/src/strongswan/src/libcharon/sa/ike_sa.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) 2006-2024 Tobias Brunner |
3 | | * Copyright (C) 2006 Daniel Roethlisberger |
4 | | * Copyright (C) 2005-2009 Martin Willi |
5 | | * Copyright (C) 2005 Jan Hutter |
6 | | * |
7 | | * Copyright (C) secunet Security Networks AG |
8 | | * |
9 | | * This program is free software; you can redistribute it and/or modify it |
10 | | * under the terms of the GNU General Public License as published by the |
11 | | * Free Software Foundation; either version 2 of the License, or (at your |
12 | | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
13 | | * |
14 | | * This program is distributed in the hope that it will be useful, but |
15 | | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
16 | | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
17 | | * for more details. |
18 | | */ |
19 | | |
20 | | /* |
21 | | * Copyright (c) 2014 Volker RĂ¼melin |
22 | | * |
23 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
24 | | * of this software and associated documentation files (the "Software"), to deal |
25 | | * in the Software without restriction, including without limitation the rights |
26 | | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
27 | | * copies of the Software, and to permit persons to whom the Software is |
28 | | * furnished to do so, subject to the following conditions: |
29 | | * |
30 | | * The above copyright notice and this permission notice shall be included in |
31 | | * all copies or substantial portions of the Software. |
32 | | * |
33 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
34 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
35 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
36 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
37 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
38 | | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
39 | | * THE SOFTWARE. |
40 | | */ |
41 | | |
42 | | #include <string.h> |
43 | | #include <sys/stat.h> |
44 | | #include <errno.h> |
45 | | #include <time.h> |
46 | | |
47 | | #include "ike_sa.h" |
48 | | |
49 | | #include <library.h> |
50 | | #include <daemon.h> |
51 | | #include <collections/array.h> |
52 | | #include <utils/lexparser.h> |
53 | | #include <processing/jobs/retransmit_job.h> |
54 | | #include <processing/jobs/delete_ike_sa_job.h> |
55 | | #include <processing/jobs/send_dpd_job.h> |
56 | | #include <processing/jobs/send_keepalive_job.h> |
57 | | #include <processing/jobs/rekey_ike_sa_job.h> |
58 | | #include <processing/jobs/retry_initiate_job.h> |
59 | | #include <sa/ikev2/tasks/ike_auth_lifetime.h> |
60 | | #include <sa/ikev2/tasks/ike_reauth_complete.h> |
61 | | #include <sa/ikev2/tasks/ike_redirect.h> |
62 | | #include <credentials/sets/auth_cfg_wrapper.h> |
63 | | |
64 | | #ifdef ME |
65 | | #include <sa/ikev2/tasks/ike_me.h> |
66 | | #include <processing/jobs/initiate_mediation_job.h> |
67 | | #endif |
68 | | |
69 | | ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING, |
70 | | "CREATED", |
71 | | "CONNECTING", |
72 | | "ESTABLISHED", |
73 | | "PASSIVE", |
74 | | "REKEYING", |
75 | | "REKEYED", |
76 | | "DELETING", |
77 | | "DESTROYING", |
78 | | ); |
79 | | |
80 | | typedef struct private_ike_sa_t private_ike_sa_t; |
81 | | typedef struct attribute_entry_t attribute_entry_t; |
82 | | |
83 | | /** |
84 | | * Private data of an ike_sa_t object. |
85 | | */ |
86 | | struct private_ike_sa_t { |
87 | | |
88 | | /** |
89 | | * Public members |
90 | | */ |
91 | | ike_sa_t public; |
92 | | |
93 | | /** |
94 | | * Identifier for the current IKE_SA. |
95 | | */ |
96 | | ike_sa_id_t *ike_sa_id; |
97 | | |
98 | | /** |
99 | | * IKE version of this SA. |
100 | | */ |
101 | | ike_version_t version; |
102 | | |
103 | | /** |
104 | | * unique numerical ID for this IKE_SA. |
105 | | */ |
106 | | uint32_t unique_id; |
107 | | |
108 | | /** |
109 | | * Current state of the IKE_SA |
110 | | */ |
111 | | ike_sa_state_t state; |
112 | | |
113 | | /** |
114 | | * IKE configuration used to set up this IKE_SA |
115 | | */ |
116 | | ike_cfg_t *ike_cfg; |
117 | | |
118 | | /** |
119 | | * Peer and authentication information to establish IKE_SA. |
120 | | */ |
121 | | peer_cfg_t *peer_cfg; |
122 | | |
123 | | /** |
124 | | * currently used authentication ruleset, local |
125 | | */ |
126 | | auth_cfg_t *my_auth; |
127 | | |
128 | | /** |
129 | | * currently used authentication constraints, remote |
130 | | */ |
131 | | auth_cfg_t *other_auth; |
132 | | |
133 | | /** |
134 | | * Array of completed local authentication rounds (as auth_cfg_t) |
135 | | */ |
136 | | array_t *my_auths; |
137 | | |
138 | | /** |
139 | | * Array of completed remote authentication rounds (as auth_cfg_t) |
140 | | */ |
141 | | array_t *other_auths; |
142 | | |
143 | | /** |
144 | | * Selected IKE proposal |
145 | | */ |
146 | | proposal_t *proposal; |
147 | | |
148 | | /** |
149 | | * Juggles tasks to process messages |
150 | | */ |
151 | | task_manager_t *task_manager; |
152 | | |
153 | | /** |
154 | | * Address of local host |
155 | | */ |
156 | | host_t *my_host; |
157 | | |
158 | | /** |
159 | | * Address of remote host |
160 | | */ |
161 | | host_t *other_host; |
162 | | |
163 | | #ifdef ME |
164 | | /** |
165 | | * Are we mediation server |
166 | | */ |
167 | | bool is_mediation_server; |
168 | | |
169 | | /** |
170 | | * Server reflexive host |
171 | | */ |
172 | | host_t *server_reflexive_host; |
173 | | |
174 | | /** |
175 | | * Connect ID |
176 | | */ |
177 | | chunk_t connect_id; |
178 | | #endif /* ME */ |
179 | | |
180 | | /** |
181 | | * Identification used for us |
182 | | */ |
183 | | identification_t *my_id; |
184 | | |
185 | | /** |
186 | | * Identification used for other |
187 | | */ |
188 | | identification_t *other_id; |
189 | | |
190 | | /** |
191 | | * Set of extensions the peer supports |
192 | | */ |
193 | | ike_extension_t extensions; |
194 | | |
195 | | /** |
196 | | * Set of private xtensions the peer supports |
197 | | */ |
198 | | ike_extension_t private_extensions; |
199 | | |
200 | | /** |
201 | | * Set of condition flags currently enabled for this IKE_SA |
202 | | */ |
203 | | ike_condition_t conditions; |
204 | | |
205 | | /** |
206 | | * Set of private condition flags currently enabled for this IKE_SA |
207 | | */ |
208 | | ike_condition_t private_conditions; |
209 | | |
210 | | /** |
211 | | * Array containing the child sa's of the current IKE_SA. |
212 | | */ |
213 | | array_t *child_sas; |
214 | | |
215 | | /** |
216 | | * keymat of this IKE_SA |
217 | | */ |
218 | | keymat_t *keymat; |
219 | | |
220 | | /** |
221 | | * Virtual IPs on local host |
222 | | */ |
223 | | array_t *my_vips; |
224 | | |
225 | | /** |
226 | | * Virtual IPs on remote host |
227 | | */ |
228 | | array_t *other_vips; |
229 | | |
230 | | /** |
231 | | * List of configuration attributes (attribute_entry_t) |
232 | | */ |
233 | | array_t *attributes; |
234 | | |
235 | | /** |
236 | | * list of peer's addresses, additional ones transmitted via MOBIKE |
237 | | */ |
238 | | array_t *peer_addresses; |
239 | | |
240 | | /** |
241 | | * previously value of received DESTINATION_IP hash |
242 | | */ |
243 | | chunk_t nat_detection_dest; |
244 | | |
245 | | /** |
246 | | * NAT keep alive interval |
247 | | */ |
248 | | uint32_t keepalive_interval; |
249 | | |
250 | | /** |
251 | | * Time the NAT keep alive interval may be exceeded before triggering a DPD |
252 | | * instead of a NAT keep alive |
253 | | */ |
254 | | uint32_t keepalive_dpd_margin; |
255 | | |
256 | | /** |
257 | | * The scheduled keep alive job, if any |
258 | | */ |
259 | | send_keepalive_job_t *keepalive_job; |
260 | | |
261 | | /** |
262 | | * interval for retries during initiation (e.g. if DNS resolution failed), |
263 | | * 0 to disable (default) |
264 | | */ |
265 | | uint32_t retry_initiate_interval; |
266 | | |
267 | | /** |
268 | | * TRUE if a retry_initiate_job has been queued |
269 | | */ |
270 | | bool retry_initiate_queued; |
271 | | |
272 | | /** |
273 | | * Timestamps for this IKE_SA |
274 | | */ |
275 | | uint32_t stats[STAT_MAX]; |
276 | | |
277 | | /** |
278 | | * how many times we have retried so far (keyingtries) |
279 | | */ |
280 | | uint32_t keyingtry; |
281 | | |
282 | | /** |
283 | | * local host address to be used for IKE, set via MIGRATE kernel message |
284 | | */ |
285 | | host_t *local_host; |
286 | | |
287 | | /** |
288 | | * remote host address to be used for IKE, set via MIGRATE kernel message |
289 | | */ |
290 | | host_t *remote_host; |
291 | | |
292 | | /** |
293 | | * Flush auth configs once established? |
294 | | */ |
295 | | bool flush_auth_cfg; |
296 | | |
297 | | /** |
298 | | * Maximum length of a single fragment, 0 for address-specific defaults |
299 | | */ |
300 | | size_t fragment_size; |
301 | | |
302 | | /** |
303 | | * Whether to follow IKEv2 redirects |
304 | | */ |
305 | | bool follow_redirects; |
306 | | |
307 | | /** |
308 | | * Original gateway address from which we got redirected |
309 | | */ |
310 | | host_t *redirected_from; |
311 | | |
312 | | /** |
313 | | * Timestamps of redirect attempts to handle loops |
314 | | */ |
315 | | array_t *redirected_at; |
316 | | |
317 | | /** |
318 | | * Inbound interface ID |
319 | | */ |
320 | | uint32_t if_id_in; |
321 | | |
322 | | /** |
323 | | * Outbound interface ID |
324 | | */ |
325 | | uint32_t if_id_out; |
326 | | }; |
327 | | |
328 | | /** |
329 | | * Entry to maintain install configuration attributes during IKE_SA lifetime |
330 | | */ |
331 | | struct attribute_entry_t { |
332 | | /** handler used to install this attribute */ |
333 | | attribute_handler_t *handler; |
334 | | /** attribute type */ |
335 | | configuration_attribute_type_t type; |
336 | | /** attribute data */ |
337 | | chunk_t data; |
338 | | }; |
339 | | |
340 | | /** |
341 | | * Determine the fragment size based on the address family of the remote host. |
342 | | */ |
343 | | static void determine_fragment_size(private_ike_sa_t *this) |
344 | 0 | { |
345 | 0 | int family; |
346 | |
|
347 | 0 | family = this->other_host->get_family(this->other_host); |
348 | |
|
349 | 0 | this->fragment_size = lib->settings->get_int(lib->settings, |
350 | 0 | "%s.fragment_size_v%hhu", 0, lib->ns, (family == AF_INET ? 4 : 6)); |
351 | |
|
352 | 0 | if (!this->fragment_size) |
353 | 0 | { |
354 | 0 | this->fragment_size = lib->settings->get_int(lib->settings, |
355 | 0 | "%s.fragment_size", 1280, lib->ns); |
356 | 0 | } |
357 | |
|
358 | 0 | if (!this->fragment_size) |
359 | 0 | { |
360 | 0 | this->fragment_size = (family == AF_INET) ? 576 : 1280; |
361 | 0 | } |
362 | 0 | } |
363 | | |
364 | | /** |
365 | | * get the time of the latest traffic processed by the kernel |
366 | | */ |
367 | | static time_t get_use_time(private_ike_sa_t* this, bool inbound) |
368 | 0 | { |
369 | 0 | enumerator_t *enumerator; |
370 | 0 | child_sa_t *child_sa; |
371 | 0 | time_t use_time, current; |
372 | |
|
373 | 0 | if (inbound) |
374 | 0 | { |
375 | 0 | use_time = this->stats[STAT_INBOUND]; |
376 | 0 | } |
377 | 0 | else |
378 | 0 | { |
379 | 0 | use_time = this->stats[STAT_OUTBOUND]; |
380 | 0 | } |
381 | | |
382 | | /* only consider IPsec traffic if we use UDP-encapsulation and they take |
383 | | * the same path */ |
384 | 0 | if (this->public.has_condition(&this->public, COND_NAT_ANY)) |
385 | 0 | { |
386 | 0 | enumerator = array_create_enumerator(this->child_sas); |
387 | 0 | while (enumerator->enumerate(enumerator, &child_sa)) |
388 | 0 | { |
389 | 0 | child_sa->get_usestats(child_sa, inbound, ¤t, NULL, NULL); |
390 | 0 | use_time = max(use_time, current); |
391 | 0 | } |
392 | 0 | enumerator->destroy(enumerator); |
393 | 0 | } |
394 | 0 | return use_time; |
395 | 0 | } |
396 | | |
397 | | METHOD(ike_sa_t, get_unique_id, uint32_t, |
398 | | private_ike_sa_t *this) |
399 | 0 | { |
400 | 0 | return this->unique_id; |
401 | 0 | } |
402 | | |
403 | | METHOD(ike_sa_t, get_name, char*, |
404 | | private_ike_sa_t *this) |
405 | 0 | { |
406 | 0 | if (this->peer_cfg) |
407 | 0 | { |
408 | 0 | return this->peer_cfg->get_name(this->peer_cfg); |
409 | 0 | } |
410 | 0 | return "(unnamed)"; |
411 | 0 | } |
412 | | |
413 | | METHOD(ike_sa_t, get_statistic, uint32_t, |
414 | | private_ike_sa_t *this, statistic_t kind) |
415 | 0 | { |
416 | 0 | if (kind < STAT_MAX) |
417 | 0 | { |
418 | 0 | return this->stats[kind]; |
419 | 0 | } |
420 | 0 | return 0; |
421 | 0 | } |
422 | | |
423 | | METHOD(ike_sa_t, set_statistic, void, |
424 | | private_ike_sa_t *this, statistic_t kind, uint32_t value) |
425 | 0 | { |
426 | 0 | if (kind < STAT_MAX) |
427 | 0 | { |
428 | 0 | this->stats[kind] = value; |
429 | 0 | } |
430 | 0 | } |
431 | | |
432 | | METHOD(ike_sa_t, get_my_host, host_t*, |
433 | | private_ike_sa_t *this) |
434 | 0 | { |
435 | 0 | return this->my_host; |
436 | 0 | } |
437 | | |
438 | | METHOD(ike_sa_t, set_my_host, void, |
439 | | private_ike_sa_t *this, host_t *me) |
440 | 0 | { |
441 | 0 | DESTROY_IF(this->my_host); |
442 | 0 | this->my_host = me; |
443 | 0 | } |
444 | | |
445 | | METHOD(ike_sa_t, get_other_host, host_t*, |
446 | | private_ike_sa_t *this) |
447 | 0 | { |
448 | 0 | return this->other_host; |
449 | 0 | } |
450 | | |
451 | | METHOD(ike_sa_t, set_other_host, void, |
452 | | private_ike_sa_t *this, host_t *other) |
453 | 0 | { |
454 | 0 | DESTROY_IF(this->other_host); |
455 | 0 | this->other_host = other; |
456 | 0 | determine_fragment_size(this); |
457 | 0 | } |
458 | | |
459 | | METHOD(ike_sa_t, get_redirected_from, host_t*, |
460 | | private_ike_sa_t *this) |
461 | 0 | { |
462 | 0 | return this->redirected_from; |
463 | 0 | } |
464 | | |
465 | | METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*, |
466 | | private_ike_sa_t *this) |
467 | 0 | { |
468 | 0 | return this->peer_cfg; |
469 | 0 | } |
470 | | |
471 | | METHOD(ike_sa_t, set_peer_cfg, void, |
472 | | private_ike_sa_t *this, peer_cfg_t *peer_cfg) |
473 | 0 | { |
474 | 0 | peer_cfg->get_ref(peer_cfg); |
475 | 0 | DESTROY_IF(this->peer_cfg); |
476 | 0 | this->peer_cfg = peer_cfg; |
477 | |
|
478 | 0 | DESTROY_IF(this->ike_cfg); |
479 | 0 | this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg); |
480 | 0 | this->ike_cfg->get_ref(this->ike_cfg); |
481 | |
|
482 | 0 | this->if_id_in = peer_cfg->get_if_id(peer_cfg, TRUE); |
483 | 0 | this->if_id_out = peer_cfg->get_if_id(peer_cfg, FALSE); |
484 | 0 | allocate_unique_if_ids(&this->if_id_in, &this->if_id_out); |
485 | 0 | } |
486 | | |
487 | | METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*, |
488 | | private_ike_sa_t *this, bool local) |
489 | 0 | { |
490 | 0 | if (local) |
491 | 0 | { |
492 | 0 | return this->my_auth; |
493 | 0 | } |
494 | 0 | return this->other_auth; |
495 | 0 | } |
496 | | |
497 | | METHOD(ike_sa_t, add_auth_cfg, void, |
498 | | private_ike_sa_t *this, bool local, auth_cfg_t *cfg) |
499 | 0 | { |
500 | 0 | if (local) |
501 | 0 | { |
502 | 0 | array_insert(this->my_auths, ARRAY_TAIL, cfg); |
503 | 0 | } |
504 | 0 | else |
505 | 0 | { |
506 | 0 | array_insert(this->other_auths, ARRAY_TAIL, cfg); |
507 | 0 | } |
508 | 0 | } |
509 | | |
