Annotation of embedaddon/strongswan/src/libcharon/sa/ike_sa.c, revision 1.1.1.2
1.1 misho 1: /*
1.1.1.2 ! misho 2: * Copyright (C) 2006-2020 Tobias Brunner
1.1 misho 3: * Copyright (C) 2006 Daniel Roethlisberger
4: * Copyright (C) 2005-2009 Martin Willi
5: * Copyright (C) 2005 Jan Hutter
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: /*
20: * Copyright (c) 2014 Volker RĂ¼melin
21: *
22: * Permission is hereby granted, free of charge, to any person obtaining a copy
23: * of this software and associated documentation files (the "Software"), to deal
24: * in the Software without restriction, including without limitation the rights
25: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
26: * copies of the Software, and to permit persons to whom the Software is
27: * furnished to do so, subject to the following conditions:
28: *
29: * The above copyright notice and this permission notice shall be included in
30: * all copies or substantial portions of the Software.
31: *
32: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
33: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
34: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
35: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
36: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
37: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
38: * THE SOFTWARE.
39: */
40:
41: #include <string.h>
42: #include <sys/stat.h>
43: #include <errno.h>
44: #include <time.h>
45:
46: #include "ike_sa.h"
47:
48: #include <library.h>
49: #include <daemon.h>
50: #include <collections/array.h>
51: #include <utils/lexparser.h>
52: #include <processing/jobs/retransmit_job.h>
53: #include <processing/jobs/delete_ike_sa_job.h>
54: #include <processing/jobs/send_dpd_job.h>
55: #include <processing/jobs/send_keepalive_job.h>
56: #include <processing/jobs/rekey_ike_sa_job.h>
57: #include <processing/jobs/retry_initiate_job.h>
58: #include <sa/ikev2/tasks/ike_auth_lifetime.h>
59: #include <sa/ikev2/tasks/ike_reauth_complete.h>
60: #include <sa/ikev2/tasks/ike_redirect.h>
61: #include <credentials/sets/auth_cfg_wrapper.h>
62:
63: #ifdef ME
64: #include <sa/ikev2/tasks/ike_me.h>
65: #include <processing/jobs/initiate_mediation_job.h>
66: #endif
67:
68: ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
69: "CREATED",
70: "CONNECTING",
71: "ESTABLISHED",
72: "PASSIVE",
73: "REKEYING",
74: "REKEYED",
75: "DELETING",
76: "DESTROYING",
77: );
78:
79: typedef struct private_ike_sa_t private_ike_sa_t;
80: typedef struct attribute_entry_t attribute_entry_t;
81:
82: /**
83: * Private data of an ike_sa_t object.
84: */
85: struct private_ike_sa_t {
86:
87: /**
88: * Public members
89: */
90: ike_sa_t public;
91:
92: /**
93: * Identifier for the current IKE_SA.
94: */
95: ike_sa_id_t *ike_sa_id;
96:
97: /**
98: * IKE version of this SA.
99: */
100: ike_version_t version;
101:
102: /**
103: * unique numerical ID for this IKE_SA.
104: */
105: uint32_t unique_id;
106:
107: /**
108: * Current state of the IKE_SA
109: */
110: ike_sa_state_t state;
111:
112: /**
113: * IKE configuration used to set up this IKE_SA
114: */
115: ike_cfg_t *ike_cfg;
116:
117: /**
118: * Peer and authentication information to establish IKE_SA.
119: */
120: peer_cfg_t *peer_cfg;
121:
122: /**
123: * currently used authentication ruleset, local
124: */
125: auth_cfg_t *my_auth;
126:
127: /**
128: * currently used authentication constraints, remote
129: */
130: auth_cfg_t *other_auth;
131:
132: /**
133: * Array of completed local authentication rounds (as auth_cfg_t)
134: */
135: array_t *my_auths;
136:
137: /**
138: * Array of completed remote authentication rounds (as auth_cfg_t)
139: */
140: array_t *other_auths;
141:
142: /**
143: * Selected IKE proposal
144: */
145: proposal_t *proposal;
146:
147: /**
148: * Juggles tasks to process messages
149: */
150: task_manager_t *task_manager;
151:
152: /**
153: * Address of local host
154: */
155: host_t *my_host;
156:
157: /**
158: * Address of remote host
159: */
160: host_t *other_host;
161:
162: #ifdef ME
163: /**
164: * Are we mediation server
165: */
166: bool is_mediation_server;
167:
168: /**
169: * Server reflexive host
170: */
171: host_t *server_reflexive_host;
172:
173: /**
174: * Connect ID
175: */
176: chunk_t connect_id;
177: #endif /* ME */
178:
179: /**
180: * Identification used for us
181: */
182: identification_t *my_id;
183:
184: /**
185: * Identification used for other
186: */
187: identification_t *other_id;
188:
189: /**
190: * set of extensions the peer supports
191: */
192: ike_extension_t extensions;
193:
194: /**
195: * set of condition flags currently enabled for this IKE_SA
196: */
197: ike_condition_t conditions;
198:
199: /**
200: * Array containing the child sa's of the current IKE_SA.
201: */
202: array_t *child_sas;
203:
204: /**
205: * keymat of this IKE_SA
206: */
207: keymat_t *keymat;
208:
209: /**
210: * Virtual IPs on local host
211: */
212: array_t *my_vips;
213:
214: /**
215: * Virtual IPs on remote host
216: */
217: array_t *other_vips;
218:
219: /**
220: * List of configuration attributes (attribute_entry_t)
221: */
222: array_t *attributes;
223:
224: /**
225: * list of peer's addresses, additional ones transmitted via MOBIKE
226: */
227: array_t *peer_addresses;
228:
229: /**
230: * previously value of received DESTINATION_IP hash
231: */
232: chunk_t nat_detection_dest;
233:
234: /**
235: * NAT keep alive interval
236: */
237: uint32_t keepalive_interval;
238:
239: /**
1.1.1.2 ! misho 240: * Time the NAT keep alive interval may be exceeded before triggering a DPD
! 241: * instead of a NAT keep alive
! 242: */
! 243: uint32_t keepalive_dpd_margin;
! 244:
! 245: /**
1.1 misho 246: * The scheduled keep alive job, if any
247: */
248: send_keepalive_job_t *keepalive_job;
249:
250: /**
251: * interval for retries during initiation (e.g. if DNS resolution failed),
252: * 0 to disable (default)
253: */
254: uint32_t retry_initiate_interval;
255:
256: /**
257: * TRUE if a retry_initiate_job has been queued
258: */
259: bool retry_initiate_queued;
260:
261: /**
262: * Timestamps for this IKE_SA
263: */
264: uint32_t stats[STAT_MAX];
265:
266: /**
267: * how many times we have retried so far (keyingtries)
268: */
269: uint32_t keyingtry;
270:
271: /**
272: * local host address to be used for IKE, set via MIGRATE kernel message
273: */
274: host_t *local_host;
275:
276: /**
277: * remote host address to be used for IKE, set via MIGRATE kernel message
278: */
279: host_t *remote_host;
280:
281: /**
282: * Flush auth configs once established?
283: */
284: bool flush_auth_cfg;
285:
286: /**
287: * Maximum length of a single fragment, 0 for address-specific defaults
288: */
289: size_t fragment_size;
290:
291: /**
292: * Whether to follow IKEv2 redirects
293: */
294: bool follow_redirects;
295:
296: /**
297: * Original gateway address from which we got redirected
298: */
299: host_t *redirected_from;
300:
301: /**
302: * Timestamps of redirect attempts to handle loops
303: */
304: array_t *redirected_at;
305:
306: /**
307: * Inbound interface ID
308: */
309: uint32_t if_id_in;
310:
311: /**
312: * Outbound interface ID
313: */
314: uint32_t if_id_out;
315: };
316:
317: /**
318: * Entry to maintain install configuration attributes during IKE_SA lifetime
319: */
320: struct attribute_entry_t {
321: /** handler used to install this attribute */
322: attribute_handler_t *handler;
323: /** attribute type */
324: configuration_attribute_type_t type;
325: /** attribute data */
326: chunk_t data;
327: };
328:
329: /**
330: * get the time of the latest traffic processed by the kernel
331: */
332: static time_t get_use_time(private_ike_sa_t* this, bool inbound)
333: {
334: enumerator_t *enumerator;
335: child_sa_t *child_sa;
336: time_t use_time, current;
337:
338: if (inbound)
339: {
340: use_time = this->stats[STAT_INBOUND];
341: }
342: else
343: {
344: use_time = this->stats[STAT_OUTBOUND];
345: }
346:
347: enumerator = array_create_enumerator(this->child_sas);
348: while (enumerator->enumerate(enumerator, &child_sa))
349: {
350: child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL);
351: use_time = max(use_time, current);
352: }
353: enumerator->destroy(enumerator);
354:
355: return use_time;
356: }
357:
358: METHOD(ike_sa_t, get_unique_id, uint32_t,
359: private_ike_sa_t *this)
360: {
361: return this->unique_id;
362: }
363:
364: METHOD(ike_sa_t, get_name, char*,
365: private_ike_sa_t *this)
366: {
367: if (this->peer_cfg)
368: {
369: return this->peer_cfg->get_name(this->peer_cfg);
370: }
371: return "(unnamed)";
372: }
373:
374: METHOD(ike_sa_t, get_statistic, uint32_t,
375: private_ike_sa_t *this, statistic_t kind)
376: {
377: if (kind < STAT_MAX)
378: {
379: return this->stats[kind];
380: }
381: return 0;
382: }
383:
384: METHOD(ike_sa_t, set_statistic, void,
385: private_ike_sa_t *this, statistic_t kind, uint32_t value)
386: {
387: if (kind < STAT_MAX)
388: {
389: this->stats[kind] = value;
390: }
391: }
392:
393: METHOD(ike_sa_t, get_my_host, host_t*,
394: private_ike_sa_t *this)
395: {
396: return this->my_host;
397: }
398:
399: METHOD(ike_sa_t, set_my_host, void,
400: private_ike_sa_t *this, host_t *me)
401: {
402: DESTROY_IF(this->my_host);
403: this->my_host = me;
404: }
405:
406: METHOD(ike_sa_t, get_other_host, host_t*,
407: private_ike_sa_t *this)
408: {
409: return this->other_host;
410: }
411:
412: METHOD(ike_sa_t, set_other_host, void,
413: private_ike_sa_t *this, host_t *other)
414: {
415: DESTROY_IF(this->other_host);
416: this->other_host = other;
417: }
418:
419: METHOD(ike_sa_t, get_redirected_from, host_t*,
420: private_ike_sa_t *this)
421: {
422: return this->redirected_from;
423: }
424:
425: METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
426: private_ike_sa_t *this)
427: {
428: return this->peer_cfg;
429: }
430:
431: METHOD(ike_sa_t, set_peer_cfg, void,
432: private_ike_sa_t *this, peer_cfg_t *peer_cfg)
433: {
434: peer_cfg->get_ref(peer_cfg);
435: DESTROY_IF(this->peer_cfg);
436: this->peer_cfg = peer_cfg;
437:
438: if (!this->ike_cfg)
439: {
440: this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
441: this->ike_cfg->get_ref(this->ike_cfg);
442: }
443:
444: this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE);
445: this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE);
446: allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
447: }
448:
449: METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
450: private_ike_sa_t *this, bool local)
451: {
452: if (local)
453: {
454: return this->my_auth;
455: }
456: return this->other_auth;
457: }
458:
459: METHOD(ike_sa_t, add_auth_cfg, void,
460: private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
461: {
462: if (local)
463: {
464: array_insert(this->my_auths, ARRAY_TAIL, cfg);
465: }
466: else
467: {
468: array_insert(this->other_auths, ARRAY_TAIL, cfg);
469: }
470: }
471:
472: METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
473: private_ike_sa_t *this, bool local)
474: {
475: if (local)
476: {
477: return array_create_enumerator(this->my_auths);
478: }
479: return array_create_enumerator(this->other_auths);
480: }
481:
482: /**
483: * Flush the stored authentication round information
484: */
485: static void flush_auth_cfgs(private_ike_sa_t *this)
486: {
487: auth_cfg_t *cfg;
488:
489: this->my_auth->purge(this->my_auth, FALSE);
490: this->other_auth->purge(this->other_auth, FALSE);
491:
492: while (array_remove(this->my_auths, ARRAY_TAIL, &cfg))
493: {
494: cfg->destroy(cfg);
495: }
496: while (array_remove(this->other_auths, ARRAY_TAIL, &cfg))
497: {
498: cfg->destroy(cfg);
499: }
500: }
501:
502: METHOD(ike_sa_t, verify_peer_certificate, bool,
503: private_ike_sa_t *this)
504: {
505: enumerator_t *e1, *e2, *certs;
506: auth_cfg_t *cfg, *cfg_done;
507: certificate_t *peer, *cert;
508: public_key_t *key;
509: auth_cfg_t *auth;
510: auth_cfg_wrapper_t *wrapper;
511: time_t not_before, not_after;
512: bool valid = TRUE, found;
513:
514: if (this->state != IKE_ESTABLISHED)
515: {
516: DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
517: ike_sa_state_names, this->state);
518: return FALSE;
519: }
520:
521: if (!this->flush_auth_cfg &&
522: lib->settings->get_bool(lib->settings,
523: "%s.flush_auth_cfg", FALSE, lib->ns))
524: { /* we can do this check only once if auth configs are flushed */
