/src/strongswan/src/libcharon/sa/ike_sa.c
1
/*
2
 * Copyright (C) 2006-2024 Tobias Brunner
3
 * Copyright (C) 2006 Daniel Roethlisberger
4
 * Copyright (C) 2005-2009 Martin Willi
5
 * Copyright (C) 2005 Jan Hutter
6
 *
7
 * Copyright (C) secunet Security Networks AG
8
 *
9
 * This program is free software; you can redistribute it and/or modify it
10
 * under the terms of the GNU General Public License as published by the
11
 * Free Software Foundation; either version 2 of the License, or (at your
12
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
13
 *
14
 * This program is distributed in the hope that it will be useful, but
15
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
17
 * for more details.
18
 */
19
20
/*
21
 * Copyright (c) 2014 Volker Rümelin
22
 *
23
 * Permission is hereby granted, free of charge, to any person obtaining a copy
24
 * of this software and associated documentation files (the "Software"), to deal
25
 * in the Software without restriction, including without limitation the rights
26
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27
 * copies of the Software, and to permit persons to whom the Software is
28
 * furnished to do so, subject to the following conditions:
29
 *
30
 * The above copyright notice and this permission notice shall be included in
31
 * all copies or substantial portions of the Software.
32
 *
33
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39
 * THE SOFTWARE.
40
 */
41
42
#include <string.h>
43
#include <sys/stat.h>
44
#include <errno.h>
45
#include <time.h>
46
47
#include "ike_sa.h"
48
49
#include <library.h>
50
#include <daemon.h>
51
#include <collections/array.h>
52
#include <utils/lexparser.h>
53
#include <processing/jobs/retransmit_job.h>
54
#include <processing/jobs/delete_ike_sa_job.h>
55
#include <processing/jobs/send_dpd_job.h>
56
#include <processing/jobs/send_keepalive_job.h>
57
#include <processing/jobs/rekey_ike_sa_job.h>
58
#include <processing/jobs/retry_initiate_job.h>
59
#include <sa/ikev2/tasks/ike_auth_lifetime.h>
60
#include <sa/ikev2/tasks/ike_reauth_complete.h>
61
#include <sa/ikev2/tasks/ike_redirect.h>
62
#include <credentials/sets/auth_cfg_wrapper.h>
63
64
#ifdef ME
65
#include <sa/ikev2/tasks/ike_me.h>
66
#include <processing/jobs/initiate_mediation_job.h>
67
#endif
68
/**
 * Printable names for ike_sa_state_t, in enum order, used with the %N
 * printf hook in the log messages of this file.
 */
ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
  "CREATED",
  "CONNECTING",
  "ESTABLISHED",
  "PASSIVE",
  "REKEYING",
  "REKEYED",
  "DELETING",
  "DESTROYING",
);

/* forward declarations of the private types defined below */
typedef struct private_ike_sa_t private_ike_sa_t;
typedef struct attribute_entry_t attribute_entry_t;

/**
 * Private data of an ike_sa_t object.
 */
struct private_ike_sa_t {

  /**
   * Public members
   */
  ike_sa_t public;

  /**
   * Identifier for the current IKE_SA.
   */
  ike_sa_id_t *ike_sa_id;

  /**
   * IKE version of this SA.
   */
  ike_version_t version;

  /**
   * unique numerical ID for this IKE_SA.
   */
  uint32_t unique_id;

  /**
   * Current state of the IKE_SA (see ike_sa_state_names)
   */
  ike_sa_state_t state;

  /**
   * IKE configuration used to set up this IKE_SA
   */
  ike_cfg_t *ike_cfg;

  /**
   * Peer and authentication information to establish IKE_SA.
   */
  peer_cfg_t *peer_cfg;

  /**
   * currently used authentication ruleset, local
   */
  auth_cfg_t *my_auth;

  /**
   * currently used authentication constraints, remote
   */
  auth_cfg_t *other_auth;

  /**
   * Array of completed local authentication rounds (as auth_cfg_t)
   */
  array_t *my_auths;

  /**
   * Array of completed remote authentication rounds (as auth_cfg_t)
   */
  array_t *other_auths;

  /**
   * Selected IKE proposal
   */
  proposal_t *proposal;

  /**
   * Juggles tasks to process messages
   */
  task_manager_t *task_manager;

  /**
   * Address of local host
   */
  host_t *my_host;

  /**
   * Address of remote host
   */
  host_t *other_host;

#ifdef ME
  /**
   * Are we mediation server
   */
  bool is_mediation_server;

  /**
   * Server reflexive host
   */
  host_t *server_reflexive_host;

  /**
   * Connect ID
   */
  chunk_t connect_id;
#endif /* ME */

  /**
   * Identification used for us
   */
  identification_t *my_id;

  /**
   * Identification used for other
   */
  identification_t *other_id;

  /**
   * Set of extensions the peer supports
   */
  ike_extension_t extensions;

  /**
   * Set of private extensions the peer supports (those flagged with
   * EXT_PRIVATE_MARKER, stored without the marker bit)
   */
  ike_extension_t private_extensions;

  /**
   * Set of condition flags currently enabled for this IKE_SA
   */
  ike_condition_t conditions;

  /**
   * Set of private condition flags currently enabled for this IKE_SA
   * (those flagged with COND_PRIVATE_MARKER, stored without the marker bit)
   */
  ike_condition_t private_conditions;

  /**
   * Array containing the child sa's of the current IKE_SA.
   */
  array_t *child_sas;

  /**
   * keymat of this IKE_SA
   */
  keymat_t *keymat;

  /**
   * Virtual IPs on local host
   */
  array_t *my_vips;

  /**
   * Virtual IPs on remote host
   */
  array_t *other_vips;

  /**
   * List of configuration attributes (attribute_entry_t)
   */
  array_t *attributes;

  /**
   * list of peer's addresses, additional ones transmitted via MOBIKE
   */
  array_t *peer_addresses;

  /**
   * previously value of received DESTINATION_IP hash
   */
  chunk_t nat_detection_dest;

  /**
   * NAT keep alive interval, 0 disables keep alives
   */
  uint32_t keepalive_interval;

  /**
   * Time the NAT keep alive interval may be exceeded before triggering a DPD
   * instead of a NAT keep alive
   */
  uint32_t keepalive_dpd_margin;

  /**
   * The scheduled keep alive job, if any
   */
  send_keepalive_job_t *keepalive_job;

  /**
   * interval for retries during initiation (e.g. if DNS resolution failed),
   * 0 to disable (default)
   */
  uint32_t retry_initiate_interval;

  /**
   * TRUE if a retry_initiate_job has been queued
   */
  bool retry_initiate_queued;

  /**
   * Timestamps for this IKE_SA, indexed by statistic_t
   */
  uint32_t stats[STAT_MAX];

  /**
   * how many times we have retried so far (keyingtries)
   */
  uint32_t keyingtry;

  /**
   * local host address to be used for IKE, set via MIGRATE kernel message
   */
  host_t *local_host;

  /**
   * remote host address to be used for IKE, set via MIGRATE kernel message
   */
  host_t *remote_host;

  /**
   * Flush auth configs once established?
   */
  bool flush_auth_cfg;

  /**
   * Maximum length of a single fragment, 0 for address-specific defaults
   */
  size_t fragment_size;

  /**
   * Whether to follow IKEv2 redirects
   */
  bool follow_redirects;

  /**
   * Original gateway address from which we got redirected
   */
  host_t *redirected_from;

  /**
   * Timestamps of redirect attempts to handle loops
   */
  array_t *redirected_at;

  /**
   * Inbound interface ID
   */
  uint32_t if_id_in;

  /**
   * Outbound interface ID
   */
  uint32_t if_id_out;
};

/**
 * Entry to maintain installed configuration attributes during IKE_SA lifetime
 */
struct attribute_entry_t {
  /** handler used to install this attribute */
  attribute_handler_t *handler;
  /** attribute type */
  configuration_attribute_type_t type;
  /** attribute data */
  chunk_t data;
};

/**
 * Determine the fragment size based on the address family of the remote host.
 *
 * Tries the family-specific setting first, then the generic one, and finally
 * falls back to built-in defaults (576 for IPv4, 1280 for IPv6).
 */
static void determine_fragment_size(private_ike_sa_t *this)
{
  int family = this->other_host->get_family(this->other_host);
  int ip_version = (family == AF_INET) ? 4 : 6;

  this->fragment_size = lib->settings->get_int(lib->settings,
      "%s.fragment_size_v%hhu", 0, lib->ns, ip_version);
  if (this->fragment_size)
  {
    return;
  }
  this->fragment_size = lib->settings->get_int(lib->settings,
      "%s.fragment_size", 1280, lib->ns);
  if (this->fragment_size)
  {
    return;
  }
  this->fragment_size = (family == AF_INET) ? 576 : 1280;
}

/**
 * Get the time of the latest traffic processed by the kernel.
 *
 * Starts from the IKE_SA's own inbound/outbound timestamp and, if any NAT
 * condition is set, also takes the use times of all CHILD_SAs into account.
 *
 * @param inbound   TRUE for inbound traffic, FALSE for outbound
 * @return          latest use time
 */
static time_t get_use_time(private_ike_sa_t* this, bool inbound)
{
  enumerator_t *children;
  child_sa_t *child;
  time_t latest, child_time;

  latest = inbound ? this->stats[STAT_INBOUND] : this->stats[STAT_OUTBOUND];

  /* IPsec traffic is only a useful indicator if it is UDP-encapsulated and
   * therefore takes the same path as the IKE traffic */
  if (!this->public.has_condition(&this->public, COND_NAT_ANY))
  {
    return latest;
  }
  children = array_create_enumerator(this->child_sas);
  while (children->enumerate(children, &child))
  {
    child->get_usestats(child, inbound, &child_time, NULL, NULL);
    latest = max(latest, child_time);
  }
  children->destroy(children);
  return latest;
}

/* Numeric identifier of this IKE_SA */
METHOD(ike_sa_t, get_unique_id, uint32_t,
  private_ike_sa_t *this)
{
  uint32_t id = this->unique_id;

  return id;
}

/* Name of the peer config, or a placeholder while none is assigned */
METHOD(ike_sa_t, get_name, char*,
  private_ike_sa_t *this)
{
  peer_cfg_t *cfg = this->peer_cfg;

  return cfg ? cfg->get_name(cfg) : "(unnamed)";
}

/* Read a timestamp; kinds outside stats[] read as 0 instead of indexing
 * past the array */
METHOD(ike_sa_t, get_statistic, uint32_t,
  private_ike_sa_t *this, statistic_t kind)
{
  return (kind < STAT_MAX) ? this->stats[kind] : 0;
}

/* Store a timestamp; kinds outside stats[] are ignored */
METHOD(ike_sa_t, set_statistic, void,
  private_ike_sa_t *this, statistic_t kind, uint32_t value)
{
  if (kind >= STAT_MAX)
  {
    return;
  }
  this->stats[kind] = value;
}

/* Local IKE address (not cloned, owned by the IKE_SA) */
METHOD(ike_sa_t, get_my_host, host_t*,
  private_ike_sa_t *this)
{
  host_t *me = this->my_host;

  return me;
}

/* Replace the local IKE address; ownership of me is adopted and the
 * previous address, if any, is destroyed */
METHOD(ike_sa_t, set_my_host, void,
  private_ike_sa_t *this, host_t *me)
{
  host_t *previous = this->my_host;

  this->my_host = me;
  DESTROY_IF(previous);
}

/* Remote IKE address (not cloned, owned by the IKE_SA) */
METHOD(ike_sa_t, get_other_host, host_t*,
  private_ike_sa_t *this)
{
  host_t *other = this->other_host;

  return other;
}

/* Replace the remote IKE address (ownership adopted) and re-derive the
 * fragment size, as it depends on the remote address family */
METHOD(ike_sa_t, set_other_host, void,
  private_ike_sa_t *this, host_t *other)
{
  host_t *previous = this->other_host;

  this->other_host = other;
  DESTROY_IF(previous);
  determine_fragment_size(this);
}

/* Gateway we were redirected from, NULL if not redirected */
METHOD(ike_sa_t, get_redirected_from, host_t*,
  private_ike_sa_t *this)
{
  host_t *origin = this->redirected_from;

  return origin;
}

/* Currently assigned peer config, NULL if none (no reference is taken) */
METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*,
  private_ike_sa_t *this)
{
  peer_cfg_t *cfg = this->peer_cfg;

  return cfg;
}

/**
 * Assign a peer config and, derived from it, the IKE config and interface IDs.
 *
 * The new reference is taken before the old one is released, so assigning
 * the already set config is safe.
 */
METHOD(ike_sa_t, set_peer_cfg, void,
  private_ike_sa_t *this, peer_cfg_t *peer_cfg)
{
  peer_cfg_t *old_peer = this->peer_cfg;
  ike_cfg_t *old_ike = this->ike_cfg;

  peer_cfg->get_ref(peer_cfg);
  this->peer_cfg = peer_cfg;
  DESTROY_IF(old_peer);

  DESTROY_IF(old_ike);
  this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
  this->ike_cfg->get_ref(this->ike_cfg);

  /* interface IDs come from the config, unique ones are allocated on demand */
  this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE);
  this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE);
  allocate_unique_if_ids(&this->if_id_in, &this->if_id_out);
}

/* Authentication config of the current round, local or remote */
METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*,
  private_ike_sa_t *this, bool local)
{
  return local ? this->my_auth : this->other_auth;
}

/* Record a completed authentication round (ownership of cfg adopted) */
METHOD(ike_sa_t, add_auth_cfg, void,
  private_ike_sa_t *this, bool local, auth_cfg_t *cfg)
{
  array_t *rounds = local ? this->my_auths : this->other_auths;

  array_insert(rounds, ARRAY_TAIL, cfg);
}

/* Enumerate completed authentication rounds, local or remote */
METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*,
  private_ike_sa_t *this, bool local)
{
  array_t *rounds = local ? this->my_auths : this->other_auths;

  return array_create_enumerator(rounds);
}

/**
 * Flush the stored authentication round information.
 *
 * Purges the current local/remote rulesets and destroys all completed
 * rounds on both sides.
 */
static void flush_auth_cfgs(private_ike_sa_t *this)
{
  array_t *rounds[] = { this->my_auths, this->other_auths };
  auth_cfg_t *round;
  size_t i;

  this->my_auth->purge(this->my_auth, FALSE);
  this->other_auth->purge(this->other_auth, FALSE);

  for (i = 0; i < sizeof(rounds) / sizeof(rounds[0]); i++)
  {
    while (array_remove(rounds[i], ARRAY_TAIL, &round))
    {
      round->destroy(round);
    }
  }
}

/**
 * Re-verify the peer certificate(s) of an established IKE_SA.
 *
 * Walks the configured remote authentication rounds paired with the
 * completed ones. Rounds that are not public-key based, have no subject
 * certificate or no usable public key are skipped without affecting the
 * result. For the others, the certificate must be within its validity
 * period, must be found via a trusted chain, and the merged auth info must
 * comply with the configured constraints.
 *
 * @return  TRUE if all checked rounds verified, FALSE otherwise
 */
METHOD(ike_sa_t, verify_peer_certificate, bool,
  private_ike_sa_t *this)
{
  enumerator_t *e1, *e2, *certs;
  auth_cfg_t *cfg, *cfg_done;
  certificate_t *peer, *cert;
  public_key_t *key;
  auth_cfg_t *auth;
  auth_cfg_wrapper_t *wrapper;
  time_t not_before, not_after;
  bool valid = TRUE, found;

  if (this->state != IKE_ESTABLISHED)
  {
    DBG1(DBG_IKE, "unable to verify peer certificate in state %N",
       ike_sa_state_names, this->state);
    return FALSE;
  }

  if (!this->flush_auth_cfg &&
    lib->settings->get_bool(lib->settings,
                "%s.flush_auth_cfg", FALSE, lib->ns))
  { /* we can do this check only once if auth configs are flushed */
    DBG1(DBG_IKE, "unable to verify peer certificate as authentication "
       "information has been flushed");
    return FALSE;
  }
  /* online validation is performed again below, so it is no longer suspended */
  this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED,
                 FALSE);

  /* e1: configured remote rounds, e2: completed remote rounds, in lockstep */
  e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
  e2 = array_create_enumerator(this->other_auths);
  while (e1->enumerate(e1, &cfg))
  {
    if (!e2->enumerate(e2, &cfg_done))
    { /* this should not happen as the authentication should never have
       * succeeded */
      valid = FALSE;
      break;
    }
    if ((uintptr_t)cfg_done->get(cfg_done,
                   AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY)
    { /* only certificate based rounds are re-verified */
      continue;
    }
    peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT);
    if (!peer)
    {
      DBG1(DBG_IKE, "no subject certificate found, skipping certificate "
         "verification");
      continue;
    }
    if (!peer->get_validity(peer, NULL, &not_before, &not_after))
    {
      DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)",
         &not_before, FALSE, &not_after, FALSE);
      valid = FALSE;
      break;
    }
    key = peer->get_public_key(peer);
    if (!key)
    {
      DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate "
         "verification");
      continue;
    }
    DBG1(DBG_IKE, "verifying peer certificate");
    /* serve received certificates */
    wrapper = auth_cfg_wrapper_create(cfg_done);
    lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE);
    certs = lib->credmgr->create_trusted_enumerator(lib->credmgr,
              key->get_type(key), peer->get_subject(peer), TRUE);
    key->destroy(key);

    /* the peer certificate itself must show up among the trusted ones */
    found = FALSE;
    while (certs->enumerate(certs, &cert, &auth))
    {
      if (peer->equals(peer, cert))
      {
        cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED,
                FALSE);
        cfg_done->merge(cfg_done, auth, FALSE);
        /* the merged info must satisfy the configured constraints */
        valid = cfg_done->complies(cfg_done, cfg, TRUE);
        found = TRUE;
        break;
      }
    }
    certs->destroy(certs);
    lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set);
    wrapper->destroy(wrapper);
    if (!found || !valid)
    { /* not trusted, or trusted but non-compliant: fail the whole check */
      valid = FALSE;
      break;
    }
  }
  e1->destroy(e1);
  e2->destroy(e2);

  if (this->flush_auth_cfg)
  { /* deferred flush: the auth info was kept only for this verification */
    this->flush_auth_cfg = FALSE;
    flush_auth_cfgs(this);
  }
  return valid;
}

/* Selected IKE proposal, NULL until one was set (owned by the IKE_SA) */
METHOD(ike_sa_t, get_proposal, proposal_t*,
  private_ike_sa_t *this)
{
  proposal_t *selected = this->proposal;

  return selected;
}

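/**
 * Store a copy of the selected IKE proposal.
 *
 * The clone is taken before the previous proposal is destroyed, so passing
 * the proposal currently returned by get_proposal() is safe.
 *
 * @param proposal  proposal to clone, ownership stays with the caller
 */
METHOD(ike_sa_t, set_proposal, void,
  private_ike_sa_t *this, proposal_t *proposal)
{
  proposal_t *copy = proposal->clone(proposal, 0);

  DESTROY_IF(this->proposal);
  this->proposal = copy;
}
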
/* Reset one of the two message ID counters of the task manager, UINT_MAX
 * leaves the other one untouched */
METHOD(ike_sa_t, set_message_id, void,
  private_ike_sa_t *this, bool initiate, uint32_t mid)
{
  uint32_t initiate_mid = initiate ? mid : UINT_MAX;
  uint32_t respond_mid = initiate ? UINT_MAX : mid;

  this->task_manager->reset(this->task_manager, initiate_mid, respond_mid);
}

/* Current message ID of the initiating or responding exchange */
METHOD(ike_sa_t, get_message_id, uint32_t,
  private_ike_sa_t *this, bool initiate)
{
  task_manager_t *tm = this->task_manager;

  return tm->get_mid(tm, initiate);
}

/**
 * Set configured DSCP value on packet (no-op without an IKE config).
 */
static void set_dscp(private_ike_sa_t *this, packet_t *packet)
{
  ike_cfg_t *cfg = this->ike_cfg;

  if (!cfg)
  {
    return;
  }
  packet->set_dscp(packet, cfg->get_dscp(cfg));
}

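/**
 * Send a NAT keep alive, or a DPD instead if the outbound path has been
 * idle for longer than interval + margin, and (re)schedule the next one.
 *
 * @param scheduled  TRUE if invoked by the scheduled keep alive job
 */
METHOD(ike_sa_t, send_keepalive, void,
  private_ike_sa_t *this, bool scheduled)
{
  time_t last_out, now, diff;

  if (scheduled)
  { /* the job that invoked us has fired, a new one is created below */
    this->keepalive_job = NULL;
  }
  if (!this->keepalive_interval || this->state == IKE_PASSIVE)
  { /* keepalives disabled either by configuration or for passive IKE_SAs */
    return;
  }
  if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE))
  { /* disable keepalives if we are not NATed anymore, or the SA is stale */
    return;
  }

  last_out = get_use_time(this, FALSE);
  now = time_monotonic(NULL);

  diff = now - last_out;

  if (this->keepalive_dpd_margin &&
    diff > (this->keepalive_interval + this->keepalive_dpd_margin))
  {
    if (!this->task_manager->busy(this->task_manager))
    {
      /* diff is a time_t, cast it to match the %d conversion */
      DBG1(DBG_IKE, "sending DPD instead of keep alive %ds after last "
         "outbound message", (int)diff);
      this->task_manager->queue_dpd(this->task_manager);
      this->task_manager->initiate(this->task_manager);
    }
    diff = 0;
  }
  else if (diff >= this->keepalive_interval)
  {
    packet_t *packet;
    chunk_t data;

    packet = packet_create();
    packet->set_source(packet, this->my_host->clone(this->my_host));
    packet->set_destination(packet, this->other_host->clone(this->other_host));
    set_dscp(this, packet);
    /* a single 0xFF byte is the NAT keep alive payload, the packet adopts it */
    data.ptr = malloc(1);
    data.ptr[0] = 0xFF;
    data.len = 1;
    packet->set_data(packet, data);
    DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host);
    charon->sender->send_no_marker(charon->sender, packet);
    this->stats[STAT_OUTBOUND] = now;
    diff = 0;
  }
  if (!this->keepalive_job)
  { /* diff is 0 if something was sent, otherwise the remaining idle time
     * shortens the delay until the next check */
    this->keepalive_job = send_keepalive_job_create(this->ike_sa_id);
    lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job,
                   this->keepalive_interval - diff);
  }
}
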
/* Currently assigned IKE config, NULL if none (no reference is taken) */
METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*,
  private_ike_sa_t *this)
{
  ike_cfg_t *cfg = this->ike_cfg;

  return cfg;
}

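/**
 * Assign an IKE config, taking a reference on it.
 *
 * The new reference is taken before the old one is released (as in
 * set_peer_cfg()), so passing the config that is already assigned does not
 * drop its last reference before it is re-acquired.
 *
 * @param ike_cfg  config to assign, a reference is taken
 */
METHOD(ike_sa_t, set_ike_cfg, void,
  private_ike_sa_t *this, ike_cfg_t *ike_cfg)
{
  ike_cfg->get_ref(ike_cfg);
  DESTROY_IF(this->ike_cfg);
  this->ike_cfg = ike_cfg;
}
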
/* Record an extension the peer supports; private extensions are kept in a
 * separate set, without the marker bit */
METHOD(ike_sa_t, enable_extension, void,
  private_ike_sa_t *this, ike_extension_t extension)
{
  bool is_private = (extension & EXT_PRIVATE_MARKER) != 0;
  ike_extension_t *set = is_private ? &this->private_extensions
                                    : &this->extensions;

  *set |= (extension & ~EXT_PRIVATE_MARKER);
}

/* Check whether the peer announced an extension, consulting the private
 * set for extensions carrying the marker bit */
METHOD(ike_sa_t, supports_extension, bool,
  private_ike_sa_t *this, ike_extension_t extension)
{
  bool is_private = (extension & EXT_PRIVATE_MARKER) != 0;
  ike_extension_t *set = is_private ? &this->private_extensions
                                    : &this->extensions;

  return (*set & extension) != 0;
}

/* Check whether a condition flag is set, consulting the private set for
 * conditions carrying the marker bit */
METHOD(ike_sa_t, has_condition, bool,
  private_ike_sa_t *this, ike_condition_t condition)
{
  bool is_private = (condition & COND_PRIVATE_MARKER) != 0;
  ike_condition_t *set = is_private ? &this->private_conditions
                                    : &this->conditions;

  return (*set & condition) != 0;
}

/**
 * Enable or disable a condition flag, with side effects for NAT conditions.
 *
 * Changes are applied only if the flag actually flips. Setting any of the
 * NAT conditions also sets COND_NAT_ANY; clearing one recomputes
 * COND_NAT_ANY from the remaining NAT flags (recursively through this
 * function). Keep alives are (re)started when we become NATed or when the
 * SA is no longer stale.
 *
 * @param condition  condition flag (may carry COND_PRIVATE_MARKER)
 * @param enable     TRUE to set, FALSE to clear
 */
METHOD(ike_sa_t, set_condition, void,
  private_ike_sa_t *this, ike_condition_t condition, bool enable)
{
  ike_condition_t *ptr;

  if (has_condition(this, condition) != enable)
  {
    ptr = (condition & COND_PRIVATE_MARKER) ? &this->private_conditions
                          : &this->conditions;
    if (enable)
    {
      *ptr |= (condition & ~COND_PRIVATE_MARKER);
      switch (condition)
      {
        case COND_NAT_HERE:
          DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
          this->conditions |= COND_NAT_ANY;
          send_keepalive(this, FALSE);
          break;
        case COND_NAT_THERE:
          DBG1(DBG_IKE, "remote host is behind NAT");
          this->conditions |= COND_NAT_ANY;
          break;
        case COND_NAT_FAKE:
          DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
          this->conditions |= COND_NAT_ANY;
          break;
        default:
          break;
      }
    }
    else
    {
      *ptr &= ~(condition & ~COND_PRIVATE_MARKER);
      switch (condition)
      {
        case COND_NAT_HERE:
        case COND_NAT_THERE:
          DBG1(DBG_IKE, "%s host is not behind NAT anymore",
             condition == COND_NAT_HERE ? "local" : "remote");
          /* fall-through */
        case COND_NAT_FAKE:
          /* COND_NAT_ANY stays set as long as any other NAT flag is set */
          set_condition(this, COND_NAT_ANY,
                  has_condition(this, COND_NAT_HERE) ||
                  has_condition(this, COND_NAT_THERE) ||
                  has_condition(this, COND_NAT_FAKE));
          break;
        case COND_STALE:
          /* send_keepalive() refuses to run while stale, resume it now */
          send_keepalive(this, FALSE);
          break;
        default:
          break;
      }
    }
  }
}

/**
 * Queue a DPD exchange if the peer has been silent for the configured
 * delay, and reschedule the next check.
 *
 * @return  INVALID_STATE for passive SAs, otherwise the result of
 *          initiating the queued task or SUCCESS if nothing was queued
 */
METHOD(ike_sa_t, send_dpd, status_t,
  private_ike_sa_t *this)
{
  time_t interval, elapsed = 0;
  bool queued = FALSE;

  if (this->state == IKE_PASSIVE)
  {
    return INVALID_STATE;
  }
  if (this->version == IKEV1 && this->state == IKE_REKEYING)
  { /* don't send DPDs for rekeyed IKEv1 SAs */
    return SUCCESS;
  }
  interval = this->peer_cfg->get_dpd(this->peer_cfg);
  if (!this->task_manager->busy(this->task_manager))
  {
    /* no exchange in the air, look at how long the peer has been silent */
    time_t last_in = get_use_time(this, TRUE);

    elapsed = time_monotonic(NULL) - last_in;
    if (!interval || elapsed >= interval)
    {
      /* too long ago, initiate dead peer detection */
      DBG1(DBG_IKE, "sending DPD request");
      this->task_manager->queue_dpd(this->task_manager);
      queued = TRUE;
      elapsed = 0;
    }
  }
  if (interval)
  { /* recheck in "interval" seconds, minus the part already elapsed */
    job_t *job = (job_t*)send_dpd_job_create(this->ike_sa_id);

    lib->scheduler->schedule_job(lib->scheduler, job, interval - elapsed);
  }
  if (queued)
  {
    return this->task_manager->initiate(this->task_manager);
  }
  return SUCCESS;
}

/* Current state of the IKE_SA */
METHOD(ike_sa_t, get_state, ike_sa_state_t,
  private_ike_sa_t *this)
{
  ike_sa_state_t current = this->state;

  return current;
}

/**
 * Change the state of the IKE_SA and notify the bus.
 *
 * On the transition to IKE_ESTABLISHED (from CONNECTING or PASSIVE) the
 * rekey, reauth and hard-lifetime timers are computed from the peer config
 * and scheduled as jobs; afterwards DPD and (when coming from PASSIVE)
 * keep alives are started.
 *
 * @param state  new state
 */
METHOD(ike_sa_t, set_state, void,
  private_ike_sa_t *this, ike_sa_state_t state)
{
  bool trigger_dpd = FALSE, keepalives = FALSE;

  DBG2(DBG_IKE, "IKE_SA %s[%u] state change: %N => %N",
     get_name(this), this->unique_id,
     ike_sa_state_names, this->state,
     ike_sa_state_names, state);

  switch (state)
  {
    case IKE_ESTABLISHED:
    {
      if (this->state == IKE_CONNECTING ||
        this->state == IKE_PASSIVE)
      {
        job_t *job;
        uint32_t t;

        /* calculate rekey, reauth and lifetime */
        this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);

        /* schedule rekeying if we have a time which is smaller than
         * an already scheduled rekeying */
        t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE);
        if (t && (this->stats[STAT_REKEY] == 0 ||
          (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED])))
        {
          this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED];
          job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
          lib->scheduler->schedule_job(lib->scheduler, job, t);
          DBG1(DBG_IKE, "scheduling rekeying in %ds", t);
        }
        /* same rule for reauthentication, scheduled via the same job type
         * with the reauth flag set */
        t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE);
        if (t && (this->stats[STAT_REAUTH] == 0 ||
          (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED])))
        {
          this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED];
          job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
          lib->scheduler->schedule_job(lib->scheduler, job, t);
          DBG1(DBG_IKE, "scheduling reauthentication in %ds", t);
        }
        else if (this->stats[STAT_REAUTH])
        {
          t = this->stats[STAT_REAUTH] - this->stats[STAT_ESTABLISHED];
          DBG1(DBG_IKE, "reauthentication already scheduled in %ds", t);
        }
        /* the hard lifetime is the earlier of rekey/reauth plus over_time */
        t = this->peer_cfg->get_over_time(this->peer_cfg);
        if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
        {
          if (this->stats[STAT_REAUTH] == 0)
          {
            this->stats[STAT_DELETE] = this->stats[STAT_REKEY];
          }
          else if (this->stats[STAT_REKEY] == 0)
          {
            this->stats[STAT_DELETE] = this->stats[STAT_REAUTH];
          }
          else
          {
            this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY],
                             this->stats[STAT_REAUTH]);
          }
          this->stats[STAT_DELETE] += t;
          t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED];
          job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
          lib->scheduler->schedule_job(lib->scheduler, job, t);
          DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t);
        }
        trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg);
        if (trigger_dpd)
        {
          /* Some peers delay the DELETE after rekeying an IKE_SA.
           * If this delay is longer than our DPD delay, we would
           * send a DPD request here. The IKE_SA is not ready to do
           * so yet, so prevent that. */
          this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED];
        }
        if (this->state == IKE_PASSIVE)
        { /* passive SAs don't send keep alives, start them now */
          keepalives = TRUE;
        }
        /* a successful establishment ends any redirect handling */
        DESTROY_IF(this->redirected_from);
        this->redirected_from = NULL;
      }
      break;
    }
    default:
      break;
  }
  /* listeners see the old state on the SA and the new one as argument */
  charon->bus->ike_state_change(charon->bus, &this->public, state);
  this->state = state;

  if (trigger_dpd)
  {
    if (supports_extension(this, EXT_DPD))
    {
      send_dpd(this);
    }
    else
    {
      DBG1(DBG_IKE, "DPD not supported by peer, disabled");
    }
  }
  if (keepalives)
  {
    send_keepalive(this, FALSE);
  }
}

/**
 * Reset the IKE_SA to IKE_CREATED so it can be set up again from scratch.
 *
 * Drops authentication rounds, keying material and task state; optionally
 * picks a new initiator SPI (and forgets a redirect, so the original peer
 * is contacted again).
 *
 * @param new_spi  TRUE to get a fresh initiator SPI
 */
METHOD(ike_sa_t, reset, void,
  private_ike_sa_t *this, bool new_spi)
{
  ike_sa_id_t *id = this->ike_sa_id;

  if (new_spi)
  {
    charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager,
                          &this->public);
    /* when starting from scratch, connect to the original peer again e.g.
     * if we got redirected but weren't able to connect successfully */
    if (this->redirected_from)
    {
      this->redirected_from->destroy(this->redirected_from);
      this->redirected_from = NULL;
      /* we can't restore the original value, if there was any */
      DESTROY_IF(this->remote_host);
      this->remote_host = NULL;
    }
  }
  /* the responder ID is reset, as peer may choose another one */
  if (id->is_initiator(id))
  {
    id->set_responder_spi(id, 0);
  }

  set_state(this, IKE_CREATED);
  flush_auth_cfgs(this);

  this->keymat->destroy(this->keymat);
  this->keymat = keymat_create(this->version, id->is_initiator(id));

  this->task_manager->reset(this->task_manager, 0, 0);
  this->task_manager->queue_ike(this->task_manager);
}

/* Keying material of this IKE_SA (owned by the IKE_SA) */
METHOD(ike_sa_t, get_keymat, keymat_t*,
  private_ike_sa_t *this)
{
  keymat_t *km = this->keymat;

  return km;
}

/**
 * Add a virtual IP. Local ones are installed on the interface of my_host
 * via the kernel interface and recorded only if that succeeds; remote ones
 * are just recorded.
 *
 * @param local  TRUE for a local virtual IP
 * @param ip     virtual IP, cloned
 */
METHOD(ike_sa_t, add_virtual_ip, void,
  private_ike_sa_t *this, bool local, host_t *ip)
{
  char *iface;

  if (!local)
  {
    array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip));
    return;
  }
  if (!charon->kernel->get_interface(charon->kernel, this->my_host, &iface))
  {
    DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip);
    return;
  }
  DBG1(DBG_IKE, "installing new virtual IP %H", ip);
  if (charon->kernel->add_ip(charon->kernel, ip, -1, iface) == SUCCESS)
  {
    array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip));
  }
  else
  {
    DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
  }
  free(iface);
}

1094
/**
 * Remove and destroy all virtual IPs of one side.
 *
 * Local virtual IPs are additionally uninstalled from the kernel; for the
 * peer's virtual IPs the bus is told (assign_vips with FALSE, presumably
 * meaning "unassigned") before they are dropped.
 *
 * @param local   TRUE to clear our own virtual IPs, FALSE for the peer's
 */
METHOD(ike_sa_t, clear_virtual_ips, void,
  private_ike_sa_t *this, bool local)
{
  array_t *list = local ? this->my_vips : this->other_vips;
  host_t *vip;

  if (!local && array_count(list))
  {
    charon->bus->assign_vips(charon->bus, &this->public, FALSE);
  }
  while (array_remove(list, ARRAY_HEAD, &vip))
  {
    if (local)
    { /* installed in add_virtual_ip(), so take it off the interface again */
      charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
    }
    vip->destroy(vip);
  }
}
1114
1115
/**
 * Enumerate the virtual IPs (host_t*) of one side.
 *
 * @param local   TRUE for our virtual IPs, FALSE for the peer's
 * @return        enumerator over host_t*, to be destroyed by the caller
 */
METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*,
  private_ike_sa_t *this, bool local)
{
  array_t *vips = local ? this->my_vips : this->other_vips;

  return array_create_enumerator(vips);
}
1124
1125
/**
 * Append an additional address of the peer.
 *
 * Ownership of host passes to the IKE_SA: it is stored as-is (not cloned)
 * and destroyed by clear_peer_addresses().
 */
METHOD(ike_sa_t, add_peer_address, void,
  private_ike_sa_t *this, host_t *host)
{
  array_t **addresses = &this->peer_addresses;

  array_insert_create(addresses, ARRAY_TAIL, host);
}
1130
1131
/**
 * Enumerate the known addresses (host_t*) of the peer.
 *
 * Without a list of additional addresses only the current other_host is
 * enumerated.
 *
 * @return   enumerator over host_t*, to be destroyed by the caller
 */
METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*,
  private_ike_sa_t *this)
{
  if (!this->peer_addresses)
  { /* in case we don't have MOBIKE */
    return enumerator_create_single(this->other_host, NULL);
  }
  return array_create_enumerator(this->peer_addresses);
}
1141
1142
/**
 * Destroy all additional peer addresses added via add_peer_address().
 */
METHOD(ike_sa_t, clear_peer_addresses, void,
  private_ike_sa_t *this)
{
  array_t *addresses = this->peer_addresses;

  this->peer_addresses = NULL;
  /* each element is a host_t, call its destroy() through the offset */
  array_destroy_offset(addresses, offsetof(host_t, destroy));
}
1148
1149
/**
 * Compare a NAT detection hash with the one seen last and remember it.
 *
 * The first call only stores the hash and reports no change. Later calls
 * report a change iff the hash differs from the stored one, which is then
 * replaced.
 *
 * @param hash   current NAT detection hash (cloned, caller keeps ownership)
 * @return       TRUE if the hash differs from the previously stored one
 */
METHOD(ike_sa_t, has_mapping_changed, bool,
  private_ike_sa_t *this, chunk_t hash)
{
  bool changed = FALSE;

  if (this->nat_detection_dest.ptr)
  {
    if (chunk_equals(hash, this->nat_detection_dest))
    {
      return FALSE;
    }
    /* different hash than last time: drop the old one and report it */
    free(this->nat_detection_dest.ptr);
    changed = TRUE;
  }
  this->nat_detection_dest = chunk_clone(hash);
  return changed;
}
1165
1166
/**
 * Switch both endpoints to the NAT-T ports after NAT detection.
 *
 * The remote port is changed to IKEV2_NATT_PORT if either side currently
 * uses IKEV2_UDP_PORT; our own port is changed to the socket's NAT-T port
 * if it currently matches the socket's regular port.
 */
METHOD(ike_sa_t, float_ports, void,
  private_ike_sa_t *this)
{
  uint16_t my_port = this->my_host->get_port(this->my_host);
  uint16_t other_port = this->other_host->get_port(this->other_host);

  /* even if the remote port is not 500 (e.g. because the response was natted)
   * we switch the remote port if we used port 500 */
  if (other_port == IKEV2_UDP_PORT || my_port == IKEV2_UDP_PORT)
  {
    this->other_host->set_port(this->other_host, IKEV2_NATT_PORT);
  }
  if (my_port == charon->socket->get_port(charon->socket, FALSE))
  {
    this->my_host->set_port(this->my_host,
                charon->socket->get_port(charon->socket, TRUE));
  }
}
1183
1184
/**
 * Update the IKE_SA's endpoints and propagate the change to CHILD_SAs.
 *
 * Before the first message was received (either host still %any) the given
 * addresses are applied as-is, without notifying the bus. Afterwards our
 * own address only changes when UPDATE_HOSTS_FORCE_LOCAL is set, and the
 * peer's address only when UPDATE_HOSTS_FORCE_REMOTE is set or the peer
 * was detected behind a NAT (and we are not a NATed original initiator).
 * Whenever an endpoint changed, or UPDATE_HOSTS_FORCE_CHILDREN is set, all
 * CHILD_SAs are re-registered and updated; a CHILD_SA that reports
 * NOT_SUPPORTED for the update is rekeyed instead.
 *
 * @param me      new local address, NULL to keep the current one
 * @param other   new remote address, NULL to keep the current one
 * @param flags   UPDATE_HOSTS_FORCE_* flags
 */
METHOD(ike_sa_t, update_hosts, void,
  private_ike_sa_t *this, host_t *me, host_t *other, update_hosts_flag_t flags)
{
  host_t *new_me = NULL, *new_other = NULL;
  bool silent = FALSE;

  if (me == NULL)
  {
    me = this->my_host;
  }
  if (other == NULL)
  {
    other = this->other_host;
  }

  /* apply hosts on first received message */
  if (this->my_host->is_anyaddr(this->my_host) ||
    this->other_host->is_anyaddr(this->other_host))
  {
    new_me = me;
    new_other = other;
    silent = TRUE;
  }
  else
  {
    /* update our address only if forced */
    if ((flags & UPDATE_HOSTS_FORCE_LOCAL) && !me->equals(me, this->my_host))
    {
      new_me = me;
    }

    /* the peer's address is never moved on its own: either the caller
     * forces it or NAT detection has shown the peer to be behind a NAT */
    if (!other->equals(other, this->other_host) &&
      ((flags & UPDATE_HOSTS_FORCE_REMOTE) || has_condition(this, COND_NAT_THERE)))
    {
      /* only update other's address if we are behind a static NAT,
       * which we assume is the case if we are not initiator */
      if ((flags & UPDATE_HOSTS_FORCE_REMOTE) ||
        (!has_condition(this, COND_NAT_HERE) ||
         !has_condition(this, COND_ORIGINAL_INITIATOR)))
      {
        new_other = other;
      }
    }
  }

  if (new_me || new_other || (flags & UPDATE_HOSTS_FORCE_CHILDREN))
  {
    enumerator_t *enumerator;
    child_sa_t *child_sa;
    linked_list_t *vips;

    /* the initial application of addresses is not reported as an update */
    if ((new_me || new_other) && !silent)
    {
      charon->bus->ike_update(charon->bus, &this->public,
                  new_me ?: this->my_host,
                  new_other ?: this->other_host);
    }
    if (new_me)
    {
      /* changes on an established SA are logged more prominently */
      if (this->state == IKE_ESTABLISHED)
      {
        DBG1(DBG_IKE, "local endpoint changed from %#H to %#H",
           this->my_host, new_me);
      }
      else
      {
        DBG2(DBG_IKE, "local endpoint changed from %#H to %#H",
           this->my_host, new_me);
      }
      set_my_host(this, new_me->clone(new_me));
    }
    if (new_other)
    {
      if (this->state == IKE_ESTABLISHED)
      {
        DBG1(DBG_IKE, "remote endpoint changed from %#H to %#H",
           this->other_host, new_other);
      }
      else
      {
        DBG2(DBG_IKE, "remote endpoint changed from %#H to %#H",
           this->other_host, new_other);
      }
      set_other_host(this, new_other->clone(new_other));
    }

    vips = linked_list_create_from_enumerator(
                  array_create_enumerator(this->my_vips));

    enumerator = array_create_enumerator(this->child_sas);
    while (enumerator->enumerate(enumerator, &child_sa))
    {
      /* re-register with the manager so the CHILD_SA is found under the
       * (possibly) new addresses */
      charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
      charon->child_sa_manager->add(charon->child_sa_manager,
                      child_sa, &this->public);

      /* a CHILD_SA that can't be updated in place gets rekeyed instead */
      if (child_sa->update(child_sa, this->my_host, this->other_host,
          vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
      {
        this->public.rekey_child_sa(&this->public,
            child_sa->get_protocol(child_sa),
            child_sa->get_spi(child_sa, TRUE));
      }

    }
    enumerator->destroy(enumerator);

    vips->destroy(vips);
  }
}
1294
1295
/**
 * Encode a message into a single packet.
 *
 * An already encoded message only gets its packet tagged with our DSCP
 * value. Otherwise the outbound timestamp is updated, the IKE_SA ID is set
 * on the message and bus listeners see it before (plain) and after
 * generation.
 *
 * @param message   message to encode
 * @param packet    receives the generated packet on SUCCESS
 * @return          SUCCESS, or the status returned by message->generate()
 */
METHOD(ike_sa_t, generate_message, status_t,
  private_ike_sa_t *this, message_t *message, packet_t **packet)
{
  status_t status;

  if (message->is_encoded(message))
  { /* already encoded in task, but set DSCP value */
    *packet = message->get_packet(message);
    set_dscp(this, *packet);
    return SUCCESS;
  }
  this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
  message->set_ike_sa_id(message, this->ike_sa_id);
  charon->bus->message(charon->bus, message, FALSE, TRUE);
  status = message->generate(message, this->keymat, packet);
  if (status != SUCCESS)
  {
    return status;
  }
  set_dscp(this, *packet);
  charon->bus->message(charon->bus, message, FALSE, FALSE);
  return SUCCESS;
}
1317
1318
/**
 * Filter callback for generate_message_fragmented(): hands out a clone of
 * each fragment with our DSCP value applied.
 *
 * @param orig   inner enumerator yielding packet_t* fragments
 * @param args   single packet_t** output argument
 * @return       TRUE if a fragment was produced, FALSE at the end
 */
CALLBACK(filter_fragments, bool,
  private_ike_sa_t *this, enumerator_t *orig, va_list args)
{
  packet_t *fragment, **out;

  VA_ARGS_VGET(args, out);

  if (!orig->enumerate(orig, &fragment))
  {
    return FALSE;
  }
  *out = fragment->clone(fragment);
  set_dscp(this, *out);
  return TRUE;
}
1333
1334
/**
 * Encode a message, fragmenting it if the configuration and peer allow.
 *
 * Fragmentation is used when the IKE config forces it, or when it is
 * enabled and the peer announced EXT_IKE_FRAGMENTATION (with an IKEv1
 * special case for Windows peers). Without fragmentation this delegates to
 * generate_message() and wraps the single packet in an enumerator.
 *
 * @param message   message to encode
 * @param packets   receives an enumerator over packet_t* on SUCCESS; the
 *                  fragments it yields are clones, see filter_fragments()
 * @return          SUCCESS, or the status of generate()/fragment()
 */
METHOD(ike_sa_t, generate_message_fragmented, status_t,
  private_ike_sa_t *this, message_t *message, enumerator_t **packets)
{
  enumerator_t *fragments;
  packet_t *packet;
  status_t status;
  bool use_frags = FALSE;
  bool pre_generated = FALSE;

  if (this->ike_cfg)
  {
    switch (this->ike_cfg->fragmentation(this->ike_cfg))
    {
      case FRAGMENTATION_FORCE:
        use_frags = TRUE;
        break;
      case FRAGMENTATION_YES:
        use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION);
        if (use_frags && this->version == IKEV1 &&
          supports_extension(this, EXT_MS_WINDOWS))
        {
          /* It seems Windows 7 and 8 peers only accept proprietary
           * fragmented messages if they expect certificates. */
          use_frags = message->get_payload(message,
                           PLV1_CERTIFICATE) != NULL;
        }
        break;
      default:
        break;
    }
  }
  if (!use_frags)
  {
    status = generate_message(this, message, &packet);
    if (status != SUCCESS)
    {
      return status;
    }
    *packets = enumerator_create_single(packet, NULL);
    return SUCCESS;
  }

  /* a message encoded earlier by a task was already reported to the bus,
   * so the listeners are only notified for messages generated here */
  pre_generated = message->is_encoded(message);
  this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
  message->set_ike_sa_id(message, this->ike_sa_id);
  if (!pre_generated)
  {
    charon->bus->message(charon->bus, message, FALSE, TRUE);
  }
  status = message->fragment(message, this->keymat, this->fragment_size,
                 &fragments);
  if (status == SUCCESS)
  {
    if (!pre_generated)
    {
      charon->bus->message(charon->bus, message, FALSE, FALSE);
    }
    /* the filter clones each fragment and applies our DSCP value */
    *packets = enumerator_create_filter(fragments, filter_fragments,
                      this, NULL);
  }
  return status;
}
1396
1397
/**
 * Set the local/remote addresses requested by the kernel (e.g. via an
 * acquire), replacing any previously set ones.
 *
 * Both hosts are cloned, the caller keeps ownership of its arguments.
 */
METHOD(ike_sa_t, set_kmaddress, void,
  private_ike_sa_t *this, host_t *local, host_t *remote)
{
  DESTROY_IF(this->local_host);
  this->local_host = local->clone(local);
  DESTROY_IF(this->remote_host);
  this->remote_host = remote->clone(remote);
}
1405
1406
#ifdef ME
1407
/**
 * Register this IKE_SA with the mediation manager as the SA of the peer
 * (by its identity) and mark it as acting as mediation server.
 */
METHOD(ike_sa_t, act_as_mediation_server, void,
  private_ike_sa_t *this)
{
  identification_t *peer = this->other_id;

  charon->mediation_manager->update_sa_id(charon->mediation_manager,
      peer, this->ike_sa_id);
  this->is_mediation_server = TRUE;
}
1414
1415
/**
 * Return the server reflexive host, NULL if none was set (not a copy).
 */
METHOD(ike_sa_t, get_server_reflexive_host, host_t*,
  private_ike_sa_t *this)
{
  host_t *host = this->server_reflexive_host;

  return host;
}
1420
1421
/**
 * Set the server reflexive host, taking ownership of host and destroying
 * the previous one, if any.
 */
METHOD(ike_sa_t, set_server_reflexive_host, void,
  private_ike_sa_t *this, host_t *host)
{
  host_t *old = this->server_reflexive_host;

  this->server_reflexive_host = host;
  DESTROY_IF(old);
}
1427
1428
/**
 * Return the connect ID of this mediated connection (by value, the chunk
 * still points into memory owned by the IKE_SA).
 */
METHOD(ike_sa_t, get_connect_id, chunk_t,
  private_ike_sa_t *this)
{
  chunk_t id = this->connect_id;

  return id;
}
1433
1434
/**
 * Queue a mediation task responding to a connect request and initiate it.
 *
 * @param peer_id      identity of the peer to respond to
 * @param connect_id   connect ID of the request being answered
 * @return             status of task_manager->initiate()
 */
METHOD(ike_sa_t, respond, status_t,
  private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id)
{
  task_manager_t *tm = this->task_manager;
  ike_me_t *me = ike_me_create(&this->public, TRUE);

  me->respond(me, peer_id, connect_id);
  tm->queue_task(tm, (task_t*)me);
  return tm->initiate(tm);
}
1442
1443
/**
 * Queue a mediation callback task for the given peer and initiate it.
 *
 * @param peer_id   identity of the peer to call back
 * @return          status of task_manager->initiate()
 */
METHOD(ike_sa_t, callback, status_t,
  private_ike_sa_t *this, identification_t *peer_id)
{
  task_manager_t *tm = this->task_manager;
  ike_me_t *me = ike_me_create(&this->public, TRUE);

  me->callback(me, peer_id);
  tm->queue_task(tm, (task_t*)me);
  return tm->initiate(tm);
}
1451
1452
/**
 * Queue a mediation relay task and initiate it.
 *
 * @param requester     identity of the requesting peer
 * @param connect_id    connect ID being relayed
 * @param connect_key   connect key being relayed
 * @param endpoints     endpoints to relay
 * @param response      TRUE if this relays a response
 * @return              status of task_manager->initiate()
 */
METHOD(ike_sa_t, relay, status_t,
  private_ike_sa_t *this, identification_t *requester, chunk_t connect_id,
  chunk_t connect_key, linked_list_t *endpoints, bool response)
{
  task_manager_t *tm = this->task_manager;
  ike_me_t *me = ike_me_create(&this->public, TRUE);

  me->relay(me, requester, connect_id, connect_key, endpoints, response);
  tm->queue_task(tm, (task_t*)me);
  return tm->initiate(tm);
}
1461
1462
/**
 * Queue a mediation connect task for the peer of the mediated config and
 * initiate it.
 *
 * @param mediated_cfg   config of the mediated connection
 * @return               status of task_manager->initiate()
 */
METHOD(ike_sa_t, initiate_mediation, status_t,
  private_ike_sa_t *this, peer_cfg_t *mediated_cfg)
{
  task_manager_t *tm = this->task_manager;
  ike_me_t *me = ike_me_create(&this->public, TRUE);

  me->connect(me, mediated_cfg->get_peer_id(mediated_cfg));
  tm->queue_task(tm, (task_t*)me);
  return tm->initiate(tm);
}
1470
1471
/**
 * Initiate a mediated connection using the endpoints learned via mediation.
 *
 * Both hosts are cloned; the connect ID replaces any previous one.
 *
 * @param me           local endpoint to use
 * @param other        remote endpoint to use
 * @param connect_id   connect ID of the mediated connection (cloned)
 * @return             status of task_manager->initiate()
 */
METHOD(ike_sa_t, initiate_mediated, status_t,
  private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id)
{
  task_manager_t *tm = this->task_manager;

  set_my_host(this, me->clone(me));
  set_other_host(this, other->clone(other));
  chunk_free(&this->connect_id);
  this->connect_id = chunk_clone(connect_id);
  return tm->initiate(tm);
}
1480
#endif /* ME */
1481
1482
/**
 * Resolve DNS host in configuration
 *
 * Determines the remote address first (from the kernel-requested
 * remote_host if set, else by resolving the IKE config's other address) and
 * then the local one (from local_host if set, else by resolving the IKE
 * config's own address, falling back to the kernel's source address for the
 * resolved peer). The address family is constrained by what the socket
 * supports and otherwise kept consistent between both sides.
 */
static void resolve_hosts(private_ike_sa_t *this)
{
  host_t *host;
  int family = AF_UNSPEC;

  /* a socket bound to a single family limits what we may resolve to */
  switch (charon->socket->supported_families(charon->socket))
  {
    case SOCKET_FAMILY_IPV4:
      family = AF_INET;
      break;
    case SOCKET_FAMILY_IPV6:
      family = AF_INET6;
      break;
    case SOCKET_FAMILY_BOTH:
    case SOCKET_FAMILY_NONE:
      break;
  }

  /* if an IP address is set locally, use the same family to resolve remote */
  if (family == AF_UNSPEC && !this->remote_host)
  {
    if (this->local_host)
    {
      family = this->local_host->get_family(this->local_host);
    }
    else
    {
      family = ike_cfg_get_family(this->ike_cfg, TRUE);
    }
  }

  if (this->remote_host)
  {
    /* an address handed to us by the kernel carries no IKE port */
    host = this->remote_host->clone(this->remote_host);
    host->set_port(host, IKEV2_UDP_PORT);
  }
  else
  {
    host = this->ike_cfg->resolve_other(this->ike_cfg, family);
  }
  if (host)
  {
    if (!host->is_anyaddr(host) ||
      this->other_host->is_anyaddr(this->other_host))
    { /* don't set to %any if we currently have an address, but the
       * address family might have changed */
      set_other_host(this, host);
    }
    else
    { /* reuse the original port as some implementations might not like
       * initial IKE messages on other ports */
      this->other_host->set_port(this->other_host, host->get_port(host));
      host->destroy(host);
    }
  }

  if (this->local_host)
  {
    host = this->local_host->clone(this->local_host);
    host->set_port(host, charon->socket->get_port(charon->socket, FALSE));
  }
  else
  {
    /* use same address family as for other */
    if (!this->other_host->is_anyaddr(this->other_host))
    {
      family = this->other_host->get_family(this->other_host);
    }
    host = this->ike_cfg->resolve_me(this->ike_cfg, family);

    /* with a concrete peer address, let the kernel pick the source address
     * instead of binding to %any */
    if (host && host->is_anyaddr(host) &&
      !this->other_host->is_anyaddr(this->other_host))
    {
      host->destroy(host);
      host = charon->kernel->get_source_addr(charon->kernel,
                           this->other_host, NULL);
      if (host)
      {
        host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg));
      }
      else
      { /* fallback to address family specific %any(6), if configured */
        host = this->ike_cfg->resolve_me(this->ike_cfg, family);
      }
    }
  }
  if (host)
  {
    set_my_host(this, host);
  }
}
1576
1577
/**
 * Initiate the IKE_SA, optionally together with a CHILD_SA.
 *
 * On a freshly created SA the endpoints are resolved first. If the peer
 * can't be resolved the initiation is either aborted (no retry interval
 * configured) or deferred via a retry_initiate job. The CHILD_SA config,
 * if given, is queued on the task manager (or destroyed on abort); in
 * mediation builds a mediated connection first triggers the mediation
 * process instead of initiating directly.
 *
 * @param child_cfg   CHILD_SA config to initiate, NULL for none; ownership
 *                    is taken (queued or destroyed)
 * @param args        additional arguments for the CHILD_SA
 * @return            SUCCESS, DESTROY_ME if the peer can't be resolved and
 *                    no retry is configured, or the task manager's status
 */
METHOD(ike_sa_t, initiate, status_t,
  private_ike_sa_t *this, child_cfg_t *child_cfg, child_init_args_t *args)
{
  bool defer_initiate = FALSE;

  if (this->state == IKE_CREATED)
  {
    if (this->my_host->is_anyaddr(this->my_host) ||
      this->other_host->is_anyaddr(this->other_host))
    {
      resolve_hosts(this);
    }

    if (this->other_host->is_anyaddr(this->other_host)
#ifdef ME
      && !this->peer_cfg->get_mediated_by(this->peer_cfg)
#endif /* ME */
      )
    {
      /* without a retry interval the failed resolution is final */
      if (!this->retry_initiate_interval)
      {
        DBG1(DBG_IKE, "unable to resolve %s, initiate aborted",
           this->ike_cfg->get_other_addr(this->ike_cfg));
        DESTROY_IF(child_cfg);
        charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED);
        return DESTROY_ME;
      }
      DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds",
         this->ike_cfg->get_other_addr(this->ike_cfg),
         this->retry_initiate_interval);
      defer_initiate = TRUE;
    }

    set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);
    this->task_manager->queue_ike(this->task_manager);
  }

#ifdef ME
  if (this->peer_cfg->is_mediation(this->peer_cfg))
  {
    if (this->state == IKE_ESTABLISHED)
    {
      /* mediation connection is already established, retrigger state
       * change to notify bus listeners */
      DBG1(DBG_IKE, "mediation connection is already up");
      set_state(this, IKE_ESTABLISHED);
    }
    DESTROY_IF(child_cfg);
  }
  else
#endif /* ME */
  if (child_cfg)
  {
    /* normal IKE_SA with CHILD_SA */
    this->task_manager->queue_child(this->task_manager, child_cfg, args, NULL);
#ifdef ME
    if (this->peer_cfg->get_mediated_by(this->peer_cfg))
    {
      /* mediated connection, initiate mediation process */
      job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
      lib->processor->queue_job(lib->processor, job);
      return SUCCESS;
    }
#endif /* ME */
  }

  if (defer_initiate)
  {
    /* only one retry job at a time; the queued tasks are kept until then */
    if (!this->retry_initiate_queued)
    {
      job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id);
      lib->scheduler->schedule_job(lib->scheduler, (job_t*)job,
                     this->retry_initiate_interval);
      this->retry_initiate_queued = TRUE;
    }
    return SUCCESS;
  }
  this->retry_initiate_queued = FALSE;
  return this->task_manager->initiate(this->task_manager);
}
1657
1658
/**
 * Retry a deferred initiation (called from the retry_initiate job).
 *
 * @return   SUCCESS if no retry was pending, else the result of initiate()
 */
METHOD(ike_sa_t, retry_initiate, status_t,
  private_ike_sa_t *this)
{
  if (!this->retry_initiate_queued)
  { /* nothing was deferred (or it was already picked up) */
    return SUCCESS;
  }
  this->retry_initiate_queued = FALSE;
  /* the CHILD_SA config was queued on the first attempt, so none here */
  return initiate(this, NULL, NULL);
}
1668
1669
/**
 * Process an inbound message on this IKE_SA.
 *
 * Messages are rejected (FAILED) while the SA is passive or when the
 * message's major version doesn't match the SA's IKE version. Otherwise the
 * task manager handles it; once the SA is established and a flush of the
 * auth configs is pending, they are flushed unless online validation is
 * still suspended.
 *
 * @param message   message to process
 * @return          FAILED, or the task manager's status
 */
METHOD(ike_sa_t, process_message, status_t,
  private_ike_sa_t *this, message_t *message)
{
  status_t result;
  bool flush_pending;

  if (this->state == IKE_PASSIVE)
  { /* do not handle messages in passive state */
    return FAILED;
  }
  if (message->get_major_version(message) != this->version)
  {
    DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA",
       exchange_type_names, message->get_exchange_type(message),
       message->get_major_version(message),
       ike_version_names, this->version);
    /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1
     * INVALID_MAJOR_VERSION on an IKEv2 SA. */
    return FAILED;
  }
  result = this->task_manager->process_message(this->task_manager, message);

  /* authentication completed but if the online validation is suspended we
   * need the auth cfgs until we did the delayed verification, we flush
   * them afterwards */
  flush_pending = this->flush_auth_cfg && this->state == IKE_ESTABLISHED;
  if (flush_pending && !has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED))
  {
    this->flush_auth_cfg = FALSE;
    flush_auth_cfgs(this);
  }
  return result;
}
1702
1703
/**
 * Return the IKE_SA identifier (SPIs), owned by the IKE_SA.
 */
METHOD(ike_sa_t, get_id, ike_sa_id_t*,
  private_ike_sa_t *this)
{
  ike_sa_id_t *id = this->ike_sa_id;

  return id;
}
1708
1709
/**
 * Return the IKE version this SA speaks.
 */
METHOD(ike_sa_t, get_version, ike_version_t,
  private_ike_sa_t *this)
{
  ike_version_t version = this->version;

  return version;
}
1714
1715
/**
 * Return our own identity, owned by the IKE_SA.
 */
METHOD(ike_sa_t, get_my_id, identification_t*,
  private_ike_sa_t *this)
{
  identification_t *id = this->my_id;

  return id;
}
1720
1721
/**
 * Set our own identity, taking ownership of me and destroying the
 * previously set identity, if any.
 */
METHOD(ike_sa_t, set_my_id, void,
  private_ike_sa_t *this, identification_t *me)
{
  identification_t *old = this->my_id;

  this->my_id = me;
  DESTROY_IF(old);
}
1727
1728
/**
 * Return the peer's identity, owned by the IKE_SA.
 */
METHOD(ike_sa_t, get_other_id, identification_t*,
  private_ike_sa_t *this)
{
  identification_t *id = this->other_id;

  return id;
}
1733
1734
/**
 * Check if an identity is set and not the ID_ANY wildcard.
 */
static inline bool usable_id(identification_t *id)
{
  return id && id->get_type(id) != ID_ANY;
}

/**
 * Return the peer's EAP identity, falling back to its XAuth identity, the
 * identity of the auth round and finally other_id.
 *
 * All auth rounds of the peer are scanned and the usable identity of the
 * last round wins. The returned identity is owned by the IKE_SA.
 */
METHOD(ike_sa_t, get_other_eap_id, identification_t*,
  private_ike_sa_t *this)
{
  identification_t *id = NULL, *candidate;
  enumerator_t *enumerator;
  auth_cfg_t *cfg;

  enumerator = array_create_enumerator(this->other_auths);
  while (enumerator->enumerate(enumerator, &cfg))
  {
    /* prefer EAP-Identity of last round */
    candidate = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY);
    if (!usable_id(candidate))
    {
      candidate = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY);
    }
    if (!usable_id(candidate))
    {
      candidate = cfg->get(cfg, AUTH_RULE_IDENTITY);
    }
    if (usable_id(candidate))
    {
      id = candidate;
    }
  }
  enumerator->destroy(enumerator);
  return id ?: this->other_id;
}
1767
1768
/**
 * Set the peer's identity, taking ownership of other and destroying the
 * previously set identity, if any.
 */
METHOD(ike_sa_t, set_other_id, void,
  private_ike_sa_t *this, identification_t *other)
{
  identification_t *old = this->other_id;

  this->other_id = other;
  DESTROY_IF(old);
}
1774
1775
/**
 * Return the interface ID for the given direction.
 *
 * @param inbound   TRUE for the inbound, FALSE for the outbound ID
 */
METHOD(ike_sa_t, get_if_id, uint32_t,
  private_ike_sa_t *this, bool inbound)
{
  if (inbound)
  {
    return this->if_id_in;
  }
  return this->if_id_out;
}
1780
1781
/**
 * Sort CHILD_SAs by config and CPU ID so SAs without ID are enumerated first.
 *
 * Comparator for array_sort(): SAs with different configs keep their
 * insertion order (by unique ID), SAs sharing a config are ordered by CPU ID
 * with the one lacking an ID (CPU_ID_MAX) placed first.
 */
static int child_sa_sort(const void *a_pub, const void *b_pub, void *user)
{
  child_sa_t *a = (child_sa_t*)a_pub, *b = (child_sa_t*)b_pub;
  child_cfg_t *cfg_a = a->get_config(a);

  if (!cfg_a->equals(cfg_a, b->get_config(b)))
  { /* use the unique IDs of unrelated SAs to maintain insertion order */
    return a->get_unique_id(a) - b->get_unique_id(b);
  }
  /* otherwise use the CPU ID, making sure an SA without ID comes first.
   * NOTE(review): if both SAs lack an ID this still returns -1, i.e. the
   * comparator is not symmetric in that case - confirm it can't occur */
  if (a->get_cpu(a) == CPU_ID_MAX)
  {
    return -1;
  }
  return a->get_cpu(a) - b->get_cpu(b);
}
1796
1797
/**
 * Attach a CHILD_SA to this IKE_SA, taking ownership of it.
 *
 * The list is kept sorted via child_sa_sort() and the CHILD_SA is
 * registered with the global CHILD_SA manager.
 */
METHOD(ike_sa_t, add_child_sa, void,
  private_ike_sa_t *this, child_sa_t *child_sa)
{
  child_sa_manager_t *manager = charon->child_sa_manager;

  array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa);
  array_sort(this->child_sas, child_sa_sort, NULL);
  manager->add(manager, child_sa, &this->public);
}
1805
1806
/**
 * Look up a CHILD_SA by protocol and SPI.
 *
 * The whole list is scanned; if more than one CHILD_SA matches, the last
 * one in the list is returned.
 *
 * @param protocol   protocol (AH/ESP) of the CHILD_SA
 * @param spi        SPI to look for
 * @param inbound    TRUE to match the inbound SPI, FALSE the outbound one
 * @return           matching CHILD_SA, NULL if none
 */
METHOD(ike_sa_t, get_child_sa, child_sa_t*,
  private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound)
{
  enumerator_t *enumerator;
  child_sa_t *current, *found = NULL;

  enumerator = array_create_enumerator(this->child_sas);
  while (enumerator->enumerate(enumerator, (void**)&current))
  {
    bool spi_match = current->get_spi(current, inbound) == spi;

    if (spi_match && current->get_protocol(current) == protocol)
    { /* keep scanning, a later match overrides an earlier one */
      found = current;
    }
  }
  enumerator->destroy(enumerator);
  return found;
}
1824
1825
/**
 * Return the number of CHILD_SAs attached to this IKE_SA.
 */
METHOD(ike_sa_t, get_child_count, int,
  private_ike_sa_t *this)
{
  int count = array_count(this->child_sas);

  return count;
}
1830
1831
/**
 * Private data of a create_child_sa_enumerator()
 *
 * Wraps an array enumerator and remembers the current CHILD_SA so that
 * remove_child_sa() can unregister it and remove it at the inner position.
 */
typedef struct {
  /** implements enumerator */
  enumerator_t public;
  /** inner array enumerator */
  enumerator_t *inner;
  /** current item */
  child_sa_t *current;
} child_enumerator_t;
1842
1843
/**
 * Enumerate the next CHILD_SA, remembering it in this->current.
 *
 * @param args   single child_sa_t** output argument
 * @return       TRUE if a CHILD_SA was returned
 */
METHOD(enumerator_t, child_enumerate, bool,
  child_enumerator_t *this, va_list args)
{
  child_sa_t **out;

  VA_ARGS_VGET(args, out);
  if (!this->inner->enumerate(this->inner, &this->current))
  {
    return FALSE;
  }
  *out = this->current;
  return TRUE;
}
1856
1857
/**
 * Destroy the CHILD_SA enumerator together with its inner enumerator.
 */
METHOD(enumerator_t, child_enumerator_destroy, void,
  child_enumerator_t *this)
{
  enumerator_t *inner = this->inner;

  inner->destroy(inner);
  free(this);
}
1863
1864
/**
 * Create an enumerator over the CHILD_SAs of this IKE_SA.
 *
 * The returned enumerator may be passed to remove_child_sa() to remove the
 * CHILD_SA enumerated last.
 *
 * @return   enumerator over child_sa_t*, to be destroyed by the caller
 */
METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*,
  private_ike_sa_t *this)
{
  child_enumerator_t *ce;

  INIT(ce,
    .public = {
      .enumerate = enumerator_enumerate_default,
      .venumerate = _child_enumerate,
      .destroy = _child_enumerator_destroy,
    },
    .inner = array_create_enumerator(this->child_sas),
  );
  return &ce->public;
}
1879
1880
/**
 * Detach the CHILD_SA enumerated last by the given enumerator.
 *
 * The CHILD_SA is unregistered from the manager and removed from the list;
 * it is not destroyed, the caller takes ownership.
 *
 * @param enumerator   enumerator from create_child_sa_enumerator()
 */
METHOD(ike_sa_t, remove_child_sa, void,
  private_ike_sa_t *this, enumerator_t *enumerator)
{
  child_enumerator_t *ce = (child_enumerator_t*)enumerator;
  child_sa_manager_t *manager = charon->child_sa_manager;

  manager->remove(manager, ce->current);
  array_remove_at(this->child_sas, ce->inner);
}
1888
1889
/**
 * Queue a rekeying of the given CHILD_SA and initiate it.
 *
 * @param protocol   protocol of the CHILD_SA
 * @param spi        inbound SPI of the CHILD_SA
 * @return           INVALID_STATE if passive, else the task manager's status
 */
METHOD(ike_sa_t, rekey_child_sa, status_t,
  private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
{
  task_manager_t *tm = this->task_manager;

  if (this->state == IKE_PASSIVE)
  {
    return INVALID_STATE;
  }
  tm->queue_child_rekey(tm, protocol, spi);
  return tm->initiate(tm);
}
1899
1900
/**
 * Queue a deletion of the given CHILD_SA and initiate it.
 *
 * @param protocol   protocol of the CHILD_SA
 * @param spi        inbound SPI of the CHILD_SA
 * @param expired    TRUE if the CHILD_SA is deleted because it expired
 * @return           INVALID_STATE if passive, else the task manager's status
 */
METHOD(ike_sa_t, delete_child_sa, status_t,
  private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired)
{
  task_manager_t *tm = this->task_manager;

  if (this->state == IKE_PASSIVE)
  {
    return INVALID_STATE;
  }
  tm->queue_child_delete(tm, protocol, spi, expired);
  return tm->initiate(tm);
}
1911
1912
/**
 * Remove and destroy the CHILD_SA with the given protocol and inbound SPI,
 * without any IKE exchange.
 *
 * @param protocol   protocol of the CHILD_SA
 * @param spi        inbound SPI of the CHILD_SA
 * @return           SUCCESS if found and destroyed, NOT_FOUND otherwise
 */
METHOD(ike_sa_t, destroy_child_sa, status_t,
  private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi)
{
  enumerator_t *enumerator;
  child_sa_t *child_sa;
  status_t status = NOT_FOUND;

  enumerator = create_child_sa_enumerator(this);
  while (enumerator->enumerate(enumerator, (void**)&child_sa))
  {
    if (child_sa->get_protocol(child_sa) != protocol ||
      child_sa->get_spi(child_sa, TRUE) != spi)
    {
      continue;
    }
    /* detach first so the enumerator/manager no longer reference it */
    remove_child_sa(this, enumerator);
    child_sa->destroy(child_sa);
    status = SUCCESS;
    break;
  }
  enumerator->destroy(enumerator);
  return status;
}
1934
1935
/**
 * Delete the IKE_SA, with a delete exchange where the state allows it.
 *
 * Established/rekeying/rekeyed SAs queue an IKE delete task (raising
 * ALERT_IKE_SA_EXPIRED if the hard lifetime was reached); unestablished or
 * passive SAs are just torn down. Any other state forces a destruction
 * without notifying the peer.
 *
 * @param force   TRUE to destroy without a delete exchange; for IKEv2 the
 *                ike_updown event is raised here in that case
 * @return        DESTROY_ME, or the task manager's status after initiating
 *                the delete
 */
METHOD(ike_sa_t, delete_, status_t,
  private_ike_sa_t *this, bool force)
{
  status_t status = DESTROY_ME;

  switch (this->state)
  {
    case IKE_ESTABLISHED:
    case IKE_REKEYING:
    case IKE_REKEYED:
      if (time_monotonic(NULL) >= this->stats[STAT_DELETE] &&
        !(this->version == IKEV1 && this->state == IKE_REKEYING))
      { /* IKE_SA hard lifetime hit, ignored for reauthenticated
         * IKEv1 SAs */
        charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED);
      }
      this->task_manager->queue_ike_delete(this->task_manager);
      status = this->task_manager->initiate(this->task_manager);
      break;
    case IKE_CREATED:
      DBG1(DBG_IKE, "deleting unestablished IKE_SA");
      break;
    case IKE_PASSIVE:
      break;
    default:
      DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification",
         ike_sa_state_names, this->state);
      force = TRUE;
      break;
  }

  if (force)
  {
    status = DESTROY_ME;

    if (this->version == IKEV2)
    { /* for IKEv1 we trigger this in the ISAKMP delete task */
      switch (this->state)
      {
        case IKE_ESTABLISHED:
        case IKE_REKEYING:
        case IKE_DELETING:
          charon->bus->ike_updown(charon->bus, &this->public, FALSE);
          /* fallthrough */
        default:
          break;
      }
    }
  }
  return status;
}
1985
1986
/**
 * Queue an IKE_SA rekeying and initiate it.
 *
 * @return   INVALID_STATE while passive or reauthenticating, else the task
 *           manager's status
 */
METHOD(ike_sa_t, rekey, status_t,
  private_ike_sa_t *this)
{
  task_manager_t *tm = this->task_manager;
  bool blocked = this->state == IKE_PASSIVE ||
           has_condition(this, COND_REAUTHENTICATING);

  if (blocked)
  {
    return INVALID_STATE;
  }
  tm->queue_ike_rekey(tm);
  return tm->initiate(tm);
}
1997
1998
/*
 * Described in header
 *
 * Reauthentication as responder is only possible if no virtual IPs were
 * assigned to the peer and the peer did not authenticate via XAuth or EAP
 * (and, in mediation builds, this SA isn't acting as mediation server).
 */
bool ike_sa_can_reauthenticate(ike_sa_t *public)
{
  private_ike_sa_t *this = (private_ike_sa_t*)public;

  return array_count(this->other_vips) == 0 &&
       !has_condition(this, COND_XAUTH_AUTHENTICATED) &&
       !has_condition(this, COND_EAP_AUTHENTICATED)
#ifdef ME
      /* as mediation server we too cannot reauth the IKE_SA */
      && !this->is_mediation_server
#endif /* ME */
      ;
}
2014
2015
/**
 * Reauthenticate the IKE_SA.
 *
 * A connecting SA is simply reset (with a new SPI) and re-initiated. As
 * responder the reauthentication is refused with FAILED if
 * ike_sa_can_reauthenticate() denies it; the SA then runs into its hard
 * lifetime unless the initiator reauthenticates. Otherwise the reauth task
 * is queued and initiated.
 *
 * @return   INVALID_STATE if passive, FAILED if refused, else the task
 *           manager's status
 */
METHOD(ike_sa_t, reauth, status_t,
  private_ike_sa_t *this)
{
  if (this->state == IKE_PASSIVE)
  {
    return INVALID_STATE;
  }
  if (this->state == IKE_CONNECTING)
  {
    DBG0(DBG_IKE, "reinitiating IKE_SA %s[%u]",
       get_name(this), this->unique_id);
    reset(this, TRUE);
    return this->task_manager->initiate(this->task_manager);
  }
  /* we can't reauthenticate as responder when we use EAP or virtual IPs.
   * If the peer does not support RFC4478, there is no way to keep the
   * IKE_SA up. */
  if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
    !ike_sa_can_reauthenticate(&this->public))
  {
#if DEBUG_LEVEL >= 1
    /* remaining lifetime is logged relative to the monotonic clock */
    time_t del = this->stats[STAT_DELETE];
    time_t now = time_monotonic(NULL);
    DBG1(DBG_IKE, "initiator did not reauthenticate as requested, IKE_SA "
       "%s[%u] will timeout in %V", get_name(this), this->unique_id,
       &now, &del);
#endif
    return FAILED;
  }
  DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%u]",
     get_name(this), this->unique_id);
  /* blocks rekey() until the reauthentication completed */
  set_condition(this, COND_REAUTHENTICATING, TRUE);
  this->task_manager->queue_ike_reauth(this->task_manager);
  return this->task_manager->initiate(this->task_manager);
}
2050
2051
/**
 * Check if any tasks of a specific type are queued in the given queue.
 *
 * @param this    IKE_SA whose task manager is inspected
 * @param queue   task queue to look at
 * @param type    task type to search for
 * @return        TRUE if at least one task of that type is in the queue
 */
static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue,
               task_type_t type)
{
  enumerator_t *tasks;
  task_t *current;

  tasks = this->task_manager->create_task_enumerator(this->task_manager,
                              queue);
  while (tasks->enumerate(tasks, &current))
  {
    if (current->get_type(current) == type)
    {
      /* first match is enough, release the enumerator and report it */
      tasks->destroy(tasks);
      return TRUE;
    }
  }
  tasks->destroy(tasks);
  return FALSE;
}
2074
2075
/**
 * Check if any tasks to create CHILD_SAs are queued in the given queue.
 *
 * @param this    IKE_SA whose task manager is inspected
 * @param queue   task queue to look at
 * @return        TRUE if a CHILD_SA-creating task is in the queue
 */
static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue)
{
  task_type_t create_type;

  /* IKEv1 creates CHILD_SAs via Quick Mode, IKEv2 via CREATE_CHILD_SA */
  if (this->version == IKEV1)
  {
    create_type = TASK_QUICK_MODE;
  }
  else
  {
    create_type = TASK_CHILD_CREATE;
  }
  return is_task_queued(this, queue, create_type);
}
2083
2084
/*
 * Described in header
 *
 * Only the "queued" queue is inspected, i.e. a delete that is already
 * active is not reported by this function.
 */
bool ike_sa_is_delete_queued(ike_sa_t *ike_sa)
{
  private_ike_sa_t *this = (private_ike_sa_t*)ike_sa;
  task_type_t delete_type;

  /* IKEv1 deletes via ISAKMP delete, IKEv2 via INFORMATIONAL delete */
  if (this->version == IKEV1)
  {
    delete_type = TASK_ISAKMP_DELETE;
  }
  else
  {
    delete_type = TASK_IKE_DELETE;
  }
  return is_task_queued(this, TASK_QUEUE_QUEUED, delete_type);
}
2093
2094
/**
 * Reestablish CHILD_SAs and migrate queued tasks.
 *
 * If force is true all SAs are restarted, otherwise their close/dpd_action
 * is followed.
 *
 * @param this    the old IKE_SA whose CHILD_SAs are to be recreated
 * @param new     the freshly created replacement IKE_SA (not yet initiated)
 * @param force   TRUE to restart every CHILD_SA regardless of its action
 * @return        result of initiating the new IKE_SA; callers treat
 *                DESTROY_ME as failure
 */
static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new,
                   bool force)
{
  private_ike_sa_t *other = (private_ike_sa_t*)new;
  enumerator_t *enumerator;
  child_sa_t *child_sa;
  child_cfg_t *child_cfg;
  action_t action;

  /* handle existing CHILD_SAs */
  enumerator = create_child_sa_enumerator(this);
  while (enumerator->enumerate(enumerator, (void**)&child_sa))
  {
    switch (child_sa->get_state(child_sa))
    {
      case CHILD_REKEYED:
      case CHILD_DELETED:
        /* ignore CHILD_SAs in these states */
        continue;
      default:
        break;
    }
    if (force)
    {
      action = ACTION_START;
    }
    else
    { /* only restart CHILD_SAs that are configured accordingly */
      if (this->state == IKE_DELETING)
      {
        action = child_sa->get_close_action(child_sa);
      }
      else
      {
        action = child_sa->get_dpd_action(child_sa);
      }
    }
    if (action & ACTION_START)
    {
      child_cfg = child_sa->get_config(child_sa);
      DBG1(DBG_IKE, "restarting CHILD_SA %s",
         child_cfg->get_name(child_cfg));
      /* the config reference is handed over to the new SA's task manager;
       * the old child_sa is passed along, presumably so the new task can
       * carry over its properties (TODO confirm in queue_child()) */
      other->task_manager->queue_child(other->task_manager,
                       child_cfg->get_ref(child_cfg),
                       NULL, child_sa);
    }
  }
  enumerator->destroy(enumerator);

  /* adopt any active or queued CHILD-creating tasks */
  new->adopt_child_tasks(new, &this->public);

  return new->initiate(new, NULL, NULL);
}
2154
2155
/**
 * Reestablish this IKE_SA by creating a new one (reauthentication or
 * recovery after the peer stopped responding).
 *
 * The new SA inherits peer config, addresses and our virtual IPs. CHILD_SAs
 * are recreated according to their close/dpd action (or unconditionally when
 * reauthenticating). Nothing happens if a delete is already queued, if there
 * is nothing worth keeping up, or if we are the responder of an asymmetric
 * setup (virtual IPs assigned to the peer, EAP) and therefore cannot
 * authenticate towards the peer as initiator.
 *
 * @return  SUCCESS if the new SA was created and checked in, FAILED otherwise
 */
METHOD(ike_sa_t, reestablish, status_t,
  private_ike_sa_t *this)
{
  ike_sa_t *new;
  host_t *host;
  action_t action;
  enumerator_t *enumerator;
  child_sa_t *child_sa;
  bool restart = FALSE;
  status_t status = FAILED;

  if (ike_sa_is_delete_queued((ike_sa_t*)this))
  { /* don't reestablish IKE_SAs that have explicitly been deleted in the
     * mean time */
    return FAILED;
  }

  if (has_condition(this, COND_REAUTHENTICATING))
  { /* only reauthenticate if we have children */
    if (array_count(this->child_sas) == 0
#ifdef ME
      /* allow reauth of mediation connections without CHILD_SAs */
      && !this->peer_cfg->is_mediation(this->peer_cfg)
#endif /* ME */
      )
    {
      DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
         "to recreate");
    }
    else
    {
      restart = TRUE;
    }
  }
  else
  { /* check if we have children to keep up at all */
    enumerator = array_create_enumerator(this->child_sas);
    while (enumerator->enumerate(enumerator, (void**)&child_sa))
    {
      switch (child_sa->get_state(child_sa))
      {
        case CHILD_REKEYED:
        case CHILD_DELETED:
          /* ignore CHILD_SAs in these states */
          continue;
        default:
          break;
      }
      if (this->state == IKE_DELETING)
      {
        action = child_sa->get_close_action(child_sa);
      }
      else
      {
        action = child_sa->get_dpd_action(child_sa);
      }
      if (action & ACTION_TRAP)
      {
        /* trap policies are installed right away, independent of whether
         * the IKE_SA gets reestablished below */
        charon->traps->install(charon->traps, this->peer_cfg,
                     child_sa->get_config(child_sa));
      }
      if (action & ACTION_START)
      {
        restart = TRUE;
      }
    }
    enumerator->destroy(enumerator);
    /* check if we have tasks that recreate children */
    if (!restart)
    {
      restart = is_child_queued(this, TASK_QUEUE_ACTIVE) ||
            is_child_queued(this, TASK_QUEUE_QUEUED);
    }
#ifdef ME
    /* mediation connections have no children, keep them up anyway */
    if (this->peer_cfg->is_mediation(this->peer_cfg))
    {
      restart = TRUE;
    }
#endif /* ME */
  }
  if (!restart)
  {
    return FAILED;
  }

  /* check if we are able to reestablish this IKE_SA */
  /* NOTE(review): unlike ike_sa_can_reauthenticate(), this check does not
   * consider COND_XAUTH_AUTHENTICATED; presumably intentional as XAuth is
   * IKEv1-only and handled via reauth, but worth confirming */
  if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
    (array_count(this->other_vips) != 0 ||
     has_condition(this, COND_EAP_AUTHENTICATED)
#ifdef ME
     || this->is_mediation_server
#endif /* ME */
    ))
  {
    DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup");
    return FAILED;
  }

  new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
                       this->version, TRUE);
  if (!new)
  {
    return FAILED;
  }
  new->set_peer_cfg(new, this->peer_cfg);
  host = this->other_host;
  new->set_other_host(new, host->clone(host));
  host = this->my_host;
  new->set_my_host(new, host->clone(host));
  charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
  if (!has_condition(this, COND_REAUTHENTICATING))
  { /* reauthenticate to the same addresses, but resolve hosts if
     * reestablishing (old addresses serve as fallback) */
    resolve_hosts((private_ike_sa_t*)new);
  }
  /* if we already have a virtual IP, we reuse it */
  enumerator = array_create_enumerator(this->my_vips);
  while (enumerator->enumerate(enumerator, &host))
  {
    new->add_virtual_ip(new, TRUE, host);
  }
  enumerator->destroy(enumerator);

#ifdef ME
  if (this->peer_cfg->is_mediation(this->peer_cfg))
  {
    status = new->initiate(new, NULL, NULL);
  }
  else
#endif /* ME */
  {
    /* when reauthenticating, every CHILD_SA is restarted (force) */
    status = reestablish_children(this, new,
                  has_condition(this, COND_REAUTHENTICATING));
  }

  if (status == DESTROY_ME)
  {
    charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
                      FALSE);
    charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
    status = FAILED;
  }
  else
  {
    charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
                      TRUE);
    charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
    status = SUCCESS;
  }
  /* the bus still has the old SA as "current" for this thread */
  charon->bus->set_sa(charon->bus, &this->public);
  return status;
}
2308
2309
/**
 * Resolve the given gateway ID
 *
 * The ID is rendered as a string and looked up via host_create_from_dns().
 * NOTE(review): in the redirect paths the ID originates from the peer's
 * REDIRECT notify, i.e. an untrusted string is resolved here (presumably a
 * blocking lookup); the loop/rate limit lives in redirect_count_exceeded().
 *
 * @param gateway   identity of the gateway to connect to
 * @return          resolved host with IKEV2_UDP_PORT, NULL on failure
 */
static host_t *resolve_gateway_id(identification_t *gateway)
{
  char name[BUF_LEN];
  host_t *resolved;

  /* snprintf() NUL-terminates already, the explicit terminator is merely
   * defensive */
  snprintf(name, sizeof(name), "%Y", gateway);
  name[sizeof(name)-1] = '\0';
  resolved = host_create_from_dns(name, AF_UNSPEC, IKEV2_UDP_PORT);
  if (resolved == NULL)
  {
    DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed",
       gateway);
  }
  return resolved;
}
2327
2328
/**
 * Redirect the current SA to the given target host
 *
 * Creates a new IKE_SA towards the resolved gateway, carries over the
 * redirect timestamps (loop detection) and recreates all CHILD_SAs on it.
 *
 * NOTE(review): COND_REDIRECTED is set on this SA as soon as the new SA
 * could be allocated, and is not cleared again if resolution or
 * reestablishing fails below. Confirm this is intended (the old SA then
 * stays marked as redirected even though no redirect happened).
 *
 * @param this    the established (or authenticated) SA being redirected
 * @param to      gateway identity from the REDIRECT notify
 * @return        TRUE if the new SA was created and checked in
 */
static bool redirect_established(private_ike_sa_t *this, identification_t *to)
{
  private_ike_sa_t *new_priv;
  ike_sa_t *new;
  host_t *other;
  time_t redirect;

  new = charon->ike_sa_manager->create_new(charon->ike_sa_manager,
                       this->version, TRUE);
  if (!new)
  {
    return FALSE;
  }
  /* mark the SA so it won't get reused even though it's established */
  set_condition(this, COND_REDIRECTED, TRUE);

  new_priv = (private_ike_sa_t*)new;
  new->set_peer_cfg(new, this->peer_cfg);
  new_priv->redirected_from = this->other_host->clone(this->other_host);
  charon->bus->ike_reestablish_pre(charon->bus, &this->public, new);
  other = resolve_gateway_id(to);
  if (other)
  {
    set_my_host(new_priv, this->my_host->clone(this->my_host));
    /* this allows us to force the remote address while we still properly
     * resolve the local address */
    new_priv->remote_host = other;
    resolve_hosts(new_priv);
    /* move the redirect history to the new SA so the rate limit in
     * redirect_count_exceeded() keeps counting across redirects */
    new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
    while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect))
    {
      array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect);
    }
    if (reestablish_children(this, new, TRUE) != DESTROY_ME)
    {
#ifdef USE_IKEV2
      /* the task gets our ike_sa_id, presumably to delete this old SA once
       * the new one is up (see ike_reauth_complete) */
      new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
                               this->ike_sa_id));
#endif
      charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
                        TRUE);
      charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
      charon->bus->set_sa(charon->bus, &this->public);
      return TRUE;
    }
  }
  charon->bus->ike_reestablish_post(charon->bus, &this->public, new,
                    FALSE);
  charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
  charon->bus->set_sa(charon->bus, &this->public);
  return FALSE;
}
2383
2384
/**
 * Redirect the current connecting SA to the given target host
 *
 * The half-open SA is reset in place and pointed at the new gateway; the
 * original peer address is remembered in redirected_from.
 *
 * @param this    SA in state IKE_CONNECTING (not yet authenticated)
 * @param to      gateway identity from the REDIRECT notify
 * @return        FALSE if the gateway ID could not be resolved
 */
static bool redirect_connecting(private_ike_sa_t *this, identification_t *to)
{
  host_t *target = resolve_gateway_id(to);

  if (!target)
  {
    return FALSE;
  }
  reset(this, TRUE);
  DESTROY_IF(this->redirected_from);
  this->redirected_from = this->other_host->clone(this->other_host);
  /* pin the remote address to the new gateway; resolve_hosts() then only
   * has to determine a matching local address */
  DESTROY_IF(this->remote_host);
  this->remote_host = target;
  resolve_hosts(this);
  return TRUE;
}
2406
2407
/**
 * Check if the current redirect exceeds the limits for redirects
 *
 * Keeps a sliding window of redirect timestamps: entries older than
 * REDIRECT_LOOP_DETECT_PERIOD are dropped, and if fewer than MAX_REDIRECTS
 * remain, the current time is recorded and the redirect is allowed.
 *
 * @return  TRUE if the redirect must be refused (limit reached)
 */
static bool redirect_count_exceeded(private_ike_sa_t *this)
{
  time_t now = time_monotonic(NULL), stamp;

  /* drop timestamps that fell out of the detection window; the array
   * helpers tolerate a NULL array here */
  while (array_get(this->redirected_at, ARRAY_HEAD, &stamp))
  {
    if (now - stamp < REDIRECT_LOOP_DETECT_PERIOD)
    {
      break;
    }
    array_remove(this->redirected_at, ARRAY_HEAD, NULL);
  }
  if (array_count(this->redirected_at) >= MAX_REDIRECTS)
  {
    return TRUE;
  }
  if (!this->redirected_at)
  {
    this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS);
  }
  array_insert(this->redirected_at, ARRAY_TAIL, &now);
  return FALSE;
}
2432
2433
/**
 * Handle a REDIRECT received from the peer.
 *
 * The gateway identity is peer-supplied. The only checks applied before it
 * is resolved and connected to are the follow_redirects setting and the
 * rate limit in redirect_count_exceeded(); while still connecting and not
 * yet authenticated the redirect is accepted on an unauthenticated exchange.
 *
 * @param gateway   gateway identity from the notify
 * @return          TRUE if the redirect was followed
 */
METHOD(ike_sa_t, handle_redirect, bool,
  private_ike_sa_t *this, identification_t *gateway)
{
  bool authenticated;

  DBG1(DBG_IKE, "redirected to %Y", gateway);
  if (!this->follow_redirects)
  {
    DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it");
    return FALSE;
  }
  if (redirect_count_exceeded(this))
  {
    DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds",
       MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD);
    return FALSE;
  }

  authenticated = has_condition(this, COND_AUTHENTICATED);
  if (this->state == IKE_CONNECTING && !authenticated)
  {
    /* redirect during IKE_SA_INIT: restart the half-open SA in place */
    return redirect_connecting(this, gateway);
  }
  if (this->state == IKE_CONNECTING || this->state == IKE_ESTABLISHED)
  {
    /* authenticated (late IKE_AUTH) or established: move to a new SA */
    return redirect_established(this, gateway);
  }
  DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N",
     ike_sa_state_names, this->state);
  return FALSE;
}
2465
2466
/**
 * Redirect the peer to another gateway (responder side).
 *
 * Only possible for IKEv2 SAs where we are not the original initiator and
 * the client announced support for redirection (EXT_IKE_REDIRECTION).
 *
 * @param gateway   gateway identity to send in the REDIRECT notify
 * @return          SUCCESS if already redirected, INVALID_STATE in states
 *                  where redirection is not possible, FAILED if the setup
 *                  doesn't allow it, else the task manager's result
 */
METHOD(ike_sa_t, redirect, status_t,
  private_ike_sa_t *this, identification_t *gateway)
{
  switch (this->state)
  {
    case IKE_CONNECTING:
    case IKE_ESTABLISHED:
    case IKE_REKEYING:
      break;
    default:
      DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N",
         ike_sa_state_names, this->state);
      return INVALID_STATE;
  }
  if (has_condition(this, COND_REDIRECTED))
  { /* IKE_SA already got redirected */
    return SUCCESS;
  }
  if (has_condition(this, COND_ORIGINAL_INITIATOR))
  {
    DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator");
    return FAILED;
  }
  if (this->version == IKEV1)
  {
    DBG1(DBG_IKE, "unable to redirect IKEv1 SA");
    return FAILED;
  }
  if (!supports_extension(this, EXT_IKE_REDIRECTION))
  {
    DBG1(DBG_IKE, "client does not support IKE redirection");
    return FAILED;
  }
#ifdef USE_IKEV2
  this->task_manager->queue_task(this->task_manager,
        (task_t*)ike_redirect_create(&this->public, gateway));
#endif
  return this->task_manager->initiate(this->task_manager);
}
2504
2505
/**
 * Retransmit the request with the given message ID, or give up on the SA.
 *
 * If the task manager still retransmits, STAT_OUTBOUND is updated and
 * SUCCESS returned. Otherwise the peer is considered unreachable: while
 * connecting, further keyingtries are attempted (reset + initiate); in all
 * other states the SA is reestablished where configured and DESTROY_ME is
 * returned so the caller tears this SA down.
 *
 * @param message_id   message ID of the request to retransmit
 * @return             SUCCESS/INVALID_STATE from the task manager, or
 *                     DESTROY_ME if the peer is not responding
 */
METHOD(ike_sa_t, retransmit, status_t,
  private_ike_sa_t *this, uint32_t message_id)
{
  if (this->state == IKE_PASSIVE)
  {
    return INVALID_STATE;
  }
  switch (this->task_manager->retransmit(this->task_manager, message_id))
  {
    case SUCCESS:
      this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
      return SUCCESS;
    case INVALID_STATE:
      return INVALID_STATE;
    default:
      break;
  }
  /* send a proper signal to brief interested bus listeners */
  switch (this->state)
  {
    case IKE_CONNECTING:
    {
      /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */
      uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);
      charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE,
                 this->keyingtry);
      this->keyingtry++;
      /* keyingtries of 0 means retrying indefinitely */
      if (tries == 0 || tries > this->keyingtry)
      {
        DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
           this->keyingtry + 1, tries);
        reset(this, TRUE);
        resolve_hosts(this);
        return this->task_manager->initiate(this->task_manager);
      }
      DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");

      if (this->version == IKEV1 && array_count(this->child_sas))
      {
        enumerator_t *enumerator;
        child_sa_t *child_sa;

        /* if reauthenticating an IKEv1 SA failed (assumed for an SA
         * in this state with CHILD_SAs), try again from scratch */
        DBG1(DBG_IKE, "reauthentication failed, trying to "
           "reestablish IKE_SA");
        /* result ignored: this SA is destroyed below either way */
        reestablish(this);
        /* trigger down events for the CHILD_SAs, as no down event
         * is triggered below for IKE SAs in this state */
        enumerator = array_create_enumerator(this->child_sas);
        while (enumerator->enumerate(enumerator, &child_sa))
        {
          if (child_sa->get_state(child_sa) != CHILD_REKEYED &&
            child_sa->get_state(child_sa) != CHILD_DELETED)
          {
            charon->bus->child_updown(charon->bus, child_sa,
                          FALSE);
          }
        }
        enumerator->destroy(enumerator);
      }
      break;
    }
    case IKE_DELETING:
      DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
      /* with make-before-break the new SA already exists, so only the
       * break-before-make reauth needs a reestablish here */
      if (has_condition(this, COND_REAUTHENTICATING) &&
        !lib->settings->get_bool(lib->settings,
                  "%s.make_before_break", TRUE, lib->ns))
      {
        DBG1(DBG_IKE, "delete during reauthentication failed, "
           "trying to reestablish IKE_SA anyway");
        reestablish(this);
      }
      break;
    case IKE_REKEYING:
      DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
      /* FALL */
    default:
      reestablish(this);
      break;
  }
  /* no down event while still connecting (never up) or already rekeyed */
  if (this->state != IKE_CONNECTING &&
    this->state != IKE_REKEYED)
  {
    charon->bus->ike_updown(charon->bus, &this->public, FALSE);
  }
  return DESTROY_ME;
}
2593
2594
/**
 * Set the authentication lifetime of this IKE_SA.
 *
 * Schedules a reauthentication over_time seconds before the lifetime ends
 * (or immediately if the lifetime is shorter than that) and sets the hard
 * delete deadline STAT_DELETE. As IKEv2 responder of an asymmetric setup
 * (virtual IPs or EAP) we cannot reauthenticate ourselves, so instead an
 * AUTH_LIFETIME notify is sent to make the peer do it.
 *
 * NOTE(review): the "received AUTH_LIFETIME" messages indicate the value
 * may come from the peer. now is truncated to uint32_t and hard = now +
 * lifetime can wrap for very large values, in which case max() below falls
 * back to a deadline of now + 10 seconds. Presumably harmless, but confirm.
 *
 * @param lifetime   lifetime in seconds, relative to now
 * @return           result of initiating the AUTH_LIFETIME task, else SUCCESS
 */
METHOD(ike_sa_t, set_auth_lifetime, status_t,
  private_ike_sa_t *this, uint32_t lifetime)
{
  uint32_t diff, hard, soft, now;
  bool send_update;

  diff = this->peer_cfg->get_over_time(this->peer_cfg);
  now = time_monotonic(NULL);
  hard = now + lifetime;
  /* soft underflows if lifetime < diff, but is only used otherwise */
  soft = hard - diff;

  /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime.
   * We send the notify in IKE_AUTH if not yet ESTABLISHED. */
  send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 &&
          !has_condition(this, COND_ORIGINAL_INITIATOR) &&
          (array_count(this->other_vips) != 0 ||
          has_condition(this, COND_EAP_AUTHENTICATED));

  if (lifetime < diff)
  {
    this->stats[STAT_REAUTH] = now;

    if (!send_update)
    {
      DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
         "starting reauthentication", lifetime);
      lib->processor->queue_job(lib->processor,
          (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
    }
  }
  else if (this->stats[STAT_REAUTH] == 0 ||
       this->stats[STAT_REAUTH] > soft)
  {
    /* new lifetime is shorter than what is scheduled: move reauth earlier */
    this->stats[STAT_REAUTH] = soft;
    if (!send_update)
    {
      DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling "
         "reauthentication in %ds", lifetime, lifetime - diff);
      lib->scheduler->schedule_job(lib->scheduler,
            (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
            lifetime - diff);
    }
  }
  else
  {
    /* an earlier reauth is already scheduled, nothing to announce */
    DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
       "reauthentication already scheduled in %ds", lifetime,
       this->stats[STAT_REAUTH] - time_monotonic(NULL));
    send_update = FALSE;
  }
  /* give at least some seconds to reauthenticate */
  this->stats[STAT_DELETE] = max(hard, now + 10);

#ifdef USE_IKEV2
  if (send_update)
  {
    ike_auth_lifetime_t *task;

    task = ike_auth_lifetime_create(&this->public, TRUE);
    this->task_manager->queue_task(this->task_manager, &task->task);
    return this->task_manager->initiate(this->task_manager);
  }
#endif
  return SUCCESS;
}
2659
2660
/**
 * Check if the current combination of source and destination address is still
 * valid.
 *
 * With MOBIKE and prefer_best_path enabled, the path is only considered
 * valid if the kernel's preferred source address for the peer is the one we
 * currently use. Otherwise it is enough that our current local address is
 * still usable to reach the peer.
 *
 * @return  TRUE if the current path can be kept
 */
static bool is_current_path_valid(private_ike_sa_t *this)
{
  host_t *src;
  bool valid = FALSE;
  bool prefer_best;

  prefer_best = supports_extension(this, EXT_MOBIKE) &&
          lib->settings->get_bool(lib->settings,
                      "%s.prefer_best_path", FALSE, lib->ns);
  if (prefer_best)
  {
    /* let the kernel pick the source freely, then compare against ours */
    src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
                        NULL);
  }
  else
  {
    /* ask whether our current local address still works for the peer */
    src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
                        this->my_host);
  }
  if (src)
  {
    valid = src->ip_equals(src, this->my_host);
    src->destroy(src);
  }
  if (!valid)
  {
    if (prefer_best)
    {
      DBG1(DBG_IKE, "old path is not preferred anymore");
    }
    else
    {
      DBG1(DBG_IKE, "old path is not available anymore, try to find another");
    }
  }
  return valid;
}
2703
2704
/**
 * Check if we have any path available for this IKE SA.
 *
 * Walks the known peer addresses (restricted to the address family the
 * socket supports, if only one) and asks the kernel for a source address
 * towards each, stopping at the first that yields one.
 *
 * @return  TRUE if a route to at least one peer address exists
 */
static bool is_any_path_valid(private_ike_sa_t *this)
{
  enumerator_t *addrs;
  host_t *peer, *local = NULL;
  int family;

  switch (charon->socket->supported_families(charon->socket))
  {
    case SOCKET_FAMILY_IPV4:
      family = AF_INET;
      break;
    case SOCKET_FAMILY_IPV6:
      family = AF_INET6;
      break;
    default:
      /* both or none: don't filter by family */
      family = AF_UNSPEC;
      break;
  }

  addrs = create_peer_address_enumerator(this);
  while (!local && addrs->enumerate(addrs, &peer))
  {
    if (family == AF_UNSPEC || peer->get_family(peer) == family)
    {
      DBG1(DBG_IKE, "looking for a route to %H ...", peer);
      local = charon->kernel->get_source_addr(charon->kernel, peer, NULL);
    }
  }
  addrs->destroy(addrs);
  if (!local)
  {
    return FALSE;
  }
  local->destroy(local);
  return TRUE;
}
2749
2750
/**
 * React to a roam event (local address or routing change).
 *
 * Ignored for SAs that are not up, HA SAs without config, IKEv1 SAs, and
 * SAs with a statically configured local address but no MOBIKE. If the
 * current path still works it is kept (optionally announcing an address
 * list update or probing with DPD); if no path to the peer exists the SA is
 * marked COND_STALE. Otherwise the address is updated via MOBIKE, or, if
 * MOBIKE is not available, the SA is reauthenticated (initiator only).
 *
 * @param address   TRUE if local addresses changed (not only routes)
 * @return          SUCCESS, or the result of initiating a queued task
 */
METHOD(ike_sa_t, roam, status_t,
  private_ike_sa_t *this, bool address)
{
  switch (this->state)
  {
    case IKE_CREATED:
    case IKE_DELETING:
    case IKE_DESTROYING:
    case IKE_PASSIVE:
    case IKE_REKEYED:
      return SUCCESS;
    default:
      break;
  }

  if (!this->ike_cfg)
  { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and
     * without config assigned */
    return SUCCESS;
  }
  if (this->version == IKEV1)
  { /* ignore roam events for IKEv1 where we don't have MOBIKE and would
     * have to reestablish from scratch (reauth is not enough) */
    return SUCCESS;
  }

  /* ignore roam events if MOBIKE is not supported/enabled and the local
   * address is statically configured */
  if (!supports_extension(this, EXT_MOBIKE) &&
    ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
  {
    DBG2(DBG_IKE, "keeping statically configured path %H - %H",
       this->my_host, this->other_host);
    return SUCCESS;
  }

  /* keep existing path if possible */
  if (is_current_path_valid(this))
  {
    DBG2(DBG_IKE, "keeping connection path %H - %H",
       this->my_host, this->other_host);
    set_condition(this, COND_STALE, FALSE);

    if (supports_extension(this, EXT_MOBIKE) && address)
    { /* if any addresses changed, send an updated list */
      DBG1(DBG_IKE, "sending address list update using MOBIKE");
      this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE);
      return this->task_manager->initiate(this->task_manager);
    }
    /* optional liveness probe of the unchanged path, only if no other
     * exchange is currently active */
    if (lib->settings->get_bool(lib->settings,
                "%s.check_current_path", FALSE, lib->ns) &&
      !this->task_manager->busy(this->task_manager))
    {
      DBG1(DBG_IKE, "checking if current path still works using DPD");
      this->task_manager->queue_dpd(this->task_manager);
      return this->task_manager->initiate(this->task_manager);
    }
    return SUCCESS;
  }

  if (!is_any_path_valid(this))
  {
    /* nothing to do until connectivity returns; a later roam event will
     * re-evaluate the stale SA */
    DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
       this->other_host);
    set_condition(this, COND_STALE, TRUE);
    return SUCCESS;
  }
  set_condition(this, COND_STALE, FALSE);

  /* update addresses with mobike, if supported ... */
  if (supports_extension(this, EXT_MOBIKE))
  {
    if (!has_condition(this, COND_ORIGINAL_INITIATOR))
    { /* responder updates the peer about changed address config */
      DBG1(DBG_IKE, "sending address list update using MOBIKE, "
         "implicitly requesting an address change");
      address = TRUE;
    }
    else
    {
      DBG1(DBG_IKE, "requesting address change using MOBIKE");
    }
    this->task_manager->queue_mobike(this->task_manager, TRUE, address);
    return this->task_manager->initiate(this->task_manager);
  }

  /* ... reauth if not */
  if (!has_condition(this, COND_ORIGINAL_INITIATOR))
  { /* responder does not reauthenticate */
    set_condition(this, COND_STALE, TRUE);
    return SUCCESS;
  }
  DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
  /* since our previous path is not valid anymore, try and find a new one */
  resolve_hosts(this);
  return reauth(this);
}
2847
2848
/**
 * Remember a configuration attribute exchanged on this IKE_SA.
 *
 * @param handler   handler that processed the attribute, NULL if unhandled
 * @param type      attribute type
 * @param data      attribute value, cloned (caller keeps ownership of data)
 */
METHOD(ike_sa_t, add_configuration_attribute, void,
  private_ike_sa_t *this, attribute_handler_t *handler,
  configuration_attribute_type_t type, chunk_t data)
{
  attribute_entry_t entry = { .handler = handler };

  entry.type = type;
  /* keep our own copy, the caller's chunk need not outlive this call */
  entry.data = chunk_clone(data);
  array_insert(this->attributes, ARRAY_TAIL, &entry);
}
2859
2860
/**
 * Filter callback mapping stored attribute entries to the
 * (type, data, handled) triple exposed by create_attribute_enumerator().
 */
CALLBACK(filter_attribute, bool,
  void *null, enumerator_t *orig, va_list args)
{
  attribute_entry_t *entry;
  configuration_attribute_type_t *type_out;
  chunk_t *data_out;
  bool *handled_out;

  VA_ARGS_VGET(args, type_out, data_out, handled_out);

  if (!orig->enumerate(orig, &entry))
  {
    return FALSE;
  }
  *type_out = entry->type;
  /* the stored chunk itself is handed out, no copy is made here */
  *data_out = entry->data;
  /* entries with a handler attached are reported as handled */
  *handled_out = (entry->handler != NULL);
  return TRUE;
}
2879
2880
/**
 * Enumerate configuration attributes as (type, data, handled).
 */
METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*,
  private_ike_sa_t *this)
{
  enumerator_t *inner;

  /* wrap the raw entry enumerator so callers see the public triple */
  inner = array_create_enumerator(this->attributes);
  return enumerator_create_filter(inner, filter_attribute, NULL, NULL);
}
2886
2887
/**
 * Enumerate the tasks in the given queue; delegates to the task manager.
 */
METHOD(ike_sa_t, create_task_enumerator, enumerator_t*,
  private_ike_sa_t *this, task_queue_t queue)
{
  task_manager_t *tm = this->task_manager;

  return tm->create_task_enumerator(tm, queue);
}
2892
2893
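/**
 * Remove the task at the enumerator's current position; delegates to the
 * task manager.
 *
 * @param enumerator   enumerator created by create_task_enumerator()
 */
METHOD(ike_sa_t, remove_task, void,
  private_ike_sa_t *this, enumerator_t *enumerator)
{
  /* plain call: "return <void expr>;" in a void function is not valid
   * standard C and only tolerated as a compiler extension */
  this->task_manager->remove_task(this->task_manager, enumerator);
}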
2898
2899
/**
 * Flush all tasks in the given queue; delegates to the task manager.
 */
METHOD(ike_sa_t, flush_queue, void,
  private_ike_sa_t *this, task_queue_t queue)
{
  task_manager_t *tm = this->task_manager;

  tm->flush_queue(tm, queue);
}
2904
2905
/**
 * Queue a task on this IKE_SA; delegates to the task manager, which takes
 * ownership of the task.
 */
METHOD(ike_sa_t, queue_task, void,
  private_ike_sa_t *this, task_t *task)
{
  task_manager_t *tm = this->task_manager;

  tm->queue_task(tm, task);
}
2910
2911
/**
 * Queue a task to be initiated after the given delay; delegates to the
 * task manager.
 *
 * @param task    task to queue (ownership passes to the task manager)
 * @param delay   delay before the task is initiated
 */
METHOD(ike_sa_t, queue_task_delayed, void,
  private_ike_sa_t *this, task_t *task, uint32_t delay)
{
  task_manager_t *tm = this->task_manager;

  tm->queue_task_delayed(tm, task, delay);
}
2916
2917
/**
 * Migrate and queue child-creating tasks from another IKE_SA
 *
 * Tasks of type TASK_CHILD_CREATE or TASK_QUICK_MODE are removed from the
 * other SA's queue, re-homed on this SA via task->migrate() and queued here.
 * All other tasks stay where they are.
 *
 * @param this    IKE_SA that takes over the tasks
 * @param other   IKE_SA the tasks are taken from
 * @param queue   queue of the other SA to inspect
 */
static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other,
                task_queue_t queue)
{
  enumerator_t *tasks;
  task_t *task;
  task_type_t type;

  tasks = other->create_task_enumerator(other, queue);
  while (tasks->enumerate(tasks, &task))
  {
    type = task->get_type(task);
    if (type != TASK_CHILD_CREATE && type != TASK_QUICK_MODE)
    {
      continue;
    }
    /* detach from the old SA's queue first, then re-home and re-queue */
    other->remove_task(other, tasks);
    task->migrate(task, &this->public);
    queue_task(this, task);
  }
  tasks->destroy(tasks);
}
/**
 * Take over the child-creating tasks of another IKE_SA, first those that
 * are active there, then those merely queued, so they are queued here in
 * that order.
 *
 * @param other   IKE_SA to take the tasks from
 */
METHOD(ike_sa_t, adopt_child_tasks, void,
  private_ike_sa_t *this, ike_sa_t *other)
{
  static const task_queue_t queues[] = {
    TASK_QUEUE_ACTIVE,
    TASK_QUEUE_QUEUED,
  };
  size_t i;

  for (i = 0; i < sizeof(queues) / sizeof(queues[0]); i++)
  {
    migrate_child_tasks(this, other, queues[i]);
  }
}
/**
 * First half of taking over another IKE_SA (e.g. during rekeying): copy the
 * peer config, the endpoint addresses and the extension/condition flags.
 *
 * COND_STALE and COND_REAUTHENTICATING are the only flags not carried over;
 * they describe the old IKE_SA's own lifecycle.
 *
 * @param other_public  IKE_SA to inherit from
 */
METHOD(ike_sa_t, inherit_pre, void,
  private_ike_sa_t *this, ike_sa_t *other_public)
{
  private_ike_sa_t *other = (private_ike_sa_t*)other_public;
  host_t *me, *peer;

  /* the hosts are cloned, the other IKE_SA keeps its own instances */
  set_peer_cfg(this, other->peer_cfg);
  me = other->my_host->clone(other->my_host);
  set_my_host(this, me);
  peer = other->other_host->clone(other->other_host);
  set_other_host(this, peer);

  this->extensions = other->extensions;
  this->private_extensions = other->private_extensions;
  this->private_conditions = other->private_conditions;
  this->conditions = other->conditions & ~(COND_STALE | COND_REAUTHENTICATING);
}
/**
 * Move all hosts from the head of one array to the tail of another,
 * creating the destination array on demand. The source ends up empty.
 *
 * @param from    array to drain
 * @param to      pointer to the array to fill, may point to NULL
 */
static void inherit_move_hosts(array_t *from, array_t **to)
{
  host_t *host;

  while (array_remove(from, ARRAY_HEAD, &host))
  {
    array_insert_create(to, ARRAY_TAIL, host);
  }
}

/**
 * Append a clone of every auth config in one array to another array.
 *
 * @param from    array of auth_cfg_t* to read
 * @param to      array to append the clones to
 */
static void inherit_clone_auths(array_t *from, array_t *to)
{
  enumerator_t *enumerator;
  auth_cfg_t *cfg;

  enumerator = array_create_enumerator(from);
  while (enumerator->enumerate(enumerator, &cfg))
  {
    array_insert(to, ARRAY_TAIL, cfg->clone(cfg));
  }
  enumerator->destroy(enumerator);
}

/**
 * Second half of taking over another IKE_SA: addresses, identities,
 * virtual IPs, auth rounds, attributes, CHILD_SAs and pending tasks move
 * (or are copied) to this IKE_SA, and a pending reauthentication deadline
 * is rescheduled on this IKE_SA.
 *
 * Virtual IPs, peer addresses, configuration attributes and CHILD_SAs are
 * moved, so the other IKE_SA no longer owns them afterwards; hosts, ids and
 * auth configs are cloned.
 *
 * @param other_public  IKE_SA to inherit from
 */
METHOD(ike_sa_t, inherit_post, void,
  private_ike_sa_t *this, ike_sa_t *other_public)
{
  private_ike_sa_t *other = (private_ike_sa_t*)other_public;
  attribute_entry_t attribute;
  child_sa_t *child;

  /* endpoints, identities and interface IDs */
  set_my_host(this, other->my_host->clone(other->my_host));
  set_other_host(this, other->other_host->clone(other->other_host));
  set_my_id(this, other->my_id->clone(other->my_id));
  set_other_id(this, other->other_id->clone(other->other_id));
  this->if_id_in = other->if_id_in;
  this->if_id_out = other->if_id_out;

  /* assigned virtual IPs and MOBIKE peer addresses are moved, not copied */
  inherit_move_hosts(other->my_vips, &this->my_vips);
  inherit_move_hosts(other->other_vips, &this->other_vips);
  inherit_move_hosts(other->peer_addresses, &this->peer_addresses);

  /* authentication rounds are cloned */
  inherit_clone_auths(other->my_auths, this->my_auths);
  inherit_clone_auths(other->other_auths, this->other_auths);

  /* configuration attributes move together with their handler reference */
  while (array_remove(other->attributes, ARRAY_HEAD, &attribute))
  {
    array_insert(this->attributes, ARRAY_TAIL, &attribute);
  }

  if (this->conditions & COND_NAT_HERE)
  {
    send_keepalive(this, FALSE);
  }

#ifdef ME
  if (other->is_mediation_server)
  {
    act_as_mediation_server(this);
  }
  else if (other->server_reflexive_host)
  {
    this->server_reflexive_host = other->server_reflexive_host->clone(
        other->server_reflexive_host);
  }
#endif /* ME */

  /* CHILD_SAs are re-registered with the manager under this IKE_SA */
  while (array_remove(other->child_sas, ARRAY_HEAD, &child))
  {
    charon->child_sa_manager->remove(charon->child_sa_manager, child);
    add_child_sa(this, child);
  }

  /* pending tasks follow to this IKE_SA */
  this->task_manager->adopt_tasks(this->task_manager, other->task_manager);

  /* a reauthentication deadline of the old IKE_SA survives the rekeying */
  if (other->stats[STAT_REAUTH])
  {
    time_t now = time_monotonic(NULL);
    time_t until_reauth, until_delete;

    this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
    /* a deadline that already passed fires immediately */
    until_reauth = max(0, this->stats[STAT_REAUTH] - now);
    until_delete = until_reauth +
             this->peer_cfg->get_over_time(this->peer_cfg);
    this->stats[STAT_DELETE] = now + until_delete;
    /* NOTE(review): both values are time_t but formatted with %d; verify
     * the argument width matches on the target platform */
    DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
       "lifetime reduced to %ds", until_reauth, until_delete);
    lib->scheduler->schedule_job(lib->scheduler,
        (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), until_reauth);
    lib->scheduler->schedule_job(lib->scheduler,
        (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), until_delete);
  }
}
/**
 * Hand claimed configuration attributes back to their handler and free the
 * attribute data. Runs before anything else is torn down, because the
 * handler is passed the still-intact IKE_SA.
 */
static void teardown_attributes(private_ike_sa_t *this)
{
  attribute_entry_t entry;

  charon->bus->handle_vips(charon->bus, &this->public, FALSE);
  while (array_remove(this->attributes, ARRAY_TAIL, &entry))
  {
    if (entry.handler)
    {
      charon->attributes->release(charon->attributes, entry.handler,
                    &this->public, entry.type, entry.data);
    }
    free(entry.data.ptr);
  }
}

/**
 * Deregister and destroy all CHILD_SAs. Must run before the virtual IPs
 * are removed, otherwise routes a CHILD_SA still wants to uninstall might
 * already be gone.
 */
static void teardown_child_sas(private_ike_sa_t *this)
{
  child_sa_t *child_sa;

  while (array_remove(this->child_sas, ARRAY_HEAD, &child_sa))
  {
    charon->child_sa_manager->remove(charon->child_sa_manager, child_sa);
    child_sa->destroy(child_sa);
  }
}

/**
 * Remove our own virtual IPs from the kernel and return the peer's virtual
 * IPs to the pools of the peer config, if there still is one.
 */
static void teardown_virtual_ips(private_ike_sa_t *this)
{
  host_t *vip;

  while (array_remove(this->my_vips, ARRAY_TAIL, &vip))
  {
    charon->kernel->del_ip(charon->kernel, vip, -1, TRUE);
    vip->destroy(vip);
  }
  if (array_count(this->other_vips))
  {
    charon->bus->assign_vips(charon->bus, &this->public, FALSE);
  }
  while (array_remove(this->other_vips, ARRAY_TAIL, &vip))
  {
    if (this->peer_cfg)
    {
      linked_list_t *pools;

      pools = linked_list_create_from_enumerator(
            this->peer_cfg->create_pool_enumerator(this->peer_cfg));
      charon->attributes->release_address(charon->attributes,
                        pools, vip, &this->public);
      pools->destroy(pools);
    }
    vip->destroy(vip);
  }
}

/**
 * Tear down the IKE_SA: flush its tasks, release attributes, CHILD_SAs and
 * virtual IPs while the SA is still published on the bus, then destroy all
 * owned objects and free the struct.
 *
 * Tolerates a NULL task_manager and keymat, which ike_sa_create() relies on
 * when it fails half-way through.
 */
METHOD(ike_sa_t, destroy, void,
  private_ike_sa_t *this)
{
  charon->bus->set_sa(charon->bus, &this->public);

  set_state(this, IKE_DESTROYING);
  if (this->task_manager)
  {
    this->task_manager->flush(this->task_manager);
  }

  /* order matters here, see the helpers */
  teardown_attributes(this);
  teardown_child_sas(this);
  teardown_virtual_ips(this);

  /* listeners must not see the SA once its objects start to go away */
  charon->bus->set_sa(charon->bus, NULL);

  array_destroy(this->child_sas);
  DESTROY_IF(this->task_manager);
  DESTROY_IF(this->keymat);
  array_destroy(this->attributes);
  array_destroy(this->my_vips);
  array_destroy(this->other_vips);
  array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy));
#ifdef ME
  if (this->is_mediation_server)
  {
    charon->mediation_manager->remove(charon->mediation_manager,
                      this->ike_sa_id);
  }
  DESTROY_IF(this->server_reflexive_host);
  chunk_free(&this->connect_id);
#endif /* ME */
  free(this->nat_detection_dest.ptr);

  DESTROY_IF(this->my_host);
  DESTROY_IF(this->other_host);
  DESTROY_IF(this->my_id);
  DESTROY_IF(this->other_id);
  DESTROY_IF(this->local_host);
  DESTROY_IF(this->remote_host);
  DESTROY_IF(this->redirected_from);
  array_destroy(this->redirected_at);

  DESTROY_IF(this->ike_cfg);
  DESTROY_IF(this->peer_cfg);
  DESTROY_IF(this->proposal);
  /* my_auth/other_auth and ike_sa_id are always set by ike_sa_create() */
  this->my_auth->destroy(this->my_auth);
  this->other_auth->destroy(this->other_auth);
  array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy));
  array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy));

  this->ike_sa_id->destroy(this->ike_sa_id);
  free(this);
}
/*
 * Described in header.
 *
 * Allocates a private_ike_sa_t, wires up its public method table, clones
 * the given SA id and reads the keep-alive, retry and redirect settings
 * from lib->settings under the daemon's namespace.
 *
 * @param ike_sa_id  id to clone, the caller keeps ownership of its copy
 * @param initiator  passed on to keymat_create()
 * @param version    IKEV1, IKEV2 or IKE_ANY (IKE_ANY becomes IKEv2 when
 *                   built with USE_IKEV2, IKEv1 otherwise)
 * @return           new IKE_SA, or NULL if no keymat or task manager
 *                   exists for the requested version (the partially built
 *                   object is released through destroy())
 */
ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
             ike_version_t version)
{
  private_ike_sa_t *this;
  /* process-wide counter behind get_unique_id(); ref_get_nonzero() never
   * hands out 0 */
  static refcount_t unique_id = 0;

  if (version == IKE_ANY)
  { /* prefer IKEv2 if protocol not specified */
#ifdef USE_IKEV2
    version = IKEV2;
#else
    version = IKEV1;
#endif
  }

  INIT(this,
    .public = {
      .get_version = _get_version,
      .get_state = _get_state,
      .set_state = _set_state,
      .get_name = _get_name,
      .get_statistic = _get_statistic,
      .set_statistic = _set_statistic,
      .process_message = _process_message,
      .initiate = _initiate,
      .retry_initiate = _retry_initiate,
      .get_ike_cfg = _get_ike_cfg,
      .set_ike_cfg = _set_ike_cfg,
      .get_peer_cfg = _get_peer_cfg,
      .set_peer_cfg = _set_peer_cfg,
      .get_auth_cfg = _get_auth_cfg,
      .create_auth_cfg_enumerator = _create_auth_cfg_enumerator,
      .verify_peer_certificate = _verify_peer_certificate,
      .add_auth_cfg = _add_auth_cfg,
      .get_proposal = _get_proposal,
      .set_proposal = _set_proposal,
      .get_id = _get_id,
      .get_my_host = _get_my_host,
      .set_my_host = _set_my_host,
      .get_other_host = _get_other_host,
      .set_other_host = _set_other_host,
      .set_message_id = _set_message_id,
      .get_message_id = _get_message_id,
      .float_ports = _float_ports,
      .update_hosts = _update_hosts,
      .get_my_id = _get_my_id,
      .set_my_id = _set_my_id,
      .get_other_id = _get_other_id,
      .set_other_id = _set_other_id,
      .get_other_eap_id = _get_other_eap_id,
      .enable_extension = _enable_extension,
      .supports_extension = _supports_extension,
      .set_condition = _set_condition,
      .has_condition = _has_condition,
      .create_peer_address_enumerator = _create_peer_address_enumerator,
      .add_peer_address = _add_peer_address,
      .clear_peer_addresses = _clear_peer_addresses,
      .has_mapping_changed = _has_mapping_changed,
      .retransmit = _retransmit,
      .delete = _delete_,
      .destroy = _destroy,
      .send_dpd = _send_dpd,
      .send_keepalive = _send_keepalive,
      .redirect = _redirect,
      .handle_redirect = _handle_redirect,
      .get_redirected_from = _get_redirected_from,
      .get_keymat = _get_keymat,
      .add_child_sa = _add_child_sa,
      .get_child_sa = _get_child_sa,
      .get_child_count = _get_child_count,
      .create_child_sa_enumerator = _create_child_sa_enumerator,
      .remove_child_sa = _remove_child_sa,
      .rekey_child_sa = _rekey_child_sa,
      .delete_child_sa = _delete_child_sa,
      .destroy_child_sa = _destroy_child_sa,
      .rekey = _rekey,
      .reauth = _reauth,
      .reestablish = _reestablish,
      .set_auth_lifetime = _set_auth_lifetime,
      .roam = _roam,
      .inherit_pre = _inherit_pre,
      .inherit_post = _inherit_post,
      .generate_message = _generate_message,
      .generate_message_fragmented = _generate_message_fragmented,
      .reset = _reset,
      .get_unique_id = _get_unique_id,
      .add_virtual_ip = _add_virtual_ip,
      .clear_virtual_ips = _clear_virtual_ips,
      .create_virtual_ip_enumerator = _create_virtual_ip_enumerator,
      .add_configuration_attribute = _add_configuration_attribute,
      .create_attribute_enumerator = _create_attribute_enumerator,
      .get_if_id = _get_if_id,
      .set_kmaddress = _set_kmaddress,
      .create_task_enumerator = _create_task_enumerator,
      .remove_task = _remove_task,
      .flush_queue = _flush_queue,
      .queue_task = _queue_task,
      .queue_task_delayed = _queue_task_delayed,
      .adopt_child_tasks = _adopt_child_tasks,
    },
    .ike_sa_id = ike_sa_id->clone(ike_sa_id),
    .version = version,
    /* placeholder endpoints and identities until the real ones are set */
    .my_host = host_create_any(AF_INET),
    .other_host = host_create_any(AF_INET),
    .my_id = identification_create_from_encoding(ID_ANY, chunk_empty),
    .other_id = identification_create_from_encoding(ID_ANY, chunk_empty),
    /* may be NULL if the version is not supported, checked below */
    .keymat = keymat_create(version, initiator),
    .state = IKE_CREATED,
    .stats[STAT_INBOUND] = time_monotonic(NULL),
    .stats[STAT_OUTBOUND] = time_monotonic(NULL),
    .my_auth = auth_cfg_create(),
    .other_auth = auth_cfg_create(),
    .my_auths = array_create(0, 0),
    .other_auths = array_create(0, 0),
    .attributes = array_create(sizeof(attribute_entry_t), 0),
    .unique_id = ref_get_nonzero(&unique_id),
    /* all settings are namespaced with lib->ns, e.g. charon.keep_alive */
    .keepalive_interval = lib->settings->get_time(lib->settings,
                "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns),
    .keepalive_dpd_margin = lib->settings->get_time(lib->settings,
                "%s.keep_alive_dpd_margin", 0, lib->ns),
    .retry_initiate_interval = lib->settings->get_time(lib->settings,
                "%s.retry_initiate_interval", 0, lib->ns),
    .flush_auth_cfg = lib->settings->get_bool(lib->settings,
                "%s.flush_auth_cfg", FALSE, lib->ns),
    .follow_redirects = lib->settings->get_bool(lib->settings,
                "%s.follow_redirects", TRUE, lib->ns),
  );

#ifdef ME
  /* mediation extension methods are added outside INIT as the fields only
   * exist in ME builds */
  this->public.act_as_mediation_server = _act_as_mediation_server;
  this->public.get_server_reflexive_host = _get_server_reflexive_host;
  this->public.set_server_reflexive_host = _set_server_reflexive_host;
  this->public.get_connect_id = _get_connect_id;
  this->public.initiate_mediation = _initiate_mediation;
  this->public.initiate_mediated = _initiate_mediated;
  this->public.relay = _relay;
  this->public.callback = _callback;
  this->public.respond = _respond;
#endif /* ME */

  if (version == IKEV2)
  { /* always supported with IKEv2 */
    enable_extension(this, EXT_DPD);
  }

  /* may be NULL if the version is not supported, checked below */
  this->task_manager = task_manager_create(&this->public);
  this->my_host->set_port(this->my_host,
              charon->socket->get_port(charon->socket, FALSE));

  if (!this->task_manager || !this->keymat)
  {
    DBG1(DBG_IKE, "IKE version %d not supported", this->version);
    /* destroy() guards task_manager and keymat against NULL, everything
     * else above is always initialized */
    destroy(this);
    return NULL;
  }
  return &this->public;
}
/**
 * Check whether the peer config has at least one address pool configured.
 *
 * @return    TRUE if a peer config is set and lists at least one pool
 */
static bool have_pool(private_ike_sa_t *this)
{
  enumerator_t *pools;
  bool configured;

  if (!this->peer_cfg)
  {
    return FALSE;
  }
  pools = this->peer_cfg->create_pool_enumerator(this->peer_cfg);
  /* only the existence of a first entry matters, not its value */
  configured = pools->enumerate(pools, NULL);
  pools->destroy(pools);
  return configured;
}
/*
 * Described in header
 *
 * Returns the virtual IPs of one side as a list. Without virtual IPs, the
 * local side falls back to my_host; the remote side falls back to
 * other_host only when no address pool is configured, otherwise the list
 * is left empty. The hosts are not cloned and remain owned by the IKE_SA.
 */
linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
{
  private_ike_sa_t *this = (private_ike_sa_t*)ike_sa;
  linked_list_t *hosts = linked_list_create();
  enumerator_t *vips;
  host_t *vip;

  vips = create_virtual_ip_enumerator(this, local);
  while (vips->enumerate(vips, &vip))
  {
    hosts->insert_last(hosts, vip);
  }
  vips->destroy(vips);

  if (hosts->get_count(hosts) > 0)
  {
    return hosts;
  }
  /* no virtual IPs assigned, fall back to the real endpoint */
  if (local)
  {
    hosts->insert_last(hosts, this->my_host);
  }
  else if (!have_pool(this))
  {
    /* with a pool configured the remote host is deliberately not used */
    hosts->insert_last(hosts, this->other_host);
  }
  return hosts;
}