510 | | METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*, |
511 | | private_ike_sa_t *this, bool local) |
512 | 0 | { |
513 | 0 | if (local) |
514 | 0 | { |
515 | 0 | return array_create_enumerator(this->my_auths); |
516 | 0 | } |
517 | 0 | return array_create_enumerator(this->other_auths); |
518 | 0 | } |
519 | | |
520 | | /** |
521 | | * Flush the stored authentication round information |
522 | | */ |
523 | | static void flush_auth_cfgs(private_ike_sa_t *this) |
524 | 0 | { |
525 | 0 | auth_cfg_t *cfg; |
526 | |
|
527 | 0 | this->my_auth->purge(this->my_auth, FALSE); |
528 | 0 | this->other_auth->purge(this->other_auth, FALSE); |
529 | |
|
530 | 0 | while (array_remove(this->my_auths, ARRAY_TAIL, &cfg)) |
531 | 0 | { |
532 | 0 | cfg->destroy(cfg); |
533 | 0 | } |
534 | 0 | while (array_remove(this->other_auths, ARRAY_TAIL, &cfg)) |
535 | 0 | { |
536 | 0 | cfg->destroy(cfg); |
537 | 0 | } |
538 | 0 | } |
539 | | |
540 | | METHOD(ike_sa_t, verify_peer_certificate, bool, |
541 | | private_ike_sa_t *this) |
542 | 0 | { |
543 | 0 | enumerator_t *e1, *e2, *certs; |
544 | 0 | auth_cfg_t *cfg, *cfg_done; |
545 | 0 | certificate_t *peer, *cert; |
546 | 0 | public_key_t *key; |
547 | 0 | auth_cfg_t *auth; |
548 | 0 | auth_cfg_wrapper_t *wrapper; |
549 | 0 | time_t not_before, not_after; |
550 | 0 | bool valid = TRUE, found; |
551 | |
|
552 | 0 | if (this->state != IKE_ESTABLISHED) |
553 | 0 | { |
554 | 0 | DBG1(DBG_IKE, "unable to verify peer certificate in state %N", |
555 | 0 | ike_sa_state_names, this->state); |
556 | 0 | return FALSE; |
557 | 0 | } |
558 | | |
559 | 0 | if (!this->flush_auth_cfg && |
560 | 0 | lib->settings->get_bool(lib->settings, |
561 | 0 | "%s.flush_auth_cfg", FALSE, lib->ns)) |
562 | 0 | { /* we can do this check only once if auth configs are flushed */ |
563 | 0 | DBG1(DBG_IKE, "unable to verify peer certificate as authentication " |
564 | 0 | "information has been flushed"); |
565 | 0 | return FALSE; |
566 | 0 | } |
567 | 0 | this->public.set_condition(&this->public, COND_ONLINE_VALIDATION_SUSPENDED, |
568 | 0 | FALSE); |
569 | |
|
570 | 0 | e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE); |
571 | 0 | e2 = array_create_enumerator(this->other_auths); |
572 | 0 | while (e1->enumerate(e1, &cfg)) |
573 | 0 | { |
574 | 0 | if (!e2->enumerate(e2, &cfg_done)) |
575 | 0 | { /* this should not happen as the authentication should never have |
576 | | * succeeded */ |
577 | 0 | valid = FALSE; |
578 | 0 | break; |
579 | 0 | } |
580 | 0 | if ((uintptr_t)cfg_done->get(cfg_done, |
581 | 0 | AUTH_RULE_AUTH_CLASS) != AUTH_CLASS_PUBKEY) |
582 | 0 | { |
583 | 0 | continue; |
584 | 0 | } |
585 | 0 | peer = cfg_done->get(cfg_done, AUTH_RULE_SUBJECT_CERT); |
586 | 0 | if (!peer) |
587 | 0 | { |
588 | 0 | DBG1(DBG_IKE, "no subject certificate found, skipping certificate " |
589 | 0 | "verification"); |
590 | 0 | continue; |
591 | 0 | } |
592 | 0 | if (!peer->get_validity(peer, NULL, ¬_before, ¬_after)) |
593 | 0 | { |
594 | 0 | DBG1(DBG_IKE, "peer certificate invalid (valid from %T to %T)", |
595 | 0 | ¬_before, FALSE, ¬_after, FALSE); |
596 | 0 | valid = FALSE; |
597 | 0 | break; |
598 | 0 | } |
599 | 0 | key = peer->get_public_key(peer); |
600 | 0 | if (!key) |
601 | 0 | { |
602 | 0 | DBG1(DBG_IKE, "unable to retrieve public key, skipping certificate " |
603 | 0 | "verification"); |
604 | 0 | continue; |
605 | 0 | } |
606 | 0 | DBG1(DBG_IKE, "verifying peer certificate"); |
607 | | /* serve received certificates */ |
608 | 0 | wrapper = auth_cfg_wrapper_create(cfg_done); |
609 | 0 | lib->credmgr->add_local_set(lib->credmgr, &wrapper->set, FALSE); |
610 | 0 | certs = lib->credmgr->create_trusted_enumerator(lib->credmgr, |
611 | 0 | key->get_type(key), peer->get_subject(peer), TRUE); |
612 | 0 | key->destroy(key); |
613 | |
|
614 | 0 | found = FALSE; |
615 | 0 | while (certs->enumerate(certs, &cert, &auth)) |
616 | 0 | { |
617 | 0 | if (peer->equals(peer, cert)) |
618 | 0 | { |
619 | 0 | cfg_done->add(cfg_done, AUTH_RULE_CERT_VALIDATION_SUSPENDED, |
620 | 0 | FALSE); |
621 | 0 | cfg_done->merge(cfg_done, auth, FALSE); |
622 | 0 | valid = cfg_done->complies(cfg_done, cfg, TRUE); |
623 | 0 | found = TRUE; |
624 | 0 | break; |
625 | 0 | } |
626 | 0 | } |
627 | 0 | certs->destroy(certs); |
628 | 0 | lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); |
629 | 0 | wrapper->destroy(wrapper); |
630 | 0 | if (!found || !valid) |
631 | 0 | { |
632 | 0 | valid = FALSE; |
633 | 0 | break; |
634 | 0 | } |
635 | 0 | } |
636 | 0 | e1->destroy(e1); |
637 | 0 | e2->destroy(e2); |
638 | |
|
639 | 0 | if (this->flush_auth_cfg) |
640 | 0 | { |
641 | 0 | this->flush_auth_cfg = FALSE; |
642 | 0 | flush_auth_cfgs(this); |
643 | 0 | } |
644 | 0 | return valid; |
645 | 0 | } |
646 | | |
647 | | METHOD(ike_sa_t, get_proposal, proposal_t*, |
648 | | private_ike_sa_t *this) |
649 | 0 | { |
650 | 0 | return this->proposal; |
651 | 0 | } |
652 | | |
653 | | METHOD(ike_sa_t, set_proposal, void, |
654 | | private_ike_sa_t *this, proposal_t *proposal) |
655 | 0 | { |
656 | 0 | DESTROY_IF(this->proposal); |
657 | 0 | this->proposal = proposal->clone(proposal, 0); |
658 | 0 | } |
659 | | |
660 | | METHOD(ike_sa_t, set_message_id, void, |
661 | | private_ike_sa_t *this, bool initiate, uint32_t mid) |
662 | 0 | { |
663 | 0 | if (initiate) |
664 | 0 | { |
665 | 0 | this->task_manager->reset(this->task_manager, mid, UINT_MAX); |
666 | 0 | } |
667 | 0 | else |
668 | 0 | { |
669 | 0 | this->task_manager->reset(this->task_manager, UINT_MAX, mid); |
670 | 0 | } |
671 | 0 | } |
672 | | |
673 | | METHOD(ike_sa_t, get_message_id, uint32_t, |
674 | | private_ike_sa_t *this, bool initiate) |
675 | 0 | { |
676 | 0 | return this->task_manager->get_mid(this->task_manager, initiate); |
677 | 0 | } |
678 | | |
679 | | /** |
680 | | * Set configured DSCP value on packet |
681 | | */ |
682 | | static void set_dscp(private_ike_sa_t *this, packet_t *packet) |
683 | 0 | { |
684 | 0 | if (this->ike_cfg) |
685 | 0 | { |
686 | 0 | packet->set_dscp(packet, this->ike_cfg->get_dscp(this->ike_cfg)); |
687 | 0 | } |
688 | 0 | } |
689 | | |
690 | | METHOD(ike_sa_t, send_keepalive, void, |
691 | | private_ike_sa_t *this, bool scheduled) |
692 | 0 | { |
693 | 0 | time_t last_out, now, diff; |
694 | |
|
695 | 0 | if (scheduled) |
696 | 0 | { |
697 | 0 | this->keepalive_job = NULL; |
698 | 0 | } |
699 | 0 | if (!this->keepalive_interval || this->state == IKE_PASSIVE) |
700 | 0 | { /* keepalives disabled either by configuration or for passive IKE_SAs */ |
701 | 0 | return; |
702 | 0 | } |
703 | 0 | if (!(this->conditions & COND_NAT_HERE) || (this->conditions & COND_STALE)) |
704 | 0 | { /* disable keepalives if we are not NATed anymore, or the SA is stale */ |
705 | 0 | return; |
706 | 0 | } |
707 | | |
708 | 0 | last_out = get_use_time(this, FALSE); |
709 | 0 | now = time_monotonic(NULL); |
710 | |
|
711 | 0 | diff = now - last_out; |
712 | |
|
713 | 0 | if (this->keepalive_dpd_margin && |
714 | 0 | diff > (this->keepalive_interval + this->keepalive_dpd_margin)) |
715 | 0 | { |
716 | 0 | if (!this->task_manager->busy(this->task_manager)) |
717 | 0 | { |
718 | 0 | DBG1(DBG_IKE, "sending DPD instead of keep alive %ds after last " |
719 | 0 | "outbound message", diff); |
720 | 0 | this->task_manager->queue_dpd(this->task_manager); |
721 | 0 | this->task_manager->initiate(this->task_manager); |
722 | 0 | } |
723 | 0 | diff = 0; |
724 | 0 | } |
725 | 0 | else if (diff >= this->keepalive_interval) |
726 | 0 | { |
727 | 0 | packet_t *packet; |
728 | 0 | chunk_t data; |
729 | |
|
730 | 0 | packet = packet_create(); |
731 | 0 | packet->set_source(packet, this->my_host->clone(this->my_host)); |
732 | 0 | packet->set_destination(packet, this->other_host->clone(this->other_host)); |
733 | 0 | set_dscp(this, packet); |
734 | 0 | data.ptr = malloc(1); |
735 | 0 | data.ptr[0] = 0xFF; |
736 | 0 | data.len = 1; |
737 | 0 | packet->set_data(packet, data); |
738 | 0 | DBG1(DBG_IKE, "sending keep alive to %#H", this->other_host); |
739 | 0 | charon->sender->send_no_marker(charon->sender, packet); |
740 | 0 | this->stats[STAT_OUTBOUND] = now; |
741 | 0 | diff = 0; |
742 | 0 | } |
743 | 0 | if (!this->keepalive_job) |
744 | 0 | { |
745 | 0 | this->keepalive_job = send_keepalive_job_create(this->ike_sa_id); |
746 | 0 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)this->keepalive_job, |
747 | 0 | this->keepalive_interval - diff); |
748 | 0 | } |
749 | 0 | } |
750 | | |
751 | | METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, |
752 | | private_ike_sa_t *this) |
753 | 0 | { |
754 | 0 | return this->ike_cfg; |
755 | 0 | } |
756 | | |
757 | | METHOD(ike_sa_t, set_ike_cfg, void, |
758 | | private_ike_sa_t *this, ike_cfg_t *ike_cfg) |
759 | 0 | { |
760 | 0 | DESTROY_IF(this->ike_cfg); |
761 | 0 | ike_cfg->get_ref(ike_cfg); |
762 | 0 | this->ike_cfg = ike_cfg; |
763 | 0 | } |
764 | | |
765 | | METHOD(ike_sa_t, enable_extension, void, |
766 | | private_ike_sa_t *this, ike_extension_t extension) |
767 | 0 | { |
768 | 0 | ike_extension_t *ptr; |
769 | 0 | ptr = (extension & EXT_PRIVATE_MARKER) ? &this->private_extensions |
770 | 0 | : &this->extensions; |
771 | 0 | *ptr |= (extension & ~EXT_PRIVATE_MARKER); |
772 | 0 | } |
773 | | |
774 | | METHOD(ike_sa_t, supports_extension, bool, |
775 | | private_ike_sa_t *this, ike_extension_t extension) |
776 | 0 | { |
777 | 0 | ike_extension_t *ptr; |
778 | 0 | ptr = (extension & EXT_PRIVATE_MARKER) ? &this->private_extensions |
779 | 0 | : &this->extensions; |
780 | 0 | return (*ptr & extension) != 0; |
781 | 0 | } |
782 | | |
783 | | METHOD(ike_sa_t, has_condition, bool, |
784 | | private_ike_sa_t *this, ike_condition_t condition) |
785 | 0 | { |
786 | 0 | ike_condition_t *ptr; |
787 | 0 | ptr = (condition & COND_PRIVATE_MARKER) ? &this->private_conditions |
788 | 0 | : &this->conditions; |
789 | 0 | return (*ptr & condition) != 0; |
790 | 0 | } |
791 | | |
792 | | METHOD(ike_sa_t, set_condition, void, |
793 | | private_ike_sa_t *this, ike_condition_t condition, bool enable) |
794 | 0 | { |
795 | 0 | ike_condition_t *ptr; |
796 | |
|
797 | 0 | if (has_condition(this, condition) != enable) |
798 | 0 | { |
799 | 0 | ptr = (condition & COND_PRIVATE_MARKER) ? &this->private_conditions |
800 | 0 | : &this->conditions; |
801 | 0 | if (enable) |
802 | 0 | { |
803 | 0 | *ptr |= (condition & ~COND_PRIVATE_MARKER); |
804 | 0 | switch (condition) |
805 | 0 | { |
806 | 0 | case COND_NAT_HERE: |
807 | 0 | DBG1(DBG_IKE, "local host is behind NAT, sending keep alives"); |
808 | 0 | this->conditions |= COND_NAT_ANY; |
809 | 0 | send_keepalive(this, FALSE); |
810 | 0 | break; |
811 | 0 | case COND_NAT_THERE: |
812 | 0 | DBG1(DBG_IKE, "remote host is behind NAT"); |
813 | 0 | this->conditions |= COND_NAT_ANY; |
814 | 0 | break; |
815 | 0 | case COND_NAT_FAKE: |
816 | 0 | DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation"); |
817 | 0 | this->conditions |= COND_NAT_ANY; |
818 | 0 | break; |
819 | 0 | default: |
820 | 0 | break; |
821 | 0 | } |
822 | 0 | } |
823 | 0 | else |
824 | 0 | { |
825 | 0 | *ptr &= ~(condition & ~COND_PRIVATE_MARKER); |
826 | 0 | switch (condition) |
827 | 0 | { |
828 | 0 | case COND_NAT_HERE: |
829 | 0 | case COND_NAT_THERE: |
830 | 0 | DBG1(DBG_IKE, "%s host is not behind NAT anymore", |
831 | 0 | condition == COND_NAT_HERE ? "local" : "remote"); |
832 | | /* fall-through */ |
833 | 0 | case COND_NAT_FAKE: |
834 | 0 | set_condition(this, COND_NAT_ANY, |
835 | 0 | has_condition(this, COND_NAT_HERE) || |
836 | 0 | has_condition(this, COND_NAT_THERE) || |
837 | 0 | has_condition(this, COND_NAT_FAKE)); |
838 | 0 | break; |
839 | 0 | case COND_STALE: |
840 | 0 | send_keepalive(this, FALSE); |
841 | 0 | break; |
842 | 0 | default: |
843 | 0 | break; |
844 | 0 | } |
845 | 0 | } |
846 | 0 | } |
847 | 0 | } |
848 | | |
849 | | METHOD(ike_sa_t, send_dpd, status_t, |
850 | | private_ike_sa_t *this) |
851 | 0 | { |
852 | 0 | job_t *job; |
853 | 0 | time_t diff, delay; |
854 | 0 | bool task_queued = FALSE; |
855 | |
|
856 | 0 | if (this->state == IKE_PASSIVE) |
857 | 0 | { |
858 | 0 | return INVALID_STATE; |
859 | 0 | } |
860 | 0 | if (this->version == IKEV1 && this->state == IKE_REKEYING) |
861 | 0 | { /* don't send DPDs for rekeyed IKEv1 SAs */ |
862 | 0 | return SUCCESS; |
863 | 0 | } |
864 | 0 | delay = this->peer_cfg->get_dpd(this->peer_cfg); |
865 | 0 | if (this->task_manager->busy(this->task_manager)) |
866 | 0 | { |
867 | | /* an exchange is in the air, no need to start a DPD check */ |
868 | 0 | diff = 0; |
869 | 0 | } |
870 | 0 | else |
871 | 0 | { |
872 | | /* check if there was any inbound traffic */ |
873 | 0 | time_t last_in, now; |
874 | 0 | last_in = get_use_time(this, TRUE); |
875 | 0 | now = time_monotonic(NULL); |
876 | 0 | diff = now - last_in; |
877 | 0 | if (!delay || diff >= delay) |
878 | 0 | { |
879 | | /* too long ago, initiate dead peer detection */ |
880 | 0 | DBG1(DBG_IKE, "sending DPD request"); |
881 | 0 | this->task_manager->queue_dpd(this->task_manager); |
882 | 0 | task_queued = TRUE; |
883 | 0 | diff = 0; |
884 | 0 | } |
885 | 0 | } |
886 | | /* recheck in "interval" seconds */ |
887 | 0 | if (delay) |
888 | 0 | { |
889 | 0 | job = (job_t*)send_dpd_job_create(this->ike_sa_id); |
890 | 0 | lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); |
891 | 0 | } |
892 | 0 | if (task_queued) |
893 | 0 | { |
894 | 0 | return this->task_manager->initiate(this->task_manager); |
895 | 0 | } |
896 | 0 | return SUCCESS; |
897 | 0 | } |
898 | | |
899 | | METHOD(ike_sa_t, get_state, ike_sa_state_t, |
900 | | private_ike_sa_t *this) |
901 | 0 | { |
902 | 0 | return this->state; |
903 | 0 | } |
904 | | |
905 | | METHOD(ike_sa_t, set_state, void, |
906 | | private_ike_sa_t *this, ike_sa_state_t state) |
907 | 0 | { |
908 | 0 | bool trigger_dpd = FALSE, keepalives = FALSE; |
909 | |
|
910 | 0 | DBG2(DBG_IKE, "IKE_SA %s[%u] state change: %N => %N", |
911 | 0 | get_name(this), this->unique_id, |
912 | 0 | ike_sa_state_names, this->state, |
913 | 0 | ike_sa_state_names, state); |
914 | |
|
915 | 0 | switch (state) |
916 | 0 | { |
917 | 0 | case IKE_ESTABLISHED: |
918 | 0 | { |
919 | 0 | if (this->state == IKE_CONNECTING || |
920 | 0 | this->state == IKE_PASSIVE) |
921 | 0 | { |
922 | 0 | job_t *job; |
923 | 0 | uint32_t t; |
924 | | |
925 | | /* calculate rekey, reauth and lifetime */ |
926 | 0 | this->stats[STAT_ESTABLISHED] = time_monotonic(NULL); |
927 | | |
928 | | /* schedule rekeying if we have a time which is smaller than |
929 | | * an already scheduled rekeying */ |
930 | 0 | t = this->peer_cfg->get_rekey_time(this->peer_cfg, TRUE); |
931 | 0 | if (t && (this->stats[STAT_REKEY] == 0 || |
932 | 0 | (this->stats[STAT_REKEY] > t + this->stats[STAT_ESTABLISHED]))) |
933 | 0 | { |
934 | 0 | this->stats[STAT_REKEY] = t + this->stats[STAT_ESTABLISHED]; |
935 | 0 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE); |
936 | 0 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
937 | 0 | DBG1(DBG_IKE, "scheduling rekeying in %ds", t); |
938 | 0 | } |
939 | 0 | t = this->peer_cfg->get_reauth_time(this->peer_cfg, TRUE); |
940 | 0 | if (t && (this->stats[STAT_REAUTH] == 0 || |