525: DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
526: "information has been flushed");
527: return FALSE;
528: }
529: this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
530: FALSE);
531:
532: e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
533: e2 = array_create_enumerator(this->other_auths);
534: while (e1->enumerate(e1, &cfg))
535: {
536: if (!e2->enumerate(e2, &cfg_done))
537: { /* this should not happen as the authentication should never have
538: * succeeded */
539: valid = FALSE;
540: break;
541: }
542: if ((uintptr_t)cfg_done->get(cfg_done,
543: AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
544: {
545: continue;
546: }
547: peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
548: if (!peer)
549: {
550: DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
551: "verification");
552: continue;
553: }
554: if (!peer->get_validity(peer, NULL, ¬_before, ¬_after))
555: {
556: DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
557: ¬_before, FALSE, ¬_after, FALSE);
558: valid = FALSE;
559: break;
560: }
561: key = peer->get_public_key(peer);
562: if (!key)
563: {
564: DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
565: "verification");
566: continue;
567: }
568: DBG1(DBG_IKE, "verifying peer certificate");
569: /* serve received certificates */
570: wrapper = auth_cfg_wrapper_create(cfg_done);
571: lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
572: certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
573: key->get_type(key), peer->get_subject(peer), TRUE);
574: key->destroy(key);
575:
576: found = FALSE;
577: while (certs->enumerate(certs, &cert, &auth))
578: {
579: if (peer->equals(peer, cert))
580: {
581: cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
582: FALSE);
583: cfg_done->merge(cfg_done, auth, FALSE);
584: valid = cfg_done->complies(cfg_done, cfg, TRUE);
585: found = TRUE;
586: break;
587: }
588: }
589: certs->destroy(certs);
590: lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
591: wrapper->destroy(wrapper);
592: if (!found || !valid)
593: {
594: valid = FALSE;
595: break;
596: }
597: }
598: e1->destroy(e1);
599: e2->destroy(e2);
600:
601: if (this->flush_auth_cfg)
602: {
603: this->flush_auth_cfg = FALSE;
604: flush_auth_cfgs(this);
605: }
606: return valid;
607: }
608:
609: METHOD(ike_sa_t, get_proposal, proposal_t*,
610: private_ike_sa_t *this)
611: {
612: return this->proposal;
613: }
614:
615: METHOD(ike_sa_t, set_proposal, void,
616: private_ike_sa_t *this, proposal_t *proposal)
617: {
618: DESTROY_IF(this->proposal);
619: this->proposal = proposal->clone(proposal, 0);
620: }
621:
622: METHOD(ike_sa_t, set_message_id, void,
623: private_ike_sa_t *this, bool initiate, uint32_t mid)
624: {
625: if (initiate)
626: {
627: this->task_manager->reset(this->task_manager, mid, UINT_MAX);
628: }
629: else
630: {
631: this->task_manager->reset(this->task_manager, UINT_MAX, mid);
632: }
633: }
634:
635: METHOD(ike_sa_t, get_message_id, uint32_t,
636: private_ike_sa_t *this, bool initiate)
637: {
638: return this->task_manager->get_mid(this->task_manager, initiate);
639: }
640:
641: METHOD(ike_sa_t, send_keepalive, void,
642: private_ike_sa_t *this, bool scheduled)
643: {
644: time_t last_out, now, diff;
645:
646: if (scheduled)
647: {
648: this->keepalive_job = NULL;
649: }
650: if (!this->keepalive_interval || this->state == IKE_PASSIVE)
651: { /* keepalives disabled either by configuration or for passive IKE_SAs */
652: return;
653: }
654: if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
655: { /* disable keepalives if we are not NATed anymore, or the SA is stale */
656: return;
657: }
658:
659: last_out = get_use_time(this, FALSE);
660: now = time_monotonic(NULL);
661:
662: diff = now - last_out;
663:
1.1.1.2 ! misho 664: if (this->keepalive_dpd_margin &&
! 665: diff > (this->keepalive_interval + this->keepalive_dpd_margin))
! 666: {
! 667: if (!this->task_manager->busy(this->task_manager))
! 668: {
! 669: DBG1(DBG_IKE, "sending DPD instead of keep alive %ds after last "
! 670: "outbound message", diff);
! 671: this->task_manager->queue_dpd(this->task_manager);
! 672: this->task_manager->initiate(this->task_manager);
! 673: }
! 674: diff = 0;
! 675: }
! 676: else if (diff >= this->keepalive_interval)
1.1 misho 677: {
678: packet_t *packet;
679: chunk_t data;
680:
681: packet = packet_create();
682: packet->set_source(packet, this->my_host->clone(this->my_host));
683: packet->set_destination(packet, this->other_host->clone(this->other_host));
684: data.ptr = malloc(1);
685: data.ptr[0] = 0xFF;
686: data.len = 1;
687: packet->set_data(packet, data);
688: DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
689: charon->sender->send_no_marker(charon->sender, packet);
1.1.1.2 ! misho 690: this->stats[STAT_OUTBOUND] = now;
1.1 misho 691: diff = 0;
692: }
693: if (!this->keepalive_job)
694: {
695: this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
696: lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
697: this->keepalive_interval - diff);
698: }
699: }
700:
701: METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
702: private_ike_sa_t *this)
703: {
704: return this->ike_cfg;
705: }
706:
707: METHOD(ike_sa_t, set_ike_cfg, void,
708: private_ike_sa_t *this, ike_cfg_t *ike_cfg)
709: {
710: DESTROY_IF(this->ike_cfg);
711: ike_cfg->get_ref(ike_cfg);
712: this->ike_cfg = ike_cfg;
713: }
714:
715: METHOD(ike_sa_t, enable_extension, void,
716: private_ike_sa_t *this, ike_extension_t extension)
717: {
718: this->extensions |= extension;
719: }
720:
721: METHOD(ike_sa_t, supports_extension, bool,
722: private_ike_sa_t *this, ike_extension_t extension)
723: {
724: return (this->extensions & extension) != FALSE;
725: }
726:
727: METHOD(ike_sa_t, has_condition, bool,
728: private_ike_sa_t *this, ike_condition_t condition)
729: {
730: return (this->conditions & condition) != FALSE;
731: }
732:
733: METHOD(ike_sa_t, set_condition, void,
734: private_ike_sa_t *this, ike_condition_t condition, bool enable)
735: {
736: if (has_condition(this, condition) != enable)
737: {
738: if (enable)
739: {
740: this->conditions |= condition;
741: switch (condition)
742: {
743: case COND_NAT_HERE:
744: DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
745: this->conditions |= COND_NAT_ANY;
746: send_keepalive(this, FALSE);
747: break;
748: case COND_NAT_THERE:
749: DBG1(DBG_IKE, "remote host is behind NAT");
750: this->conditions |= COND_NAT_ANY;
751: break;
752: case COND_NAT_FAKE:
753: DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
754: this->conditions |= COND_NAT_ANY;
755: break;
756: default:
757: break;
758: }
759: }
760: else
761: {
762: this->conditions &= ~condition;
763: switch (condition)
764: {
765: case COND_NAT_HERE:
766: case COND_NAT_THERE:
767: DBG1(DBG_IKE, "%s host is not behind NAT anymore",
768: condition == COND_NAT_HERE ? "local" : "remote");
769: /* fall-through */
770: case COND_NAT_FAKE:
771: set_condition(this, COND_NAT_ANY,
772: has_condition(this, COND_NAT_HERE) ||
773: has_condition(this, COND_NAT_THERE) ||
774: has_condition(this, COND_NAT_FAKE));
775: break;
776: case COND_STALE:
777: send_keepalive(this, FALSE);
778: break;
779: default:
780: break;
781: }
782: }
783: }
784: }
785:
786: METHOD(ike_sa_t, send_dpd, status_t,
787: private_ike_sa_t *this)
788: {
789: job_t *job;
790: time_t diff, delay;
791: bool task_queued = FALSE;
792:
793: if (this->state == IKE_PASSIVE)
794: {
795: return INVALID_STATE;
796: }
797: if (this->version == IKEV1 && this->state == IKE_REKEYING)
798: { /* don't send DPDs for rekeyed IKEv1 SAs */
799: return SUCCESS;
800: }
801: delay = this->peer_cfg->get_dpd(this->peer_cfg);
802: if (this->task_manager->busy(this->task_manager))
803: {
804: /* an exchange is in the air, no need to start a DPD check */
805: diff = 0;
806: }
807: else
808: {
809: /* check if there was any inbound traffic */
810: time_t last_in, now;
811: last_in = get_use_time(this, TRUE);
812: now = time_monotonic(NULL);
813: diff = now - last_in;
814: if (!delay || diff >= delay)
815: {
816: /* too long ago, initiate dead peer detection */
817: DBG1(DBG_IKE, "sending DPD request");
818: this->task_manager->queue_dpd(this->task_manager);
819: task_queued = TRUE;
820: diff = 0;
821: }
822: }
823: /* recheck in "interval" seconds */
824: if (delay)
825: {
826: job = (job_t*)send_dpd_job_create(this->ike_sa_id);
827: lib->scheduler->schedule_job(lib->scheduler, job, delay - diff);
828: }
829: if (task_queued)
830: {
831: return this->task_manager->initiate(this->task_manager);
832: }
833: return SUCCESS;
834: }
835:
836: METHOD(ike_sa_t, get_state, ike_sa_state_t,
837: private_ike_sa_t *this)
838: {
839: return this->state;
840: }
841:
842: METHOD(ike_sa_t, set_state, void,
843: private_ike_sa_t *this, ike_sa_state_t state)
844: {
845: bool trigger_dpd = FALSE, keepalives = FALSE;
846:
847: DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
848: get_name(this), this->unique_id,
849: ike_sa_state_names, this->state,
850: ike_sa_state_names, state);
851:
852: switch (state)
853: {
854: case IKE_ESTABLISHED:
855: {
856: if (this->state == IKE_CONNECTING ||
857: this->state == IKE_PASSIVE)
858: {
859: job_t *job;
860: uint32_t t;
861:
862: /* calculate rekey, reauth and lifetime */
863: this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
864:
865: /* schedule rekeying if we have a time which is smaller than
866: * an already scheduled rekeying */
867: t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
868: if (t && (this->stats[STAT_REKEY] == 0 ||
869: (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
870: {
871: this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
872: job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
873: lib->scheduler->schedule_job(lib->scheduler, job, t);
874: DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
875: }
876: t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
877: if (t && (this->stats[STAT_REAUTH] == 0 ||
878: (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
879: {
880: this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
881: job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
882: lib->scheduler->schedule_job(lib->scheduler, job, t);
883: DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
884: }
885: t = this->peer_cfg->get_over_time(this->peer_cfg);
886: if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
887: {
888: if (this->stats[STAT_REAUTH] == 0)
889: {
890: this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
891: }
892: else if (this->stats[STAT_REKEY] == 0)
893: {
894: this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
895: }
896: else
897: {
898: this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
899: this->stats[STAT_REAUTH]);
900: }
901: this->stats[STAT_DELETE] += t;
902: t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
903: job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
904: lib->scheduler->schedule_job(lib->scheduler, job, t);
905: DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
906: }
907: trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
908: if (trigger_dpd)
909: {
910: /* Some peers delay the DELETE after rekeying an IKE_SA.
911: * If this delay is longer than our DPD delay, we would
912: * send a DPD request here. The IKE_SA is not ready to do
913: * so yet, so prevent that. */
914: this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
915: }
916: if (this->state == IKE_PASSIVE)
917: {
918: keepalives = TRUE;
919: }
920: DESTROY_IF(this->redirected_from);
921: this->redirected_from = NULL;
922: }
923: break;
924: }
925: default:
926: break;
927: }
928: charon->bus->ike_state_change(charon->bus, &this->public, state);
929: this->state = state;
930:
931: if (trigger_dpd)
932: {
933: if (supports_extension(this, EXT_DPD))
934: {
935: send_dpd(this);
936: }
937: else
938: {
939: DBG1(DBG_IKE, "DPD not supported by peer, disabled");
940: }
941: }
942: if (keepalives)
943: {
944: send_keepalive(this, FALSE);
945: }
946: }
947:
948: METHOD(ike_sa_t, reset, void,
949: private_ike_sa_t *this, bool new_spi)
950: {
951: /* reset the initiator SPI if requested */
952: if (new_spi)
953: {
954: charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
955: &this->public);
1.1.1.2 ! misho 956:
! 957: /* when starting from scratch, connect to the original peer again e.g.
