2 * Copyright (C) 2006-2019 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * Copyright (c) 2014 Volker RĂ¼melin
22 * Permission is hereby granted, free of charge, to any person obtaining a copy
23 * of this software and associated documentation files (the "Software"), to deal
24 * in the Software without restriction, including without limitation the rights
25 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26 * copies of the Software, and to permit persons to whom the Software is
27 * furnished to do so, subject to the following conditions:
29 * The above copyright notice and this permission notice shall be included in
30 * all copies or substantial portions of the Software.
32 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
50 #include <collections/array.h>
51 #include <utils/lexparser.h>
52 #include <processing/jobs/retransmit_job.h>
53 #include <processing/jobs/delete_ike_sa_job.h>
54 #include <processing/jobs/send_dpd_job.h>
55 #include <processing/jobs/send_keepalive_job.h>
56 #include <processing/jobs/rekey_ike_sa_job.h>
57 #include <processing/jobs/retry_initiate_job.h>
58 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59 #include <sa/ikev2/tasks/ike_reauth_complete.h>
60 #include <sa/ikev2/tasks/ike_redirect.h>
61 #include <credentials/sets/auth_cfg_wrapper.h>
64 #include <sa/ikev2/tasks/ike_me.h>
65 #include <processing/jobs/initiate_mediation_job.h>
68 ENUM(ike_sa_state_names
, IKE_CREATED
, IKE_DESTROYING
,
79 typedef struct private_ike_sa_t private_ike_sa_t
;
80 typedef struct attribute_entry_t attribute_entry_t
;
83 * Private data of an ike_sa_t object.
85 struct private_ike_sa_t
{
93 * Identifier for the current IKE_SA.
95 ike_sa_id_t
*ike_sa_id
;
98 * IKE version of this SA.
100 ike_version_t version
;
103 * unique numerical ID for this IKE_SA.
108 * Current state of the IKE_SA
110 ike_sa_state_t state
;
113 * IKE configuration used to set up this IKE_SA
118 * Peer and authentication information to establish IKE_SA.
120 peer_cfg_t
*peer_cfg
;
123 * currently used authentication ruleset, local
128 * currently used authentication constraints, remote
130 auth_cfg_t
*other_auth
;
133 * Array of completed local authentication rounds (as auth_cfg_t)
138 * Array of completed remote authentication rounds (as auth_cfg_t)
140 array_t
*other_auths
;
143 * Selected IKE proposal
145 proposal_t
*proposal
;
148 * Juggles tasks to process messages
150 task_manager_t
*task_manager
;
153 * Address of local host
158 * Address of remote host
164 * Are we mediation server
166 bool is_mediation_server
;
169 * Server reflexive host
171 host_t
*server_reflexive_host
;
180 * Identification used for us
182 identification_t
*my_id
;
185 * Identification used for other
187 identification_t
*other_id
;
190 * set of extensions the peer supports
192 ike_extension_t extensions
;
195 * set of condition flags currently enabled for this IKE_SA
197 ike_condition_t conditions
;
200 * Array containing the child sa's of the current IKE_SA.
205 * keymat of this IKE_SA
210 * Virtual IPs on local host
215 * Virtual IPs on remote host
220 * List of configuration attributes (attribute_entry_t)
225 * list of peer's addresses, additional ones transmitted via MOBIKE
227 array_t
*peer_addresses
;
230 * previously value of received DESTINATION_IP hash
232 chunk_t nat_detection_dest
;
235 * NAT keep alive interval
237 uint32_t keepalive_interval
;
240 * The schedueld keep alive job, if any
242 send_keepalive_job_t
*keepalive_job
;
245 * interval for retries during initiation (e.g. if DNS resolution failed),
246 * 0 to disable (default)
248 uint32_t retry_initiate_interval
;
251 * TRUE if a retry_initiate_job has been queued
253 bool retry_initiate_queued
;
256 * Timestamps for this IKE_SA
258 uint32_t stats
[STAT_MAX
];
261 * how many times we have retried so far (keyingtries)
266 * local host address to be used for IKE, set via MIGRATE kernel message
271 * remote host address to be used for IKE, set via MIGRATE kernel message
276 * Flush auth configs once established?
281 * Maximum length of a single fragment, 0 for address-specific defaults
283 size_t fragment_size
;
286 * Whether to follow IKEv2 redirects
288 bool follow_redirects
;
291 * Original gateway address from which we got redirected
293 host_t
*redirected_from
;
296 * Timestamps of redirect attempts to handle loops
298 array_t
*redirected_at
;
301 * Inbound interface ID
306 * Outbound interface ID
312 * Entry to maintain install configuration attributes during IKE_SA lifetime
314 struct attribute_entry_t
{
315 /** handler used to install this attribute */
316 attribute_handler_t
*handler
;
317 /** attribute type */
318 configuration_attribute_type_t type
;
319 /** attribute data */
324 * get the time of the latest traffic processed by the kernel
326 static time_t get_use_time(private_ike_sa_t
* this, bool inbound
)
328 enumerator_t
*enumerator
;
329 child_sa_t
*child_sa
;
330 time_t use_time
, current
;
334 use_time
= this->stats
[STAT_INBOUND
];
338 use_time
= this->stats
[STAT_OUTBOUND
];
341 enumerator
= array_create_enumerator(this->child_sas
);
342 while (enumerator
->enumerate(enumerator
, &child_sa
))
344 child_sa
->get_usestats(child_sa
, inbound
, ¤t
, NULL
, NULL
);
345 use_time
= max(use_time
, current
);
347 enumerator
->destroy(enumerator
);
352 METHOD(ike_sa_t
, get_unique_id
, uint32_t,
353 private_ike_sa_t
*this)
355 return this->unique_id
;
358 METHOD(ike_sa_t
, get_name
, char*,
359 private_ike_sa_t
*this)
363 return this->peer_cfg
->get_name(this->peer_cfg
);
368 METHOD(ike_sa_t
, get_statistic
, uint32_t,
369 private_ike_sa_t
*this, statistic_t kind
)
373 return this->stats
[kind
];
378 METHOD(ike_sa_t
, set_statistic
, void,
379 private_ike_sa_t
*this, statistic_t kind
, uint32_t value
)
383 this->stats
[kind
] = value
;
387 METHOD(ike_sa_t
, get_my_host
, host_t
*,
388 private_ike_sa_t
*this)
390 return this->my_host
;
393 METHOD(ike_sa_t
, set_my_host
, void,
394 private_ike_sa_t
*this, host_t
*me
)
396 DESTROY_IF(this->my_host
);
400 METHOD(ike_sa_t
, get_other_host
, host_t
*,
401 private_ike_sa_t
*this)
403 return this->other_host
;
406 METHOD(ike_sa_t
, set_other_host
, void,
407 private_ike_sa_t
*this, host_t
*other
)
409 DESTROY_IF(this->other_host
);
410 this->other_host
= other
;
413 METHOD(ike_sa_t
, get_redirected_from
, host_t
*,
414 private_ike_sa_t
*this)
416 return this->redirected_from
;
419 METHOD(ike_sa_t
, get_peer_cfg
, peer_cfg_t
*,
420 private_ike_sa_t
*this)
422 return this->peer_cfg
;
425 METHOD(ike_sa_t
, set_peer_cfg
, void,
426 private_ike_sa_t
*this, peer_cfg_t
*peer_cfg
)
428 peer_cfg
->get_ref(peer_cfg
);
429 DESTROY_IF(this->peer_cfg
);
430 this->peer_cfg
= peer_cfg
;
434 this->ike_cfg
= peer_cfg
->get_ike_cfg(peer_cfg
);
435 this->ike_cfg
->get_ref(this->ike_cfg
);
438 this->if_id_in
= peer_cfg
->get_if_id(peer_cfg
, TRUE
);
439 this->if_id_out
= peer_cfg
->get_if_id(peer_cfg
, FALSE
);
440 allocate_unique_if_ids(&this->if_id_in
, &this->if_id_out
);
443 METHOD(ike_sa_t
, get_auth_cfg
, auth_cfg_t
*,
444 private_ike_sa_t
*this, bool local
)
448 return this->my_auth
;
450 return this->other_auth
;
453 METHOD(ike_sa_t
, add_auth_cfg
, void,
454 private_ike_sa_t
*this, bool local
, auth_cfg_t
*cfg
)
458 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
);
462 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
);
466 METHOD(ike_sa_t
, create_auth_cfg_enumerator
, enumerator_t
*,
467 private_ike_sa_t
*this, bool local
)
471 return array_create_enumerator(this->my_auths
);
473 return array_create_enumerator(this->other_auths
);
477 * Flush the stored authentication round information
479 static void flush_auth_cfgs(private_ike_sa_t
*this)
483 this->my_auth
->purge(this->my_auth
, FALSE
);
484 this->other_auth
->purge(this->other_auth
, FALSE
);
486 while (array_remove(this->my_auths
, ARRAY_TAIL
, &cfg
))
490 while (array_remove(this->other_auths
, ARRAY_TAIL
, &cfg
))
496 METHOD(ike_sa_t
, verify_peer_certificate
, bool,
497 private_ike_sa_t
*this)
499 enumerator_t
*e1
, *e2
, *certs
;
500 auth_cfg_t
*cfg
, *cfg_done
;
501 certificate_t
*peer
, *cert
;
504 auth_cfg_wrapper_t
*wrapper
;
505 time_t not_before
, not_after
;
506 bool valid
= TRUE
, found
;
508 if (this->state
!= IKE_ESTABLISHED
)
510 DBG1(DBG_IKE
, "unable to verify peer certificate in state %N",
511 ike_sa_state_names
, this->state
);
515 if (!this->flush_auth_cfg
&&
516 lib
->settings
->get_bool(lib
->settings
,
517 "%s.flush_auth_cfg", FALSE
, lib
->ns
))
518 { /* we can do this check only once if auth configs are flushed */
519 DBG1(DBG_IKE
, "unable to verify peer certificate as authentication "
520 "information has been flushed");
523 this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED
,
526 e1
= this->peer_cfg
->create_auth_cfg_enumerator(this->peer_cfg
, FALSE
);
527 e2
= array_create_enumerator(this->other_auths
);
528 while (e1
->enumerate(e1
, &cfg
))
530 if (!e2
->enumerate(e2
, &cfg_done
))
531 { /* this should not happen as the authentication should never have
536 if ((uintptr_t)cfg_done
->get(cfg_done
,
537 AUTH_RULE_AUTH_CLASS
) != AUTH_CLASS_PUBKEY
)
541 peer
= cfg_done
->get(cfg_done
, AUTH_RULE_SUBJECT_CERT
);
544 DBG1(DBG_IKE
, "no subject certificate found, skipping certificate "
548 if (!peer
->get_validity(peer
, NULL
, ¬_before
, ¬_after
))
550 DBG1(DBG_IKE
, "peer certificate invalid (valid from %T to %T)",
551 ¬_before
, FALSE
, ¬_after
, FALSE
);
555 key
= peer
->get_public_key(peer
);
558 DBG1(DBG_IKE
, "unable to retrieve public key, skipping certificate "
562 DBG1(DBG_IKE
, "verifying peer certificate");
563 /* serve received certificates */
564 wrapper
= auth_cfg_wrapper_create(cfg_done
);
565 lib
->credmgr
->add_local_set(lib
->credmgr
, &wrapper
->set
, FALSE
);
566 certs
= lib
->credmgr
->create_trusted_enumerator(lib
->credmgr
,
567 key
->get_type(key
), peer
->get_subject(peer
), TRUE
);
571 while (certs
->enumerate(certs
, &cert
, &auth
))
573 if (peer
->equals(peer
, cert
))
575 cfg_done
->add(cfg_done
, AUTH_RULE_CERT_VALIDATION_SUSPENDED
,
577 cfg_done
->merge(cfg_done
, auth
, FALSE
);
578 valid
= cfg_done
->complies(cfg_done
, cfg
, TRUE
);
583 certs
->destroy(certs
);
584 lib
->credmgr
->remove_local_set(lib
->credmgr
, &wrapper
->set
);
585 wrapper
->destroy(wrapper
);
586 if (!found
|| !valid
)
595 if (this->flush_auth_cfg
)
597 this->flush_auth_cfg
= FALSE
;
598 flush_auth_cfgs(this);
603 METHOD(ike_sa_t
, get_proposal
, proposal_t
*,
604 private_ike_sa_t
*this)
606 return this->proposal
;
609 METHOD(ike_sa_t
, set_proposal
, void,
610 private_ike_sa_t
*this, proposal_t
*proposal
)
612 DESTROY_IF(this->proposal
);
613 this->proposal
= proposal
->clone(proposal
);
616 METHOD(ike_sa_t
, set_message_id
, void,
617 private_ike_sa_t
*this, bool initiate
, uint32_t mid
)
621 this->task_manager
->reset(this->task_manager
, mid
, UINT_MAX
);
625 this->task_manager
->reset(this->task_manager
, UINT_MAX
, mid
);
629 METHOD(ike_sa_t
, get_message_id
, uint32_t,
630 private_ike_sa_t
*this, bool initiate
)
632 return this->task_manager
->get_mid(this->task_manager
, initiate
);
635 METHOD(ike_sa_t
, send_keepalive
, void,
636 private_ike_sa_t
*this, bool scheduled
)
638 time_t last_out
, now
, diff
;
642 this->keepalive_job
= NULL
;
644 if (!this->keepalive_interval
|| this->state
== IKE_PASSIVE
)
645 { /* keepalives disabled either by configuration or for passive IKE_SAs */
648 if (!(this->conditions
& COND_NAT_HERE
) || (this->conditions
& COND_STALE
))
649 { /* disable keepalives if we are not NATed anymore, or the SA is stale */
653 last_out
= get_use_time(this, FALSE
);
654 now
= time_monotonic(NULL
);
656 diff
= now
- last_out
;
658 if (diff
>= this->keepalive_interval
)
663 packet
= packet_create();
664 packet
->set_source(packet
, this->my_host
->clone(this->my_host
));
665 packet
->set_destination(packet
, this->other_host
->clone(this->other_host
));
666 data
.ptr
= malloc(1);
669 packet
->set_data(packet
, data
);
670 DBG1(DBG_IKE
, "sending keep alive to %#H", this->other_host
);
671 charon
->sender
->send_no_marker(charon
->sender
, packet
);
674 if (!this->keepalive_job
)
676 this->keepalive_job
= send_keepalive_job_create(this->ike_sa_id
);
677 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)this->keepalive_job
,
678 this->keepalive_interval
- diff
);
682 METHOD(ike_sa_t
, get_ike_cfg
, ike_cfg_t
*,
683 private_ike_sa_t
*this)
685 return this->ike_cfg
;
688 METHOD(ike_sa_t
, set_ike_cfg
, void,
689 private_ike_sa_t
*this, ike_cfg_t
*ike_cfg
)
691 DESTROY_IF(this->ike_cfg
);
692 ike_cfg
->get_ref(ike_cfg
);
693 this->ike_cfg
= ike_cfg
;
696 METHOD(ike_sa_t
, enable_extension
, void,
697 private_ike_sa_t
*this, ike_extension_t extension
)
699 this->extensions
|= extension
;
702 METHOD(ike_sa_t
, supports_extension
, bool,
703 private_ike_sa_t
*this, ike_extension_t extension
)
705 return (this->extensions
& extension
) != FALSE
;
708 METHOD(ike_sa_t
, has_condition
, bool,
709 private_ike_sa_t
*this, ike_condition_t condition
)
711 return (this->conditions
& condition
) != FALSE
;
714 METHOD(ike_sa_t
, set_condition
, void,
715 private_ike_sa_t
*this, ike_condition_t condition
, bool enable
)
717 if (has_condition(this, condition
) != enable
)
721 this->conditions
|= condition
;
725 DBG1(DBG_IKE
, "local host is behind NAT, sending keep alives");
726 this->conditions
|= COND_NAT_ANY
;
727 send_keepalive(this, FALSE
);
730 DBG1(DBG_IKE
, "remote host is behind NAT");
731 this->conditions
|= COND_NAT_ANY
;
734 DBG1(DBG_IKE
, "faking NAT situation to enforce UDP encapsulation");
735 this->conditions
|= COND_NAT_ANY
;
743 this->conditions
&= ~condition
;
748 DBG1(DBG_IKE
, "%s host is not behind NAT anymore",
749 condition
== COND_NAT_HERE
? "local" : "remote");
752 set_condition(this, COND_NAT_ANY
,
753 has_condition(this, COND_NAT_HERE
) ||
754 has_condition(this, COND_NAT_THERE
) ||
755 has_condition(this, COND_NAT_FAKE
));
758 send_keepalive(this, FALSE
);
767 METHOD(ike_sa_t
, send_dpd
, status_t
,
768 private_ike_sa_t
*this)
772 bool task_queued
= FALSE
;
774 if (this->state
== IKE_PASSIVE
)
776 return INVALID_STATE
;
778 if (this->version
== IKEV1
&& this->state
== IKE_REKEYING
)
779 { /* don't send DPDs for rekeyed IKEv1 SAs */
782 delay
= this->peer_cfg
->get_dpd(this->peer_cfg
);
783 if (this->task_manager
->busy(this->task_manager
))
785 /* an exchange is in the air, no need to start a DPD check */
790 /* check if there was any inbound traffic */
792 last_in
= get_use_time(this, TRUE
);
793 now
= time_monotonic(NULL
);
794 diff
= now
- last_in
;
795 if (!delay
|| diff
>= delay
)
797 /* too long ago, initiate dead peer detection */
798 DBG1(DBG_IKE
, "sending DPD request");
799 this->task_manager
->queue_dpd(this->task_manager
);
804 /* recheck in "interval" seconds */
807 job
= (job_t
*)send_dpd_job_create(this->ike_sa_id
);
808 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, delay
- diff
);
812 return this->task_manager
->initiate(this->task_manager
);
817 METHOD(ike_sa_t
, get_state
, ike_sa_state_t
,
818 private_ike_sa_t
*this)
823 METHOD(ike_sa_t
, set_state
, void,
824 private_ike_sa_t
*this, ike_sa_state_t state
)
826 bool trigger_dpd
= FALSE
, keepalives
= FALSE
;
828 DBG2(DBG_IKE
, "IKE_SA %s[%d] state change: %N => %N",
829 get_name(this), this->unique_id
,
830 ike_sa_state_names
, this->state
,
831 ike_sa_state_names
, state
);
835 case IKE_ESTABLISHED
:
837 if (this->state
== IKE_CONNECTING
||
838 this->state
== IKE_PASSIVE
)
843 /* calculate rekey, reauth and lifetime */
844 this->stats
[STAT_ESTABLISHED
] = time_monotonic(NULL
);
846 /* schedule rekeying if we have a time which is smaller than
847 * an already scheduled rekeying */
848 t
= this->peer_cfg
->get_rekey_time(this->peer_cfg
, TRUE
);
849 if (t
&& (this->stats
[STAT_REKEY
] == 0 ||
850 (this->stats
[STAT_REKEY
] > t
+ this->stats
[STAT_ESTABLISHED
])))
852 this->stats
[STAT_REKEY
] = t
+ this->stats
[STAT_ESTABLISHED
];
853 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, FALSE
);
854 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
855 DBG1(DBG_IKE
, "scheduling rekeying in %ds", t
);
857 t
= this->peer_cfg
->get_reauth_time(this->peer_cfg
, TRUE
);
858 if (t
&& (this->stats
[STAT_REAUTH
] == 0 ||
859 (this->stats
[STAT_REAUTH
] > t
+ this->stats
[STAT_ESTABLISHED
])))
861 this->stats
[STAT_REAUTH
] = t
+ this->stats
[STAT_ESTABLISHED
];
862 job
= (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
);
863 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
864 DBG1(DBG_IKE
, "scheduling reauthentication in %ds", t
);
866 t
= this->peer_cfg
->get_over_time(this->peer_cfg
);
867 if (this->stats
[STAT_REKEY
] || this->stats
[STAT_REAUTH
])
869 if (this->stats
[STAT_REAUTH
] == 0)
871 this->stats
[STAT_DELETE
] = this->stats
[STAT_REKEY
];
873 else if (this->stats
[STAT_REKEY
] == 0)
875 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
];
879 this->stats
[STAT_DELETE
] = min(this->stats
[STAT_REKEY
],
880 this->stats
[STAT_REAUTH
]);
882 this->stats
[STAT_DELETE
] += t
;
883 t
= this->stats
[STAT_DELETE
] - this->stats
[STAT_ESTABLISHED
];
884 job
= (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
);
885 lib
->scheduler
->schedule_job(lib
->scheduler
, job
, t
);
886 DBG1(DBG_IKE
, "maximum IKE_SA lifetime %ds", t
);
888 trigger_dpd
= this->peer_cfg
->get_dpd(this->peer_cfg
);
891 /* Some peers delay the DELETE after rekeying an IKE_SA.