941 | 0 | (this->stats[STAT_REAUTH] > t + this->stats[STAT_ESTABLISHED]))) |
942 | 0 | { |
943 | 0 | this->stats[STAT_REAUTH] = t + this->stats[STAT_ESTABLISHED]; |
944 | 0 | job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE); |
945 | 0 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
946 | 0 | DBG1(DBG_IKE, "scheduling reauthentication in %ds", t); |
947 | 0 | } |
948 | 0 | else if (this->stats[STAT_REAUTH]) |
949 | 0 | { |
950 | 0 | t = this->stats[STAT_REAUTH] - this->stats[STAT_ESTABLISHED]; |
951 | 0 | DBG1(DBG_IKE, "reauthentication already scheduled in %ds", t); |
952 | 0 | } |
953 | 0 | t = this->peer_cfg->get_over_time(this->peer_cfg); |
954 | 0 | if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH]) |
955 | 0 | { |
956 | 0 | if (this->stats[STAT_REAUTH] == 0) |
957 | 0 | { |
958 | 0 | this->stats[STAT_DELETE] = this->stats[STAT_REKEY]; |
959 | 0 | } |
960 | 0 | else if (this->stats[STAT_REKEY] == 0) |
961 | 0 | { |
962 | 0 | this->stats[STAT_DELETE] = this->stats[STAT_REAUTH]; |
963 | 0 | } |
964 | 0 | else |
965 | 0 | { |
966 | 0 | this->stats[STAT_DELETE] = min(this->stats[STAT_REKEY], |
967 | 0 | this->stats[STAT_REAUTH]); |
968 | 0 | } |
969 | 0 | this->stats[STAT_DELETE] += t; |
970 | 0 | t = this->stats[STAT_DELETE] - this->stats[STAT_ESTABLISHED]; |
971 | 0 | job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE); |
972 | 0 | lib->scheduler->schedule_job(lib->scheduler, job, t); |
973 | 0 | DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", t); |
974 | 0 | } |
975 | 0 | trigger_dpd = this->peer_cfg->get_dpd(this->peer_cfg); |
976 | 0 | if (trigger_dpd) |
977 | 0 | { |
978 | | /* Some peers delay the DELETE after rekeying an IKE_SA. |
979 | | * If this delay is longer than our DPD delay, we would |
980 | | * send a DPD request here. The IKE_SA is not ready to do |
981 | | * so yet, so prevent that. */ |
982 | 0 | this->stats[STAT_INBOUND] = this->stats[STAT_ESTABLISHED]; |
983 | 0 | } |
984 | 0 | if (this->state == IKE_PASSIVE) |
985 | 0 | { |
986 | 0 | keepalives = TRUE; |
987 | 0 | } |
988 | 0 | DESTROY_IF(this->redirected_from); |
989 | 0 | this->redirected_from = NULL; |
990 | 0 | } |
991 | 0 | break; |
992 | 0 | } |
993 | 0 | default: |
994 | 0 | break; |
995 | 0 | } |
996 | 0 | charon->bus->ike_state_change(charon->bus, &this->public, state); |
997 | 0 | this->state = state; |
998 | |
|
999 | 0 | if (trigger_dpd) |
1000 | 0 | { |
1001 | 0 | if (supports_extension(this, EXT_DPD)) |
1002 | 0 | { |
1003 | 0 | send_dpd(this); |
1004 | 0 | } |
1005 | 0 | else |
1006 | 0 | { |
1007 | 0 | DBG1(DBG_IKE, "DPD not supported by peer, disabled"); |
1008 | 0 | } |
1009 | 0 | } |
1010 | 0 | if (keepalives) |
1011 | 0 | { |
1012 | 0 | send_keepalive(this, FALSE); |
1013 | 0 | } |
1014 | 0 | } |
1015 | | |
1016 | | METHOD(ike_sa_t, reset, void, |
1017 | | private_ike_sa_t *this, bool new_spi) |
1018 | 0 | { |
1019 | | /* reset the initiator SPI if requested */ |
1020 | 0 | if (new_spi) |
1021 | 0 | { |
1022 | 0 | charon->ike_sa_manager->new_initiator_spi(charon->ike_sa_manager, |
1023 | 0 | &this->public); |
1024 | | |
1025 | | /* when starting from scratch, connect to the original peer again e.g. |
1026 | | * if we got redirected but weren't able to connect successfully */ |
1027 | 0 | if (this->redirected_from) |
1028 | 0 | { |
1029 | 0 | this->redirected_from->destroy(this->redirected_from); |
1030 | 0 | this->redirected_from = NULL; |
1031 | | /* we can't restore the original value, if there was any */ |
1032 | 0 | DESTROY_IF(this->remote_host); |
1033 | 0 | this->remote_host = NULL; |
1034 | 0 | } |
1035 | 0 | } |
1036 | | /* the responder ID is reset, as peer may choose another one */ |
1037 | 0 | if (this->ike_sa_id->is_initiator(this->ike_sa_id)) |
1038 | 0 | { |
1039 | 0 | this->ike_sa_id->set_responder_spi(this->ike_sa_id, 0); |
1040 | 0 | } |
1041 | |
|
1042 | 0 | set_state(this, IKE_CREATED); |
1043 | |
|
1044 | 0 | flush_auth_cfgs(this); |
1045 | |
|
1046 | 0 | this->keymat->destroy(this->keymat); |
1047 | 0 | this->keymat = keymat_create(this->version, |
1048 | 0 | this->ike_sa_id->is_initiator(this->ike_sa_id)); |
1049 | |
|
1050 | 0 | this->task_manager->reset(this->task_manager, 0, 0); |
1051 | 0 | this->task_manager->queue_ike(this->task_manager); |
1052 | 0 | } |
1053 | | |
1054 | | METHOD(ike_sa_t, get_keymat, keymat_t*, |
1055 | | private_ike_sa_t *this) |
1056 | 0 | { |
1057 | 0 | return this->keymat; |
1058 | 0 | } |
1059 | | |
1060 | | METHOD(ike_sa_t, add_virtual_ip, void, |
1061 | | private_ike_sa_t *this, bool local, host_t *ip) |
1062 | 0 | { |
1063 | 0 | if (local) |
1064 | 0 | { |
1065 | 0 | char *iface; |
1066 | |
|
1067 | 0 | if (charon->kernel->get_interface(charon->kernel, this->my_host, |
1068 | 0 | &iface)) |
1069 | 0 | { |
1070 | 0 | DBG1(DBG_IKE, "installing new virtual IP %H", ip); |
1071 | 0 | if (charon->kernel->add_ip(charon->kernel, ip, -1, |
1072 | 0 | iface) == SUCCESS) |
1073 | 0 | { |
1074 | 0 | array_insert_create(&this->my_vips, ARRAY_TAIL, ip->clone(ip)); |
1075 | 0 | } |
1076 | 0 | else |
1077 | 0 | { |
1078 | 0 | DBG1(DBG_IKE, "installing virtual IP %H failed", ip); |
1079 | 0 | } |
1080 | 0 | free(iface); |
1081 | 0 | } |
1082 | 0 | else |
1083 | 0 | { |
1084 | 0 | DBG1(DBG_IKE, "looking up interface for virtual IP %H failed", ip); |
1085 | 0 | } |
1086 | 0 | } |
1087 | 0 | else |
1088 | 0 | { |
1089 | 0 | array_insert_create(&this->other_vips, ARRAY_TAIL, ip->clone(ip)); |
1090 | 0 | } |
1091 | 0 | } |
1092 | | |
1093 | | |
1094 | | METHOD(ike_sa_t, clear_virtual_ips, void, |
1095 | | private_ike_sa_t *this, bool local) |
1096 | 0 | { |
1097 | 0 | array_t *vips; |
1098 | 0 | host_t *vip; |
1099 | |
|
1100 | 0 | vips = local ? this->my_vips : this->other_vips; |
1101 | 0 | if (!local && array_count(vips)) |
1102 | 0 | { |
1103 | 0 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); |
1104 | 0 | } |
1105 | 0 | while (array_remove(vips, ARRAY_HEAD, &vip)) |
1106 | 0 | { |
1107 | 0 | if (local) |
1108 | 0 | { |
1109 | 0 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
1110 | 0 | } |
1111 | 0 | vip->destroy(vip); |
1112 | 0 | } |
1113 | 0 | } |
1114 | | |
1115 | | METHOD(ike_sa_t, create_virtual_ip_enumerator, enumerator_t*, |
1116 | | private_ike_sa_t *this, bool local) |
1117 | 0 | { |
1118 | 0 | if (local) |
1119 | 0 | { |
1120 | 0 | return array_create_enumerator(this->my_vips); |
1121 | 0 | } |
1122 | 0 | return array_create_enumerator(this->other_vips); |
1123 | 0 | } |
1124 | | |
1125 | | METHOD(ike_sa_t, add_peer_address, void, |
1126 | | private_ike_sa_t *this, host_t *host) |
1127 | 0 | { |
1128 | 0 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, host); |
1129 | 0 | } |
1130 | | |
1131 | | METHOD(ike_sa_t, create_peer_address_enumerator, enumerator_t*, |
1132 | | private_ike_sa_t *this) |
1133 | 0 | { |
1134 | 0 | if (this->peer_addresses) |
1135 | 0 | { |
1136 | 0 | return array_create_enumerator(this->peer_addresses); |
1137 | 0 | } |
1138 | | /* in case we don't have MOBIKE */ |
1139 | 0 | return enumerator_create_single(this->other_host, NULL); |
1140 | 0 | } |
1141 | | |
1142 | | METHOD(ike_sa_t, clear_peer_addresses, void, |
1143 | | private_ike_sa_t *this) |
1144 | 0 | { |
1145 | 0 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); |
1146 | 0 | this->peer_addresses = NULL; |
1147 | 0 | } |
1148 | | |
1149 | | METHOD(ike_sa_t, has_mapping_changed, bool, |
1150 | | private_ike_sa_t *this, chunk_t hash) |
1151 | 0 | { |
1152 | 0 | if (this->nat_detection_dest.ptr == NULL) |
1153 | 0 | { |
1154 | 0 | this->nat_detection_dest = chunk_clone(hash); |
1155 | 0 | return FALSE; |
1156 | 0 | } |
1157 | 0 | if (chunk_equals(hash, this->nat_detection_dest)) |
1158 | 0 | { |
1159 | 0 | return FALSE; |
1160 | 0 | } |
1161 | 0 | free(this->nat_detection_dest.ptr); |
1162 | 0 | this->nat_detection_dest = chunk_clone(hash); |
1163 | 0 | return TRUE; |
1164 | 0 | } |
1165 | | |
1166 | | METHOD(ike_sa_t, float_ports, void, |
1167 | | private_ike_sa_t *this) |
1168 | 0 | { |
1169 | | /* even if the remote port is not 500 (e.g. because the response was natted) |
1170 | | * we switch the remote port if we used port 500 */ |
1171 | 0 | if (this->other_host->get_port(this->other_host) == IKEV2_UDP_PORT || |
1172 | 0 | this->my_host->get_port(this->my_host) == IKEV2_UDP_PORT) |
1173 | 0 | { |
1174 | 0 | this->other_host->set_port(this->other_host, IKEV2_NATT_PORT); |
1175 | 0 | } |
1176 | 0 | if (this->my_host->get_port(this->my_host) == |
1177 | 0 | charon->socket->get_port(charon->socket, FALSE)) |
1178 | 0 | { |
1179 | 0 | this->my_host->set_port(this->my_host, |
1180 | 0 | charon->socket->get_port(charon->socket, TRUE)); |
1181 | 0 | } |
1182 | 0 | } |
1183 | | |
1184 | | METHOD(ike_sa_t, update_hosts, void, |
1185 | | private_ike_sa_t *this, host_t *me, host_t *other, update_hosts_flag_t flags) |
1186 | 0 | { |
1187 | 0 | host_t *new_me = NULL, *new_other = NULL; |
1188 | 0 | bool silent = FALSE; |
1189 | |
|
1190 | 0 | if (me == NULL) |
1191 | 0 | { |
1192 | 0 | me = this->my_host; |
1193 | 0 | } |
1194 | 0 | if (other == NULL) |
1195 | 0 | { |
1196 | 0 | other = this->other_host; |
1197 | 0 | } |
1198 | | |
1199 | | /* apply hosts on first received message */ |
1200 | 0 | if (this->my_host->is_anyaddr(this->my_host) || |
1201 | 0 | this->other_host->is_anyaddr(this->other_host)) |
1202 | 0 | { |
1203 | 0 | new_me = me; |
1204 | 0 | new_other = other; |
1205 | 0 | silent = TRUE; |
1206 | 0 | } |
1207 | 0 | else |
1208 | 0 | { |
1209 | | /* update our address only if forced */ |
1210 | 0 | if ((flags & UPDATE_HOSTS_FORCE_LOCAL) && !me->equals(me, this->my_host)) |
1211 | 0 | { |
1212 | 0 | new_me = me; |
1213 | 0 | } |
1214 | |
|
1215 | 0 | if (!other->equals(other, this->other_host) && |
1216 | 0 | ((flags & UPDATE_HOSTS_FORCE_REMOTE) || has_condition(this, COND_NAT_THERE))) |
1217 | 0 | { |
1218 | | /* only update other's address if we are behind a static NAT, |
1219 | | * which we assume is the case if we are not initiator */ |
1220 | 0 | if ((flags & UPDATE_HOSTS_FORCE_REMOTE) || |
1221 | 0 | (!has_condition(this, COND_NAT_HERE) || |
1222 | 0 | !has_condition(this, COND_ORIGINAL_INITIATOR))) |
1223 | 0 | { |
1224 | 0 | new_other = other; |
1225 | 0 | } |
1226 | 0 | } |
1227 | 0 | } |
1228 | |
|
1229 | 0 | if (new_me || new_other || (flags & UPDATE_HOSTS_FORCE_CHILDREN)) |
1230 | 0 | { |
1231 | 0 | enumerator_t *enumerator; |
1232 | 0 | child_sa_t *child_sa; |
1233 | 0 | linked_list_t *vips; |
1234 | |
|
1235 | 0 | if ((new_me || new_other) && !silent) |
1236 | 0 | { |
1237 | 0 | charon->bus->ike_update(charon->bus, &this->public, |
1238 | 0 | new_me ?: this->my_host, |
1239 | 0 | new_other ?: this->other_host); |
1240 | 0 | } |
1241 | 0 | if (new_me) |
1242 | 0 | { |
1243 | 0 | if (this->state == IKE_ESTABLISHED) |
1244 | 0 | { |
1245 | 0 | DBG1(DBG_IKE, "local endpoint changed from %#H to %#H", |
1246 | 0 | this->my_host, new_me); |
1247 | 0 | } |
1248 | 0 | else |
1249 | 0 | { |
1250 | 0 | DBG2(DBG_IKE, "local endpoint changed from %#H to %#H", |
1251 | 0 | this->my_host, new_me); |
1252 | 0 | } |
1253 | 0 | set_my_host(this, new_me->clone(new_me)); |
1254 | 0 | } |
1255 | 0 | if (new_other) |
1256 | 0 | { |
1257 | 0 | if (this->state == IKE_ESTABLISHED) |
1258 | 0 | { |
1259 | 0 | DBG1(DBG_IKE, "remote endpoint changed from %#H to %#H", |
1260 | 0 | this->other_host, new_other); |
1261 | 0 | } |
1262 | 0 | else |
1263 | 0 | { |
1264 | 0 | DBG2(DBG_IKE, "remote endpoint changed from %#H to %#H", |
1265 | 0 | this->other_host, new_other); |
1266 | 0 | } |
1267 | 0 | set_other_host(this, new_other->clone(new_other)); |
1268 | 0 | } |
1269 | |
|
1270 | 0 | vips = linked_list_create_from_enumerator( |
1271 | 0 | array_create_enumerator(this->my_vips)); |
1272 | |
|
1273 | 0 | enumerator = array_create_enumerator(this->child_sas); |
1274 | 0 | while (enumerator->enumerate(enumerator, &child_sa)) |
1275 | 0 | { |
1276 | 0 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
1277 | 0 | charon->child_sa_manager->add(charon->child_sa_manager, |
1278 | 0 | child_sa, &this->public); |
1279 | |
|
1280 | 0 | if (child_sa->update(child_sa, this->my_host, this->other_host, |
1281 | 0 | vips, has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED) |
1282 | 0 | { |
1283 | 0 | this->public.rekey_child_sa(&this->public, |
1284 | 0 | child_sa->get_protocol(child_sa), |
1285 | 0 | child_sa->get_spi(child_sa, TRUE)); |
1286 | 0 | } |
1287 | |
|
1288 | 0 | } |
1289 | 0 | enumerator->destroy(enumerator); |
1290 | |
|
1291 | 0 | vips->destroy(vips); |
1292 | 0 | } |
1293 | 0 | } |
1294 | | |
1295 | | METHOD(ike_sa_t, generate_message, status_t, |
1296 | | private_ike_sa_t *this, message_t *message, packet_t **packet) |
1297 | 0 | { |
1298 | 0 | status_t status; |
1299 | |
|
1300 | 0 | if (message->is_encoded(message)) |
1301 | 0 | { /* already encoded in task, but set DSCP value */ |
1302 | 0 | *packet = message->get_packet(message); |
1303 | 0 | set_dscp(this, *packet); |
1304 | 0 | return SUCCESS; |
1305 | 0 | } |
1306 | 0 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
1307 | 0 | message->set_ike_sa_id(message, this->ike_sa_id); |
1308 | 0 | charon->bus->message(charon->bus, message, FALSE, TRUE); |
1309 | 0 | status = message->generate(message, this->keymat, packet); |
1310 | 0 | if (status == SUCCESS) |
1311 | 0 | { |
1312 | 0 | set_dscp(this, *packet); |
1313 | 0 | charon->bus->message(charon->bus, message, FALSE, FALSE); |
1314 | 0 | } |
1315 | 0 | return status; |
1316 | 0 | } |
1317 | | |
1318 | | CALLBACK(filter_fragments, bool, |
1319 | | private_ike_sa_t *this, enumerator_t *orig, va_list args) |
1320 | 0 | { |
1321 | 0 | packet_t *fragment, **packet; |
1322 | |
|
1323 | 0 | VA_ARGS_VGET(args, packet); |
1324 | |
|
1325 | 0 | if (orig->enumerate(orig, &fragment)) |
1326 | 0 | { |
1327 | 0 | *packet = fragment->clone(fragment); |
1328 | 0 | set_dscp(this, *packet); |
1329 | 0 | return TRUE; |
1330 | 0 | } |
1331 | 0 | return FALSE; |
1332 | 0 | } |
1333 | | |
1334 | | METHOD(ike_sa_t, generate_message_fragmented, status_t, |
1335 | | private_ike_sa_t *this, message_t *message, enumerator_t **packets) |
1336 | 0 | { |
1337 | 0 | enumerator_t *fragments; |
1338 | 0 | packet_t *packet; |
1339 | 0 | status_t status; |
1340 | 0 | bool use_frags = FALSE; |
1341 | 0 | bool pre_generated = FALSE; |
1342 | |
|
1343 | 0 | if (this->ike_cfg) |
1344 | 0 | { |
1345 | 0 | switch (this->ike_cfg->fragmentation(this->ike_cfg)) |
1346 | 0 | { |
1347 | 0 | case FRAGMENTATION_FORCE: |
1348 | 0 | use_frags = TRUE; |
1349 | 0 | break; |
1350 | 0 | case FRAGMENTATION_YES: |
1351 | 0 | use_frags = supports_extension(this, EXT_IKE_FRAGMENTATION); |
1352 | 0 | if (use_frags && this->version == IKEV1 && |
1353 | 0 | supports_extension(this, EXT_MS_WINDOWS)) |
1354 | 0 | { |
1355 | | /* It seems Windows 7 and 8 peers only accept proprietary |
1356 | | * fragmented messages if they expect certificates. */ |
1357 | 0 | use_frags = message->get_payload(message, |
1358 | 0 | PLV1_CERTIFICATE) != NULL; |
1359 | 0 | } |
1360 | 0 | break; |
1361 | 0 | default: |
1362 | 0 | break; |
1363 | 0 | } |
1364 | 0 | } |
1365 | 0 | if (!use_frags) |
1366 | 0 | { |
1367 | 0 | status = generate_message(this, message, &packet); |
1368 | 0 | if (status != SUCCESS) |
1369 | 0 | { |
1370 | 0 | return status; |
1371 | 0 | } |
1372 | 0 | *packets = enumerator_create_single(packet, NULL); |
1373 | 0 | return SUCCESS; |
1374 | 0 | } |
1375 | | |
1376 | 0 | pre_generated = message->is_encoded(message); |
1377 | 0 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
1378 | 0 | message->set_ike_sa_id(message, this->ike_sa_id); |
1379 | 0 | if (!pre_generated) |
1380 | 0 | { |
1381 | 0 | charon->bus->message(charon->bus, message, FALSE, TRUE); |
1382 | 0 | } |
1383 | 0 | status = message->fragment(message, this->keymat, this->fragment_size, |
1384 | 0 | &fragments); |
1385 | 0 | if (status == SUCCESS) |
1386 | 0 | { |
1387 | 0 | if (!pre_generated) |
1388 | 0 | { |
1389 | 0 | charon->bus->message(charon->bus, message, FALSE, FALSE); |
1390 | 0 | } |
1391 | 0 | *packets = enumerator_create_filter(fragments, filter_fragments, |
1392 | 0 | this, NULL); |
1393 | 0 | } |
1394 | 0 | return status; |
1395 | 0 | } |
1396 | | |
1397 | | METHOD(ike_sa_t, set_kmaddress, void, |
1398 | | private_ike_sa_t *this, host_t *local, host_t *remote) |
1399 | 0 | { |
1400 | 0 | DESTROY_IF(this->local_host); |
1401 | 0 | DESTROY_IF(this->remote_host); |
1402 | 0 | this->local_host = local->clone(local); |
1403 | 0 | this->remote_host = remote->clone(remote); |
1404 | 0 | } |
1405 | | |
1406 | | #ifdef ME |
1407 | | METHOD(ike_sa_t, act_as_mediation_server, void, |
1408 | | private_ike_sa_t *this) |
1409 | | { |
1410 | | charon->mediation_manager->update_sa_id(charon->mediation_manager, |
1411 | | this->other_id, this->ike_sa_id); |
1412 | | this->is_mediation_server = TRUE; |
1413 | | } |
1414 | | |
1415 | | METHOD(ike_sa_t, get_server_reflexive_host, host_t*, |
1416 | | private_ike_sa_t *this) |
1417 | | { |
1418 | | return this->server_reflexive_host; |
1419 | | } |
1420 | | |
1421 | | METHOD(ike_sa_t, set_server_reflexive_host, void, |
1422 | | private_ike_sa_t *this, host_t *host) |
1423 | | { |
1424 | | DESTROY_IF(this->server_reflexive_host); |
1425 | | this->server_reflexive_host = host; |
1426 | | } |
1427 | | |
1428 | | METHOD(ike_sa_t, get_connect_id, chunk_t, |
1429 | | private_ike_sa_t *this) |
1430 | | { |
1431 | | return this->connect_id; |
1432 | | } |
1433 | | |
1434 | | METHOD(ike_sa_t, respond, status_t, |
1435 | | private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id) |
1436 | | { |
1437 | | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1438 | | task->respond(task, peer_id, connect_id); |
1439 | | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1440 | | return this->task_manager->initiate(this->task_manager); |
1441 | | } |
1442 | | |
1443 | | METHOD(ike_sa_t, callback, status_t, |
1444 | | private_ike_sa_t *this, identification_t *peer_id) |
1445 | | { |
1446 | | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1447 | | task->callback(task, peer_id); |
1448 | | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1449 | | return this->task_manager->initiate(this->task_manager); |
1450 | | } |
1451 | | |
1452 | | METHOD(ike_sa_t, relay, status_t, |
1453 | | private_ike_sa_t *this, identification_t *requester, chunk_t connect_id, |
1454 | | chunk_t connect_key, linked_list_t *endpoints, bool response) |
1455 | | { |
1456 | | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1457 | | task->relay(task, requester, connect_id, connect_key, endpoints, response); |
1458 | | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1459 | | return this->task_manager->initiate(this->task_manager); |
1460 | | } |
1461 | | |
1462 | | METHOD(ike_sa_t, initiate_mediation, status_t, |
1463 | | private_ike_sa_t *this, peer_cfg_t *mediated_cfg) |
1464 | | { |
1465 | | ike_me_t *task = ike_me_create(&this->public, TRUE); |
1466 | | task->connect(task, mediated_cfg->get_peer_id(mediated_cfg)); |
1467 | | this->task_manager->queue_task(this->task_manager, (task_t*)task); |
1468 | | return this->task_manager->initiate(this->task_manager); |
1469 | | } |
1470 | | |
1471 | | METHOD(ike_sa_t, initiate_mediated, status_t, |
1472 | | private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id) |
1473 | | { |
1474 | | set_my_host(this, me->clone(me)); |
1475 | | set_other_host(this, other->clone(other)); |
1476 | | chunk_free(&this->connect_id); |
1477 | | this->connect_id = chunk_clone(connect_id); |
1478 | | return this->task_manager->initiate(this->task_manager); |
1479 | | } |
1480 | | #endif /* ME */ |
1481 | | |
1482 | | /** |
1483 | | * Resolve DNS host in configuration |
1484 | | */ |
1485 | | static void resolve_hosts(private_ike_sa_t *this) |
1486 | 0 | { |
1487 | 0 | host_t *host; |
1488 | 0 | int family = AF_UNSPEC; |
1489 | |
|
1490 | 0 | switch (charon->socket->supported_families(charon->socket)) |
1491 | 0 | { |
1492 | 0 | case SOCKET_FAMILY_IPV4: |
1493 | 0 | family = AF_INET; |
1494 | 0 | break; |
1495 | 0 | case SOCKET_FAMILY_IPV6: |
1496 | 0 | family = AF_INET6; |
1497 | 0 | break; |
1498 | 0 | case SOCKET_FAMILY_BOTH: |
1499 | 0 | case SOCKET_FAMILY_NONE: |
1500 | 0 | break; |
1501 | 0 | } |
1502 | | |
1503 | | /* if an IP address is set locally, use the same family to resolve remote */ |
1504 | 0 | if (family == AF_UNSPEC && !this->remote_host) |
1505 | 0 | { |
1506 | 0 | if (this->local_host) |
1507 | 0 | { |
1508 | 0 | family = this->local_host->get_family(this->local_host); |
1509 | 0 | } |
1510 | 0 | else |
1511 | 0 | { |
1512 | 0 | family = ike_cfg_get_family(this->ike_cfg, TRUE); |
1513 | 0 | } |
1514 | 0 | } |
1515 | |
|
1516 | 0 | if (this->remote_host) |
1517 | 0 | { |
1518 | 0 | host = this->remote_host->clone(this->remote_host); |
1519 | 0 | host->set_port(host, IKEV2_UDP_PORT); |
1520 | 0 | } |
1521 | 0 | else |
1522 | 0 | { |
1523 | 0 | host = this->ike_cfg->resolve_other(this->ike_cfg, family); |
1524 | 0 | } |
1525 | 0 | if (host) |
1526 | 0 | { |
1527 | 0 | if (!host->is_anyaddr(host) || |
1528 | 0 | this->other_host->is_anyaddr(this->other_host)) |
1529 | 0 | { /* don't set to %any if we currently have an address, but the |
1530 | | * address family might have changed */ |
1531 | 0 | set_other_host(this, host); |
1532 | 0 | } |
1533 | 0 | else |
1534 | 0 | { /* reuse the original port as some implementations might not like |
1535 | | * initial IKE messages on other ports */ |
1536 | 0 | this->other_host->set_port(this->other_host, host->get_port(host)); |
1537 | 0 | host->destroy(host); |
1538 | 0 | } |
1539 | 0 | } |
1540 | |
|
1541 | 0 | if (this->local_host) |
1542 | 0 | { |
1543 | 0 | host = this->local_host->clone(this->local_host); |
1544 | 0 | host->set_port(host, charon->socket->get_port(charon->socket, FALSE)); |
1545 | 0 | } |
1546 | 0 | else |
1547 | 0 | { |
1548 | | /* use same address family as for other */ |
1549 | 0 | if (!this->other_host->is_anyaddr(this->other_host)) |
1550 | 0 | { |
1551 | 0 | family = this->other_host->get_family(this->other_host); |
1552 | 0 | } |
1553 | 0 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
1554 | |
|
1555 | 0 | if (host && host->is_anyaddr(host) && |
1556 | 0 | !this->other_host->is_anyaddr(this->other_host)) |
1557 | 0 | { |
1558 | 0 | host->destroy(host); |
1559 | 0 | host = charon->kernel->get_source_addr(charon->kernel, |
1560 | 0 | this->other_host, NULL); |
1561 | 0 | if (host) |
1562 | 0 | { |
1563 | 0 | host->set_port(host, this->ike_cfg->get_my_port(this->ike_cfg)); |
1564 | 0 | } |
1565 | 0 | else |
1566 | 0 | { /* fallback to address family specific %any(6), if configured */ |
1567 | 0 | host = this->ike_cfg->resolve_me(this->ike_cfg, family); |
1568 | 0 | } |
1569 | 0 | } |
1570 | 0 | } |
1571 | 0 | if (host) |
1572 | 0 | { |
1573 | 0 | set_my_host(this, host); |
1574 | 0 | } |
1575 | 0 | } |
1576 | | |
1577 | | METHOD(ike_sa_t, initiate, status_t, |
1578 | | private_ike_sa_t *this, child_cfg_t *child_cfg, child_init_args_t *args) |
1579 | 0 | { |
1580 | 0 | bool defer_initiate = FALSE; |
1581 | |
|
1582 | 0 | if (this->state == IKE_CREATED) |
1583 | 0 | { |
1584 | 0 | if (this->my_host->is_anyaddr(this->my_host) || |
1585 | 0 | this->other_host->is_anyaddr(this->other_host)) |
1586 | 0 | { |
1587 | 0 | resolve_hosts(this); |
1588 | 0 | } |
1589 | |
|
1590 | 0 | if (this->other_host->is_anyaddr(this->other_host) |
1591 | | #ifdef ME |
1592 | | && !this->peer_cfg->get_mediated_by(this->peer_cfg) |
1593 | | #endif /* ME */ |
1594 | 0 | ) |
1595 | 0 | { |
1596 | 0 | if (!this->retry_initiate_interval) |
1597 | 0 | { |
1598 | 0 | DBG1(DBG_IKE, "unable to resolve %s, initiate aborted", |
1599 | 0 | this->ike_cfg->get_other_addr(this->ike_cfg)); |
1600 | 0 | DESTROY_IF(child_cfg); |
1601 | 0 | charon->bus->alert(charon->bus, ALERT_PEER_ADDR_FAILED); |
1602 | 0 | return DESTROY_ME; |
1603 | 0 | } |
1604 | 0 | DBG1(DBG_IKE, "unable to resolve %s, retrying in %ds", |
1605 | 0 | this->ike_cfg->get_other_addr(this->ike_cfg), |
1606 | 0 | this->retry_initiate_interval); |
1607 | 0 | defer_initiate = TRUE; |
1608 | 0 | } |
1609 | | |
1610 | 0 | set_condition(this, COND_ORIGINAL_INITIATOR, TRUE); |
1611 | 0 | this->task_manager->queue_ike(this->task_manager); |
1612 | 0 | } |
1613 | | |
1614 | | #ifdef ME |
1615 | | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
1616 | | { |
1617 | | if (this->state == IKE_ESTABLISHED) |
1618 | | { |
1619 | | /* mediation connection is already established, retrigger state |
1620 | | * change to notify bus listeners */ |
1621 | | DBG1(DBG_IKE, "mediation connection is already up"); |
1622 | | set_state(this, IKE_ESTABLISHED); |
1623 | | } |
1624 | | DESTROY_IF(child_cfg); |
1625 | | } |
1626 | | else |
1627 | | #endif /* ME */ |
1628 | 0 | if (child_cfg) |
1629 | 0 | { |
1630 | | /* normal IKE_SA with CHILD_SA */ |
1631 | 0 | this->task_manager->queue_child(this->task_manager, child_cfg, args, NULL); |
1632 | | #ifdef ME |
1633 | | if (this->peer_cfg->get_mediated_by(this->peer_cfg)) |
1634 | | { |
1635 | | /* mediated connection, initiate mediation process */ |
1636 | | job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id); |
1637 | | lib->processor->queue_job(lib->processor, job); |
1638 | | return SUCCESS; |
1639 | | } |
1640 | | #endif /* ME */ |
1641 | 0 | } |
1642 | |
|
1643 | 0 | if (defer_initiate) |
1644 | 0 | { |
1645 | 0 | if (!this->retry_initiate_queued) |
1646 | 0 | { |
1647 | 0 | job_t *job = (job_t*)retry_initiate_job_create(this->ike_sa_id); |
1648 | 0 | lib->scheduler->schedule_job(lib->scheduler, (job_t*)job, |
1649 | 0 | this->retry_initiate_interval); |
1650 | 0 | this->retry_initiate_queued = TRUE; |
1651 | 0 | } |
1652 | 0 | return SUCCESS; |
1653 | 0 | } |
1654 | 0 | this->retry_initiate_queued = FALSE; |
1655 | 0 | return this->task_manager->initiate(this->task_manager); |
1656 | 0 | } |
1657 | | |
1658 | | METHOD(ike_sa_t, retry_initiate, status_t, |
1659 | | private_ike_sa_t *this) |
1660 | 0 | { |
1661 | 0 | if (this->retry_initiate_queued) |
1662 | 0 | { |
1663 | 0 | this->retry_initiate_queued = FALSE; |
1664 | 0 | return initiate(this, NULL, NULL); |
1665 | 0 | } |
1666 | 0 | return SUCCESS; |
1667 | 0 | } |
1668 | | |
1669 | | METHOD(ike_sa_t, process_message, status_t, |
1670 | | private_ike_sa_t *this, message_t *message) |
1671 | 0 | { |
1672 | 0 | status_t status; |
1673 | |
|
1674 | 0 | if (this->state == IKE_PASSIVE) |
1675 | 0 | { /* do not handle messages in passive state */ |
1676 | 0 | return FAILED; |
1677 | 0 | } |
1678 | 0 | if (message->get_major_version(message) != this->version) |
1679 | 0 | { |
1680 | 0 | DBG1(DBG_IKE, "ignoring %N IKEv%u exchange on %N SA", |
1681 | 0 | exchange_type_names, message->get_exchange_type(message), |
1682 | 0 | message->get_major_version(message), |
1683 | 0 | ike_version_names, this->version); |
1684 | | /* TODO-IKEv1: fall back to IKEv1 if we receive an IKEv1 |
1685 | | * INVALID_MAJOR_VERSION on an IKEv2 SA. */ |
1686 | 0 | return FAILED; |
1687 | 0 | } |
1688 | 0 | status = this->task_manager->process_message(this->task_manager, message); |
1689 | 0 | if (this->flush_auth_cfg && this->state == IKE_ESTABLISHED) |
1690 | 0 | { |
1691 | | /* authentication completed but if the online validation is suspended we |
1692 | | * need the auth cfgs until we did the delayed verification, we flush |
1693 | | * them afterwards */ |
1694 | 0 | if (!has_condition(this, COND_ONLINE_VALIDATION_SUSPENDED)) |
1695 | 0 | { |
1696 | 0 | this->flush_auth_cfg = FALSE; |
1697 | 0 | flush_auth_cfgs(this); |
1698 | 0 | } |
1699 | 0 | } |
1700 | 0 | return status; |
1701 | 0 | } |
1702 | | |
1703 | | METHOD(ike_sa_t, get_id, ike_sa_id_t*, |
1704 | | private_ike_sa_t *this) |
1705 | 0 | { |
1706 | 0 | return this->ike_sa_id; |
1707 | 0 | } |
1708 | | |
1709 | | METHOD(ike_sa_t, get_version, ike_version_t, |
1710 | | private_ike_sa_t *this) |
1711 | 0 | { |
1712 | 0 | return this->version; |
1713 | 0 | } |
1714 | | |
1715 | | METHOD(ike_sa_t, get_my_id, identification_t*, |
1716 | | private_ike_sa_t *this) |
1717 | 0 | { |
1718 | 0 | return this->my_id; |
1719 | 0 | } |
1720 | | |
1721 | | METHOD(ike_sa_t, set_my_id, void, |
1722 | | private_ike_sa_t *this, identification_t *me) |
1723 | 0 | { |
1724 | 0 | DESTROY_IF(this->my_id); |
1725 | 0 | this->my_id = me; |
1726 | 0 | } |
1727 | | |
1728 | | METHOD(ike_sa_t, get_other_id, identification_t*, |
1729 | | private_ike_sa_t *this) |
1730 | 0 | { |
1731 | 0 | return this->other_id; |
1732 | 0 | } |
1733 | | |
1734 | | METHOD(ike_sa_t, get_other_eap_id, identification_t*, |
1735 | | private_ike_sa_t *this) |
1736 | 0 | { |
1737 | 0 | identification_t *id = NULL, *current; |
1738 | 0 | enumerator_t *enumerator; |
1739 | 0 | auth_cfg_t *cfg; |
1740 | |
|
1741 | 0 | enumerator = array_create_enumerator(this->other_auths); |
1742 | 0 | while (enumerator->enumerate(enumerator, &cfg)) |
1743 | 0 | { |
1744 | | /* prefer EAP-Identity of last round */ |
1745 | 0 | current = cfg->get(cfg, AUTH_RULE_EAP_IDENTITY); |
1746 | 0 | if (!current || current->get_type(current) == ID_ANY) |
1747 | 0 | { |
1748 | 0 | current = cfg->get(cfg, AUTH_RULE_XAUTH_IDENTITY); |
1749 | 0 | } |
1750 | 0 | if (!current || current->get_type(current) == ID_ANY) |
1751 | 0 | { |
1752 | 0 | current = cfg->get(cfg, AUTH_RULE_IDENTITY); |
1753 | 0 | } |
1754 | 0 | if (current && current->get_type(current) != ID_ANY) |
1755 | 0 | { |
1756 | 0 | id = current; |
1757 | 0 | continue; |
1758 | 0 | } |
1759 | 0 | } |
1760 | 0 | enumerator->destroy(enumerator); |
1761 | 0 | if (id) |
1762 | 0 | { |
1763 | 0 | return id; |
1764 | 0 | } |
1765 | 0 | return this->other_id; |
1766 | 0 | } |
1767 | | |
1768 | | METHOD(ike_sa_t, set_other_id, void, |
1769 | | private_ike_sa_t *this, identification_t *other) |
1770 | 0 | { |
1771 | 0 | DESTROY_IF(this->other_id); |
1772 | 0 | this->other_id = other; |
1773 | 0 | } |
1774 | | |
1775 | | METHOD(ike_sa_t, get_if_id, uint32_t, |
1776 | | private_ike_sa_t *this, bool inbound) |
1777 | 0 | { |
1778 | 0 | return inbound ? this->if_id_in : this->if_id_out; |
1779 | 0 | } |
1780 | | |
1781 | | /** |
1782 | | * Sort CHILD_SAs by config and CPU ID so SAs without ID are enumerated first. |