! 958: * if we got redirected but weren't able to connect successfully */
! 959: if (this->redirected_from)
! 960: {
! 961: this->redirected_from->destroy(this->redirected_from);
! 962: this->redirected_from = NULL;
! 963: /* we can't restore the original value, if there was any */
! 964: DESTROY_IF(this->remote_host);
! 965: this->remote_host = NULL;
! 966: }
1.1 misho 967: }
968: /* the responder ID is reset, as peer may choose another one */
969: if (this->ike_sa_id->is_initiator(this->ike_sa_id))
970: {
971: this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0);
972: }
973:
974: set_state(this, IKE_CREATED);
975:
976: flush_auth_cfgs(this);
977:
978: this->keymat->destroy(this->keymat);
979: this->keymat = keymat_create(this->version,
980: this->ike_sa_id->is_initiator(this->ike_sa_id));
981:
982: this->task_manager->reset(this->task_manager, 0, 0);
983: this->task_manager->queue_ike(this->task_manager);
984: }
985:
986: METHOD(ike_sa_t, get_keymat, keymat_t*,
987: private_ike_sa_t *this)
988: {
989: return this->keymat;
990: }
991:
992: METHOD(ike_sa_t, add_virtual_ip, void,
993: private_ike_sa_t *this, bool local, host_t *ip)
994: {
995: if (local)
996: {
997: char *iface;
998:
999: if (charon->kernel->get_interface(charon->kernel, this->my_host,
1000: &iface))
1001: {
1002: DBG1(DBG_IKE, "installing new virtual IP %H", ip);
1003: if (charon->kernel->add_ip(charon->kernel, ip, -1,
1004: iface) == SUCCESS)
1005: {
1006: array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
1007: }
1008: else
1009: {
1010: DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
1011: }
1012: free(iface);
1013: }
1014: else
1015: {
1016: DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
1017: }
1018: }
1019: else
1020: {
1021: array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
1022: }
1023: }
1024:
1025:
1026: METHOD(ike_sa_t, clear_virtual_ips, void,
1027: private_ike_sa_t *this, bool local)
1028: {
1029: array_t *vips;
1030: host_t *vip;
1031:
1032: vips = local ? this->my_vips : this->other_vips;
1033: if (!local && array_count(vips))
1034: {
1035: charon->bus->assign_vips(charon->bus, &this->public, FALSE);
1036: }
1037: while (array_remove(vips, ARRAY_HEAD, &vip))
1038: {
1039: if (local)
1040: {
1041: charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
1042: }
1043: vip->destroy(vip);
1044: }
1045: }
1046:
1047: METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
1048: private_ike_sa_t *this, bool local)
1049: {
1050: if (local)
1051: {
1052: return array_create_enumerator(this->my_vips);
1053: }
1054: return array_create_enumerator(this->other_vips);
1055: }
1056:
1057: METHOD(ike_sa_t, add_peer_address, void,
1058: private_ike_sa_t *this, host_t *host)
1059: {
1060: array_insert_create(&this->peer_addresses, ARRAY_TAIL, host);
1061: }
1062:
1063: METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
1064: private_ike_sa_t *this)
1065: {
1066: if (this->peer_addresses)
1067: {
1068: return array_create_enumerator(this->peer_addresses);
1069: }
1070: /* in case we don't have MOBIKE */
1071: return enumerator_create_single(this->other_host, NULL);
1072: }
1073:
1074: METHOD(ike_sa_t, clear_peer_addresses, void,
1075: private_ike_sa_t *this)
1076: {
1077: array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
1078: this->peer_addresses = NULL;
1079: }
1080:
1081: METHOD(ike_sa_t, has_mapping_changed, bool,
1082: private_ike_sa_t *this, chunk_t hash)
1083: {
1084: if (this->nat_detection_dest.ptr == NULL)
1085: {
1086: this->nat_detection_dest = chunk_clone(hash);
1087: return FALSE;
1088: }
1089: if (chunk_equals(hash, this->nat_detection_dest))
1090: {
1091: return FALSE;
1092: }
1093: free(this->nat_detection_dest.ptr);
1094: this->nat_detection_dest = chunk_clone(hash);
1095: return TRUE;
1096: }
1097:
1098: METHOD(ike_sa_t, float_ports, void,
1099: private_ike_sa_t *this)
1100: {
1101: /* even if the remote port is not 500 (e.g. because the response was natted)
1102: * we switch the remote port if we used port 500 */
1103: if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT ||
1104: this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT)
1105: {
1106: this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
1107: }
1108: if (this->my_host->get_port(this->my_host) ==
1109: charon->socket->get_port(charon->socket, FALSE))
1110: {
1111: this->my_host->set_port(this->my_host,
1112: charon->socket->get_port(charon->socket, TRUE));
1113: }
1114: }
1115:
1116: METHOD(ike_sa_t, update_hosts, void,
1.1.1.2 ! misho 1117: private_ike_sa_t *this, host_t *me, host_t *other, update_hosts_flag_t flags)
1.1 misho 1118: {
1.1.1.2 ! misho 1119: host_t *new_me = NULL, *new_other = NULL;
! 1120: bool silent = FALSE;
1.1 misho 1121:
1122: if (me == NULL)
1123: {
1124: me = this->my_host;
1125: }
1126: if (other == NULL)
1127: {
1128: other = this->other_host;
1129: }
1130:
1131: /* apply hosts on first received message */
1132: if (this->my_host->is_anyaddr(this->my_host) ||
1133: this->other_host->is_anyaddr(this->other_host))
1134: {
1.1.1.2 ! misho 1135: new_me = me;
! 1136: new_other = other;
! 1137: silent = TRUE;
1.1 misho 1138: }
1139: else
1140: {
1.1.1.2 ! misho 1141: /* update our address only if forced */
! 1142: if ((flags & UPDATE_HOSTS_FORCE_LOCAL) && !me->equals(me, this->my_host))
1.1 misho 1143: {
1.1.1.2 ! misho 1144: new_me = me;
1.1 misho 1145: }
1146:
1147: if (!other->equals(other, this->other_host) &&
1.1.1.2 ! misho 1148: ((flags & UPDATE_HOSTS_FORCE_REMOTE) || has_condition(this, COND_NAT_THERE)))
1.1 misho 1149: {
1150: /* only update other's address if we are behind a static NAT,
1151: * which we assume is the case if we are not initiator */
1.1.1.2 ! misho 1152: if ((flags & UPDATE_HOSTS_FORCE_REMOTE) ||
1.1 misho 1153: (!has_condition(this, COND_NAT_HERE) ||
1154: !has_condition(this, COND_ORIGINAL_INITIATOR)))
1155: {
1.1.1.2 ! misho 1156: new_other = other;
1.1 misho 1157: }
1158: }
1159: }
1160:
1.1.1.2 ! misho 1161: if (new_me || new_other || (flags & UPDATE_HOSTS_FORCE_CHILDREN))
1.1 misho 1162: {
1163: enumerator_t *enumerator;
1164: child_sa_t *child_sa;
1165: linked_list_t *vips;
1166:
1.1.1.2 ! misho 1167: if ((new_me || new_other) && !silent)
! 1168: {
! 1169: charon->bus->ike_update(charon->bus, &this->public,
! 1170: new_me ?: this->my_host,
! 1171: new_other ?: this->other_host);
! 1172: }
! 1173: if (new_me)
! 1174: {
! 1175: set_my_host(this, new_me->clone(new_me));
! 1176: }
! 1177: if (new_other)
! 1178: {
! 1179: set_other_host(this, new_other->clone(new_other));
! 1180: }
! 1181:
1.1 misho 1182: vips = linked_list_create_from_enumerator(
1183: array_create_enumerator(this->my_vips));
1184:
1185: enumerator = array_create_enumerator(this->child_sas);
1186: while (enumerator->enumerate(enumerator, &child_sa))
1187: {
1188: charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
1189: charon->child_sa_manager->add(charon->child_sa_manager,
1190: child_sa, &this->public);
1191:
1192: if (child_sa->update(child_sa, this->my_host, this->other_host,
1193: vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
1194: {
1195: this->public.rekey_child_sa(&this->public,
1196: child_sa->get_protocol(child_sa),
1197: child_sa->get_spi(child_sa, TRUE));
1198: }
1199:
1200: }
1201: enumerator->destroy(enumerator);
1202:
1203: vips->destroy(vips);
1204: }
1205: }
1206:
1207: /**
1208: * Set configured DSCP value on packet
1209: */
1210: static void set_dscp(private_ike_sa_t *this, packet_t *packet)
1211: {
1212: ike_cfg_t *ike_cfg;
1213:
1214: /* prefer IKE config on peer_cfg, as its selection is more accurate
1215: * then the initial IKE config */
1216: if (this->peer_cfg)
1217: {
1218: ike_cfg = this->peer_cfg->get_ike_cfg(this->peer_cfg);
1219: }
1220: else
1221: {
1222: ike_cfg = this->ike_cfg;
1223: }
1224: if (ike_cfg)
1225: {
1226: packet->set_dscp(packet, ike_cfg->get_dscp(ike_cfg));
1227: }
1228: }
1229:
1230: METHOD(ike_sa_t, generate_message, status_t,
1231: private_ike_sa_t *this, message_t *message, packet_t **packet)
1232: {
1233: status_t status;
1234:
1235: if (message->is_encoded(message))
1236: { /* already encoded in task, but set DSCP value */
1237: *packet = message->get_packet(message);
1238: set_dscp(this, *packet);
1239: return SUCCESS;
1240: }
1241: this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1242: message->set_ike_sa_id(message, this->ike_sa_id);
1243: charon->bus->message(charon->bus, message, FALSE, TRUE);
1244: status = message->generate(message, this->keymat, packet);
1245: if (status == SUCCESS)
1246: {
1247: set_dscp(this, *packet);
1248: charon->bus->message(charon->bus, message, FALSE, FALSE);
1249: }
1250: return status;
1251: }
1252:
1253: CALLBACK(filter_fragments, bool,
1254: private_ike_sa_t *this, enumerator_t *orig, va_list args)
1255: {
1256: packet_t *fragment, **packet;
1257:
1258: VA_ARGS_VGET(args, packet);
1259:
1260: if (orig->enumerate(orig, &fragment))
1261: {
1262: *packet = fragment->clone(fragment);
1263: set_dscp(this, *packet);
1264: return TRUE;
1265: }
1266: return FALSE;
1267: }
1268:
1269: METHOD(ike_sa_t, generate_message_fragmented, status_t,
1270: private_ike_sa_t *this, message_t *message, enumerator_t **packets)
1271: {
1272: enumerator_t *fragments;
1273: packet_t *packet;
1274: status_t status;
1275: bool use_frags = FALSE;
1276: bool pre_generated = FALSE;
1277:
1278: if (this->ike_cfg)
1279: {
1280: switch (this->ike_cfg->fragmentation(this->ike_cfg))
1281: {
1282: case FRAGMENTATION_FORCE:
1283: use_frags = TRUE;
1284: break;
1285: case FRAGMENTATION_YES:
1286: use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
1287: if (use_frags && this->version == IKEV1 &&
1288: supports_extension(this, EXT_MS_WINDOWS))
1289: {
1290: /* It seems Windows 7 and 8 peers only accept proprietary
1291: * fragmented messages if they expect certificates. */
1292: use_frags = message->get_payload(message,
1293: PLV1_CERTIFICATE) != NULL;
1294: }
1295: break;
1296: default:
1297: break;
1298: }
1299: }
1300: if (!use_frags)
1301: {
1302: status = generate_message(this, message, &packet);
1303: if (status != SUCCESS)
1304: {
1305: return status;
1306: }
1307: *packets = enumerator_create_single(packet, NULL);
1308: return SUCCESS;
1309: }
1310:
1311: pre_generated = message->is_encoded(message);
1312: this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
1313: message->set_ike_sa_id(message, this->ike_sa_id);
1314: if (!pre_generated)
1315: {
1316: charon->bus->message(charon->bus, message, FALSE, TRUE);
1317: }
1318: status = message->fragment(message, this->keymat, this->fragment_size,
1319: &fragments);
1320: if (status == SUCCESS)
1321: {
1322: if (!pre_generated)
1323: {
1324: charon->bus->message(charon->bus, message, FALSE, FALSE);
1325: }
1326: *packets = enumerator_create_filter(fragments, filter_fragments,
1327: this, NULL);
1328: }
1329: return status;
1330: }
1331:
1332: METHOD(ike_sa_t, set_kmaddress, void,
1333: private_ike_sa_t *this, host_t *local, host_t *remote)
1334: {
1335: DESTROY_IF(this->local_host);
1336: DESTROY_IF(this->remote_host);
1337: this->local_host = local->clone(local);
1338: this->remote_host = remote->clone(remote);
1339: }
1340:
1341: #ifdef ME
1342: METHOD(ike_sa_t, act_as_mediation_server, void,
1343: private_ike_sa_t *this)
1344: {
1345: charon->mediation_manager->update_sa_id(charon->mediation_manager,
1346: this->other_id, this->ike_sa_id);
1347: this->is_mediation_server = TRUE;
1348: }
1349:
1350: METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
1351: private_ike_sa_t *this)
1352: {
1353: return this->server_reflexive_host;
1354: }
1355:
1356: METHOD(ike_sa_t, set_server_reflexive_host, void,
1357: private_ike_sa_t *this, host_t *host)
1358: {
1359: DESTROY_IF(this->server_reflexive_host);
1360: this->server_reflexive_host = host;
1361: }
1362:
1363: METHOD(ike_sa_t, get_connect_id, chunk_t,
1364: private_ike_sa_t *this)
1365: {
1366: return this->connect_id;
1367: }
1368:
1369: METHOD(ike_sa_t, respond, status_t,
1370: private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
1371: {
1372: ike_me_t *task = ike_me_create(&this->public, TRUE);
1373: task->respond(task, peer_id, connect_id);
