Return to task_manager_v2.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa / ikev2 |
1.1 misho 1: /* 2: * Copyright (C) 2007-2018 Tobias Brunner 3: * Copyright (C) 2007-2010 Martin Willi 4: * HSR Hochschule fuer Technik Rapperswil 5: * 6: * This program is free software; you can redistribute it and/or modify it 7: * under the terms of the GNU General Public License as published by the 8: * Free Software Foundation; either version 2 of the License, or (at your 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. 10: * 11: * This program is distributed in the hope that it will be useful, but 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14: * for more details. 15: */ 16: 17: #include "task_manager_v2.h" 18: 19: #include <math.h> 20: 21: #include <collections/array.h> 22: #include <daemon.h> 23: #include <sa/ikev2/tasks/ike_init.h> 24: #include <sa/ikev2/tasks/ike_natd.h> 25: #include <sa/ikev2/tasks/ike_mobike.h> 26: #include <sa/ikev2/tasks/ike_auth.h> 27: #include <sa/ikev2/tasks/ike_auth_lifetime.h> 28: #include <sa/ikev2/tasks/ike_cert_pre.h> 29: #include <sa/ikev2/tasks/ike_cert_post.h> 30: #include <sa/ikev2/tasks/ike_rekey.h> 31: #include <sa/ikev2/tasks/ike_reauth.h> 32: #include <sa/ikev2/tasks/ike_reauth_complete.h> 33: #include <sa/ikev2/tasks/ike_redirect.h> 34: #include <sa/ikev2/tasks/ike_delete.h> 35: #include <sa/ikev2/tasks/ike_config.h> 36: #include <sa/ikev2/tasks/ike_dpd.h> 37: #include <sa/ikev2/tasks/ike_mid_sync.h> 38: #include <sa/ikev2/tasks/ike_vendor.h> 39: #include <sa/ikev2/tasks/ike_verify_peer_cert.h> 40: #include <sa/ikev2/tasks/child_create.h> 41: #include <sa/ikev2/tasks/child_rekey.h> 42: #include <sa/ikev2/tasks/child_delete.h> 43: #include <encoding/payloads/delete_payload.h> 44: #include <encoding/payloads/unknown_payload.h> 45: #include <processing/jobs/retransmit_job.h> 46: #include <processing/jobs/delete_ike_sa_job.h> 47: #include <processing/jobs/initiate_tasks_job.h> 48: 49: #ifdef ME 50: #include <sa/ikev2/tasks/ike_me.h> 51: #endif 52: 53: typedef struct private_task_manager_t private_task_manager_t; 54: typedef struct queued_task_t queued_task_t; 55: 56: /** 57: * private data of the task manager 58: */ 59: struct private_task_manager_t { 60: 61: /** 62: * public functions 63: */ 64: task_manager_v2_t public; 65: 66: /** 67: * associated IKE_SA we are serving 68: */ 69: ike_sa_t *ike_sa; 70: 71: /** 72: * Exchange we are currently handling as responder 73: */ 74: struct { 75: /** 76: * Message ID of the exchange 77: */ 78: uint32_t mid; 79: 80: /** 81: * packet(s) for retransmission 82: */ 83: array_t *packets; 84: 85: /** 86: * Helper to defragment the request 87: */ 88: message_t *defrag; 89: 90: } responding; 91: 92: /** 93: * Exchange we are currently handling as initiator 94: */ 95: struct { 96: /** 97: * Message ID of the exchange 98: */ 99: uint32_t mid; 100: 101: /** 102: * how many times we have retransmitted so far 103: */ 104: u_int retransmitted; 105: 106: /** 1.1.1.2 ! misho 107: * TRUE if any retransmits have been sent for this message (counter is ! 108: * reset if deferred) ! 109: */ ! 110: bool retransmit_sent; ! 111: ! 112: /** 1.1 misho 113: * packet(s) for retransmission 114: */ 115: array_t *packets; 116: 117: /** 118: * type of the initiated exchange 119: */ 120: exchange_type_t type; 121: 122: /** 123: * TRUE if exchange was deferred because no path was available 124: */ 125: bool deferred; 126: 127: /** 128: * Helper to defragment the response 129: */ 130: message_t *defrag; 131: 132: } initiating; 133: 134: /** 135: * Array of queued tasks not yet in action 136: */ 137: array_t *queued_tasks; 138: 139: /** 140: * Array of active tasks, initiated by ourselves 141: */ 142: array_t *active_tasks; 143: 144: /** 145: * Array of tasks initiated by peer 146: */ 147: array_t *passive_tasks; 148: 149: /** 150: * the task manager has been reset 151: */ 152: bool reset; 153: 154: /** 155: * Number of times we retransmit messages before giving up 156: */ 157: u_int retransmit_tries; 158: 159: /** 1.1.1.2 ! misho 160: * Maximum number of tries possible with current retransmission settings ! 161: * before overflowing the range of uint32_t, which we use for the timeout. ! 162: * Note that UINT32_MAX milliseconds equal nearly 50 days, so that doesn't ! 163: * make much sense without retransmit_limit anyway. ! 164: */ ! 165: u_int retransmit_tries_max; ! 166: ! 167: /** 1.1 misho 168: * Retransmission timeout 169: */ 170: double retransmit_timeout; 171: 172: /** 173: * Base to calculate retransmission timeout 174: */ 175: double retransmit_base; 176: 177: /** 178: * Jitter to apply to calculated retransmit timeout (in percent) 179: */ 180: u_int retransmit_jitter; 181: 182: /** 183: * Limit retransmit timeout to this value 184: */ 185: uint32_t retransmit_limit; 186: 187: /** 188: * Use make-before-break instead of break-before-make reauth? 189: */ 190: bool make_before_break; 191: }; 192: 193: /** 194: * Queued tasks 195: */ 196: struct queued_task_t { 197: 198: /** 199: * Queued task 200: */ 201: task_t *task; 202: 203: /** 204: * Time before which the task is not to be initiated 205: */ 206: timeval_t time; 207: }; 208: 209: /** 210: * Reset retransmission packet list 211: */ 212: static void clear_packets(array_t *array) 213: { 214: packet_t *packet; 215: 216: while (array_remove(array, ARRAY_TAIL, &packet)) 217: { 218: packet->destroy(packet); 219: } 220: } 221: 222: METHOD(task_manager_t, flush_queue, void, 223: private_task_manager_t *this, task_queue_t queue) 224: { 225: array_t *array; 226: task_t *task; 227: 228: switch (queue) 229: { 230: case TASK_QUEUE_ACTIVE: 231: array = this->active_tasks; 232: break; 233: case TASK_QUEUE_PASSIVE: 234: array = this->passive_tasks; 235: break; 236: case TASK_QUEUE_QUEUED: 237: array = this->queued_tasks; 238: break; 239: default: 240: return; 241: } 242: while (array_remove(array, ARRAY_TAIL, &task)) 243: { 244: if (queue == TASK_QUEUE_QUEUED) 245: { 246: queued_task_t *queued = (queued_task_t*)task; 247: task = queued->task; 248: free(queued); 249: } 250: task->destroy(task); 251: } 252: } 253: 254: METHOD(task_manager_t, flush, void, 255: private_task_manager_t *this) 256: { 257: flush_queue(this, TASK_QUEUE_QUEUED); 258: flush_queue(this, TASK_QUEUE_PASSIVE); 259: flush_queue(this, TASK_QUEUE_ACTIVE); 260: } 261: 262: /** 263: * Move a task of a specific type from the queue to the active list, if it is 264: * not delayed. 265: */ 266: static bool activate_task(private_task_manager_t *this, task_type_t type) 267: { 268: enumerator_t *enumerator; 269: queued_task_t *queued; 270: timeval_t now; 271: bool found = FALSE; 272: 273: time_monotonic(&now); 274: 275: enumerator = array_create_enumerator(this->queued_tasks); 276: while (enumerator->enumerate(enumerator, (void**)&queued)) 277: { 278: if (queued->task->get_type(queued->task) == type && 279: !timercmp(&now, &queued->time, <)) 280: { 281: DBG2(DBG_IKE, " activating %N task", task_type_names, type); 282: array_remove_at(this->queued_tasks, enumerator); 283: array_insert(this->active_tasks, ARRAY_TAIL, queued->task); 284: free(queued); 285: found = TRUE; 286: break; 287: } 288: } 289: enumerator->destroy(enumerator); 290: return found; 291: } 292: 293: /** 294: * Send packets in the given array (they get cloned). Optionally, the 295: * source and destination addresses are changed before sending it. 296: */ 297: static void send_packets(private_task_manager_t *this, array_t *packets, 298: host_t *src, host_t *dst) 299: { 300: packet_t *packet, *clone; 301: int i; 302: 303: for (i = 0; i < array_count(packets); i++) 304: { 305: array_get(packets, i, &packet); 306: clone = packet->clone(packet); 307: if (src) 308: { 309: clone->set_source(clone, src->clone(src)); 310: } 311: if (dst) 312: { 313: clone->set_destination(clone, dst->clone(dst)); 314: } 315: charon->sender->send(charon->sender, clone); 316: } 317: } 318: 319: /** 320: * Generates the given message and stores packet(s) in the given array 321: */ 322: static bool generate_message(private_task_manager_t *this, message_t *message, 323: array_t **packets) 324: { 325: enumerator_t *fragments; 326: packet_t *fragment; 327: 328: if (this->ike_sa->generate_message_fragmented(this->ike_sa, message, 329: &fragments) != SUCCESS) 330: { 331: return FALSE; 332: } 333: while (fragments->enumerate(fragments, &fragment)) 334: { 335: array_insert_create(packets, ARRAY_TAIL, fragment); 336: } 337: fragments->destroy(fragments); 338: array_compress(*packets); 339: return TRUE; 340: } 341: 342: METHOD(task_manager_t, retransmit, status_t, 343: private_task_manager_t *this, uint32_t message_id) 344: { 345: if (message_id == this->initiating.mid && 346: array_count(this->initiating.packets)) 347: { 1.1.1.2 ! misho 348: uint32_t timeout = UINT32_MAX, max_jitter; 1.1 misho 349: job_t *job; 350: enumerator_t *enumerator; 351: packet_t *packet; 352: task_t *task; 353: ike_mobike_t *mobike = NULL; 354: 355: array_get(this->initiating.packets, 0, &packet); 356: 357: /* check if we are retransmitting a MOBIKE routability check */ 358: if (this->initiating.type == INFORMATIONAL) 359: { 360: enumerator = array_create_enumerator(this->active_tasks); 361: while (enumerator->enumerate(enumerator, (void*)&task)) 362: { 363: if (task->get_type(task) == TASK_IKE_MOBIKE) 364: { 365: mobike = (ike_mobike_t*)task; 366: break; 367: } 368: } 369: enumerator->destroy(enumerator); 370: } 371: 372: if (!mobike || !mobike->is_probing(mobike)) 373: { 1.1.1.2 ! misho 374: if (this->initiating.retransmitted > this->retransmit_tries) 1.1 misho 375: { 376: DBG1(DBG_IKE, "giving up after %d retransmits", 377: this->initiating.retransmitted - 1); 378: charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT, 379: packet); 380: return DESTROY_ME; 381: } 1.1.1.2 ! misho 382: if (!this->retransmit_tries_max || ! 