1783 | | */ |
1784 | | static int child_sa_sort(const void *a_pub, const void *b_pub, void *user) |
1785 | 0 | { |
1786 | 0 | child_sa_t *a = (child_sa_t*)a_pub, *b = (child_sa_t*)b_pub; |
1787 | 0 | child_cfg_t *cfg = a->get_config(a); |
1788 | |
|
1789 | 0 | if (!cfg->equals(cfg, b->get_config(b))) |
1790 | 0 | { /* use the unique IDs of unrelated SAs to maintain insertion order */ |
1791 | 0 | return a->get_unique_id(a) - b->get_unique_id(b); |
1792 | 0 | } |
1793 | | /* otherwise use the CPU ID, making sure an SA without ID comes first */ |
1794 | 0 | return a->get_cpu(a) == CPU_ID_MAX ? -1 : a->get_cpu(a) - b->get_cpu(b); |
1795 | 0 | } |
1796 | | |
1797 | | METHOD(ike_sa_t, add_child_sa, void, |
1798 | | private_ike_sa_t *this, child_sa_t *child_sa) |
1799 | 0 | { |
1800 | 0 | array_insert_create(&this->child_sas, ARRAY_TAIL, child_sa); |
1801 | 0 | array_sort(this->child_sas, child_sa_sort, NULL); |
1802 | 0 | charon->child_sa_manager->add(charon->child_sa_manager, |
1803 | 0 | child_sa, &this->public); |
1804 | 0 | } |
1805 | | |
1806 | | METHOD(ike_sa_t, get_child_sa, child_sa_t*, |
1807 | | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool inbound) |
1808 | 0 | { |
1809 | 0 | enumerator_t *enumerator; |
1810 | 0 | child_sa_t *current, *found = NULL; |
1811 | |
|
1812 | 0 | enumerator = array_create_enumerator(this->child_sas); |
1813 | 0 | while (enumerator->enumerate(enumerator, (void**)¤t)) |
1814 | 0 | { |
1815 | 0 | if (current->get_spi(current, inbound) == spi && |
1816 | 0 | current->get_protocol(current) == protocol) |
1817 | 0 | { |
1818 | 0 | found = current; |
1819 | 0 | } |
1820 | 0 | } |
1821 | 0 | enumerator->destroy(enumerator); |
1822 | 0 | return found; |
1823 | 0 | } |
1824 | | |
1825 | | METHOD(ike_sa_t, get_child_count, int, |
1826 | | private_ike_sa_t *this) |
1827 | 0 | { |
1828 | 0 | return array_count(this->child_sas); |
1829 | 0 | } |
1830 | | |
1831 | | /** |
1832 | | * Private data of a create_child_sa_enumerator() |
1833 | | */ |
1834 | | typedef struct { |
1835 | | /** implements enumerator */ |
1836 | | enumerator_t public; |
1837 | | /** inner array enumerator */ |
1838 | | enumerator_t *inner; |
1839 | | /** current item */ |
1840 | | child_sa_t *current; |
1841 | | } child_enumerator_t; |
1842 | | |
1843 | | METHOD(enumerator_t, child_enumerate, bool, |
1844 | | child_enumerator_t *this, va_list args) |
1845 | 0 | { |
1846 | 0 | child_sa_t **child_sa; |
1847 | |
|
1848 | 0 | VA_ARGS_VGET(args, child_sa); |
1849 | 0 | if (this->inner->enumerate(this->inner, &this->current)) |
1850 | 0 | { |
1851 | 0 | *child_sa = this->current; |
1852 | 0 | return TRUE; |
1853 | 0 | } |
1854 | 0 | return FALSE; |
1855 | 0 | } |
1856 | | |
1857 | | METHOD(enumerator_t, child_enumerator_destroy, void, |
1858 | | child_enumerator_t *this) |
1859 | 0 | { |
1860 | 0 | this->inner->destroy(this->inner); |
1861 | 0 | free(this); |
1862 | 0 | } |
1863 | | |
1864 | | METHOD(ike_sa_t, create_child_sa_enumerator, enumerator_t*, |
1865 | | private_ike_sa_t *this) |
1866 | 0 | { |
1867 | 0 | child_enumerator_t *enumerator; |
1868 | |
|
1869 | 0 | INIT(enumerator, |
1870 | 0 | .public = { |
1871 | 0 | .enumerate = enumerator_enumerate_default, |
1872 | 0 | .venumerate = _child_enumerate, |
1873 | 0 | .destroy = _child_enumerator_destroy, |
1874 | 0 | }, |
1875 | 0 | .inner = array_create_enumerator(this->child_sas), |
1876 | 0 | ); |
1877 | 0 | return &enumerator->public; |
1878 | 0 | } |
1879 | | |
1880 | | METHOD(ike_sa_t, remove_child_sa, void, |
1881 | | private_ike_sa_t *this, enumerator_t *enumerator) |
1882 | 0 | { |
1883 | 0 | child_enumerator_t *ce = (child_enumerator_t*)enumerator; |
1884 | |
|
1885 | 0 | charon->child_sa_manager->remove(charon->child_sa_manager, ce->current); |
1886 | 0 | array_remove_at(this->child_sas, ce->inner); |
1887 | 0 | } |
1888 | | |
1889 | | METHOD(ike_sa_t, rekey_child_sa, status_t, |
1890 | | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
1891 | 0 | { |
1892 | 0 | if (this->state == IKE_PASSIVE) |
1893 | 0 | { |
1894 | 0 | return INVALID_STATE; |
1895 | 0 | } |
1896 | 0 | this->task_manager->queue_child_rekey(this->task_manager, protocol, spi); |
1897 | 0 | return this->task_manager->initiate(this->task_manager); |
1898 | 0 | } |
1899 | | |
1900 | | METHOD(ike_sa_t, delete_child_sa, status_t, |
1901 | | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi, bool expired) |
1902 | 0 | { |
1903 | 0 | if (this->state == IKE_PASSIVE) |
1904 | 0 | { |
1905 | 0 | return INVALID_STATE; |
1906 | 0 | } |
1907 | 0 | this->task_manager->queue_child_delete(this->task_manager, |
1908 | 0 | protocol, spi, expired); |
1909 | 0 | return this->task_manager->initiate(this->task_manager); |
1910 | 0 | } |
1911 | | |
1912 | | METHOD(ike_sa_t, destroy_child_sa, status_t, |
1913 | | private_ike_sa_t *this, protocol_id_t protocol, uint32_t spi) |
1914 | 0 | { |
1915 | 0 | enumerator_t *enumerator; |
1916 | 0 | child_sa_t *child_sa; |
1917 | 0 | status_t status = NOT_FOUND; |
1918 | |
|
1919 | 0 | enumerator = create_child_sa_enumerator(this); |
1920 | 0 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
1921 | 0 | { |
1922 | 0 | if (child_sa->get_protocol(child_sa) == protocol && |
1923 | 0 | child_sa->get_spi(child_sa, TRUE) == spi) |
1924 | 0 | { |
1925 | 0 | remove_child_sa(this, enumerator); |
1926 | 0 | child_sa->destroy(child_sa); |
1927 | 0 | status = SUCCESS; |
1928 | 0 | break; |
1929 | 0 | } |
1930 | 0 | } |
1931 | 0 | enumerator->destroy(enumerator); |
1932 | 0 | return status; |
1933 | 0 | } |
1934 | | |
1935 | | METHOD(ike_sa_t, delete_, status_t, |
1936 | | private_ike_sa_t *this, bool force) |
1937 | 0 | { |
1938 | 0 | status_t status = DESTROY_ME; |
1939 | |
|
1940 | 0 | switch (this->state) |
1941 | 0 | { |
1942 | 0 | case IKE_ESTABLISHED: |
1943 | 0 | case IKE_REKEYING: |
1944 | 0 | case IKE_REKEYED: |
1945 | 0 | if (time_monotonic(NULL) >= this->stats[STAT_DELETE] && |
1946 | 0 | !(this->version == IKEV1 && this->state == IKE_REKEYING)) |
1947 | 0 | { /* IKE_SA hard lifetime hit, ignored for reauthenticated |
1948 | | * IKEv1 SAs */ |
1949 | 0 | charon->bus->alert(charon->bus, ALERT_IKE_SA_EXPIRED); |
1950 | 0 | } |
1951 | 0 | this->task_manager->queue_ike_delete(this->task_manager); |
1952 | 0 | status = this->task_manager->initiate(this->task_manager); |
1953 | 0 | break; |
1954 | 0 | case IKE_CREATED: |
1955 | 0 | DBG1(DBG_IKE, "deleting unestablished IKE_SA"); |
1956 | 0 | break; |
1957 | 0 | case IKE_PASSIVE: |
1958 | 0 | break; |
1959 | 0 | default: |
1960 | 0 | DBG1(DBG_IKE, "destroying IKE_SA in state %N without notification", |
1961 | 0 | ike_sa_state_names, this->state); |
1962 | 0 | force = TRUE; |
1963 | 0 | break; |
1964 | 0 | } |
1965 | | |
1966 | 0 | if (force) |
1967 | 0 | { |
1968 | 0 | status = DESTROY_ME; |
1969 | |
|
1970 | 0 | if (this->version == IKEV2) |
1971 | 0 | { /* for IKEv1 we trigger this in the ISAKMP delete task */ |
1972 | 0 | switch (this->state) |
1973 | 0 | { |
1974 | 0 | case IKE_ESTABLISHED: |
1975 | 0 | case IKE_REKEYING: |
1976 | 0 | case IKE_DELETING: |
1977 | 0 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); |
1978 | 0 | default: |
1979 | 0 | break; |
1980 | 0 | } |
1981 | 0 | } |
1982 | 0 | } |
1983 | 0 | return status; |
1984 | 0 | } |
1985 | | |
1986 | | METHOD(ike_sa_t, rekey, status_t, |
1987 | | private_ike_sa_t *this) |
1988 | 0 | { |
1989 | 0 | if (this->state == IKE_PASSIVE || |
1990 | 0 | has_condition(this, COND_REAUTHENTICATING)) |
1991 | 0 | { |
1992 | 0 | return INVALID_STATE; |
1993 | 0 | } |
1994 | 0 | this->task_manager->queue_ike_rekey(this->task_manager); |
1995 | 0 | return this->task_manager->initiate(this->task_manager); |
1996 | 0 | } |
1997 | | |
1998 | | /* |
1999 | | * Described in header |
2000 | | */ |
2001 | | bool ike_sa_can_reauthenticate(ike_sa_t *public) |
2002 | 0 | { |
2003 | 0 | private_ike_sa_t *this = (private_ike_sa_t*)public; |
2004 | |
|
2005 | 0 | return array_count(this->other_vips) == 0 && |
2006 | 0 | !has_condition(this, COND_XAUTH_AUTHENTICATED) && |
2007 | 0 | !has_condition(this, COND_EAP_AUTHENTICATED) |
2008 | | #ifdef ME |
2009 | | /* as mediation server we too cannot reauth the IKE_SA */ |
2010 | | && !this->is_mediation_server |
2011 | | #endif /* ME */ |
2012 | 0 | ; |
2013 | 0 | } |
2014 | | |
2015 | | METHOD(ike_sa_t, reauth, status_t, |
2016 | | private_ike_sa_t *this) |
2017 | 0 | { |
2018 | 0 | if (this->state == IKE_PASSIVE) |
2019 | 0 | { |
2020 | 0 | return INVALID_STATE; |
2021 | 0 | } |
2022 | 0 | if (this->state == IKE_CONNECTING) |
2023 | 0 | { |
2024 | 0 | DBG0(DBG_IKE, "reinitiating IKE_SA %s[%u]", |
2025 | 0 | get_name(this), this->unique_id); |
2026 | 0 | reset(this, TRUE); |
2027 | 0 | return this->task_manager->initiate(this->task_manager); |
2028 | 0 | } |
2029 | | /* we can't reauthenticate as responder when we use EAP or virtual IPs. |
2030 | | * If the peer does not support RFC4478, there is no way to keep the |
2031 | | * IKE_SA up. */ |
2032 | 0 | if (!has_condition(this, COND_ORIGINAL_INITIATOR) && |
2033 | 0 | !ike_sa_can_reauthenticate(&this->public)) |
2034 | 0 | { |
2035 | | #if DEBUG_LEVEL >= 1 |
2036 | | time_t del = this->stats[STAT_DELETE]; |
2037 | | time_t now = time_monotonic(NULL); |
2038 | | DBG1(DBG_IKE, "initiator did not reauthenticate as requested, IKE_SA " |
2039 | | "%s[%u] will timeout in %V", get_name(this), this->unique_id, |
2040 | | &now, &del); |
2041 | | #endif |
2042 | 0 | return FAILED; |
2043 | 0 | } |
2044 | 0 | DBG0(DBG_IKE, "reauthenticating IKE_SA %s[%u]", |
2045 | 0 | get_name(this), this->unique_id); |
2046 | 0 | set_condition(this, COND_REAUTHENTICATING, TRUE); |
2047 | 0 | this->task_manager->queue_ike_reauth(this->task_manager); |
2048 | 0 | return this->task_manager->initiate(this->task_manager); |
2049 | 0 | } |
2050 | | |
2051 | | /** |
2052 | | * Check if any tasks of a specific type are queued in the given queue. |
2053 | | */ |
2054 | | static bool is_task_queued(private_ike_sa_t *this, task_queue_t queue, |
2055 | | task_type_t type) |
2056 | 0 | { |
2057 | 0 | enumerator_t *enumerator; |
2058 | 0 | task_t *task; |
2059 | 0 | bool found = FALSE; |
2060 | |
|
2061 | 0 | enumerator = this->task_manager->create_task_enumerator(this->task_manager, |
2062 | 0 | queue); |
2063 | 0 | while (enumerator->enumerate(enumerator, &task)) |
2064 | 0 | { |
2065 | 0 | if (task->get_type(task) == type) |
2066 | 0 | { |
2067 | 0 | found = TRUE; |
2068 | 0 | break; |
2069 | 0 | } |
2070 | 0 | } |
2071 | 0 | enumerator->destroy(enumerator); |
2072 | 0 | return found; |
2073 | 0 | } |
2074 | | |
2075 | | /** |
2076 | | * Check if any tasks to create CHILD_SAs are queued in the given queue. |
2077 | | */ |
2078 | | static bool is_child_queued(private_ike_sa_t *this, task_queue_t queue) |
2079 | 0 | { |
2080 | 0 | return is_task_queued(this, queue, |
2081 | 0 | this->version == IKEV1 ? TASK_QUICK_MODE : TASK_CHILD_CREATE); |
2082 | 0 | } |
2083 | | |
2084 | | /* |
2085 | | * Described in header |
2086 | | */ |
2087 | | bool ike_sa_is_delete_queued(ike_sa_t *ike_sa) |
2088 | 0 | { |
2089 | 0 | private_ike_sa_t *this = (private_ike_sa_t*)ike_sa; |
2090 | 0 | return is_task_queued(this, TASK_QUEUE_QUEUED, |
2091 | 0 | this->version == IKEV1 ? TASK_ISAKMP_DELETE : TASK_IKE_DELETE); |
2092 | 0 | } |
2093 | | |
2094 | | /** |
2095 | | * Reestablish CHILD_SAs and migrate queued tasks. |
2096 | | * |
2097 | | * If force is true all SAs are restarted, otherwise their close/dpd_action |
2098 | | * is followed. |
2099 | | */ |
2100 | | static status_t reestablish_children(private_ike_sa_t *this, ike_sa_t *new, |
2101 | | bool force) |
2102 | 0 | { |
2103 | 0 | private_ike_sa_t *other = (private_ike_sa_t*)new; |
2104 | 0 | enumerator_t *enumerator; |
2105 | 0 | child_sa_t *child_sa; |
2106 | 0 | child_cfg_t *child_cfg; |
2107 | 0 | action_t action; |
2108 | | |
2109 | | /* handle existing CHILD_SAs */ |
2110 | 0 | enumerator = create_child_sa_enumerator(this); |
2111 | 0 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
2112 | 0 | { |
2113 | 0 | switch (child_sa->get_state(child_sa)) |
2114 | 0 | { |
2115 | 0 | case CHILD_REKEYED: |
2116 | 0 | case CHILD_DELETED: |
2117 | | /* ignore CHILD_SAs in these states */ |
2118 | 0 | continue; |
2119 | 0 | default: |
2120 | 0 | break; |
2121 | 0 | } |
2122 | 0 | if (force) |
2123 | 0 | { |
2124 | 0 | action = ACTION_START; |
2125 | 0 | } |
2126 | 0 | else |
2127 | 0 | { /* only restart CHILD_SAs that are configured accordingly */ |
2128 | 0 | if (this->state == IKE_DELETING) |
2129 | 0 | { |
2130 | 0 | action = child_sa->get_close_action(child_sa); |
2131 | 0 | } |
2132 | 0 | else |
2133 | 0 | { |
2134 | 0 | action = child_sa->get_dpd_action(child_sa); |
2135 | 0 | } |
2136 | 0 | } |
2137 | 0 | if (action & ACTION_START) |
2138 | 0 | { |
2139 | 0 | child_cfg = child_sa->get_config(child_sa); |
2140 | 0 | DBG1(DBG_IKE, "restarting CHILD_SA %s", |
2141 | 0 | child_cfg->get_name(child_cfg)); |
2142 | 0 | other->task_manager->queue_child(other->task_manager, |
2143 | 0 | child_cfg->get_ref(child_cfg), |
2144 | 0 | NULL, child_sa); |
2145 | 0 | } |
2146 | 0 | } |
2147 | 0 | enumerator->destroy(enumerator); |
2148 | | |
2149 | | /* adopt any active or queued CHILD-creating tasks */ |
2150 | 0 | new->adopt_child_tasks(new, &this->public); |
2151 | |
|
2152 | 0 | return new->initiate(new, NULL, NULL); |
2153 | 0 | } |
2154 | | |
2155 | | METHOD(ike_sa_t, reestablish, status_t, |
2156 | | private_ike_sa_t *this) |
2157 | 0 | { |
2158 | 0 | ike_sa_t *new; |
2159 | 0 | host_t *host; |
2160 | 0 | action_t action; |
2161 | 0 | enumerator_t *enumerator; |
2162 | 0 | child_sa_t *child_sa; |
2163 | 0 | bool restart = FALSE; |
2164 | 0 | status_t status = FAILED; |
2165 | |
|
2166 | 0 | if (ike_sa_is_delete_queued((ike_sa_t*)this)) |
2167 | 0 | { /* don't reestablish IKE_SAs that have explicitly been deleted in the |
2168 | | * mean time */ |
2169 | 0 | return FAILED; |
2170 | 0 | } |
2171 | | |
2172 | 0 | if (has_condition(this, COND_REAUTHENTICATING)) |
2173 | 0 | { /* only reauthenticate if we have children */ |
2174 | 0 | if (array_count(this->child_sas) == 0 |
2175 | | #ifdef ME |
2176 | | /* allow reauth of mediation connections without CHILD_SAs */ |
2177 | | && !this->peer_cfg->is_mediation(this->peer_cfg) |
2178 | | #endif /* ME */ |
2179 | 0 | ) |
2180 | 0 | { |
2181 | 0 | DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA " |
2182 | 0 | "to recreate"); |
2183 | 0 | } |
2184 | 0 | else |
2185 | 0 | { |
2186 | 0 | restart = TRUE; |
2187 | 0 | } |
2188 | 0 | } |
2189 | 0 | else |
2190 | 0 | { /* check if we have children to keep up at all */ |
2191 | 0 | enumerator = array_create_enumerator(this->child_sas); |
2192 | 0 | while (enumerator->enumerate(enumerator, (void**)&child_sa)) |
2193 | 0 | { |
2194 | 0 | switch (child_sa->get_state(child_sa)) |
2195 | 0 | { |
2196 | 0 | case CHILD_REKEYED: |
2197 | 0 | case CHILD_DELETED: |
2198 | | /* ignore CHILD_SAs in these states */ |
2199 | 0 | continue; |
2200 | 0 | default: |
2201 | 0 | break; |
2202 | 0 | } |
2203 | 0 | if (this->state == IKE_DELETING) |