1374: this->task_manager->queue_task(this->task_manager, (task_t*)task);
1375: return this->task_manager->initiate(this->task_manager);
1376: }
1377:
1378: METHOD(ike_sa_t, callback, status_t,
1379: private_ike_sa_t *this, identification_t *peer_id)
1380: {
1381: ike_me_t *task = ike_me_create(&this->public, TRUE);
1382: task->callback(task, peer_id);
1383: this->task_manager->queue_task(this->task_manager, (task_t*)task);
1384: return this->task_manager->initiate(this->task_manager);
1385: }
1386:
1387: METHOD(ike_sa_t, relay, status_t,
1388: private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
1389: chunk_t connect_key, linked_list_t *endpoints, bool response)
1390: {
1391: ike_me_t *task = ike_me_create(&this->public, TRUE);
1392: task->relay(task, requester, connect_id, connect_key, endpoints, response);
1393: this->task_manager->queue_task(this->task_manager, (task_t*)task);
1394: return this->task_manager->initiate(this->task_manager);
1395: }
1396:
1397: METHOD(ike_sa_t, initiate_mediation, status_t,
1398: private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
1399: {
1400: ike_me_t *task = ike_me_create(&this->public, TRUE);
1401: task->connect(task, mediated_cfg->get_peer_id(mediated_cfg));
1402: this->task_manager->queue_task(this->task_manager, (task_t*)task);
1403: return this->task_manager->initiate(this->task_manager);
1404: }
1405:
1406: METHOD(ike_sa_t, initiate_mediated, status_t,
1407: private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
1408: {
1409: set_my_host(this, me->clone(me));
1410: set_other_host(this, other->clone(other));
1411: chunk_free(&this->connect_id);
1412: this->connect_id = chunk_clone(connect_id);
1413: return this->task_manager->initiate(this->task_manager);
1414: }
1415: #endif /* ME */
1416:
1417: /**
1418: * Resolve DNS host in configuration
1419: */
1420: static void resolve_hosts(private_ike_sa_t *this)
1421: {
1422: host_t *host;
1423: int family = AF_UNSPEC;
1424:
1425: switch (charon->socket->supported_families(charon->socket))
1426: {
1427: case SOCKET_FAMILY_IPV4:
1428: family = AF_INET;
1429: break;
1430: case SOCKET_FAMILY_IPV6:
1431: family = AF_INET6;
1432: break;
1433: case SOCKET_FAMILY_BOTH:
1434: case SOCKET_FAMILY_NONE:
1435: break;
1436: }
1437:
1438: /* if an IP address is set locally, use the same family to resolve remote */
1439: if (family == AF_UNSPEC && !this->remote_host)
1440: {
1441: if (this->local_host)
1442: {
1443: family = this->local_host->get_family(this->local_host);
1444: }
1445: else
1446: {
1447: family = ike_cfg_get_family(this->ike_cfg, TRUE);
1448: }
1449: }
1450:
1451: if (this->remote_host)
1452: {
1453: host = this->remote_host->clone(this->remote_host);
1454: host->set_port(host, IKEV2_UDP_PORT);
1455: }
1456: else
1457: {
1458: host = this->ike_cfg->resolve_other(this->ike_cfg, family);
1459: }
1460: if (host)
1461: {
1462: if (!host->is_anyaddr(host) ||
1463: this->other_host->is_anyaddr(this->other_host))
1464: { /* don't set to %any if we currently have an address, but the
1465: * address family might have changed */
1466: set_other_host(this, host);
1467: }
1468: else
1469: { /* reuse the original port as some implementations might not like
1470: * initial IKE messages on other ports */
1471: this->other_host->set_port(this->other_host, host->get_port(host));
1472: host->destroy(host);
1473: }
1474: }
1475:
1476: if (this->local_host)
1477: {
1478: host = this->local_host->clone(this->local_host);
1479: host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
1480: }
1481: else
1482: {
1483: /* use same address family as for other */
1484: if (!this->other_host->is_anyaddr(this->other_host))
1485: {
1486: family = this->other_host->get_family(this->other_host);
1487: }
1488: host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1489:
1490: if (host && host->is_anyaddr(host) &&
1491: !this->other_host->is_anyaddr(this->other_host))
1492: {
1493: host->destroy(host);
1494: host = charon->kernel->get_source_addr(charon->kernel,
1495: this->other_host, NULL);
1496: if (host)
1497: {
1498: host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
1499: }
1500: else
1501: { /* fallback to address family specific %any(6), if configured */
1502: host = this->ike_cfg->resolve_me(this->ike_cfg, family);
1503: }
1504: }
1505: }
1506: if (host)
1507: {
1508: set_my_host(this, host);
1509: }
1510: }
1511:
1512: METHOD(ike_sa_t, initiate, status_t,
1513: private_ike_sa_t *this, child_cfg_t *child_cfg, uint32_t reqid,
1514: traffic_selector_t *tsi, traffic_selector_t *tsr)
1515: {
1516: bool defer_initiate = FALSE;
1517:
1518: if (this->state == IKE_CREATED)
1519: {
1520: if (this->my_host->is_anyaddr(this->my_host) ||
1521: this->other_host->is_anyaddr(this->other_host))
1522: {
1523: resolve_hosts(this);
1524: }
1525:
1526: if (this->other_host->is_anyaddr(this->other_host)
1527: #ifdef ME
1528: && !this->peer_cfg->get_mediated_by(this->peer_cfg)
1529: #endif /* ME */
1530: )
1531: {
1532: char *addr;
1533:
1534: addr = this->ike_cfg->get_other_addr(this->ike_cfg);
1535: if (!this->retry_initiate_interval)
1536: {
1537: DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
1538: addr);
1539: DESTROY_IF(child_cfg);
1540: charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
1541: return DESTROY_ME;
1542: }
1543: DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
1544: addr, this->retry_initiate_interval);
1545: defer_initiate = TRUE;
1546: }
1547:
1548: set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
1549: this->task_manager->queue_ike(this->task_manager);
1550: }
1551:
1552: #ifdef ME
1553: if (this->peer_cfg->is_mediation(this->peer_cfg))
1554: {
1555: if (this->state == IKE_ESTABLISHED)
1556: {
1557: /* mediation connection is already established, retrigger state
1558: * change to notify bus listeners */
1559: DBG1(DBG_IKE, "mediation connection is already up");
1560: set_state(this, IKE_ESTABLISHED);
1561: }
1562: DESTROY_IF(child_cfg);
1563: }
1564: else
1565: #endif /* ME */
1566: if (child_cfg)
1567: {
1568: /* normal IKE_SA with CHILD_SA */
1569: this->task_manager->queue_child(this->task_manager, child_cfg, reqid,
1570: tsi, tsr);
1571: #ifdef ME
1572: if (this->peer_cfg->get_mediated_by(this->peer_cfg))
1573: {
1574: /* mediated connection, initiate mediation process */
1575: job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
1576: lib->processor->queue_job(lib->processor, job);
1577: return SUCCESS;
1578: }
1579: #endif /* ME */
1580: }
1581:
1582: if (defer_initiate)
1583: {
1584: if (!this->retry_initiate_queued)
1585: {
1586: job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
1587: lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
1588: this->retry_initiate_interval);
1589: this->retry_initiate_queued = TRUE;
1590: }
1591: return SUCCESS;
1592: }
1593: this->retry_initiate_queued = FALSE;
1594: return this->task_manager->initiate(this->task_manager);
1595: }
1596:
1597: METHOD(ike_sa_t, retry_initiate, status_t,
1598: private_ike_sa_t *this)
1599: {
1600: if (this->retry_initiate_queued)
1601: {
1602: this->retry_initiate_queued = FALSE;
1603: return initiate(this, NULL, 0, NULL, NULL);
1604: }
1605: return SUCCESS;
1606: }
1607:
1608: METHOD(ike_sa_t, process_message, status_t,
1609: private_ike_sa_t *this, message_t *message)
1610: {
1611: status_t status;
1612:
1613: if (this->state == IKE_PASSIVE)
1614: { /* do not handle messages in passive state */
1615: return FAILED;
1616: }
1617: if (message->get_major_version(message) != this->version)
1618: {
1619: DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
1620: exchange_type_names, message->get_exchange_type(message),
1621: message->get_major_version(message),
1622: ike_version_names, this->version);
1623: /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
1624: * INVALID_MAJOR_VERSION on an IKEv2 SA. */
1625: return FAILED;
1626: }
1627: status = this->task_manager->process_message(this->task_manager, message);
1628: if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED)
1629: {
1630: /* authentication completed but if the online validation is suspended we
1631: * need the auth cfgs until we did the delayed verification, we flush
1632: * them afterwards */
1633: if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
1634: {
1635: this->flush_auth_cfg = FALSE;
1636: flush_auth_cfgs(this);
1637: }
1638: }
1639: return status;
1640: }
1641:
1642: METHOD(ike_sa_t, get_id, ike_sa_id_t*,
1643: private_ike_sa_t *this)
1644: {
1645: return this->ike_sa_id;
1646: }
1647:
1648: METHOD(ike_sa_t, get_version, ike_version_t,
1649: private_ike_sa_t *this)
1650: {
1651: return this->version;
1652: }
1653:
1654: METHOD(ike_sa_t, get_my_id, identification_t*,
1655: private_ike_sa_t *this)
1656: {
1657: return this->my_id;
1658: }
1659:
1660: METHOD(ike_sa_t, set_my_id, void,
1661: private_ike_sa_t *this, identification_t *me)
1662: {
1663: DESTROY_IF(this->my_id);
1664: this->my_id = me;
1665: }
1666:
1667: METHOD(ike_sa_t, get_other_id, identification_t*,
1668: private_ike_sa_t *this)
1669: {
1670: return this->other_id;
1671: }
1672:
1673: METHOD(ike_sa_t, get_other_eap_id, identification_t*,
1674: private_ike_sa_t *this)
1675: {
1676: identification_t *id = NULL, *current;
1677: enumerator_t *enumerator;
1678: auth_cfg_t *cfg;
1679:
1680: enumerator = array_create_enumerator(this->other_auths);
1681: while (enumerator->enumerate(enumerator, &cfg))
1682: {
1683: /* prefer EAP-Identity of last round */
1684: current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
1685: if (!current || current->get_type(current) == ID_ANY)
1686: {
1687: current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
1688: }
1689: if (!current || current->get_type(current) == ID_ANY)
1690: {
1691: current = cfg->get(cfg, AUTH_RULE_IDENTITY);
1692: }
1693: if (current && current->get_type(current) != ID_ANY)
1694: {
1695: id = current;
1696: continue;
1697: }
1698: }
1699: enumerator->destroy(enumerator);
1700: if (id)
1701: {
1702: return id;
1703: }
1704: return this->other_id;
1705: }
1706:
1707: METHOD(ike_sa_t, set_other_id, void,
1708: private_ike_sa_t *this, identification_t *other)
1709: {
1710: DESTROY_IF(this->other_id);
1711: this->other_id = other;
1712: }
1713:
1714: METHOD(ike_sa_t, get_if_id, uint32_t,
1715: private_ike_sa_t *this, bool inbound)
1716: {
1717: return inbound ? this->if_id_in : this->if_id_out;
1718: }
1719:
1720: METHOD(ike_sa_t, add_child_sa, void,
1721: private_ike_sa_t *this, child_sa_t *child_sa)
1722: {
1723: array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
1724: charon->child_sa_manager->add(charon->child_sa_manager,
1725: child_sa, &this->public);
1726: }
1727:
1728: METHOD(ike_sa_t, get_child_sa, child_sa_t*,
1729: private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
1730: {
1731: enumerator_t *enumerator;
1732: child_sa_t *current, *found = NULL;
1733:
1734: enumerator = array_create_enumerator(this->child_sas);
1735: while (enumerator->enumerate(enumerator, (void**)¤t))
1736: {
1737: if (current->get_spi(current, inbound) == spi &&
1738: current->get_protocol(current) == protocol)
1739: {
1740: found = current;
1741: }
1742: }
1743: enumerator->destroy(enumerator);
1744: return found;
1745: }
1746:
1747: METHOD(ike_sa_t, get_child_count, int,
1748: private_ike_sa_t *this)
1749: {
1750: return array_count(this->child_sas);
1751: }
1752:
1753: /**
1754: * Private data of a create_child_sa_enumerator()
1755: */
1756: typedef struct {
1757: /** implements enumerator */
1758: enumerator_t public;
1759: /** inner array enumerator */
1760: enumerator_t *inner;
1761: /** current item */
1762: child_sa_t *current;
1763: } child_enumerator_t;
1764:
1765: METHOD(enumerator_t, child_enumerate, bool,
1766: child_enumerator_t *this, va_list args)
1767: {
1768: child_sa_t **child_sa;
1769:
1770: VA_ARGS_VGET(args, child_sa);
1771: if (this->inner->enumerate(this->inner, &this->current))
1772: {
1773: *child_sa = this->current;
1774: return TRUE;
1775: }
1776: return FALSE;
1777: }
1778:
1779: METHOD(enumerator_t, child_enumerator_destroy, void,
1780: child_enumerator_t *this)
1781: {
1782: this->inner->destroy(this->inner);
1783: free(this);
1784: }
1785:
1786: METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
1787: private_ike_sa_t *this)
1788: {
1789: child_enumerator_t *enumerator;
1790:
1791: INIT(enumerator,
1792: .public = {
1793: .enumerate = enumerator_enumerate_default,
1794: .venumerate = _child_enumerate,
1795: .destroy = _child_enumerator_destroy,
1796: },
1797: .inner = array_create_enumerator(this->child_sas),
1798: );
1799: return &enumerator->public;
1800: }
1801:
1802: METHOD(ike_sa_t, remove_child_sa, void,
1803: private_ike_sa_t *this, enumerator_t *enumerator)
1804: {
1805: child_enumerator_t *ce = (child_enumerator_t*)enumerator;
1806:
1807: charon->child_sa_manager->remove(charon->child_sa_manager, ce->current);
1808: array_remove_at(this->child_sas, ce->inner);
1809: }
1810:
1811: METHOD(ike_sa_t, rekey_child_sa, status_t,
1812: private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1813: {
1814: if (this->state == IKE_PASSIVE)
1815: {
1816: return INVALID_STATE;
1817: }
1818: this->task_manager->queue_child_rekey(this->task_manager, protocol, spi);
1819: return this->task_manager->initiate(this->task_manager);
1820: }
1821:
1822: METHOD(ike_sa_t, delete_child_sa, status_t,
1823: private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
1824: {
1825: if (this->state == IKE_PASSIVE)
1826: {
1827: return INVALID_STATE;
1828: }
1829: this->task_manager->queue_child_delete(this->task_manager,
1830: protocol, spi, expired);
1831: return this->task_manager->initiate(this->task_manager);
1832: }
1833:
1834: METHOD(ike_sa_t, destroy_child_sa, status_t,
1835: private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
1836: {
1837: enumerator_t *enumerator;
1838: child_sa_t *child_sa;
1839: status_t status = NOT_FOUND;
1840:
1841: enumerator = create_child_sa_enumerator(this);
1842: while (enumerator->enumerate(enumerator, (void**)&child_sa))
1843: {
1844: if (child_sa->get_protocol(child_sa) == protocol &&
1845: child_sa->get_spi(child_sa, TRUE) == spi)
1846: {
1847: remove_child_sa(this, enumerator);
1848: child_sa->destroy(child_sa);
1849: status = SUCCESS;
1850: break;
1851: }
1852: }
1853: enumerator->destroy(enumerator);
1854: return status;
1855: }
1856:
1857: METHOD(ike_sa_t, delete_, status_t,
1858: private_ike_sa_t *this, bool force)
1859: {
1860: status_t status = DESTROY_ME;
1861:
1862: switch (this->state)
1863: {
1864: case IKE_ESTABLISHED:
1865: case IKE_REKEYING:
1866: if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
1867: !(this->version == IKEV1 && this->state == IKE_REKEYING))
1868: { /* IKE_SA hard lifetime hit, ignored for reauthenticated
1869: * IKEv1 SAs */
1870: charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
1871: }
1872: this->task_manager->queue_ike_delete(this->task_manager);
1873: status = this->task_manager->initiate(this->task_manager);
1874: break;
1875: case IKE_CREATED:
1876: DBG1(DBG_IKE, "deleting unestablished IKE_SA");
1877: break;
1878: case IKE_PASSIVE:
1879: break;
1880: default:
1881: DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
1882: ike_sa_state_names, this->state);
1883: force = TRUE;
1884: break;
1885: }
1886:
1887: if (force)
1888: {
1889: status = DESTROY_ME;
1890:
1891: if (this->version == IKEV2)
1892: { /* for IKEv1 we trigger this in the ISAKMP delete task */
1893: switch (this->state)
1894: {
1895: case IKE_ESTABLISHED:
1896: case IKE_REKEYING:
1897: case IKE_DELETING:
1898: charon->bus->ike_updown(charon->bus, &this->public, FALSE);
1899: default:
1900: break;
1901: }
1902: }
1903: }
1904: return status;
1905: }
1906:
1907: METHOD(ike_sa_t, rekey, status_t,
1908: private_ike_sa_t *this)
1909: {
1910: if (this->state == IKE_PASSIVE)
1911: {
1912: return INVALID_STATE;
1913: }
1914: this->task_manager->queue_ike_rekey(this->task_manager);
1915: return this->task_manager->initiate(this->task_manager);
1916: }
1917:
1918: METHOD(ike_sa_t, reauth, status_t,
1919: private_ike_sa_t *this)
1920: {
1921: if (this->state == IKE_PASSIVE)
1922: {
1923: return INVALID_STATE;
1924: }
1925: if (this->state == IKE_CONNECTING)
1926: {
1927: DBG0(DBG_IKE, "reinitiating IKE_SA %s[%d]",
1928: get_name(this), this->unique_id);
1929: reset(this, TRUE);
1930: return this->task_manager->initiate(this->task_manager);
1931: }
1932: /* we can't reauthenticate as responder when we use EAP or virtual IPs.
1933: * If the peer does not support RFC4478, there is no way to keep the
1934: * IKE_SA up. */
1935: if (!has_condition(this, COND_ORIGINAL_INITIATOR))
1936: {
1937: DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
1938: if (array_count(this->other_vips) != 0 ||
1939: has_condition(this, COND_XAUTH_AUTHENTICATED) ||
1940: has_condition(this, COND_EAP_AUTHENTICATED)
1941: #ifdef ME
1942: /* as mediation server we too cannot reauth the IKE_SA */
1943: || this->is_mediation_server
1944: #endif /* ME */
1945: )
1946: {
1947: time_t del, now;
1948:
1949: del = this->stats[STAT_DELETE];
1950: now = time_monotonic(NULL);
1951: DBG1(DBG_IKE, "IKE_SA %s[%d] will timeout in %V",
1952: get_name(this), this->unique_id, &now, &del);
1953: return FAILED;
1954: }
1955: else
1956: {
1957: DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d] actively",
1958: get_name(this), this->unique_id);
1959: }
1960: }
1961: else
1962: {
1963: DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%d]",
1964: get_name(this), this->unique_id);
1965: }
1966: set_condition(this, COND_REAUTHENTICATING, TRUE);
1967: this->task_manager->queue_ike_reauth(this->task_manager);
1968: return this->task_manager->initiate(this->task_manager);
1969: }
1970:
1971: /**
1972: * Check if any tasks of a specific type are queued in the given queue.
1973: */
1974: static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue,
1975: task_type_t type)
1976: {
1977: enumerator_t *enumerator;
1978: task_t *task;
1979: bool found = FALSE;
1980:
1981: enumerator = this->task_manager->create_task_enumerator(this->task_manager,
1982: queue);
1983: while (enumerator->enumerate(enumerator, &task))
1984: {
1985: if (task->get_type(task) == type)
1986: {
1987: found = TRUE;
1988: break;
1989: }
1990: }
1991: enumerator->destroy(enumerator);
1992: return found;
1993: }
1994:
1995: /**
1996: * Check if any tasks to create CHILD_SAs are queued in the given queue.
1997: */
1998: static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
1999: {
2000: return is_task_queued(this, queue,
2001: this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE);
2002: }
2003:
2004: /**
2005: * Check if any tasks to delete the IKE_SA are queued in the given queue.
2006: */
2007: static bool is_delete_queued(private_ike_sa_t *this, task_queue_t queue)
2008: {
2009: return is_task_queued(this, queue,
2010: this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE);
2011: }
2012:
2013: /**
2014: * Reestablish CHILD_SAs and migrate queued tasks.
2015: *
2016: * If force is true all SAs are restarted, otherwise their close/dpd_action
2017: * is followed.
2018: */
2019: static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
2020: bool force)
2021: {
2022: enumerator_t *enumerator;
2023: child_sa_t *child_sa;
2024: child_cfg_t *child_cfg;
2025: action_t action;
2026: status_t status = FAILED;
2027:
2028: /* handle existing CHILD_SAs */
2029: enumerator = create_child_sa_enumerator(this);
2030: while (enumerator->enumerate(enumerator, (void**)&child_sa))
2031: {
2032: switch (child_sa->get_state(child_sa))
2033: {
2034: case CHILD_REKEYED:
2035: case CHILD_DELETED:
2036: /* ignore CHILD_SAs in these states */
2037: continue;
2038: default:
2039: break;
2040: }
2041: if (force)
2042: {
2043: action = ACTION_RESTART;
2044: }
2045: else
2046: { /* only restart CHILD_SAs that are configured accordingly */
2047: if (this->state == IKE_DELETING)
2048: {
2049: action = child_sa->get_close_action(child_sa);
2050: }
2051: else
2052: {
2053: action = child_sa->get_dpd_action(child_sa);
2054: }
2055: }
2056: switch (action)
2057: {
2058: case ACTION_RESTART:
2059: child_cfg = child_sa->get_config(child_sa);
2060: DBG1(DBG_IKE, "restarting CHILD_SA %s",
2061: child_cfg->get_name(child_cfg));
2062: child_cfg->get_ref(child_cfg);
2063: status = new->initiate(new, child_cfg,
2064: child_sa->get_reqid(child_sa), NULL, NULL);
2065: break;
2066: default:
2067: continue;
2068: }
2069: if (status == DESTROY_ME)
2070: {
2071: break;
2072: }
2073: }
2074: enumerator->destroy(enumerator);
2075: /* adopt any active or queued CHILD-creating tasks */
2076: if (status != DESTROY_ME)
2077: {
2078: new->adopt_child_tasks(new, &this->public);
2079: if (new->get_state(new) == IKE_CREATED)
2080: {
2081: status = new->initiate(new, NULL, 0, NULL, NULL);
2082: }
2083: }
2084: return status;
2085: }
2086:
2087: METHOD(ike_sa_t, reestablish, status_t,
2088: private_ike_sa_t *this)
2089: {
2090: ike_sa_t *new;
2091: host_t *host;
2092: action_t action;
2093: enumerator_t *enumerator;
2094: child_sa_t *child_sa;
2095: bool restart = FALSE;
2096: status_t status = FAILED;
2097:
2098: if (is_delete_queued(this, TASK_QUEUE_QUEUED))
2099: { /* don't reestablish IKE_SAs that have explicitly been deleted in the
2100: * mean time */
2101: return FAILED;
2102: }
2103:
2104: if (has_condition(this, COND_REAUTHENTICATING))
2105: { /* only reauthenticate if we have children */
2106: if (array_count(this->child_sas) == 0
2107: #ifdef ME
2108: /* allow reauth of mediation connections without CHILD_SAs */
2109: && !this->peer_cfg->is_mediation(this->peer_cfg)
2110: #endif /* ME */
2111: )
2112: {
2113: DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2114: "to recreate");
2115: }
2116: else
2117: {
2118: restart = TRUE;
2119: }
2120: }
2121: else
2122: { /* check if we have children to keep up at all */
2123: enumerator = array_create_enumerator(this->child_sas);
2124: while (enumerator->enumerate(enumerator, (void**)&child_sa))
2125: {
2126: switch (child_sa->get_state(child_sa))
2127: {
2128: case CHILD_REKEYED:
2129: case CHILD_DELETED:
2130: /* ignore CHILD_SAs in these states */
2131: continue;
2132: default:
2133: break;
2134: }
2135: if (this->state == IKE_DELETING)
2136: {
2137: action = child_sa->get_close_action(child_sa);
2138: }
2139: else
2140: {
2141: action = child_sa->get_dpd_action(child_sa);
2142: }
2143: switch (action)
2144: {
2145: case ACTION_RESTART:
2146: restart = TRUE;
2147: break;
2148: case ACTION_ROUTE:
2149: charon->traps->install(charon->traps, this->peer_cfg,
2150: child_sa->get_config(child_sa));
2151: break;
2152: default:
2153: break;
2154: }
2155: }
2156: enumerator->destroy(enumerator);
2157: /* check if we have tasks that recreate children */
2158: if (!restart)
2159: {
2160: restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
2161: is_child_queued(this, TASK_QUEUE_QUEUED);
2162: }
2163: #ifdef ME
2164: /* mediation connections have no children, keep them up anyway */
2165: if (this->peer_cfg->is_mediation(this->peer_cfg))
2166: {
2167: restart = TRUE;
2168: }
2169: #endif /* ME */
2170: }
2171: if (!restart)
2172: {
2173: return FAILED;
2174: }
2175:
2176: /* check if we are able to reestablish this IKE_SA */
2177: if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
2178: (array_count(this->other_vips) != 0 ||
2179: has_condition(this, COND_EAP_AUTHENTICATED)
2180: #ifdef ME
2181: || this->is_mediation_server
2182: #endif /* ME */
2183: ))
2184: {
2185: DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
2186: return FAILED;
2187: }
2188:
1.1.1.2 ! misho 2189: new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
! 2190: this->version, TRUE);
1.1 misho 2191: if (!new)
2192: {
2193: return FAILED;
2194: }
2195: new->set_peer_cfg(new, this->peer_cfg);
2196: host = this->other_host;
2197: new->set_other_host(new, host->clone(host));
2198: host = this->my_host;
2199: new->set_my_host(new, host->clone(host));
2200: charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2201: if (!has_condition(this, COND_REAUTHENTICATING))
2202: { /* reauthenticate to the same addresses, but resolve hosts if
2203: * reestablishing (old addresses serve as fallback) */
2204: resolve_hosts((private_ike_sa_t*)new);
2205: }
2206: /* if we already have a virtual IP, we reuse it */
2207: enumerator = array_create_enumerator(this->my_vips);