892 * If this delay is longer than our DPD delay, we would
893 * send a DPD request here. The IKE_SA is not ready to do
894 * so yet, so prevent that. */
895 this->stats
[STAT_INBOUND
] = this->stats
[STAT_ESTABLISHED
];
897 if (this->state
== IKE_PASSIVE
)
901 DESTROY_IF(this->redirected_from
);
902 this->redirected_from
= NULL
;
909 charon
->bus
->ike_state_change(charon
->bus
, &this->public, state
);
914 if (supports_extension(this, EXT_DPD
))
920 DBG1(DBG_IKE
, "DPD not supported by peer, disabled");
925 send_keepalive(this, FALSE
);
929 METHOD(ike_sa_t
, reset
, void,
930 private_ike_sa_t
*this, bool new_spi
)
932 /* reset the initiator SPI if requested */
935 charon
->ike_sa_manager
->new_initiator_spi(charon
->ike_sa_manager
,
938 /* the responder ID is reset, as peer may choose another one */
939 if (this->ike_sa_id
->is_initiator(this->ike_sa_id
))
941 this->ike_sa_id
->set_responder_spi(this->ike_sa_id
, 0);
944 set_state(this, IKE_CREATED
);
946 flush_auth_cfgs(this);
948 this->keymat
->destroy(this->keymat
);
949 this->keymat
= keymat_create(this->version
,
950 this->ike_sa_id
->is_initiator(this->ike_sa_id
));
952 this->task_manager
->reset(this->task_manager
, 0, 0);
953 this->task_manager
->queue_ike(this->task_manager
);
956 METHOD(ike_sa_t
, get_keymat
, keymat_t
*,
957 private_ike_sa_t
*this)
962 METHOD(ike_sa_t
, add_virtual_ip
, void,
963 private_ike_sa_t
*this, bool local
, host_t
*ip
)
969 if (charon
->kernel
->get_interface(charon
->kernel
, this->my_host
,
972 DBG1(DBG_IKE
, "installing new virtual IP %H", ip
);
973 if (charon
->kernel
->add_ip(charon
->kernel
, ip
, -1,
976 array_insert_create(&this->my_vips
, ARRAY_TAIL
, ip
->clone(ip
));
980 DBG1(DBG_IKE
, "installing virtual IP %H failed", ip
);
986 DBG1(DBG_IKE
, "looking up interface for virtual IP %H failed", ip
);
991 array_insert_create(&this->other_vips
, ARRAY_TAIL
, ip
->clone(ip
));
996 METHOD(ike_sa_t
, clear_virtual_ips
, void,
997 private_ike_sa_t
*this, bool local
)
1002 vips
= local
? this->my_vips
: this->other_vips
;
1003 if (!local
&& array_count(vips
))
1005 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
1007 while (array_remove(vips
, ARRAY_HEAD
, &vip
))
1011 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
1017 METHOD(ike_sa_t
, create_virtual_ip_enumerator
, enumerator_t
*,
1018 private_ike_sa_t
*this, bool local
)
1022 return array_create_enumerator(this->my_vips
);
1024 return array_create_enumerator(this->other_vips
);
1027 METHOD(ike_sa_t
, add_peer_address
, void,
1028 private_ike_sa_t
*this, host_t
*host
)
1030 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, host
);
1033 METHOD(ike_sa_t
, create_peer_address_enumerator
, enumerator_t
*,
1034 private_ike_sa_t
*this)
1036 if (this->peer_addresses
)
1038 return array_create_enumerator(this->peer_addresses
);
1040 /* in case we don't have MOBIKE */
1041 return enumerator_create_single(this->other_host
, NULL
);
1044 METHOD(ike_sa_t
, clear_peer_addresses
, void,
1045 private_ike_sa_t
*this)
1047 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
1048 this->peer_addresses
= NULL
;
1051 METHOD(ike_sa_t
, has_mapping_changed
, bool,
1052 private_ike_sa_t
*this, chunk_t hash
)
1054 if (this->nat_detection_dest
.ptr
== NULL
)
1056 this->nat_detection_dest
= chunk_clone(hash
);
1059 if (chunk_equals(hash
, this->nat_detection_dest
))
1063 free(this->nat_detection_dest
.ptr
);
1064 this->nat_detection_dest
= chunk_clone(hash
);
1068 METHOD(ike_sa_t
, float_ports
, void,
1069 private_ike_sa_t
*this)
1071 /* even if the remote port is not 500 (e.g. because the response was natted)
1072 * we switch the remote port if we used port 500 */
1073 if (this->other_host
->get_port(this->other_host
) == IKEV2_UDP_PORT
||
1074 this->my_host
->get_port(this->my_host
) == IKEV2_UDP_PORT
)
1076 this->other_host
->set_port(this->other_host
, IKEV2_NATT_PORT
);
1078 if (this->my_host
->get_port(this->my_host
) ==
1079 charon
->socket
->get_port(charon
->socket
, FALSE
))
1081 this->my_host
->set_port(this->my_host
,
1082 charon
->socket
->get_port(charon
->socket
, TRUE
));
1086 METHOD(ike_sa_t
, update_hosts
, void,
1087 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, bool force
)
1089 bool update
= FALSE
;
1097 other
= this->other_host
;
1100 /* apply hosts on first received message */
1101 if (this->my_host
->is_anyaddr(this->my_host
) ||
1102 this->other_host
->is_anyaddr(this->other_host
))
1104 set_my_host(this, me
->clone(me
));
1105 set_other_host(this, other
->clone(other
));
1110 /* update our address in any case */
1111 if (force
&& !me
->equals(me
, this->my_host
))
1113 charon
->bus
->ike_update(charon
->bus
, &this->public, TRUE
, me
);
1114 set_my_host(this, me
->clone(me
));
1118 if (!other
->equals(other
, this->other_host
) &&
1119 (force
|| has_condition(this, COND_NAT_THERE
)))
1121 /* only update other's address if we are behind a static NAT,
1122 * which we assume is the case if we are not initiator */
1124 (!has_condition(this, COND_NAT_HERE
) ||
1125 !has_condition(this, COND_ORIGINAL_INITIATOR
)))
1127 charon
->bus
->ike_update(charon
->bus
, &this->public, FALSE
, other
);
1128 set_other_host(this, other
->clone(other
));
1134 /* update all associated CHILD_SAs, if required */
1137 enumerator_t
*enumerator
;
1138 child_sa_t
*child_sa
;
1139 linked_list_t
*vips
;
1141 vips
= linked_list_create_from_enumerator(
1142 array_create_enumerator(this->my_vips
));
1144 enumerator
= array_create_enumerator(this->child_sas
);
1145 while (enumerator
->enumerate(enumerator
, &child_sa
))
1147 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
1148 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1149 child_sa
, &this->public);
1151 if (child_sa
->update(child_sa
, this->my_host
, this->other_host
,
1152 vips
, has_condition(this, COND_NAT_ANY
)) == NOT_SUPPORTED
)
1154 this->public.rekey_child_sa(&this->public,
1155 child_sa
->get_protocol(child_sa
),
1156 child_sa
->get_spi(child_sa
, TRUE
));
1160 enumerator
->destroy(enumerator
);
1162 vips
->destroy(vips
);
1167 * Set configured DSCP value on packet
1169 static void set_dscp(private_ike_sa_t
*this, packet_t
*packet
)
1173 /* prefer IKE config on peer_cfg, as its selection is more accurate
1174 * then the initial IKE config */
1177 ike_cfg
= this->peer_cfg
->get_ike_cfg(this->peer_cfg
);
1181 ike_cfg
= this->ike_cfg
;
1185 packet
->set_dscp(packet
, ike_cfg
->get_dscp(ike_cfg
));
1189 METHOD(ike_sa_t
, generate_message
, status_t
,
1190 private_ike_sa_t
*this, message_t
*message
, packet_t
**packet
)
1194 if (message
->is_encoded(message
))
1195 { /* already encoded in task, but set DSCP value */
1196 *packet
= message
->get_packet(message
);
1197 set_dscp(this, *packet
);
1200 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1201 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1202 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1203 status
= message
->generate(message
, this->keymat
, packet
);
1204 if (status
== SUCCESS
)
1206 set_dscp(this, *packet
);
1207 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1212 CALLBACK(filter_fragments
, bool,
1213 private_ike_sa_t
*this, enumerator_t
*orig
, va_list args
)
1215 packet_t
*fragment
, **packet
;
1217 VA_ARGS_VGET(args
, packet
);
1219 if (orig
->enumerate(orig
, &fragment
))
1221 *packet
= fragment
->clone(fragment
);
1222 set_dscp(this, *packet
);
1228 METHOD(ike_sa_t
, generate_message_fragmented
, status_t
,
1229 private_ike_sa_t
*this, message_t
*message
, enumerator_t
**packets
)
1231 enumerator_t
*fragments
;
1234 bool use_frags
= FALSE
;
1235 bool pre_generated
= FALSE
;
1239 switch (this->ike_cfg
->fragmentation(this->ike_cfg
))
1241 case FRAGMENTATION_FORCE
:
1244 case FRAGMENTATION_YES
:
1245 use_frags
= supports_extension(this, EXT_IKE_FRAGMENTATION
);
1246 if (use_frags
&& this->version
== IKEV1
&&
1247 supports_extension(this, EXT_MS_WINDOWS
))
1249 /* It seems Windows 7 and 8 peers only accept proprietary
1250 * fragmented messages if they expect certificates. */
1251 use_frags
= message
->get_payload(message
,
1252 PLV1_CERTIFICATE
) != NULL
;
1261 status
= generate_message(this, message
, &packet
);
1262 if (status
!= SUCCESS
)
1266 *packets
= enumerator_create_single(packet
, NULL
);
1270 pre_generated
= message
->is_encoded(message
);
1271 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
1272 message
->set_ike_sa_id(message
, this->ike_sa_id
);
1275 charon
->bus
->message(charon
->bus
, message
, FALSE
, TRUE
);
1277 status
= message
->fragment(message
, this->keymat
, this->fragment_size
,
1279 if (status
== SUCCESS
)
1283 charon
->bus
->message(charon
->bus
, message
, FALSE
, FALSE
);
1285 *packets
= enumerator_create_filter(fragments
, filter_fragments
,
1291 METHOD(ike_sa_t
, set_kmaddress
, void,
1292 private_ike_sa_t
*this, host_t
*local
, host_t
*remote
)
1294 DESTROY_IF(this->local_host
);
1295 DESTROY_IF(this->remote_host
);
1296 this->local_host
= local
->clone(local
);
1297 this->remote_host
= remote
->clone(remote
);
1301 METHOD(ike_sa_t
, act_as_mediation_server
, void,
1302 private_ike_sa_t
*this)
1304 charon
->mediation_manager
->update_sa_id(charon
->mediation_manager
,
1305 this->other_id
, this->ike_sa_id
);
1306 this->is_mediation_server
= TRUE
;
1309 METHOD(ike_sa_t
, get_server_reflexive_host
, host_t
*,
1310 private_ike_sa_t
*this)
1312 return this->server_reflexive_host
;
1315 METHOD(ike_sa_t
, set_server_reflexive_host
, void,
1316 private_ike_sa_t
*this, host_t
*host
)
1318 DESTROY_IF(this->server_reflexive_host
);
1319 this->server_reflexive_host
= host
;
1322 METHOD(ike_sa_t
, get_connect_id
, chunk_t
,
1323 private_ike_sa_t
*this)
1325 return this->connect_id
;
1328 METHOD(ike_sa_t
, respond
, status_t
,
1329 private_ike_sa_t
*this, identification_t
*peer_id
, chunk_t connect_id
)