2204 | 0 | { |
2205 | 0 | action = child_sa->get_close_action(child_sa); |
2206 | 0 | } |
2207 | 0 | else |
2208 | 0 | { |
2209 | 0 | action = child_sa->get_dpd_action(child_sa); |
2210 | 0 | } |
2211 | 0 | if (action & ACTION_TRAP) |
2212 | 0 | { |
2213 | 0 | charon->traps->install(charon->traps, this->peer_cfg, |
2214 | 0 | child_sa->get_config(child_sa)); |
2215 | 0 | } |
2216 | 0 | if (action & ACTION_START) |
2217 | 0 | { |
2218 | 0 | restart = TRUE; |
2219 | 0 | } |
2220 | 0 | } |
2221 | 0 | enumerator->destroy(enumerator); |
2222 | | /* check if we have tasks that recreate children */ |
2223 | 0 | if (!restart) |
2224 | 0 | { |
2225 | 0 | restart = is_child_queued(this, TASK_QUEUE_ACTIVE) || |
2226 | 0 | is_child_queued(this, TASK_QUEUE_QUEUED); |
2227 | 0 | } |
2228 | | #ifdef ME |
2229 | | /* mediation connections have no children, keep them up anyway */ |
2230 | | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
2231 | | { |
2232 | | restart = TRUE; |
2233 | | } |
2234 | | #endif /* ME */ |
2235 | 0 | } |
2236 | 0 | if (!restart) |
2237 | 0 | { |
2238 | 0 | return FAILED; |
2239 | 0 | } |
2240 | | |
2241 | | /* check if we are able to reestablish this IKE_SA */ |
2242 | 0 | if (!has_condition(this, COND_ORIGINAL_INITIATOR) && |
2243 | 0 | (array_count(this->other_vips) != 0 || |
2244 | 0 | has_condition(this, COND_EAP_AUTHENTICATED) |
2245 | | #ifdef ME |
2246 | | || this->is_mediation_server |
2247 | | #endif /* ME */ |
2248 | 0 | )) |
2249 | 0 | { |
2250 | 0 | DBG1(DBG_IKE, "unable to reestablish IKE_SA due to asymmetric setup"); |
2251 | 0 | return FAILED; |
2252 | 0 | } |
2253 | | |
2254 | 0 | new = charon->ike_sa_manager->create_new(charon->ike_sa_manager, |
2255 | 0 | this->version, TRUE); |
2256 | 0 | if (!new) |
2257 | 0 | { |
2258 | 0 | return FAILED; |
2259 | 0 | } |
2260 | 0 | new->set_peer_cfg(new, this->peer_cfg); |
2261 | 0 | host = this->other_host; |
2262 | 0 | new->set_other_host(new, host->clone(host)); |
2263 | 0 | host = this->my_host; |
2264 | 0 | new->set_my_host(new, host->clone(host)); |
2265 | 0 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); |
2266 | 0 | if (!has_condition(this, COND_REAUTHENTICATING)) |
2267 | 0 | { /* reauthenticate to the same addresses, but resolve hosts if |
2268 | | * reestablishing (old addresses serve as fallback) */ |
2269 | 0 | resolve_hosts((private_ike_sa_t*)new); |
2270 | 0 | } |
2271 | | /* if we already have a virtual IP, we reuse it */ |
2272 | 0 | enumerator = array_create_enumerator(this->my_vips); |
2273 | 0 | while (enumerator->enumerate(enumerator, &host)) |
2274 | 0 | { |
2275 | 0 | new->add_virtual_ip(new, TRUE, host); |
2276 | 0 | } |
2277 | 0 | enumerator->destroy(enumerator); |
2278 | |
|
2279 | | #ifdef ME |
2280 | | if (this->peer_cfg->is_mediation(this->peer_cfg)) |
2281 | | { |
2282 | | status = new->initiate(new, NULL, NULL); |
2283 | | } |
2284 | | else |
2285 | | #endif /* ME */ |
2286 | 0 | { |
2287 | 0 | status = reestablish_children(this, new, |
2288 | 0 | has_condition(this, COND_REAUTHENTICATING)); |
2289 | 0 | } |
2290 | |
|
2291 | 0 | if (status == DESTROY_ME) |
2292 | 0 | { |
2293 | 0 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2294 | 0 | FALSE); |
2295 | 0 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); |
2296 | 0 | status = FAILED; |
2297 | 0 | } |
2298 | 0 | else |
2299 | 0 | { |
2300 | 0 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2301 | 0 | TRUE); |
2302 | 0 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); |
2303 | 0 | status = SUCCESS; |
2304 | 0 | } |
2305 | 0 | charon->bus->set_sa(charon->bus, &this->public); |
2306 | 0 | return status; |
2307 | 0 | } |
2308 | | |
2309 | | /** |
2310 | | * Resolve the given gateway ID |
2311 | | */ |
2312 | | static host_t *resolve_gateway_id(identification_t *gateway) |
2313 | 0 | { |
2314 | 0 | char gw[BUF_LEN]; |
2315 | 0 | host_t *addr; |
2316 | |
|
2317 | 0 | snprintf(gw, sizeof(gw), "%Y", gateway); |
2318 | 0 | gw[sizeof(gw)-1] = '\0'; |
2319 | 0 | addr = host_create_from_dns(gw, AF_UNSPEC, IKEV2_UDP_PORT); |
2320 | 0 | if (!addr) |
2321 | 0 | { |
2322 | 0 | DBG1(DBG_IKE, "unable to resolve gateway ID '%Y', redirect failed", |
2323 | 0 | gateway); |
2324 | 0 | } |
2325 | 0 | return addr; |
2326 | 0 | } |
2327 | | |
2328 | | /** |
2329 | | * Redirect the current SA to the given target host |
2330 | | */ |
2331 | | static bool redirect_established(private_ike_sa_t *this, identification_t *to) |
2332 | 0 | { |
2333 | 0 | private_ike_sa_t *new_priv; |
2334 | 0 | ike_sa_t *new; |
2335 | 0 | host_t *other; |
2336 | 0 | time_t redirect; |
2337 | |
|
2338 | 0 | new = charon->ike_sa_manager->create_new(charon->ike_sa_manager, |
2339 | 0 | this->version, TRUE); |
2340 | 0 | if (!new) |
2341 | 0 | { |
2342 | 0 | return FALSE; |
2343 | 0 | } |
2344 | | /* mark the SA so it won't get reused even though it's established */ |
2345 | 0 | set_condition(this, COND_REDIRECTED, TRUE); |
2346 | |
|
2347 | 0 | new_priv = (private_ike_sa_t*)new; |
2348 | 0 | new->set_peer_cfg(new, this->peer_cfg); |
2349 | 0 | new_priv->redirected_from = this->other_host->clone(this->other_host); |
2350 | 0 | charon->bus->ike_reestablish_pre(charon->bus, &this->public, new); |
2351 | 0 | other = resolve_gateway_id(to); |
2352 | 0 | if (other) |
2353 | 0 | { |
2354 | 0 | set_my_host(new_priv, this->my_host->clone(this->my_host)); |
2355 | | /* this allows us to force the remote address while we still properly |
2356 | | * resolve the local address */ |
2357 | 0 | new_priv->remote_host = other; |
2358 | 0 | resolve_hosts(new_priv); |
2359 | 0 | new_priv->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); |
2360 | 0 | while (array_remove(this->redirected_at, ARRAY_HEAD, &redirect)) |
2361 | 0 | { |
2362 | 0 | array_insert(new_priv->redirected_at, ARRAY_TAIL, &redirect); |
2363 | 0 | } |
2364 | 0 | if (reestablish_children(this, new, TRUE) != DESTROY_ME) |
2365 | 0 | { |
2366 | 0 | #ifdef USE_IKEV2 |
2367 | 0 | new->queue_task(new, (task_t*)ike_reauth_complete_create(new, |
2368 | 0 | this->ike_sa_id)); |
2369 | 0 | #endif |
2370 | 0 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2371 | 0 | TRUE); |
2372 | 0 | charon->ike_sa_manager->checkin(charon->ike_sa_manager, new); |
2373 | 0 | charon->bus->set_sa(charon->bus, &this->public); |
2374 | 0 | return TRUE; |
2375 | 0 | } |
2376 | 0 | } |
2377 | 0 | charon->bus->ike_reestablish_post(charon->bus, &this->public, new, |
2378 | 0 | FALSE); |
2379 | 0 | charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new); |
2380 | 0 | charon->bus->set_sa(charon->bus, &this->public); |
2381 | 0 | return FALSE; |
2382 | 0 | } |
2383 | | |
2384 | | /** |
2385 | | * Redirect the current connecting SA to the given target host |
2386 | | */ |
2387 | | static bool redirect_connecting(private_ike_sa_t *this, identification_t *to) |
2388 | 0 | { |
2389 | 0 | host_t *other; |
2390 | |
|
2391 | 0 | other = resolve_gateway_id(to); |
2392 | 0 | if (!other) |
2393 | 0 | { |
2394 | 0 | return FALSE; |
2395 | 0 | } |
2396 | 0 | reset(this, TRUE); |
2397 | 0 | DESTROY_IF(this->redirected_from); |
2398 | 0 | this->redirected_from = this->other_host->clone(this->other_host); |
2399 | | /* this allows us to force the remote address while we still properly |
2400 | | * resolve the local address */ |
2401 | 0 | DESTROY_IF(this->remote_host); |
2402 | 0 | this->remote_host = other; |
2403 | 0 | resolve_hosts(this); |
2404 | 0 | return TRUE; |
2405 | 0 | } |
2406 | | |
2407 | | /** |
2408 | | * Check if the current redirect exceeds the limits for redirects |
2409 | | */ |
2410 | | static bool redirect_count_exceeded(private_ike_sa_t *this) |
2411 | 0 | { |
2412 | 0 | time_t now, redirect; |
2413 | |
|
2414 | 0 | now = time_monotonic(NULL); |
2415 | | /* remove entries outside the defined period */ |
2416 | 0 | while (array_get(this->redirected_at, ARRAY_HEAD, &redirect) && |
2417 | 0 | now - redirect >= REDIRECT_LOOP_DETECT_PERIOD) |
2418 | 0 | { |
2419 | 0 | array_remove(this->redirected_at, ARRAY_HEAD, NULL); |
2420 | 0 | } |
2421 | 0 | if (array_count(this->redirected_at) < MAX_REDIRECTS) |
2422 | 0 | { |
2423 | 0 | if (!this->redirected_at) |
2424 | 0 | { |
2425 | 0 | this->redirected_at = array_create(sizeof(time_t), MAX_REDIRECTS); |
2426 | 0 | } |
2427 | 0 | array_insert(this->redirected_at, ARRAY_TAIL, &now); |
2428 | 0 | return FALSE; |
2429 | 0 | } |
2430 | 0 | return TRUE; |
2431 | 0 | } |
2432 | | |
2433 | | METHOD(ike_sa_t, handle_redirect, bool, |
2434 | | private_ike_sa_t *this, identification_t *gateway) |
2435 | 0 | { |
2436 | 0 | DBG1(DBG_IKE, "redirected to %Y", gateway); |
2437 | 0 | if (!this->follow_redirects) |
2438 | 0 | { |
2439 | 0 | DBG1(DBG_IKE, "server sent REDIRECT even though we disabled it"); |
2440 | 0 | return FALSE; |
2441 | 0 | } |
2442 | 0 | if (redirect_count_exceeded(this)) |
2443 | 0 | { |
2444 | 0 | DBG1(DBG_IKE, "only %d redirects are allowed within %d seconds", |
2445 | 0 | MAX_REDIRECTS, REDIRECT_LOOP_DETECT_PERIOD); |
2446 | 0 | return FALSE; |
2447 | 0 | } |
2448 | | |
2449 | 0 | switch (this->state) |
2450 | 0 | { |
2451 | 0 | case IKE_CONNECTING: |
2452 | 0 | if (!has_condition(this, COND_AUTHENTICATED)) |
2453 | 0 | { |
2454 | 0 | return redirect_connecting(this, gateway); |
2455 | 0 | } |
2456 | | /* fall-through during IKE_AUTH if authenticated */ |
2457 | 0 | case IKE_ESTABLISHED: |
2458 | 0 | return redirect_established(this, gateway); |
2459 | 0 | default: |
2460 | 0 | DBG1(DBG_IKE, "unable to handle redirect for IKE_SA in state %N", |
2461 | 0 | ike_sa_state_names, this->state); |
2462 | 0 | return FALSE; |
2463 | 0 | } |
2464 | 0 | } |
2465 | | |
2466 | | METHOD(ike_sa_t, redirect, status_t, |
2467 | | private_ike_sa_t *this, identification_t *gateway) |
2468 | 0 | { |
2469 | 0 | switch (this->state) |
2470 | 0 | { |
2471 | 0 | case IKE_CONNECTING: |
2472 | 0 | case IKE_ESTABLISHED: |
2473 | 0 | case IKE_REKEYING: |
2474 | 0 | if (has_condition(this, COND_REDIRECTED)) |
2475 | 0 | { /* IKE_SA already got redirected */ |
2476 | 0 | return SUCCESS; |
2477 | 0 | } |
2478 | 0 | if (has_condition(this, COND_ORIGINAL_INITIATOR)) |
2479 | 0 | { |
2480 | 0 | DBG1(DBG_IKE, "unable to redirect IKE_SA as initiator"); |
2481 | 0 | return FAILED; |
2482 | 0 | } |
2483 | 0 | if (this->version == IKEV1) |
2484 | 0 | { |
2485 | 0 | DBG1(DBG_IKE, "unable to redirect IKEv1 SA"); |
2486 | 0 | return FAILED; |
2487 | 0 | } |
2488 | 0 | if (!supports_extension(this, EXT_IKE_REDIRECTION)) |
2489 | 0 | { |
2490 | 0 | DBG1(DBG_IKE, "client does not support IKE redirection"); |
2491 | 0 | return FAILED; |
2492 | 0 | } |
2493 | 0 | #ifdef USE_IKEV2 |
2494 | 0 | this->task_manager->queue_task(this->task_manager, |
2495 | 0 | (task_t*)ike_redirect_create(&this->public, gateway)); |
2496 | 0 | #endif |
2497 | 0 | return this->task_manager->initiate(this->task_manager); |
2498 | 0 | default: |
2499 | 0 | DBG1(DBG_IKE, "unable to redirect IKE_SA in state %N", |
2500 | 0 | ike_sa_state_names, this->state); |
2501 | 0 | return INVALID_STATE; |
2502 | 0 | } |
2503 | 0 | } |
2504 | | |
2505 | | METHOD(ike_sa_t, retransmit, status_t, |
2506 | | private_ike_sa_t *this, uint32_t message_id) |
2507 | 0 | { |
2508 | 0 | if (this->state == IKE_PASSIVE) |
2509 | 0 | { |
2510 | 0 | return INVALID_STATE; |
2511 | 0 | } |
2512 | 0 | switch (this->task_manager->retransmit(this->task_manager, message_id)) |
2513 | 0 | { |
2514 | 0 | case SUCCESS: |
2515 | 0 | this->stats[STAT_OUTBOUND] = time_monotonic(NULL); |
2516 | 0 | return SUCCESS; |
2517 | 0 | case INVALID_STATE: |
2518 | 0 | return INVALID_STATE; |
2519 | 0 | default: |
2520 | 0 | break; |
2521 | 0 | } |
2522 | | /* send a proper signal to brief interested bus listeners */ |
2523 | 0 | switch (this->state) |
2524 | 0 | { |
2525 | 0 | case IKE_CONNECTING: |
2526 | 0 | { |
2527 | | /* retry IKE_SA_INIT/Main Mode if we have multiple keyingtries */ |
2528 | 0 | uint32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg); |
2529 | 0 | charon->bus->alert(charon->bus, ALERT_PEER_INIT_UNREACHABLE, |
2530 | 0 | this->keyingtry); |
2531 | 0 | this->keyingtry++; |
2532 | 0 | if (tries == 0 || tries > this->keyingtry) |
2533 | 0 | { |
2534 | 0 | DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", |
2535 | 0 | this->keyingtry + 1, tries); |
2536 | 0 | reset(this, TRUE); |
2537 | 0 | resolve_hosts(this); |
2538 | 0 | return this->task_manager->initiate(this->task_manager); |
2539 | 0 | } |
2540 | 0 | DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); |
2541 | |
|
2542 | 0 | if (this->version == IKEV1 && array_count(this->child_sas)) |
2543 | 0 | { |
2544 | 0 | enumerator_t *enumerator; |
2545 | 0 | child_sa_t *child_sa; |
2546 | | |
2547 | | /* if reauthenticating an IKEv1 SA failed (assumed for an SA |
2548 | | * in this state with CHILD_SAs), try again from scratch */ |
2549 | 0 | DBG1(DBG_IKE, "reauthentication failed, trying to " |
2550 | 0 | "reestablish IKE_SA"); |
2551 | 0 | reestablish(this); |
2552 | | /* trigger down events for the CHILD_SAs, as no down event |
2553 | | * is triggered below for IKE SAs in this state */ |
2554 | 0 | enumerator = array_create_enumerator(this->child_sas); |
2555 | 0 | while (enumerator->enumerate(enumerator, &child_sa)) |
2556 | 0 | { |
2557 | 0 | if (child_sa->get_state(child_sa) != CHILD_REKEYED && |
2558 | 0 | child_sa->get_state(child_sa) != CHILD_DELETED) |
2559 | 0 | { |
2560 | 0 | charon->bus->child_updown(charon->bus, child_sa, |
2561 | 0 | FALSE); |
2562 | 0 | } |
2563 | 0 | } |
2564 | 0 | enumerator->destroy(enumerator); |
2565 | 0 | } |
2566 | 0 | break; |
2567 | 0 | } |
2568 | 0 | case IKE_DELETING: |
2569 | 0 | DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding"); |
2570 | 0 | if (has_condition(this, COND_REAUTHENTICATING) && |
2571 | 0 | !lib->settings->get_bool(lib->settings, |
2572 | 0 | "%s.make_before_break", TRUE, lib->ns)) |
2573 | 0 | { |
2574 | 0 | DBG1(DBG_IKE, "delete during reauthentication failed, " |
2575 | 0 | "trying to reestablish IKE_SA anyway"); |
2576 | 0 | reestablish(this); |
2577 | 0 | } |
2578 | 0 | break; |
2579 | 0 | case IKE_REKEYING: |
2580 | 0 | DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding"); |
2581 | | /* FALL */ |
2582 | 0 | default: |
2583 | 0 | reestablish(this); |
2584 | 0 | break; |
2585 | 0 | } |
2586 | 0 | if (this->state != IKE_CONNECTING && |
2587 | 0 | this->state != IKE_REKEYED) |
2588 | 0 | { |
2589 | 0 | charon->bus->ike_updown(charon->bus, &this->public, FALSE); |
2590 | 0 | } |
2591 | 0 | return DESTROY_ME; |
2592 | 0 | } |
2593 | | |
2594 | | METHOD(ike_sa_t, set_auth_lifetime, status_t, |
2595 | | private_ike_sa_t *this, uint32_t lifetime) |
2596 | 0 | { |
2597 | 0 | uint32_t diff, hard, soft, now; |
2598 | 0 | bool send_update; |
2599 | |
|
2600 | 0 | diff = this->peer_cfg->get_over_time(this->peer_cfg); |
2601 | 0 | now = time_monotonic(NULL); |
2602 | 0 | hard = now + lifetime; |
2603 | 0 | soft = hard - diff; |
2604 | | |
2605 | | /* check if we have to send an AUTH_LIFETIME to enforce the new lifetime. |
2606 | | * We send the notify in IKE_AUTH if not yet ESTABLISHED. */ |
2607 | 0 | send_update = this->state == IKE_ESTABLISHED && this->version == IKEV2 && |
2608 | 0 | !has_condition(this, COND_ORIGINAL_INITIATOR) && |
2609 | 0 | (array_count(this->other_vips) != 0 || |
2610 | 0 | has_condition(this, COND_EAP_AUTHENTICATED)); |
2611 | |
|
2612 | 0 | if (lifetime < diff) |
2613 | 0 | { |
2614 | 0 | this->stats[STAT_REAUTH] = now; |
2615 | |
|
2616 | 0 | if (!send_update) |
2617 | 0 | { |
2618 | 0 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " |
2619 | 0 | "starting reauthentication", lifetime); |
2620 | 0 | lib->processor->queue_job(lib->processor, |
2621 | 0 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE)); |
2622 | 0 | } |
2623 | 0 | } |
2624 | 0 | else if (this->stats[STAT_REAUTH] == 0 || |
2625 | 0 | this->stats[STAT_REAUTH] > soft) |
2626 | 0 | { |
2627 | 0 | this->stats[STAT_REAUTH] = soft; |
2628 | 0 | if (!send_update) |
2629 | 0 | { |
2630 | 0 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling " |
2631 | 0 | "reauthentication in %ds", lifetime, lifetime - diff); |
2632 | 0 | lib->scheduler->schedule_job(lib->scheduler, |
2633 | 0 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), |
2634 | 0 | lifetime - diff); |
2635 | 0 | } |
2636 | 0 | } |
2637 | 0 | else |
2638 | 0 | { |
2639 | 0 | DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, " |
2640 | 0 | "reauthentication already scheduled in %ds", lifetime, |
2641 | 0 | this->stats[STAT_REAUTH] - time_monotonic(NULL)); |
2642 | 0 | send_update = FALSE; |
2643 | 0 | } |
2644 | | /* give at least some seconds to reauthenticate */ |
2645 | 0 | this->stats[STAT_DELETE] = max(hard, now + 10); |
2646 | |
|
2647 | 0 | #ifdef USE_IKEV2 |
2648 | 0 | if (send_update) |
2649 | 0 | { |
2650 | 0 | ike_auth_lifetime_t *task; |
2651 | |
|
2652 | 0 | task = ike_auth_lifetime_create(&this->public, TRUE); |
2653 | 0 | this->task_manager->queue_task(this->task_manager, &task->task); |
2654 | 0 | return this->task_manager->initiate(this->task_manager); |
2655 | 0 | } |
2656 | 0 | #endif |
2657 | 0 | return SUCCESS; |
2658 | 0 | } |
2659 | | |
2660 | | /** |
2661 | | * Check if the current combination of source and destination address is still |
2662 | | * valid. |
2663 | | */ |
2664 | | static bool is_current_path_valid(private_ike_sa_t *this) |
2665 | 0 | { |
2666 | 0 | bool valid = FALSE; |
2667 | 0 | host_t *src; |
2668 | |
|
2669 | 0 | if (supports_extension(this, EXT_MOBIKE) && |
2670 | 0 | lib->settings->get_bool(lib->settings, |
2671 | 0 | "%s.prefer_best_path", FALSE, lib->ns)) |
2672 | 0 | { |
2673 | | /* check if the current path is the best path; migrate otherwise */ |
2674 | 0 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, |
2675 | 0 | NULL); |
2676 | 0 | if (src) |
2677 | 0 | { |
2678 | 0 | valid = src->ip_equals(src, this->my_host); |
2679 | 0 | src->destroy(src); |
2680 | 0 | } |
2681 | 0 | if (!valid) |
2682 | 0 | { |
2683 | 0 | DBG1(DBG_IKE, "old path is not preferred anymore"); |
2684 | 0 | } |
2685 | 0 | return valid; |
2686 | 0 | } |
2687 | 0 | src = charon->kernel->get_source_addr(charon->kernel, this->other_host, |
2688 | 0 | this->my_host); |
2689 | 0 | if (src) |
2690 | 0 | { |
2691 | 0 | if (src->ip_equals(src, this->my_host)) |
2692 | 0 | { |
2693 | 0 | valid = TRUE; |
2694 | 0 | } |
2695 | 0 | src->destroy(src); |
2696 | 0 | } |
2697 | 0 | if (!valid) |
2698 | 0 | { |
2699 | 0 | DBG1(DBG_IKE, "old path is not available anymore, try to find another"); |
2700 | 0 | } |
2701 | 0 | return valid; |
2702 | 0 | } |
2703 | | |
2704 | | /** |
2705 | | * Check if we have any path available for this IKE SA. |
2706 | | */ |
2707 | | static bool is_any_path_valid(private_ike_sa_t *this) |
2708 | 0 | { |
2709 | 0 | bool valid = FALSE; |
2710 | 0 | enumerator_t *enumerator; |
2711 | 0 | host_t *src = NULL, *addr; |
2712 | 0 | int family = AF_UNSPEC; |
2713 | |
|
2714 | 0 | switch (charon->socket->supported_families(charon->socket)) |
2715 | 0 | { |
2716 | 0 | case SOCKET_FAMILY_IPV4: |
2717 | 0 | family = AF_INET; |
2718 | 0 | break; |
2719 | 0 | case SOCKET_FAMILY_IPV6: |
2720 | 0 | family = AF_INET6; |
2721 | 0 | break; |
2722 | 0 | case SOCKET_FAMILY_BOTH: |
2723 | 0 | case SOCKET_FAMILY_NONE: |
2724 | 0 | break; |
2725 | 0 | } |
2726 | | |
2727 | 0 | enumerator = create_peer_address_enumerator(this); |
2728 | 0 | while (enumerator->enumerate(enumerator, &addr)) |
2729 | 0 | { |
2730 | 0 | if (family != AF_UNSPEC && addr->get_family(addr) != family) |
2731 | 0 | { |
2732 | 0 | continue; |
2733 | 0 | } |
2734 | 0 | DBG1(DBG_IKE, "looking for a route to %H ...", addr); |
2735 | 0 | src = charon->kernel->get_source_addr(charon->kernel, addr, NULL); |
2736 | 0 | if (src) |
2737 | 0 | { |
2738 | 0 | break; |
2739 | 0 | } |
2740 | 0 | } |
2741 | 0 | enumerator->destroy(enumerator); |
2742 | 0 | if (src) |
2743 | 0 | { |
2744 | 0 | valid = TRUE; |
2745 | 0 | src->destroy(src); |
2746 | 0 | } |
2747 | 0 | return valid; |
2748 | 0 | } |
2749 | | |
2750 | | METHOD(ike_sa_t, roam, status_t, |
2751 | | private_ike_sa_t *this, bool address) |
2752 | 0 | { |
2753 | 0 | switch (this->state) |
2754 | 0 | { |
2755 | 0 | case IKE_CREATED: |
2756 | 0 | case IKE_DELETING: |
2757 | 0 | case IKE_DESTROYING: |
2758 | 0 | case IKE_PASSIVE: |
2759 | 0 | case IKE_REKEYED: |
2760 | 0 | return SUCCESS; |
2761 | 0 | default: |
2762 | 0 | break; |
2763 | 0 | } |
2764 | | |
2765 | 0 | if (!this->ike_cfg) |
2766 | 0 | { /* this is the case for new HA SAs not yet in state IKE_PASSIVE and |
2767 | | * without config assigned */ |
2768 | 0 | return SUCCESS; |
2769 | 0 | } |
2770 | 0 | if (this->version == IKEV1) |
2771 | 0 | { /* ignore roam events for IKEv1 where we don't have MOBIKE and would |
2772 | | * have to reestablish from scratch (reauth is not enough) */ |
2773 | 0 | return SUCCESS; |
2774 | 0 | } |
2775 | | |
2776 | | /* ignore roam events if MOBIKE is not supported/enabled and the local |
2777 | | * address is statically configured */ |
2778 | 0 | if (!supports_extension(this, EXT_MOBIKE) && |
2779 | 0 | ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE)) |
2780 | 0 | { |
2781 | 0 | DBG2(DBG_IKE, "keeping statically configured path %H - %H", |
2782 | 0 | this->my_host, this->other_host); |
2783 | 0 | return SUCCESS; |
2784 | 0 | } |
2785 | | |
2786 | | /* keep existing path if possible */ |
2787 | 0 | if (is_current_path_valid(this)) |
2788 | 0 | { |
2789 | 0 | DBG2(DBG_IKE, "keeping connection path %H - %H", |
2790 | 0 | this->my_host, this->other_host); |
2791 | 0 | set_condition(this, COND_STALE, FALSE); |
2792 | |
|
2793 | 0 | if (supports_extension(this, EXT_MOBIKE) && address) |
2794 | 0 | { /* if any addresses changed, send an updated list */ |
2795 | 0 | DBG1(DBG_IKE, "sending address list update using MOBIKE"); |
2796 | 0 | this->task_manager->queue_mobike(this->task_manager, FALSE, TRUE); |
2797 | 0 | return this->task_manager->initiate(this->task_manager); |
2798 | 0 | } |
2799 | 0 | if (lib->settings->get_bool(lib->settings, |
2800 | 0 | "%s.check_current_path", FALSE, lib->ns) && |
2801 | 0 | !this->task_manager->busy(this->task_manager)) |
2802 | 0 | { |
2803 | 0 | DBG1(DBG_IKE, "checking if current path still works using DPD"); |
2804 | 0 | this->task_manager->queue_dpd(this->task_manager); |
2805 | 0 | return this->task_manager->initiate(this->task_manager); |
2806 | 0 | } |
2807 | 0 | return SUCCESS; |
2808 | 0 | } |
2809 | | |
2810 | 0 | if (!is_any_path_valid(this)) |
2811 | 0 | { |
2812 | 0 | DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred", |
2813 | 0 | this->other_host); |
2814 | 0 | set_condition(this, COND_STALE, TRUE); |
2815 | 0 | return SUCCESS; |
2816 | 0 | } |
2817 | 0 | set_condition(this, COND_STALE, FALSE); |
2818 | | |
2819 | | /* update addresses with mobike, if supported ... */ |
2820 | 0 | if (supports_extension(this, EXT_MOBIKE)) |
2821 | 0 | { |
2822 | 0 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2823 | 0 | { /* responder updates the peer about changed address config */ |
2824 | 0 | DBG1(DBG_IKE, "sending address list update using MOBIKE, " |
2825 | 0 | "implicitly requesting an address change"); |
2826 | 0 | address = TRUE; |
2827 | 0 | } |
2828 | 0 | else |
2829 | 0 | { |
2830 | 0 | DBG1(DBG_IKE, "requesting address change using MOBIKE"); |
2831 | 0 | } |
2832 | 0 | this->task_manager->queue_mobike(this->task_manager, TRUE, address); |
2833 | 0 | return this->task_manager->initiate(this->task_manager); |
2834 | 0 | } |
2835 | | |
2836 | | /* ... reauth if not */ |
2837 | 0 | if (!has_condition(this, COND_ORIGINAL_INITIATOR)) |
2838 | 0 | { /* responder does not reauthenticate */ |
2839 | 0 | set_condition(this, COND_STALE, TRUE); |
2840 | 0 | return SUCCESS; |
2841 | 0 | } |
2842 | 0 | DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change"); |
2843 | | /* since our previous path is not valid anymore, try and find a new one */ |
2844 | 0 | resolve_hosts(this); |
2845 | 0 | return reauth(this); |
2846 | 0 | } |
2847 | | |
2848 | | METHOD(ike_sa_t, add_configuration_attribute, void, |
2849 | | private_ike_sa_t *this, attribute_handler_t *handler, |
2850 | | configuration_attribute_type_t type, chunk_t data) |
2851 | 0 | { |
2852 | 0 | attribute_entry_t entry = { |
2853 | 0 | .handler = handler, |
2854 | 0 | .type = type, |
2855 | 0 | .data = chunk_clone(data), |
2856 | 0 | }; |
2857 | 0 | array_insert(this->attributes, ARRAY_TAIL, &entry); |
2858 | 0 | } |
2859 | | |
2860 | | CALLBACK(filter_attribute, bool, |
2861 | | void *null, enumerator_t *orig, va_list args) |
2862 | 0 | { |
2863 | 0 | attribute_entry_t *entry; |
2864 | 0 | configuration_attribute_type_t *type; |
2865 | 0 | chunk_t *data; |
2866 | 0 | bool *handled; |
2867 | |
|
2868 | 0 | VA_ARGS_VGET(args, type, data, handled); |
2869 | |
|
2870 | 0 | if (orig->enumerate(orig, &entry)) |
2871 | 0 | { |
2872 | 0 | *type = entry->type; |
2873 | 0 | *data = entry->data; |
2874 | 0 | *handled = entry->handler != NULL; |
2875 | 0 | return TRUE; |
2876 | 0 | } |
2877 | 0 | return FALSE; |
2878 | 0 | } |
2879 | | |
2880 | | METHOD(ike_sa_t, create_attribute_enumerator, enumerator_t*, |
2881 | | private_ike_sa_t *this) |
2882 | 0 | { |
2883 | 0 | return enumerator_create_filter(array_create_enumerator(this->attributes), |
2884 | 0 | filter_attribute, NULL, NULL); |
2885 | 0 | } |
2886 | | |
2887 | | METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, |
2888 | | private_ike_sa_t *this, task_queue_t queue) |
2889 | 0 | { |
2890 | 0 | return this->task_manager->create_task_enumerator(this->task_manager, queue); |
2891 | 0 | } |
2892 | | |
2893 | | METHOD(ike_sa_t, remove_task, void, |
2894 | | private_ike_sa_t *this, enumerator_t *enumerator) |
2895 | 0 | { |
2896 | 0 | return this->task_manager->remove_task(this->task_manager, enumerator); |
2897 | 0 | } |
2898 | | |
2899 | | METHOD(ike_sa_t, flush_queue, void, |
2900 | | private_ike_sa_t *this, task_queue_t queue) |
2901 | 0 | { |
2902 | 0 | this->task_manager->flush_queue(this->task_manager, queue); |
2903 | 0 | } |
2904 | | |
2905 | | METHOD(ike_sa_t, queue_task, void, |
2906 | | private_ike_sa_t *this, task_t *task) |
2907 | 0 | { |
2908 | 0 | this->task_manager->queue_task(this->task_manager, task); |
2909 | 0 | } |
2910 | | |
2911 | | METHOD(ike_sa_t, queue_task_delayed, void, |
2912 | | private_ike_sa_t *this, task_t *task, uint32_t delay) |
2913 | 0 | { |
2914 | 0 | this->task_manager->queue_task_delayed(this->task_manager, task, delay); |
2915 | 0 | } |
2916 | | |
2917 | | /** |
2918 | | * Migrate and queue child-creating tasks from another IKE_SA |
2919 | | */ |
2920 | | static void migrate_child_tasks(private_ike_sa_t *this, ike_sa_t *other, |
2921 | | task_queue_t queue) |
2922 | 0 | { |
2923 | 0 | enumerator_t *enumerator; |
2924 | 0 | task_t *task; |
2925 | |
|
2926 | 0 | enumerator = other->create_task_enumerator(other, queue); |
2927 | 0 | while (enumerator->enumerate(enumerator, &task)) |
2928 | 0 | { |
2929 | 0 | if (task->get_type(task) == TASK_CHILD_CREATE || |
2930 | 0 | task->get_type(task) == TASK_QUICK_MODE) |
2931 | 0 | { |
2932 | 0 | other->remove_task(other, enumerator); |
2933 | 0 | task->migrate(task, &this->public); |
2934 | 0 | queue_task(this, task); |
2935 | 0 | } |
2936 | 0 | } |
2937 | 0 | enumerator->destroy(enumerator); |
2938 | 0 | } |
2939 | | |
2940 | | METHOD(ike_sa_t, adopt_child_tasks, void, |
2941 | | private_ike_sa_t *this, ike_sa_t *other) |
2942 | 0 | { |
2943 | 0 | migrate_child_tasks(this, other, TASK_QUEUE_ACTIVE); |
2944 | 0 | migrate_child_tasks(this, other, TASK_QUEUE_QUEUED); |
2945 | 0 | } |
2946 | | |
2947 | | METHOD(ike_sa_t, inherit_pre, void, |
2948 | | private_ike_sa_t *this, ike_sa_t *other_public) |
2949 | 0 | { |
2950 | 0 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; |
2951 | | |
2952 | | /* apply config and hosts */ |
2953 | 0 | set_peer_cfg(this, other->peer_cfg); |
2954 | 0 | set_my_host(this, other->my_host->clone(other->my_host)); |
2955 | 0 | set_other_host(this, other->other_host->clone(other->other_host)); |
2956 | | |
2957 | | /* apply extensions and conditions with a few exceptions */ |
2958 | 0 | this->extensions = other->extensions; |
2959 | 0 | this->private_extensions = other->private_extensions; |
2960 | 0 | this->conditions = other->conditions; |
2961 | 0 | this->private_conditions = other->private_conditions; |
2962 | 0 | this->conditions &= ~COND_STALE; |
2963 | 0 | this->conditions &= ~COND_REAUTHENTICATING; |
2964 | 0 | } |
2965 | | |
2966 | | METHOD(ike_sa_t, inherit_post, void, |
2967 | | private_ike_sa_t *this, ike_sa_t *other_public) |
2968 | 0 | { |
2969 | 0 | private_ike_sa_t *other = (private_ike_sa_t*)other_public; |
2970 | 0 | child_sa_t *child_sa; |
2971 | 0 | enumerator_t *enumerator; |
2972 | 0 | attribute_entry_t entry; |
2973 | 0 | auth_cfg_t *cfg; |
2974 | 0 | host_t *vip; |
2975 | | |
2976 | | /* apply hosts and ids */ |
2977 | 0 | set_my_host(this, other->my_host->clone(other->my_host)); |
2978 | 0 | set_other_host(this, other->other_host->clone(other->other_host)); |
2979 | 0 | set_my_id(this, other->my_id->clone(other->my_id)); |
2980 | 0 | set_other_id(this, other->other_id->clone(other->other_id)); |
2981 | 0 | this->if_id_in = other->if_id_in; |
2982 | 0 | this->if_id_out = other->if_id_out; |
2983 | | |
2984 | | /* apply assigned virtual IPs... */ |
2985 | 0 | while (array_remove(other->my_vips, ARRAY_HEAD, &vip)) |
2986 | 0 | { |
2987 | 0 | array_insert_create(&this->my_vips, ARRAY_TAIL, vip); |
2988 | 0 | } |
2989 | 0 | while (array_remove(other->other_vips, ARRAY_HEAD, &vip)) |
2990 | 0 | { |
2991 | 0 | array_insert_create(&this->other_vips, ARRAY_TAIL, vip); |
2992 | 0 | } |
2993 | | |
2994 | | /* MOBIKE additional addresses */ |
2995 | 0 | while (array_remove(other->peer_addresses, ARRAY_HEAD, &vip)) |
2996 | 0 | { |
2997 | 0 | array_insert_create(&this->peer_addresses, ARRAY_TAIL, vip); |
2998 | 0 | } |
2999 | | |
3000 | | /* authentication information */ |
3001 | 0 | enumerator = array_create_enumerator(other->my_auths); |
3002 | 0 | while (enumerator->enumerate(enumerator, &cfg)) |
3003 | 0 | { |
3004 | 0 | array_insert(this->my_auths, ARRAY_TAIL, cfg->clone(cfg)); |
3005 | 0 | } |
3006 | 0 | enumerator->destroy(enumerator); |
3007 | 0 | enumerator = array_create_enumerator(other->other_auths); |
3008 | 0 | while (enumerator->enumerate(enumerator, &cfg)) |
3009 | 0 | { |
3010 | 0 | array_insert(this->other_auths, ARRAY_TAIL, cfg->clone(cfg)); |
3011 | 0 | } |
3012 | 0 | enumerator->destroy(enumerator); |
3013 | | |
3014 | | /* ... and configuration attributes */ |
3015 | 0 | while (array_remove(other->attributes, ARRAY_HEAD, &entry)) |
3016 | 0 | { |
3017 | 0 | array_insert(this->attributes, ARRAY_TAIL, &entry); |
3018 | 0 | } |
3019 | |
|
3020 | 0 | if (this->conditions & COND_NAT_HERE) |
3021 | 0 | { |
3022 | 0 | send_keepalive(this, FALSE); |
3023 | 0 | } |
3024 | |
|
3025 | | #ifdef ME |
3026 | | if (other->is_mediation_server) |
3027 | | { |
3028 | | act_as_mediation_server(this); |
3029 | | } |
3030 | | else if (other->server_reflexive_host) |
3031 | | { |
3032 | | this->server_reflexive_host = other->server_reflexive_host->clone( |
3033 | | other->server_reflexive_host); |
3034 | | } |
3035 | | #endif /* ME */ |
3036 | | |
3037 | | /* adopt all children */ |
3038 | 0 | while (array_remove(other->child_sas, ARRAY_HEAD, &child_sa)) |
3039 | 0 | { |
3040 | 0 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
3041 | 0 | add_child_sa(this, child_sa); |
3042 | 0 | } |
3043 | | |
3044 | | /* move pending tasks to the new IKE_SA */ |
3045 | 0 | this->task_manager->adopt_tasks(this->task_manager, other->task_manager); |
3046 | | |
3047 | | /* reauthentication timeout survives a rekeying */ |
3048 | 0 | if (other->stats[STAT_REAUTH]) |
3049 | 0 | { |
3050 | 0 | time_t reauth, delete, now = time_monotonic(NULL); |
3051 | |
|
3052 | 0 | this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH]; |
3053 | 0 | reauth = max(0, this->stats[STAT_REAUTH] - now); |
3054 | 0 | delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg); |
3055 | 0 | this->stats[STAT_DELETE] = now + delete; |
3056 | 0 | DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, " |
3057 | 0 | "lifetime reduced to %ds", reauth, delete); |
3058 | 0 | lib->scheduler->schedule_job(lib->scheduler, |
3059 | 0 | (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth); |
3060 | 0 | lib->scheduler->schedule_job(lib->scheduler, |
3061 | 0 | (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete); |
3062 | 0 | } |
3063 | 0 | } |
3064 | | |
3065 | | METHOD(ike_sa_t, destroy, void, |
3066 | | private_ike_sa_t *this) |
3067 | 0 | { |
3068 | 0 | attribute_entry_t entry; |
3069 | 0 | child_sa_t *child_sa; |
3070 | 0 | host_t *vip; |
3071 | |
|
3072 | 0 | charon->bus->set_sa(charon->bus, &this->public); |
3073 | |
|
3074 | 0 | set_state(this, IKE_DESTROYING); |
3075 | 0 | if (this->task_manager) |
3076 | 0 | { |
3077 | 0 | this->task_manager->flush(this->task_manager); |
3078 | 0 | } |
3079 | | |
3080 | | /* remove attributes first, as we pass the IKE_SA to the handler */ |
3081 | 0 | charon->bus->handle_vips(charon->bus, &this->public, FALSE); |
3082 | 0 | while (array_remove(this->attributes, ARRAY_TAIL, &entry)) |
3083 | 0 | { |
3084 | 0 | if (entry.handler) |
3085 | 0 | { |
3086 | 0 | charon->attributes->release(charon->attributes, entry.handler, |
3087 | 0 | &this->public, entry.type, entry.data); |
3088 | 0 | } |
3089 | 0 | free(entry.data.ptr); |
3090 | 0 | } |
3091 | | /* uninstall CHILD_SAs before virtual IPs, otherwise we might kill |
3092 | | * routes that the CHILD_SA tries to uninstall. */ |
3093 | 0 | while (array_remove(this->child_sas, ARRAY_HEAD, &child_sa)) |
3094 | 0 | { |
3095 | 0 | charon->child_sa_manager->remove(charon->child_sa_manager, child_sa); |
3096 | 0 | child_sa->destroy(child_sa); |
3097 | 0 | } |
3098 | 0 | while (array_remove(this->my_vips, ARRAY_TAIL, &vip)) |
3099 | 0 | { |
3100 | 0 | charon->kernel->del_ip(charon->kernel, vip, -1, TRUE); |
3101 | 0 | vip->destroy(vip); |
3102 | 0 | } |
3103 | 0 | if (array_count(this->other_vips)) |
3104 | 0 | { |
3105 | 0 | charon->bus->assign_vips(charon->bus, &this->public, FALSE); |
3106 | 0 | } |
3107 | 0 | while (array_remove(this->other_vips, ARRAY_TAIL, &vip)) |
3108 | 0 | { |
3109 | 0 | if (this->peer_cfg) |
3110 | 0 | { |
3111 | 0 | linked_list_t *pools; |
3112 | |
|
3113 | 0 | pools = linked_list_create_from_enumerator( |
3114 | 0 | this->peer_cfg->create_pool_enumerator(this->peer_cfg)); |
3115 | 0 | charon->attributes->release_address(charon->attributes, |
3116 | 0 | pools, vip, &this->public); |
3117 | 0 | pools->destroy(pools); |
3118 | 0 | } |
3119 | 0 | vip->destroy(vip); |
3120 | 0 | } |
3121 | | |
3122 | | /* unset SA after here to avoid usage by the listeners */ |
3123 | 0 | charon->bus->set_sa(charon->bus, NULL); |
3124 | |
|
3125 | 0 | array_destroy(this->child_sas); |
3126 | 0 | DESTROY_IF(this->task_manager); |
3127 | 0 | DESTROY_IF(this->keymat); |
3128 | 0 | array_destroy(this->attributes); |
3129 | 0 | array_destroy(this->my_vips); |
3130 | 0 | array_destroy(this->other_vips); |
3131 | 0 | array_destroy_offset(this->peer_addresses, offsetof(host_t, destroy)); |
3132 | | #ifdef ME |
3133 | | if (this->is_mediation_server) |
3134 | | { |
3135 | | charon->mediation_manager->remove(charon->mediation_manager, |
3136 | | this->ike_sa_id); |
3137 | | } |
3138 | | DESTROY_IF(this->server_reflexive_host); |
3139 | | chunk_free(&this->connect_id); |
3140 | | #endif /* ME */ |
3141 | 0 | free(this->nat_detection_dest.ptr); |
3142 | |
|
3143 | 0 | DESTROY_IF(this->my_host); |
3144 | 0 | DESTROY_IF(this->other_host); |
3145 | 0 | DESTROY_IF(this->my_id); |
3146 | 0 | DESTROY_IF(this->other_id); |
3147 | 0 | DESTROY_IF(this->local_host); |
3148 | 0 | DESTROY_IF(this->remote_host); |
3149 | 0 | DESTROY_IF(this->redirected_from); |
3150 | 0 | array_destroy(this->redirected_at); |
3151 | |
|
3152 | 0 | DESTROY_IF(this->ike_cfg); |
3153 | 0 | DESTROY_IF(this->peer_cfg); |
3154 | 0 | DESTROY_IF(this->proposal); |
3155 | 0 | this->my_auth->destroy(this->my_auth); |
3156 | 0 | this->other_auth->destroy(this->other_auth); |
3157 | 0 | array_destroy_offset(this->my_auths, offsetof(auth_cfg_t, destroy)); |
3158 | 0 | array_destroy_offset(this->other_auths, offsetof(auth_cfg_t, destroy)); |
3159 | |
|
3160 | 0 | this->ike_sa_id->destroy(this->ike_sa_id); |
3161 | 0 | free(this); |
3162 | 0 | } |
3163 | | |
3164 | | /* |
3165 | | * Described in header. |
3166 | | */ |
3167 | | ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, |
3168 | | ike_version_t version) |
3169 | 0 | { |
3170 | 0 | private_ike_sa_t *this; |
3171 | 0 | static refcount_t unique_id = 0; |
3172 | |
|
3173 | 0 | if (version == IKE_ANY) |
3174 | 0 | { /* prefer IKEv2 if protocol not specified */ |
3175 | 0 | #ifdef USE_IKEV2 |
3176 | 0 | version = IKEV2; |
3177 | | #else |
3178 | | version = IKEV1; |
3179 | | #endif |
3180 | 0 | } |
3181 | |
|
3182 | 0 | INIT(this, |
3183 | 0 | .public = { |
3184 | 0 | .get_version = _get_version, |
3185 | 0 | .get_state = _get_state, |
3186 | 0 | .set_state = _set_state, |
3187 | 0 | .get_name = _get_name, |
3188 | 0 | .get_statistic = _get_statistic, |
3189 | 0 | .set_statistic = _set_statistic, |
3190 | 0 | .process_message = _process_message, |
3191 | 0 | .initiate = _initiate, |
3192 | 0 | .retry_initiate = _retry_initiate, |
3193 | 0 | .get_ike_cfg = _get_ike_cfg, |
3194 | 0 | .set_ike_cfg = _set_ike_cfg, |
3195 | 0 | .get_peer_cfg = _get_peer_cfg, |
3196 | 0 | .set_peer_cfg = _set_peer_cfg, |
3197 | 0 | .get_auth_cfg = _get_auth_cfg, |
3198 | 0 | .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, |
3199 | 0 | .verify_peer_certificate = _verify_peer_certificate, |
3200 | 0 | .add_auth_cfg = _add_auth_cfg, |
3201 | 0 | .get_proposal = _get_proposal, |
3202 | 0 | .set_proposal = _set_proposal, |
3203 | 0 | .get_id = _get_id, |
3204 | 0 | .get_my_host = _get_my_host, |
3205 | 0 | .set_my_host = _set_my_host, |
3206 | 0 | .get_other_host = _get_other_host, |
3207 | 0 | .set_other_host = _set_other_host, |
3208 | 0 | .set_message_id = _set_message_id, |
3209 | 0 | .get_message_id = _get_message_id, |
3210 | 0 | .float_ports = _float_ports, |
3211 | 0 | .update_hosts = _update_hosts, |
3212 | 0 | .get_my_id = _get_my_id, |
3213 | 0 | .set_my_id = _set_my_id, |
3214 | 0 | .get_other_id = _get_other_id, |
3215 | 0 | .set_other_id = _set_other_id, |
3216 | 0 | .get_other_eap_id = _get_other_eap_id, |
3217 | 0 | .enable_extension = _enable_extension, |
3218 | 0 | .supports_extension = _supports_extension, |
3219 | 0 | .set_condition = _set_condition, |
3220 | 0 | .has_condition = _has_condition, |
3221 | 0 | .create_peer_address_enumerator = _create_peer_address_enumerator, |
3222 | 0 | .add_peer_address = _add_peer_address, |
3223 | 0 | .clear_peer_addresses = _clear_peer_addresses, |
3224 | 0 | .has_mapping_changed = _has_mapping_changed, |
3225 | 0 | .retransmit = _retransmit, |
3226 | 0 | .delete = _delete_, |
3227 | 0 | .destroy = _destroy, |
3228 | 0 | .send_dpd = _send_dpd, |
3229 | 0 | .send_keepalive = _send_keepalive, |
3230 | 0 | .redirect = _redirect, |
3231 | 0 | .handle_redirect = _handle_redirect, |
3232 | 0 | .get_redirected_from = _get_redirected_from, |
3233 | 0 | .get_keymat = _get_keymat, |
3234 | 0 | .add_child_sa = _add_child_sa, |
3235 | 0 | .get_child_sa = _get_child_sa, |
3236 | 0 | .get_child_count = _get_child_count, |
3237 | 0 | .create_child_sa_enumerator = _create_child_sa_enumerator, |
3238 | 0 | .remove_child_sa = _remove_child_sa, |
3239 | 0 | .rekey_child_sa = _rekey_child_sa, |
3240 | 0 | .delete_child_sa = _delete_child_sa, |
3241 | 0 | .destroy_child_sa = _destroy_child_sa, |
3242 | 0 | .rekey = _rekey, |
3243 | 0 | .reauth = _reauth, |
3244 | 0 | .reestablish = _reestablish, |
3245 | 0 | .set_auth_lifetime = _set_auth_lifetime, |
3246 | 0 | .roam = _roam, |
3247 | 0 | .inherit_pre = _inherit_pre, |
3248 | 0 | .inherit_post = _inherit_post, |
3249 | 0 | .generate_message = _generate_message, |
3250 | 0 | .generate_message_fragmented = _generate_message_fragmented, |
3251 | 0 | .reset = _reset, |
3252 | 0 | .get_unique_id = _get_unique_id, |
3253 | 0 | .add_virtual_ip = _add_virtual_ip, |
3254 | 0 | .clear_virtual_ips = _clear_virtual_ips, |
3255 | 0 | .create_virtual_ip_enumerator = _create_virtual_ip_enumerator, |
3256 | 0 | .add_configuration_attribute = _add_configuration_attribute, |
3257 | 0 | .create_attribute_enumerator = _create_attribute_enumerator, |
3258 | 0 | .get_if_id = _get_if_id, |
3259 | 0 | .set_kmaddress = _set_kmaddress, |
3260 | 0 | .create_task_enumerator = _create_task_enumerator, |
3261 | 0 | .remove_task = _remove_task, |
3262 | 0 | .flush_queue = _flush_queue, |
3263 | 0 | .queue_task = _queue_task, |
3264 | 0 | .queue_task_delayed = _queue_task_delayed, |
3265 | 0 | .adopt_child_tasks = _adopt_child_tasks, |
3266 | 0 | }, |
3267 | 0 | .ike_sa_id = ike_sa_id->clone(ike_sa_id), |
3268 | 0 | .version = version, |
3269 | 0 | .my_host = host_create_any(AF_INET), |
3270 | 0 | .other_host = host_create_any(AF_INET), |
3271 | 0 | .my_id = identification_create_from_encoding(ID_ANY, chunk_empty), |
3272 | 0 | .other_id = identification_create_from_encoding(ID_ANY, chunk_empty), |
3273 | 0 | .keymat = keymat_create(version, initiator), |
3274 | 0 | .state = IKE_CREATED, |
3275 | 0 | .stats[STAT_INBOUND] = time_monotonic(NULL), |
3276 | 0 | .stats[STAT_OUTBOUND] = time_monotonic(NULL), |
3277 | 0 | .my_auth = auth_cfg_create(), |
3278 | 0 | .other_auth = auth_cfg_create(), |
3279 | 0 | .my_auths = array_create(0, 0), |
3280 | 0 | .other_auths = array_create(0, 0), |
3281 | 0 | .attributes = array_create(sizeof(attribute_entry_t), 0), |
3282 | 0 | .unique_id = ref_get_nonzero(&unique_id), |
3283 | 0 | .keepalive_interval = lib->settings->get_time(lib->settings, |
3284 | 0 | "%s.keep_alive", KEEPALIVE_INTERVAL, lib->ns), |
3285 | 0 | .keepalive_dpd_margin = lib->settings->get_time(lib->settings, |
3286 | 0 | "%s.keep_alive_dpd_margin", 0, lib->ns), |
3287 | 0 | .retry_initiate_interval = lib->settings->get_time(lib->settings, |
3288 | 0 | "%s.retry_initiate_interval", 0, lib->ns), |
3289 | 0 | .flush_auth_cfg = lib->settings->get_bool(lib->settings, |
3290 | 0 | "%s.flush_auth_cfg", FALSE, lib->ns), |
3291 | 0 | .follow_redirects = lib->settings->get_bool(lib->settings, |
3292 | 0 | "%s.follow_redirects", TRUE, lib->ns), |
3293 | 0 | ); |
3294 | |
|
3295 | | #ifdef ME |
3296 | | this->public.act_as_mediation_server = _act_as_mediation_server; |
3297 | | this->public.get_server_reflexive_host = _get_server_reflexive_host; |
3298 | | this->public.set_server_reflexive_host = _set_server_reflexive_host; |
3299 | | this->public.get_connect_id = _get_connect_id; |
3300 | | this->public.initiate_mediation = _initiate_mediation; |
3301 | | this->public.initiate_mediated = _initiate_mediated; |
3302 | | this->public.relay = _relay; |
3303 | | this->public.callback = _callback; |
3304 | | this->public.respond = _respond; |
3305 | | #endif /* ME */ |
3306 | |
|
3307 | 0 | if (version == IKEV2) |
3308 | 0 | { /* always supported with IKEv2 */ |
3309 | 0 | enable_extension(this, EXT_DPD); |
3310 | 0 | } |
3311 | |
|
3312 | 0 | this->task_manager = task_manager_create(&this->public); |
3313 | 0 | this->my_host->set_port(this->my_host, |
3314 | 0 | charon->socket->get_port(charon->socket, FALSE)); |
3315 | |
|
3316 | 0 | if (!this->task_manager || !this->keymat) |
3317 | 0 | { |
3318 | 0 | DBG1(DBG_IKE, "IKE version %d not supported", this->version); |
3319 | 0 | destroy(this); |
3320 | 0 | return NULL; |
3321 | 0 | } |
3322 | 0 | return &this->public; |
3323 | 0 | } |
3324 | | |
3325 | | /** |
3326 | | * Check if we have a an address pool configured. |
3327 | | */ |
3328 | | static bool have_pool(private_ike_sa_t *this) |
3329 | 0 | { |
3330 | 0 | enumerator_t *enumerator; |
3331 | 0 | bool found = FALSE; |
3332 | |
|
3333 | 0 | if (this->peer_cfg) |
3334 | 0 | { |
3335 | 0 | enumerator = this->peer_cfg->create_pool_enumerator(this->peer_cfg); |
3336 | 0 | found = enumerator->enumerate(enumerator, NULL); |
3337 | 0 | enumerator->destroy(enumerator); |
3338 | 0 | } |
3339 | 0 | return found; |
3340 | 0 | } |
3341 | | |
3342 | | /* |
3343 | | * Described in header |
3344 | | */ |
3345 | | linked_list_t *ike_sa_get_dynamic_hosts(ike_sa_t *ike_sa, bool local) |
3346 | 0 | { |
3347 | 0 | private_ike_sa_t *this = (private_ike_sa_t*)ike_sa; |
3348 | 0 | enumerator_t *enumerator; |
3349 | 0 | linked_list_t *list; |
3350 | 0 | host_t *host; |
3351 | |
|
3352 | 0 | list = linked_list_create(); |
3353 | 0 | enumerator = create_virtual_ip_enumerator(this, local); |
3354 | 0 | while (enumerator->enumerate(enumerator, &host)) |
3355 | 0 | { |
3356 | 0 | list->insert_last(list, host); |
3357 | 0 | } |
3358 | 0 | enumerator->destroy(enumerator); |
3359 | |
|
3360 | 0 | if (!list->get_count(list)) |
3361 | 0 | { /* no virtual IPs assigned */ |
3362 | 0 | if (local) |
3363 | 0 | { |
3364 | 0 | list->insert_last(list, this->my_host); |
3365 | 0 | } |
3366 | 0 | else if (!have_pool(this)) |
3367 | 0 | { /* use remote host only if we don't have a pool configured */ |
3368 | 0 | list->insert_last(list, this->other_host); |
3369 | 0 | } |
3370 | 0 | } |
3371 | 0 | return list; |
3372 | 0 | } |