2208: while (enumerator->enumerate(enumerator, &host))
2209: {
2210: new->add_virtual_ip(new, TRUE, host);
2211: }
2212: enumerator->destroy(enumerator);
2213:
2214: #ifdef ME
2215: if (this->peer_cfg->is_mediation(this->peer_cfg))
2216: {
2217: status = new->initiate(new, NULL, 0, NULL, NULL);
2218: }
2219: else
2220: #endif /* ME */
2221: {
2222: status = reestablish_children(this, new,
2223: has_condition(this, COND_REAUTHENTICATING));
2224: }
2225:
2226: if (status == DESTROY_ME)
2227: {
2228: charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2229: FALSE);
2230: charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2231: status = FAILED;
2232: }
2233: else
2234: {
2235: charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2236: TRUE);
2237: charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2238: status = SUCCESS;
2239: }
2240: charon->bus->set_sa(charon->bus, &this->public);
2241: return status;
2242: }
2243:
2244: /**
2245: * Resolve the given gateway ID
2246: */
2247: static host_t *resolve_gateway_id(identification_t *gateway)
2248: {
2249: char gw[BUF_LEN];
2250: host_t *addr;
2251:
2252: snprintf(gw, sizeof(gw), "%Y", gateway);
2253: gw[sizeof(gw)-1] = '\0';
2254: addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT);
2255: if (!addr)
2256: {
2257: DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
2258: gateway);
2259: }
2260: return addr;
2261: }
2262:
2263: /**
2264: * Redirect the current SA to the given target host
2265: */
2266: static bool redirect_established(private_ike_sa_t *this, identification_t *to)
2267: {
2268: private_ike_sa_t *new_priv;
2269: ike_sa_t *new;
2270: host_t *other;
2271: time_t redirect;
2272:
1.1.1.2 ! misho 2273: new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
! 2274: this->version, TRUE);
1.1 misho 2275: if (!new)
2276: {
2277: return FALSE;
2278: }
2279: new_priv = (private_ike_sa_t*)new;
2280: new->set_peer_cfg(new, this->peer_cfg);
2281: new_priv->redirected_from = this->other_host->clone(this->other_host);
2282: charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
2283: other = resolve_gateway_id(to);
2284: if (other)
2285: {
2286: set_my_host(new_priv, this->my_host->clone(this->my_host));
2287: /* this allows us to force the remote address while we still properly
2288: * resolve the local address */
2289: new_priv->remote_host = other;
2290: resolve_hosts(new_priv);
2291: new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2292: while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
2293: {
2294: array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
2295: }
2296: if (reestablish_children(this, new, TRUE) != DESTROY_ME)
2297: {
2298: #ifdef USE_IKEV2
2299: new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2300: this->ike_sa_id));
2301: #endif
2302: charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2303: TRUE);
2304: charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2305: charon->bus->set_sa(charon->bus, &this->public);
2306: return TRUE;
2307: }
2308: }
2309: charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
2310: FALSE);
2311: charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2312: charon->bus->set_sa(charon->bus, &this->public);
2313: return FALSE;
2314: }
2315:
2316: /**
2317: * Redirect the current connecting SA to the given target host
2318: */
2319: static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
2320: {
2321: host_t *other;
2322:
2323: other = resolve_gateway_id(to);
2324: if (!other)
2325: {
2326: return FALSE;
2327: }
2328: reset(this, TRUE);
2329: DESTROY_IF(this->redirected_from);
2330: this->redirected_from = this->other_host->clone(this->other_host);
2331: /* this allows us to force the remote address while we still properly
2332: * resolve the local address */
1.1.1.2 ! misho 2333: DESTROY_IF(this->remote_host);
1.1 misho 2334: this->remote_host = other;
2335: resolve_hosts(this);
2336: return TRUE;
2337: }
2338:
2339: /**
2340: * Check if the current redirect exceeds the limits for redirects
2341: */
2342: static bool redirect_count_exceeded(private_ike_sa_t *this)
2343: {
2344: time_t now, redirect;
2345:
2346: now = time_monotonic(NULL);
2347: /* remove entries outside the defined period */
2348: while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) &&
2349: now - redirect >= REDIRECT_LOOP_DETECT_PERIOD)
2350: {
2351: array_remove(this->redirected_at, ARRAY_HEAD, NULL);
2352: }
2353: if (array_count(this->redirected_at) < MAX_REDIRECTS)
2354: {
2355: if (!this->redirected_at)
2356: {
2357: this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
2358: }
2359: array_insert(this->redirected_at, ARRAY_TAIL, &now);
2360: return FALSE;
2361: }
2362: return TRUE;
2363: }
2364:
2365: METHOD(ike_sa_t, handle_redirect, bool,
2366: private_ike_sa_t *this, identification_t *gateway)
2367: {
2368: DBG1(DBG_IKE, "redirected to %Y", gateway);
2369: if (!this->follow_redirects)
2370: {
2371: DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
2372: return FALSE;
2373: }
2374: if (redirect_count_exceeded(this))
2375: {
2376: DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
2377: MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
2378: return FALSE;
2379: }
2380:
2381: switch (this->state)
2382: {
2383: case IKE_CONNECTING:
2384: return redirect_connecting(this, gateway);
2385: case IKE_ESTABLISHED:
2386: return redirect_established(this, gateway);
2387: default:
2388: DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
2389: ike_sa_state_names, this->state);
2390: return FALSE;
2391: }
2392: }
2393:
2394: METHOD(ike_sa_t, redirect, status_t,
2395: private_ike_sa_t *this, identification_t *gateway)
2396: {
2397: switch (this->state)
2398: {
2399: case IKE_CONNECTING:
2400: case IKE_ESTABLISHED:
2401: case IKE_REKEYING:
2402: if (has_condition(this, COND_REDIRECTED))
2403: { /* IKE_SA already got redirected */
2404: return SUCCESS;
2405: }
2406: if (has_condition(this, COND_ORIGINAL_INITIATOR))
2407: {
2408: DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
2409: return FAILED;
2410: }
2411: if (this->version == IKEV1)
2412: {
2413: DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
2414: return FAILED;
2415: }
2416: if (!supports_extension(this, EXT_IKE_REDIRECTION))
2417: {
2418: DBG1(DBG_IKE, "client does not support IKE redirection");
2419: return FAILED;
2420: }
2421: #ifdef USE_IKEV2
2422: this->task_manager->queue_task(this->task_manager,
2423: (task_t*)ike_redirect_create(&this->public, gateway));
2424: #endif
2425: return this->task_manager->initiate(this->task_manager);
2426: default:
2427: DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
2428: ike_sa_state_names, this->state);
2429: return INVALID_STATE;
2430: }
2431: }
2432:
2433: METHOD(ike_sa_t, retransmit, status_t,
2434: private_ike_sa_t *this, uint32_t message_id)
2435: {
2436: if (this->state == IKE_PASSIVE)
2437: {
2438: return INVALID_STATE;
2439: }
1.1.1.2 ! misho 2440: switch (this->task_manager->retransmit(this->task_manager, message_id))
1.1 misho 2441: {
1.1.1.2 ! misho 2442: case SUCCESS:
! 2443: this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
! 2444: return SUCCESS;
! 2445: case INVALID_STATE:
! 2446: return INVALID_STATE;
! 2447: default:
! 2448: break;
! 2449: }
! 2450: /* send a proper signal to brief interested bus listeners */
! 2451: switch (this->state)
! 2452: {
! 2453: case IKE_CONNECTING:
1.1 misho 2454: {
1.1.1.2 ! misho 2455: /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
! 2456: uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
! 2457: charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
! 2458: this->keyingtry);
! 2459: this->keyingtry++;
! 2460: if (tries == 0 || tries > this->keyingtry)
! 2461: {
! 2462: DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
! 2463: this->keyingtry + 1, tries);
! 2464: reset(this, TRUE);
! 2465: resolve_hosts(this);
! 2466: return this->task_manager->initiate(this->task_manager);
! 2467: }
! 2468: DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
! 2469:
! 2470: if (this->version == IKEV1 && array_count(this->child_sas))
! 2471: {
! 2472: enumerator_t *enumerator;
! 2473: child_sa_t *child_sa;
! 2474:
! 2475: /* if reauthenticating an IKEv1 SA failed (assumed for an SA
! 2476: * in this state with CHILD_SAs), try again from scratch */
! 2477: DBG1(DBG_IKE, "reauthentication failed, trying to "
! 2478: "reestablish IKE_SA");
! 2479: reestablish(this);
! 2480: /* trigger down events for the CHILD_SAs, as no down event
! 2481: * is triggered below for IKE SAs in this state */
! 2482: enumerator = array_create_enumerator(this->child_sas);
! 2483: while (enumerator->enumerate(enumerator, &child_sa))
1.1 misho 2484: {
1.1.1.2 ! misho 2485: if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
! 2486: child_sa->get_state(child_sa) != CHILD_DELETED)
1.1 misho 2487: {
1.1.1.2 ! misho 2488: charon->bus->child_updown(charon->bus, child_sa,
! 2489: FALSE);
1.1 misho 2490: }
2491: }
1.1.1.2 ! misho 2492: enumerator->destroy(enumerator);
1.1 misho 2493: }
1.1.1.2 ! misho 2494: break;
1.1 misho 2495: }
1.1.1.2 ! misho 2496: case IKE_DELETING:
! 2497: DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
! 2498: if (has_condition(this, COND_REAUTHENTICATING) &&
! 2499: !lib->settings->get_bool(lib->settings,
! 2500: "%s.make_before_break", FALSE, lib->ns))
! 2501: {
! 2502: DBG1(DBG_IKE, "delete during reauthentication failed, "
! 2503: "trying to reestablish IKE_SA anyway");
! 2504: reestablish(this);
! 2505: }
! 2506: break;
! 2507: case IKE_REKEYING:
! 2508: DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
! 2509: /* FALL */
! 2510: default:
! 2511: reestablish(this);
! 2512: break;
1.1 misho 2513: }
1.1.1.2 ! misho 2514: if (this->state != IKE_CONNECTING &&
! 2515: this->state != IKE_REKEYED)
! 2516: {
! 2517: charon->bus->ike_updown(charon->bus, &this->public, FALSE);
! 2518: }
! 2519: return DESTROY_ME;
1.1 misho 2520: }
2521:
2522: METHOD(ike_sa_t, set_auth_lifetime, status_t,
2523: private_ike_sa_t *this, uint32_t lifetime)
2524: {
2525: uint32_t diff, hard, soft, now;
2526: bool send_update;
2527:
2528: diff = this->peer_cfg->get_over_time(this->peer_cfg);
2529: now = time_monotonic(NULL);
2530: hard = now + lifetime;
2531: soft = hard - diff;
2532:
2533: /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
2534: * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
2535: send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
2536: !has_condition(this, COND_ORIGINAL_INITIATOR) &&
2537: (array_count(this->other_vips) != 0 ||
2538: has_condition(this, COND_EAP_AUTHENTICATED));
2539:
2540: if (lifetime < diff)
2541: {
2542: this->stats[STAT_REAUTH] = now;
2543:
2544: if (!send_update)
2545: {
2546: DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2547: "starting reauthentication", lifetime);
2548: lib->processor->queue_job(lib->processor,
2549: (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
2550: }
2551: }
2552: else if (this->stats[STAT_REAUTH] == 0 ||
2553: this->stats[STAT_REAUTH] > soft)
2554: {
2555: this->stats[STAT_REAUTH] = soft;
2556: if (!send_update)
2557: {
2558: DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
2559: "reauthentication in %ds", lifetime, lifetime - diff);
2560: lib->scheduler->schedule_job(lib->scheduler,
2561: (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
2562: lifetime - diff);
2563: }
2564: }
2565: else
2566: {
2567: DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
2568: "reauthentication already scheduled in %ds", lifetime,
2569: this->stats[STAT_REAUTH] - time_monotonic(NULL));
2570: send_update = FALSE;
2571: }
2572: /* give at least some seconds to reauthenticate */
2573: this->stats[STAT_DELETE] = max(hard, now + 10);
2574:
2575: #ifdef USE_IKEV2
2576: if (send_update)
2577: {
2578: ike_auth_lifetime_t *task;
2579:
2580: task = ike_auth_lifetime_create(&this->public, TRUE);
2581: this->task_manager->queue_task(this->task_manager, &task->task);
2582: return this->task_manager->initiate(this->task_manager);
2583: }
2584: #endif
2585: return SUCCESS;
2586: }
2587:
2588: /**
2589: * Check if the current combination of source and destination address is still
2590: * valid.
