get_public_key(peer
);
558 DBG1(DBG_IKE
, "unable to retrieve public key, skipping certificate "
562 DBG1(DBG_IKE
, "verifying peer certificate");
563 /* serve received certificates */
564 wrapper
= auth_cfg_wrapper_create(cfg_done
);
565 lib
->credmgr
->add_local_set(lib
->credmgr
, &wrapper
->set
, FALSE
);
566 certs
= lib
->credmgr
->create_trusted_enumerator(lib
->credmgr
,
567 key
->get_type(key
), peer
->get_subject(peer
), TRUE
);
571 while (certs
->enumerate(certs
, &cert
, &auth
))
573 if (peer
->equals(peer
, cert
))
575 cfg_done
->add(cfg_done
, AUTH_RULE_CERT_VALIDATION_SUSPENDED
,
577 cfg_done
->merge(cfg_done
, auth
, FALSE
);
578 valid
= cfg_done
->complies(cfg_done
, cfg
, TRUE
);
583 certs
->destroy(certs
);
584 lib
->credmgr
->remove_local_set(lib
->credmgr
, &wrapper
->set
);
585 wrapper
->destroy(wrapper
);
586 if (!found
|| !valid
)
595 if (this->flush_auth_cfg
)
597 this->flush_auth_cfg
= FALSE
;
598 flush_auth_cfgs(this);
603 METHOD(ike_sa_t
, get_proposal
, proposal_t
*,
604 private_ike_sa_t
*this)
606 return this->proposal
;
609 METHOD(ike_sa_t
, set_proposal
, void,
610 private_ike_sa_t
*this, proposal_t
*proposal
)
612 DESTROY_IF(this->proposal
);
613 this->proposal
= proposal
->clone(proposal
, 0);
616 METHOD(ike_sa_t
, set_message_id
, void,
617 private_ike_sa_t
*this, bool initiate
, uint32_t mid
)
621 this->task_manager
->reset(this->task_manager
, mid
, UINT_MAX
);
625 this->task_manager
->reset(this->task_manager
, UINT_MAX
, mid
);
629 METHOD(ike_sa_t
, get_message_id
, uint32_t,
630 private_ike_sa_t
*this, bool initiate
)
632 return this->task_manager
->get_mid(this->task_manager
, initiate
);
635 METHOD(ike_sa_t
, send_keepalive
, void,
636 private_ike_sa_t
*this, bool scheduled
)
638 time_t last_out
, now
, diff
;
642 this->keepalive_job
= NULL
;
644 if (!this->keepalive_interval
|| this->state
== IKE_PASSIVE
)
645 { /* keepalives disabled either by configuration or for passive IKE_SAs */
648 if (!(this->conditions
& COND_NAT_HERE
) || (this->conditions
& COND_STALE
))
649 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
653 last_out
= get_use_time(this, FALSE
);
654 now
= time_monotonic(NULL
);
656 diff
= now
- last_out
;
658 if (diff
>= this->keepalive_interval
)
663 packet
= packet_create();
664 packet
->set_source(packet
, this->my_host
->clone(this->my_host
));
665 packet
->set_destination(packet
, this->other_host
->clone(this->other_host
));
666 data
.ptr
= malloc(1);
669 packet
->set_data(packet
, data
);
670 DBG1(DBG_IKE
, "sending keep alive to %#H", this->other_host
);
671 charon
->sender
->send_no_marker(charon
->sender
, packet
);
672 this->stats
[STAT_OUTBOUND
] = now
;
675 if (!this->keepalive_job
)
677 this->keepalive_job
= send_keepalive_job_create(this->ike_sa_id
);
678 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)this->keepalive_job
,
679 this->keepalive_interval
- diff
);
683 METHOD(ike_sa_t
, get_ike_cfg
, ike_cfg_t
*,
684 private_ike_sa_t
*this)
686 return this->ike_cfg
;
689 METHOD(ike_sa_t
, set_ike_cfg
, void,
690 private_ike_sa_t
*this, ike_cfg_t
*ike_cfg
)
692 DESTROY_IF(this->ike_cfg
);
693 ike_cfg
->get_ref(ike_cfg
);
694 this->ike_cfg
= ike_cfg
;
697 METHOD(ike_sa_t
, enable_extension
, void,
698 private_ike_sa_t
*this, ike_extension_t extension
)
700 this->extensions
|= extension
;
703 METHOD(ike_sa_t
, supports_extension
, bool,
704 private_ike_sa_t
*this, ike_extension_t extension
)
706 return (this->extensions
& extension
) != FALSE
;
709 METHOD(ike_sa_t
, has_condition
, bool,
710 private_ike_sa_t
*this, ike_condition_t condition
)
712 return (this->conditions
& condition
) != FALSE
;
715 METHOD(ike_sa_t
, set_condition
, void,
716 private_ike_sa_t
*this, ike_condition_t condition
, bool enable
)
718 if (has_condition(this, condition
) != enable
)
722 this->conditions
|= condition
;
726 DBG1(DBG_IKE
, "local host is behind NAT, sending keep alives");
727 this->conditions
|= COND_NAT_ANY
;
728 send_keepalive(this, FALSE
);
731 DBG1(DBG_IKE
, "remote host is behind NAT");
732 this->conditions
|= COND_NAT_ANY
;
735 DBG1(DBG_IKE
, "faking NAT situation to enforce UDP encapsulation");
736 this->conditions
|= COND_NAT_ANY
;
744 this->conditions
&= ~condition
;
749 DBG1(DBG_IKE
, "%s host is not behind NAT anymore",
750 condition
== COND_NAT_HERE
? "local" : "remote");
753 set_condition(this, COND_NAT_ANY
,
754 has_condition(this, COND_NAT_HERE
) ||
755 has_condition(this, COND_NAT_THERE
) ||
756 has_condition(this, COND_NAT_FAKE
));
759 send_keepalive(this, FALSE
);
768 METHOD(ike_sa_t
, send_dpd
, status_t
,
769 private_ike_sa_t
*this)
773 bool task_queued
= FALSE
;
775 if (this->state
== IKE_PASSIVE
)
777 return INVALID_STATE
;
779 if (this->version
== IKEV1
&& this->state
== IKE_REKEYING
)
780 { /* don't send DPDs for rekeyed IKEv1 SAs */
783 delay
= this->peer_cfg
->get_dpd(this->peer_cfg
);
784 if (this->task_manager
->busy(this->task_manager
))
786 /* an exchange is in the air, no need to start a DPD check */
791 /* check if there was any inbound traffic */
793 last_in
= get_use_time(this, TRUE
);
794 now
= time_monotonic(NULL
);
795 diff
= now
- last_in
;
796 if (!delay
|| diff
>= delay
)
798 /* too long ago, initiate dead peer detection */
799 DBG1(DBG_IKE
, "sending DPD request");
800 this->task_manager
->queue_dpd(this->task_manager
);
805 /* recheck in "interval" seconds */
808 job
= (job_t
*)send_dpd_job_create(this->ike_sa_id
);
809 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, delay
- diff
);
813 return this->task_manager
->initiate(this->task_manager
);
818 METHOD(ike_sa_t
, get_state
, ike_sa_state_t
,
819 private_ike_sa_t
*this)
824 METHOD(ike_sa_t
, set_state
, void,
825 private_ike_sa_t
*this, ike_sa_state_t state
)
827 bool trigger_dpd
= FALSE
, keepalives
= FALSE
;
829 DBG2(DBG_IKE
, "IKE_SA %s[%d] state change: %N => %N",
830 get_name(this), this->unique_id
,
831 ike_sa_state_names
, this->state
,
832 ike_sa_state_names
, state
);
836 case IKE_ESTABLISHED
:
838 if (this->state
== IKE_CONNECTING
||
839 this->state
== IKE_PASSIVE
)
844 /* calculate rekey, reauth and lifetime */
845 this->stats
[STAT_ESTABLISHED
] = time_monotonic(NULL
);
847 /* schedule rekeying if we have a time which is smaller than
848 * an already scheduled rekeying */
849 t
= this->peer_cfg
->get_rekey_time(this->peer_cfg
, TRUE
);
850 if (t
&& (this->stats
[STAT_REKEY
] == 0 ||
851 (this->stats
[STAT_REKEY
] > t
+ this->stats
[STAT_ESTABLISHED
])))
853 this->stats
[STAT_REKEY
] = t
+ this->stats
[STAT_ESTABLISHED
];
854 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, FALSE
);
855 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
856 DBG1(DBG_IKE
, "scheduling rekeying in %ds", t
);
858 t
= this->peer_cfg
->get_reauth_time(this->peer_cfg
, TRUE
);
859 if (t
&& (this->stats
[STAT_REAUTH
] == 0 ||
860 (this->stats
[STAT_REAUTH
] > t
+ this->stats
[STAT_ESTABLISHED
])))
862 this->stats
[STAT_REAUTH
] = t
+ this->stats
[STAT_ESTABLISHED
];
863 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
);
864 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
865 DBG1(DBG_IKE
, "scheduling reauthentication in %ds", t
);
867 t
= this->peer_cfg
->get_over_time(this->peer_cfg
);
868 if (this->stats
[STAT_REKEY
] || this->stats
[STAT_REAUTH
])
870 if (this->stats
[STAT_REAUTH
] == 0)
872 this->stats
[STAT_DELETE
] = this->stats
[STAT_REKEY
];
874 else if (this->stats
[STAT_REKEY
] == 0)
876 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
];
880 this->stats
[STAT_DELETE
] = min(this->stats
[STAT_REKEY
],
881 this->stats
[STAT_REAUTH
]);
883 this->stats
[STAT_DELETE
] += t
;
884 t
= this->stats
[STAT_DELETE
] - this->stats
[STAT_ESTABLISHED
];
885 job
= (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
);
886 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
887 DBG1(DBG_IKE
, "maximum IKE_SA lifetime %ds", t
);
889 trigger_dpd
= this->peer_cfg
->get_dpd(this->peer_cfg
);
892 /* Some peers delay the DELETE after rekeying an IKE_SA.
893 * If this delay is longer than our DPD delay, we would
894 * send a DPD request here. The IKE_SA is not ready to do
895 * so yet, so prevent that. */
896 this->stats
[STAT_INBOUND
] = this->stats
[STAT_ESTABLISHED
];
898 if (this->state
== IKE_PASSIVE
)
902 DESTROY_IF(this->redirected_from
);
903 this->redirected_from
= NULL
;
910 charon
->bus
->ike_state_change(charon
->bus
, &this->public, state
);
915 if (supports_extension(this, EXT_DPD
))
921 DBG1(DBG_IKE
, "DPD not supported by peer, disabled");
926 send_keepalive(this, FALSE
);
930 METHOD(ike_sa_t
, reset
, void,
931 private_ike_sa_t
*this, bool new_spi
)
933 /* reset the initiator SPI if requested */
936 charon
->ike_sa_manager
->new_initiator_spi(charon
->ike_sa_manager
,
939 /* when starting from scratch, connect to the original peer again e.g.
940 * if we got redirected but weren't able to connect successfully */
941 if (this->redirected_from
)
943 this->redirected_from
->destroy(this->redirected_from
);
944 this->redirected_from
= NULL
;
945 /* we can't restore the original value, if there was any */
946 DESTROY_IF(this->remote_host
);
947 this->remote_host
= NULL
;
950 /* the responder ID is reset, as peer may choose another one */
951 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
953 this->ike_sa_id
->set_responder_spi(this->ike_sa_id
, 0);
956 set_state(this, IKE_CREATED
);
958 flush_auth_cfgs(this);
960 this->keymat
->destroy(this->keymat
);
961 this->keymat
= keymat_create(this->version
,
962 this->ike_sa_id
->is_initiator(this->ike_sa_id
));
964 this->task_manager
->reset(this->task_manager
, 0, 0);
965 this->task_manager
->queue_ike(this->task_manager
);
968 METHOD(ike_sa_t
, get_keymat
, keymat_t
*,
969 private_ike_sa_t
*this)
974 METHOD(ike_sa_t
, add_virtual_ip
, void,
975 private_ike_sa_t
*this, bool local
, host_t
*ip
)
981 if (charon
->kernel
->get_interface(charon
->kernel
, this->my_host
,
984 DBG1(DBG_IKE
, "installing new virtual IP %H", ip
);
985 if (charon
->kernel
->add_ip(charon
->kernel
, ip
, -1,
988 array_insert_create(&this->my_vips
, ARRAY_TAIL
, ip
->clone(ip
));
992 DBG1(DBG_IKE
, "installing virtual IP %H failed", ip
);
998 DBG1(DBG_IKE
, "looking up interface for virtual IP %H failed", ip
);
1003 array_insert_create(&this->other_vips
, ARRAY_TAIL
, ip
->clone(ip
));
1008 METHOD(ike_sa_t
, clear_virtual_ips
, void,
1009 private_ike_sa_t
*this, bool local
)
1014 vips
= local
? this->my_vips
: this->other_vips
;
1015 if (!local
&& array_count(vips
))
1017 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
1019 while (array_remove(vips
, ARRAY_HEAD
, &vip
))
1023 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
1029 METHOD(ike_sa_t
, create_virtual_ip_enumerator
, enumerator_t
*,
1030 private_ike_sa_t
*this, bool local
)
1034 return array_create_enumerator(this->my_vips
);
1036 return array_create_enumerator(this->other_vips
);
1039 METHOD(ike_sa_t
, add_peer_address
, void,
1040 private_ike_sa_t
*this, host_t
*host
)
1042 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, host
);
1045 METHOD(ike_sa_t
, create_peer_address_enumerator
, enumerator_t
*,
1046 private_ike_sa_t
*this)
1048 if (this->peer_addresses
)
1050 return array_create_enumerator(this->peer_addresses
);
1052 /* in case we don't have MOBIKE */
1053 return enumerator_create_single(this->other_host
, NULL
);
1056 METHOD(ike_sa_t
, clear_peer_addresses
, void,
1057 private_ike_sa_t
*this)
1059 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
1060 this->peer_addresses
= NULL
;
1063 METHOD(ike_sa_t
, has_mapping_changed
, bool,
1064 private_ike_sa_t
*this, chunk_t hash
)
1066 if (this->nat_detection_dest
.ptr
== NULL
)
1068 this->nat_detection_dest
= chunk_clone(hash
);
1071 if (chunk_equals(hash
, this->nat_detection_dest
))
1075 free(this->nat_detection_dest
.ptr
);
1076 this->nat_detection_dest
= chunk_clone(hash
);
1080 METHOD(ike_sa_t
, float_ports
, void,
1081 private_ike_sa_t
*this)
1083 /* even if the remote port is not 500 (e.g. because the response was natted)
1084 * we switch the remote port if we used port 500 */
1085 if (this->other_host
->get_port(this->other_host
) == IKEV2_UDP_PORT
||
1086 this->my_host
->get_port(this->my_host
) == IKEV2_UDP_PORT
)
1088 this->other_host
->set_port(this->other_host
, IKEV2_NATT_PORT
);
1090 if (this->my_host
->get_port(this->my_host
) ==
1091 charon
->socket
->get_port(charon
->socket
, FALSE
))
1093 this->my_host
->set_port(this->my_host
,
1094 charon
->socket
->get_port(charon
->socket
, TRUE
));
1098 METHOD(ike_sa_t
, update_hosts
, void,
1099 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, bool force
)
1101 bool update
= FALSE
;
1109 other
= this->other_host
;
1112 /* apply hosts on first received message */
1113 if (this->my_host
->is_anyaddr(this->my_host
) ||
1114 this->other_host
->is_anyaddr(this->other_host
))
1116 set_my_host(this, me
->clone(me
));
1117 set_other_host(this, other
->clone(other
));
1122 /* update our address in any case */
1123 if (force
&& !me
->equals(me
, this->my_host
))
1125 charon
->bus
->ike_update(charon
->bus
, &this->public, TRUE
, me
);
1126 set_my_host(this, me
->clone(me
));
1130 if (!other
->equals(other
, this->other_host
) &&
1131 (force
|| has_condition(this, COND_NAT_THERE
)))
1133 /* only update other's address if we are behind a static NAT,
1134 * which we assume is the case if we are not initiator */
1136 (!has_condition(this, COND_NAT_HERE
) ||
1137 !has_condition(this, COND_ORIGINAL_INITIATOR
)))
1139 charon
->bus
->ike_update(charon
->bus
, &this->public, FALSE
, other
);
1140 set_other_host(this, other
->clone(other
));
1146 /* update all associated CHILD_SAs, if required */
1149 enumerator_t
*enumerator
;
1150 child_sa_t
*child_sa
;
1151 linked_list_t
*vips
;
1153 vips
= linked_list_create_from_enumerator(
1154 array_create_enumerator(this->my_vips
));
1156 enumerator
= array_create_enumerator(this->child_sas
);
1157 while (enumerator
->enumerate(enumerator
, &child_sa
))
1159 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
1160 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1161 child_sa
, &this->public);
1163 if (child_sa
->update(child_sa
, this->my_host
, this->other_host
,
1164 vips
, has_condition(this, COND_NAT_ANY
)) == NOT_SUPPORTED
)
1166 this->public.rekey_child_sa(&this->public,
1167 child_sa
->get_protocol(child_sa
),
1168 child_sa
->get_spi(child_sa
, TRUE
));
1172 enumerator
->destroy(enumerator
);
1174 vips
->destroy(vips
);
1179 * Set configured DSCP value on packet
1181 static void set_dscp(private_ike_sa_t
*this, packet_t
*packet
)
1185 /* prefer IKE config on peer_cfg, as its selection is more accurate
1186 * then the initial IKE config */
1189 ike_cfg
= this->peer_cfg
->get_ike_cfg(this->peer_cfg
);
1193 ike_cfg
= this->ike_cfg
;
1197 packet
->set_dscp(packet
, ike_cfg
->get_dscp(ike_cfg
));
1201 METHOD(ike_sa_t
, generate_message
, status_t
,
1202 private_ike_sa_t
*this, message_t
*message
, packet_t
**packet
)
1206 if (message
->is_encoded(message
))
1207 { /* already encoded in task, but set DSCP value */
1208 *packet
= message
->get_packet(message
);
1209 set_dscp(this, *packet
);
1212 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1213 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1214 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1215 status
= message
->generate(message
, this->keymat
, packet
);
1216 if (status
== SUCCESS
)
1218 set_dscp(this, *packet
);
1219 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1224 CALLBACK(filter_fragments
, bool,
1225 private_ike_sa_t
*this, enumerator_t
*orig
, va_list args
)
1227 packet_t
*fragment
, **packet
;
1229 VA_ARGS_VGET(args
, packet
);
1231 if (orig
->enumerate(orig
, &fragment
))
1233 *packet
= fragment
->clone(fragment
);
1234 set_dscp(this, *packet
);
1240 METHOD(ike_sa_t
, generate_message_fragmented
, status_t
,
1241 private_ike_sa_t
*this, message_t
*message
, enumerator_t
**packets
)
1243 enumerator_t
*fragments
;
1246 bool use_frags
= FALSE
;
1247 bool pre_generated
= FALSE
;
1251 switch (this->ike_cfg
->fragmentation(this->ike_cfg
))
1253 case FRAGMENTATION_FORCE
:
1256 case FRAGMENTATION_YES
:
1257 use_frags
= supports_extension(this, EXT_IKE_FRAGMENTATION
);
1258 if (use_frags
&& this->version
== IKEV1
&&
1259 supports_extension(this, EXT_MS_WINDOWS
))
1261 /* It seems Windows 7 and 8 peers only accept proprietary
1262 * fragmented messages if they expect certificates. */
1263 use_frags
= message
->get_payload(message
,
1264 PLV1_CERTIFICATE
) != NULL
;
1273 status
= generate_message(this, message
, &packet
);
1274 if (status
!= SUCCESS
)
1278 *packets
= enumerator_create_single(packet
, NULL
);
1282 pre_generated
= message
->is_encoded(message
);
1283 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1284 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1287 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1289 status
= message
->fragment(message
, this->keymat
, this->fragment_size
,
1291 if (status
== SUCCESS
)
1295 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1297 *packets
= enumerator_create_filter(fragments
, filter_fragments
,
1303 METHOD(ike_sa_t
, set_kmaddress
, void,
1304 private_ike_sa_t
*this, host_t
*local
, host_t
*remote
)
1306 DESTROY_IF(this->local_host
);
1307 DESTROY_IF(this->remote_host
);
1308 this->local_host
= local
->clone(local
);
1309 this->remote_host
= remote
->clone(remote
);
1313 METHOD(ike_sa_t
, act_as_mediation_server
, void,
1314 private_ike_sa_t
*this)
1316 charon
->mediation_manager
->update_sa_id(charon
->mediation_manager
,
1317 this->other_id
, this->ike_sa_id
);
1318 this->is_mediation_server
= TRUE
;
1321 METHOD(ike_sa_t
, get_server_reflexive_host
, host_t
*,
1322 private_ike_sa_t
*this)
1324 return this->server_reflexive_host
;
1327 METHOD(ike_sa_t
, set_server_reflexive_host
, void,
1328 private_ike_sa_t
*this, host_t
*host
)
1330 DESTROY_IF(this->server_reflexive_host
);
1331 this->server_reflexive_host
= host
;
1334 METHOD(ike_sa_t
, get_connect_id
, chunk_t
,
1335 private_ike_sa_t
*this)
1337 return this->connect_id
;
1340 METHOD(ike_sa_t
, respond
, status_t
,
1341 private_ike_sa_t
*this, identification_t
*peer_id
, chunk_t connect_id
)
1343 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1344 task
->respond(task
, peer_id
, connect_id
);
1345 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1346 return this->task_manager
->initiate(this->task_manager
);
1349 METHOD(ike_sa_t
, callback
, status_t
,
1350 private_ike_sa_t
*this, identification_t
*peer_id
)
1352 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1353 task
->callback(task
, peer_id
);
1354 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1355 return this->task_manager
->initiate(this->task_manager
);
1358 METHOD(ike_sa_t
, relay
, status_t
,
1359 private_ike_sa_t
*this, identification_t
*requester
, chunk_t connect_id
,
1360 chunk_t connect_key
, linked_list_t
*endpoints
, bool response
)
1362 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1363 task
->relay(task
, requester
, connect_id
, connect_key
, endpoints
, response
);
1364 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1365 return this->task_manager
->initiate(this->task_manager
);
1368 METHOD(ike_sa_t
, initiate_mediation
, status_t
,
1369 private_ike_sa_t
*this, peer_cfg_t
*mediated_cfg
)
1371 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1372 task
->connect(task
, mediated_cfg
->get_peer_id(mediated_cfg
));
1373 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1374 return this->task_manager
->initiate(this->task_manager
);
1377 METHOD(ike_sa_t
, initiate_mediated
, status_t
,
1378 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, chunk_t connect_id
)
1380 set_my_host(this, me
->clone(me
));
1381 set_other_host(this, other
->clone(other
));
1382 chunk_free(&this->connect_id
);
1383 this->connect_id
= chunk_clone(connect_id
);
1384 return this->task_manager
->initiate(this->task_manager
);
1389 * Resolve DNS host in configuration
1391 static void resolve_hosts(private_ike_sa_t
*this)
1394 int family
= AF_UNSPEC
;
1396 switch (charon
->socket
->supported_families(charon
->socket
))
1398 case SOCKET_FAMILY_IPV4
:
1401 case SOCKET_FAMILY_IPV6
:
1404 case SOCKET_FAMILY_BOTH
:
1405 case SOCKET_FAMILY_NONE
:
1409 /* if an IP address is set locally, use the same family to resolve remote */
1410 if (family
== AF_UNSPEC
&& !this->remote_host
)
1412 if (this->local_host
)
1414 family
= this->local_host
->get_family(this->local_host
);
1418 family
= ike_cfg_get_family(this->ike_cfg
, TRUE
);
1422 if (this->remote_host
)
1424 host
= this->remote_host
->clone(this->remote_host
);
1425 host
->set_port(host
, IKEV2_UDP_PORT
);
1429 host
= this->ike_cfg
->resolve_other(this->ike_cfg
, family
);
1433 if (!host
->is_anyaddr(host
) ||
1434 this->other_host
->is_anyaddr(this->other_host
))
1435 { /* don't set to %any if we currently have an address, but the
1436 * address family might have changed */
1437 set_other_host(this, host
);
1440 { /* reuse the original port as some implementations might not like
1441 * initial IKE messages on other ports */
1442 this->other_host
->set_port(this->other_host
, host
->get_port(host
));
1443 host
->destroy(host
);
1447 if (this->local_host
)
1449 host
= this->local_host
->clone(this->local_host
);
1450 host
->set_port(host
, charon
->socket
->get_port(charon
->socket
, FALSE
));
1454 /* use same address family as for other */
1455 if (!this->other_host
->is_anyaddr(this->other_host
))
1457 family
= this->other_host
->get_family(this->other_host
);
1459 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1461 if (host
&& host
->is_anyaddr(host
) &&
1462 !this->other_host
->is_anyaddr(this->other_host
))
1464 host
->destroy(host
);
1465 host
= charon
->kernel
->get_source_addr(charon
->kernel
,
1466 this->other_host
, NULL
);
1469 host
->set_port(host
, this->ike_cfg
->get_my_port(this->ike_cfg
));
1472 { /* fallback to address family specific %any(6), if configured */
1473 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1479 set_my_host(this, host
);
1483 METHOD(ike_sa_t
, initiate
, status_t
,
1484 private_ike_sa_t
*this, child_cfg_t
*child_cfg
, uint32_t reqid
,
1485 traffic_selector_t
*tsi
, traffic_selector_t
*tsr
)
1487 bool defer_initiate
= FALSE
;
1489 if (this->state
== IKE_CREATED
)
1491 if (this->my_host
->is_anyaddr(this->my_host
) ||
1492 this->other_host
->is_anyaddr(this->other_host
))
1494 resolve_hosts(this);
1497 if (this->other_host
->is_anyaddr(this->other_host
)
1499 && !this->peer_cfg
->get_mediated_by(this->peer_cfg
)
1505 addr
= this->ike_cfg
->get_other_addr(this->ike_cfg
);
1506 if (!this->retry_initiate_interval
)
1508 DBG1(DBG_IKE
, "unable to resolve %s, initiate aborted",
1510 DESTROY_IF(child_cfg
);
1511 charon
->bus
->alert(charon
->bus
, ALERT_PEER_ADDR_FAILED
);
1514 DBG1(DBG_IKE
, "unable to resolve %s, retrying in %ds",
1515 addr
, this->retry_initiate_interval
);
1516 defer_initiate
= TRUE
;
1519 set_condition(this, COND_ORIGINAL_INITIATOR
, TRUE
);
1520 this->task_manager
->queue_ike(this->task_manager
);
1524 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
1526 if (this->state
== IKE_ESTABLISHED
)
1528 /* mediation connection is already established, retrigger state
1529 * change to notify bus listeners */
1530 DBG1(DBG_IKE
, "mediation connection is already up");
1531 set_state(this, IKE_ESTABLISHED
);
1533 DESTROY_IF(child_cfg
);
1539 /* normal IKE_SA with CHILD_SA */
1540 this->task_manager
->queue_child(this->task_manager
, child_cfg
, reqid
,
1543 if (this->peer_cfg
->get_mediated_by(this->peer_cfg
))
1545 /* mediated connection, initiate mediation process */
1546 job_t
*job
= (job_t
*)initiate_mediation_job_create(this->ike_sa_id
);
1547 lib
->processor
->queue_job(lib
->processor
, job
);
1555 if (!this->retry_initiate_queued
)
1557 job_t
*job
= (job_t
*)retry_initiate_job_create(this->ike_sa_id
);
1558 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)job
,
1559 this->retry_initiate_interval
);
1560 this->retry_initiate_queued
= TRUE
;
1564 this->retry_initiate_queued
= FALSE
;
1565 return this->task_manager
->initiate(this->task_manager
);
1568 METHOD(ike_sa_t
, retry_initiate
, status_t
,
1569 private_ike_sa_t
*this)
1571 if (this->retry_initiate_queued
)
1573 this->retry_initiate_queued
= FALSE
;
1574 return initiate(this, NULL
, 0, NULL
, NULL
);
1579 METHOD(ike_sa_t
, process_message
, status_t
,
1580 private_ike_sa_t
*this, message_t
*message
)
1584 if (this->state
== IKE_PASSIVE
)
1585 { /* do not handle messages in passive state */
1588 if (message
->get_major_version(message
) != this->version
)
1590 DBG1(DBG_IKE
, "ignoring %N IKEv%u exchange on %N SA",
1591 exchange_type_names
, message
->get_exchange_type(message
),
1592 message
->get_major_version(message
),
1593 ike_version_names
, this->version
);
1594 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1595 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1598 status
= this->task_manager
->process_message(this->task_manager
, message
);
1599 if (this->flush_auth_cfg
&& this->state
== IKE_ESTABLISHED
)
1601 /* authentication completed but if the online validation is suspended we
1602 * need the auth cfgs until we did the delayed verification, we flush
1603 * them afterwards */
1604 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED
))
1606 this->flush_auth_cfg
= FALSE
;
1607 flush_auth_cfgs(this);
1613 METHOD(ike_sa_t
, get_id
, ike_sa_id_t
*,
1614 private_ike_sa_t
*this)
1616 return this->ike_sa_id
;
1619 METHOD(ike_sa_t
, get_version
, ike_version_t
,
1620 private_ike_sa_t
*this)
1622 return this->version
;
1625 METHOD(ike_sa_t
, get_my_id
, identification_t
*,
1626 private_ike_sa_t
*this)
1631 METHOD(ike_sa_t
, set_my_id
, void,
1632 private_ike_sa_t
*this, identification_t
*me
)
1634 DESTROY_IF(this->my_id
);
1638 METHOD(ike_sa_t
, get_other_id
, identification_t
*,
1639 private_ike_sa_t
*this)
1641 return this->other_id
;
1644 METHOD(ike_sa_t
, get_other_eap_id
, identification_t
*,
1645 private_ike_sa_t
*this)
1647 identification_t
*id
= NULL
, *current
;
1648 enumerator_t
*enumerator
;
1651 enumerator
= array_create_enumerator(this->other_auths
);
1652 while (enumerator
->enumerate(enumerator
, &cfg
))
1654 /* prefer EAP-Identity of last round */
1655 current
= cfg
->get(cfg
, AUTH_RULE_EAP_IDENTITY
);
1656 if (!current
|| current
->get_type(current
) == ID_ANY
)
1658 current
= cfg
->get(cfg
, AUTH_RULE_XAUTH_IDENTITY
);
1660 if (!current
|| current
->get_type(current
) == ID_ANY
)
1662 current
= cfg
->get(cfg
, AUTH_RULE_IDENTITY
);
1664 if (current
&& current
->get_type(current
) != ID_ANY
)
1670 enumerator
->destroy(enumerator
);
1675 return this->other_id
;
1678 METHOD(ike_sa_t
, set_other_id
, void,
1679 private_ike_sa_t
*this, identification_t
*other
)
1681 DESTROY_IF(this->other_id
);
1682 this->other_id
= other
;
1685 METHOD(ike_sa_t
, get_if_id
, uint32_t,
1686 private_ike_sa_t
*this, bool inbound
)
1688 return inbound
? this->if_id_in
: this->if_id_out
;
1691 METHOD(ike_sa_t
, add_child_sa
, void,
1692 private_ike_sa_t
*this, child_sa_t
*child_sa
)
1694 array_insert_create(&this->child_sas
, ARRAY_TAIL
, child_sa
);
1695 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1696 child_sa
, &this->public);
1699 METHOD(ike_sa_t
, get_child_sa
, child_sa_t
*,
1700 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool inbound
)
1702 enumerator_t
*enumerator
;
1703 child_sa_t
*current
, *found
= NULL
;
1705 enumerator
= array_create_enumerator(this->child_sas
);
1706 while (enumerator
->enumerate(enumerator
, (void**)¤t
))
1708 if (current
->get_spi(current
, inbound
) == spi
&&
1709 current
->get_protocol(current
) == protocol
)
1714 enumerator
->destroy(enumerator
);
1718 METHOD(ike_sa_t
, get_child_count
, int,
1719 private_ike_sa_t
*this)
1721 return array_count(this->child_sas
);
1725 * Private data of a create_child_sa_enumerator()
1728 /** implements enumerator */
1729 enumerator_t
public;
1730 /** inner array enumerator */
1731 enumerator_t
*inner
;
1733 child_sa_t
*current
;
1734 } child_enumerator_t
;
1736 METHOD(enumerator_t
, child_enumerate
, bool,
1737 child_enumerator_t
*this, va_list args
)
1739 child_sa_t
**child_sa
;
1741 VA_ARGS_VGET(args
, child_sa
);
1742 if (this->inner
->enumerate(this->inner
, &this->current
))
1744 *child_sa
= this->current
;
1750 METHOD(enumerator_t
, child_enumerator_destroy
, void,
1751 child_enumerator_t
*this)
1753 this->inner
->destroy(this->inner
);
1757 METHOD(ike_sa_t
, create_child_sa_enumerator
, enumerator_t
*,
1758 private_ike_sa_t
*this)
1760 child_enumerator_t
*enumerator
;
1764 .enumerate
= enumerator_enumerate_default
,
1765 .venumerate
= _child_enumerate
,
1766 .destroy
= _child_enumerator_destroy
,
1768 .inner
= array_create_enumerator(this->child_sas
),
1770 return &enumerator
->public;
1773 METHOD(ike_sa_t
, remove_child_sa
, void,
1774 private_ike_sa_t
*this, enumerator_t
*enumerator
)
1776 child_enumerator_t
*ce
= (child_enumerator_t
*)enumerator
;
1778 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, ce
->current
);
1779 array_remove_at(this->child_sas
, ce
->inner
);
1782 METHOD(ike_sa_t
, rekey_child_sa
, status_t
,
1783 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1785 if (this->state
== IKE_PASSIVE
)
1787 return INVALID_STATE
;
1789 this->task_manager
->queue_child_rekey(this->task_manager
, protocol
, spi
);
1790 return this->task_manager
->initiate(this->task_manager
);
1793 METHOD(ike_sa_t
, delete_child_sa
, status_t
,
1794 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool expired
)
1796 if (this->state
== IKE_PASSIVE
)
1798 return INVALID_STATE
;
1800 this->task_manager
->queue_child_delete(this->task_manager
,
1801 protocol
, spi
, expired
);
1802 return this->task_manager
->initiate(this->task_manager
);
1805 METHOD(ike_sa_t
, destroy_child_sa
, status_t
,
1806 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1808 enumerator_t
*enumerator
;
1809 child_sa_t
*child_sa
;
1810 status_t status
= NOT_FOUND
;
1812 enumerator
= create_child_sa_enumerator(this);
1813 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
1815 if (child_sa
->get_protocol(child_sa
) == protocol
&&
1816 child_sa
->get_spi(child_sa
, TRUE
) == spi
)
1818 remove_child_sa(this, enumerator
);
1819 child_sa
->destroy(child_sa
);
1824 enumerator
->destroy(enumerator
);
1828 METHOD(ike_sa_t
, delete_
, status_t
,
1829 private_ike_sa_t
*this, bool force
)
1831 status_t status
= DESTROY_ME
;
1833 switch (this->state
)
1835 case IKE_ESTABLISHED
:
1837 if (time_monotonic(NULL
) >= this->stats
[STAT_DELETE
] &&
1838 !(this->version
== IKEV1
&& this->state
== IKE_REKEYING
))
1839 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1841 charon
->bus
->alert(charon
->bus
, ALERT_IKE_SA_EXPIRED
);
1843 this->task_manager
->queue_ike_delete(this->task_manager
);
1844 status
= this->task_manager
->initiate(this->task_manager
);
1847 DBG1(DBG_IKE
, "deleting unestablished IKE_SA");
1852 DBG1(DBG_IKE
, "destroying IKE_SA in state %N without notification",
1853 ike_sa_state_names
, this->state
);
1860 status
= DESTROY_ME
;
1862 if (this->version
== IKEV2
)
1863 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1864 switch (this->state
)
1866 case IKE_ESTABLISHED
:
1869 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
1878 METHOD(ike_sa_t
, rekey
, status_t
,
1879 private_ike_sa_t
*this)
1881 if (this->state
== IKE_PASSIVE
)
1883 return INVALID_STATE
;
1885 this->task_manager
->queue_ike_rekey(this->task_manager
);
1886 return this->task_manager
->initiate(this->task_manager
);
1889 METHOD(ike_sa_t
, reauth
, status_t
,
1890 private_ike_sa_t
*this)
1892 if (this->state
== IKE_PASSIVE
)
1894 return INVALID_STATE
;
1896 if (this->state
== IKE_CONNECTING
)
1898 DBG0(DBG_IKE
, "reinitiating IKE_SA %s[%d]",
1899 get_name(this), this->unique_id
);
1901 return this->task_manager
->initiate(this->task_manager
);
1903 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1904 * If the peer does not support RFC4478, there is no way to keep the
1906 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
1908 DBG1(DBG_IKE
, "initiator did not reauthenticate as requested");
1909 if (array_count(this->other_vips
) != 0 ||
1910 has_condition(this, COND_XAUTH_AUTHENTICATED
) ||
1911 has_condition(this, COND_EAP_AUTHENTICATED
)
1913 /* as mediation server we too cannot reauth the IKE_SA */
1914 || this->is_mediation_server
1920 del
= this->stats
[STAT_DELETE
];
1921 now
= time_monotonic(NULL
);
1922 DBG1(DBG_IKE
, "IKE_SA %s[%d] will timeout in %V",
1923 get_name(this), this->unique_id
, &now
, &del
);
1928 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d] actively",
1929 get_name(this), this->unique_id
);
1934 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d]",
1935 get_name(this), this->unique_id
);
1937 set_condition(this, COND_REAUTHENTICATING
, TRUE
);
1938 this->task_manager
->queue_ike_reauth(this->task_manager
);
1939 return this->task_manager
->initiate(this->task_manager
);
1943 * Check if any tasks of a specific type are queued in the given queue.
1945 static bool is_task_queued(private_ike_sa_t
*this, task_queue_t queue
,
1948 enumerator_t
*enumerator
;
1952 enumerator
= this->task_manager
->create_task_enumerator(this->task_manager
,
1954 while (enumerator
->enumerate(enumerator
, &task
))
1956 if (task
->get_type(task
) == type
)
1962 enumerator
->destroy(enumerator
);
1967 * Check if any tasks to create CHILD_SAs are queued in the given queue.
1969 static bool is_child_queued(private_ike_sa_t
*this, task_queue_t queue
)
1971 return is_task_queued(this, queue
,
1972 this->version
== IKEV1
? TASK_QUICK_MODE
: TASK_CHILD_CREATE
);
1976 * Check if any tasks to delete the IKE_SA are queued in the given queue.
1978 static bool is_delete_queued(private_ike_sa_t
*this, task_queue_t queue
)
1980 return is_task_queued(this, queue
,
1981 this->version
== IKEV1
? TASK_ISAKMP_DELETE
: TASK_IKE_DELETE
);
1985 * Reestablish CHILD_SAs and migrate queued tasks.
1987 * If force is true all SAs are restarted, otherwise their close/dpd_action
1990 static status_t
reestablish_children(private_ike_sa_t
*this, ike_sa_t
*new,
1993 enumerator_t
*enumerator
;
1994 child_sa_t
*child_sa
;
1995 child_cfg_t
*child_cfg
;
1997 status_t status
= FAILED
;
1999 /* handle existing CHILD_SAs */
2000 enumerator
= create_child_sa_enumerator(this);
2001 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
2003 switch (child_sa
->get_state(child_sa
))
2007 /* ignore CHILD_SAs in these states */
2014 action
= ACTION_RESTART
;
2017 { /* only restart CHILD_SAs that are configured accordingly */
2018 if (this->state
== IKE_DELETING
)
2020 action
= child_sa
->get_close_action(child_sa
);
2024 action
= child_sa
->get_dpd_action(child_sa
);
2029 case ACTION_RESTART
:
2030 child_cfg
= child_sa
->get_config(child_sa
);
2031 DBG1(DBG_IKE
, "restarting CHILD_SA %s",
2032 child_cfg
->get_name(child_cfg
));
2033 child_cfg
->get_ref(child_cfg
);
2034 status
= new->initiate(new, child_cfg
,
2035 child_sa
->get_reqid(child_sa
), NULL
, NULL
);
2040 if (status
== DESTROY_ME
)
2045 enumerator
->destroy(enumerator
);
2046 /* adopt any active or queued CHILD-creating tasks */
2047 if (status
!= DESTROY_ME
)
2049 new->adopt_child_tasks(new, &this->public);
2050 if (new->get_state(new) == IKE_CREATED
)
2052 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2058 METHOD(ike_sa_t
, reestablish
, status_t
,
2059 private_ike_sa_t
*this)
2064 enumerator_t
*enumerator
;
2065 child_sa_t
*child_sa
;
2066 bool restart
= FALSE
;
2067 status_t status
= FAILED
;
2069 if (is_delete_queued(this, TASK_QUEUE_QUEUED
))
2070 { /* don't reestablish IKE_SAs that have explicitly been deleted in the
2075 if (has_condition(this, COND_REAUTHENTICATING
))
2076 { /* only reauthenticate if we have children */
2077 if (array_count(this->child_sas
) == 0
2079 /* allow reauth of mediation connections without CHILD_SAs */
2080 && !this->peer_cfg
->is_mediation(this->peer_cfg
)
2084 DBG1(DBG_IKE
, "unable to reauthenticate IKE_SA, no CHILD_SA "
2093 { /* check if we have children to keep up at all */
2094 enumerator
= array_create_enumerator(this->child_sas
);
2095 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
2097 switch (child_sa
->get_state(child_sa
))
2101 /* ignore CHILD_SAs in these states */
2106 if (this->state
== IKE_DELETING
)
2108 action
= child_sa
->get_close_action(child_sa
);
2112 action
= child_sa
->get_dpd_action(child_sa
);
2116 case ACTION_RESTART
:
2120 charon
->traps
->install(charon
->traps
, this->peer_cfg
,
2121 child_sa
->get_config(child_sa
));
2127 enumerator
->destroy(enumerator
);
2128 /* check if we have tasks that recreate children */
2131 restart
= is_child_queued(this, TASK_QUEUE_ACTIVE
) ||
2132 is_child_queued(this, TASK_QUEUE_QUEUED
);
2135 /* mediation connections have no children, keep them up anyway */
2136 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2147 /* check if we are able to reestablish this IKE_SA */
2148 if (!has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2149 (array_count(this->other_vips
) != 0 ||
2150 has_condition(this, COND_EAP_AUTHENTICATED
)
2152 || this->is_mediation_server
2156 DBG1(DBG_IKE
, "unable to reestablish IKE_SA due to asymmetric setup");
2160 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2161 this->version
, TRUE
);
2166 new->set_peer_cfg(new, this->peer_cfg
);
2167 host
= this->other_host
;
2168 new->set_other_host(new, host
->clone(host
));
2169 host
= this->my_host
;
2170 new->set_my_host(new, host
->clone(host
));
2171 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2172 if (!has_condition(this, COND_REAUTHENTICATING
))
2173 { /* reauthenticate to the same addresses, but resolve hosts if
2174 * reestablishing (old addresses serve as fallback) */
2175 resolve_hosts((private_ike_sa_t
*)new);
2177 /* if we already have a virtual IP, we reuse it */
2178 enumerator
= array_create_enumerator(this->my_vips
);
2179 while (enumerator
->enumerate(enumerator
, &host
))
2181 new->add_virtual_ip(new, TRUE
, host
);
2183 enumerator
->destroy(enumerator
);
2186 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2188 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2193 status
= reestablish_children(this, new,
2194 has_condition(this, COND_REAUTHENTICATING
));
2197 if (status
== DESTROY_ME
)
2199 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2201 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2206 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2208 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2211 charon
->bus
->set_sa(charon
->bus
, &this->public);
2216 * Resolve the given gateway ID
2218 static host_t
*resolve_gateway_id(identification_t
*gateway
)
2223 snprintf(gw
, sizeof(gw
), "%Y", gateway
);
2224 gw
[sizeof(gw
)-1] = '\0';
2225 addr
= host_create_from_dns(gw
, AF_UNSPEC
, IKEV2_UDP_PORT
);
2228 DBG1(DBG_IKE
, "unable to resolve gateway ID '%Y', redirect failed",
2235 * Redirect the current SA to the given target host
2237 static bool redirect_established(private_ike_sa_t
*this, identification_t
*to
)
2239 private_ike_sa_t
*new_priv
;
2244 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2245 this->version
, TRUE
);
2250 new_priv
= (private_ike_sa_t
*)new;
2251 new->set_peer_cfg(new, this->peer_cfg
);
2252 new_priv
->redirected_from
= this->other_host
->clone(this->other_host
);
2253 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2254 other
= resolve_gateway_id(to
);
2257 set_my_host(new_priv
, this->my_host
->clone(this->my_host
));
2258 /* this allows us to force the remote address while we still properly
2259 * resolve the local address */
2260 new_priv
->remote_host
= other
;
2261 resolve_hosts(new_priv
);
2262 new_priv
->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2263 while (array_remove(this->redirected_at
, ARRAY_HEAD
, &redirect
))
2265 array_insert(new_priv
->redirected_at
, ARRAY_TAIL
, &redirect
);
2267 if (reestablish_children(this, new, TRUE
) != DESTROY_ME
)
2270 new->queue_task(new, (task_t
*)ike_reauth_complete_create(new,
2273 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2275 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2276 charon
->bus
->set_sa(charon
->bus
, &this->public);
2280 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2282 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2283 charon
->bus
->set_sa(charon
->bus
, &this->public);
2288 * Redirect the current connecting SA to the given target host
2290 static bool redirect_connecting(private_ike_sa_t
*this, identification_t
*to
)
2294 other
= resolve_gateway_id(to
);
2300 DESTROY_IF(this->redirected_from
);
2301 this->redirected_from
= this->other_host
->clone(this->other_host
);
2302 /* this allows us to force the remote address while we still properly
2303 * resolve the local address */
2304 DESTROY_IF(this->remote_host
);
2305 this->remote_host
= other
;
2306 resolve_hosts(this);
2311 * Check if the current redirect exceeds the limits for redirects
2313 static bool redirect_count_exceeded(private_ike_sa_t
*this)
2315 time_t now
, redirect
;
2317 now
= time_monotonic(NULL
);
2318 /* remove entries outside the defined period */
2319 while (array_get(this->redirected_at
, ARRAY_HEAD
, &redirect
) &&
2320 now
- redirect
>= REDIRECT_LOOP_DETECT_PERIOD
)
2322 array_remove(this->redirected_at
, ARRAY_HEAD
, NULL
);
2324 if (array_count(this->redirected_at
) < MAX_REDIRECTS
)
2326 if (!this->redirected_at
)
2328 this->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2330 array_insert(this->redirected_at
, ARRAY_TAIL
, &now
);
2336 METHOD(ike_sa_t
, handle_redirect
, bool,
2337 private_ike_sa_t
*this, identification_t
*gateway
)
2339 DBG1(DBG_IKE
, "redirected to %Y", gateway
);
2340 if (!this->follow_redirects
)
2342 DBG1(DBG_IKE
, "server sent REDIRECT even though we disabled it");
2345 if (redirect_count_exceeded(this))
2347 DBG1(DBG_IKE
, "only %d redirects are allowed within %d seconds",
2348 MAX_REDIRECTS
, REDIRECT_LOOP_DETECT_PERIOD
);
2352 switch (this->state
)
2354 case IKE_CONNECTING
:
2355 return redirect_connecting(this, gateway
);
2356 case IKE_ESTABLISHED
:
2357 return redirect_established(this, gateway
);
2359 DBG1(DBG_IKE
, "unable to handle redirect for IKE_SA in state %N",
2360 ike_sa_state_names
, this->state
);
2365 METHOD(ike_sa_t
, redirect
, status_t
,
2366 private_ike_sa_t
*this, identification_t
*gateway
)
2368 switch (this->state
)
2370 case IKE_CONNECTING
:
2371 case IKE_ESTABLISHED
:
2373 if (has_condition(this, COND_REDIRECTED
))
2374 { /* IKE_SA already got redirected */
2377 if (has_condition(this, COND_ORIGINAL_INITIATOR
))
2379 DBG1(DBG_IKE
, "unable to redirect IKE_SA as initiator");
2382 if (this->version
== IKEV1
)
2384 DBG1(DBG_IKE
, "unable to redirect IKEv1 SA");
2387 if (!supports_extension(this, EXT_IKE_REDIRECTION
))
2389 DBG1(DBG_IKE
, "client does not support IKE redirection");
2393 this->task_manager
->queue_task(this->task_manager
,
2394 (task_t
*)ike_redirect_create(&this->public, gateway
));
2396 return this->task_manager
->initiate(this->task_manager
);
2398 DBG1(DBG_IKE
, "unable to redirect IKE_SA in state %N",
2399 ike_sa_state_names
, this->state
);
2400 return INVALID_STATE
;
2404 METHOD(ike_sa_t
, retransmit
, status_t
,
2405 private_ike_sa_t
*this, uint32_t message_id
)
2407 if (this->state
== IKE_PASSIVE
)
2409 return INVALID_STATE
;
2411 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
2412 if (this->task_manager
->retransmit(this->task_manager
, message_id
) != SUCCESS
)
2414 /* send a proper signal to brief interested bus listeners */
2415 switch (this->state
)
2417 case IKE_CONNECTING
:
2419 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2420 uint32_t tries
= this->peer_cfg
->get_keyingtries(this->peer_cfg
);
2421 charon
->bus
->alert(charon
->bus
, ALERT_PEER_INIT_UNREACHABLE
,
2424 if (tries
== 0 || tries
> this->keyingtry
)
2426 DBG1(DBG_IKE
, "peer not responding, trying again (%d/%d)",
2427 this->keyingtry
+ 1, tries
);
2429 resolve_hosts(this);
2430 return this->task_manager
->initiate(this->task_manager
);
2432 DBG1(DBG_IKE
, "establishing IKE_SA failed, peer not responding");
2434 if (this->version
== IKEV1
&& array_count(this->child_sas
))
2436 enumerator_t
*enumerator
;
2437 child_sa_t
*child_sa
;
2439 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2440 * in this state with CHILD_SAs), try again from scratch */
2441 DBG1(DBG_IKE
, "reauthentication failed, trying to "
2442 "reestablish IKE_SA");
2444 /* trigger down events for the CHILD_SAs, as no down event
2445 * is triggered below for IKE SAs in this state */
2446 enumerator
= array_create_enumerator(this->child_sas
);
2447 while (enumerator
->enumerate(enumerator
, &child_sa
))
2449 if (child_sa
->get_state(child_sa
) != CHILD_REKEYED
&&
2450 child_sa
->get_state(child_sa
) != CHILD_DELETED
)
2452 charon
->bus
->child_updown(charon
->bus
, child_sa
,
2456 enumerator
->destroy(enumerator
);
2461 DBG1(DBG_IKE
, "proper IKE_SA delete failed, peer not responding");
2462 if (has_condition(this, COND_REAUTHENTICATING
) &&
2463 !lib
->settings
->get_bool(lib
->settings
,
2464 "%s.make_before_break", FALSE
, lib
->ns
))
2466 DBG1(DBG_IKE
, "delete during reauthentication failed, "
2467 "trying to reestablish IKE_SA anyway");
2472 DBG1(DBG_IKE
, "rekeying IKE_SA failed, peer not responding");
2478 if (this->state
!= IKE_CONNECTING
&&
2479 this->state
!= IKE_REKEYED
)
2481 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
2488 METHOD(ike_sa_t
, set_auth_lifetime
, status_t
,
2489 private_ike_sa_t
*this, uint32_t lifetime
)
2491 uint32_t diff
, hard
, soft
, now
;
2494 diff
= this->peer_cfg
->get_over_time(this->peer_cfg
);
2495 now
= time_monotonic(NULL
);
2496 hard
= now
+ lifetime
;
2499 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2500 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2501 send_update
= this->state
== IKE_ESTABLISHED
&& this->version
== IKEV2
&&
2502 !has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2503 (array_count(this->other_vips
) != 0 ||
2504 has_condition(this, COND_EAP_AUTHENTICATED
));
2506 if (lifetime
< diff
)
2508 this->stats
[STAT_REAUTH
] = now
;
2512 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2513 "starting reauthentication", lifetime
);
2514 lib
->processor
->queue_job(lib
->processor
,
2515 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
));
2518 else if (this->stats
[STAT_REAUTH
] == 0 ||
2519 this->stats
[STAT_REAUTH
] > soft
)
2521 this->stats
[STAT_REAUTH
] = soft
;
2524 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, scheduling "
2525 "reauthentication in %ds", lifetime
, lifetime
- diff
);
2526 lib
->scheduler
->schedule_job(lib
->scheduler
,
2527 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
),
2533 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2534 "reauthentication already scheduled in %ds", lifetime
,
2535 this->stats
[STAT_REAUTH
] - time_monotonic(NULL
));
2536 send_update
= FALSE
;
2538 /* give at least some seconds to reauthenticate */
2539 this->stats
[STAT_DELETE
] = max(hard
, now
+ 10);
2544 ike_auth_lifetime_t
*task
;
2546 task
= ike_auth_lifetime_create(&this->public, TRUE
);
2547 this->task_manager
->queue_task(this->task_manager
, &task
->task
);
2548 return this->task_manager
->initiate(this->task_manager
);
2555 * Check if the current combination of source and destination address is still
2558 static bool is_current_path_valid(private_ike_sa_t
*this)
2563 if (supports_extension(this, EXT_MOBIKE
) &&
2564 lib
->settings
->get_bool(lib
->settings
,
2565 "%s.prefer_best_path", FALSE
, lib
->ns
))
2567 /* check if the current path is the best path; migrate otherwise */
2568 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2572 valid
= src
->ip_equals(src
, this->my_host
);
2577 DBG1(DBG_IKE
, "old path is not preferred anymore");
2581 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2585 if (src
->ip_equals(src
, this->my_host
))
2593 DBG1(DBG_IKE
, "old path is not available anymore, try to find another");
2599 * Check if we have any path available for this IKE SA.
2601 static bool is_any_path_valid(private_ike_sa_t
*this)
2604 enumerator_t
*enumerator
;
2605 host_t
*src
= NULL
, *addr
;
2606 int family
= AF_UNSPEC
;
2608 switch (charon
->socket
->supported_families(charon
->socket
))
2610 case SOCKET_FAMILY_IPV4
:
2613 case SOCKET_FAMILY_IPV6
:
2616 case SOCKET_FAMILY_BOTH
:
2617 case SOCKET_FAMILY_NONE
:
2621 enumerator
= create_peer_address_enumerator(this);
2622 while (enumerator
->enumerate(enumerator
, &addr
))
2624 if (family
!= AF_UNSPEC
&& addr
->get_family(addr
) != family
)
2628 DBG1(DBG_IKE
, "looking for a route to %H ...", addr
);
2629 src
= charon
->kernel
->get_source_addr(charon
->kernel
, addr
, NULL
);
2635 enumerator
->destroy(enumerator
);
2644 METHOD(ike_sa_t
, roam
, status_t
,
2645 private_ike_sa_t
*this, bool address
)
2647 switch (this->state
)
2651 case IKE_DESTROYING
:
2660 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2661 * without config assigned */
2664 if (this->version
== IKEV1
)
2665 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2666 * have to reestablish from scratch (reauth is not enough) */
2670 /* ignore roam events if MOBIKE is not supported/enabled and the local
2671 * address is statically configured */
2672 if (!supports_extension(this, EXT_MOBIKE
) &&
2673 ike_cfg_has_address(this->ike_cfg
, this->my_host
, TRUE
))
2675 DBG2(DBG_IKE
, "keeping statically configured path %H - %H",
2676 this->my_host
, this->other_host
);
2680 /* keep existing path if possible */
2681 if (is_current_path_valid(this))
2683 DBG2(DBG_IKE
, "keeping connection path %H - %H",
2684 this->my_host
, this->other_host
);
2685 set_condition(this, COND_STALE
, FALSE
);
2687 if (supports_extension(this, EXT_MOBIKE
) && address
)
2688 { /* if any addresses changed, send an updated list */
2689 DBG1(DBG_IKE
, "sending address list update using MOBIKE");
2690 this->task_manager
->queue_mobike(this->task_manager
, FALSE
, TRUE
);
2691 return this->task_manager
->initiate(this->task_manager
);
2696 if (!is_any_path_valid(this))
2698 DBG1(DBG_IKE
, "no route found to reach %H, MOBIKE update deferred",
2700 set_condition(this, COND_STALE
, TRUE
);
2703 set_condition(this, COND_STALE
, FALSE
);
2705 /* update addresses with mobike, if supported ... */
2706 if (supports_extension(this, EXT_MOBIKE
))
2708 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2709 { /* responder updates the peer about changed address config */
2710 DBG1(DBG_IKE
, "sending address list update using MOBIKE, "
2711 "implicitly requesting an address change");
2716 DBG1(DBG_IKE
, "requesting address change using MOBIKE");
2718 this->task_manager
->queue_mobike(this->task_manager
, TRUE
, address
);
2719 return this->task_manager
->initiate(this->task_manager
);
2722 /* ... reauth if not */
2723 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2724 { /* responder does not reauthenticate */
2725 set_condition(this, COND_STALE
, TRUE
);
2728 DBG1(DBG_IKE
, "reauthenticating IKE_SA due to address change");
2729 /* since our previous path is not valid anymore, try and find a new one */
2730 resolve_hosts(this);
2731 return reauth(this);
2734 METHOD(ike_sa_t
, add_configuration_attribute
, void,
2735 private_ike_sa_t
*this, attribute_handler_t
*handler
,
2736 configuration_attribute_type_t type
, chunk_t data
)
2738 attribute_entry_t entry
= {
2741 .data
= chunk_clone(data
),
2743 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2746 CALLBACK(filter_attribute
, bool,
2747 void *null
, enumerator_t
*orig
, va_list args
)
2749 attribute_entry_t
*entry
;
2750 configuration_attribute_type_t
*type
;
2754 VA_ARGS_VGET(args
, type
, data
, handled
);
2756 if (orig
->enumerate(orig
, &entry
))
2758 *type
= entry
->type
;
2759 *data
= entry
->data
;
2760 *handled
= entry
->handler
!= NULL
;
2766 METHOD(ike_sa_t
, create_attribute_enumerator
, enumerator_t
*,
2767 private_ike_sa_t
*this)
2769 return enumerator_create_filter(array_create_enumerator(this->attributes
),
2770 filter_attribute
, NULL
, NULL
);
2773 METHOD(ike_sa_t
, create_task_enumerator
, enumerator_t
*,
2774 private_ike_sa_t
*this, task_queue_t queue
)
2776 return this->task_manager
->create_task_enumerator(this->task_manager
, queue
);
2779 METHOD(ike_sa_t
, remove_task
, void,
2780 private_ike_sa_t
*this, enumerator_t
*enumerator
)
2782 return this->task_manager
->remove_task(this->task_manager
, enumerator
);
2785 METHOD(ike_sa_t
, flush_queue
, void,
2786 private_ike_sa_t
*this, task_queue_t queue
)
2788 this->task_manager
->flush_queue(this->task_manager
, queue
);
2791 METHOD(ike_sa_t
, queue_task
, void,
2792 private_ike_sa_t
*this, task_t
*task
)
2794 this->task_manager
->queue_task(this->task_manager
, task
);
2797 METHOD(ike_sa_t
, queue_task_delayed
, void,
2798 private_ike_sa_t
*this, task_t
*task
, uint32_t delay
)
2800 this->task_manager
->queue_task_delayed(this->task_manager
, task
, delay
);
2804 * Migrate and queue child-creating tasks from another IKE_SA
2806 static void migrate_child_tasks(private_ike_sa_t
*this, ike_sa_t
*other
,
2809 enumerator_t
*enumerator
;
2812 enumerator
= other
->create_task_enumerator(other
, queue
);
2813 while (enumerator
->enumerate(enumerator
, &task
))
2815 if (task
->get_type(task
) == TASK_CHILD_CREATE
||
2816 task
->get_type(task
) == TASK_QUICK_MODE
)
2818 other
->remove_task(other
, enumerator
);
2819 task
->migrate(task
, &this->public);
2820 queue_task(this, task
);
2823 enumerator
->destroy(enumerator
);
2826 METHOD(ike_sa_t
, adopt_child_tasks
, void,
2827 private_ike_sa_t
*this, ike_sa_t
*other
)
2829 migrate_child_tasks(this, other
, TASK_QUEUE_ACTIVE
);
2830 migrate_child_tasks(this, other
, TASK_QUEUE_QUEUED
);
2833 METHOD(ike_sa_t
, inherit_pre
, void,
2834 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2836 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2838 /* apply config and hosts */
2839 set_peer_cfg(this, other
->peer_cfg
);
2840 set_my_host(this, other
->my_host
->clone(other
->my_host
));
2841 set_other_host(this, other
->other_host
->clone(other
->other_host
));
2843 /* apply extensions and conditions with a few exceptions */
2844 this->extensions
= other
->extensions
;
2845 this->conditions
= other
->conditions
;
2846 this->conditions
&= ~COND_STALE
;
2847 this->conditions
&= ~COND_REAUTHENTICATING
;
2850 METHOD(ike_sa_t
, inherit_post
, void,
2851 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2853 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2854 child_sa_t
*child_sa
;
2855 enumerator_t
*enumerator
;
2856 attribute_entry_t entry
;
2860 /* apply hosts and ids */
2861 this->my_host
->destroy(this->my_host
);
2862 this->other_host
->destroy(this->other_host
);
2863 this->my_id
->destroy(this->my_id
);
2864 this->other_id
->destroy(this->other_id
);
2865 this->my_host
= other
->my_host
->clone(other
->my_host
);
2866 this->other_host
= other
->other_host
->clone(other
->other_host
);
2867 this->my_id
= other
->my_id
->clone(other
->my_id
);
2868 this->other_id
= other
->other_id
->clone(other
->other_id
);
2869 this->if_id_in
= other
->if_id_in
;
2870 this->if_id_out
= other
->if_id_out
;
2872 /* apply assigned virtual IPs... */
2873 while (array_remove(other
->my_vips
, ARRAY_HEAD
, &vip
))
2875 array_insert_create(&this->my_vips
, ARRAY_TAIL
, vip
);
2877 while (array_remove(other
->other_vips
, ARRAY_HEAD
, &vip
))
2879 array_insert_create(&this->other_vips
, ARRAY_TAIL
, vip
);
2882 /* MOBIKE additional addresses */
2883 while (array_remove(other
->peer_addresses
, ARRAY_HEAD
, &vip
))
2885 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, vip
);
2888 /* authentication information */
2889 enumerator
= array_create_enumerator(other
->my_auths
);
2890 while (enumerator
->enumerate(enumerator
, &cfg
))
2892 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2894 enumerator
->destroy(enumerator
);
2895 enumerator
= array_create_enumerator(other
->other_auths
);
2896 while (enumerator
->enumerate(enumerator
, &cfg
))
2898 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2900 enumerator
->destroy(enumerator
);
2902 /* ... and configuration attributes */
2903 while (array_remove(other
->attributes
, ARRAY_HEAD
, &entry
))
2905 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2908 /* inherit all conditions */
2909 this->conditions
= other
->conditions
;
2910 if (this->conditions
& COND_NAT_HERE
)
2912 send_keepalive(this, FALSE
);
2916 if (other
->is_mediation_server
)
2918 act_as_mediation_server(this);
2920 else if (other
->server_reflexive_host
)
2922 this->server_reflexive_host
= other
->server_reflexive_host
->clone(
2923 other
->server_reflexive_host
);
2927 /* adopt all children */
2928 while (array_remove(other
->child_sas
, ARRAY_HEAD
, &child_sa
))
2930 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2931 add_child_sa(this, child_sa
);
2934 /* move pending tasks to the new IKE_SA */
2935 this->task_manager
->adopt_tasks(this->task_manager
, other
->task_manager
);
2937 /* reauthentication timeout survives a rekeying */
2938 if (other
->stats
[STAT_REAUTH
])
2940 time_t reauth
, delete, now
= time_monotonic(NULL
);
2942 this->stats
[STAT_REAUTH
] = other
->stats
[STAT_REAUTH
];
2943 reauth
= this->stats
[STAT_REAUTH
] - now
;
2944 delete = reauth
+ this->peer_cfg
->get_over_time(this->peer_cfg
);
2945 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
] + delete;
2946 DBG1(DBG_IKE
, "rescheduling reauthentication in %ds after rekeying, "
2947 "lifetime reduced to %ds", reauth
, delete);
2948 lib
->scheduler
->schedule_job(lib
->scheduler
,
2949 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
), reauth
);
2950 lib
->scheduler
->schedule_job(lib
->scheduler
,
2951 (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
), delete);
2955 METHOD(ike_sa_t
, destroy
, void,
2956 private_ike_sa_t
*this)
2958 attribute_entry_t entry
;
2959 child_sa_t
*child_sa
;
2962 charon
->bus
->set_sa(charon
->bus
, &this->public);
2964 set_state(this, IKE_DESTROYING
);
2965 if (this->task_manager
)
2967 this->task_manager
->flush(this->task_manager
);
2970 /* remove attributes first, as we pass the IKE_SA to the handler */
2971 charon
->bus
->handle_vips(charon
->bus
, &this->public, FALSE
);
2972 while (array_remove(this->attributes
, ARRAY_TAIL
, &entry
))
2976 charon
->attributes
->release(charon
->attributes
, entry
.handler
,
2977 &this->public, entry
.type
, entry
.data
);
2979 free(entry
.data
.ptr
);
2981 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2982 * routes that the CHILD_SA tries to uninstall. */
2983 while (array_remove(this->child_sas
, ARRAY_TAIL
, &child_sa
))
2985 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2986 child_sa
->destroy(child_sa
);
2988 while (array_remove(this->my_vips
, ARRAY_TAIL
, &vip
))
2990 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
2993 if (array_count(this->other_vips
))
2995 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
2997 while (array_remove(this->other_vips
, ARRAY_TAIL
, &vip
))
3001 linked_list_t
*pools
;
3003 pools
= linked_list_create_from_enumerator(
3004 this->peer_cfg
->create_pool_enumerator(this->peer_cfg
));
3005 charon
->attributes
->release_address(charon
->attributes
,
3006 pools
, vip
, &this->public);
3007 pools
->destroy(pools
);
3012 /* unset SA after here to avoid usage by the listeners */
3013 charon
->bus
->set_sa(charon
->bus
, NULL
);
3015 array_destroy(this->child_sas
);
3016 DESTROY_IF(this->task_manager
);
3017 DESTROY_IF(this->keymat
);
3018 array_destroy(this->attributes
);
3019 array_destroy(this->my_vips
);
3020 array_destroy(this->other_vips
);
3021 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
3023 if (this->is_mediation_server
)
3025 charon
->mediation_manager
->remove(charon
->mediation_manager
,
3028 DESTROY_IF(this->server_reflexive_host
);
3029 chunk_free(&this->connect_id
);
3031 free(this->nat_detection_dest
.ptr
);
3033 DESTROY_IF(this->my_host
);
3034 DESTROY_IF(this->other_host
);
3035 DESTROY_IF(this->my_id
);
3036 DESTROY_IF(this->other_id
);
3037 DESTROY_IF(this->local_host
);
3038 DESTROY_IF(this->remote_host
);
3039 DESTROY_IF(this->redirected_from
);
3040 array_destroy(this->redirected_at
);
3042 DESTROY_IF(this->ike_cfg
);
3043 DESTROY_IF(this->peer_cfg
);
3044 DESTROY_IF(this->proposal
);
3045 this->my_auth
->destroy(this->my_auth
);
3046 this->other_auth
->destroy(this->other_auth
);
3047 array_destroy_offset(this->my_auths
, offsetof(auth_cfg_t
, destroy
));
3048 array_destroy_offset(this->other_auths
, offsetof(auth_cfg_t
, destroy
));
3050 this->ike_sa_id
->destroy(this->ike_sa_id
);
3055 * Described in header.
3057 ike_sa_t
* ike_sa_create(ike_sa_id_t
*ike_sa_id
, bool initiator
,
3058 ike_version_t version
)
3060 private_ike_sa_t
*this;
3061 static refcount_t unique_id
= 0;
3063 if (version
== IKE_ANY
)
3064 { /* prefer IKEv2 if protocol not specified */
3074 .get_version
= _get_version
,
3075 .get_state
= _get_state
,
3076 .set_state
= _set_state
,
3077 .get_name
= _get_name
,
3078 .get_statistic
= _get_statistic
,
3079 .set_statistic
= _set_statistic
,
3080 .process_message
= _process_message
,
3081 .initiate
= _initiate
,
3082 .retry_initiate
= _retry_initiate
,
3083 .get_ike_cfg
= _get_ike_cfg
,
3084 .set_ike_cfg
= _set_ike_cfg
,
3085 .get_peer_cfg
= _get_peer_cfg
,
3086 .set_peer_cfg
= _set_peer_cfg
,
3087 .get_auth_cfg
= _get_auth_cfg
,
3088 .create_auth_cfg_enumerator
= _create_auth_cfg_enumerator
,
3089 .verify_peer_certificate
= _verify_peer_certificate
,
3090 .add_auth_cfg
= _add_auth_cfg
,
3091 .get_proposal
= _get_proposal
,
3092 .set_proposal
= _set_proposal
,
3094 .get_my_host
= _get_my_host
,
3095 .set_my_host
= _set_my_host
,
3096 .get_other_host
= _get_other_host
,
3097 .set_other_host
= _set_other_host
,
3098 .set_message_id
= _set_message_id
,
3099 .get_message_id
= _get_message_id
,
3100 .float_ports
= _float_ports
,
3101 .update_hosts
= _update_hosts
,
3102 .get_my_id
= _get_my_id
,
3103 .set_my_id
= _set_my_id
,
3104 .get_other_id
= _get_other_id
,
3105 .set_other_id
= _set_other_id
,
3106 .get_other_eap_id
= _get_other_eap_id
,
3107 .enable_extension
= _enable_extension
,
3108 .supports_extension
= _supports_extension
,
3109 .set_condition
= _set_condition
,
3110 .has_condition
= _has_condition
,
3111 .create_peer_address_enumerator
= _create_peer_address_enumerator
,
3112 .add_peer_address
= _add_peer_address
,
3113 .clear_peer_addresses
= _clear_peer_addresses
,
3114 .has_mapping_changed
= _has_mapping_changed
,
3115 .retransmit
= _retransmit
,
3117 .destroy
= _destroy
,
3118 .send_dpd
= _send_dpd
,
3119 .send_keepalive
= _send_keepalive
,
3120 .redirect
= _redirect
,
3121 .handle_redirect
= _handle_redirect
,
3122 .get_redirected_from
= _get_redirected_from
,
3123 .get_keymat
= _get_keymat
,
3124 .add_child_sa
= _add_child_sa
,
3125 .get_child_sa
= _get_child_sa
,
3126 .get_child_count
= _get_child_count
,
3127 .create_child_sa_enumerator
= _create_child_sa_enumerator
,
3128 .remove_child_sa
= _remove_child_sa
,
3129 .rekey_child_sa
= _rekey_child_sa
,
3130 .delete_child_sa
= _delete_child_sa
,
3131 .destroy_child_sa
= _destroy_child_sa
,
3134 .reestablish
= _reestablish
,
3135 .set_auth_lifetime
= _set_auth_lifetime
,
3137 .inherit_pre
= _inherit_pre
,
3138 .inherit_post
= _inherit_post
,
3139 .generate_message
= _generate_message
,
3140 .generate_message_fragmented
= _generate_message_fragmented
,
3142 .get_unique_id
= _get_unique_id
,
3143 .add_virtual_ip
= _add_virtual_ip
,
3144 .clear_virtual_ips
= _clear_virtual_ips
,
3145 .create_virtual_ip_enumerator
= _create_virtual_ip_enumerator
,
3146 .add_configuration_attribute
= _add_configuration_attribute
,
3147 .create_attribute_enumerator
= _create_attribute_enumerator
,
3148 .get_if_id
= _get_if_id
,
3149 .set_kmaddress
= _set_kmaddress
,
3150 .create_task_enumerator
= _create_task_enumerator
,
3151 .remove_task
= _remove_task
,
3152 .flush_queue
= _flush_queue
,
3153 .queue_task
= _queue_task
,
3154 .queue_task_delayed
= _queue_task_delayed
,
3155 .adopt_child_tasks
= _adopt_child_tasks
,
3157 .act_as_mediation_server
= _act_as_mediation_server
,
3158 .get_server_reflexive_host
= _get_server_reflexive_host
,
3159 .set_server_reflexive_host
= _set_server_reflexive_host
,
3160 .get_connect_id
= _get_connect_id
,
3161 .initiate_mediation
= _initiate_mediation
,
3162 .initiate_mediated
= _initiate_mediated
,
3164 .callback
= _callback
,
3165 .respond
= _respond
,
3168 .ike_sa_id
= ike_sa_id
->clone(ike_sa_id
),
3170 .my_host
= host_create_any(AF_INET
),
3171 .other_host
= host_create_any(AF_INET
),
3172 .my_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3173 .other_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3174 .keymat
= keymat_create(version
, initiator
),
3175 .state
= IKE_CREATED
,
3176 .stats
[STAT_INBOUND
] = time_monotonic(NULL
),
3177 .stats
[STAT_OUTBOUND
] = time_monotonic(NULL
),
3178 .my_auth
= auth_cfg_create(),
3179 .other_auth
= auth_cfg_create(),
3180 .my_auths
= array_create(0, 0),
3181 .other_auths
= array_create(0, 0),
3182 .attributes
= array_create(sizeof(attribute_entry_t
), 0),
3183 .unique_id
= ref_get(&unique_id
),
3184 .keepalive_interval
= lib
->settings
->get_time(lib
->settings
,
3185 "%s.keep_alive", KEEPALIVE_INTERVAL
, lib
->ns
),
3186 .retry_initiate_interval
= lib
->settings
->get_time(lib
->settings
,
3187 "%s.retry_initiate_interval", 0, lib
->ns
),
3188 .flush_auth_cfg
= lib
->settings
->get_bool(lib
->settings
,
3189 "%s.flush_auth_cfg", FALSE
, lib
->ns
),
3190 .fragment_size
= lib
->settings
->get_int(lib
->settings
,
3191 "%s.fragment_size", 1280, lib
->ns
),
3192 .follow_redirects
= lib
->settings
->get_bool(lib
->settings
,
3193 "%s.follow_redirects", TRUE
, lib
->ns
),
3196 if (version
== IKEV2
)
3197 { /* always supported with IKEv2 */
3198 enable_extension(this, EXT_DPD
);
3201 this->task_manager
= task_manager_create(&this->public);
3202 this->my_host
->set_port(this->my_host
,
3203 charon
->socket
->get_port(charon
->socket
, FALSE
));
3205 if (!this->task_manager
|| !this->keymat
)
3207 DBG1(DBG_IKE
, "IKE version %d not supported", this->version
);
3211 return &this->public;