1331 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1332 task
->respond(task
, peer_id
, connect_id
);
1333 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1334 return this->task_manager
->initiate(this->task_manager
);
1337 METHOD(ike_sa_t
, callback
, status_t
,
1338 private_ike_sa_t
*this, identification_t
*peer_id
)
1340 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1341 task
->callback(task
, peer_id
);
1342 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1343 return this->task_manager
->initiate(this->task_manager
);
1346 METHOD(ike_sa_t
, relay
, status_t
,
1347 private_ike_sa_t
*this, identification_t
*requester
, chunk_t connect_id
,
1348 chunk_t connect_key
, linked_list_t
*endpoints
, bool response
)
1350 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1351 task
->relay(task
, requester
, connect_id
, connect_key
, endpoints
, response
);
1352 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1353 return this->task_manager
->initiate(this->task_manager
);
1356 METHOD(ike_sa_t
, initiate_mediation
, status_t
,
1357 private_ike_sa_t
*this, peer_cfg_t
*mediated_cfg
)
1359 ike_me_t
*task
= ike_me_create(&this->public, TRUE
);
1360 task
->connect(task
, mediated_cfg
->get_peer_id(mediated_cfg
));
1361 this->task_manager
->queue_task(this->task_manager
, (task_t
*)task
);
1362 return this->task_manager
->initiate(this->task_manager
);
1365 METHOD(ike_sa_t
, initiate_mediated
, status_t
,
1366 private_ike_sa_t
*this, host_t
*me
, host_t
*other
, chunk_t connect_id
)
1368 set_my_host(this, me
->clone(me
));
1369 set_other_host(this, other
->clone(other
));
1370 chunk_free(&this->connect_id
);
1371 this->connect_id
= chunk_clone(connect_id
);
1372 return this->task_manager
->initiate(this->task_manager
);
1377 * Resolve DNS host in configuration
1379 static void resolve_hosts(private_ike_sa_t
*this)
1382 int family
= AF_UNSPEC
;
1384 switch (charon
->socket
->supported_families(charon
->socket
))
1386 case SOCKET_FAMILY_IPV4
:
1389 case SOCKET_FAMILY_IPV6
:
1392 case SOCKET_FAMILY_BOTH
:
1393 case SOCKET_FAMILY_NONE
:
1397 /* if an IP address is set locally, use the same family to resolve remote */
1398 if (family
== AF_UNSPEC
&& !this->remote_host
)
1400 if (this->local_host
)
1402 family
= this->local_host
->get_family(this->local_host
);
1406 family
= ike_cfg_get_family(this->ike_cfg
, TRUE
);
1410 if (this->remote_host
)
1412 host
= this->remote_host
->clone(this->remote_host
);
1413 host
->set_port(host
, IKEV2_UDP_PORT
);
1417 host
= this->ike_cfg
->resolve_other(this->ike_cfg
, family
);
1421 if (!host
->is_anyaddr(host
) ||
1422 this->other_host
->is_anyaddr(this->other_host
))
1423 { /* don't set to %any if we currently have an address, but the
1424 * address family might have changed */
1425 set_other_host(this, host
);
1428 { /* reuse the original port as some implementations might not like
1429 * initial IKE messages on other ports */
1430 this->other_host
->set_port(this->other_host
, host
->get_port(host
));
1431 host
->destroy(host
);
1435 if (this->local_host
)
1437 host
= this->local_host
->clone(this->local_host
);
1438 host
->set_port(host
, charon
->socket
->get_port(charon
->socket
, FALSE
));
1442 /* use same address family as for other */
1443 if (!this->other_host
->is_anyaddr(this->other_host
))
1445 family
= this->other_host
->get_family(this->other_host
);
1447 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1449 if (host
&& host
->is_anyaddr(host
) &&
1450 !this->other_host
->is_anyaddr(this->other_host
))
1452 host
->destroy(host
);
1453 host
= charon
->kernel
->get_source_addr(charon
->kernel
,
1454 this->other_host
, NULL
);
1457 host
->set_port(host
, this->ike_cfg
->get_my_port(this->ike_cfg
));
1460 { /* fallback to address family specific %any(6), if configured */
1461 host
= this->ike_cfg
->resolve_me(this->ike_cfg
, family
);
1467 set_my_host(this, host
);
1471 METHOD(ike_sa_t
, initiate
, status_t
,
1472 private_ike_sa_t
*this, child_cfg_t
*child_cfg
, uint32_t reqid
,
1473 traffic_selector_t
*tsi
, traffic_selector_t
*tsr
)
1475 bool defer_initiate
= FALSE
;
1477 if (this->state
== IKE_CREATED
)
1479 if (this->my_host
->is_anyaddr(this->my_host
) ||
1480 this->other_host
->is_anyaddr(this->other_host
))
1482 resolve_hosts(this);
1485 if (this->other_host
->is_anyaddr(this->other_host
)
1487 && !this->peer_cfg
->get_mediated_by(this->peer_cfg
)
1493 addr
= this->ike_cfg
->get_other_addr(this->ike_cfg
);
1494 if (!this->retry_initiate_interval
)
1496 DBG1(DBG_IKE
, "unable to resolve %s, initiate aborted",
1498 DESTROY_IF(child_cfg
);
1499 charon
->bus
->alert(charon
->bus
, ALERT_PEER_ADDR_FAILED
);
1502 DBG1(DBG_IKE
, "unable to resolve %s, retrying in %ds",
1503 addr
, this->retry_initiate_interval
);
1504 defer_initiate
= TRUE
;
1507 set_condition(this, COND_ORIGINAL_INITIATOR
, TRUE
);
1508 this->task_manager
->queue_ike(this->task_manager
);
1512 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
1514 if (this->state
== IKE_ESTABLISHED
)
1516 /* mediation connection is already established, retrigger state
1517 * change to notify bus listeners */
1518 DBG1(DBG_IKE
, "mediation connection is already up");
1519 set_state(this, IKE_ESTABLISHED
);
1521 DESTROY_IF(child_cfg
);
1527 /* normal IKE_SA with CHILD_SA */
1528 this->task_manager
->queue_child(this->task_manager
, child_cfg
, reqid
,
1531 if (this->peer_cfg
->get_mediated_by(this->peer_cfg
))
1533 /* mediated connection, initiate mediation process */
1534 job_t
*job
= (job_t
*)initiate_mediation_job_create(this->ike_sa_id
);
1535 lib
->processor
->queue_job(lib
->processor
, job
);
1543 if (!this->retry_initiate_queued
)
1545 job_t
*job
= (job_t
*)retry_initiate_job_create(this->ike_sa_id
);
1546 lib
->scheduler
->schedule_job(lib
->scheduler
, (job_t
*)job
,
1547 this->retry_initiate_interval
);
1548 this->retry_initiate_queued
= TRUE
;
1552 this->retry_initiate_queued
= FALSE
;
1553 return this->task_manager
->initiate(this->task_manager
);
1556 METHOD(ike_sa_t
, retry_initiate
, status_t
,
1557 private_ike_sa_t
*this)
1559 if (this->retry_initiate_queued
)
1561 this->retry_initiate_queued
= FALSE
;
1562 return initiate(this, NULL
, 0, NULL
, NULL
);
1567 METHOD(ike_sa_t
, process_message
, status_t
,
1568 private_ike_sa_t
*this, message_t
*message
)
1572 if (this->state
== IKE_PASSIVE
)
1573 { /* do not handle messages in passive state */
1576 if (message
->get_major_version(message
) != this->version
)
1578 DBG1(DBG_IKE
, "ignoring %N IKEv%u exchange on %N SA",
1579 exchange_type_names
, message
->get_exchange_type(message
),
1580 message
->get_major_version(message
),
1581 ike_version_names
, this->version
);
1582 /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1583 * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1586 status
= this->task_manager
->process_message(this->task_manager
, message
);
1587 if (this->flush_auth_cfg
&& this->state
== IKE_ESTABLISHED
)
1589 /* authentication completed but if the online validation is suspended we
1590 * need the auth cfgs until we did the delayed verification, we flush
1591 * them afterwards */
1592 if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED
))
1594 this->flush_auth_cfg
= FALSE
;
1595 flush_auth_cfgs(this);
1601 METHOD(ike_sa_t
, get_id
, ike_sa_id_t
*,
1602 private_ike_sa_t
*this)
1604 return this->ike_sa_id
;
1607 METHOD(ike_sa_t
, get_version
, ike_version_t
,
1608 private_ike_sa_t
*this)
1610 return this->version
;
1613 METHOD(ike_sa_t
, get_my_id
, identification_t
*,
1614 private_ike_sa_t
*this)
1619 METHOD(ike_sa_t
, set_my_id
, void,
1620 private_ike_sa_t
*this, identification_t
*me
)
1622 DESTROY_IF(this->my_id
);
1626 METHOD(ike_sa_t
, get_other_id
, identification_t
*,
1627 private_ike_sa_t
*this)
1629 return this->other_id
;
1632 METHOD(ike_sa_t
, get_other_eap_id
, identification_t
*,
1633 private_ike_sa_t
*this)
1635 identification_t
*id
= NULL
, *current
;
1636 enumerator_t
*enumerator
;
1639 enumerator
= array_create_enumerator(this->other_auths
);
1640 while (enumerator
->enumerate(enumerator
, &cfg
))
1642 /* prefer EAP-Identity of last round */
1643 current
= cfg
->get(cfg
, AUTH_RULE_EAP_IDENTITY
);
1644 if (!current
|| current
->get_type(current
) == ID_ANY
)
1646 current
= cfg
->get(cfg
, AUTH_RULE_XAUTH_IDENTITY
);
1648 if (!current
|| current
->get_type(current
) == ID_ANY
)
1650 current
= cfg
->get(cfg
, AUTH_RULE_IDENTITY
);
1652 if (current
&& current
->get_type(current
) != ID_ANY
)
1658 enumerator
->destroy(enumerator
);
1663 return this->other_id
;
1666 METHOD(ike_sa_t
, set_other_id
, void,
1667 private_ike_sa_t
*this, identification_t
*other
)
1669 DESTROY_IF(this->other_id
);
1670 this->other_id
= other
;
1673 METHOD(ike_sa_t
, get_if_id
, uint32_t,
1674 private_ike_sa_t
*this, bool inbound
)
1676 return inbound
? this->if_id_in
: this->if_id_out
;
1679 METHOD(ike_sa_t
, add_child_sa
, void,
1680 private_ike_sa_t
*this, child_sa_t
*child_sa
)
1682 array_insert_create(&this->child_sas
, ARRAY_TAIL
, child_sa
);
1683 charon
->child_sa_manager
->add(charon
->child_sa_manager
,
1684 child_sa
, &this->public);
1687 METHOD(ike_sa_t
, get_child_sa
, child_sa_t
*,
1688 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool inbound
)
1690 enumerator_t
*enumerator
;
1691 child_sa_t
*current
, *found
= NULL
;
1693 enumerator
= array_create_enumerator(this->child_sas
);
1694 while (enumerator
->enumerate(enumerator
, (void**)¤t
))
1696 if (current
->get_spi(current
, inbound
) == spi
&&
1697 current
->get_protocol(current
) == protocol
)
1702 enumerator
->destroy(enumerator
);
1706 METHOD(ike_sa_t
, get_child_count
, int,
1707 private_ike_sa_t
*this)
1709 return array_count(this->child_sas
);
1713 * Private data of a create_child_sa_enumerator()
1716 /** implements enumerator */
1717 enumerator_t
public;
1718 /** inner array enumerator */