2591: */
2592: static bool is_current_path_valid(private_ike_sa_t *this)
2593: {
2594: bool valid = FALSE;
2595: host_t *src;
2596:
2597: if (supports_extension(this, EXT_MOBIKE) &&
2598: lib->settings->get_bool(lib->settings,
2599: "%s.prefer_best_path", FALSE, lib->ns))
2600: {
2601: /* check if the current path is the best path; migrate otherwise */
2602: src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2603: NULL);
2604: if (src)
2605: {
2606: valid = src->ip_equals(src, this->my_host);
2607: src->destroy(src);
2608: }
2609: if (!valid)
2610: {
2611: DBG1(DBG_IKE, "old path is not preferred anymore");
2612: }
2613: return valid;
2614: }
2615: src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
2616: this->my_host);
2617: if (src)
2618: {
2619: if (src->ip_equals(src, this->my_host))
2620: {
2621: valid = TRUE;
2622: }
2623: src->destroy(src);
2624: }
2625: if (!valid)
2626: {
2627: DBG1(DBG_IKE, "old path is not available anymore, try to find another");
2628: }
2629: return valid;
2630: }
2631:
2632: /**
2633: * Check if we have any path available for this IKE SA.
2634: */
2635: static bool is_any_path_valid(private_ike_sa_t *this)
2636: {
2637: bool valid = FALSE;
2638: enumerator_t *enumerator;
2639: host_t *src = NULL, *addr;
2640: int family = AF_UNSPEC;
2641:
2642: switch (charon->socket->supported_families(charon->socket))
2643: {
2644: case SOCKET_FAMILY_IPV4:
2645: family = AF_INET;
2646: break;
2647: case SOCKET_FAMILY_IPV6:
2648: family = AF_INET6;
2649: break;
2650: case SOCKET_FAMILY_BOTH:
2651: case SOCKET_FAMILY_NONE:
2652: break;
2653: }
2654:
2655: enumerator = create_peer_address_enumerator(this);
2656: while (enumerator->enumerate(enumerator, &addr))
2657: {
2658: if (family != AF_UNSPEC && addr->get_family(addr) != family)
2659: {
2660: continue;
2661: }
2662: DBG1(DBG_IKE, "looking for a route to %H ...", addr);
2663: src = charon->kernel->get_source_addr(charon->kernel, addr, NULL);
2664: if (src)
2665: {
2666: break;
2667: }
2668: }
2669: enumerator->destroy(enumerator);
2670: if (src)
2671: {
2672: valid = TRUE;
2673: src->destroy(src);
2674: }
2675: return valid;
2676: }
2677:
2678: METHOD(ike_sa_t, roam, status_t,
2679: private_ike_sa_t *this, bool address)
2680: {
2681: switch (this->state)
2682: {
2683: case IKE_CREATED:
2684: case IKE_DELETING:
2685: case IKE_DESTROYING:
2686: case IKE_PASSIVE:
2687: case IKE_REKEYED:
2688: return SUCCESS;
2689: default:
2690: break;
2691: }
2692:
2693: if (!this->ike_cfg)
2694: { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
2695: * without config assigned */
2696: return SUCCESS;
2697: }
2698: if (this->version == IKEV1)
2699: { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
2700: * have to reestablish from scratch (reauth is not enough) */
2701: return SUCCESS;
2702: }
2703:
2704: /* ignore roam events if MOBIKE is not supported/enabled and the local
2705: * address is statically configured */
2706: if (!supports_extension(this, EXT_MOBIKE) &&
2707: ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
2708: {
2709: DBG2(DBG_IKE, "keeping statically configured path %H - %H",
2710: this->my_host, this->other_host);
2711: return SUCCESS;
2712: }
2713:
2714: /* keep existing path if possible */
2715: if (is_current_path_valid(this))
2716: {
2717: DBG2(DBG_IKE, "keeping connection path %H - %H",
2718: this->my_host, this->other_host);
2719: set_condition(this, COND_STALE, FALSE);
2720:
2721: if (supports_extension(this, EXT_MOBIKE) && address)
2722: { /* if any addresses changed, send an updated list */
2723: DBG1(DBG_IKE, "sending address list update using MOBIKE");
2724: this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
2725: return this->task_manager->initiate(this->task_manager);
2726: }
1.1.1.2 ! misho 2727: if (lib->settings->get_bool(lib->settings,
! 2728: "%s.check_current_path", FALSE, lib->ns) &&
! 2729: !this->task_manager->busy(this->task_manager))
! 2730: {
! 2731: DBG1(DBG_IKE, "checking if current path still works using DPD");
! 2732: this->task_manager->queue_dpd(this->task_manager);
! 2733: return this->task_manager->initiate(this->task_manager);
! 2734: }
1.1 misho 2735: return SUCCESS;
2736: }
2737:
2738: if (!is_any_path_valid(this))
2739: {
2740: DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
2741: this->other_host);
2742: set_condition(this, COND_STALE, TRUE);
2743: return SUCCESS;
2744: }
2745: set_condition(this, COND_STALE, FALSE);
2746:
2747: /* update addresses with mobike, if supported ... */
2748: if (supports_extension(this, EXT_MOBIKE))
2749: {
2750: if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2751: { /* responder updates the peer about changed address config */
2752: DBG1(DBG_IKE, "sending address list update using MOBIKE, "
2753: "implicitly requesting an address change");
2754: address = TRUE;
2755: }
2756: else
2757: {
2758: DBG1(DBG_IKE, "requesting address change using MOBIKE");
2759: }
2760: this->task_manager->queue_mobike(this->task_manager, TRUE, address);
2761: return this->task_manager->initiate(this->task_manager);
2762: }
2763:
2764: /* ... reauth if not */
2765: if (!has_condition(this, COND_ORIGINAL_INITIATOR))
2766: { /* responder does not reauthenticate */
2767: set_condition(this, COND_STALE, TRUE);
2768: return SUCCESS;
2769: }
2770: DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
2771: /* since our previous path is not valid anymore, try and find a new one */
2772: resolve_hosts(this);
2773: return reauth(this);
2774: }
2775:
2776: METHOD(ike_sa_t, add_configuration_attribute, void,
2777: private_ike_sa_t *this, attribute_handler_t *handler,
2778: configuration_attribute_type_t type, chunk_t data)
2779: {
2780: attribute_entry_t entry = {
2781: .handler = handler,
2782: .type = type,
2783: .data = chunk_clone(data),
2784: };
2785: array_insert(this->attributes, ARRAY_TAIL, &entry);
2786: }
2787:
2788: CALLBACK(filter_attribute, bool,
2789: void *null, enumerator_t *orig, va_list args)
2790: {
2791: attribute_entry_t *entry;
2792: configuration_attribute_type_t *type;
2793: chunk_t *data;
2794: bool *handled;
2795:
2796: VA_ARGS_VGET(args, type, data, handled);
2797:
2798: if (orig->enumerate(orig, &entry))
2799: {
2800: *type = entry->type;
2801: *data = entry->data;
2802: *handled = entry->handler != NULL;
2803: return TRUE;
2804: }
2805: return FALSE;
2806: }
2807:
2808: METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
2809: private_ike_sa_t *this)
2810: {
2811: return enumerator_create_filter(array_create_enumerator(this->attributes),
2812: filter_attribute, NULL, NULL);
2813: }
2814:
2815: METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
2816: private_ike_sa_t *this, task_queue_t queue)
2817: {
2818: return this->task_manager->create_task_enumerator(this->task_manager, queue);
2819: }
2820:
2821: METHOD(ike_sa_t, remove_task, void,
2822: private_ike_sa_t *this, enumerator_t *enumerator)
2823: {
2824: return this->task_manager->remove_task(this->task_manager, enumerator);
2825: }
2826:
2827: METHOD(ike_sa_t, flush_queue, void,
2828: private_ike_sa_t *this, task_queue_t queue)
2829: {
2830: this->task_manager->flush_queue(this->task_manager, queue);
2831: }
2832:
2833: METHOD(ike_sa_t, queue_task, void,
2834: private_ike_sa_t *this, task_t *task)
2835: {
2836: this->task_manager->queue_task(this->task_manager, task);
2837: }
2838:
2839: METHOD(ike_sa_t, queue_task_delayed, void,
2840: private_ike_sa_t *this, task_t *task, uint32_t delay)
2841: {
2842: this->task_manager->queue_task_delayed(this->task_manager, task, delay);
2843: }
2844:
2845: /**
2846: * Migrate and queue child-creating tasks from another IKE_SA
2847: */
2848: static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
2849: task_queue_t queue)
2850: {
2851: enumerator_t *enumerator;
2852: task_t *task;
2853:
2854: enumerator = other->create_task_enumerator(other, queue);
2855: while (enumerator->enumerate(enumerator, &task))
2856: {
2857: if (task->get_type(task) == TASK_CHILD_CREATE ||
2858: task->get_type(task) == TASK_QUICK_MODE)
2859: {
2860: other->remove_task(other, enumerator);
2861: task->migrate(task, &this->public);
2862: queue_task(this, task);
2863: }
2864: }
2865: enumerator->destroy(enumerator);
2866: }
2867:
2868: METHOD(ike_sa_t, adopt_child_tasks, void,
2869: private_ike_sa_t *this, ike_sa_t *other)
2870: {
2871: migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE);
2872: migrate_child_tasks(this, other, TASK_QUEUE_QUEUED);
2873: }
2874:
2875: METHOD(ike_sa_t, inherit_pre, void,
2876: private_ike_sa_t *this, ike_sa_t *other_public)
2877: {
2878: private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2879:
2880: /* apply config and hosts */
2881: set_peer_cfg(this, other->peer_cfg);
2882: set_my_host(this, other->my_host->clone(other->my_host));
2883: set_other_host(this, other->other_host->clone(other->other_host));
2884:
2885: /* apply extensions and conditions with a few exceptions */
2886: this->extensions = other->extensions;
2887: this->conditions = other->conditions;
2888: this->conditions &= ~COND_STALE;
2889: this->conditions &= ~COND_REAUTHENTICATING;
2890: }
2891:
2892: METHOD(ike_sa_t, inherit_post, void,
2893: private_ike_sa_t *this, ike_sa_t *other_public)
2894: {
2895: private_ike_sa_t *other = (private_ike_sa_t*)other_public;
2896: child_sa_t *child_sa;
2897: enumerator_t *enumerator;
2898: attribute_entry_t entry;
2899: auth_cfg_t *cfg;
2900: host_t *vip;
2901:
2902: /* apply hosts and ids */
2903: this->my_host->destroy(this->my_host);
2904: this->other_host->destroy(this->other_host);
2905: this->my_id->destroy(this->my_id);
2906: this->other_id->destroy(this->other_id);
2907: this->my_host = other->my_host->clone(other->my_host);
2908: this->other_host = other->other_host->clone(other->other_host);
2909: this->my_id = other->my_id->clone(other->my_id);
2910: this->other_id = other->other_id->clone(other->other_id);
2911: this->if_id_in = other->if_id_in;
2912: this->if_id_out = other->if_id_out;
2913:
2914: /* apply assigned virtual IPs... */
2915: while (array_remove(other->my_vips, ARRAY_HEAD, &vip))
2916: {
2917: array_insert_create(&this->my_vips, ARRAY_TAIL, vip);
2918: }
2919: while (array_remove(other->other_vips, ARRAY_HEAD, &vip))
2920: {
2921: array_insert_create(&this->other_vips, ARRAY_TAIL, vip);
2922: }
2923:
2924: /* MOBIKE additional addresses */
2925: while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip))
2926: {
2927: array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip);
2928: }
2929:
2930: /* authentication information */
2931: enumerator = array_create_enumerator(other->my_auths);
2932: while (enumerator->enumerate(enumerator, &cfg))
2933: {
2934: array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg));
2935: }
2936: enumerator->destroy(enumerator);
2937: enumerator = array_create_enumerator(other->other_auths);
2938: while (enumerator->enumerate(enumerator, &cfg))
2939: {
2940: array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg));
2941: }
2942: enumerator->destroy(enumerator);
2943:
2944: /* ... and configuration attributes */
2945: while (array_remove(other->attributes, ARRAY_HEAD, &entry))
2946: {