383: this->initiating.retransmitted <= this->retransmit_tries_max) ! 384: { ! 385: timeout = (uint32_t)(this->retransmit_timeout * 1000.0 * ! 386: pow(this->retransmit_base, this->initiating.retransmitted)); ! 387: } ! 388: if (this->retransmit_limit) ! 389: { ! 390: timeout = min(timeout, this->retransmit_limit); ! 391: } ! 392: if (this->retransmit_jitter) ! 393: { ! 394: max_jitter = (timeout / 100.0) * this->retransmit_jitter; ! 395: timeout -= max_jitter * (random() / (RAND_MAX + 1.0)); ! 396: } 1.1 misho 397: if (this->initiating.retransmitted) 398: { 399: DBG1(DBG_IKE, "retransmit %d of request with message ID %d", 400: this->initiating.retransmitted, message_id); 401: charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet, 402: this->initiating.retransmitted); 1.1.1.2 ! misho 403: this->initiating.retransmit_sent = TRUE; 1.1 misho 404: } 405: if (!mobike) 406: { 407: send_packets(this, this->initiating.packets, 408: this->ike_sa->get_my_host(this->ike_sa), 409: this->ike_sa->get_other_host(this->ike_sa)); 410: } 411: else 412: { 413: if (!mobike->transmit(mobike, packet)) 414: { 415: DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update " 416: "deferred"); 417: this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE); 418: this->initiating.deferred = TRUE; 1.1.1.2 ! misho 419: return INVALID_STATE; 1.1 misho 420: } 421: else if (mobike->is_probing(mobike)) 422: { 423: timeout = ROUTABILITY_CHECK_INTERVAL; 424: } 425: } 426: } 427: else 428: { /* for routability checks, we use a more aggressive behavior */ 429: if (this->initiating.retransmitted <= ROUTABILITY_CHECK_TRIES) 430: { 431: timeout = ROUTABILITY_CHECK_INTERVAL; 432: } 433: else 434: { 435: DBG1(DBG_IKE, "giving up after %d path probings", 436: this->initiating.retransmitted - 1); 437: return DESTROY_ME; 438: } 439: 440: if (this->initiating.retransmitted) 441: { 442: DBG1(DBG_IKE, "path probing attempt %d", 443: this->initiating.retransmitted); 444: } 445: /* TODO-FRAG: presumably these small packets are not fragmented, 446: * we should maybe ensure this is the case when generating them */ 447: if (!mobike->transmit(mobike, packet)) 448: { 449: DBG1(DBG_IKE, "no route found to reach peer, path probing " 450: "deferred"); 451: this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE); 452: this->initiating.deferred = TRUE; 1.1.1.2 ! misho 453: return INVALID_STATE; 1.1 misho 454: } 455: } 456: 457: this->initiating.retransmitted++; 458: job = (job_t*)retransmit_job_create(this->initiating.mid, 459: this->ike_sa->get_id(this->ike_sa)); 460: lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout); 1.1.1.2 ! misho 461: return SUCCESS; 1.1 misho 462: } 1.1.1.2 ! misho 463: return INVALID_STATE; 1.1 misho 464: } 465: 466: METHOD(task_manager_t, initiate, status_t, 467: private_task_manager_t *this) 468: { 469: enumerator_t *enumerator; 470: task_t *task; 471: message_t *message; 472: host_t *me, *other; 473: exchange_type_t exchange = 0; 474: 475: if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED) 476: { 477: DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress", 478: exchange_type_names, this->initiating.type); 479: /* do not initiate if we already have a message in the air */ 480: if (this->initiating.deferred) 481: { /* re-initiate deferred exchange */ 482: this->initiating.deferred = FALSE; 483: this->initiating.retransmitted = 0; 484: return retransmit(this, this->initiating.mid); 485: } 486: return SUCCESS; 487: } 488: 489: if (array_count(this->active_tasks) == 0) 490: { 491: DBG2(DBG_IKE, "activating new tasks"); 492: switch (this->ike_sa->get_state(this->ike_sa)) 493: { 494: case IKE_CREATED: 495: activate_task(this, TASK_IKE_VENDOR); 496: if (activate_task(this, TASK_IKE_INIT)) 497: { 498: this->initiating.mid = 0; 499: exchange = IKE_SA_INIT; 500: activate_task(this, TASK_IKE_NATD); 501: activate_task(this, TASK_IKE_CERT_PRE); 502: #ifdef ME 503: /* this task has to be activated before the TASK_IKE_AUTH 504: * task, because that task pregenerates the packet after 505: * which no payloads can be added to the message anymore. 506: */ 507: activate_task(this, TASK_IKE_ME); 508: #endif /* ME */ 509: activate_task(this, TASK_IKE_AUTH); 510: activate_task(this, TASK_IKE_CERT_POST); 511: activate_task(this, TASK_IKE_CONFIG); 512: activate_task(this, TASK_CHILD_CREATE); 513: activate_task(this, TASK_IKE_AUTH_LIFETIME); 514: activate_task(this, TASK_IKE_MOBIKE); 515: } 516: break; 517: case IKE_ESTABLISHED: 518: if (activate_task(this, TASK_IKE_MOBIKE)) 519: { 520: exchange = INFORMATIONAL; 521: break; 522: } 523: if (activate_task(this, TASK_IKE_DELETE)) 524: { 525: exchange = INFORMATIONAL; 526: break; 527: } 528: if (activate_task(this, TASK_IKE_REDIRECT)) 529: { 530: exchange = INFORMATIONAL; 531: break; 532: } 533: if (activate_task(this, TASK_CHILD_DELETE)) 534: { 535: exchange = INFORMATIONAL; 536: break; 537: } 538: if (activate_task(this, TASK_IKE_REAUTH)) 539: { 540: exchange = INFORMATIONAL; 541: break; 542: } 543: if (activate_task(this, TASK_CHILD_CREATE)) 544: { 545: exchange = CREATE_CHILD_SA; 546: break; 547: } 548: if (activate_task(this, TASK_CHILD_REKEY)) 549: { 550: exchange = CREATE_CHILD_SA; 551: break; 552: } 553: if (activate_task(this, TASK_IKE_REKEY)) 554: { 555: exchange = CREATE_CHILD_SA; 556: break; 557: } 558: if (activate_task(this, TASK_IKE_DPD)) 559: { 560: exchange = INFORMATIONAL; 561: break; 562: } 563: if (activate_task(this, TASK_IKE_AUTH_LIFETIME)) 564: { 565: exchange = INFORMATIONAL; 566: break; 567: } 568: #ifdef ME 569: if (activate_task(this, TASK_IKE_ME)) 570: { 571: exchange = ME_CONNECT; 572: break; 573: } 574: #endif /* ME */ 575: if (activate_task(this, TASK_IKE_REAUTH_COMPLETE)) 576: { 577: exchange = INFORMATIONAL; 578: break; 579: } 580: if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT)) 581: { 582: exchange = INFORMATIONAL; 583: break; 584: } 585: case IKE_REKEYING: 586: case IKE_REKEYED: 587: if (activate_task(this, TASK_IKE_DELETE)) 588: { 589: exchange = INFORMATIONAL; 590: break; 591: } 592: case IKE_DELETING: 593: default: 594: break; 595: } 596: } 597: else 598: { 599: DBG2(DBG_IKE, "reinitiating already active tasks"); 600: enumerator = array_create_enumerator(this->active_tasks); 601: while (enumerator->enumerate(enumerator, &task)) 602: { 603: DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task)); 604: switch (task->get_type(task)) 605: { 606: case TASK_IKE_INIT: 607: exchange = IKE_SA_INIT; 608: break; 609: case TASK_IKE_AUTH: 610: exchange = IKE_AUTH; 611: break; 612: case TASK_CHILD_CREATE: 613: case TASK_CHILD_REKEY: 614: case TASK_IKE_REKEY: 615: exchange = CREATE_CHILD_SA; 616: break; 617: case TASK_IKE_MOBIKE: 618: exchange = INFORMATIONAL; 619: break; 620: default: 621: continue; 622: } 623: break; 624: } 625: enumerator->destroy(enumerator); 626: } 627: 628: if (exchange == 0) 629: { 630: DBG2(DBG_IKE, "nothing to initiate"); 631: /* nothing to do yet... */ 632: return SUCCESS; 633: } 634: 635: me = this->ike_sa->get_my_host(this->ike_sa); 636: other = this->ike_sa->get_other_host(this->ike_sa); 637: 638: message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION); 639: message->set_message_id(message, this->initiating.mid); 640: message->set_source(message, me->clone(me)); 641: message->set_destination(message, other->clone(other)); 642: message->set_exchange_type(message, exchange); 643: this->initiating.type = exchange; 644: this->initiating.retransmitted = 0; 1.1.1.2 ! misho 645: this->initiating.retransmit_sent = FALSE; 1.1 misho 646: this->initiating.deferred = FALSE; 647: 648: enumerator = array_create_enumerator(this->active_tasks); 649: while (enumerator->enumerate(enumerator, &task)) 650: { 651: switch (task->build(task, message)) 652: { 653: case SUCCESS: 654: /* task completed, remove it */ 655: array_remove_at(this->active_tasks, enumerator); 656: task->destroy(task); 657: break; 658: case NEED_MORE: 659: /* processed, but task needs another exchange */ 660: break; 661: case FAILED: 662: default: 663: this->initiating.type = EXCHANGE_TYPE_UNDEFINED; 664: if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING && 665: this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED) 666: { 667: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 668: } 669: /* FALL */ 670: case DESTROY_ME: 671: /* critical failure, destroy IKE_SA */ 672: enumerator->destroy(enumerator); 673: message->destroy(message); 674: flush(this); 675: return DESTROY_ME; 676: } 677: } 678: enumerator->destroy(enumerator); 679: 680: /* update exchange type if a task changed it */ 681: this->initiating.type = message->get_exchange_type(message); 682: if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED) 683: { 684: message->destroy(message); 685: return initiate(this); 686: } 687: 688: if (!generate_message(this, message, &this->initiating.packets)) 689: { 690: /* message generation failed. There is nothing more to do than to 691: * close the SA */ 692: message->destroy(message); 693: flush(this); 694: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 695: return DESTROY_ME; 696: } 697: message->destroy(message); 698: 699: array_compress(this->active_tasks); 700: array_compress(this->queued_tasks); 701: 702: return retransmit(this, this->initiating.mid); 703: } 704: 705: /** 706: * handle an incoming response message 707: */ 708: static status_t process_response(private_task_manager_t *this, 709: message_t *message) 710: { 711: enumerator_t *enumerator; 712: task_t *task; 713: 714: if (message->get_exchange_type(message) != this->initiating.type) 715: { 716: DBG1(DBG_IKE, "received %N response, but expected %N", 717: exchange_type_names, message->get_exchange_type(message), 718: exchange_type_names, this->initiating.type); 719: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 720: return DESTROY_ME; 721: } 722: 723: /* handle fatal INVALID_SYNTAX notifies */ 724: switch (message->get_exchange_type(message)) 725: { 726: case CREATE_CHILD_SA: 727: case INFORMATIONAL: 728: if (message->get_notify(message, INVALID_SYNTAX)) 729: { 730: DBG1(DBG_IKE, "received %N notify error, destroying IKE_SA", 731: notify_type_names, INVALID_SYNTAX); 732: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 733: return DESTROY_ME; 734: } 735: break; 736: default: 737: break; 738: } 739: 740: enumerator = array_create_enumerator(this->active_tasks); 741: while (enumerator->enumerate(enumerator, &task)) 742: { 743: if (!task->pre_process) 744: { 745: continue; 746: } 747: switch (task->pre_process(task, message)) 748: { 749: case SUCCESS: 750: break; 751: case FAILED: 752: default: 753: /* just ignore the message */ 754: DBG1(DBG_IKE, "ignore invalid %N response", 755: exchange_type_names, message->get_exchange_type(message)); 756: enumerator->destroy(enumerator); 757: return SUCCESS; 758: case DESTROY_ME: 759: /* critical failure, destroy IKE_SA */ 760: enumerator->destroy(enumerator); 761: return DESTROY_ME; 762: } 763: } 764: enumerator->destroy(enumerator); 765: 1.1.1.2 ! misho 766: if (this->initiating.retransmit_sent) 1.1 misho 767: { 768: packet_t *packet = NULL; 769: array_get(this->initiating.packets, 0, &packet); 770: charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet); 771: } 772: 773: /* catch if we get reset while processing */ 774: this->reset = FALSE; 775: enumerator = array_create_enumerator(this->active_tasks); 776: while (enumerator->enumerate(enumerator, &task)) 777: { 778: switch (task->process(task, message)) 779: { 780: case SUCCESS: 781: /* task completed, remove it */ 782: array_remove_at(this->active_tasks, enumerator); 783: task->destroy(task); 784: break; 785: case NEED_MORE: 786: /* processed, but task needs another exchange */ 787: break; 788: case FAILED: 789: default: 790: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 791: /* FALL */ 792: case DESTROY_ME: 793: /* critical failure, destroy IKE_SA */ 794: array_remove_at(this->active_tasks, enumerator); 795: enumerator->destroy(enumerator); 796: task->destroy(task); 797: return DESTROY_ME; 798: } 799: if (this->reset) 800: { /* start all over again if we were reset */ 801: this->reset = FALSE; 802: enumerator->destroy(enumerator); 803: return initiate(this); 804: } 805: } 806: enumerator->destroy(enumerator); 807: 808: this->initiating.mid++; 809: this->initiating.type = EXCHANGE_TYPE_UNDEFINED; 810: clear_packets(this->initiating.packets); 811: 812: array_compress(this->active_tasks); 813: 814: return initiate(this); 815: } 816: 817: /** 818: * handle exchange collisions 819: */ 820: static bool handle_collisions(private_task_manager_t *this, task_t *task) 821: { 822: enumerator_t *enumerator; 823: task_t *active; 824: task_type_t type; 825: 826: type = task->get_type(task); 827: 828: /* do we have to check */ 829: if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY || 830: type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE) 831: { 832: /* find an exchange collision, and notify these tasks */ 833: enumerator = array_create_enumerator(this->active_tasks); 834: while (enumerator->enumerate(enumerator, &active)) 835: { 836: switch (active->get_type(active)) 837: { 838: case TASK_IKE_REKEY: 839: if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE) 840: { 841: ike_rekey_t *rekey = (ike_rekey_t*)active; 842: rekey->collide(rekey, task); 843: break; 844: } 845: continue; 846: case TASK_CHILD_REKEY: 847: if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE) 848: { 849: child_rekey_t *rekey = (child_rekey_t*)active; 850: rekey->collide(rekey, task); 851: break; 852: } 853: continue; 854: default: 855: continue; 856: } 857: enumerator->destroy(enumerator); 858: return TRUE; 859: } 860: enumerator->destroy(enumerator); 861: } 862: return FALSE; 863: } 864: 865: /** 866: * build a response depending on the "passive" task list 867: */ 868: static status_t build_response(private_task_manager_t *this, message_t *request) 869: { 870: enumerator_t *enumerator; 871: task_t *task; 872: message_t *message; 873: host_t *me, *other; 874: bool delete = FALSE, hook = FALSE, mid_sync = FALSE; 875: ike_sa_id_t *id = NULL; 876: uint64_t responder_spi = 0; 877: bool result; 878: 879: me = request->get_destination(request); 880: other = request->get_source(request); 881: 882: message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION); 883: message->set_exchange_type(message, request->get_exchange_type(request)); 884: /* send response along the path the request came in */ 885: message->set_source(message, me->clone(me)); 886: message->set_destination(message, other->clone(other)); 887: message->set_message_id(message, this->responding.mid); 888: message->set_request(message, FALSE); 889: 890: enumerator = array_create_enumerator(this->passive_tasks); 891: while (enumerator->enumerate(enumerator, (void*)&task)) 892: { 893: if (task->get_type(task) == TASK_IKE_MID_SYNC) 894: { 895: mid_sync = TRUE; 896: } 897: switch (task->build(task, message)) 898: { 899: case SUCCESS: 900: /* task completed, remove it */ 901: array_remove_at(this->passive_tasks, enumerator); 902: if (!handle_collisions(this, task)) 903: { 904: task->destroy(task); 905: } 906: break; 907: case NEED_MORE: 908: /* processed, but task needs another exchange */ 909: if (handle_collisions(this, task)) 910: { 911: array_remove_at(this->passive_tasks, enumerator); 912: } 913: break; 914: case FAILED: 915: default: 916: hook = TRUE; 917: /* FALL */ 918: case DESTROY_ME: 919: /* destroy IKE_SA, but SEND response first */ 920: if (handle_collisions(this, task)) 921: { 922: array_remove_at(this->passive_tasks, enumerator); 923: } 924: delete = TRUE; 925: break; 926: } 927: if (delete) 928: { 929: break; 930: } 931: } 932: enumerator->destroy(enumerator); 933: 934: /* RFC 5996, section 2.6 mentions that in the event of a failure during 935: * IKE_SA_INIT the responder's SPI will be 0 in the response, while it 936: * actually explicitly allows it to be non-zero. Since we use the responder 937: * SPI to create hashes in the IKE_SA manager we can only set the SPI to 938: * zero temporarily, otherwise checking the SA in would fail. */ 939: if (delete && request->get_exchange_type(request) == IKE_SA_INIT) 940: { 941: id = this->ike_sa->get_id(this->ike_sa); 942: responder_spi = id->get_responder_spi(id); 943: id->set_responder_spi(id, 0); 944: } 945: 946: /* message complete, send it */ 947: clear_packets(this->responding.packets); 948: result = generate_message(this, message, &this->responding.packets); 949: message->destroy(message); 950: if (id) 951: { 952: id->set_responder_spi(id, responder_spi); 953: } 954: if (!result) 955: { 956: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 957: return DESTROY_ME; 958: } 959: 960: send_packets(this, this->responding.packets, NULL, NULL); 961: if (delete) 962: { 963: if (hook) 964: { 965: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 966: } 967: return DESTROY_ME; 968: } 969: else if (mid_sync) 970: { 971: /* we don't want to resend messages to sync MIDs if requests with the 972: * previous MID arrive */ 973: clear_packets(this->responding.packets); 974: /* avoid increasing the expected message ID after handling a message 975: * to sync MIDs with MID 0 */ 976: return NEED_MORE; 977: } 978: 979: array_compress(this->passive_tasks); 980: 981: return SUCCESS; 982: } 983: 984: /** 985: * handle an incoming request message 986: */ 987: static status_t process_request(private_task_manager_t *this, 988: message_t *message) 989: { 990: enumerator_t *enumerator; 991: task_t *task = NULL; 992: payload_t *payload; 993: notify_payload_t *notify; 994: delete_payload_t *delete; 995: ike_sa_state_t state; 996: 997: if (array_count(this->passive_tasks) == 0) 998: { /* create tasks depending on request type, if not already some queued */ 999: state = this->ike_sa->get_state(this->ike_sa); 1000: switch (message->get_exchange_type(message)) 1001: { 1002: case IKE_SA_INIT: 1003: { 1004: task = (task_t*)ike_vendor_create(this->ike_sa, FALSE); 1005: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1006: task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL); 1007: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1008: task = (task_t*)ike_natd_create(this->ike_sa, FALSE); 1009: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1010: task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE); 1011: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1012: #ifdef ME 1013: task = (task_t*)ike_me_create(this->ike_sa, FALSE); 1014: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1015: #endif /* ME */ 1016: task = (task_t*)ike_auth_create(this->ike_sa, FALSE); 1017: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1018: task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE); 1019: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1020: task = (task_t*)ike_config_create(this->ike_sa, FALSE); 1021: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1022: task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE, 1023: NULL, NULL); 1024: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1025: task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE); 1026: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1027: task = (task_t*)ike_mobike_create(this->ike_sa, FALSE); 1028: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1029: break; 1030: } 1031: case CREATE_CHILD_SA: 1032: { /* FIXME: we should prevent this on mediation connections */ 1033: bool notify_found = FALSE, ts_found = FALSE; 1034: 1035: if (state == IKE_CREATED || 1036: state == IKE_CONNECTING) 1037: { 1038: DBG1(DBG_IKE, "received CREATE_CHILD_SA request for " 1039: "unestablished IKE_SA, rejected"); 1040: return FAILED; 1041: } 1042: 1043: enumerator = message->create_payload_enumerator(message); 1044: while (enumerator->enumerate(enumerator, &payload)) 1045: { 1046: switch (payload->get_type(payload)) 1047: { 1048: case PLV2_NOTIFY: 1049: { /* if we find a rekey notify, its CHILD_SA rekeying */ 1050: notify = (notify_payload_t*)payload; 1051: if (notify->get_notify_type(notify) == REKEY_SA && 1052: (notify->get_protocol_id(notify) == PROTO_AH || 1053: notify->get_protocol_id(notify) == PROTO_ESP)) 1054: { 1055: notify_found = TRUE; 1056: } 1057: break; 1058: } 1059: case PLV2_TS_INITIATOR: 1060: case PLV2_TS_RESPONDER: 1061: { /* if we don't find a TS, its IKE rekeying */ 1062: ts_found = TRUE; 1063: break; 1064: } 1065: default: 1066: break; 1067: } 1068: } 1069: enumerator->destroy(enumerator); 1070: 1071: if (ts_found) 1072: { 1073: if (notify_found) 1074: { 1075: task = (task_t*)child_rekey_create(this->ike_sa, 1076: PROTO_NONE, 0); 1077: } 1078: else 1079: { 1080: task = (task_t*)child_create_create(this->ike_sa, NULL, 1081: FALSE, NULL, NULL); 1082: } 1083: } 1084: else 1085: { 1086: task = (task_t*)ike_rekey_create(this->ike_sa, FALSE); 1087: } 1088: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1089: break; 1090: } 1091: case INFORMATIONAL: 1092: { 1093: enumerator = message->create_payload_enumerator(message); 1094: while (enumerator->enumerate(enumerator, &payload)) 1095: { 1096: switch (payload->get_type(payload)) 1097: { 1098: case PLV2_NOTIFY: 1099: { 1100: notify = (notify_payload_t*)payload; 1101: if (state == IKE_REKEYED) 1102: { 1103: DBG1(DBG_IKE, "received unexpected notify %N " 1104: "for rekeyed IKE_SA, ignored", 1105: notify_type_names, 1106: notify->get_notify_type(notify)); 1107: break; 1108: } 1109: switch (notify->get_notify_type(notify)) 1110: { 1111: case ADDITIONAL_IP4_ADDRESS: 1112: case ADDITIONAL_IP6_ADDRESS: 1113: case NO_ADDITIONAL_ADDRESSES: 1114: case UPDATE_SA_ADDRESSES: 1115: case NO_NATS_ALLOWED: 1116: case UNACCEPTABLE_ADDRESSES: 1117: case UNEXPECTED_NAT_DETECTED: 1118: case COOKIE2: 1119: case NAT_DETECTION_SOURCE_IP: 1120: case NAT_DETECTION_DESTINATION_IP: 1121: task = (task_t*)ike_mobike_create( 1122: this->ike_sa, FALSE); 1123: break; 1124: case AUTH_LIFETIME: 1125: task = (task_t*)ike_auth_lifetime_create( 1126: this->ike_sa, FALSE); 1127: break; 1128: case AUTHENTICATION_FAILED: 1129: /* initiator failed to authenticate us. 1130: * We use ike_delete to handle this, which 1131: * invokes all the required hooks. */ 1132: task = (task_t*)ike_delete_create( 1133: this->ike_sa, FALSE); 1134: break; 1135: case REDIRECT: 1136: task = (task_t*)ike_redirect_create( 1137: this->ike_sa, NULL); 1138: break; 1139: case IKEV2_MESSAGE_ID_SYNC: 1140: task = (task_t*)ike_mid_sync_create( 1141: this->ike_sa); 1142: break; 1143: default: 1144: break; 1145: } 1146: break; 1147: } 1148: case PLV2_DELETE: 1149: { 1150: delete = (delete_payload_t*)payload; 1151: if (delete->get_protocol_id(delete) == PROTO_IKE) 1152: { 1153: task = (task_t*)ike_delete_create(this->ike_sa, 1154: FALSE); 1155: } 1156: else 1157: { 1158: task = (task_t*)child_delete_create(this->ike_sa, 1159: PROTO_NONE, 0, FALSE); 1160: } 1161: break; 1162: } 1163: default: 1164: break; 1165: } 1166: if (task) 1167: { 1168: break; 1169: } 1170: } 1171: enumerator->destroy(enumerator); 1172: 1173: if (task == NULL) 1174: { 1175: task = (task_t*)ike_dpd_create(FALSE); 1176: } 1177: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1178: break; 1179: } 1180: #ifdef ME 1181: case ME_CONNECT: 1182: { 1183: task = (task_t*)ike_me_create(this->ike_sa, FALSE); 1184: array_insert(this->passive_tasks, ARRAY_TAIL, task); 1185: } 1186: #endif /* ME */ 1187: default: 1188: break; 1189: } 1190: } 1191: 1192: enumerator = array_create_enumerator(this->passive_tasks); 1193: while (enumerator->enumerate(enumerator, &task)) 1194: { 1195: if (!task->pre_process) 1196: { 1197: continue; 1198: } 1199: switch (task->pre_process(task, message)) 1200: { 1201: case SUCCESS: 1202: break; 1203: case FAILED: 1204: default: 1205: /* just ignore the message */ 1206: DBG1(DBG_IKE, "ignore invalid %N request", 1207: exchange_type_names, message->get_exchange_type(message)); 1208: enumerator->destroy(enumerator); 1209: switch (message->get_exchange_type(message)) 1210: { 1211: case IKE_SA_INIT: 1212: /* no point in keeping the SA when it was created with 1213: * an invalid IKE_SA_INIT message */ 1214: return DESTROY_ME; 1215: default: 1216: /* remove tasks we queued for this request */ 1217: flush_queue(this, TASK_QUEUE_PASSIVE); 1218: /* fall-through */ 1219: case IKE_AUTH: 1220: return NEED_MORE; 1221: } 1222: case DESTROY_ME: 1223: /* critical failure, destroy IKE_SA */ 1224: enumerator->destroy(enumerator); 1225: return DESTROY_ME; 1226: } 1227: } 1228: enumerator->destroy(enumerator); 1229: 1230: /* let the tasks process the message */ 1231: enumerator = array_create_enumerator(this->passive_tasks); 1232: while (enumerator->enumerate(enumerator, (void*)&task)) 1233: { 1234: switch (task->process(task, message)) 1235: { 1236: case SUCCESS: 1237: /* task completed, remove it */ 1238: array_remove_at(this->passive_tasks, enumerator); 1239: task->destroy(task); 1240: break; 1241: case NEED_MORE: 1242: /* processed, but task needs at least another call to build() */ 1243: break; 1244: case FAILED: 1245: default: 1246: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 1247: /* FALL */ 1248: case DESTROY_ME: 1249: /* critical failure, destroy IKE_SA */ 1250: array_remove_at(this->passive_tasks, enumerator); 1251: enumerator->destroy(enumerator); 1252: task->destroy(task); 1253: return DESTROY_ME; 1254: } 1255: } 1256: enumerator->destroy(enumerator); 1257: 1258: return build_response(this, message); 1259: } 1260: 1261: METHOD(task_manager_t, incr_mid, void, 1262: private_task_manager_t *this, bool initiate) 1263: { 1264: if (initiate) 1265: { 1266: this->initiating.mid++; 1267: } 1268: else 1269: { 1270: this->responding.mid++; 1271: } 1272: } 1273: 1274: METHOD(task_manager_t, get_mid, uint32_t, 1275: private_task_manager_t *this, bool initiate) 1276: { 1277: return initiate ? this->initiating.mid : this->responding.mid; 1278: } 1279: 1280: /** 1281: * Handle the given IKE fragment, if it is one. 1282: * 1283: * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was 1.1.1.2 ! misho 1284: * handled properly. Error states are returned if the fragment was invalid or 1.1 misho 1285: * the reassembled message could not have been processed properly. 1286: */ 1287: static status_t handle_fragment(private_task_manager_t *this, 1288: message_t **defrag, message_t *msg) 1289: { 1290: message_t *reassembled; 1291: status_t status; 1292: 1.1.1.2 ! misho 1293: if (*defrag && (*defrag)->get_message_id(*defrag) < msg->get_message_id(msg)) ! 1294: { ! 1295: /* clear fragments of an incompletely received retransmitted message */ ! 1296: (*defrag)->destroy(*defrag); ! 1297: *defrag = NULL; ! 1298: } 1.1 misho 1299: if (!msg->get_payload(msg, PLV2_FRAGMENT)) 1300: { 1301: return SUCCESS; 1302: } 1303: if (!*defrag) 1304: { 1305: *defrag = message_create_defrag(msg); 1306: if (!*defrag) 1307: { 1308: return FAILED; 1309: } 1310: } 1311: status = (*defrag)->add_fragment(*defrag, msg); 1312: if (status == SUCCESS) 1313: { 1314: /* reinject the reassembled message */ 1315: reassembled = *defrag; 1316: *defrag = NULL; 1317: status = this->ike_sa->process_message(this->ike_sa, reassembled); 1318: if (status == SUCCESS) 1319: { 1320: /* avoid processing the last fragment */ 1321: status = NEED_MORE; 1322: } 1323: reassembled->destroy(reassembled); 1324: } 1325: return status; 1326: } 1327: 1328: /** 1329: * Send a notify back to the sender 1330: */ 1331: static void send_notify_response(private_task_manager_t *this, 1332: message_t *request, notify_type_t type, 1333: chunk_t data) 1334: { 1335: message_t *response; 1336: packet_t *packet; 1337: host_t *me, *other; 1338: 1339: response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION); 1340: response->set_exchange_type(response, request->get_exchange_type(request)); 1341: response->set_request(response, FALSE); 1342: response->set_message_id(response, request->get_message_id(request)); 1343: response->add_notify(response, FALSE, type, data); 1344: me = this->ike_sa->get_my_host(this->ike_sa); 1345: if (me->is_anyaddr(me)) 1346: { 1347: me = request->get_destination(request); 1348: this->ike_sa->set_my_host(this->ike_sa, me->clone(me)); 1349: } 1350: other = this->ike_sa->get_other_host(this->ike_sa); 1351: if (other->is_anyaddr(other)) 1352: { 1353: other = request->get_source(request); 1354: this->ike_sa->set_other_host(this->ike_sa, other->clone(other)); 1355: } 1356: response->set_source(response, me->clone(me)); 1357: response->set_destination(response, other->clone(other)); 1358: if (this->ike_sa->generate_message(this->ike_sa, response, 1359: &packet) == SUCCESS) 1360: { 1361: charon->sender->send(charon->sender, packet); 1362: } 1363: response->destroy(response); 1364: } 1365: 1366: /** 1367: * Send an INVALID_SYNTAX notify and destroy the IKE_SA for authenticated 1368: * messages. 1369: */ 1370: static status_t send_invalid_syntax(private_task_manager_t *this, 1371: message_t *msg) 1372: { 1373: send_notify_response(this, msg, INVALID_SYNTAX, chunk_empty); 1374: incr_mid(this, FALSE); 1375: 1376: /* IKE_SA_INIT is currently the only type the parser accepts unprotected, 1377: * don't destroy the IKE_SA if such a message is invalid */ 1378: if (msg->get_exchange_type(msg) == IKE_SA_INIT) 1379: { 1380: return FAILED; 1381: } 1382: return DESTROY_ME; 1383: } 1384: 1385: /** 1386: * Parse the given message and verify that it is valid. 1387: */ 1388: static status_t parse_message(private_task_manager_t *this, message_t *msg) 1389: { 1390: status_t parse_status, status; 1391: uint8_t type = 0; 1392: 1393: parse_status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa)); 1394: 1395: if (parse_status == SUCCESS) 1396: { /* check for unsupported critical payloads */ 1397: enumerator_t *enumerator; 1398: unknown_payload_t *unknown; 1399: payload_t *payload; 1400: 1401: enumerator = msg->create_payload_enumerator(msg); 1402: while (enumerator->enumerate(enumerator, &payload)) 1403: { 1404: if (payload->get_type(payload) == PL_UNKNOWN) 1405: { 1406: unknown = (unknown_payload_t*)payload; 1407: if (unknown->is_critical(unknown)) 1408: { 1409: type = unknown->get_type(unknown); 1410: DBG1(DBG_ENC, "payload type %N is not supported, " 1411: "but payload is critical!", payload_type_names, type); 1412: parse_status = NOT_SUPPORTED; 1413: break; 1414: } 1415: } 1416: } 1417: enumerator->destroy(enumerator); 1418: } 1419: 1420: status = parse_status; 1421: 1422: if (parse_status != SUCCESS) 1423: { 1424: bool is_request = msg->get_request(msg); 1425: 1426: switch (parse_status) 1427: { 1428: case NOT_SUPPORTED: 1429: DBG1(DBG_IKE, "critical unknown payloads found"); 1430: if (is_request) 1431: { 1432: send_notify_response(this, msg, 1433: UNSUPPORTED_CRITICAL_PAYLOAD, 1434: chunk_from_thing(type)); 1435: incr_mid(this, FALSE); 1436: } 1437: break; 1438: case PARSE_ERROR: 1439: DBG1(DBG_IKE, "message parsing failed"); 1440: if (is_request) 1441: { 1442: status = send_invalid_syntax(this, msg); 1443: } 1444: break; 1445: case VERIFY_ERROR: 1446: DBG1(DBG_IKE, "message verification failed"); 1447: if (is_request) 1448: { 1449: status = send_invalid_syntax(this, msg); 1450: } 1451: break; 1452: case FAILED: 1453: DBG1(DBG_IKE, "integrity check failed"); 1454: /* ignored */ 1455: break; 1456: case INVALID_STATE: 1457: DBG1(DBG_IKE, "found encrypted message, but no keys available"); 1458: default: 1459: break; 1460: } 1461: DBG1(DBG_IKE, "%N %s with message ID %d processing failed", 1462: exchange_type_names, msg->get_exchange_type(msg), 1463: is_request ? "request" : "response", 1464: msg->get_message_id(msg)); 1465: 1466: charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg, 1467: parse_status); 1468: 1469: switch (this->ike_sa->get_state(this->ike_sa)) 1470: { 1471: case IKE_CREATED: 1472: /* invalid initiation attempt, close SA */ 1473: status = DESTROY_ME; 1474: break; 1475: case IKE_CONNECTING: 1476: case IKE_REKEYED: 1477: /* don't trigger updown event in these states */ 1478: break; 1479: default: 1480: if (status == DESTROY_ME) 1481: { 1482: charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE); 1483: } 1484: break; 1485: } 1486: } 1487: return status; 1488: } 1489: 1490: /** 1491: * Check if a message with message ID 0 looks like it is used to synchronize 1492: * the message IDs. 1493: */ 1494: static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg, 1495: bool strict) 1496: { 1497: enumerator_t *enumerator; 1498: notify_payload_t *notify; 1499: payload_t *payload; 1500: bool found = FALSE, other = FALSE; 1501: 1502: if (msg->get_exchange_type(msg) == INFORMATIONAL) 1503: { 1504: enumerator = msg->create_payload_enumerator(msg); 1505: while (enumerator->enumerate(enumerator, &payload)) 1506: { 1507: if (payload->get_type(payload) == PLV2_NOTIFY) 1508: { 1509: notify = (notify_payload_t*)payload; 1510: switch (notify->get_notify_type(notify)) 1511: { 1512: case IKEV2_MESSAGE_ID_SYNC: 1513: case IPSEC_REPLAY_COUNTER_SYNC: 1514: found = TRUE; 1515: continue; 1516: default: 1517: break; 1518: } 1519: } 1520: if (strict) 1521: { 1522: other = TRUE; 1523: break; 1524: } 1525: } 1526: enumerator->destroy(enumerator); 1527: } 1528: return found && !other; 1529: } 1530: 1531: /** 1532: * Check whether we should reject the given request message 1533: */ 1534: static inline bool reject_request(private_task_manager_t *this, 1535: message_t *msg) 1536: { 1537: ike_sa_state_t state; 1538: exchange_type_t type; 1539: ike_sa_id_t *ike_sa_id; 1540: bool reject = FALSE; 1541: 1542: state = this->ike_sa->get_state(this->ike_sa); 1543: type = msg->get_exchange_type(msg); 1544: 1545: /* reject initial messages if not received in specific states */ 1546: switch (type) 1547: { 1548: case IKE_SA_INIT: 1549: reject = state != IKE_CREATED; 1550: break; 1551: case IKE_AUTH: 1552: reject = state != IKE_CONNECTING; 1553: break; 1554: default: 1555: break; 1556: } 1557: 1558: if (!reject) 1559: { 1560: switch (state) 1561: { 1562: /* after rekeying we only expect a DELETE in an INFORMATIONAL */ 1563: case IKE_REKEYED: 1564: reject = type != INFORMATIONAL; 1565: break; 1566: /* also reject requests for half-open IKE_SAs as initiator */ 1567: case IKE_CREATED: 1568: case IKE_CONNECTING: 1569: ike_sa_id = this->ike_sa->get_id(this->ike_sa); 1570: reject = ike_sa_id->is_initiator(ike_sa_id); 1571: break; 1572: default: 1573: break; 1574: } 1575: } 1576: 1577: if (reject) 1578: { 1579: DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names, 1580: type, ike_sa_state_names, state); 1581: } 1582: return reject; 1583: } 1584: /** 1585: * Check if a message with message ID 0 looks like it is used to synchronize 1586: * the message IDs and we are prepared to process it. 1587: * 1588: * Note: This is not called if the responder never sent a message before (i.e. 1589: * we expect MID 0). 1590: */ 1591: static bool is_mid_sync(private_task_manager_t *this, message_t *msg) 1592: { 1593: if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED && 1594: this->ike_sa->supports_extension(this->ike_sa, 1595: EXT_IKE_MESSAGE_ID_SYNC)) 1596: { 1597: return looks_like_mid_sync(this, msg, TRUE); 1598: } 1599: return FALSE; 1600: } 1601: 1602: METHOD(task_manager_t, process_message, status_t, 1603: private_task_manager_t *this, message_t *msg) 1604: { 1605: host_t *me, *other; 1606: status_t status; 1607: uint32_t mid; 1608: bool schedule_delete_job = FALSE; 1609: 1610: charon->bus->message(charon->bus, msg, TRUE, FALSE); 1611: status = parse_message(this, msg); 1612: if (status != SUCCESS) 1613: { 1614: return status; 1615: } 1616: 1617: me = msg->get_destination(msg); 1618: other = msg->get_source(msg); 1619: 1620: /* if this IKE_SA is virgin, we check for a config */ 1621: if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL) 1622: { 1623: ike_cfg_t *ike_cfg; 1624: 1625: ike_cfg = charon->backends->get_ike_cfg(charon->backends, 1626: me, other, IKEV2); 1627: if (ike_cfg == NULL) 1628: { 1629: /* no config found for these hosts, destroy */ 1630: DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N", 1631: me, other, notify_type_names, NO_PROPOSAL_CHOSEN); 1632: send_notify_response(this, msg, 1633: NO_PROPOSAL_CHOSEN, chunk_empty); 1634: return DESTROY_ME; 1635: } 1636: this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg); 1637: ike_cfg->destroy(ike_cfg); 1638: /* add a timeout if peer does not establish it completely */ 1639: schedule_delete_job = TRUE; 1640: } 1641: 1642: mid = msg->get_message_id(msg); 1643: if (msg->get_request(msg)) 1644: { 1645: if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg))) 1646: { 1647: if (reject_request(this, msg)) 1648: { 1649: return FAILED; 1650: } 1651: if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) 1.1.1.2 ! misho 1652: { /* only do implicit updates without MOBIKE, and only force ! 1653: * updates for IKE_AUTH (ports might change due to NAT-T) */ ! 1654: this->ike_sa->update_hosts(this->ike_sa, me, other, ! 1655: mid == 1 ? UPDATE_HOSTS_FORCE_ADDRS : 0); 1.1 misho 1656: } 1657: status = handle_fragment(this, &this->responding.defrag, msg); 1658: if (status != SUCCESS) 1659: { 1660: if (status == NEED_MORE) 1661: { 1662: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1663: time_monotonic(NULL)); 1664: } 1665: return status; 1666: } 1667: charon->bus->message(charon->bus, msg, TRUE, TRUE); 1668: if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) 1669: { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ 1670: return SUCCESS; 1671: } 1672: switch (process_request(this, msg)) 1673: { 1674: case SUCCESS: 1675: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1676: time_monotonic(NULL)); 1677: this->responding.mid++; 1678: break; 1679: case NEED_MORE: 1680: break; 1681: default: 1682: flush(this); 1683: return DESTROY_ME; 1684: } 1685: } 1686: else if ((mid == this->responding.mid - 1) && 1687: array_count(this->responding.packets) && 1688: !(mid == 0 && looks_like_mid_sync(this, msg, FALSE))) 1689: { 1690: status = handle_fragment(this, &this->responding.defrag, msg); 1691: if (status != SUCCESS) 1692: { 1693: if (status == NEED_MORE) 1694: { 1695: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1696: time_monotonic(NULL)); 1697: } 1698: return status; 1699: } 1700: DBG1(DBG_IKE, "received retransmit of request with ID %d, " 1701: "retransmitting response", mid); 1702: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1703: time_monotonic(NULL)); 1704: charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg); 1705: send_packets(this, this->responding.packets, 1706: msg->get_destination(msg), msg->get_source(msg)); 1707: } 1708: else 1709: { 1710: DBG1(DBG_IKE, "received message ID %d, expected %d, ignored", 1711: mid, this->responding.mid); 1712: } 1713: } 1714: else 1715: { 1716: if (mid == this->initiating.mid) 1717: { 1718: if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED || 1719: this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING || 1720: msg->get_exchange_type(msg) != IKE_SA_INIT) 1721: { /* only do updates based on verified messages (or initial ones) */ 1722: if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) 1.1.1.2 ! misho 1723: { /* only do implicit updates without MOBIKE, we force an ! 1724: * update of the local address on IKE_SA_INIT as we might ! 1725: * not know it yet, but never for the remote address */ ! 1726: this->ike_sa->update_hosts(this->ike_sa, me, other, ! 1727: mid == 0 ? UPDATE_HOSTS_FORCE_LOCAL : 0); 1.1 misho 1728: } 1729: } 1730: status = handle_fragment(this, &this->initiating.defrag, msg); 1731: if (status != SUCCESS) 1732: { 1733: if (status == NEED_MORE) 1734: { 1735: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1736: time_monotonic(NULL)); 1737: } 1738: return status; 1739: } 1740: charon->bus->message(charon->bus, msg, TRUE, TRUE); 1741: if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) 1742: { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ 1743: return SUCCESS; 1744: } 1745: if (process_response(this, msg) != SUCCESS) 1746: { 1747: flush(this); 1748: return DESTROY_ME; 1749: } 1750: this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND, 1751: time_monotonic(NULL)); 1752: } 1753: else 1754: { 1755: DBG1(DBG_IKE, "received message ID %d, expected %d, ignored", 1756: mid, this->initiating.mid); 1757: return SUCCESS; 1758: } 1759: } 1760: 1761: if (schedule_delete_job) 1762: { 1763: ike_sa_id_t *ike_sa_id; 1764: job_t *job; 1765: 1766: ike_sa_id = this->ike_sa->get_id(this->ike_sa); 1767: job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE); 1768: lib->scheduler->schedule_job(lib->scheduler, job, 1769: lib->settings->get_int(lib->settings, 1770: "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT, 1771: lib->ns)); 1772: } 1773: return SUCCESS; 1774: } 1775: 1776: METHOD(task_manager_t, queue_task_delayed, void, 1777: private_task_manager_t *this, task_t *task, uint32_t delay) 1778: { 1779: queued_task_t *queued; 1780: timeval_t time; 1781: 1782: time_monotonic(&time); 1783: if (delay) 1784: { 1785: job_t *job; 1786: 1787: DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names, 1788: task->get_type(task), delay); 1789: time.tv_sec += delay; 1790: 1791: job = (job_t*)initiate_tasks_job_create( 1792: this->ike_sa->get_id(this->ike_sa)); 1793: lib->scheduler->schedule_job_tv(lib->scheduler, job, time); 1794: } 1795: else 1796: { 1797: DBG2(DBG_IKE, "queueing %N task", task_type_names, 1798: task->get_type(task)); 1799: } 1800: INIT(queued, 1801: .task = task, 1802: .time = time, 1803: ); 1804: array_insert(this->queued_tasks, ARRAY_TAIL, queued); 1805: } 1806: 1807: METHOD(task_manager_t, queue_task, void, 1808: private_task_manager_t *this, task_t *task) 1809: { 1810: queue_task_delayed(this, task, 0); 1811: } 1812: 1813: /** 1814: * Check if a given task has been queued already 1815: */ 1816: static bool has_queued(private_task_manager_t *this, task_type_t type) 1817: { 1818: enumerator_t *enumerator; 1819: bool found = FALSE; 1820: queued_task_t *queued; 1821: 1822: enumerator = array_create_enumerator(this->queued_tasks); 1823: while (enumerator->enumerate(enumerator, &queued)) 1824: { 1825: if (queued->task->get_type(queued->task) == type) 1826: { 1827: found = TRUE; 1828: break; 1829: } 1830: } 1831: enumerator->destroy(enumerator); 1832: return found; 1833: } 1834: 1835: METHOD(task_manager_t, queue_ike, void, 1836: private_task_manager_t *this) 1837: { 1838: if (!has_queued(this, TASK_IKE_VENDOR)) 1839: { 1840: queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE)); 1841: } 1842: if (!has_queued(this, TASK_IKE_INIT)) 1843: { 1844: queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL)); 1845: } 1846: if (!has_queued(this, TASK_IKE_NATD)) 1847: { 1848: queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE)); 1849: } 1850: if (!has_queued(this, TASK_IKE_CERT_PRE)) 1851: { 1852: queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE)); 1853: } 1854: if (!has_queued(this, TASK_IKE_AUTH)) 1855: { 1856: queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE)); 1857: } 1858: if (!has_queued(this, TASK_IKE_CERT_POST)) 1859: { 1860: queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE)); 1861: } 1862: if (!has_queued(this, TASK_IKE_CONFIG)) 1863: { 1864: queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE)); 1865: } 1866: if (!has_queued(this, TASK_IKE_AUTH_LIFETIME)) 1867: { 1868: queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE)); 1869: } 1870: if (!has_queued(this, TASK_IKE_MOBIKE)) 1871: { 1872: peer_cfg_t *peer_cfg; 1873: 1874: peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa); 1875: if (peer_cfg->use_mobike(peer_cfg)) 1876: { 1877: queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE)); 1878: } 1879: } 1880: #ifdef ME 1881: if (!has_queued(this, TASK_IKE_ME)) 1882: { 1883: queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE)); 1884: } 1885: #endif /* ME */ 1886: } 1887: 1888: METHOD(task_manager_t, queue_ike_rekey, void, 1889: private_task_manager_t *this) 1890: { 1891: queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE)); 1892: } 1893: 1894: /** 1895: * Start reauthentication using make-before-break 1896: */ 1897: static void trigger_mbb_reauth(private_task_manager_t *this) 1898: { 1899: enumerator_t *enumerator; 1900: child_sa_t *child_sa; 1901: child_cfg_t *cfg; 1902: peer_cfg_t *peer; 1903: ike_sa_t *new; 1904: host_t *host; 1905: queued_task_t *queued; 1906: bool children = FALSE; 1907: 1.1.1.2 ! misho 1908: new = charon->ike_sa_manager->create_new(charon->ike_sa_manager, 1.1 misho 1909: this->ike_sa->get_version(this->ike_sa), TRUE); 1910: if (!new) 1911: { /* shouldn't happen */ 1912: return; 1913: } 1914: 1915: peer = this->ike_sa->get_peer_cfg(this->ike_sa); 1916: new->set_peer_cfg(new, peer); 1917: host = this->ike_sa->get_other_host(this->ike_sa); 1918: new->set_other_host(new, host->clone(host)); 1919: host = this->ike_sa->get_my_host(this->ike_sa); 1920: new->set_my_host(new, host->clone(host)); 1921: enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE); 1922: while (enumerator->enumerate(enumerator, &host)) 1923: { 1924: new->add_virtual_ip(new, TRUE, host); 1925: } 1926: enumerator->destroy(enumerator); 1927: 1928: enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa); 1929: while (enumerator->enumerate(enumerator, &child_sa)) 1930: { 1931: child_create_t *child_create; 1932: 1933: switch (child_sa->get_state(child_sa)) 1934: { 1935: case CHILD_REKEYED: 1936: case CHILD_DELETED: 1937: /* ignore CHILD_SAs in these states */ 1938: continue; 1939: default: 1940: break; 1941: } 1942: cfg = child_sa->get_config(child_sa); 1943: child_create = child_create_create(new, cfg->get_ref(cfg), 1944: FALSE, NULL, NULL); 1945: child_create->use_reqid(child_create, child_sa->get_reqid(child_sa)); 1946: child_create->use_marks(child_create, 1947: child_sa->get_mark(child_sa, TRUE).value, 1948: child_sa->get_mark(child_sa, FALSE).value); 1949: /* interface IDs are not migrated as the new CHILD_SAs on old and new 1950: * IKE_SA go though regular updown events */ 1951: new->queue_task(new, &child_create->task); 1952: children = TRUE; 1953: } 1954: enumerator->destroy(enumerator); 1955: 1956: enumerator = array_create_enumerator(this->queued_tasks); 1957: while (enumerator->enumerate(enumerator, &queued)) 1958: { 1959: if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE) 1960: { 1961: queued->task->migrate(queued->task, new); 1962: new->queue_task(new, queued->task); 1963: array_remove_at(this->queued_tasks, enumerator); 1964: free(queued); 1965: children = TRUE; 1966: } 1967: } 1968: enumerator->destroy(enumerator); 1969: 1970: if (!children 1971: #ifdef ME 1972: /* allow reauth of mediation connections without CHILD_SAs */ 1973: && !peer->is_mediation(peer) 1974: #endif /* ME */ 1975: ) 1976: { 1977: charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); 1978: DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " 1979: "to recreate"); 1980: return; 1981: } 1982: 1983: /* suspend online revocation checking until the SA is established */ 1984: new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE); 1985: 1986: if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME) 1987: { 1988: new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new)); 1989: new->queue_task(new, (task_t*)ike_reauth_complete_create(new, 1990: this->ike_sa->get_id(this->ike_sa))); 1991: charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); 1992: } 1993: else 1994: { 1995: charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); 1996: DBG1(DBG_IKE, "reauthenticating IKE_SA failed"); 1997: } 1998: charon->bus->set_sa(charon->bus, this->ike_sa); 1999: } 2000: 2001: METHOD(task_manager_t, queue_ike_reauth, void, 2002: private_task_manager_t *this) 2003: { 2004: if (this->make_before_break) 2005: { 2006: return trigger_mbb_reauth(this); 2007: } 2008: queue_task(this, (task_t*)ike_reauth_create(this->ike_sa)); 2009: } 2010: 2011: METHOD(task_manager_t, queue_ike_delete, void, 2012: private_task_manager_t *this) 2013: { 2014: queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE)); 2015: } 2016: 2017: /** 2018: * There is no need to queue more than one mobike task, so this either returns 2019: * an already queued task or queues one if there is none yet. 2020: */ 2021: static ike_mobike_t *queue_mobike_task(private_task_manager_t *this) 2022: { 2023: enumerator_t *enumerator; 2024: queued_task_t *queued; 2025: ike_mobike_t *mobike = NULL; 2026: 2027: enumerator = array_create_enumerator(this->queued_tasks); 2028: while (enumerator->enumerate(enumerator, &queued)) 2029: { 2030: if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE) 2031: { 2032: mobike = (ike_mobike_t*)queued->task; 2033: break; 2034: } 2035: } 2036: enumerator->destroy(enumerator); 2037: 2038: if (!mobike) 2039: { 2040: mobike = ike_mobike_create(this->ike_sa, TRUE); 2041: queue_task(this, &mobike->task); 2042: } 2043: return mobike; 2044: } 2045: 2046: METHOD(task_manager_t, queue_mobike, void, 2047: private_task_manager_t *this, bool roam, bool address) 2048: { 2049: ike_mobike_t *mobike; 2050: 2051: mobike = queue_mobike_task(this); 2052: if (roam) 2053: { 2054: enumerator_t *enumerator; 2055: task_t *current; 2056: 2057: mobike->roam(mobike, address); 2058: 2059: /* enable path probing for a currently active MOBIKE task. This might 2060: * not be the case if an address appeared on a new interface while the 2061: * current address is not working but has not yet disappeared. */ 2062: enumerator = array_create_enumerator(this->active_tasks); 2063: while (enumerator->enumerate(enumerator, ¤t)) 2064: { 2065: if (current->get_type(current) == TASK_IKE_MOBIKE) 2066: { 2067: ike_mobike_t *active = (ike_mobike_t*)current; 2068: active->enable_probing(active); 2069: break; 2070: } 2071: } 2072: enumerator->destroy(enumerator); 2073: } 2074: else 2075: { 2076: mobike->addresses(mobike); 2077: } 2078: } 2079: 2080: METHOD(task_manager_t, queue_dpd, void, 2081: private_task_manager_t *this) 2082: { 2083: ike_mobike_t *mobike; 2084: 2085: if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) 2086: { 2087: #ifdef ME 2088: peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa); 2089: if (cfg->get_peer_id(cfg) || 2090: this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) 2091: #else 2092: if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR)) 2093: #endif 2094: { 2095: /* use mobike enabled DPD to detect NAT mapping changes */ 2096: mobike = queue_mobike_task(this); 2097: mobike->dpd(mobike); 2098: return; 2099: } 2100: } 2101: queue_task(this, (task_t*)ike_dpd_create(TRUE)); 2102: } 2103: 2104: METHOD(task_manager_t, queue_child, void, 2105: private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid, 2106: traffic_selector_t *tsi, traffic_selector_t *tsr) 2107: { 2108: child_create_t *task; 2109: 2110: task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr); 2111: if (reqid) 2112: { 2113: task->use_reqid(task, reqid); 2114: } 2115: queue_task(this, &task->task); 2116: } 2117: 2118: METHOD(task_manager_t, queue_child_rekey, void, 2119: private_task_manager_t *this, protocol_id_t protocol, uint32_t spi) 2120: { 2121: queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi)); 2122: } 2123: 2124: METHOD(task_manager_t, queue_child_delete, void, 2125: private_task_manager_t *this, protocol_id_t protocol, uint32_t spi, 2126: bool expired) 2127: { 2128: queue_task(this, (task_t*)child_delete_create(this->ike_sa, 2129: protocol, spi, expired)); 2130: } 2131: 2132: METHOD(task_manager_t, adopt_tasks, void, 2133: private_task_manager_t *this, task_manager_t *other_public) 2134: { 2135: private_task_manager_t *other = (private_task_manager_t*)other_public; 2136: queued_task_t *queued; 2137: timeval_t now; 2138: 2139: time_monotonic(&now); 2140: 2141: /* move queued tasks from other to this */ 2142: while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued)) 2143: { 2144: DBG2(DBG_IKE, "migrating %N task", task_type_names, 2145: queued->task->get_type(queued->task)); 2146: queued->task->migrate(queued->task, this->ike_sa); 2147: /* don't delay tasks on the new IKE_SA */ 2148: queued->time = now; 2149: array_insert(this->queued_tasks, ARRAY_HEAD, queued); 2150: } 2151: } 2152: 2153: METHOD(task_manager_t, busy, bool, 2154: private_task_manager_t *this) 2155: { 2156: return array_count(this->active_tasks) > 0; 2157: } 2158: 2159: METHOD(task_manager_t, reset, void, 2160: private_task_manager_t *this, uint32_t initiate, uint32_t respond) 2161: { 2162: enumerator_t *enumerator; 2163: queued_task_t *queued; 2164: task_t *task; 2165: timeval_t now; 2166: 2167: /* reset message counters and retransmit packets */ 2168: clear_packets(this->responding.packets); 2169: clear_packets(this->initiating.packets); 2170: DESTROY_IF(this->responding.defrag); 2171: DESTROY_IF(this->initiating.defrag); 2172: this->responding.defrag = NULL; 2173: this->initiating.defrag = NULL; 2174: if (initiate != UINT_MAX) 2175: { 2176: this->initiating.mid = initiate; 2177: } 2178: if (respond != UINT_MAX) 2179: { 2180: this->responding.mid = respond; 2181: } 2182: this->initiating.type = EXCHANGE_TYPE_UNDEFINED; 2183: 2184: time_monotonic(&now); 2185: /* reset queued tasks */ 2186: enumerator = array_create_enumerator(this->queued_tasks); 2187: while (enumerator->enumerate(enumerator, &queued)) 2188: { 2189: queued->time = now; 2190: queued->task->migrate(queued->task, this->ike_sa); 2191: } 2192: enumerator->destroy(enumerator); 2193: 2194: /* reset active tasks */ 2195: while (array_remove(this->active_tasks, ARRAY_TAIL, &task)) 2196: { 2197: task->migrate(task, this->ike_sa); 2198: INIT(queued, 2199: .task = task, 2200: .time = now, 2201: ); 2202: array_insert(this->queued_tasks, ARRAY_HEAD, queued); 2203: } 2204: 2205: this->reset = TRUE; 2206: } 2207: 2208: /** 2209: * Data for a task queue enumerator 2210: */ 2211: typedef struct { 2212: enumerator_t public; 2213: task_queue_t queue; 2214: enumerator_t *inner; 2215: queued_task_t *queued; 2216: } task_enumerator_t; 2217: 2218: METHOD(enumerator_t, task_enumerator_destroy, void, 2219: task_enumerator_t *this) 2220: { 2221: this->inner->destroy(this->inner); 2222: free(this); 2223: } 2224: 2225: METHOD(enumerator_t, task_enumerator_enumerate, bool, 2226: task_enumerator_t *this, va_list args) 2227: { 2228: task_t **task; 2229: 2230: VA_ARGS_VGET(args, task); 2231: if (this->queue == TASK_QUEUE_QUEUED) 2232: { 2233: if (this->inner->enumerate(this->inner, &this->queued)) 2234: { 2235: *task = this->queued->task; 2236: return TRUE; 2237: } 2238: } 2239: else if (this->inner->enumerate(this->inner, task)) 2240: { 2241: return TRUE; 2242: } 2243: return FALSE; 2244: } 2245: 2246: METHOD(task_manager_t, create_task_enumerator, enumerator_t*, 2247: private_task_manager_t *this, task_queue_t queue) 2248: { 2249: task_enumerator_t *enumerator; 2250: 2251: INIT(enumerator, 2252: .public = { 2253: .enumerate = enumerator_enumerate_default, 2254: .venumerate = _task_enumerator_enumerate, 2255: .destroy = _task_enumerator_destroy, 2256: }, 2257: .queue = queue, 2258: ); 2259: switch (queue) 2260: { 2261: case TASK_QUEUE_ACTIVE: 2262: enumerator->inner = array_create_enumerator(this->active_tasks); 2263: break; 2264: case TASK_QUEUE_PASSIVE: 2265: enumerator->inner = array_create_enumerator(this->passive_tasks); 2266: break; 2267: case TASK_QUEUE_QUEUED: 2268: enumerator->inner = array_create_enumerator(this->queued_tasks); 2269: break; 2270: default: 2271: enumerator->inner = enumerator_create_empty(); 2272: break; 2273: } 2274: return &enumerator->public; 2275: } 2276: 2277: METHOD(task_manager_t, remove_task, void, 2278: private_task_manager_t *this, enumerator_t *enumerator_public) 2279: { 2280: task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public; 2281: 2282: switch (enumerator->queue) 2283: { 2284: case TASK_QUEUE_ACTIVE: 2285: array_remove_at(this->active_tasks, enumerator->inner); 2286: break; 2287: case TASK_QUEUE_PASSIVE: 2288: array_remove_at(this->passive_tasks, enumerator->inner); 2289: break; 2290: case TASK_QUEUE_QUEUED: 2291: array_remove_at(this->queued_tasks, enumerator->inner); 2292: free(enumerator->queued); 2293: enumerator->queued = NULL; 2294: break; 2295: default: 2296: break; 2297: } 2298: } 2299: 2300: METHOD(task_manager_t, destroy, void, 2301: private_task_manager_t *this) 2302: { 2303: flush(this); 2304: 2305: array_destroy(this->active_tasks); 2306: array_destroy(this->queued_tasks); 2307: array_destroy(this->passive_tasks); 2308: 2309: clear_packets(this->responding.packets); 2310: array_destroy(this->responding.packets); 2311: clear_packets(this->initiating.packets); 2312: array_destroy(this->initiating.packets); 2313: DESTROY_IF(this->responding.defrag); 2314: DESTROY_IF(this->initiating.defrag); 2315: free(this); 2316: } 2317: 2318: /* 2319: * see header file 2320: */ 2321: task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa) 2322: { 2323: private_task_manager_t *this; 2324: 2325: INIT(this, 2326: .public = { 2327: .task_manager = { 2328: .process_message = _process_message, 2329: .queue_task = _queue_task, 2330: .queue_task_delayed = _queue_task_delayed, 2331: .queue_ike = _queue_ike, 2332: .queue_ike_rekey = _queue_ike_rekey, 2333: .queue_ike_reauth = _queue_ike_reauth, 2334: .queue_ike_delete = _queue_ike_delete, 2335: .queue_mobike = _queue_mobike, 2336: .queue_child = _queue_child, 2337: .queue_child_rekey = _queue_child_rekey, 2338: .queue_child_delete = _queue_child_delete, 2339: .queue_dpd = _queue_dpd, 2340: .initiate = _initiate, 2341: .retransmit = _retransmit, 2342: .incr_mid = _incr_mid, 2343: .get_mid = _get_mid, 2344: .reset = _reset, 2345: .adopt_tasks = _adopt_tasks, 2346: .busy = _busy, 2347: .create_task_enumerator = _create_task_enumerator, 2348: .remove_task = _remove_task, 2349: .flush = _flush, 2350: .flush_queue = _flush_queue, 2351: .destroy = _destroy, 2352: }, 2353: }, 2354: .ike_sa = ike_sa, 2355: .initiating.type = EXCHANGE_TYPE_UNDEFINED, 2356: .queued_tasks = array_create(0, 0), 2357: .active_tasks = array_create(0, 0), 2358: .passive_tasks = array_create(0, 0), 2359: .retransmit_tries = lib->settings->get_int(lib->settings, 2360: "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns), 2361: .retransmit_timeout = lib->settings->get_double(lib->settings, 2362: "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns), 2363: .retransmit_base = lib->settings->get_double(lib->settings, 2364: "%s.retransmit_base", RETRANSMIT_BASE, lib->ns), 2365: .retransmit_jitter = min(lib->settings->get_int(lib->settings, 2366: "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX), 2367: .retransmit_limit = lib->settings->get_int(lib->settings, 2368: "%s.retransmit_limit", 0, lib->ns) * 1000, 2369: .make_before_break = lib->settings->get_bool(lib->settings, 2370: "%s.make_before_break", FALSE, lib->ns), 2371: ); 2372: 1.1.1.2 ! misho 2373: if (this->retransmit_base > 1) ! 2374: { /* based on 1000 * timeout * base^try */ ! 2375: this->retransmit_tries_max = log(UINT32_MAX/ ! 2376: (1000.0 * this->retransmit_timeout))/ ! 2377: log(this->retransmit_base); ! 2378: } 1.1 misho 2379: return &this->public; 2380: }