1719 enumerator_t
*inner
;
1721 child_sa_t
*current
;
1722 } child_enumerator_t
;
1724 METHOD(enumerator_t
, child_enumerate
, bool,
1725 child_enumerator_t
*this, va_list args
)
1727 child_sa_t
**child_sa
;
1729 VA_ARGS_VGET(args
, child_sa
);
1730 if (this->inner
->enumerate(this->inner
, &this->current
))
1732 *child_sa
= this->current
;
1738 METHOD(enumerator_t
, child_enumerator_destroy
, void,
1739 child_enumerator_t
*this)
1741 this->inner
->destroy(this->inner
);
1745 METHOD(ike_sa_t
, create_child_sa_enumerator
, enumerator_t
*,
1746 private_ike_sa_t
*this)
1748 child_enumerator_t
*enumerator
;
1752 .enumerate
= enumerator_enumerate_default
,
1753 .venumerate
= _child_enumerate
,
1754 .destroy
= _child_enumerator_destroy
,
1756 .inner
= array_create_enumerator(this->child_sas
),
1758 return &enumerator
->public;
1761 METHOD(ike_sa_t
, remove_child_sa
, void,
1762 private_ike_sa_t
*this, enumerator_t
*enumerator
)
1764 child_enumerator_t
*ce
= (child_enumerator_t
*)enumerator
;
1766 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, ce
->current
);
1767 array_remove_at(this->child_sas
, ce
->inner
);
1770 METHOD(ike_sa_t
, rekey_child_sa
, status_t
,
1771 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1773 if (this->state
== IKE_PASSIVE
)
1775 return INVALID_STATE
;
1777 this->task_manager
->queue_child_rekey(this->task_manager
, protocol
, spi
);
1778 return this->task_manager
->initiate(this->task_manager
);
1781 METHOD(ike_sa_t
, delete_child_sa
, status_t
,
1782 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
, bool expired
)
1784 if (this->state
== IKE_PASSIVE
)
1786 return INVALID_STATE
;
1788 this->task_manager
->queue_child_delete(this->task_manager
,
1789 protocol
, spi
, expired
);
1790 return this->task_manager
->initiate(this->task_manager
);
1793 METHOD(ike_sa_t
, destroy_child_sa
, status_t
,
1794 private_ike_sa_t
*this, protocol_id_t protocol
, uint32_t spi
)
1796 enumerator_t
*enumerator
;
1797 child_sa_t
*child_sa
;
1798 status_t status
= NOT_FOUND
;
1800 enumerator
= create_child_sa_enumerator(this);
1801 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
1803 if (child_sa
->get_protocol(child_sa
) == protocol
&&
1804 child_sa
->get_spi(child_sa
, TRUE
) == spi
)
1806 remove_child_sa(this, enumerator
);
1807 child_sa
->destroy(child_sa
);
1812 enumerator
->destroy(enumerator
);
1816 METHOD(ike_sa_t
, delete_
, status_t
,
1817 private_ike_sa_t
*this, bool force
)
1819 status_t status
= DESTROY_ME
;
1821 switch (this->state
)
1823 case IKE_ESTABLISHED
:
1825 if (time_monotonic(NULL
) >= this->stats
[STAT_DELETE
] &&
1826 !(this->version
== IKEV1
&& this->state
== IKE_REKEYING
))
1827 { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1829 charon
->bus
->alert(charon
->bus
, ALERT_IKE_SA_EXPIRED
);
1831 this->task_manager
->queue_ike_delete(this->task_manager
);
1832 status
= this->task_manager
->initiate(this->task_manager
);
1835 DBG1(DBG_IKE
, "deleting unestablished IKE_SA");
1840 DBG1(DBG_IKE
, "destroying IKE_SA in state %N without notification",
1841 ike_sa_state_names
, this->state
);
1848 status
= DESTROY_ME
;
1850 if (this->version
== IKEV2
)
1851 { /* for IKEv1 we trigger this in the ISAKMP delete task */
1852 switch (this->state
)
1854 case IKE_ESTABLISHED
:
1857 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
1866 METHOD(ike_sa_t
, rekey
, status_t
,
1867 private_ike_sa_t
*this)
1869 if (this->state
== IKE_PASSIVE
)
1871 return INVALID_STATE
;
1873 this->task_manager
->queue_ike_rekey(this->task_manager
);
1874 return this->task_manager
->initiate(this->task_manager
);
1877 METHOD(ike_sa_t
, reauth
, status_t
,
1878 private_ike_sa_t
*this)
1880 if (this->state
== IKE_PASSIVE
)
1882 return INVALID_STATE
;
1884 if (this->state
== IKE_CONNECTING
)
1886 DBG0(DBG_IKE
, "reinitiating IKE_SA %s[%d]",
1887 get_name(this), this->unique_id
);
1889 return this->task_manager
->initiate(this->task_manager
);
1891 /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1892 * If the peer does not support RFC4478, there is no way to keep the
1894 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
1896 DBG1(DBG_IKE
, "initiator did not reauthenticate as requested");
1897 if (array_count(this->other_vips
) != 0 ||
1898 has_condition(this, COND_XAUTH_AUTHENTICATED
) ||
1899 has_condition(this, COND_EAP_AUTHENTICATED
)
1901 /* as mediation server we too cannot reauth the IKE_SA */
1902 || this->is_mediation_server
1908 del
= this->stats
[STAT_DELETE
];
1909 now
= time_monotonic(NULL
);
1910 DBG1(DBG_IKE
, "IKE_SA %s[%d] will timeout in %V",
1911 get_name(this), this->unique_id
, &now
, &del
);
1916 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d] actively",
1917 get_name(this), this->unique_id
);
1922 DBG0(DBG_IKE
, "reauthenticating IKE_SA %s[%d]",
1923 get_name(this), this->unique_id
);
1925 set_condition(this, COND_REAUTHENTICATING
, TRUE
);
1926 this->task_manager
->queue_ike_reauth(this->task_manager
);
1927 return this->task_manager
->initiate(this->task_manager
);
1931 * Check if tasks to create CHILD_SAs are queued in the given queue
1933 static bool is_child_queued(private_ike_sa_t
*this, task_queue_t queue
)
1935 enumerator_t
*enumerator
;
1939 enumerator
= this->task_manager
->create_task_enumerator(this->task_manager
,
1941 while (enumerator
->enumerate(enumerator
, &task
))
1943 if (task
->get_type(task
) == TASK_CHILD_CREATE
||
1944 task
->get_type(task
) == TASK_QUICK_MODE
)
1950 enumerator
->destroy(enumerator
);
1955 * Reestablish CHILD_SAs and migrate queued tasks.
1957 * If force is true all SAs are restarted, otherwise their close/dpd_action
1960 static status_t
reestablish_children(private_ike_sa_t
*this, ike_sa_t
*new,
1963 enumerator_t
*enumerator
;
1964 child_sa_t
*child_sa
;
1965 child_cfg_t
*child_cfg
;
1967 status_t status
= FAILED
;
1969 /* handle existing CHILD_SAs */
1970 enumerator
= create_child_sa_enumerator(this);
1971 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
1973 switch (child_sa
->get_state(child_sa
))
1977 /* ignore CHILD_SAs in these states */
1984 action
= ACTION_RESTART
;
1987 { /* only restart CHILD_SAs that are configured accordingly */
1988 if (this->state
== IKE_DELETING
)
1990 action
= child_sa
->get_close_action(child_sa
);
1994 action
= child_sa
->get_dpd_action(child_sa
);
1999 case ACTION_RESTART
:
2000 child_cfg
= child_sa
->get_config(child_sa
);
2001 DBG1(DBG_IKE
, "restarting CHILD_SA %s",
2002 child_cfg
->get_name(child_cfg
));
2003 child_cfg
->get_ref(child_cfg
);
2004 status
= new->initiate(new, child_cfg
,
2005 child_sa
->get_reqid(child_sa
), NULL
, NULL
);
2010 if (status
== DESTROY_ME
)
2015 enumerator
->destroy(enumerator
);
2016 /* adopt any active or queued CHILD-creating tasks */
2017 if (status
!= DESTROY_ME
)
2019 new->adopt_child_tasks(new, &this->public);
2020 if (new->get_state(new) == IKE_CREATED
)
2022 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2028 METHOD(ike_sa_t
, reestablish
, status_t
,
2029 private_ike_sa_t
*this)
2034 enumerator_t
*enumerator
;
2035 child_sa_t
*child_sa
;
2036 bool restart
= FALSE
;
2037 status_t status
= FAILED
;
2039 if (has_condition(this, COND_REAUTHENTICATING
))
2040 { /* only reauthenticate if we have children */
2041 if (array_count(this->child_sas
) == 0
2043 /* allow reauth of mediation connections without CHILD_SAs */
2044 && !this->peer_cfg
->is_mediation(this->peer_cfg
)
2048 DBG1(DBG_IKE
, "unable to reauthenticate IKE_SA, no CHILD_SA "
2057 { /* check if we have children to keep up at all */
2058 enumerator
= array_create_enumerator(this->child_sas
);
2059 while (enumerator
->enumerate(enumerator
, (void**)&child_sa
))
2061 switch (child_sa
->get_state(child_sa
))
2065 /* ignore CHILD_SAs in these states */
2070 if (this->state
== IKE_DELETING
)
2072 action
= child_sa
->get_close_action(child_sa
);
2076 action
= child_sa
->get_dpd_action(child_sa
);
2080 case ACTION_RESTART
:
2084 charon
->traps
->install(charon
->traps
, this->peer_cfg
,
2085 child_sa
->get_config(child_sa
));
2091 enumerator
->destroy(enumerator
);
2092 /* check if we have tasks that recreate children */
2095 restart
= is_child_queued(this, TASK_QUEUE_ACTIVE
) ||
2096 is_child_queued(this, TASK_QUEUE_QUEUED
);
2099 /* mediation connections have no children, keep them up anyway */
2100 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2111 /* check if we are able to reestablish this IKE_SA */
2112 if (!has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2113 (array_count(this->other_vips
) != 0 ||
2114 has_condition(this, COND_EAP_AUTHENTICATED
)
2116 || this->is_mediation_server
2120 DBG1(DBG_IKE
, "unable to reestablish IKE_SA due to asymmetric setup");
2124 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2125 this->version
, TRUE
);
2130 new->set_peer_cfg(new, this->peer_cfg
);
2131 host
= this->other_host
;
2132 new->set_other_host(new, host
->clone(host
));
2133 host
= this->my_host
;
2134 new->set_my_host(new, host
->clone(host
));
2135 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2136 if (!has_condition(this, COND_REAUTHENTICATING
))
2137 { /* reauthenticate to the same addresses, but resolve hosts if
2138 * reestablishing (old addresses serve as fallback) */
2139 resolve_hosts((private_ike_sa_t
*)new);
2141 /* if we already have a virtual IP, we reuse it */
2142 enumerator
= array_create_enumerator(this->my_vips
);
2143 while (enumerator
->enumerate(enumerator
, &host
))
2145 new->add_virtual_ip(new, TRUE
, host
);
2147 enumerator
->destroy(enumerator
);
2150 if (this->peer_cfg
->is_mediation(this->peer_cfg
))
2152 status
= new->initiate(new, NULL
, 0, NULL
, NULL
);
2157 status
= reestablish_children(this, new,
2158 has_condition(this, COND_REAUTHENTICATING
));
2161 if (status
== DESTROY_ME
)
2163 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2165 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2170 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2172 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2175 charon
->bus
->set_sa(charon
->bus
, &this->public);
2180 * Resolve the given gateway ID
2182 static host_t
*resolve_gateway_id(identification_t
*gateway
)
2187 snprintf(gw
, sizeof(gw
), "%Y", gateway
);
2188 gw
[sizeof(gw
)-1] = '\0';
2189 addr
= host_create_from_dns(gw
, AF_UNSPEC
, IKEV2_UDP_PORT
);
2192 DBG1(DBG_IKE
, "unable to resolve gateway ID '%Y', redirect failed",
2199 * Redirect the current SA to the given target host
2201 static bool redirect_established(private_ike_sa_t
*this, identification_t
*to
)
2203 private_ike_sa_t
*new_priv
;
2208 new = charon
->ike_sa_manager
->checkout_new(charon
->ike_sa_manager
,
2209 this->version
, TRUE
);
2214 new_priv
= (private_ike_sa_t
*)new;
2215 new->set_peer_cfg(new, this->peer_cfg
);
2216 new_priv
->redirected_from
= this->other_host
->clone(this->other_host
);
2217 charon
->bus
->ike_reestablish_pre(charon
->bus
, &this->public, new);
2218 other
= resolve_gateway_id(to
);
2221 set_my_host(new_priv
, this->my_host
->clone(this->my_host
));
2222 /* this allows us to force the remote address while we still properly
2223 * resolve the local address */
2224 new_priv
->remote_host
= other
;
2225 resolve_hosts(new_priv
);
2226 new_priv
->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2227 while (array_remove(this->redirected_at
, ARRAY_HEAD
, &redirect
))
2229 array_insert(new_priv
->redirected_at
, ARRAY_TAIL
, &redirect
);
2231 if (reestablish_children(this, new, TRUE
) != DESTROY_ME
)
2234 new->queue_task(new, (task_t
*)ike_reauth_complete_create(new,
2237 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2239 charon
->ike_sa_manager
->checkin(charon
->ike_sa_manager
, new);
2240 charon
->bus
->set_sa(charon
->bus
, &this->public);
2244 charon
->bus
->ike_reestablish_post(charon
->bus
, &this->public, new,
2246 charon
->ike_sa_manager
->checkin_and_destroy(charon
->ike_sa_manager
, new);
2247 charon
->bus
->set_sa(charon
->bus
, &this->public);
2252 * Redirect the current connecting SA to the given target host
2254 static bool redirect_connecting(private_ike_sa_t
*this, identification_t
*to
)
2258 other
= resolve_gateway_id(to
);
2264 DESTROY_IF(this->redirected_from
);
2265 this->redirected_from
= this->other_host
->clone(this->other_host
);
2266 DESTROY_IF(this->remote_host
);
2267 /* this allows us to force the remote address while we still properly
2268 * resolve the local address */
2269 this->remote_host
= other
;
2270 resolve_hosts(this);
2275 * Check if the current redirect exceeds the limits for redirects
2277 static bool redirect_count_exceeded(private_ike_sa_t
*this)
2279 time_t now
, redirect
;
2281 now
= time_monotonic(NULL
);
2282 /* remove entries outside the defined period */
2283 while (array_get(this->redirected_at
, ARRAY_HEAD
, &redirect
) &&
2284 now
- redirect
>= REDIRECT_LOOP_DETECT_PERIOD
)
2286 array_remove(this->redirected_at
, ARRAY_HEAD
, NULL
);
2288 if (array_count(this->redirected_at
) < MAX_REDIRECTS
)
2290 if (!this->redirected_at
)
2292 this->redirected_at
= array_create(sizeof(time_t), MAX_REDIRECTS
);
2294 array_insert(this->redirected_at
, ARRAY_TAIL
, &now
);
2300 METHOD(ike_sa_t
, handle_redirect
, bool,
2301 private_ike_sa_t
*this, identification_t
*gateway
)
2303 DBG1(DBG_IKE
, "redirected to %Y", gateway
);
2304 if (!this->follow_redirects
)
2306 DBG1(DBG_IKE
, "server sent REDIRECT even though we disabled it");
2309 if (redirect_count_exceeded(this))
2311 DBG1(DBG_IKE
, "only %d redirects are allowed within %d seconds",
2312 MAX_REDIRECTS
, REDIRECT_LOOP_DETECT_PERIOD
);
2316 switch (this->state
)
2318 case IKE_CONNECTING
:
2319 return redirect_connecting(this, gateway
);
2320 case IKE_ESTABLISHED
:
2321 return redirect_established(this, gateway
);
2323 DBG1(DBG_IKE
, "unable to handle redirect for IKE_SA in state %N",
2324 ike_sa_state_names
, this->state
);
2329 METHOD(ike_sa_t
, redirect
, status_t
,
2330 private_ike_sa_t
*this, identification_t
*gateway
)
2332 switch (this->state
)
2334 case IKE_CONNECTING
:
2335 case IKE_ESTABLISHED
:
2337 if (has_condition(this, COND_REDIRECTED
))
2338 { /* IKE_SA already got redirected */
2341 if (has_condition(this, COND_ORIGINAL_INITIATOR
))
2343 DBG1(DBG_IKE
, "unable to redirect IKE_SA as initiator");
2346 if (this->version
== IKEV1
)
2348 DBG1(DBG_IKE
, "unable to redirect IKEv1 SA");
2351 if (!supports_extension(this, EXT_IKE_REDIRECTION
))
2353 DBG1(DBG_IKE
, "client does not support IKE redirection");
2357 this->task_manager
->queue_task(this->task_manager
,
2358 (task_t
*)ike_redirect_create(&this->public, gateway
));
2360 return this->task_manager
->initiate(this->task_manager
);
2362 DBG1(DBG_IKE
, "unable to redirect IKE_SA in state %N",
2363 ike_sa_state_names
, this->state
);
2364 return INVALID_STATE
;
2368 METHOD(ike_sa_t
, retransmit
, status_t
,
2369 private_ike_sa_t
*this, uint32_t message_id
)
2371 if (this->state
== IKE_PASSIVE
)
2373 return INVALID_STATE
;
2375 this->stats
[STAT_OUTBOUND
] = time_monotonic(NULL
);
2376 if (this->task_manager
->retransmit(this->task_manager
, message_id
) != SUCCESS
)
2378 /* send a proper signal to brief interested bus listeners */
2379 switch (this->state
)
2381 case IKE_CONNECTING
:
2383 /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
2384 uint32_t tries
= this->peer_cfg
->get_keyingtries(this->peer_cfg
);
2385 charon
->bus
->alert(charon
->bus
, ALERT_PEER_INIT_UNREACHABLE
,
2388 if (tries
== 0 || tries
> this->keyingtry
)
2390 DBG1(DBG_IKE
, "peer not responding, trying again (%d/%d)",
2391 this->keyingtry
+ 1, tries
);
2393 resolve_hosts(this);
2394 return this->task_manager
->initiate(this->task_manager
);
2396 DBG1(DBG_IKE
, "establishing IKE_SA failed, peer not responding");
2398 if (this->version
== IKEV1
&& array_count(this->child_sas
))
2400 enumerator_t
*enumerator
;
2401 child_sa_t
*child_sa
;
2403 /* if reauthenticating an IKEv1 SA failed (assumed for an SA
2404 * in this state with CHILD_SAs), try again from scratch */
2405 DBG1(DBG_IKE
, "reauthentication failed, trying to "
2406 "reestablish IKE_SA");
2408 /* trigger down events for the CHILD_SAs, as no down event
2409 * is triggered below for IKE SAs in this state */
2410 enumerator
= array_create_enumerator(this->child_sas
);
2411 while (enumerator
->enumerate(enumerator
, &child_sa
))
2413 if (child_sa
->get_state(child_sa
) != CHILD_REKEYED
&&
2414 child_sa
->get_state(child_sa
) != CHILD_DELETED
)
2416 charon
->bus
->child_updown(charon
->bus
, child_sa
,
2420 enumerator
->destroy(enumerator
);
2425 DBG1(DBG_IKE
, "proper IKE_SA delete failed, peer not responding");
2426 if (has_condition(this, COND_REAUTHENTICATING
) &&
2427 !lib
->settings
->get_bool(lib
->settings
,
2428 "%s.make_before_break", FALSE
, lib
->ns
))
2430 DBG1(DBG_IKE
, "delete during reauthentication failed, "
2431 "trying to reestablish IKE_SA anyway");
2436 DBG1(DBG_IKE
, "rekeying IKE_SA failed, peer not responding");
2442 if (this->state
!= IKE_CONNECTING
&&
2443 this->state
!= IKE_REKEYED
)
2445 charon
->bus
->ike_updown(charon
->bus
, &this->public, FALSE
);
2452 METHOD(ike_sa_t
, set_auth_lifetime
, status_t
,
2453 private_ike_sa_t
*this, uint32_t lifetime
)
2455 uint32_t diff
, hard
, soft
, now
;
2458 diff
= this->peer_cfg
->get_over_time(this->peer_cfg
);
2459 now
= time_monotonic(NULL
);
2460 hard
= now
+ lifetime
;
2463 /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2464 * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2465 send_update
= this->state
== IKE_ESTABLISHED
&& this->version
== IKEV2
&&
2466 !has_condition(this, COND_ORIGINAL_INITIATOR
) &&
2467 (array_count(this->other_vips
) != 0 ||
2468 has_condition(this, COND_EAP_AUTHENTICATED
));
2470 if (lifetime
< diff
)
2472 this->stats
[STAT_REAUTH
] = now
;
2476 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2477 "starting reauthentication", lifetime
);
2478 lib
->processor
->queue_job(lib
->processor
,
2479 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
));
2482 else if (this->stats
[STAT_REAUTH
] == 0 ||
2483 this->stats
[STAT_REAUTH
] > soft
)
2485 this->stats
[STAT_REAUTH
] = soft
;
2488 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, scheduling "
2489 "reauthentication in %ds", lifetime
, lifetime
- diff
);
2490 lib
->scheduler
->schedule_job(lib
->scheduler
,
2491 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
),
2497 DBG1(DBG_IKE
, "received AUTH_LIFETIME of %ds, "
2498 "reauthentication already scheduled in %ds", lifetime
,
2499 this->stats
[STAT_REAUTH
] - time_monotonic(NULL
));
2500 send_update
= FALSE
;
2502 /* give at least some seconds to reauthenticate */
2503 this->stats
[STAT_DELETE
] = max(hard
, now
+ 10);
2508 ike_auth_lifetime_t
*task
;
2510 task
= ike_auth_lifetime_create(&this->public, TRUE
);
2511 this->task_manager
->queue_task(this->task_manager
, &task
->task
);
2512 return this->task_manager
->initiate(this->task_manager
);
2519 * Check if the current combination of source and destination address is still
2522 static bool is_current_path_valid(private_ike_sa_t
*this)
2527 if (supports_extension(this, EXT_MOBIKE
) &&
2528 lib
->settings
->get_bool(lib
->settings
,
2529 "%s.prefer_best_path", FALSE
, lib
->ns
))
2531 /* check if the current path is the best path; migrate otherwise */
2532 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2536 valid
= src
->ip_equals(src
, this->my_host
);
2541 DBG1(DBG_IKE
, "old path is not preferred anymore");
2545 src
= charon
->kernel
->get_source_addr(charon
->kernel
, this->other_host
,
2549 if (src
->ip_equals(src
, this->my_host
))
2557 DBG1(DBG_IKE
, "old path is not available anymore, try to find another");
2563 * Check if we have any path avialable for this IKE SA.
2565 static bool is_any_path_valid(private_ike_sa_t
*this)
2568 enumerator_t
*enumerator
;
2569 host_t
*src
= NULL
, *addr
;
2570 int family
= AF_UNSPEC
;
2572 switch (charon
->socket
->supported_families(charon
->socket
))
2574 case SOCKET_FAMILY_IPV4
:
2577 case SOCKET_FAMILY_IPV6
:
2580 case SOCKET_FAMILY_BOTH
:
2581 case SOCKET_FAMILY_NONE
:
2585 enumerator
= create_peer_address_enumerator(this);
2586 while (enumerator
->enumerate(enumerator
, &addr
))
2588 if (family
!= AF_UNSPEC
&& addr
->get_family(addr
) != family
)
2592 DBG1(DBG_IKE
, "looking for a route to %H ...", addr
);
2593 src
= charon
->kernel
->get_source_addr(charon
->kernel
, addr
, NULL
);
2599 enumerator
->destroy(enumerator
);
2608 METHOD(ike_sa_t
, roam
, status_t
,
2609 private_ike_sa_t
*this, bool address
)
2611 switch (this->state
)
2615 case IKE_DESTROYING
:
2624 { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2625 * without config assigned */
2628 if (this->version
== IKEV1
)
2629 { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2630 * have to reestablish from scratch (reauth is not enough) */
2634 /* ignore roam events if MOBIKE is not supported/enabled and the local
2635 * address is statically configured */
2636 if (!supports_extension(this, EXT_MOBIKE
) &&
2637 ike_cfg_has_address(this->ike_cfg
, this->my_host
, TRUE
))
2639 DBG2(DBG_IKE
, "keeping statically configured path %H - %H",
2640 this->my_host
, this->other_host
);
2644 /* keep existing path if possible */
2645 if (is_current_path_valid(this))
2647 DBG2(DBG_IKE
, "keeping connection path %H - %H",
2648 this->my_host
, this->other_host
);
2649 set_condition(this, COND_STALE
, FALSE
);
2651 if (supports_extension(this, EXT_MOBIKE
) && address
)
2652 { /* if any addresses changed, send an updated list */
2653 DBG1(DBG_IKE
, "sending address list update using MOBIKE");
2654 this->task_manager
->queue_mobike(this->task_manager
, FALSE
, TRUE
);
2655 return this->task_manager
->initiate(this->task_manager
);
2660 if (!is_any_path_valid(this))
2662 DBG1(DBG_IKE
, "no route found to reach %H, MOBIKE update deferred",
2664 set_condition(this, COND_STALE
, TRUE
);
2667 set_condition(this, COND_STALE
, FALSE
);
2669 /* update addresses with mobike, if supported ... */
2670 if (supports_extension(this, EXT_MOBIKE
))
2672 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2673 { /* responder updates the peer about changed address config */
2674 DBG1(DBG_IKE
, "sending address list update using MOBIKE, "
2675 "implicitly requesting an address change");
2680 DBG1(DBG_IKE
, "requesting address change using MOBIKE");
2682 this->task_manager
->queue_mobike(this->task_manager
, TRUE
, address
);
2683 return this->task_manager
->initiate(this->task_manager
);
2686 /* ... reauth if not */
2687 if (!has_condition(this, COND_ORIGINAL_INITIATOR
))
2688 { /* responder does not reauthenticate */
2689 set_condition(this, COND_STALE
, TRUE
);
2692 DBG1(DBG_IKE
, "reauthenticating IKE_SA due to address change");
2693 /* since our previous path is not valid anymore, try and find a new one */
2694 resolve_hosts(this);
2695 return reauth(this);
2698 METHOD(ike_sa_t
, add_configuration_attribute
, void,
2699 private_ike_sa_t
*this, attribute_handler_t
*handler
,
2700 configuration_attribute_type_t type
, chunk_t data
)
2702 attribute_entry_t entry
= {
2705 .data
= chunk_clone(data
),
2707 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2710 CALLBACK(filter_attribute
, bool,
2711 void *null
, enumerator_t
*orig
, va_list args
)
2713 attribute_entry_t
*entry
;
2714 configuration_attribute_type_t
*type
;
2718 VA_ARGS_VGET(args
, type
, data
, handled
);
2720 if (orig
->enumerate(orig
, &entry
))
2722 *type
= entry
->type
;
2723 *data
= entry
->data
;
2724 *handled
= entry
->handler
!= NULL
;
2730 METHOD(ike_sa_t
, create_attribute_enumerator
, enumerator_t
*,
2731 private_ike_sa_t
*this)
2733 return enumerator_create_filter(array_create_enumerator(this->attributes
),
2734 filter_attribute
, NULL
, NULL
);
2737 METHOD(ike_sa_t
, create_task_enumerator
, enumerator_t
*,
2738 private_ike_sa_t
*this, task_queue_t queue
)
2740 return this->task_manager
->create_task_enumerator(this->task_manager
, queue
);
2743 METHOD(ike_sa_t
, remove_task
, void,
2744 private_ike_sa_t
*this, enumerator_t
*enumerator
)
2746 return this->task_manager
->remove_task(this->task_manager
, enumerator
);
2749 METHOD(ike_sa_t
, flush_queue
, void,
2750 private_ike_sa_t
*this, task_queue_t queue
)
2752 this->task_manager
->flush_queue(this->task_manager
, queue
);
2755 METHOD(ike_sa_t
, queue_task
, void,
2756 private_ike_sa_t
*this, task_t
*task
)
2758 this->task_manager
->queue_task(this->task_manager
, task
);
2761 METHOD(ike_sa_t
, queue_task_delayed
, void,
2762 private_ike_sa_t
*this, task_t
*task
, uint32_t delay
)
2764 this->task_manager
->queue_task_delayed(this->task_manager
, task
, delay
);
2768 * Migrate and queue child-creating tasks from another IKE_SA
2770 static void migrate_child_tasks(private_ike_sa_t
*this, ike_sa_t
*other
,
2773 enumerator_t
*enumerator
;
2776 enumerator
= other
->create_task_enumerator(other
, queue
);
2777 while (enumerator
->enumerate(enumerator
, &task
))
2779 if (task
->get_type(task
) == TASK_CHILD_CREATE
||
2780 task
->get_type(task
) == TASK_QUICK_MODE
)
2782 other
->remove_task(other
, enumerator
);
2783 task
->migrate(task
, &this->public);
2784 queue_task(this, task
);
2787 enumerator
->destroy(enumerator
);
2790 METHOD(ike_sa_t
, adopt_child_tasks
, void,
2791 private_ike_sa_t
*this, ike_sa_t
*other
)
2793 migrate_child_tasks(this, other
, TASK_QUEUE_ACTIVE
);
2794 migrate_child_tasks(this, other
, TASK_QUEUE_QUEUED
);
2797 METHOD(ike_sa_t
, inherit_pre
, void,
2798 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2800 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2802 /* apply config and hosts */
2803 set_peer_cfg(this, other
->peer_cfg
);
2804 set_my_host(this, other
->my_host
->clone(other
->my_host
));
2805 set_other_host(this, other
->other_host
->clone(other
->other_host
));
2807 /* apply extensions and conditions with a few exceptions */
2808 this->extensions
= other
->extensions
;
2809 this->conditions
= other
->conditions
;
2810 this->conditions
&= ~COND_STALE
;
2811 this->conditions
&= ~COND_REAUTHENTICATING
;
2814 METHOD(ike_sa_t
, inherit_post
, void,
2815 private_ike_sa_t
*this, ike_sa_t
*other_public
)
2817 private_ike_sa_t
*other
= (private_ike_sa_t
*)other_public
;
2818 child_sa_t
*child_sa
;
2819 enumerator_t
*enumerator
;
2820 attribute_entry_t entry
;
2824 /* apply hosts and ids */
2825 this->my_host
->destroy(this->my_host
);
2826 this->other_host
->destroy(this->other_host
);
2827 this->my_id
->destroy(this->my_id
);
2828 this->other_id
->destroy(this->other_id
);
2829 this->my_host
= other
->my_host
->clone(other
->my_host
);
2830 this->other_host
= other
->other_host
->clone(other
->other_host
);
2831 this->my_id
= other
->my_id
->clone(other
->my_id
);
2832 this->other_id
= other
->other_id
->clone(other
->other_id
);
2833 this->if_id_in
= other
->if_id_in
;
2834 this->if_id_out
= other
->if_id_out
;
2836 /* apply assigned virtual IPs... */
2837 while (array_remove(other
->my_vips
, ARRAY_HEAD
, &vip
))
2839 array_insert_create(&this->my_vips
, ARRAY_TAIL
, vip
);
2841 while (array_remove(other
->other_vips
, ARRAY_HEAD
, &vip
))
2843 array_insert_create(&this->other_vips
, ARRAY_TAIL
, vip
);
2846 /* MOBIKE additional addresses */
2847 while (array_remove(other
->peer_addresses
, ARRAY_HEAD
, &vip
))
2849 array_insert_create(&this->peer_addresses
, ARRAY_TAIL
, vip
);
2852 /* authentication information */
2853 enumerator
= array_create_enumerator(other
->my_auths
);
2854 while (enumerator
->enumerate(enumerator
, &cfg
))
2856 array_insert(this->my_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2858 enumerator
->destroy(enumerator
);
2859 enumerator
= array_create_enumerator(other
->other_auths
);
2860 while (enumerator
->enumerate(enumerator
, &cfg
))
2862 array_insert(this->other_auths
, ARRAY_TAIL
, cfg
->clone(cfg
));
2864 enumerator
->destroy(enumerator
);
2866 /* ... and configuration attributes */
2867 while (array_remove(other
->attributes
, ARRAY_HEAD
, &entry
))
2869 array_insert(this->attributes
, ARRAY_TAIL
, &entry
);
2872 /* inherit all conditions */
2873 this->conditions
= other
->conditions
;
2874 if (this->conditions
& COND_NAT_HERE
)
2876 send_keepalive(this, FALSE
);
2880 if (other
->is_mediation_server
)
2882 act_as_mediation_server(this);
2884 else if (other
->server_reflexive_host
)
2886 this->server_reflexive_host
= other
->server_reflexive_host
->clone(
2887 other
->server_reflexive_host
);
2891 /* adopt all children */
2892 while (array_remove(other
->child_sas
, ARRAY_HEAD
, &child_sa
))
2894 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2895 add_child_sa(this, child_sa
);
2898 /* move pending tasks to the new IKE_SA */
2899 this->task_manager
->adopt_tasks(this->task_manager
, other
->task_manager
);
2901 /* reauthentication timeout survives a rekeying */
2902 if (other
->stats
[STAT_REAUTH
])
2904 time_t reauth
, delete, now
= time_monotonic(NULL
);
2906 this->stats
[STAT_REAUTH
] = other
->stats
[STAT_REAUTH
];
2907 reauth
= this->stats
[STAT_REAUTH
] - now
;
2908 delete = reauth
+ this->peer_cfg
->get_over_time(this->peer_cfg
);
2909 this->stats
[STAT_DELETE
] = this->stats
[STAT_REAUTH
] + delete;
2910 DBG1(DBG_IKE
, "rescheduling reauthentication in %ds after rekeying, "
2911 "lifetime reduced to %ds", reauth
, delete);
2912 lib
->scheduler
->schedule_job(lib
->scheduler
,
2913 (job_t
*)rekey_ike_sa_job_create(this->ike_sa_id
, TRUE
), reauth
);
2914 lib
->scheduler
->schedule_job(lib
->scheduler
,
2915 (job_t
*)delete_ike_sa_job_create(this->ike_sa_id
, TRUE
), delete);
2919 METHOD(ike_sa_t
, destroy
, void,
2920 private_ike_sa_t
*this)
2922 attribute_entry_t entry
;
2923 child_sa_t
*child_sa
;
2926 charon
->bus
->set_sa(charon
->bus
, &this->public);
2928 set_state(this, IKE_DESTROYING
);
2929 if (this->task_manager
)
2931 this->task_manager
->flush(this->task_manager
);
2934 /* remove attributes first, as we pass the IKE_SA to the handler */
2935 charon
->bus
->handle_vips(charon
->bus
, &this->public, FALSE
);
2936 while (array_remove(this->attributes
, ARRAY_TAIL
, &entry
))
2940 charon
->attributes
->release(charon
->attributes
, entry
.handler
,
2941 &this->public, entry
.type
, entry
.data
);
2943 free(entry
.data
.ptr
);
2945 /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
2946 * routes that the CHILD_SA tries to uninstall. */
2947 while (array_remove(this->child_sas
, ARRAY_TAIL
, &child_sa
))
2949 charon
->child_sa_manager
->remove(charon
->child_sa_manager
, child_sa
);
2950 child_sa
->destroy(child_sa
);
2952 while (array_remove(this->my_vips
, ARRAY_TAIL
, &vip
))
2954 charon
->kernel
->del_ip(charon
->kernel
, vip
, -1, TRUE
);
2957 if (array_count(this->other_vips
))
2959 charon
->bus
->assign_vips(charon
->bus
, &this->public, FALSE
);
2961 while (array_remove(this->other_vips
, ARRAY_TAIL
, &vip
))
2965 linked_list_t
*pools
;
2967 pools
= linked_list_create_from_enumerator(
2968 this->peer_cfg
->create_pool_enumerator(this->peer_cfg
));
2969 charon
->attributes
->release_address(charon
->attributes
,
2970 pools
, vip
, &this->public);
2971 pools
->destroy(pools
);
2976 /* unset SA after here to avoid usage by the listeners */
2977 charon
->bus
->set_sa(charon
->bus
, NULL
);
2979 array_destroy(this->child_sas
);
2980 DESTROY_IF(this->task_manager
);
2981 DESTROY_IF(this->keymat
);
2982 array_destroy(this->attributes
);
2983 array_destroy(this->my_vips
);
2984 array_destroy(this->other_vips
);
2985 array_destroy_offset(this->peer_addresses
, offsetof(host_t
, destroy
));
2987 if (this->is_mediation_server
)
2989 charon
->mediation_manager
->remove(charon
->mediation_manager
,
2992 DESTROY_IF(this->server_reflexive_host
);
2993 chunk_free(&this->connect_id
);
2995 free(this->nat_detection_dest
.ptr
);
2997 DESTROY_IF(this->my_host
);
2998 DESTROY_IF(this->other_host
);
2999 DESTROY_IF(this->my_id
);
3000 DESTROY_IF(this->other_id
);
3001 DESTROY_IF(this->local_host
);
3002 DESTROY_IF(this->remote_host
);
3003 DESTROY_IF(this->redirected_from
);
3004 array_destroy(this->redirected_at
);
3006 DESTROY_IF(this->ike_cfg
);
3007 DESTROY_IF(this->peer_cfg
);
3008 DESTROY_IF(this->proposal
);
3009 this->my_auth
->destroy(this->my_auth
);
3010 this->other_auth
->destroy(this->other_auth
);
3011 array_destroy_offset(this->my_auths
, offsetof(auth_cfg_t
, destroy
));
3012 array_destroy_offset(this->other_auths
, offsetof(auth_cfg_t
, destroy
));
3014 this->ike_sa_id
->destroy(this->ike_sa_id
);
3019 * Described in header.
3021 ike_sa_t
* ike_sa_create(ike_sa_id_t
*ike_sa_id
, bool initiator
,
3022 ike_version_t version
)
3024 private_ike_sa_t
*this;
3025 static refcount_t unique_id
= 0;
3027 if (version
== IKE_ANY
)
3028 { /* prefer IKEv2 if protocol not specified */
3038 .get_version
= _get_version
,
3039 .get_state
= _get_state
,
3040 .set_state
= _set_state
,
3041 .get_name
= _get_name
,
3042 .get_statistic
= _get_statistic
,
3043 .set_statistic
= _set_statistic
,
3044 .process_message
= _process_message
,
3045 .initiate
= _initiate
,
3046 .retry_initiate
= _retry_initiate
,
3047 .get_ike_cfg
= _get_ike_cfg
,
3048 .set_ike_cfg
= _set_ike_cfg
,
3049 .get_peer_cfg
= _get_peer_cfg
,
3050 .set_peer_cfg
= _set_peer_cfg
,
3051 .get_auth_cfg
= _get_auth_cfg
,
3052 .create_auth_cfg_enumerator
= _create_auth_cfg_enumerator
,
3053 .verify_peer_certificate
= _verify_peer_certificate
,
3054 .add_auth_cfg
= _add_auth_cfg
,
3055 .get_proposal
= _get_proposal
,
3056 .set_proposal
= _set_proposal
,
3058 .get_my_host
= _get_my_host
,
3059 .set_my_host
= _set_my_host
,
3060 .get_other_host
= _get_other_host
,
3061 .set_other_host
= _set_other_host
,
3062 .set_message_id
= _set_message_id
,
3063 .get_message_id
= _get_message_id
,
3064 .float_ports
= _float_ports
,
3065 .update_hosts
= _update_hosts
,
3066 .get_my_id
= _get_my_id
,
3067 .set_my_id
= _set_my_id
,
3068 .get_other_id
= _get_other_id
,
3069 .set_other_id
= _set_other_id
,
3070 .get_other_eap_id
= _get_other_eap_id
,
3071 .enable_extension
= _enable_extension
,
3072 .supports_extension
= _supports_extension
,
3073 .set_condition
= _set_condition
,
3074 .has_condition
= _has_condition
,
3075 .create_peer_address_enumerator
= _create_peer_address_enumerator
,
3076 .add_peer_address
= _add_peer_address
,
3077 .clear_peer_addresses
= _clear_peer_addresses
,
3078 .has_mapping_changed
= _has_mapping_changed
,
3079 .retransmit
= _retransmit
,
3081 .destroy
= _destroy
,
3082 .send_dpd
= _send_dpd
,
3083 .send_keepalive
= _send_keepalive
,
3084 .redirect
= _redirect
,
3085 .handle_redirect
= _handle_redirect
,
3086 .get_redirected_from
= _get_redirected_from
,
3087 .get_keymat
= _get_keymat
,
3088 .add_child_sa
= _add_child_sa
,
3089 .get_child_sa
= _get_child_sa
,
3090 .get_child_count
= _get_child_count
,
3091 .create_child_sa_enumerator
= _create_child_sa_enumerator
,
3092 .remove_child_sa
= _remove_child_sa
,
3093 .rekey_child_sa
= _rekey_child_sa
,
3094 .delete_child_sa
= _delete_child_sa
,
3095 .destroy_child_sa
= _destroy_child_sa
,
3098 .reestablish
= _reestablish
,
3099 .set_auth_lifetime
= _set_auth_lifetime
,
3101 .inherit_pre
= _inherit_pre
,
3102 .inherit_post
= _inherit_post
,
3103 .generate_message
= _generate_message
,
3104 .generate_message_fragmented
= _generate_message_fragmented
,
3106 .get_unique_id
= _get_unique_id
,
3107 .add_virtual_ip
= _add_virtual_ip
,
3108 .clear_virtual_ips
= _clear_virtual_ips
,
3109 .create_virtual_ip_enumerator
= _create_virtual_ip_enumerator
,
3110 .add_configuration_attribute
= _add_configuration_attribute
,
3111 .create_attribute_enumerator
= _create_attribute_enumerator
,
3112 .get_if_id
= _get_if_id
,
3113 .set_kmaddress
= _set_kmaddress
,
3114 .create_task_enumerator
= _create_task_enumerator
,
3115 .remove_task
= _remove_task
,
3116 .flush_queue
= _flush_queue
,
3117 .queue_task
= _queue_task
,
3118 .queue_task_delayed
= _queue_task_delayed
,
3119 .adopt_child_tasks
= _adopt_child_tasks
,
3121 .act_as_mediation_server
= _act_as_mediation_server
,
3122 .get_server_reflexive_host
= _get_server_reflexive_host
,
3123 .set_server_reflexive_host
= _set_server_reflexive_host
,
3124 .get_connect_id
= _get_connect_id
,
3125 .initiate_mediation
= _initiate_mediation
,
3126 .initiate_mediated
= _initiate_mediated
,
3128 .callback
= _callback
,
3129 .respond
= _respond
,
3132 .ike_sa_id
= ike_sa_id
->clone(ike_sa_id
),
3134 .my_host
= host_create_any(AF_INET
),
3135 .other_host
= host_create_any(AF_INET
),
3136 .my_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3137 .other_id
= identification_create_from_encoding(ID_ANY
, chunk_empty
),
3138 .keymat
= keymat_create(version
, initiator
),
3139 .state
= IKE_CREATED
,
3140 .stats
[STAT_INBOUND
] = time_monotonic(NULL
),
3141 .stats
[STAT_OUTBOUND
] = time_monotonic(NULL
),
3142 .my_auth
= auth_cfg_create(),
3143 .other_auth
= auth_cfg_create(),
3144 .my_auths
= array_create(0, 0),
3145 .other_auths
= array_create(0, 0),
3146 .attributes
= array_create(sizeof(attribute_entry_t
), 0),
3147 .unique_id
= ref_get(&unique_id
),
3148 .keepalive_interval
= lib
->settings
->get_time(lib
->settings
,
3149 "%s.keep_alive", KEEPALIVE_INTERVAL
, lib
->ns
),
3150 .retry_initiate_interval
= lib
->settings
->get_time(lib
->settings
,
3151 "%s.retry_initiate_interval", 0, lib
->ns
),
3152 .flush_auth_cfg
= lib
->settings
->get_bool(lib
->settings
,
3153 "%s.flush_auth_cfg", FALSE
, lib
->ns
),
3154 .fragment_size
= lib
->settings
->get_int(lib
->settings
,
3155 "%s.fragment_size", 1280, lib
->ns
),
3156 .follow_redirects
= lib
->settings
->get_bool(lib
->settings
,
3157 "%s.follow_redirects", TRUE
, lib
->ns
),
3160 if (version
== IKEV2
)
3161 { /* always supported with IKEv2 */
3162 enable_extension(this, EXT_DPD
);
3165 this->task_manager
= task_manager_create(&this->public);
3166 this->my_host
->set_port(this->my_host
,
3167 charon
->socket
->get_port(charon
->socket
, FALSE
));
3169 if (!this->task_manager
|| !this->keymat
)
3171 DBG1(DBG_IKE
, "IKE version %d not supported", this->version
);
3175 return &this->public;