2947: array_insert(this->attributes, ARRAY_TAIL, &entry);
2948: }
2949:
2950: /* inherit all conditions */
2951: this->conditions = other->conditions;
2952: if (this->conditions & COND_NAT_HERE)
2953: {
2954: send_keepalive(this, FALSE);
2955: }
2956:
2957: #ifdef ME
2958: if (other->is_mediation_server)
2959: {
2960: act_as_mediation_server(this);
2961: }
2962: else if (other->server_reflexive_host)
2963: {
2964: this->server_reflexive_host = other->server_reflexive_host->clone(
2965: other->server_reflexive_host);
2966: }
2967: #endif /* ME */
2968:
2969: /* adopt all children */
2970: while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa))
2971: {
2972: charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
2973: add_child_sa(this, child_sa);
2974: }
2975:
2976: /* move pending tasks to the new IKE_SA */
2977: this->task_manager->adopt_tasks(this->task_manager, other->task_manager);
2978:
2979: /* reauthentication timeout survives a rekeying */
2980: if (other->stats[STAT_REAUTH])
2981: {
2982: time_t reauth, delete, now = time_monotonic(NULL);
2983:
2984: this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
1.1.1.2 ! misho 2985: reauth = max(0, this->stats[STAT_REAUTH] - now);
1.1 misho 2986: delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
1.1.1.2 ! misho 2987: this->stats[STAT_DELETE] = now + delete;
1.1 misho 2988: DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
2989: "lifetime reduced to %ds", reauth, delete);
2990: lib->scheduler->schedule_job(lib->scheduler,
2991: (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
2992: lib->scheduler->schedule_job(lib->scheduler,
2993: (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
2994: }
2995: }
2996:
2997: METHOD(ike_sa_t, destroy, void,
2998: private_ike_sa_t *this)
2999: {
3000: attribute_entry_t entry;
3001: child_sa_t *child_sa;
3002: host_t *vip;
3003:
3004: charon->bus->set_sa(charon->bus, &this->public);
3005:
3006: set_state(this, IKE_DESTROYING);
3007: if (this->task_manager)
3008: {
3009: this->task_manager->flush(this->task_manager);
3010: }
3011:
3012: /* remove attributes first, as we pass the IKE_SA to the handler */
3013: charon->bus->handle_vips(charon->bus, &this->public, FALSE);
3014: while (array_remove(this->attributes, ARRAY_TAIL, &entry))
3015: {
3016: if (entry.handler)
3017: {
3018: charon->attributes->release(charon->attributes, entry.handler,
3019: &this->public, entry.type, entry.data);
3020: }
3021: free(entry.data.ptr);
3022: }
3023: /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill
3024: * routes that the CHILD_SA tries to uninstall. */
3025: while (array_remove(this->child_sas, ARRAY_TAIL, &child_sa))
3026: {
3027: charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
3028: child_sa->destroy(child_sa);
3029: }
3030: while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
3031: {
3032: charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
3033: vip->destroy(vip);
3034: }
3035: if (array_count(this->other_vips))
3036: {
3037: charon->bus->assign_vips(charon->bus, &this->public, FALSE);
3038: }
3039: while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
3040: {
3041: if (this->peer_cfg)
3042: {
3043: linked_list_t *pools;
3044:
3045: pools = linked_list_create_from_enumerator(
3046: this->peer_cfg->create_pool_enumerator(this->peer_cfg));
3047: charon->attributes->release_address(charon->attributes,
3048: pools, vip, &this->public);
3049: pools->destroy(pools);
3050: }
3051: vip->destroy(vip);
3052: }
3053:
3054: /* unset SA after here to avoid usage by the listeners */
3055: charon->bus->set_sa(charon->bus, NULL);
3056:
3057: array_destroy(this->child_sas);
3058: DESTROY_IF(this->task_manager);
3059: DESTROY_IF(this->keymat);
3060: array_destroy(this->attributes);
3061: array_destroy(this->my_vips);
3062: array_destroy(this->other_vips);
3063: array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
3064: #ifdef ME
3065: if (this->is_mediation_server)
3066: {
3067: charon->mediation_manager->remove(charon->mediation_manager,
3068: this->ike_sa_id);
3069: }
3070: DESTROY_IF(this->server_reflexive_host);
3071: chunk_free(&this->connect_id);
3072: #endif /* ME */
3073: free(this->nat_detection_dest.ptr);
3074:
3075: DESTROY_IF(this->my_host);
3076: DESTROY_IF(this->other_host);
3077: DESTROY_IF(this->my_id);
3078: DESTROY_IF(this->other_id);
3079: DESTROY_IF(this->local_host);
3080: DESTROY_IF(this->remote_host);
3081: DESTROY_IF(this->redirected_from);
3082: array_destroy(this->redirected_at);
3083:
3084: DESTROY_IF(this->ike_cfg);
3085: DESTROY_IF(this->peer_cfg);
3086: DESTROY_IF(this->proposal);
3087: this->my_auth->destroy(this->my_auth);
3088: this->other_auth->destroy(this->other_auth);
3089: array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
3090: array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));
3091:
3092: this->ike_sa_id->destroy(this->ike_sa_id);
3093: free(this);
3094: }
3095:
3096: /*
3097: * Described in header.
3098: */
3099: ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
3100: ike_version_t version)
3101: {
3102: private_ike_sa_t *this;
3103: static refcount_t unique_id = 0;
3104:
3105: if (version == IKE_ANY)
3106: { /* prefer IKEv2 if protocol not specified */
3107: #ifdef USE_IKEV2
3108: version = IKEV2;
3109: #else
3110: version = IKEV1;
3111: #endif
3112: }
3113:
3114: INIT(this,
3115: .public = {
3116: .get_version = _get_version,
3117: .get_state = _get_state,
3118: .set_state = _set_state,
3119: .get_name = _get_name,
3120: .get_statistic = _get_statistic,
3121: .set_statistic = _set_statistic,
3122: .process_message = _process_message,
3123: .initiate = _initiate,
3124: .retry_initiate = _retry_initiate,
3125: .get_ike_cfg = _get_ike_cfg,
3126: .set_ike_cfg = _set_ike_cfg,
3127: .get_peer_cfg = _get_peer_cfg,
3128: .set_peer_cfg = _set_peer_cfg,
3129: .get_auth_cfg = _get_auth_cfg,
3130: .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
3131: .verify_peer_certificate = _verify_peer_certificate,
3132: .add_auth_cfg = _add_auth_cfg,
3133: .get_proposal = _get_proposal,
3134: .set_proposal = _set_proposal,
3135: .get_id = _get_id,
3136: .get_my_host = _get_my_host,
3137: .set_my_host = _set_my_host,
3138: .get_other_host = _get_other_host,
3139: .set_other_host = _set_other_host,
3140: .set_message_id = _set_message_id,
3141: .get_message_id = _get_message_id,
3142: .float_ports = _float_ports,
3143: .update_hosts = _update_hosts,
3144: .get_my_id = _get_my_id,
3145: .set_my_id = _set_my_id,
3146: .get_other_id = _get_other_id,
3147: .set_other_id = _set_other_id,
3148: .get_other_eap_id = _get_other_eap_id,
3149: .enable_extension = _enable_extension,
3150: .supports_extension = _supports_extension,
3151: .set_condition = _set_condition,
3152: .has_condition = _has_condition,
3153: .create_peer_address_enumerator = _create_peer_address_enumerator,
3154: .add_peer_address = _add_peer_address,
3155: .clear_peer_addresses = _clear_peer_addresses,
3156: .has_mapping_changed = _has_mapping_changed,
3157: .retransmit = _retransmit,
3158: .delete = _delete_,
3159: .destroy = _destroy,
3160: .send_dpd = _send_dpd,
3161: .send_keepalive = _send_keepalive,
3162: .redirect = _redirect,
3163: .handle_redirect = _handle_redirect,
3164: .get_redirected_from = _get_redirected_from,
3165: .get_keymat = _get_keymat,
3166: .add_child_sa = _add_child_sa,
3167: .get_child_sa = _get_child_sa,
3168: .get_child_count = _get_child_count,
3169: .create_child_sa_enumerator = _create_child_sa_enumerator,
3170: .remove_child_sa = _remove_child_sa,
3171: .rekey_child_sa = _rekey_child_sa,
3172: .delete_child_sa = _delete_child_sa,
3173: .destroy_child_sa = _destroy_child_sa,
3174: .rekey = _rekey,
3175: .reauth = _reauth,
3176: .reestablish = _reestablish,
3177: .set_auth_lifetime = _set_auth_lifetime,
3178: .roam = _roam,
3179: .inherit_pre = _inherit_pre,
3180: .inherit_post = _inherit_post,
3181: .generate_message = _generate_message,
3182: .generate_message_fragmented = _generate_message_fragmented,
3183: .reset = _reset,
3184: .get_unique_id = _get_unique_id,
3185: .add_virtual_ip = _add_virtual_ip,
3186: .clear_virtual_ips = _clear_virtual_ips,
3187: .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
3188: .add_configuration_attribute = _add_configuration_attribute,
3189: .create_attribute_enumerator = _create_attribute_enumerator,
3190: .get_if_id = _get_if_id,
3191: .set_kmaddress = _set_kmaddress,
3192: .create_task_enumerator = _create_task_enumerator,
3193: .remove_task = _remove_task,
3194: .flush_queue = _flush_queue,
3195: .queue_task = _queue_task,
3196: .queue_task_delayed = _queue_task_delayed,
3197: .adopt_child_tasks = _adopt_child_tasks,
3198: #ifdef ME
3199: .act_as_mediation_server = _act_as_mediation_server,
3200: .get_server_reflexive_host = _get_server_reflexive_host,
3201: .set_server_reflexive_host = _set_server_reflexive_host,
3202: .get_connect_id = _get_connect_id,
3203: .initiate_mediation = _initiate_mediation,
3204: .initiate_mediated = _initiate_mediated,
3205: .relay = _relay,
3206: .callback = _callback,
3207: .respond = _respond,
3208: #endif /* ME */
3209: },
3210: .ike_sa_id = ike_sa_id->clone(ike_sa_id),
3211: .version = version,
3212: .my_host = host_create_any(AF_INET),
3213: .other_host = host_create_any(AF_INET),
3214: .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3215: .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
3216: .keymat = keymat_create(version, initiator),
3217: .state = IKE_CREATED,
3218: .stats[STAT_INBOUND] = time_monotonic(NULL),
3219: .stats[STAT_OUTBOUND] = time_monotonic(NULL),
3220: .my_auth = auth_cfg_create(),
3221: .other_auth = auth_cfg_create(),
3222: .my_auths = array_create(0, 0),
3223: .other_auths = array_create(0, 0),
3224: .attributes = array_create(sizeof(attribute_entry_t), 0),
3225: .unique_id = ref_get(&unique_id),
3226: .keepalive_interval = lib->settings->get_time(lib->settings,
3227: "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
1.1.1.2 ! misho 3228: .keepalive_dpd_margin = lib->settings->get_time(lib->settings,
! 3229: "%s.keep_alive_dpd_margin", 0, lib->ns),
1.1 misho 3230: .retry_initiate_interval = lib->settings->get_time(lib->settings,
3231: "%s.retry_initiate_interval", 0, lib->ns),
3232: .flush_auth_cfg = lib->settings->get_bool(lib->settings,
3233: "%s.flush_auth_cfg", FALSE, lib->ns),
3234: .fragment_size = lib->settings->get_int(lib->settings,
3235: "%s.fragment_size", 1280, lib->ns),
3236: .follow_redirects = lib->settings->get_bool(lib->settings,
3237: "%s.follow_redirects", TRUE, lib->ns),
3238: );
3239:
3240: if (version == IKEV2)
3241: { /* always supported with IKEv2 */
3242: enable_extension(this, EXT_DPD);
3243: }
3244:
3245: this->task_manager = task_manager_create(&this->public);
3246: this->my_host->set_port(this->my_host,
3247: charon->socket->get_port(charon->socket, FALSE));
3248:
3249: if (!this->task_manager || !this->keymat)
3250: {
3251: DBG1(DBG_IKE, "IKE version %d not supported", this->version);
3252: destroy(this);
3253: return NULL;
3254: }
3255: return &this->public;
3256: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ike_sa.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa