]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/sa/ike_sa.c
projects / thirdparty / strongswan.git / blob
? search:


b44c157d94934df2d3c0ef5f224b254d37792510
[thirdparty/strongswan.git] / src / libcharon / sa / ike_sa.c
1 /*
2 * Copyright (C) 2006-2020 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /*
20 * Copyright (c) 2014 Volker RĂ¼melin
21 *
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
28 *
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
31 *
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38 * THE SOFTWARE.
39 */
40
41 #include <string.h>
42 #include <sys/stat.h>
43 #include <errno.h>
44 #include <time.h>
45
46 #include "ike_sa.h"
47
48 #include <library.h>
49 #include <daemon.h>
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
62
63 #ifdef ME
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
66 #endif
67
68 ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
69 "CREATED",
70 "CONNECTING",
71 "ESTABLISHED",
72 "PASSIVE",
73 "REKEYING",
74 "REKEYED",
75 "DELETING",
76 "DESTROYING",
77 );
78
79 typedef struct private_ike_sa_t private_ike_sa_t;
80 typedef struct attribute_entry_t attribute_entry_t;
81
82 /**
83 * Private data of an ike_sa_t object.
84 */
85 struct private_ike_sa_t {
86
87 /**
88 * Public members
89 */
90 ike_sa_t public;
91
92 /**
93 * Identifier for the current IKE_SA.
94 */
95 ike_sa_id_t *ike_sa_id;
96
97 /**
98 * IKE version of this SA.
99 */
100 ike_version_t version;
101
102 /**
103 * unique numerical ID for this IKE_SA.
104 */
105 uint32_t unique_id;
106
107 /**
108 * Current state of the IKE_SA
109 */
110 ike_sa_state_t state;
111
112 /**
113 * IKE configuration used to set up this IKE_SA
114 */
115 ike_cfg_t *ike_cfg;
116
117 /**
118 * Peer and authentication information to establish IKE_SA.
119 */
120 peer_cfg_t *peer_cfg;
121
122 /**
123 * currently used authentication ruleset, local
124 */
125 auth_cfg_t *my_auth;
126
127 /**
128 * currently used authentication constraints, remote
129 */
130 auth_cfg_t *other_auth;
131
132 /**
133 * Array of completed local authentication rounds (as auth_cfg_t)
134 */
135 array_t *my_auths;
136
137 /**
138 * Array of completed remote authentication rounds (as auth_cfg_t)
139 */
140 array_t *other_auths;
141
142 /**
143 * Selected IKE proposal
144 */
145 proposal_t *proposal;
146
147 /**
148 * Juggles tasks to process messages
149 */
150 task_manager_t *task_manager;
151
152 /**
153 * Address of local host
154 */
155 host_t *my_host;
156
157 /**
158 * Address of remote host
159 */
160 host_t *other_host;
161
162 #ifdef ME
163 /**
164 * Are we mediation server
165 */
166 bool is_mediation_server;
167
168 /**
169 * Server reflexive host
170 */
171 host_t *server_reflexive_host;
172
173 /**
174 * Connect ID
175 */
176 chunk_t connect_id;
177 #endif /* ME */
178
179 /**
180 * Identification used for us
181 */
182 identification_t *my_id;
183
184 /**
185 * Identification used for other
186 */
187 identification_t *other_id;
188
189 /**
190 * set of extensions the peer supports
191 */
192 ike_extension_t extensions;
193
194 /**
195 * set of condition flags currently enabled for this IKE_SA
196 */
197 ike_condition_t conditions;
198
199 /**
200 * Array containing the child sa's of the current IKE_SA.
201 */
202 array_t *child_sas;
203
204 /**
205 * keymat of this IKE_SA
206 */
207 keymat_t *keymat;
208
209 /**
210 * Virtual IPs on local host
211 */
212 array_t *my_vips;
213
214 /**
215 * Virtual IPs on remote host
216 */
217 array_t *other_vips;
218
219 /**
220 * List of configuration attributes (attribute_entry_t)
221 */
222 array_t *attributes;
223
224 /**
225 * list of peer's addresses, additional ones transmitted via MOBIKE
226 */
227 array_t *peer_addresses;
228
229 /**
230 * previously value of received DESTINATION_IP hash
231 */
232 chunk_t nat_detection_dest;
233
234 /**
235 * NAT keep alive interval
236 */
237 uint32_t keepalive_interval;
238
239 /**
240 * The scheduled keep alive job, if any
241 */
242 send_keepalive_job_t *keepalive_job;
243
244 /**
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
247 */
248 uint32_t retry_initiate_interval;
249
250 /**
251 * TRUE if a retry_initiate_job has been queued
252 */
253 bool retry_initiate_queued;
254
255 /**
256 * Timestamps for this IKE_SA
257 */
258 uint32_t stats[STAT_MAX];
259
260 /**
261 * how many times we have retried so far (keyingtries)
262 */
263 uint32_t keyingtry;
264
265 /**
266 * local host address to be used for IKE, set via MIGRATE kernel message
267 */
268 host_t *local_host;
269
270 /**
271 * remote host address to be used for IKE, set via MIGRATE kernel message
272 */
273 host_t *remote_host;
274
275 /**
276 * Flush auth configs once established?
277 */
278 bool flush_auth_cfg;
279
280 /**
281 * Maximum length of a single fragment, 0 for address-specific defaults
282 */
283 size_t fragment_size;
284
285 /**
286 * Whether to follow IKEv2 redirects
287 */
288 bool follow_redirects;
289
290 /**
291 * Original gateway address from which we got redirected
292 */
293 host_t *redirected_from;
294
295 /**
296 * Timestamps of redirect attempts to handle loops
297 */
298 array_t *redirected_at;
299
300 /**
301 * Inbound interface ID
302 */
303 uint32_t if_id_in;
304
305 /**
306 * Outbound interface ID
307 */
308 uint32_t if_id_out;
309 };
310
311 /**
312 * Entry to maintain install configuration attributes during IKE_SA lifetime
313 */
314 struct attribute_entry_t {
315 /** handler used to install this attribute */
316 attribute_handler_t *handler;
317 /** attribute type */
318 configuration_attribute_type_t type;
319 /** attribute data */
320 chunk_t data;
321 };
322
323 /**
324 * get the time of the latest traffic processed by the kernel
325 */
326 static time_t get_use_time(private_ike_sa_t* this, bool inbound)
327 {
328 enumerator_t *enumerator;
329 child_sa_t *child_sa;
330 time_t use_time, current;
331
332 if (inbound)
333 {
334 use_time = this->stats[STAT_INBOUND];
335 }
336 else
337 {
338 use_time = this->stats[STAT_OUTBOUND];
339 }
340
341 enumerator = array_create_enumerator(this->child_sas);
342 while (enumerator->enumerate(enumerator, &child_sa))
343 {
344 child_sa->get_usestats(child_sa, inbound, &current, NULL, NULL);
345 use_time = max(use_time, current);
346 }
347 enumerator->destroy(enumerator);
348
349 return use_time;
350 }
351
352 METHOD(ike_sa_t, get_unique_id, uint32_t,
353 private_ike_sa_t *this)
354 {
355 return this->unique_id;
356 }
357
358 METHOD(ike_sa_t, get_name, char*,
359 private_ike_sa_t *this)
360 {
361 if (this->peer_cfg)
362 {
363 return this->peer_cfg->get_name(this->peer_cfg);
364 }
365 return "(unnamed)";
366 }
367
368 METHOD(ike_sa_t, get_statistic, uint32_t,
369 private_ike_sa_t *this, statistic_t kind)
370 {
371 if (kind < STAT_MAX)
372 {
373 return this->stats[kind];
374 }
375 return 0;
376 }
377
378 METHOD(ike_sa_t, set_statistic, void,
379 private_ike_sa_t *this, statistic_t kind, uint32_t value)
380 {
381 if (kind < STAT_MAX)
382 {
383 this->stats[kind] = value;
384 }
385 }
386
387 METHOD(ike_sa_t, get_my_host, host_t*,
388 private_ike_sa_t *this)
389 {
390 return this->my_host;
391 }
392
393 METHOD(ike_sa_t, set_my_host, void,
394 private_ike_sa_t *this, host_t *me)
395 {
396 DESTROY_IF(this->my_host);
397 this->my_host = me;
398 }
399
400 METHOD(ike_sa_t, get_other_host, host_t*,
401 private_ike_sa_t *this)
402 {
403 return this->other_host;
404 }
405
406 METHOD(ike_sa_t, set_other_host, void,
407 private_ike_sa_t *this, host_t *other)
408 {
409 DESTROY_IF(this->other_host);
410 this->other_host = other;
411 }
412
413 METHOD(ike_sa_t, get_redirected_from, host_t*,
414 private_ike_sa_t *this)
415 {
416 return this->redirected_from;
417 }
418
419 METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
420 private_ike_sa_t *this)
421 {
422 return this->peer_cfg;
423 }
424
425 METHOD(ike_sa_t, set_peer_cfg, void,
426 private_ike_sa_t *this, peer_cfg_t *peer_cfg)
427 {
428 peer_cfg->get_ref(peer_cfg);
429 DESTROY_IF(this->peer_cfg);
430 this->peer_cfg = peer_cfg;
431
432 if (!this->ike_cfg)
433 {
434 this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
435 this->ike_cfg->get_ref(this->ike_cfg);
436 }
437
438 this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE);
439 this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE);
440 allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
441 }
442
443 METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
444 private_ike_sa_t *this, bool local)
445 {
446 if (local)
447 {
448 return this->my_auth;
449 }
450 return this->other_auth;
451 }
452
453 METHOD(ike_sa_t, add_auth_cfg, void,
454 private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
455 {
456 if (local)
457 {
458 array_insert(this->my_auths, ARRAY_TAIL, cfg);
459 }
460 else
461 {
462 array_insert(this->other_auths, ARRAY_TAIL, cfg);
463 }
464 }
465
466 METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
467 private_ike_sa_t *this, bool local)
468 {
469 if (local)
470 {
471 return array_create_enumerator(this->my_auths);
472 }
473 return array_create_enumerator(this->other_auths);
474 }
475
476 /**
477 * Flush the stored authentication round information
478 */
479 static void flush_auth_cfgs(private_ike_sa_t *this)
480 {
481 auth_cfg_t *cfg;
482
483 this->my_auth->purge(this->my_auth, FALSE);
484 this->other_auth->purge(this->other_auth, FALSE);
485
486 while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
487 {
488 cfg->destroy(cfg);
489 }
490 while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
491 {
492 cfg->destroy(cfg);
493 }
494 }
495
496 METHOD(ike_sa_t, verify_peer_certificate, bool,
497 private_ike_sa_t *this)
498 {
499 enumerator_t *e1, *e2, *certs;
500 auth_cfg_t *cfg, *cfg_done;
501 certificate_t *peer, *cert;
502 public_key_t *key;
503 auth_cfg_t *auth;
504 auth_cfg_wrapper_t *wrapper;
505 time_t not_before, not_after;
506 bool valid = TRUE, found;
507
508 if (this->state != IKE_ESTABLISHED)
509 {
510 DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
511 ike_sa_state_names, this->state);
512 return FALSE;
513 }
514
515 if (!this->flush_auth_cfg &&
516 lib->settings->get_bool(lib->settings,
517 "%s.flush_auth_cfg", FALSE, lib->ns))
518 { /* we can do this check only once if auth configs are flushed */
519 DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
520 "information has been flushed");
521 return FALSE;
522 }
523 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
524 FALSE);
525
526 e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
527 e2 = array_create_enumerator(this->other_auths);
528 while (e1->enumerate(e1, &cfg))
529 {
530 if (!e2->enumerate(e2, &cfg_done))
531 { /* this should not happen as the authentication should never have
532 * succeeded */
533 valid = FALSE;
534 break;
535 }
536 if ((uintptr_t)cfg_done->get(cfg_done,
537 AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
538 {
539 continue;
540 }
541 peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
542 if (!peer)
543 {
544 DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
545 "verification");
546 continue;
547 }
548 if (!peer->get_validity(peer, NULL, &not_before, &not_after))
549 {
550 DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
551 &not_before, FALSE, &not_after, FALSE);
552 valid = FALSE;
553 break;
554 }
555 key = peer->get_public_key(peer);
556 if (!key)
557 {
558 DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
559 "verification");
560 continue;
561 }
562 DBG1(DBG_IKE, "verifying peer certificate");
563 /* serve received certificates */
564 wrapper = auth_cfg_wrapper_create(cfg_done);
565 lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
566 certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
567 key->get_type(key), peer->get_subject(peer), TRUE);
568 key->destroy(key);
569
570 found = FALSE;
571 while (certs->enumerate(certs, &cert, &auth))
572 {
573 if (peer->equals(peer, cert))
574 {
575 cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
576 FALSE);
577 cfg_done->merge(cfg_done, auth, FALSE);
578 valid = cfg_done->complies(cfg_done, cfg, TRUE);
579 found = TRUE;
580 break;
581 }
582 }
583 certs->destroy(certs);
584 lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
585 wrapper->destroy(wrapper);
586 if (!found || !valid)
587 {
588 valid = FALSE;
589 break;
590 }
591 }
592 e1->destroy(e1);
593 e2->destroy(e2);
594
595 if (this->flush_auth_cfg)
596 {
597 this->flush_auth_cfg = FALSE;
598 flush_auth_cfgs(this);
599 }
600 return valid;
601 }
602
603 METHOD(ike_sa_t, get_proposal, proposal_t*,
604 private_ike_sa_t *this)
605 {
606 return this->proposal;
607 }
608
609 METHOD(ike_sa_t, set_proposal, void,
610 private_ike_sa_t *this, proposal_t *proposal)
611 {
612 DESTROY_IF(this->proposal);
613 this->proposal = proposal->clone(proposal, 0);
614 }
615
616 METHOD(ike_sa_t, set_message_id, void,
617 private_ike_sa_t *this, bool initiate, uint32_t mid)
618 {
619 if (initiate)
620 {
621 this->task_manager->reset(this->task_manager, mid, UINT_MAX);
622 }
623 else
624 {
625 this->task_manager->reset(this->task_manager, UINT_MAX, mid);
626 }
627 }
628
629 METHOD(ike_sa_t, get_message_id, uint32_t,
630 private_ike_sa_t *this, bool initiate)
631 {
632 return this->task_manager->get_mid(this->task_manager, initiate);
633 }
634
635 METHOD(ike_sa_t, send_keepalive, void,
636 private_ike_sa_t *this, bool scheduled)
637 {
638 time_t last_out, now, diff;
639
640 if (scheduled)
641 {
642 this->keepalive_job = NULL;
643 }
644 if (!this->keepalive_interval || this->state == IKE_PASSIVE)
645 { /* keepalives disabled either by configuration or for passive IKE_SAs */
646 return;
647 }
648 if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
649 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
650 return;
651 }
652
653 last_out = get_use_time(this, FALSE);
654 now = time_monotonic(NULL);
655
656 diff = now - last_out;
657
658 if (diff >= this->keepalive_interval)
659 {
660 packet_t *packet;
661 chunk_t data;
662
663 packet = packet_create();
664 packet->set_source(packet, this->my_host->clone(this->my_host));
665 packet->set_destination(packet, this->other_host->clone(this->other_host));
666 data.ptr = malloc(1);
667 data.ptr[0] = 0xFF;
668 data.len = 1;
669 packet->set_data(packet, data);
670 DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
671 charon->sender->send_no_marker(charon->sender, packet);
672 this->stats[STAT_OUTBOUND] = now;
673 diff = 0;
674 }
675 if (!this->keepalive_job)
676 {
677 this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
678 lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
679 this->keepalive_interval - diff);
680 }
681 }
682
683 METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
684 private_ike_sa_t *this)
685 {
686 return this->ike_cfg;
687 }
688
689 METHOD(ike_sa_t, set_ike_cfg, void,
690 private_ike_sa_t *this, ike_cfg_t *ike_cfg)
691 {
692 DESTROY_IF(this->ike_cfg);
693 ike_cfg->get_ref(ike_cfg);
694 this->ike_cfg = ike_cfg;
695 }
696
697 METHOD(ike_sa_t, enable_extension, void,
698 private_ike_sa_t *this, ike_extension_t extension)
699 {
700 this->extensions |= extension;
701 }
702
703 METHOD(ike_sa_t, supports_extension, bool,
704 private_ike_sa_t *this, ike_extension_t extension)
705 {
706 return (this->extensions & extension) != FALSE;
707 }
708
709 METHOD(ike_sa_t, has_condition, bool,
710 private_ike_sa_t *this, ike_condition_t condition)
711 {
712 return (this->conditions & condition) != FALSE;
713 }
714
715 METHOD(ike_sa_t, set_condition, void,
716 private_ike_sa_t *this, ike_condition_t condition, bool enable)
717 {
718 if (has_condition(this, condition) != enable)
719 {
720 if (enable)
721 {
722 this->conditions |= condition;
723 switch (condition)
724 {
725 case COND_NAT_HERE:
726 DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
727 this->conditions |= COND_NAT_ANY;
728 send_keepalive(this, FALSE);
729 break;
730 case COND_NAT_THERE:
731 DBG1(DBG_IKE, "remote host is behind NAT");
732 this->conditions |= COND_NAT_ANY;
733 break;
734 case COND_NAT_FAKE:
735 DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
736 this->conditions |= COND_NAT_ANY;
737 break;
738 default:
739 break;
740 }
741 }
742 else
743 {
744 this->conditions &= ~condition;
745 switch (condition)
746 {
747 case COND_NAT_HERE:
748 case COND_NAT_THERE:
749 DBG1(DBG_IKE, "%s host is not behind NAT anymore",
750 condition == COND_NAT_HERE ? "local" : "remote");
751 /* fall-through */
752 case COND_NAT_FAKE:
753 set_condition(this, COND_NAT_ANY,
754 has_condition(this, COND_NAT_HERE) ||
755 has_condition(this, COND_NAT_THERE) ||
756 has_condition(this, COND_NAT_FAKE));
757 break;
758 case COND_STALE:
759 send_keepalive(this, FALSE);
760 break;
761 default:
762 break;
763 }
764 }
765 }
766 }
767
768 METHOD(ike_sa_t, send_dpd, status_t,
769 private_ike_sa_t *this)
770 {
771 job_t *job;
772 time_t diff, delay;
773 bool task_queued = FALSE;
774
775 if (this->state == IKE_PASSIVE)
776 {
777 return INVALID_STATE;
778 }
779 if (this->version == IKEV1 && this->state == IKE_REKEYING)
780 { /* don't send DPDs for rekeyed IKEv1 SAs */
781 return SUCCESS;
782 }
783 delay = this->peer_cfg->get_dpd(this->peer_cfg);
784 if (this->task_manager->busy(this->task_manager))
785 {
786 /* an exchange is in the air, no need to start a DPD check */
787 diff = 0;
788 }
789 else
790 {
791 /* check if there was any inbound traffic */
792 time_t last_in, now;
793 last_in = get_use_time(this, TRUE);
794 now = time_monotonic(NULL);
795 diff = now - last_in;
796 if (!delay || diff >= delay)
797 {
798 /* too long ago, initiate dead peer detection */
799 DBG1(DBG_IKE, "sending DPD request");
800 this->task_manager->queue_dpd(this->task_manager);
801 task_queued = TRUE;
802 diff = 0;
803 }
804 }
805 /* recheck in "interval" seconds */
806 if (delay)
807 {
808 job = (job_t*)send_dpd_job_create(this->ike_sa_id);
809 lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
810 }
811 if (task_queued)
812 {
813 return this->task_manager->initiate(this->task_manager);
814 }
815 return SUCCESS;
816 }
817
818 METHOD(ike_sa_t, get_state, ike_sa_state_t,
819 private_ike_sa_t *this)
820 {
821 return this->state;
822 }
823
824 METHOD(ike_sa_t, set_state, void,
825 private_ike_sa_t *this, ike_sa_state_t state)
826 {
827 bool trigger_dpd = FALSE, keepalives = FALSE;
828
829 DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
830 get_name(this), this->unique_id,
831 ike_sa_state_names, this->state,
832 ike_sa_state_names, state);
833
834 switch (state)
835 {
836 case IKE_ESTABLISHED:
837 {
838 if (this->state == IKE_CONNECTING ||
839 this->state == IKE_PASSIVE)
840 {
841 job_t *job;
842 uint32_t t;
843
844 /* calculate rekey, reauth and lifetime */
845 this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
846
847 /* schedule rekeying if we have a time which is smaller than
848 * an already scheduled rekeying */
849 t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
850 if (t && (this->stats[STAT_REKEY] == 0 ||
851 (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
852 {
853 this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
854 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
855 lib->scheduler->schedule_job(lib->scheduler, job, t);
856 DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
857 }
858 t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
859 if (t && (this->stats[STAT_REAUTH] == 0 ||
860 (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
861 {
862 this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
863 job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
864 lib->scheduler->schedule_job(lib->scheduler, job, t);
865 DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
866 }
867 t = this->peer_cfg->get_over_time(this->peer_cfg);
868 if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
869 {
870 if (this->stats[STAT_REAUTH] == 0)
871 {
872 this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
873 }
874 else if (this->stats[STAT_REKEY] == 0)
875 {
876 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
877 }
878 else
879 {
880 this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
881 this->stats[STAT_REAUTH]);
882 }
883 this->stats[STAT_DELETE] += t;
884 t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
885 job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
886 lib->scheduler->schedule_job(lib->scheduler, job, t);
887 DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
888 }
889 trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
890 if (trigger_dpd)
891 {
892 /* Some peers delay the DELETE after rekeying an IKE_SA.
893 * If this delay is longer than our DPD delay, we would
894 * send a DPD request here. The IKE_SA is not ready to do
895 * so yet, so prevent that. */
896 this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
897 }
898 if (this->state == IKE_PASSIVE)
899 {
900 keepalives = TRUE;
901 }
902 DESTROY_IF(this->redirected_from);
903 this->redirected_from = NULL;
904 }
905 break;
906 }
907 default:
908 break;
909 }
910 charon->bus->ike_state_change(charon->bus, &this->public, state);
911 this->state = state;
912
913 if (trigger_dpd)
914 {
915 if (supports_extension(this, EXT_DPD))
916 {
917 send_dpd(this);
918 }
919 else
920 {
921 DBG1(DBG_IKE, "DPD not supported by peer, disabled");
922 }
923 }
924 if (keepalives)
925 {
926 send_keepalive(this, FALSE);
927 }
928 }
929
930 METHOD(ike_sa_t, reset, void,
931 private_ike_sa_t *this, bool new_spi)
932 {
933 /* reset the initiator SPI if requested */
934 if (new_spi)
935 {
936 charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
937 &this->public);
938
939 /* when starting from scratch, connect to the original peer again e.g.
940 * if we got redirected but weren't able to connect successfully */
941 if (this->redirected_from)
942 {
943 this->redirected_from->destroy(this->redirected_from);
944 this->redirected_from = NULL;
945 /* we can't restore the original value, if there was any */
946 DESTROY_IF(this->remote_host);
947 this->remote_host = NULL;
948 }
949 }
950 /* the responder ID is reset, as peer may choose another one */
951 if (this->ike_sa_id->is_initiator(this->ike_sa_id))
952 {
953 this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
954 }
955
956 set_state(this, IKE_CREATED);
957
958 flush_auth_cfgs(this);
959
960 this->keymat->destroy(this->keymat);
961 this->keymat = keymat_create(this->version,
962 this->ike_sa_id->is_initiator(this->ike_sa_id));
963
964 this->task_manager->reset(this->task_manager, 0, 0);
965 this->task_manager->queue_ike(this->task_manager);
966 }
967
968 METHOD(ike_sa_t, get_keymat, keymat_t*,
969 private_ike_sa_t *this)
970 {
971 return this->keymat;
972 }
973
974 METHOD(ike_sa_t, add_virtual_ip, void,
975 private_ike_sa_t *this, bool local, host_t *ip)
976 {
977 if (local)
978 {
979 char *iface;
980
981 if (charon->kernel->get_interface(charon->kernel, this->my_host,
982 &iface))
983 {
984 DBG1(DBG_IKE, "installing new virtual IP %H", ip);
985 if (charon->kernel->add_ip(charon->kernel, ip, -1,
986 iface) == SUCCESS)
987 {
988 array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
989 }
990 else
991 {
992 DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
993 }
994 free(iface);
995 }
996 else
997 {
998 DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
999 }
1000 }
1001 else
1002 {
1003 array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
1004 }
1005 }
1006
1007
1008 METHOD(ike_sa_t, clear_virtual_ips, void,
1009 private_ike_sa_t *this, bool local)
1010 {
1011 array_t *vips;
1012 host_t *vip;
1013
1014 vips = local ? this->my_vips : this->other_vips;
1015 if (!local && array_count(vips))
1016 {
1017 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
1018 }
1019 while (array_remove(vips, ARRAY_HEAD, &vip))
1020 {
1021 if (local)
1022 {
1023 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
1024 }
1025 vip->destroy(vip);
1026 }
1027 }
1028
1029 METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
1030 private_ike_sa_t *this, bool local)
1031 {
1032 if (local)
1033 {
1034 return array_create_enumerator(this->my_vips);
1035 }
1036 return array_create_enumerator(this->other_vips);
1037 }
1038
1039 METHOD(ike_sa_t, add_peer_address, void,
1040 private_ike_sa_t *this, host_t *host)
1041 {
1042 array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
1043 }
1044
1045 METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
1046 private_ike_sa_t *this)
1047 {
1048 if (this->peer_addresses)
1049 {
1050 return array_create_enumerator(this->peer_addresses);
1051 }
1052 /* in case we don't have MOBIKE */
1053 return enumerator_create_single(this->other_host, NULL);
1054 }
1055
1056 METHOD(ike_sa_t, clear_peer_addresses, void,
1057 private_ike_sa_t *this)
1058 {
1059 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
1060 this->peer_addresses = NULL;
1061 }
1062
1063 METHOD(ike_sa_t, has_mapping_changed, bool,
1064 private_ike_sa_t *this, chunk_t hash)
1065 {
1066 if (this->nat_detection_dest.ptr == NULL)
1067 {
1068 this->nat_detection_dest = chunk_clone(hash);
1069 return FALSE;
1070 }
1071 if (chunk_equals(hash, this->nat_detection_dest))
1072 {
1073 return FALSE;
1074 }
1075 free(this->nat_detection_dest.ptr);
1076 this->nat_detection_dest = chunk_clone(hash);
1077 return TRUE;
1078 }
1079
1080 METHOD(ike_sa_t, float_ports, void,
1081 private_ike_sa_t *this)
1082 {
1083 /* even if the remote port is not 500 (e.g. because the response was natted)
1084 * we switch the remote port if we used port 500 */
1085 if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
1086 this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
1087 {
1088 this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
1089 }
1090 if (this->my_host->get_port(this->my_host) ==
1091 charon->socket->get_port(charon->socket, FALSE))
1092 {
1093 this->my_host->set_port(this->my_host,
1094 charon->socket->get_port(charon->socket, TRUE));
1095 }
1096 }
1097
1098 METHOD(ike_sa_t, update_hosts, void,
1099 private_ike_sa_t *this, host_t *me, host_t *other, bool force)
1100 {
1101 bool update = FALSE;
1102
1103 if (me == NULL)
1104 {
1105 me = this->my_host;
1106 }
1107 if (other == NULL)
1108 {
1109 other = this->other_host;
1110 }
1111
1112 /* apply hosts on first received message */
1113 if (this->my_host->is_anyaddr(this->my_host) ||
1114 this->other_host->is_anyaddr(this->other_host))
1115 {
1116 set_my_host(this, me->clone(me));
1117 set_other_host(this, other->clone(other));
1118 update = TRUE;
1119 }
1120 else
1121 {
1122 /* update our address in any case */
1123 if (force && !me->equals(me, this->my_host))
1124 {
1125 charon->bus->ike_update(charon->bus, &this->public, TRUE, me);
1126 set_my_host(this, me->clone(me));
1127 update = TRUE;
1128 }
1129
1130 if (!other->equals(other, this->other_host) &&
1131 (force || has_condition(this, COND_NAT_THERE)))
1132 {
1133 /* only update other's address if we are behind a static NAT,
1134 * which we assume is the case if we are not initiator */
1135 if (force ||
1136 (!has_condition(this, COND_NAT_HERE) ||
1137 !has_condition(this, COND_ORIGINAL_INITIATOR)))
1138 {
1139 charon->bus->ike_update(charon->bus, &this->public, FALSE, other);
1140 set_other_host(this, other->clone(other));
1141 update = TRUE;
1142 }
1143 }
1144 }
1145
1146 /* update all associated CHILD_SAs, if required */
1147 if (update)
1148 {
1149 enumerator_t *enumerator;
1150 child_sa_t *child_sa;
1151 linked_list_t *vips;
1152
1153 vips = linked_list_create_from_enumerator(
1154 array_create_enumerator(this->my_vips));
1155
1156 enumerator = array_create_enumerator(this->child_sas);
1157 while (enumerator->enumerate(enumerator, &child_sa))
1158 {
1159 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1160 charon->child_sa_manager->add(charon->child_sa_manager,
1161 child_sa, &this->public);
1162
1163 if (child_sa->update(child_sa, this->my_host, this->other_host,
1164 vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1165 {
1166 this->public.rekey_child_sa(&this->public,
1167 child_sa->get_protocol(child_sa),
1168 child_sa->get_spi(child_sa, TRUE));
1169 }
1170
1171 }
1172 enumerator->destroy(enumerator);
1173
1174 vips->destroy(vips);
1175 }
1176 }
1177
1178 /**
1179 * Set configured DSCP value on packet
1180 */
1181 static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1182 {
1183 ike_cfg_t *ike_cfg;
1184
1185 /* prefer IKE config on peer_cfg, as its selection is more accurate
1186 * then the initial IKE config */
1187 if (this->peer_cfg)
1188 {
1189 ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1190 }
1191 else
1192 {
1193 ike_cfg = this->ike_cfg;
1194 }
1195 if (ike_cfg)
1196 {
1197 packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1198 }
1199 }
1200
1201 METHOD(ike_sa_t, generate_message, status_t,
1202 private_ike_sa_t *this, message_t *message, packet_t **packet)
1203 {
1204 status_t status;
1205
1206 if (message->is_encoded(message))
1207 { /* already encoded in task, but set DSCP value */
1208 *packet = message->get_packet(message);
1209 set_dscp(this, *packet);
1210 return SUCCESS;
1211 }
1212 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1213 message->set_ike_sa_id(message, this->ike_sa_id);
1214 charon->bus->message(charon->bus, message, FALSE, TRUE);
1215 status = message->generate(message, this->keymat, packet);
1216 if (status == SUCCESS)
1217 {
1218 set_dscp(this, *packet);
1219 charon->bus->message(charon->bus, message, FALSE, FALSE);
1220 }
1221 return status;
1222 }
1223
1224 CALLBACK(filter_fragments, bool,
1225 private_ike_sa_t *this, enumerator_t *orig, va_list args)
1226 {
1227 packet_t *fragment, **packet;
1228
1229 VA_ARGS_VGET(args, packet);
1230
1231 if (orig->enumerate(orig, &fragment))
1232 {
1233 *packet = fragment->clone(fragment);
1234 set_dscp(this, *packet);
1235 return TRUE;
1236 }
1237 return FALSE;
1238 }
1239
1240 METHOD(ike_sa_t, generate_message_fragmented, status_t,
1241 private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1242 {
1243 enumerator_t *fragments;
1244 packet_t *packet;
1245 status_t status;
1246 bool use_frags = FALSE;
1247 bool pre_generated = FALSE;
1248
1249 if (this->ike_cfg)
1250 {
1251 switch (this->ike_cfg->fragmentation(this->ike_cfg))
1252 {
1253 case FRAGMENTATION_FORCE:
1254 use_frags = TRUE;
1255 break;
1256 case FRAGMENTATION_YES:
1257 use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1258 if (use_frags && this->version == IKEV1 &&
1259 supports_extension(this, EXT_MS_WINDOWS))
1260 {
1261 /* It seems Windows 7 and 8 peers only accept proprietary
1262 * fragmented messages if they expect certificates. */
1263 use_frags = message->get_payload(message,
1264 PLV1_CERTIFICATE) != NULL;
1265 }
1266 break;
1267 default:
1268 break;
1269 }
1270 }
1271 if (!use_frags)
1272 {
1273 status = generate_message(this, message, &packet);
1274 if (status != SUCCESS)
1275 {
1276 return status;
1277 }
1278 *packets = enumerator_create_single(packet, NULL);
1279 return SUCCESS;
1280 }
1281
1282 pre_generated = message->is_encoded(message);
1283 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1284 message->set_ike_sa_id(message, this->ike_sa_id);
1285 if (!pre_generated)
1286 {
1287 charon->bus->message(charon->bus, message, FALSE, TRUE);
1288 }
1289 status = message->fragment(message, this->keymat, this->fragment_size,
1290 &fragments);
1291 if (status == SUCCESS)
1292 {
1293 if (!pre_generated)
1294 {
1295 charon->bus->message(charon->bus, message, FALSE, FALSE);
1296 }
1297 *packets = enumerator_create_filter(fragments, filter_fragments,
1298 this, NULL);
1299 }
1300 return status;
1301 }
1302
1303 METHOD(ike_sa_t, set_kmaddress, void,
1304 private_ike_sa_t *this, host_t *local, host_t *remote)
1305 {
1306 DESTROY_IF(this->local_host);
1307 DESTROY_IF(this->remote_host);
1308 this->local_host = local->clone(local);
1309 this->remote_host = remote->clone(remote);
1310 }
1311
1312 #ifdef ME
1313 METHOD(ike_sa_t, act_as_mediation_server, void,
1314 private_ike_sa_t *this)
1315 {
1316 charon->mediation_manager->update_sa_id(charon->mediation_manager,
1317 this->other_id, this->ike_sa_id);
1318 this->is_mediation_server = TRUE;
1319 }
1320
1321 METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1322 private_ike_sa_t *this)
1323 {
1324 return this->server_reflexive_host;
1325 }
1326
1327 METHOD(ike_sa_t, set_server_reflexive_host, void,
1328 private_ike_sa_t *this, host_t *host)
1329 {
1330 DESTROY_IF(this->server_reflexive_host);
1331 this->server_reflexive_host = host;
1332 }
1333
1334 METHOD(ike_sa_t, get_connect_id, chunk_t,
1335 private_ike_sa_t *this)
1336 {
1337 return this->connect_id;
1338 }
1339
1340 METHOD(ike_sa_t, respond, status_t,
1341 private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1342 {
1343 ike_me_t *task = ike_me_create(&this->public, TRUE);
1344 task->respond(task, peer_id, connect_id);
1345 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1346 return this->task_manager->initiate(this->task_manager);
1347 }
1348
1349 METHOD(ike_sa_t, callback, status_t,
1350 private_ike_sa_t *this, identification_t *peer_id)
1351 {
1352 ike_me_t *task = ike_me_create(&this->public, TRUE);
1353 task->callback(task, peer_id);
1354 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1355 return this->task_manager->initiate(this->task_manager);
1356 }
1357
1358 METHOD(ike_sa_t, relay, status_t,
1359 private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1360 chunk_t connect_key, linked_list_t *endpoints, bool response)
1361 {
1362 ike_me_t *task = ike_me_create(&this->public, TRUE);
1363 task->relay(task, requester, connect_id, connect_key, endpoints, response);
1364 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1365 return this->task_manager->initiate(this->task_manager);
1366 }
1367
1368 METHOD(ike_sa_t, initiate_mediation, status_t,
1369 private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1370 {
1371 ike_me_t *task = ike_me_create(&this->public, TRUE);
1372 task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1373 this->task_manager->queue_task(this->task_manager, (task_t*)task);
1374 return this->task_manager->initiate(this->task_manager);
1375 }
1376
1377 METHOD(ike_sa_t, initiate_mediated, status_t,
1378 private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1379 {
1380 set_my_host(this, me->clone(me));
1381 set_other_host(this, other->clone(other));
1382 chunk_free(&this->connect_id);
1383 this->connect_id = chunk_clone(connect_id);
1384 return this->task_manager->initiate(this->task_manager);
1385 }
1386 #endif /* ME */
1387
1388 /**
1389 * Resolve DNS host in configuration
1390 */
1391 static void resolve_hosts(private_ike_sa_t *this)
1392 {
1393 host_t *host;
1394 int family = AF_UNSPEC;
1395
1396 switch (charon->socket->supported_families(charon->socket))
1397 {
1398 case SOCKET_FAMILY_IPV4:
1399 family = AF_INET;
1400 break;
1401 case SOCKET_FAMILY_IPV6:
1402 family = AF_INET6;
1403 break;
1404 case SOCKET_FAMILY_BOTH:
1405 case SOCKET_FAMILY_NONE:
1406 break;
1407 }
1408
1409 /* if an IP address is set locally, use the same family to resolve remote */
1410 if (family == AF_UNSPEC && !this->remote_host)
1411 {
1412 if (this->local_host)
1413 {
1414 family = this->local_host->get_family(this->local_host);
1415 }
1416 else
1417 {
1418 family = ike_cfg_get_family(this->ike_cfg, TRUE);
1419 }
1420 }
1421
1422 if (this->remote_host)
1423 {
1424 host = this->remote_host->clone(this->remote_host);
1425 host->set_port(host, IKEV2_UDP_PORT);
1426 }
1427 else
1428 {
1429 host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1430 }
1431 if (host)
1432 {
1433 if (!host->is_anyaddr(host) ||
1434 this->other_host->is_anyaddr(this->other_host))
1435 { /* don't set to %any if we currently have an address, but the
1436 * address family might have changed */
1437 set_other_host(this, host);
1438 }
1439 else
1440 { /* reuse the original port as some implementations might not like
1441 * initial IKE messages on other ports */
1442 this->other_host->set_port(this->other_host, host->get_port(host));
1443 host->destroy(host);
1444 }
1445 }
1446
1447 if (this->local_host)
1448 {
1449 host = this->local_host->clone(this->local_host);
1450 host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1451 }
1452 else
1453 {
1454 /* use same address family as for other */
1455 if (!this->other_host->is_anyaddr(this->other_host))
1456 {
1457 family = this->other_host->get_family(this->other_host);
1458 }
1459 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1460
1461 if (host && host->is_anyaddr(host) &&
1462 !this->other_host->is_anyaddr(this->other_host))
1463 {
1464 host->destroy(host);
1465 host = charon->kernel->get_source_addr(charon->kernel,
1466 this->other_host, NULL);
1467 if (host)
1468 {
1469 host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1470 }
1471 else
1472 { /* fallback to address family specific %any(6), if configured */
1473 host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1474 }
1475 }
1476 }
1477 if (host)
1478 {
1479 set_my_host(this, host);
1480 }
1481 }
1482
1483 METHOD(ike_sa_t, initiate, status_t,
1484 private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid,
1485 traffic_selector_t *tsi, traffic_selector_t *tsr)
1486 {
1487 bool defer_initiate = FALSE;
1488
1489 if (this->state == IKE_CREATED)
1490 {
1491 if (this->my_host->is_anyaddr(this->my_host) ||
1492 this->other_host->is_anyaddr(this->other_host))
1493 {
1494 resolve_hosts(this);
1495 }
1496
1497 if (this->other_host->is_anyaddr(this->other_host)
1498 #ifdef ME
1499 && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1500 #endif /* ME */
1501 )
1502 {
1503 char *addr;
1504
1505 addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1506 if (!this->retry_initiate_interval)
1507 {
1508 DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1509 addr);
1510 DESTROY_IF(child_cfg);
1511 charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1512 return DESTROY_ME;
1513 }
1514 DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1515 addr, this->retry_initiate_interval);
1516 defer_initiate = TRUE;
1517 }
1518
1519 set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1520 this->task_manager->queue_ike(this->task_manager);
1521 }
1522
1523 #ifdef ME
1524 if (this->peer_cfg->is_mediation(this->peer_cfg))
1525 {
1526 if (this->state == IKE_ESTABLISHED)
1527 {
1528 /* mediation connection is already established, retrigger state
1529 * change to notify bus listeners */
1530 DBG1(DBG_IKE, "mediation connection is already up");
1531 set_state(this, IKE_ESTABLISHED);
1532 }
1533 DESTROY_IF(child_cfg);
1534 }
1535 else
1536 #endif /* ME */
1537 if (child_cfg)
1538 {
1539 /* normal IKE_SA with CHILD_SA */
1540 this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1541 tsi, tsr);
1542 #ifdef ME
1543 if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1544 {
1545 /* mediated connection, initiate mediation process */
1546 job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1547 lib->processor->queue_job(lib->processor, job);
1548 return SUCCESS;
1549 }
1550 #endif /* ME */
1551 }
1552
1553 if (defer_initiate)
1554 {
1555 if (!this->retry_initiate_queued)
1556 {
1557 job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1558 lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1559 this->retry_initiate_interval);
1560 this->retry_initiate_queued = TRUE;
1561 }
1562 return SUCCESS;
1563 }
1564 this->retry_initiate_queued = FALSE;
1565 return this->task_manager->initiate(this->task_manager);
1566 }
1567
1568 METHOD(ike_sa_t, retry_initiate, status_t,
1569 private_ike_sa_t *this)
1570 {
1571 if (this->retry_initiate_queued)
1572 {
1573 this->retry_initiate_queued = FALSE;
1574 return initiate(this, NULL, 0, NULL, NULL);
1575 }
1576 return SUCCESS;
1577 }
1578
1579 METHOD(ike_sa_t, process_message, status_t,
1580 private_ike_sa_t *this, message_t *message)
1581 {
1582 status_t status;
1583
1584 if (this->state == IKE_PASSIVE)
1585 { /* do not handle messages in passive state */
1586 return FAILED;
1587 }
1588 if (message->get_major_version(message) != this->version)
1589 {
1590 DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1591 exchange_type_names, message->get_exchange_type(message),
1592 message->get_major_version(message),
1593 ike_version_names, this->version);
1594 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1595 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1596 return FAILED;
1597 }
1598 status = this->task_manager->process_message(this->task_manager, message);
1599 if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1600 {
1601 /* authentication completed but if the online validation is suspended we
1602 * need the auth cfgs until we did the delayed verification, we flush
1603 * them afterwards */
1604 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
1605 {
1606 this->flush_auth_cfg = FALSE;
1607 flush_auth_cfgs(this);
1608 }
1609 }
1610 return status;
1611 }
1612
1613 METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1614 private_ike_sa_t *this)
1615 {
1616 return this->ike_sa_id;
1617 }
1618
1619 METHOD(ike_sa_t, get_version, ike_version_t,
1620 private_ike_sa_t *this)
1621 {
1622 return this->version;
1623 }
1624
1625 METHOD(ike_sa_t, get_my_id, identification_t*,
1626 private_ike_sa_t *this)
1627 {
1628 return this->my_id;
1629 }
1630
1631 METHOD(ike_sa_t, set_my_id, void,
1632 private_ike_sa_t *this, identification_t *me)
1633 {
1634 DESTROY_IF(this->my_id);
1635 this->my_id = me;
1636 }
1637
1638 METHOD(ike_sa_t, get_other_id, identification_t*,
1639 private_ike_sa_t *this)
1640 {
1641 return this->other_id;
1642 }
1643
1644 METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1645 private_ike_sa_t *this)
1646 {
1647 identification_t *id = NULL, *current;
1648 enumerator_t *enumerator;
1649 auth_cfg_t *cfg;
1650
1651 enumerator = array_create_enumerator(this->other_auths);
1652 while (enumerator->enumerate(enumerator, &cfg))
1653 {
1654 /* prefer EAP-Identity of last round */
1655 current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1656 if (!current || current->get_type(current) == ID_ANY)
1657 {
1658 current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1659 }
1660 if (!current || current->get_type(current) == ID_ANY)
1661 {
1662 current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1663 }
1664 if (current && current->get_type(current) != ID_ANY)
1665 {
1666 id = current;
1667 continue;
1668 }
1669 }
1670 enumerator->destroy(enumerator);
1671 if (id)
1672 {
1673 return id;
1674 }
1675 return this->other_id;
1676 }
1677
1678 METHOD(ike_sa_t, set_other_id, void,
1679 private_ike_sa_t *this, identification_t *other)
1680 {
1681 DESTROY_IF(this->other_id);
1682 this->other_id = other;
1683 }
1684
1685 METHOD(ike_sa_t, get_if_id, uint32_t,
1686 private_ike_sa_t *this, bool inbound)
1687 {
1688 return inbound ? this->if_id_in : this->if_id_out;
1689 }
1690
1691 METHOD(ike_sa_t, add_child_sa, void,
1692 private_ike_sa_t *this, child_sa_t *child_sa)
1693 {
1694 array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1695 charon->child_sa_manager->add(charon->child_sa_manager,
1696 child_sa, &this->public);
1697 }
1698
1699 METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1700 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
1701 {
1702 enumerator_t *enumerator;
1703 child_sa_t *current, *found = NULL;
1704
1705 enumerator = array_create_enumerator(this->child_sas);
1706 while (enumerator->enumerate(enumerator, (void**)&current))
1707 {
1708 if (current->get_spi(current, inbound) == spi &&
1709 current->get_protocol(current) == protocol)
1710 {
1711 found = current;
1712 }
1713 }
1714 enumerator->destroy(enumerator);
1715 return found;
1716 }
1717
1718 METHOD(ike_sa_t, get_child_count, int,
1719 private_ike_sa_t *this)
1720 {
1721 return array_count(this->child_sas);
1722 }
1723
1724 /**
1725 * Private data of a create_child_sa_enumerator()
1726 */
1727 typedef struct {
1728 /** implements enumerator */
1729 enumerator_t public;
1730 /** inner array enumerator */
1731 enumerator_t *inner;
1732 /** current item */
1733 child_sa_t *current;
1734 } child_enumerator_t;
1735
1736 METHOD(enumerator_t, child_enumerate, bool,
1737 child_enumerator_t *this, va_list args)
1738 {
1739 child_sa_t **child_sa;
1740
1741 VA_ARGS_VGET(args, child_sa);
1742 if (this->inner->enumerate(this->inner, &this->current))
1743 {
1744 *child_sa = this->current;
1745 return TRUE;
1746 }
1747 return FALSE;
1748 }
1749
1750 METHOD(enumerator_t, child_enumerator_destroy, void,
1751 child_enumerator_t *this)
1752 {
1753 this->inner->destroy(this->inner);
1754 free(this);
1755 }
1756
1757 METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1758 private_ike_sa_t *this)
1759 {
1760 child_enumerator_t *enumerator;
1761
1762 INIT(enumerator,
1763 .public = {
1764 .enumerate = enumerator_enumerate_default,
1765 .venumerate = _child_enumerate,
1766 .destroy = _child_enumerator_destroy,
1767 },
1768 .inner = array_create_enumerator(this->child_sas),
1769 );
1770 return &enumerator->public;
1771 }
1772
1773 METHOD(ike_sa_t, remove_child_sa, void,
1774 private_ike_sa_t *this, enumerator_t *enumerator)
1775 {
1776 child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1777
1778 charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1779 array_remove_at(this->child_sas, ce->inner);
1780 }
1781
1782 METHOD(ike_sa_t, rekey_child_sa, status_t,
1783 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1784 {
1785 if (this->state == IKE_PASSIVE)
1786 {
1787 return INVALID_STATE;
1788 }
1789 this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1790 return this->task_manager->initiate(this->task_manager);
1791 }
1792
1793 METHOD(ike_sa_t, delete_child_sa, status_t,
1794 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
1795 {
1796 if (this->state == IKE_PASSIVE)
1797 {
1798 return INVALID_STATE;
1799 }
1800 this->task_manager->queue_child_delete(this->task_manager,
1801 protocol, spi, expired);
1802 return this->task_manager->initiate(this->task_manager);
1803 }
1804
1805 METHOD(ike_sa_t, destroy_child_sa, status_t,
1806 private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1807 {
1808 enumerator_t *enumerator;
1809 child_sa_t *child_sa;
1810 status_t status = NOT_FOUND;
1811
1812 enumerator = create_child_sa_enumerator(this);
1813 while (enumerator->enumerate(enumerator, (void**)&child_sa))
1814 {
1815 if (child_sa->get_protocol(child_sa) == protocol &&
1816 child_sa->get_spi(child_sa, TRUE) == spi)
1817 {
1818 remove_child_sa(this, enumerator);
1819 child_sa->destroy(child_sa);
1820 status = SUCCESS;
1821 break;
1822 }
1823 }
1824 enumerator->destroy(enumerator);
1825 return status;
1826 }
1827
1828 METHOD(ike_sa_t, delete_, status_t,
1829 private_ike_sa_t *this, bool force)
1830 {
1831 status_t status = DESTROY_ME;
1832
1833 switch (this->state)
1834 {
1835 case IKE_ESTABLISHED:
1836 case IKE_REKEYING:
1837 if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
1838 !(this->version == IKEV1 && this->state == IKE_REKEYING))
1839 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1840 * IKEv1 SAs */
1841 charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1842 }
1843 this->task_manager->queue_ike_delete(this->task_manager);
1844 status = this->task_manager->initiate(this->task_manager);
1845 break;
1846 case IKE_CREATED:
1847 DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1848 break;
1849 case IKE_PASSIVE:
1850 break;
1851 default:
1852 DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1853 ike_sa_state_names, this->state);
1854 force = TRUE;
1855 break;
1856 }
1857
1858 if (force)
1859 {
1860 status = DESTROY_ME;
1861
1862 if (this->version == IKEV2)
1863 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1864 switch (this->state)
1865 {
1866 case IKE_ESTABLISHED:
1867 case IKE_REKEYING:
1868 case IKE_DELETING:
1869 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1870 default:
1871 break;
1872 }
1873 }
1874 }
1875 return status;
1876 }
1877
1878 METHOD(ike_sa_t, rekey, status_t,
1879 private_ike_sa_t *this)
1880 {
1881 if (this->state == IKE_PASSIVE)
1882 {
1883 return INVALID_STATE;
1884 }
1885 this->task_manager->queue_ike_rekey(this->task_manager);
1886 return this->task_manager->initiate(this->task_manager);
1887 }
1888
1889 METHOD(ike_sa_t, reauth, status_t,
1890 private_ike_sa_t *this)
1891 {
1892 if (this->state == IKE_PASSIVE)
1893 {
1894 return INVALID_STATE;
1895 }
1896 if (this->state == IKE_CONNECTING)
1897 {
1898 DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1899 get_name(this), this->unique_id);
1900 reset(this, TRUE);
1901 return this->task_manager->initiate(this->task_manager);
1902 }
1903 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1904 * If the peer does not support RFC4478, there is no way to keep the
1905 * IKE_SA up. */
1906 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1907 {
1908 DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1909 if (array_count(this->other_vips) != 0 ||
1910 has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1911 has_condition(this, COND_EAP_AUTHENTICATED)
1912 #ifdef ME
1913 /* as mediation server we too cannot reauth the IKE_SA */
1914 || this->is_mediation_server
1915 #endif /* ME */
1916 )
1917 {
1918 time_t del, now;
1919
1920 del = this->stats[STAT_DELETE];
1921 now = time_monotonic(NULL);
1922 DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1923 get_name(this), this->unique_id, &now, &del);
1924 return FAILED;
1925 }
1926 else
1927 {
1928 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1929 get_name(this), this->unique_id);
1930 }
1931 }
1932 else
1933 {
1934 DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1935 get_name(this), this->unique_id);
1936 }
1937 set_condition(this, COND_REAUTHENTICATING, TRUE);
1938 this->task_manager->queue_ike_reauth(this->task_manager);
1939 return this->task_manager->initiate(this->task_manager);
1940 }
1941
1942 /**
1943 * Check if any tasks of a specific type are queued in the given queue.
1944 */
1945 static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue,
1946 task_type_t type)
1947 {
1948 enumerator_t *enumerator;
1949 task_t *task;
1950 bool found = FALSE;
1951
1952 enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1953 queue);
1954 while (enumerator->enumerate(enumerator, &task))
1955 {
1956 if (task->get_type(task) == type)
1957 {
1958 found = TRUE;
1959 break;
1960 }
1961 }
1962 enumerator->destroy(enumerator);
1963 return found;
1964 }
1965
1966 /**
1967 * Check if any tasks to create CHILD_SAs are queued in the given queue.
1968 */
1969 static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1970 {
1971 return is_task_queued(this, queue,
1972 this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE);
1973 }
1974
1975 /**
1976 * Check if any tasks to delete the IKE_SA are queued in the given queue.
1977 */
1978 static bool is_delete_queued(private_ike_sa_t *this, task_queue_t queue)
1979 {
1980 return is_task_queued(this, queue,
1981 this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE);
1982 }
1983
1984 /**
1985 * Reestablish CHILD_SAs and migrate queued tasks.
1986 *
1987 * If force is true all SAs are restarted, otherwise their close/dpd_action
1988 * is followed.
1989 */
1990 static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
1991 bool force)
1992 {
1993 enumerator_t *enumerator;
1994 child_sa_t *child_sa;
1995 child_cfg_t *child_cfg;
1996 action_t action;
1997 status_t status = FAILED;
1998
1999 /* handle existing CHILD_SAs */
2000 enumerator = create_child_sa_enumerator(this);
2001 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2002 {
2003 switch (child_sa->get_state(child_sa))
2004 {
2005 case CHILD_REKEYED:
2006 case CHILD_DELETED:
2007 /* ignore CHILD_SAs in these states */
2008 continue;
2009 default:
2010 break;
2011 }
2012 if (force)
2013 {
2014 action = ACTION_RESTART;
2015 }
2016 else
2017 { /* only restart CHILD_SAs that are configured accordingly */
2018 if (this->state == IKE_DELETING)
2019 {
2020 action = child_sa->get_close_action(child_sa);
2021 }
2022 else
2023 {
2024 action = child_sa->get_dpd_action(child_sa);
2025 }
2026 }
2027 switch (action)
2028 {
2029 case ACTION_RESTART:
2030 child_cfg = child_sa->get_config(child_sa);
2031 DBG1(DBG_IKE, "restarting CHILD_SA %s",
2032 child_cfg->get_name(child_cfg));
2033 child_cfg->get_ref(child_cfg);
2034 status = new->initiate(new, child_cfg,
2035 child_sa->get_reqid(child_sa), NULL, NULL);
2036 break;
2037 default:
2038 continue;
2039 }
2040 if (status == DESTROY_ME)
2041 {
2042 break;
2043 }
2044 }
2045 enumerator->destroy(enumerator);
2046 /* adopt any active or queued CHILD-creating tasks */
2047 if (status != DESTROY_ME)
2048 {
2049 new->adopt_child_tasks(new, &this->public);
2050 if (new->get_state(new) == IKE_CREATED)
2051 {
2052 status = new->initiate(new, NULL, 0, NULL, NULL);
2053 }
2054 }
2055 return status;
2056 }
2057
2058 METHOD(ike_sa_t, reestablish, status_t,
2059 private_ike_sa_t *this)
2060 {
2061 ike_sa_t *new;
2062 host_t *host;
2063 action_t action;
2064 enumerator_t *enumerator;
2065 child_sa_t *child_sa;
2066 bool restart = FALSE;
2067 status_t status = FAILED;
2068
2069 if (is_delete_queued(this, TASK_QUEUE_QUEUED))
2070 { /* don't reestablish IKE_SAs that have explicitly been deleted in the
2071 * mean time */
2072 return FAILED;
2073 }
2074
2075 if (has_condition(this, COND_REAUTHENTICATING))
2076 { /* only reauthenticate if we have children */
2077 if (array_count(this->child_sas) == 0
2078 #ifdef ME
2079 /* allow reauth of mediation connections without CHILD_SAs */
2080 && !this->peer_cfg->is_mediation(this->peer_cfg)
2081 #endif /* ME */
2082 )
2083 {
2084 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2085 "to recreate");
2086 }
2087 else
2088 {
2089 restart = TRUE;
2090 }
2091 }
2092 else
2093 { /* check if we have children to keep up at all */
2094 enumerator = array_create_enumerator(this->child_sas);
2095 while (enumerator->enumerate(enumerator, (void**)&child_sa))
2096 {
2097 switch (child_sa->get_state(child_sa))
2098 {
2099 case CHILD_REKEYED:
2100 case CHILD_DELETED:
2101 /* ignore CHILD_SAs in these states */
2102 continue;
2103 default:
2104 break;
2105 }
2106 if (this->state == IKE_DELETING)
2107 {
2108 action = child_sa->get_close_action(child_sa);
2109 }
2110 else
2111 {
2112 action = child_sa->get_dpd_action(child_sa);
2113 }
2114 switch (action)
2115 {
2116 case ACTION_RESTART:
2117 restart = TRUE;
2118 break;
2119 case ACTION_ROUTE:
2120 charon->traps->install(charon->traps, this->peer_cfg,
2121 child_sa->get_config(child_sa));
2122 break;
2123 default:
2124 break;
2125 }
2126 }
2127 enumerator->destroy(enumerator);
2128 /* check if we have tasks that recreate children */
2129 if (!restart)
2130 {
2131 restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
2132 is_child_queued(this, TASK_QUEUE_QUEUED);
2133 }
2134 #ifdef ME
2135 /* mediation connections have no children, keep them up anyway */
2136 if (this->peer_cfg->is_mediation(this->peer_cfg))
2137 {
2138 restart = TRUE;
2139 }
2140 #endif /* ME */
2141 }
2142 if (!restart)
2143 {
2144 return FAILED;
2145 }
2146
2147 /* check if we are able to reestablish this IKE_SA */
2148 if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
2149 (array_count(this->other_vips) != 0 ||
2150 has_condition(this, COND_EAP_AUTHENTICATED)
2151 #ifdef ME
2152 || this->is_mediation_server
2153 #endif /* ME */
2154 ))
2155 {
2156 DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
2157 return FAILED;
2158 }
2159
2160 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2161 this->version, TRUE);
2162 if (!new)
2163 {
2164 return FAILED;
2165 }
2166 new->set_peer_cfg(new, this->peer_cfg);
2167 host = this->other_host;
2168 new->set_other_host(new, host->clone(host));
2169 host = this->my_host;
2170 new->set_my_host(new, host->clone(host));
2171 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2172 if (!has_condition(this, COND_REAUTHENTICATING))
2173 { /* reauthenticate to the same addresses, but resolve hosts if
2174 * reestablishing (old addresses serve as fallback) */
2175 resolve_hosts((private_ike_sa_t*)new);
2176 }
2177 /* if we already have a virtual IP, we reuse it */
2178 enumerator = array_create_enumerator(this->my_vips);
2179 while (enumerator->enumerate(enumerator, &host))
2180 {
2181 new->add_virtual_ip(new, TRUE, host);
2182 }
2183 enumerator->destroy(enumerator);
2184
2185 #ifdef ME
2186 if (this->peer_cfg->is_mediation(this->peer_cfg))
2187 {
2188 status = new->initiate(new, NULL, 0, NULL, NULL);
2189 }
2190 else
2191 #endif /* ME */
2192 {
2193 status = reestablish_children(this, new,
2194 has_condition(this, COND_REAUTHENTICATING));
2195 }
2196
2197 if (status == DESTROY_ME)
2198 {
2199 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2200 FALSE);
2201 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2202 status = FAILED;
2203 }
2204 else
2205 {
2206 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2207 TRUE);
2208 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2209 status = SUCCESS;
2210 }
2211 charon->bus->set_sa(charon->bus, &this->public);
2212 return status;
2213 }
2214
2215 /**
2216 * Resolve the given gateway ID
2217 */
2218 static host_t *resolve_gateway_id(identification_t *gateway)
2219 {
2220 char gw[BUF_LEN];
2221 host_t *addr;
2222
2223 snprintf(gw, sizeof(gw), "%Y", gateway);
2224 gw[sizeof(gw)-1] = '\0';
2225 addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2226 if (!addr)
2227 {
2228 DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2229 gateway);
2230 }
2231 return addr;
2232 }
2233
2234 /**
2235 * Redirect the current SA to the given target host
2236 */
2237 static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2238 {
2239 private_ike_sa_t *new_priv;
2240 ike_sa_t *new;
2241 host_t *other;
2242 time_t redirect;
2243
2244 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
2245 this->version, TRUE);
2246 if (!new)
2247 {
2248 return FALSE;
2249 }
2250 new_priv = (private_ike_sa_t*)new;
2251 new->set_peer_cfg(new, this->peer_cfg);
2252 new_priv->redirected_from = this->other_host->clone(this->other_host);
2253 charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2254 other = resolve_gateway_id(to);
2255 if (other)
2256 {
2257 set_my_host(new_priv, this->my_host->clone(this->my_host));
2258 /* this allows us to force the remote address while we still properly
2259 * resolve the local address */
2260 new_priv->remote_host = other;
2261 resolve_hosts(new_priv);
2262 new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2263 while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2264 {
2265 array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2266 }
2267 if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2268 {
2269 #ifdef USE_IKEV2
2270 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2271 this->ike_sa_id));
2272 #endif
2273 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2274 TRUE);
2275 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2276 charon->bus->set_sa(charon->bus, &this->public);
2277 return TRUE;
2278 }
2279 }
2280 charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2281 FALSE);
2282 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2283 charon->bus->set_sa(charon->bus, &this->public);
2284 return FALSE;
2285 }
2286
2287 /**
2288 * Redirect the current connecting SA to the given target host
2289 */
2290 static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2291 {
2292 host_t *other;
2293
2294 other = resolve_gateway_id(to);
2295 if (!other)
2296 {
2297 return FALSE;
2298 }
2299 reset(this, TRUE);
2300 DESTROY_IF(this->redirected_from);
2301 this->redirected_from = this->other_host->clone(this->other_host);
2302 /* this allows us to force the remote address while we still properly
2303 * resolve the local address */
2304 DESTROY_IF(this->remote_host);
2305 this->remote_host = other;
2306 resolve_hosts(this);
2307 return TRUE;
2308 }
2309
2310 /**
2311 * Check if the current redirect exceeds the limits for redirects
2312 */
2313 static bool redirect_count_exceeded(private_ike_sa_t *this)
2314 {
2315 time_t now, redirect;
2316
2317 now = time_monotonic(NULL);
2318 /* remove entries outside the defined period */
2319 while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2320 now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2321 {
2322 array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2323 }
2324 if (array_count(this->redirected_at) < MAX_REDIRECTS)
2325 {
2326 if (!this->redirected_at)
2327 {
2328 this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2329 }
2330 array_insert(this->redirected_at, ARRAY_TAIL, &now);
2331 return FALSE;
2332 }
2333 return TRUE;
2334 }
2335
2336 METHOD(ike_sa_t, handle_redirect, bool,
2337 private_ike_sa_t *this, identification_t *gateway)
2338 {
2339 DBG1(DBG_IKE, "redirected to %Y", gateway);
2340 if (!this->follow_redirects)
2341 {
2342 DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2343 return FALSE;
2344 }
2345 if (redirect_count_exceeded(this))
2346 {
2347 DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2348 MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2349 return FALSE;
2350 }
2351
2352 switch (this->state)
2353 {
2354 case IKE_CONNECTING:
2355 return redirect_connecting(this, gateway);
2356 case IKE_ESTABLISHED:
2357 return redirect_established(this, gateway);
2358 default:
2359 DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2360 ike_sa_state_names, this->state);
2361 return FALSE;
2362 }
2363 }
2364
2365 METHOD(ike_sa_t, redirect, status_t,
2366 private_ike_sa_t *this, identification_t *gateway)
2367 {
2368 switch (this->state)
2369 {
2370 case IKE_CONNECTING:
2371 case IKE_ESTABLISHED:
2372 case IKE_REKEYING:
2373 if (has_condition(this, COND_REDIRECTED))
2374 { /* IKE_SA already got redirected */
2375 return SUCCESS;
2376 }
2377 if (has_condition(this, COND_ORIGINAL_INITIATOR))
2378 {
2379 DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2380 return FAILED;
2381 }
2382 if (this->version == IKEV1)
2383 {
2384 DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2385 return FAILED;
2386 }
2387 if (!supports_extension(this, EXT_IKE_REDIRECTION))
2388 {
2389 DBG1(DBG_IKE, "client does not support IKE redirection");
2390 return FAILED;
2391 }
2392 #ifdef USE_IKEV2
2393 this->task_manager->queue_task(this->task_manager,
2394 (task_t*)ike_redirect_create(&this->public, gateway));
2395 #endif
2396 return this->task_manager->initiate(this->task_manager);
2397 default:
2398 DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2399 ike_sa_state_names, this->state);
2400 return INVALID_STATE;
2401 }
2402 }
2403
2404 METHOD(ike_sa_t, retransmit, status_t,
2405 private_ike_sa_t *this, uint32_t message_id)
2406 {
2407 if (this->state == IKE_PASSIVE)
2408 {
2409 return INVALID_STATE;
2410 }
2411 this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
2412 if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS)
2413 {
2414 /* send a proper signal to brief interested bus listeners */
2415 switch (this->state)
2416 {
2417 case IKE_CONNECTING:
2418 {
2419 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2420 uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
2421 charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
2422 this->keyingtry);
2423 this->keyingtry++;
2424 if (tries == 0 || tries > this->keyingtry)
2425 {
2426 DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
2427 this->keyingtry + 1, tries);
2428 reset(this, TRUE);
2429 resolve_hosts(this);
2430 return this->task_manager->initiate(this->task_manager);
2431 }
2432 DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
2433
2434 if (this->version == IKEV1 && array_count(this->child_sas))
2435 {
2436 enumerator_t *enumerator;
2437 child_sa_t *child_sa;
2438
2439 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2440 * in this state with CHILD_SAs), try again from scratch */
2441 DBG1(DBG_IKE, "reauthentication failed, trying to "
2442 "reestablish IKE_SA");
2443 reestablish(this);
2444 /* trigger down events for the CHILD_SAs, as no down event
2445 * is triggered below for IKE SAs in this state */
2446 enumerator = array_create_enumerator(this->child_sas);
2447 while (enumerator->enumerate(enumerator, &child_sa))
2448 {
2449 if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
2450 child_sa->get_state(child_sa) != CHILD_DELETED)
2451 {
2452 charon->bus->child_updown(charon->bus, child_sa,
2453 FALSE);
2454 }
2455 }
2456 enumerator->destroy(enumerator);
2457 }
2458 break;
2459 }
2460 case IKE_DELETING:
2461 DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
2462 if (has_condition(this, COND_REAUTHENTICATING) &&
2463 !lib->settings->get_bool(lib->settings,
2464 "%s.make_before_break", FALSE, lib->ns))
2465 {
2466 DBG1(DBG_IKE, "delete during reauthentication failed, "
2467 "trying to reestablish IKE_SA anyway");
2468 reestablish(this);
2469 }
2470 break;
2471 case IKE_REKEYING:
2472 DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
2473 /* FALL */
2474 default:
2475 reestablish(this);
2476 break;
2477 }
2478 if (this->state != IKE_CONNECTING &&
2479 this->state != IKE_REKEYED)
2480 {
2481 charon->bus->ike_updown(charon->bus, &this->public, FALSE);
2482 }
2483 return DESTROY_ME;
2484 }
2485 return SUCCESS;
2486 }
2487
2488 METHOD(ike_sa_t, set_auth_lifetime, status_t,
2489 private_ike_sa_t *this, uint32_t lifetime)
2490 {
2491 uint32_t diff, hard, soft, now;
2492 bool send_update;
2493
2494 diff = this->peer_cfg->get_over_time(this->peer_cfg);
2495 now = time_monotonic(NULL);
2496 hard = now + lifetime;
2497 soft = hard - diff;
2498
2499 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2500 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2501 send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2502 !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2503 (array_count(this->other_vips) != 0 ||
2504 has_condition(this, COND_EAP_AUTHENTICATED));
2505
2506 if (lifetime < diff)
2507 {
2508 this->stats[STAT_REAUTH] = now;
2509
2510 if (!send_update)
2511 {
2512 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2513 "starting reauthentication", lifetime);
2514 lib->processor->queue_job(lib->processor,
2515 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2516 }
2517 }
2518 else if (this->stats[STAT_REAUTH] == 0 ||
2519 this->stats[STAT_REAUTH] > soft)
2520 {
2521 this->stats[STAT_REAUTH] = soft;
2522 if (!send_update)
2523 {
2524 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2525 "reauthentication in %ds", lifetime, lifetime - diff);
2526 lib->scheduler->schedule_job(lib->scheduler,
2527 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2528 lifetime - diff);
2529 }
2530 }
2531 else
2532 {
2533 DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2534 "reauthentication already scheduled in %ds", lifetime,
2535 this->stats[STAT_REAUTH] - time_monotonic(NULL));
2536 send_update = FALSE;
2537 }
2538 /* give at least some seconds to reauthenticate */
2539 this->stats[STAT_DELETE] = max(hard, now + 10);
2540
2541 #ifdef USE_IKEV2
2542 if (send_update)
2543 {
2544 ike_auth_lifetime_t *task;
2545
2546 task = ike_auth_lifetime_create(&this->public, TRUE);
2547 this->task_manager->queue_task(this->task_manager, &task->task);
2548 return this->task_manager->initiate(this->task_manager);
2549 }
2550 #endif
2551 return SUCCESS;
2552 }
2553
2554 /**
2555 * Check if the current combination of source and destination address is still
2556 * valid.
2557 */
2558 static bool is_current_path_valid(private_ike_sa_t *this)
2559 {
2560 bool valid = FALSE;
2561 host_t *src;
2562
2563 if (supports_extension(this, EXT_MOBIKE) &&
2564 lib->settings->get_bool(lib->settings,
2565 "%s.prefer_best_path", FALSE, lib->ns))
2566 {
2567 /* check if the current path is the best path; migrate otherwise */
2568 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2569 NULL);
2570 if (src)
2571 {
2572 valid = src->ip_equals(src, this->my_host);
2573 src->destroy(src);
2574 }
2575 if (!valid)
2576 {
2577 DBG1(DBG_IKE, "old path is not preferred anymore");
2578 }
2579 return valid;
2580 }
2581 src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2582 this->my_host);
2583 if (src)
2584 {
2585 if (src->ip_equals(src, this->my_host))
2586 {
2587 valid = TRUE;
2588 }
2589 src->destroy(src);
2590 }
2591 if (!valid)
2592 {
2593 DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2594 }
2595 return valid;
2596 }
2597
2598 /**
2599 * Check if we have any path available for this IKE SA.
2600 */
2601 static bool is_any_path_valid(private_ike_sa_t *this)
2602 {
2603 bool valid = FALSE;
2604 enumerator_t *enumerator;
2605 host_t *src = NULL, *addr;
2606 int family = AF_UNSPEC;
2607
2608 switch (charon->socket->supported_families(charon->socket))
2609 {
2610 case SOCKET_FAMILY_IPV4:
2611 family = AF_INET;
2612 break;
2613 case SOCKET_FAMILY_IPV6:
2614 family = AF_INET6;
2615 break;
2616 case SOCKET_FAMILY_BOTH:
2617 case SOCKET_FAMILY_NONE:
2618 break;
2619 }
2620
2621 enumerator = create_peer_address_enumerator(this);
2622 while (enumerator->enumerate(enumerator, &addr))
2623 {
2624 if (family != AF_UNSPEC && addr->get_family(addr) != family)
2625 {
2626 continue;
2627 }
2628 DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2629 src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2630 if (src)
2631 {
2632 break;
2633 }
2634 }
2635 enumerator->destroy(enumerator);
2636 if (src)
2637 {
2638 valid = TRUE;
2639 src->destroy(src);
2640 }
2641 return valid;
2642 }
2643
2644 METHOD(ike_sa_t, roam, status_t,
2645 private_ike_sa_t *this, bool address)
2646 {
2647 switch (this->state)
2648 {
2649 case IKE_CREATED:
2650 case IKE_DELETING:
2651 case IKE_DESTROYING:
2652 case IKE_PASSIVE:
2653 case IKE_REKEYED:
2654 return SUCCESS;
2655 default:
2656 break;
2657 }
2658
2659 if (!this->ike_cfg)
2660 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2661 * without config assigned */
2662 return SUCCESS;
2663 }
2664 if (this->version == IKEV1)
2665 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2666 * have to reestablish from scratch (reauth is not enough) */
2667 return SUCCESS;
2668 }
2669
2670 /* ignore roam events if MOBIKE is not supported/enabled and the local
2671 * address is statically configured */
2672 if (!supports_extension(this, EXT_MOBIKE) &&
2673 ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
2674 {
2675 DBG2(DBG_IKE, "keeping statically configured path %H - %H",
2676 this->my_host, this->other_host);
2677 return SUCCESS;
2678 }
2679
2680 /* keep existing path if possible */
2681 if (is_current_path_valid(this))
2682 {
2683 DBG2(DBG_IKE, "keeping connection path %H - %H",
2684 this->my_host, this->other_host);
2685 set_condition(this, COND_STALE, FALSE);
2686
2687 if (supports_extension(this, EXT_MOBIKE) && address)
2688 { /* if any addresses changed, send an updated list */
2689 DBG1(DBG_IKE, "sending address list update using MOBIKE");
2690 this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2691 return this->task_manager->initiate(this->task_manager);
2692 }
2693 return SUCCESS;
2694 }
2695
2696 if (!is_any_path_valid(this))
2697 {
2698 DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2699 this->other_host);
2700 set_condition(this, COND_STALE, TRUE);
2701 return SUCCESS;
2702 }
2703 set_condition(this, COND_STALE, FALSE);
2704
2705 /* update addresses with mobike, if supported ... */
2706 if (supports_extension(this, EXT_MOBIKE))
2707 {
2708 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2709 { /* responder updates the peer about changed address config */
2710 DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2711 "implicitly requesting an address change");
2712 address = TRUE;
2713 }
2714 else
2715 {
2716 DBG1(DBG_IKE, "requesting address change using MOBIKE");
2717 }
2718 this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2719 return this->task_manager->initiate(this->task_manager);
2720 }
2721
2722 /* ... reauth if not */
2723 if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2724 { /* responder does not reauthenticate */
2725 set_condition(this, COND_STALE, TRUE);
2726 return SUCCESS;
2727 }
2728 DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2729 /* since our previous path is not valid anymore, try and find a new one */
2730 resolve_hosts(this);
2731 return reauth(this);
2732 }
2733
2734 METHOD(ike_sa_t, add_configuration_attribute, void,
2735 private_ike_sa_t *this, attribute_handler_t *handler,
2736 configuration_attribute_type_t type, chunk_t data)
2737 {
2738 attribute_entry_t entry = {
2739 .handler = handler,
2740 .type = type,
2741 .data = chunk_clone(data),
2742 };
2743 array_insert(this->attributes, ARRAY_TAIL, &entry);
2744 }
2745
2746 CALLBACK(filter_attribute, bool,
2747 void *null, enumerator_t *orig, va_list args)
2748 {
2749 attribute_entry_t *entry;
2750 configuration_attribute_type_t *type;
2751 chunk_t *data;
2752 bool *handled;
2753
2754 VA_ARGS_VGET(args, type, data, handled);
2755
2756 if (orig->enumerate(orig, &entry))
2757 {
2758 *type = entry->type;
2759 *data = entry->data;
2760 *handled = entry->handler != NULL;
2761 return TRUE;
2762 }
2763 return FALSE;
2764 }
2765
2766 METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2767 private_ike_sa_t *this)
2768 {
2769 return enumerator_create_filter(array_create_enumerator(this->attributes),
2770 filter_attribute, NULL, NULL);
2771 }
2772
2773 METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2774 private_ike_sa_t *this, task_queue_t queue)
2775 {
2776 return this->task_manager->create_task_enumerator(this->task_manager, queue);
2777 }
2778
2779 METHOD(ike_sa_t, remove_task, void,
2780 private_ike_sa_t *this, enumerator_t *enumerator)
2781 {
2782 return this->task_manager->remove_task(this->task_manager, enumerator);
2783 }
2784
2785 METHOD(ike_sa_t, flush_queue, void,
2786 private_ike_sa_t *this, task_queue_t queue)
2787 {
2788 this->task_manager->flush_queue(this->task_manager, queue);
2789 }
2790
2791 METHOD(ike_sa_t, queue_task, void,
2792 private_ike_sa_t *this, task_t *task)
2793 {
2794 this->task_manager->queue_task(this->task_manager, task);
2795 }
2796
2797 METHOD(ike_sa_t, queue_task_delayed, void,
2798 private_ike_sa_t *this, task_t *task, uint32_t delay)
2799 {
2800 this->task_manager->queue_task_delayed(this->task_manager, task, delay);
2801 }
2802
2803 /**
2804 * Migrate and queue child-creating tasks from another IKE_SA
2805 */
2806 static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
2807 task_queue_t queue)
2808 {
2809 enumerator_t *enumerator;
2810 task_t *task;
2811
2812 enumerator = other->create_task_enumerator(other, queue);
2813 while (enumerator->enumerate(enumerator, &task))
2814 {
2815 if (task->get_type(task) == TASK_CHILD_CREATE ||
2816 task->get_type(task) == TASK_QUICK_MODE)
2817 {
2818 other->remove_task(other, enumerator);
2819 task->migrate(task, &this->public);
2820 queue_task(this, task);
2821 }
2822 }
2823 enumerator->destroy(enumerator);
2824 }
2825
2826 METHOD(ike_sa_t, adopt_child_tasks, void,
2827 private_ike_sa_t *this, ike_sa_t *other)
2828 {
2829 migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
2830 migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
2831 }
2832
2833 METHOD(ike_sa_t, inherit_pre, void,
2834 private_ike_sa_t *this, ike_sa_t *other_public)
2835 {
2836 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2837
2838 /* apply config and hosts */
2839 set_peer_cfg(this, other->peer_cfg);
2840 set_my_host(this, other->my_host->clone(other->my_host));
2841 set_other_host(this, other->other_host->clone(other->other_host));
2842
2843 /* apply extensions and conditions with a few exceptions */
2844 this->extensions = other->extensions;
2845 this->conditions = other->conditions;
2846 this->conditions &= ~COND_STALE;
2847 this->conditions &= ~COND_REAUTHENTICATING;
2848 }
2849
2850 METHOD(ike_sa_t, inherit_post, void,
2851 private_ike_sa_t *this, ike_sa_t *other_public)
2852 {
2853 private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2854 child_sa_t *child_sa;
2855 enumerator_t *enumerator;
2856 attribute_entry_t entry;
2857 auth_cfg_t *cfg;
2858 host_t *vip;
2859
2860 /* apply hosts and ids */
2861 this->my_host->destroy(this->my_host);
2862 this->other_host->destroy(this->other_host);
2863 this->my_id->destroy(this->my_id);
2864 this->other_id->destroy(this->other_id);
2865 this->my_host = other->my_host->clone(other->my_host);
2866 this->other_host = other->other_host->clone(other->other_host);
2867 this->my_id = other->my_id->clone(other->my_id);
2868 this->other_id = other->other_id->clone(other->other_id);
2869 this->if_id_in = other->if_id_in;
2870 this->if_id_out = other->if_id_out;
2871
2872 /* apply assigned virtual IPs... */
2873 while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2874 {
2875 array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2876 }
2877 while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2878 {
2879 array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2880 }
2881
2882 /* MOBIKE additional addresses */
2883 while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2884 {
2885 array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2886 }
2887
2888 /* authentication information */
2889 enumerator = array_create_enumerator(other->my_auths);
2890 while (enumerator->enumerate(enumerator, &cfg))
2891 {
2892 array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2893 }
2894 enumerator->destroy(enumerator);
2895 enumerator = array_create_enumerator(other->other_auths);
2896 while (enumerator->enumerate(enumerator, &cfg))
2897 {
2898 array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2899 }
2900 enumerator->destroy(enumerator);
2901
2902 /* ... and configuration attributes */
2903 while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2904 {
2905 array_insert(this->attributes, ARRAY_TAIL, &entry);
2906 }
2907
2908 /* inherit all conditions */
2909 this->conditions = other->conditions;
2910 if (this->conditions & COND_NAT_HERE)
2911 {
2912 send_keepalive(this, FALSE);
2913 }
2914
2915 #ifdef ME
2916 if (other->is_mediation_server)
2917 {
2918 act_as_mediation_server(this);
2919 }
2920 else if (other->server_reflexive_host)
2921 {
2922 this->server_reflexive_host = other->server_reflexive_host->clone(
2923 other->server_reflexive_host);
2924 }
2925 #endif /* ME */
2926
2927 /* adopt all children */
2928 while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2929 {
2930 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2931 add_child_sa(this, child_sa);
2932 }
2933
2934 /* move pending tasks to the new IKE_SA */
2935 this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2936
2937 /* reauthentication timeout survives a rekeying */
2938 if (other->stats[STAT_REAUTH])
2939 {
2940 time_t reauth, delete, now = time_monotonic(NULL);
2941
2942 this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
2943 reauth = this->stats[STAT_REAUTH] - now;
2944 delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
2945 this->stats[STAT_DELETE] = this->stats[STAT_REAUTH] + delete;
2946 DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2947 "lifetime reduced to %ds", reauth, delete);
2948 lib->scheduler->schedule_job(lib->scheduler,
2949 (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2950 lib->scheduler->schedule_job(lib->scheduler,
2951 (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2952 }
2953 }
2954
2955 METHOD(ike_sa_t, destroy, void,
2956 private_ike_sa_t *this)
2957 {
2958 attribute_entry_t entry;
2959 child_sa_t *child_sa;
2960 host_t *vip;
2961
2962 charon->bus->set_sa(charon->bus, &this->public);
2963
2964 set_state(this, IKE_DESTROYING);
2965 if (this->task_manager)
2966 {
2967 this->task_manager->flush(this->task_manager);
2968 }
2969
2970 /* remove attributes first, as we pass the IKE_SA to the handler */
2971 charon->bus->handle_vips(charon->bus, &this->public, FALSE);
2972 while (array_remove(this->attributes, ARRAY_TAIL, &entry))
2973 {
2974 if (entry.handler)
2975 {
2976 charon->attributes->release(charon->attributes, entry.handler,
2977 &this->public, entry.type, entry.data);
2978 }
2979 free(entry.data.ptr);
2980 }
2981 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2982 * routes that the CHILD_SA tries to uninstall. */
2983 while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
2984 {
2985 charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2986 child_sa->destroy(child_sa);
2987 }
2988 while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
2989 {
2990 charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
2991 vip->destroy(vip);
2992 }
2993 if (array_count(this->other_vips))
2994 {
2995 charon->bus->assign_vips(charon->bus, &this->public, FALSE);
2996 }
2997 while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
2998 {
2999 if (this->peer_cfg)
3000 {
3001 linked_list_t *pools;
3002
3003 pools = linked_list_create_from_enumerator(
3004 this->peer_cfg->create_pool_enumerator(this->peer_cfg));
3005 charon->attributes->release_address(charon->attributes,
3006 pools, vip, &this->public);
3007 pools->destroy(pools);
3008 }
3009 vip->destroy(vip);
3010 }
3011
3012 /* unset SA after here to avoid usage by the listeners */
3013 charon->bus->set_sa(charon->bus, NULL);
3014
3015 array_destroy(this->child_sas);
3016 DESTROY_IF(this->task_manager);
3017 DESTROY_IF(this->keymat);
3018 array_destroy(this->attributes);
3019 array_destroy(this->my_vips);
3020 array_destroy(this->other_vips);
3021 array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
3022 #ifdef ME
3023 if (this->is_mediation_server)
3024 {
3025 charon->mediation_manager->remove(charon->mediation_manager,
3026 this->ike_sa_id);
3027 }
3028 DESTROY_IF(this->server_reflexive_host);
3029 chunk_free(&this->connect_id);
3030 #endif /* ME */
3031 free(this->nat_detection_dest.ptr);
3032
3033 DESTROY_IF(this->my_host);
3034 DESTROY_IF(this->other_host);
3035 DESTROY_IF(this->my_id);
3036 DESTROY_IF(this->other_id);
3037 DESTROY_IF(this->local_host);
3038 DESTROY_IF(this->remote_host);
3039 DESTROY_IF(this->redirected_from);
3040 array_destroy(this->redirected_at);
3041
3042 DESTROY_IF(this->ike_cfg);
3043 DESTROY_IF(this->peer_cfg);
3044 DESTROY_IF(this->proposal);
3045 this->my_auth->destroy(this->my_auth);
3046 this->other_auth->destroy(this->other_auth);
3047 array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
3048 array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
3049
3050 this->ike_sa_id->destroy(this->ike_sa_id);
3051 free(this);
3052 }
3053
3054 /*
3055 * Described in header.
3056 */
3057 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
3058 ike_version_t version)
3059 {
3060 private_ike_sa_t *this;
3061 static refcount_t unique_id = 0;
3062
3063 if (version == IKE_ANY)
3064 { /* prefer IKEv2 if protocol not specified */
3065 #ifdef USE_IKEV2
3066 version = IKEV2;
3067 #else
3068 version = IKEV1;
3069 #endif
3070 }
3071
3072 INIT(this,
3073 .public = {
3074 .get_version = _get_version,
3075 .get_state = _get_state,
3076 .set_state = _set_state,
3077 .get_name = _get_name,
3078 .get_statistic = _get_statistic,
3079 .set_statistic = _set_statistic,
3080 .process_message = _process_message,
3081 .initiate = _initiate,
3082 .retry_initiate = _retry_initiate,
3083 .get_ike_cfg = _get_ike_cfg,
3084 .set_ike_cfg = _set_ike_cfg,
3085 .get_peer_cfg = _get_peer_cfg,
3086 .set_peer_cfg = _set_peer_cfg,
3087 .get_auth_cfg = _get_auth_cfg,
3088 .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
3089 .verify_peer_certificate = _verify_peer_certificate,
3090 .add_auth_cfg = _add_auth_cfg,
3091 .get_proposal = _get_proposal,
3092 .set_proposal = _set_proposal,
3093 .get_id = _get_id,
3094 .get_my_host = _get_my_host,
3095 .set_my_host = _set_my_host,
3096 .get_other_host = _get_other_host,
3097 .set_other_host = _set_other_host,
3098 .set_message_id = _set_message_id,
3099 .get_message_id = _get_message_id,
3100 .float_ports = _float_ports,
3101 .update_hosts = _update_hosts,
3102 .get_my_id = _get_my_id,
3103 .set_my_id = _set_my_id,
3104 .get_other_id = _get_other_id,
3105 .set_other_id = _set_other_id,
3106 .get_other_eap_id = _get_other_eap_id,
3107 .enable_extension = _enable_extension,
3108 .supports_extension = _supports_extension,
3109 .set_condition = _set_condition,
3110 .has_condition = _has_condition,
3111 .create_peer_address_enumerator = _create_peer_address_enumerator,
3112 .add_peer_address = _add_peer_address,
3113 .clear_peer_addresses = _clear_peer_addresses,
3114 .has_mapping_changed = _has_mapping_changed,
3115 .retransmit = _retransmit,
3116 .delete = _delete_,
3117 .destroy = _destroy,
3118 .send_dpd = _send_dpd,
3119 .send_keepalive = _send_keepalive,
3120 .redirect = _redirect,
3121 .handle_redirect = _handle_redirect,
3122 .get_redirected_from = _get_redirected_from,
3123 .get_keymat = _get_keymat,
3124 .add_child_sa = _add_child_sa,
3125 .get_child_sa = _get_child_sa,
3126 .get_child_count = _get_child_count,
3127 .create_child_sa_enumerator = _create_child_sa_enumerator,
3128 .remove_child_sa = _remove_child_sa,
3129 .rekey_child_sa = _rekey_child_sa,
3130 .delete_child_sa = _delete_child_sa,
3131 .destroy_child_sa = _destroy_child_sa,
3132 .rekey = _rekey,
3133 .reauth = _reauth,
3134 .reestablish = _reestablish,
3135 .set_auth_lifetime = _set_auth_lifetime,
3136 .roam = _roam,
3137 .inherit_pre = _inherit_pre,
3138 .inherit_post = _inherit_post,
3139 .generate_message = _generate_message,
3140 .generate_message_fragmented = _generate_message_fragmented,
3141 .reset = _reset,
3142 .get_unique_id = _get_unique_id,
3143 .add_virtual_ip = _add_virtual_ip,
3144 .clear_virtual_ips = _clear_virtual_ips,
3145 .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
3146 .add_configuration_attribute = _add_configuration_attribute,
3147 .create_attribute_enumerator = _create_attribute_enumerator,
3148 .get_if_id = _get_if_id,
3149 .set_kmaddress = _set_kmaddress,
3150 .create_task_enumerator = _create_task_enumerator,
3151 .remove_task = _remove_task,
3152 .flush_queue = _flush_queue,
3153 .queue_task = _queue_task,
3154 .queue_task_delayed = _queue_task_delayed,
3155 .adopt_child_tasks = _adopt_child_tasks,
3156 #ifdef ME
3157 .act_as_mediation_server = _act_as_mediation_server,
3158 .get_server_reflexive_host = _get_server_reflexive_host,
3159 .set_server_reflexive_host = _set_server_reflexive_host,
3160 .get_connect_id = _get_connect_id,
3161 .initiate_mediation = _initiate_mediation,
3162 .initiate_mediated = _initiate_mediated,
3163 .relay = _relay,
3164 .callback = _callback,
3165 .respond = _respond,
3166 #endif /* ME */
3167 },
3168 .ike_sa_id = ike_sa_id->clone(ike_sa_id),
3169 .version = version,
3170 .my_host = host_create_any(AF_INET),
3171 .other_host = host_create_any(AF_INET),
3172 .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3173 .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3174 .keymat = keymat_create(version, initiator),
3175 .state = IKE_CREATED,
3176 .stats[STAT_INBOUND] = time_monotonic(NULL),
3177 .stats[STAT_OUTBOUND] = time_monotonic(NULL),
3178 .my_auth = auth_cfg_create(),
3179 .other_auth = auth_cfg_create(),
3180 .my_auths = array_create(0, 0),
3181 .other_auths = array_create(0, 0),
3182 .attributes = array_create(sizeof(attribute_entry_t), 0),
3183 .unique_id = ref_get(&unique_id),
3184 .keepalive_interval = lib->settings->get_time(lib->settings,
3185 "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
3186 .retry_initiate_interval = lib->settings->get_time(lib->settings,
3187 "%s.retry_initiate_interval", 0, lib->ns),
3188 .flush_auth_cfg = lib->settings->get_bool(lib->settings,
3189 "%s.flush_auth_cfg", FALSE, lib->ns),
3190 .fragment_size = lib->settings->get_int(lib->settings,
3191 "%s.fragment_size", 1280, lib->ns),
3192 .follow_redirects = lib->settings->get_bool(lib->settings,
3193 "%s.follow_redirects", TRUE, lib->ns),
3194 );
3195
3196 if (version == IKEV2)
3197 { /* always supported with IKEv2 */
3198 enable_extension(this, EXT_DPD);
3199 }
3200
3201 this->task_manager = task_manager_create(&this->public);
3202 this->my_host->set_port(this->my_host,
3203 charon->socket->get_port(charon->socket, FALSE));
3204
3205 if (!this->task_manager || !this->keymat)
3206 {
3207 DBG1(DBG_IKE, "IKE version %d not supported", this->version);
3208 destroy(this);
3209 return NULL;
3210 }
3211 return &this->public;
3212 }
Unnamed repository; edit this file 'description' to name the repository.