2005-11-08 13:33:28 +00:00
|
|
|
/**
|
|
|
|
* @file ike_sa.c
|
2005-11-09 09:11:06 +00:00
|
|
|
*
|
2005-11-29 08:08:03 +00:00
|
|
|
* @brief Implementation of ike_sa_t.
|
2005-11-09 09:11:06 +00:00
|
|
|
*
|
2005-11-08 13:33:28 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2006-06-22 06:36:28 +00:00
|
|
|
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
|
2006-07-07 08:49:06 +00:00
|
|
|
* Copyright (C) 2005-2006 Martin Willi
|
|
|
|
* Copyright (C) 2005 Jan Hutter
|
2005-11-08 13:33:28 +00:00
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
2006-06-22 06:36:28 +00:00
|
|
|
|
|
|
|
#include <sys/time.h>
|
2006-04-10 08:07:38 +00:00
|
|
|
#include <string.h>
|
2005-11-08 13:33:28 +00:00
|
|
|
|
2005-11-11 13:52:11 +00:00
|
|
|
#include "ike_sa.h"
|
|
|
|
|
2005-11-23 09:24:35 +00:00
|
|
|
#include <types.h>
|
2005-11-29 10:25:07 +00:00
|
|
|
#include <daemon.h>
|
2005-11-23 09:24:35 +00:00
|
|
|
#include <definitions.h>
|
|
|
|
#include <utils/linked_list.h>
|
|
|
|
#include <utils/logger_manager.h>
|
2006-04-05 12:10:50 +00:00
|
|
|
#include <crypto/diffie_hellman.h>
|
|
|
|
#include <crypto/prf_plus.h>
|
|
|
|
#include <crypto/crypters/crypter.h>
|
2006-06-22 06:36:28 +00:00
|
|
|
#include <crypto/hashers/hasher.h>
|
2005-11-23 09:57:18 +00:00
|
|
|
#include <encoding/payloads/sa_payload.h>
|
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
|
|
|
#include <encoding/payloads/ke_payload.h>
|
2005-12-12 14:14:52 +00:00
|
|
|
#include <encoding/payloads/delete_payload.h>
|
2005-11-23 09:57:18 +00:00
|
|
|
#include <encoding/payloads/transform_substructure.h>
|
|
|
|
#include <encoding/payloads/transform_attribute.h>
|
2006-06-07 13:26:23 +00:00
|
|
|
#include <encoding/payloads/ts_payload.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <sa/transactions/transaction.h>
|
|
|
|
#include <sa/transactions/ike_sa_init.h>
|
|
|
|
#include <sa/transactions/delete_ike_sa.h>
|
2006-07-07 07:04:07 +00:00
|
|
|
#include <sa/transactions/create_child_sa.h>
|
|
|
|
#include <sa/transactions/delete_child_sa.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <sa/transactions/dead_peer_detection.h>
|
2005-12-02 14:07:36 +00:00
|
|
|
#include <queues/jobs/retransmit_request_job.h>
|
2005-12-06 12:27:09 +00:00
|
|
|
#include <queues/jobs/delete_established_ike_sa_job.h>
|
2006-05-23 08:01:49 +00:00
|
|
|
#include <queues/jobs/delete_half_open_ike_sa_job.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <queues/jobs/send_dpd_job.h>
|
|
|
|
#include <queues/jobs/send_keepalive_job.h>
|
2005-11-08 13:33:28 +00:00
|
|
|
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
|
|
|
* String mappings for ike_sa_state_t.
|
|
|
|
*/
|
|
|
|
mapping_t ike_sa_state_m[] = {
|
2006-07-13 08:26:54 +00:00
|
|
|
{IKE_CREATED, "CREATED"},
|
|
|
|
{IKE_CONNECTING, "CONNECTING"},
|
|
|
|
{IKE_ESTABLISHED, "ESTABLISHED"},
|
|
|
|
{IKE_DELETING, "DELETING"},
|
2006-07-05 10:53:20 +00:00
|
|
|
{MAPPING_END, NULL}
|
|
|
|
};
|
2005-11-18 10:31:56 +00:00
|
|
|
|
2005-11-08 13:33:28 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
typedef struct private_ike_sa_t private_ike_sa_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Private data of an ike_sa_t object.
|
|
|
|
*/
|
|
|
|
struct private_ike_sa_t {
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Public members
|
2006-06-23 14:02:30 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
ike_sa_t public;
|
2006-06-23 14:02:30 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2005-12-03 16:52:54 +00:00
|
|
|
* Identifier for the current IKE_SA.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
|
|
|
ike_sa_id_t *ike_sa_id;
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Current state of the IKE_SA
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
ike_sa_state_t state;
|
2005-12-01 17:16:10 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Name of the connection used by this IKE_SA
|
2005-12-01 17:16:10 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
char *name;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Address of local host
|
|
|
|
*/
|
|
|
|
host_t *my_host;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Address of remote host
|
|
|
|
*/
|
|
|
|
host_t *other_host;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Identification used for us
|
|
|
|
*/
|
|
|
|
identification_t *my_id;
|
2005-12-01 17:16:10 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Identification used for other
|
2005-12-01 17:16:10 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
identification_t *other_id;
|
2005-12-03 16:52:54 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Linked List containing the child sa's of the current IKE_SA.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
linked_list_t *child_sas;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* crypter for inbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_t *crypter_in;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* crypter for outbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_t *crypter_out;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Signer for inbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_t *signer_in;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Signer for outbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_t *signer_out;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-02-14 14:52:00 +00:00
|
|
|
* Multi purpose prf, set key, use it, forget it
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
|
|
|
prf_t *prf;
|
|
|
|
|
2006-02-09 16:25:02 +00:00
|
|
|
/**
|
|
|
|
* Prf function for derivating keymat child SAs
|
|
|
|
*/
|
|
|
|
prf_t *child_prf;
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-02-14 14:52:00 +00:00
|
|
|
* PRF, with key set to pi_key, used for authentication
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-02-14 14:52:00 +00:00
|
|
|
prf_t *prf_auth_i;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
2006-02-14 14:52:00 +00:00
|
|
|
/**
|
|
|
|
* PRF, with key set to pr_key, used for authentication
|
|
|
|
*/
|
|
|
|
prf_t *prf_auth_r;
|
2005-12-02 14:07:36 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2005-12-03 16:52:54 +00:00
|
|
|
* A logger for this IKE_SA.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
|
|
|
logger_t *logger;
|
2006-06-22 06:36:28 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* NAT hasher.
|
|
|
|
*/
|
|
|
|
hasher_t *nat_hasher;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NAT status of local host.
|
|
|
|
*/
|
|
|
|
bool nat_here;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NAT status of remote host.
|
|
|
|
*/
|
|
|
|
bool nat_there;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* message ID for next outgoung request
|
|
|
|
*/
|
|
|
|
u_int32_t message_id_out;
|
2006-06-22 06:36:28 +00:00
|
|
|
|
|
|
|
/**
|
2006-06-23 14:02:30 +00:00
|
|
|
* Timestamp of last IKE message received on this SA
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
time_t time_inbound;
|
2006-06-23 14:02:30 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Timestamp of last IKE message sent on this SA
|
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
time_t time_outbound;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* List of queued transactions to process
|
|
|
|
*/
|
|
|
|
linked_list_t *transaction_queue;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Transaction currently initiated
|
|
|
|
* (only one supported yet, window size = 1)
|
|
|
|
*/
|
|
|
|
transaction_t *transaction_out;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* last transaction initiated by peer processed.
|
|
|
|
* (only one supported yet, window size = 1)
|
|
|
|
* Stored for retransmission.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
transaction_t *transaction_in;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Next incoming transaction expected. Used to
|
|
|
|
* do multi transaction operations.
|
|
|
|
*/
|
|
|
|
transaction_t *transaction_in_next;
|
2005-11-25 13:42:02 +00:00
|
|
|
};
|
|
|
|
|
2005-11-21 10:59:45 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest traffic processed by the kernel
|
2005-11-21 10:59:45 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static time_t get_kernel_time(private_ike_sa_t* this, bool inbound)
|
2005-11-18 12:01:53 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
time_t latest = 0, use_time;
|
2006-03-16 15:25:06 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
|
|
|
|
{
|
|
|
|
latest = max(latest, use_time);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2005-12-02 13:20:20 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
return latest;
|
2005-12-01 17:16:10 +00:00
|
|
|
}
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest received traffice
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static time_t get_time_inbound(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return max(this->time_inbound, get_kernel_time(this, TRUE));
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest sent traffic
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static time_t get_time_outbound(private_ike_sa_t *this)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return max(this->time_outbound, get_kernel_time(this, FALSE));
|
2005-12-02 19:26:01 +00:00
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_name.
|
|
|
|
*/
|
|
|
|
static char *get_name(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->name;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_name.
|
|
|
|
*/
|
|
|
|
static void set_name(private_ike_sa_t *this, char* name)
|
|
|
|
{
|
|
|
|
free(this->name);
|
|
|
|
this->name = strdup(name);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_my_host.
|
|
|
|
*/
|
|
|
|
static host_t *get_my_host(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->my_host;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_other_host.
|
|
|
|
*/
|
|
|
|
static host_t *get_other_host(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->other_host;
|
|
|
|
}
|
2006-02-09 16:25:02 +00:00
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Update connection host, as addresses may change (NAT)
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/*
|
|
|
|
* Quoting RFC 4306:
|
|
|
|
*
|
|
|
|
* 2.11. Address and Port Agility
|
|
|
|
*
|
|
|
|
* IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
|
|
|
|
* AH associations for the same IP addresses it runs over. The IP
|
|
|
|
* addresses and ports in the outer header are, however, not themselves
|
|
|
|
* cryptographically protected, and IKE is designed to work even through
|
|
|
|
* Network Address Translation (NAT) boxes. An implementation MUST
|
|
|
|
* accept incoming requests even if the source port is not 500 or 4500,
|
|
|
|
* and MUST respond to the address and port from which the request was
|
|
|
|
* received. It MUST specify the address and port at which the request
|
|
|
|
* was received as the source address and port in the response. IKE
|
|
|
|
* functions identically over IPv4 or IPv6.
|
|
|
|
*
|
|
|
|
* [...]
|
|
|
|
*
|
|
|
|
* There are cases where a NAT box decides to remove mappings that
|
|
|
|
* are still alive (for example, the keepalive interval is too long,
|
|
|
|
* or the NAT box is rebooted). To recover in these cases, hosts
|
|
|
|
* that are not behind a NAT SHOULD send all packets (including
|
|
|
|
* retransmission packets) to the IP address and port from the last
|
|
|
|
* valid authenticated packet from the other end (i.e., dynamically
|
|
|
|
* update the address). A host behind a NAT SHOULD NOT do this
|
|
|
|
* because it opens a DoS attack possibility. Any authenticated IKE
|
|
|
|
* packet or any authenticated UDP-encapsulated ESP packet can be
|
|
|
|
* used to detect that the IP address or the port has changed.
|
|
|
|
*/
|
|
|
|
iterator_t *iterator = NULL;
|
|
|
|
child_sa_t *child_sa = NULL;
|
2006-07-20 10:09:32 +00:00
|
|
|
host_diff_t my_diff, other_diff;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
if (this->my_host->is_anyaddr(this->my_host) ||
|
|
|
|
this->other_host->is_anyaddr(this->other_host))
|
2006-07-20 10:09:32 +00:00
|
|
|
{
|
|
|
|
/* on first received message */
|
2006-07-21 13:31:53 +00:00
|
|
|
this->my_host->destroy(this->my_host);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_host = me->clone(me);
|
2006-07-21 13:31:53 +00:00
|
|
|
this->other_host->destroy(this->other_host);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host = other->clone(other);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
my_diff = me->get_differences(me, this->my_host);
|
|
|
|
other_diff = other->get_differences(other, this->other_host);
|
|
|
|
|
|
|
|
if (!my_diff && !other_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
if (my_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_host->destroy(this->my_host);
|
|
|
|
this->my_host = me->clone(me);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!this->nat_here)
|
|
|
|
{
|
|
|
|
/* update without restrictions if we are not NATted */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (other_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host->destroy(this->other_host);
|
|
|
|
this->other_host = other->clone(other);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* if we are natted, only port may change */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (other_diff & HOST_DIFF_ADDR)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
2006-07-20 10:09:32 +00:00
|
|
|
else if (other_diff & HOST_DIFF_PORT)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host->set_port(this->other_host, other->get_port(other));
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
child_sa->update_hosts(child_sa, this->my_host, this->other_host,
|
|
|
|
my_diff, other_diff);
|
2006-07-05 10:53:20 +00:00
|
|
|
/* TODO: what to do if update fails? Delete CHILD_SA? */
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* send a request and schedule retransmission
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t transmit_request(private_ike_sa_t *this)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
message_t *request;
|
|
|
|
packet_t *packet;
|
|
|
|
status_t status;
|
|
|
|
retransmit_request_job_t *job;
|
|
|
|
u_int32_t transmitted;
|
|
|
|
u_int32_t timeout;
|
|
|
|
transaction_t *transaction = this->transaction_out;
|
|
|
|
u_int32_t message_id = transaction->get_message_id(transaction);
|
|
|
|
|
|
|
|
transmitted = transaction->requested(transaction);
|
|
|
|
timeout = charon->configuration->get_retransmit_timeout(charon->configuration,
|
|
|
|
transmitted);
|
|
|
|
if (timeout == 0)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"giving up after %d retransmits, deleting IKE_SA",
|
|
|
|
transmitted - 1);
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
|
|
|
|
status = transaction->get_request(transaction, &request);
|
|
|
|
if (status != SUCCESS)
|
|
|
|
{
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
/* if we retransmit, the request is already generated */
|
|
|
|
if (transmitted == 0)
|
|
|
|
{
|
|
|
|
status = request->generate(request, this->crypter_out, this->signer_out, &packet);
|
|
|
|
if (status != SUCCESS)
|
|
|
|
{
|
2006-07-18 12:53:54 +00:00
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"request generation failed. transaction discarded");
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"sending retransmit %d for %s request with message ID %d",
|
|
|
|
transmitted,
|
|
|
|
mapping_find(exchange_type_m, request->get_exchange_type(request)),
|
|
|
|
message_id);
|
|
|
|
packet = request->get_packet(request);
|
|
|
|
}
|
|
|
|
/* finally send */
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
|
|
|
this->time_outbound = time(NULL);
|
|
|
|
|
|
|
|
/* schedule retransmission job */
|
|
|
|
job = retransmit_request_job_create(message_id, this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
|
|
|
|
return SUCCESS;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa.retransmit_request.
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t retransmit_request(private_ike_sa_t *this, u_int32_t message_id)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (this->transaction_out == NULL ||
|
|
|
|
this->transaction_out->get_message_id(this->transaction_out) != message_id)
|
|
|
|
{
|
|
|
|
/* no retransmit necessary, transaction did already complete */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
return transmit_request(this);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-06-22 06:36:28 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Check for transactions in the queue and initiate the first transaction found.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t process_transaction_queue(private_ike_sa_t *this)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* already a transaction in progress */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
if (this->transaction_queue->remove_first(this->transaction_queue,
|
|
|
|
(void**)&this->transaction_out) != SUCCESS)
|
|
|
|
{
|
|
|
|
/* transaction queue empty */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
switch (transmit_request(this))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
return SUCCESS;
|
|
|
|
case DESTROY_ME:
|
|
|
|
/* critical, IKE_SA unusable, destroy immediately */
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"transaction initiaton failed, deleting IKE_SA");
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* discard transaction, process next one */
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"transaction initiation failed, discarded");
|
|
|
|
this->transaction_out->destroy(this->transaction_out);
|
|
|
|
this->transaction_out = NULL;
|
|
|
|
/* handle next transaction */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Queue a new transaction and execute the next outstanding transaction
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t queue_transaction(private_ike_sa_t *this, transaction_t *transaction, bool prefer)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/* inject next transaction */
|
|
|
|
if (transaction)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (prefer)
|
|
|
|
{
|
|
|
|
this->transaction_queue->insert_first(this->transaction_queue, transaction);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->transaction_queue->insert_last(this->transaction_queue, transaction);
|
|
|
|
}
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
/* process a transaction */
|
|
|
|
return process_transaction_queue(this);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2005-12-03 16:02:06 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* process an incoming request.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t process_request(private_ike_sa_t *this, message_t *request)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
transaction_t *last, *current = NULL;
|
|
|
|
message_t *response;
|
|
|
|
packet_t *packet;
|
|
|
|
u_int32_t request_mid;
|
|
|
|
status_t status;
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
request_mid = request->get_message_id(request);
|
|
|
|
last = this->transaction_in;
|
|
|
|
|
|
|
|
/* check if message ID is correct */
|
|
|
|
if (last)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
u_int32_t last_mid = last->get_message_id(last);
|
|
|
|
|
|
|
|
if (last_mid == request_mid)
|
|
|
|
{
|
|
|
|
/* retransmit detected */
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"received retransmitted request for message ID %d, retransmitting response",
|
|
|
|
request_mid);
|
|
|
|
last->get_response(last, request, &response, &this->transaction_in_next);
|
|
|
|
packet = response->get_packet(response);
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
|
|
|
this->time_outbound = time(NULL);
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (last_mid > request_mid)
|
|
|
|
{
|
|
|
|
/* something seriously wrong here, message id may not decrease */
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"received request with message ID %d, excepted %d, ingored",
|
|
|
|
request_mid, last_mid + 1);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
/* we allow jumps in message IDs, as long as they are incremental */
|
|
|
|
if (last_mid + 1 < request_mid)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"received request with message ID %d, excepted %d",
|
|
|
|
request_mid, last_mid + 1);
|
|
|
|
}
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (request_mid != 0)
|
|
|
|
{
|
|
|
|
/* warn, but allow it */
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"first received request has message ID %d, excepted 0",
|
|
|
|
request_mid);
|
|
|
|
}
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* check if we already have a pre-created transaction for this request */
|
|
|
|
if (this->transaction_in_next)
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-07-13 08:26:54 +00:00
|
|
|
current = this->transaction_in_next;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->transaction_in_next = NULL;
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
2006-07-13 08:26:54 +00:00
|
|
|
else
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
current = transaction_create(&this->public, request);
|
|
|
|
if (current == NULL)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"no idea how to handle received message (%d), ignored",
|
|
|
|
request->get_exchange_type(request));
|
|
|
|
return FAILED;
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* send message. get_request() always gives a valid response */
|
|
|
|
status = current->get_response(current, request, &response, &this->transaction_in_next);
|
|
|
|
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-06-15 13:14:09 +00:00
|
|
|
this->logger->log(this->logger, ERROR,
|
2006-07-05 10:53:20 +00:00
|
|
|
"response generation failed, discarding transaction");
|
|
|
|
current->destroy(current);
|
2005-11-28 15:20:51 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
|
|
|
this->time_outbound = time(NULL);
|
|
|
|
/* act depending on transaction result */
|
|
|
|
switch (status)
|
|
|
|
{
|
|
|
|
case DESTROY_ME:
|
|
|
|
/* transactions says we should destroy the IKE_SA, so do it */
|
|
|
|
current->destroy(current);
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* store for retransmission, destroy old transaction */
|
|
|
|
this->transaction_in = current;
|
|
|
|
if (last)
|
|
|
|
{
|
|
|
|
last->destroy(last);
|
|
|
|
}
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
}
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
|
|
|
* process an incoming response
|
|
|
|
*/
|
|
|
|
static status_t process_response(private_ike_sa_t *this, message_t *response)
|
|
|
|
{
|
|
|
|
transaction_t *current, *new = NULL;
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
current = this->transaction_out;
|
|
|
|
/* check if message ID is that of our currently active transaction */
|
|
|
|
if (current == NULL ||
|
|
|
|
current->get_message_id(current) !=
|
|
|
|
response->get_message_id(response))
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"received response with message ID %d not requested, ignored");
|
2006-02-14 14:52:00 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
switch (current->conclude(current, response, &new))
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
case DESTROY_ME:
|
|
|
|
/* state requested to destroy IKE_SA */
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* discard transaction, process next one */
|
|
|
|
break;
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
/* transaction comleted, remove */
|
|
|
|
current->destroy(current);
|
|
|
|
this->transaction_out = NULL;
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* queue new transaction */
|
|
|
|
return queue_transaction(this, new, TRUE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* send a notify back to the sender
|
|
|
|
*/
|
|
|
|
static void send_notify_response(private_ike_sa_t *this,
|
|
|
|
message_t *request,
|
|
|
|
notify_type_t type)
|
|
|
|
{
|
|
|
|
notify_payload_t *notify;
|
|
|
|
message_t *response;
|
|
|
|
host_t *src, *dst;
|
|
|
|
packet_t *packet;
|
|
|
|
|
|
|
|
response = message_create();
|
|
|
|
dst = request->get_source(request);
|
|
|
|
src = request->get_destination(request);
|
|
|
|
response->set_source(response, src->clone(src));
|
|
|
|
response->set_destination(response, dst->clone(dst));
|
|
|
|
response->set_exchange_type(response, request->get_exchange_type(request));
|
|
|
|
response->set_request(response, FALSE);
|
|
|
|
response->set_message_id(response, request->get_message_id(request));
|
|
|
|
response->set_ike_sa_id(response, this->ike_sa_id);
|
|
|
|
notify = notify_payload_create_from_protocol_and_type(PROTO_NONE, type);
|
|
|
|
response->add_payload(response, (payload_t *)notify);
|
|
|
|
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
response->destroy(response);
|
|
|
|
return;
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
|
|
|
this->time_outbound = time(NULL);
|
|
|
|
response->destroy(response);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.process_message.
|
|
|
|
*/
|
|
|
|
static status_t process_message(private_ike_sa_t *this, message_t *message)
|
|
|
|
{
|
|
|
|
status_t status;
|
|
|
|
bool is_request;
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
is_request = message->get_request(message);
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
status = message->parse_body(message, this->crypter_in, this->signer_in);
|
|
|
|
if (status != SUCCESS)
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
switch (status)
|
|
|
|
{
|
|
|
|
case NOT_SUPPORTED:
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"ciritcal unknown payloads found");
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case PARSE_ERROR:
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"message parsing failed");
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case VERIFY_ERROR:
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"message verification failed");
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case FAILED:
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"integrity check failed");
|
|
|
|
/* ignored */
|
|
|
|
break;
|
|
|
|
case INVALID_STATE:
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"found encrypted message, but no keys available");
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"%s %s with message ID %d processing failed",
|
|
|
|
mapping_find(exchange_type_m, message->get_exchange_type(message)),
|
|
|
|
message->get_request(message) ? "request" : "response",
|
|
|
|
message->get_message_id(message));
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/* check if message is trustworthy, and update connection information */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (this->state == IKE_CREATED ||
|
2006-07-05 10:53:20 +00:00
|
|
|
message->get_exchange_type(message) != IKE_SA_INIT)
|
|
|
|
{
|
|
|
|
update_hosts(this, message->get_destination(message),
|
|
|
|
message->get_source(message));
|
|
|
|
this->time_inbound = time(NULL);
|
|
|
|
}
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
status = process_request(this, message);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
status = process_response(this, message);
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
return status;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.initiate.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static status_t initiate(private_ike_sa_t *this,
|
|
|
|
connection_t *connection, policy_t *policy)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
|
|
|
{
|
|
|
|
/* in state CREATED, we must do the ike_sa_init
|
|
|
|
* and ike_auth transactions. Along with these,
|
|
|
|
* a CHILD_SA with the supplied policy is set up.
|
|
|
|
*/
|
|
|
|
ike_sa_init_t *ike_sa_init;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"initiating IKE_SA");
|
|
|
|
|
2006-07-20 14:57:49 +00:00
|
|
|
set_name(this, connection->get_name(connection));
|
2006-07-21 13:31:53 +00:00
|
|
|
DESTROY_IF(this->my_host);
|
2006-07-20 14:57:49 +00:00
|
|
|
this->my_host = connection->get_my_host(connection);
|
|
|
|
this->my_host = this->my_host->clone(this->my_host);
|
2006-07-21 13:31:53 +00:00
|
|
|
DESTROY_IF(this->other_host);
|
2006-07-20 14:57:49 +00:00
|
|
|
this->other_host = connection->get_other_host(connection);
|
|
|
|
this->other_host = this->other_host->clone(this->other_host);
|
|
|
|
|
|
|
|
this->message_id_out = 1;
|
|
|
|
ike_sa_init = ike_sa_init_create(&this->public);
|
|
|
|
ike_sa_init->set_config(ike_sa_init, connection, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)ike_sa_init, TRUE);
|
|
|
|
}
|
|
|
|
case IKE_DELETING:
|
|
|
|
{
|
|
|
|
/* if we are in DELETING, we deny set up of a policy. */
|
2006-07-21 13:31:53 +00:00
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"creating CHILD_SA discarded, as IKE_SA is deleting");
|
2006-07-20 14:57:49 +00:00
|
|
|
policy->destroy(policy);
|
|
|
|
connection->destroy(connection);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
case IKE_CONNECTING:
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
|
|
|
/* if we are ESTABLISHED or CONNECTING,we queue the
|
|
|
|
* transaction to create the CHILD_SA. It gets processed
|
|
|
|
* when the IKE_SA is ready to do so. We don't need the
|
|
|
|
* connection, as the IKE_SA is already established/establishing.
|
|
|
|
*/
|
|
|
|
create_child_sa_t *create_child;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"initiating CHILD_SA");
|
|
|
|
|
2006-07-20 14:57:49 +00:00
|
|
|
connection->destroy(connection);
|
|
|
|
create_child = create_child_sa_create(&this->public);
|
|
|
|
create_child->set_policy(create_child, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)create_child, FALSE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return FAILED;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.acquire.
|
|
|
|
*/
|
|
|
|
static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
|
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
connection_t *connection;
|
|
|
|
policy_t *policy;
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current, *child_sa = NULL;
|
|
|
|
linked_list_t *my_ts, *other_ts;
|
|
|
|
|
|
|
|
if (this->state == IKE_DELETING)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"acquiring CHILD_SA with reqid %d discarded, as IKE_SA is deleting",
|
|
|
|
reqid);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/* find CHILD_SA */
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)¤t))
|
|
|
|
{
|
|
|
|
if (current->get_reqid(current) == reqid)
|
|
|
|
{
|
|
|
|
iterator->remove(iterator);
|
|
|
|
child_sa = current;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
if (!child_sa)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"CHILD_SA with reqid %d not found, unable to acquire",
|
|
|
|
reqid);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
policy = charon->policies->get_policy(charon->policies,
|
|
|
|
this->my_id, this->other_id,
|
|
|
|
my_ts, other_ts,
|
|
|
|
this->my_host, this->other_host);
|
|
|
|
child_sa->destroy(child_sa);
|
|
|
|
if (policy == NULL)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"no policy found to acquire CHILD_SA with reqid %d",
|
|
|
|
reqid);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
2006-07-21 13:31:53 +00:00
|
|
|
{
|
|
|
|
ike_sa_init_t *ike_sa_init;
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"acquiring CHILD_SA with reqid %d, IKE_SA setup needed",
|
|
|
|
reqid);
|
|
|
|
|
|
|
|
connection = charon->connections->get_connection_by_hosts(
|
|
|
|
charon->connections, this->my_host, this->other_host);
|
|
|
|
|
|
|
|
if (connection == NULL)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"no connection found to acquire IKE_SA for CHILD_SA with reqid %d",
|
|
|
|
reqid);
|
|
|
|
policy->destroy(policy);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
this->message_id_out = 1;
|
|
|
|
ike_sa_init = ike_sa_init_create(&this->public);
|
|
|
|
ike_sa_init->set_config(ike_sa_init, connection, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)ike_sa_init, TRUE);
|
|
|
|
}
|
|
|
|
case IKE_CONNECTING:
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
|
|
|
create_child_sa_t *create_child;
|
|
|
|
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"acquiring CHILD_SA with reqid %d",
|
|
|
|
reqid);
|
|
|
|
|
|
|
|
create_child = create_child_sa_create(&this->public);
|
|
|
|
create_child->set_policy(create_child, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)create_child, FALSE);
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* destroy a list of traffic selectors
|
|
|
|
*/
|
|
|
|
static void ts_list_destroy(linked_list_t *list)
|
|
|
|
{
|
|
|
|
traffic_selector_t *ts;
|
|
|
|
while (list->remove_last(list, (void**)&ts) == SUCCESS)
|
|
|
|
{
|
|
|
|
ts->destroy(ts);
|
|
|
|
}
|
|
|
|
list->destroy(list);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* compare two lists of traffic selectors for equality
|
|
|
|
*/
|
|
|
|
static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2)
|
|
|
|
{
|
|
|
|
bool equals = TRUE;
|
|
|
|
iterator_t *i1, *i2;
|
|
|
|
traffic_selector_t *t1, *t2;
|
|
|
|
|
|
|
|
i1 = l1->create_iterator(l1, TRUE);
|
|
|
|
i2 = l2->create_iterator(l2, TRUE);
|
|
|
|
while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2))
|
|
|
|
{
|
|
|
|
if (!t1->equals(t1, t2))
|
|
|
|
{
|
|
|
|
equals = FALSE;
|
2006-07-20 10:09:32 +00:00
|
|
|
break;
|
2006-07-21 13:31:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
/* check if one iterator is not at the end */
|
|
|
|
if (i1->has_next(i1) || i2->has_next(i2))
|
|
|
|
{
|
|
|
|
equals = FALSE;
|
|
|
|
}
|
|
|
|
i1->destroy(i1);
|
|
|
|
i2->destroy(i2);
|
|
|
|
return equals;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.route.
|
|
|
|
*/
|
|
|
|
static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy)
|
|
|
|
{
|
|
|
|
child_sa_t *child_sa = NULL;
|
|
|
|
iterator_t *iterator;
|
|
|
|
linked_list_t *my_ts, *other_ts;
|
|
|
|
status_t status;
|
|
|
|
|
|
|
|
/* check if not already routed*/
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
linked_list_t *my_ts_conf, *other_ts_conf;
|
|
|
|
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
|
|
|
|
if (ts_list_equals(my_ts, my_ts_conf) &&
|
|
|
|
ts_list_equals(other_ts, other_ts_conf))
|
|
|
|
{
|
|
|
|
ts_list_destroy(my_ts_conf);
|
|
|
|
ts_list_destroy(other_ts_conf);
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"a CHILD_SA with such a policy already routed");
|
|
|
|
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
ts_list_destroy(my_ts_conf);
|
|
|
|
ts_list_destroy(other_ts_conf);
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
2006-07-20 10:09:32 +00:00
|
|
|
case IKE_CONNECTING:
|
2006-07-21 13:31:53 +00:00
|
|
|
/* we update IKE_SA information as good as possible,
|
|
|
|
* this allows us to set up the SA later when an acquire comes in. */
|
|
|
|
if (this->my_id->get_type(this->my_id) == ID_ANY)
|
|
|
|
{
|
|
|
|
this->my_id->destroy(this->my_id);
|
|
|
|
this->my_id = policy->get_my_id(policy);
|
|
|
|
this->my_id = this->my_id->clone(this->my_id);
|
|
|
|
}
|
|
|
|
if (this->other_id->get_type(this->other_id) == ID_ANY)
|
|
|
|
{
|
|
|
|
this->other_id->destroy(this->other_id);
|
|
|
|
this->other_id = policy->get_other_id(policy);
|
|
|
|
this->other_id = this->other_id->clone(this->other_id);
|
|
|
|
}
|
|
|
|
if (this->my_host->is_anyaddr(this->my_host))
|
|
|
|
{
|
|
|
|
this->my_host->destroy(this->my_host);
|
|
|
|
this->my_host = connection->get_my_host(connection);
|
|
|
|
this->my_host = this->my_host->clone(this->my_host);
|
|
|
|
}
|
|
|
|
if (this->other_host->is_anyaddr(this->other_host))
|
|
|
|
{
|
|
|
|
this->other_host->destroy(this->other_host);
|
|
|
|
this->other_host = connection->get_other_host(connection);
|
|
|
|
this->other_host = this->other_host->clone(this->other_host);
|
|
|
|
}
|
|
|
|
set_name(this, connection->get_name(connection));
|
|
|
|
break;
|
2006-07-20 10:09:32 +00:00
|
|
|
case IKE_ESTABLISHED:
|
2006-07-21 13:31:53 +00:00
|
|
|
/* nothing to do */
|
2006-07-20 10:09:32 +00:00
|
|
|
break;
|
|
|
|
case IKE_DELETING:
|
|
|
|
/* deny */
|
2006-07-21 13:31:53 +00:00
|
|
|
return FAILED;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
2006-07-21 13:31:53 +00:00
|
|
|
|
|
|
|
child_sa = child_sa_create(0, this->my_host, this->other_host, 0, 0, FALSE);
|
|
|
|
my_ts = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
status = child_sa->add_policies(child_sa, my_ts, other_ts);
|
|
|
|
ts_list_destroy(my_ts);
|
|
|
|
ts_list_destroy(other_ts);
|
|
|
|
this->child_sas->insert_last(this->child_sas, child_sa);
|
|
|
|
|
|
|
|
return status;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-21 13:31:53 +00:00
|
|
|
* Implementation of ike_sa_t.unroute.
|
2006-07-20 10:09:32 +00:00
|
|
|
*/
|
2006-07-21 13:31:53 +00:00
|
|
|
static status_t unroute(private_ike_sa_t *this, policy_t *policy)
|
2006-07-20 10:09:32 +00:00
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa = NULL;
|
|
|
|
linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
|
|
|
|
|
|
|
|
/* find CHILD_SA in ROUTED state */
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
|
|
|
|
{
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
|
|
|
|
if (ts_list_equals(my_ts, my_ts_conf) &&
|
|
|
|
ts_list_equals(other_ts, other_ts_conf))
|
|
|
|
{
|
|
|
|
iterator->remove(iterator);
|
|
|
|
child_sa->destroy(child_sa);
|
|
|
|
ts_list_destroy(my_ts_conf);
|
|
|
|
ts_list_destroy(other_ts_conf);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
ts_list_destroy(my_ts_conf);
|
|
|
|
ts_list_destroy(other_ts_conf);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
/* if we are not established, and we have no more routed childs, remove whole SA */
|
|
|
|
if (this->state == IKE_CREATED &&
|
|
|
|
this->child_sas->get_count(this->child_sas) == 0)
|
|
|
|
{
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
return SUCCESS;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
|
|
|
|
2005-11-29 17:19:59 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.send_dpd
|
2005-11-29 17:19:59 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t send_dpd(private_ike_sa_t *this)
|
2005-11-29 17:19:59 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
send_dpd_job_t *job;
|
|
|
|
time_t diff, interval;
|
|
|
|
status_t status = SUCCESS;
|
|
|
|
|
|
|
|
interval = charon->configuration->get_dpd_interval(charon->configuration);
|
|
|
|
|
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* there is a transaction in progress. Come back later */
|
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* check if there was any inbound traffic */
|
|
|
|
time_t last_in, now;
|
|
|
|
last_in = get_time_inbound(this);
|
|
|
|
now = time(NULL);
|
|
|
|
diff = now - last_in;
|
|
|
|
if (diff >= interval)
|
|
|
|
{
|
|
|
|
/* to long ago, initiate dead peer detection */
|
|
|
|
dead_peer_detection_t *dpd;
|
|
|
|
this->logger->log(this->logger, CONTROL, "sending DPD request");
|
2006-07-13 08:26:54 +00:00
|
|
|
dpd = dead_peer_detection_create(&this->public);
|
2006-07-05 10:53:20 +00:00
|
|
|
status = queue_transaction(this, (transaction_t*)dpd, FALSE);
|
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* recheck in "interval" seconds */
|
|
|
|
job = send_dpd_job_create(this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
|
|
|
|
(interval - diff) * 1000);
|
|
|
|
return SUCCESS;
|
2005-11-29 17:19:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.send_keepalive
|
2005-11-29 17:19:59 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void send_keepalive(private_ike_sa_t *this)
|
2005-11-29 17:19:59 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
send_keepalive_job_t *job;
|
|
|
|
time_t last_out, now, diff, interval;
|
|
|
|
|
|
|
|
last_out = get_time_outbound(this);
|
|
|
|
now = time(NULL);
|
|
|
|
|
|
|
|
diff = now - last_out;
|
|
|
|
interval = charon->configuration->get_keepalive_interval(charon->configuration);
|
|
|
|
|
|
|
|
if (diff >= interval)
|
|
|
|
{
|
|
|
|
packet_t *packet;
|
|
|
|
chunk_t data;
|
|
|
|
|
|
|
|
packet = packet_create();
|
2006-07-20 10:09:32 +00:00
|
|
|
packet->set_source(packet, this->my_host->clone(this->my_host));
|
|
|
|
packet->set_destination(packet, this->other_host->clone(this->other_host));
|
2006-07-05 10:53:20 +00:00
|
|
|
data.ptr = malloc(1);
|
|
|
|
data.ptr[0] = 0xFF;
|
|
|
|
data.len = 1;
|
|
|
|
packet->set_data(packet, data);
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
|
|
|
this->logger->log(this->logger, CONTROL, "sending keep alive");
|
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
job = send_keepalive_job_create(this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
|
|
|
|
(interval - diff) * 1000);
|
2005-11-29 17:19:59 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 12:38:55 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.get_state.
|
2005-12-02 12:38:55 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static ike_sa_state_t get_state(private_ike_sa_t *this)
|
2005-12-02 12:38:55 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
return this->state;
|
2005-12-02 12:38:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.set_state.
|
2005-12-02 12:38:55 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
|
2005-12-02 12:38:55 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, CONTROL, "state change: %s => %s",
|
|
|
|
mapping_find(ike_sa_state_m, this->state),
|
|
|
|
mapping_find(ike_sa_state_m, state));
|
2006-07-13 08:26:54 +00:00
|
|
|
if (state == IKE_ESTABLISHED)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
this->logger->log(this->logger, AUDIT, "IKE_SA established: %s[%s]...%s[%s]",
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_host->get_string(this->my_host),
|
|
|
|
this->my_id->get_string(this->my_id),
|
|
|
|
this->other_host->get_string(this->other_host),
|
|
|
|
this->other_id->get_string(this->other_id));
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
send_dpd(this);
|
|
|
|
}
|
|
|
|
this->state = state;
|
2005-12-02 12:38:55 +00:00
|
|
|
}
|
|
|
|
|
2006-06-23 14:02:30 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of protected_ike_sa_t.get_prf.
|
2006-06-23 14:02:30 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_prf(private_ike_sa_t *this)
|
2006-06-23 14:02:30 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->prf;
|
2006-06-23 14:02:30 +00:00
|
|
|
}
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of protected_ike_sa_t.get_prf.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_child_prf(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->child_prf;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of protected_ike_sa_t.get_prf_auth_i.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_prf_auth_i(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->prf_auth_i;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2005-12-07 09:53:33 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of protected_ike_sa_t.get_prf_auth_r.
|
2005-12-07 09:53:33 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_prf_auth_r(private_ike_sa_t *this)
|
2005-12-07 09:53:33 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->prf_auth_r;
|
2005-12-07 09:53:33 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 11:38:56 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_id.
|
2005-12-02 14:07:36 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static ike_sa_id_t* get_id(private_ike_sa_t *this)
|
2005-12-02 14:07:36 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->ike_sa_id;
|
2005-12-02 14:07:36 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_my_id.
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static identification_t* get_my_id(private_ike_sa_t *this)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->my_id;
|
2005-12-03 14:47:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.set_my_id.
|
2005-12-03 14:47:58 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static void set_my_id(private_ike_sa_t *this, identification_t *me)
|
2005-12-03 14:47:58 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
DESTROY_IF(this->my_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_id = me;
|
2005-12-02 19:26:01 +00:00
|
|
|
}
|
|
|
|
|
2006-02-16 09:55:07 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_other_id.
|
2006-02-16 09:55:07 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static identification_t* get_other_id(private_ike_sa_t *this)
|
2006-02-16 09:55:07 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->other_id;
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
2006-07-20 10:09:32 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.set_other_id.
|
2006-07-05 10:53:20 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static void set_other_id(private_ike_sa_t *this, identification_t *other)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
DESTROY_IF(this->other_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_id = other;
|
2006-02-16 09:55:07 +00:00
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of protected_ike_sa_t.build_transforms.
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal,
|
|
|
|
diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
|
|
|
|
bool initiator)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
chunk_t nonces, nonces_spis, skeyseed, key, secret;
|
|
|
|
u_int64_t spi_i, spi_r;
|
|
|
|
prf_plus_t *prf_plus;
|
|
|
|
algorithm_t *algo;
|
|
|
|
size_t key_size;
|
|
|
|
crypter_t *crypter_i, *crypter_r;
|
|
|
|
signer_t *signer_i, *signer_r;
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* Build the PRF+ instance for deriving keys */
|
|
|
|
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR, "no PSEUDO_RANDOM_FUNCTION selected!");
|
|
|
|
return FAILED;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
this->prf = prf_create(algo->algorithm);
|
|
|
|
if (this->prf == NULL)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR, "PSEUDO_RANDOM_FUNCTION %s not supported!",
|
|
|
|
mapping_find(pseudo_random_function_m, algo->algorithm));
|
|
|
|
return FAILED;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* nonces = nonce_i | nonce_r */
|
|
|
|
nonces = chunk_alloc(nonce_i.len + nonce_r.len);
|
|
|
|
memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len);
|
|
|
|
memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* prf_seed = nonce_i | nonce_r | spi_i | spi_r */
|
|
|
|
nonces_spis = chunk_alloc(nonces.len + 16);
|
|
|
|
memcpy(nonces_spis.ptr, nonces.ptr, nonces.len);
|
|
|
|
spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
|
|
|
|
spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
|
|
|
|
memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8);
|
|
|
|
memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8);
|
|
|
|
|
|
|
|
/* SKEYSEED = prf(Ni | Nr, g^ir) */
|
|
|
|
dh->get_shared_secret(dh, &secret);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "shared Diffie Hellman secret", secret);
|
|
|
|
this->prf->set_key(this->prf, nonces);
|
|
|
|
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed);
|
|
|
|
chunk_free(&secret);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr )
|
|
|
|
* = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr
|
|
|
|
*/
|
|
|
|
this->prf->set_key(this->prf, skeyseed);
|
|
|
|
prf_plus = prf_plus_create(this->prf, nonces_spis);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* clean up unused stuff */
|
|
|
|
chunk_free(&nonces);
|
|
|
|
chunk_free(&nonces_spis);
|
|
|
|
chunk_free(&skeyseed);
|
|
|
|
|
|
|
|
/* SK_d used for prf+ to derive keys for child SAs */
|
|
|
|
this->child_prf = prf_create(algo->algorithm);
|
|
|
|
key_size = this->child_prf->get_key_size(this->child_prf);
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "Sk_d secret", key);
|
|
|
|
this->child_prf->set_key(this->child_prf, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
/* SK_ai/SK_ar used for integrity protection */
|
|
|
|
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR, "no INTEGRITY_ALGORITHM selected?!");
|
2006-06-07 13:26:23 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_i = signer_create(algo->algorithm);
|
|
|
|
signer_r = signer_create(algo->algorithm);
|
|
|
|
if (signer_i == NULL || signer_r == NULL)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR, "INTEGRITY_ALGORITHM %s not supported!",
|
|
|
|
mapping_find(integrity_algorithm_m,algo->algorithm));
|
|
|
|
return FAILED;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
key_size = signer_i->get_key_size(signer_i);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ai secret", key);
|
|
|
|
signer_i->set_key(signer_i, key);
|
|
|
|
chunk_free(&key);
|
2006-06-22 06:36:28 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ar secret", key);
|
|
|
|
signer_r->set_key(signer_r, key);
|
|
|
|
chunk_free(&key);
|
2006-06-22 06:36:28 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
if (initiator)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->signer_in = signer_r;
|
|
|
|
this->signer_out = signer_i;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->signer_in = signer_i;
|
|
|
|
this->signer_out = signer_r;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
/* SK_ei/SK_er used for encryption */
|
|
|
|
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR, "no ENCRYPTION_ALGORITHM selected!");
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
|
|
|
|
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
|
|
|
|
if (crypter_i == NULL || crypter_r == NULL)
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"ENCRYPTION_ALGORITHM %s (key size %d) not supported!",
|
|
|
|
mapping_find(encryption_algorithm_m, algo->algorithm),
|
|
|
|
algo->key_size);
|
|
|
|
return FAILED;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
key_size = crypter_i->get_key_size(crypter_i);
|
2006-06-22 06:36:28 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "Sk_ei secret", key);
|
|
|
|
crypter_i->set_key(crypter_i, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "Sk_er secret", key);
|
|
|
|
crypter_r->set_key(crypter_r, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
if (initiator)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->crypter_in = crypter_r;
|
|
|
|
this->crypter_out = crypter_i;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->crypter_in = crypter_i;
|
|
|
|
this->crypter_out = crypter_r;
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/* SK_pi/SK_pr used for authentication */
|
|
|
|
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
|
|
|
this->prf_auth_i = prf_create(algo->algorithm);
|
|
|
|
this->prf_auth_r = prf_create(algo->algorithm);
|
|
|
|
|
|
|
|
key_size = this->prf_auth_i->get_key_size(this->prf_auth_i);
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pi secret", key);
|
|
|
|
this->prf_auth_i->set_key(this->prf_auth_i, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
|
|
|
this->logger->log_chunk(this->logger, PRIVATE, "Sk_pr secret", key);
|
|
|
|
this->prf_auth_r->set_key(this->prf_auth_r, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
/* all done, prf_plus not needed anymore */
|
|
|
|
prf_plus->destroy(prf_plus);
|
|
|
|
|
|
|
|
return SUCCESS;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-05-31 14:23:15 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of protected_ike_sa_t.add_child_sa.
|
2006-05-31 14:23:15 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
2006-05-31 14:23:15 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->child_sas->insert_last(this->child_sas, child_sa);
|
2006-05-31 14:23:15 +00:00
|
|
|
}
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
/**
|
|
|
|
* Implementation of protected_ike_sa_t.has_child_sa.
|
|
|
|
*/
|
|
|
|
static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current;
|
|
|
|
bool found = FALSE;
|
|
|
|
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)¤t))
|
|
|
|
{
|
|
|
|
if (current->get_reqid(current) == reqid)
|
|
|
|
{
|
|
|
|
found = TRUE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
return found;
|
|
|
|
}
|
|
|
|
|
2006-06-09 15:12:43 +00:00
|
|
|
/**
|
|
|
|
* Implementation of protected_ike_sa_t.get_child_sa.
|
|
|
|
*/
|
2006-07-07 07:04:07 +00:00
|
|
|
static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
|
|
|
u_int32_t spi, bool inbound)
|
2006-06-09 15:12:43 +00:00
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current, *found = NULL;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
2006-06-09 15:12:43 +00:00
|
|
|
while (iterator->has_next(iterator))
|
|
|
|
{
|
|
|
|
iterator->current(iterator, (void**)¤t);
|
2006-07-07 07:04:07 +00:00
|
|
|
if (current->get_spi(current, inbound) == spi &&
|
2006-07-21 13:31:53 +00:00
|
|
|
current->get_protocol(current) == protocol)
|
2006-06-09 15:12:43 +00:00
|
|
|
{
|
|
|
|
found = current;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
return found;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.rekey_child_sa.
|
|
|
|
*/
|
2006-07-07 07:04:07 +00:00
|
|
|
static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
create_child_sa_t *rekey;
|
2006-06-07 13:26:23 +00:00
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
2006-07-07 07:04:07 +00:00
|
|
|
child_sa = get_child_sa(this, protocol, spi, TRUE);
|
|
|
|
if (child_sa == NULL)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
return NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
rekey = create_child_sa_create(&this->public);
|
2006-07-07 07:04:07 +00:00
|
|
|
rekey->rekeys_child(rekey, child_sa);
|
|
|
|
return queue_transaction(this, (transaction_t*)rekey, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.delete_child_sa.
|
|
|
|
*/
|
|
|
|
static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
|
|
|
{
|
|
|
|
delete_child_sa_t *del;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
|
|
|
child_sa = get_child_sa(this, protocol, spi, TRUE);
|
2006-06-07 13:26:23 +00:00
|
|
|
if (child_sa == NULL)
|
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
return NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
del = delete_child_sa_create(&this->public);
|
2006-07-07 07:04:07 +00:00
|
|
|
del->set_child_sa(del, child_sa);
|
|
|
|
return queue_transaction(this, (transaction_t*)del, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of protected_ike_sa_t.destroy_child_sa.
|
|
|
|
*/
|
|
|
|
static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
status_t status = NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-07 07:04:07 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_protocol(child_sa) == protocol &&
|
|
|
|
child_sa->get_spi(child_sa, TRUE) == spi)
|
|
|
|
{
|
|
|
|
child_sa->destroy(child_sa);
|
|
|
|
iterator->remove(iterator);
|
|
|
|
status = SUCCESS;
|
|
|
|
break;
|
|
|
|
}
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-07 07:04:07 +00:00
|
|
|
iterator->destroy(iterator);
|
|
|
|
return status;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
|
2006-04-26 12:28:02 +00:00
|
|
|
/**
|
|
|
|
* Implementation of protected_ike_sa_t.log_status.
|
|
|
|
*/
|
2006-04-27 07:24:04 +00:00
|
|
|
static void log_status(private_ike_sa_t *this, logger_t *logger, char *name)
|
2006-04-26 12:28:02 +00:00
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa;
|
2006-07-20 10:09:32 +00:00
|
|
|
char *my_host, *other_host, *my_id, *other_id;
|
2006-04-26 12:28:02 +00:00
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
if (name == NULL || streq(name, this->name))
|
2006-04-27 07:24:04 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
if (logger == NULL)
|
2006-04-27 07:24:04 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
logger = this->logger;
|
2006-04-27 07:24:04 +00:00
|
|
|
}
|
2006-07-20 10:09:32 +00:00
|
|
|
|
|
|
|
my_host = this->my_host ?
|
|
|
|
this->my_host->get_string(this->my_host) : "(unknown)";
|
|
|
|
other_host = this->other_host ?
|
|
|
|
this->other_host->get_string(this->other_host) : "(unknown)";
|
|
|
|
my_id = this->my_id ?
|
|
|
|
this->my_id->get_string(this->my_id) : "(unknown)";
|
|
|
|
other_id = this->other_id ?
|
|
|
|
this->other_id->get_string(this->other_id) : "(unknown)";
|
|
|
|
|
|
|
|
logger->log(logger, CONTROL|LEVEL1,
|
|
|
|
" \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx",
|
|
|
|
this->name,
|
|
|
|
mapping_find(ike_sa_state_m, this->state),
|
|
|
|
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
|
|
|
this->ike_sa_id->get_responder_spi(this->ike_sa_id));
|
|
|
|
logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]",
|
|
|
|
this->name, my_host, my_id, other_host, other_id);
|
|
|
|
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->has_next(iterator))
|
|
|
|
{
|
|
|
|
iterator->current(iterator, (void**)&child_sa);
|
|
|
|
child_sa->log_status(child_sa, logger, this->name);
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2006-04-27 07:24:04 +00:00
|
|
|
}
|
2006-04-26 12:28:02 +00:00
|
|
|
}
|
|
|
|
|
2006-05-23 08:01:49 +00:00
|
|
|
/**
|
|
|
|
* Implementation of public_ike_sa_t.delete.
|
|
|
|
*/
|
|
|
|
static status_t delete_(private_ike_sa_t *this)
|
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
switch (this->state)
|
2006-07-13 12:49:35 +00:00
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
case IKE_CONNECTING:
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
|
|
|
delete_ike_sa_t *delete_ike_sa;
|
|
|
|
delete_ike_sa = delete_ike_sa_create(&this->public);
|
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* already a transaction in progress. As this may hang
|
|
|
|
* around a while, we don't inform the other peer. */
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
return queue_transaction(this, (transaction_t*)delete_ike_sa, FALSE);
|
|
|
|
}
|
|
|
|
case IKE_CREATED:
|
|
|
|
case IKE_DELETING:
|
|
|
|
default:
|
|
|
|
{
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
2006-07-13 12:49:35 +00:00
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_next_message_id.
|
|
|
|
*/
|
|
|
|
static u_int32_t get_next_message_id (private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->message_id_out++;
|
|
|
|
}
|
|
|
|
|
2006-06-22 06:36:28 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.is_natt_enabled.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static bool is_natt_enabled (private_ike_sa_t *this)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
|
|
|
return this->nat_here || this->nat_there;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of protected_ike_sa_t.enable_natt.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void enable_natt (private_ike_sa_t *this, bool local)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (local)
|
2006-06-23 14:02:30 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"local host is behind NAT, using NAT-T, scheduled keep alives");
|
|
|
|
this->nat_here = TRUE;
|
|
|
|
send_keepalive(this);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->logger->log(this->logger, CONTROL,
|
|
|
|
"remote host is behind NAT, using NAT-T");
|
|
|
|
this->nat_there = TRUE;
|
2006-06-23 14:02:30 +00:00
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2005-11-16 16:05:46 +00:00
|
|
|
/**
|
2005-12-02 11:38:56 +00:00
|
|
|
* Implementation of protected_ike_sa_t.destroy.
|
2005-11-16 16:05:46 +00:00
|
|
|
*/
|
2006-05-23 08:01:49 +00:00
|
|
|
static void destroy(private_ike_sa_t *this)
|
2005-11-16 16:05:46 +00:00
|
|
|
{
|
2006-02-16 09:55:07 +00:00
|
|
|
child_sa_t *child_sa;
|
2006-07-05 10:53:20 +00:00
|
|
|
transaction_t *transaction;
|
2006-07-20 10:09:32 +00:00
|
|
|
char *my_host, *other_host, *my_id, *other_id;
|
2006-02-16 09:55:07 +00:00
|
|
|
|
2006-07-03 06:27:45 +00:00
|
|
|
this->logger->log(this->logger, CONTROL|LEVEL2, "going to destroy IKE SA %llu:%llu, role %s",
|
2005-12-02 15:40:04 +00:00
|
|
|
this->ike_sa_id->get_initiator_spi(this->ike_sa_id),
|
|
|
|
this->ike_sa_id->get_responder_spi(this->ike_sa_id),
|
|
|
|
this->ike_sa_id->is_initiator(this->ike_sa_id) ? "initiator" : "responder");
|
2006-05-23 08:01:49 +00:00
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
if (this->state == IKE_ESTABLISHED)
|
2006-05-23 08:01:49 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->logger->log(this->logger, ERROR,
|
|
|
|
"destroying an established IKE SA without knowledge from remote peer!");
|
2006-05-23 08:01:49 +00:00
|
|
|
}
|
2005-11-21 16:41:24 +00:00
|
|
|
|
2006-02-16 09:55:07 +00:00
|
|
|
while (this->child_sas->remove_last(this->child_sas, (void**)&child_sa) == SUCCESS)
|
2005-11-16 16:05:46 +00:00
|
|
|
{
|
2006-02-16 09:55:07 +00:00
|
|
|
child_sa->destroy(child_sa);
|
2005-11-16 16:05:46 +00:00
|
|
|
}
|
2005-11-08 13:33:28 +00:00
|
|
|
this->child_sas->destroy(this->child_sas);
|
2006-03-20 15:43:26 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
while (this->transaction_queue->remove_last(this->transaction_queue, (void**)&transaction) == SUCCESS)
|
|
|
|
{
|
|
|
|
transaction->destroy(transaction);
|
|
|
|
}
|
|
|
|
this->transaction_queue->destroy(this->transaction_queue);
|
2006-07-20 10:09:32 +00:00
|
|
|
|
|
|
|
DESTROY_IF(this->transaction_in);
|
|
|
|
DESTROY_IF(this->transaction_in_next);
|
|
|
|
DESTROY_IF(this->transaction_out);
|
|
|
|
DESTROY_IF(this->crypter_in);
|
|
|
|
DESTROY_IF(this->crypter_out);
|
|
|
|
DESTROY_IF(this->signer_in);
|
|
|
|
DESTROY_IF(this->signer_out);
|
|
|
|
DESTROY_IF(this->prf);
|
|
|
|
DESTROY_IF(this->child_prf);
|
|
|
|
DESTROY_IF(this->prf_auth_i);
|
|
|
|
DESTROY_IF(this->prf_auth_r);
|
|
|
|
|
|
|
|
my_host = this->my_host ?
|
|
|
|
this->my_host->get_string(this->my_host) : "(unknown)";
|
|
|
|
other_host = this->other_host ?
|
|
|
|
this->other_host->get_string(this->other_host) : "(unknown)";
|
|
|
|
my_id = this->my_id ?
|
|
|
|
this->my_id->get_string(this->my_id) : "(unknown)";
|
|
|
|
other_id = this->other_id ?
|
|
|
|
this->other_id->get_string(this->other_id) : "(unknown)";
|
|
|
|
|
|
|
|
this->logger->log(this->logger, AUDIT,
|
|
|
|
"IKE_SA deleted between %s[%s]...%s[%s]",
|
|
|
|
my_host, my_id, other_host, other_id);
|
|
|
|
|
|
|
|
DESTROY_IF(this->my_host);
|
|
|
|
DESTROY_IF(this->other_host);
|
|
|
|
DESTROY_IF(this->my_id);
|
|
|
|
DESTROY_IF(this->other_id);
|
|
|
|
|
|
|
|
free(this->name);
|
2006-03-20 15:43:26 +00:00
|
|
|
this->ike_sa_id->destroy(this->ike_sa_id);
|
2006-04-10 08:07:38 +00:00
|
|
|
free(this);
|
2005-11-08 13:33:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2005-12-07 09:03:34 +00:00
|
|
|
* Described in header.
|
2005-11-08 13:33:28 +00:00
|
|
|
*/
|
|
|
|
ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|
|
|
{
|
2006-04-10 08:07:38 +00:00
|
|
|
private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2005-11-08 13:33:28 +00:00
|
|
|
/* Public functions */
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state;
|
|
|
|
this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_name = (char*(*)(ike_sa_t*))get_name;
|
|
|
|
this->public.set_name = (void(*)(ike_sa_t*,char*))set_name;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate;
|
2006-07-21 13:31:53 +00:00
|
|
|
this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route;
|
|
|
|
this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
|
|
|
|
this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
|
|
|
|
this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
|
|
|
|
this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
|
|
|
|
this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
|
|
|
|
this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
|
2006-07-13 08:26:54 +00:00
|
|
|
this->public.get_next_message_id = (u_int32_t(*)(ike_sa_t*)) get_next_message_id;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
|
|
|
|
this->public.log_status = (void (*) (ike_sa_t*,logger_t*,char*))log_status;
|
|
|
|
this->public.delete = (status_t(*)(ike_sa_t*))delete_;
|
|
|
|
this->public.destroy = (void(*)(ike_sa_t*))destroy;
|
|
|
|
this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
|
|
|
|
this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
|
|
|
|
this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
|
|
|
|
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
|
|
|
|
this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i;
|
|
|
|
this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r;
|
|
|
|
this->public.build_transforms = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool)) build_transforms;
|
2006-07-07 07:04:07 +00:00
|
|
|
this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
|
2006-07-21 13:31:53 +00:00
|
|
|
this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa;
|
2006-07-07 07:04:07 +00:00
|
|
|
this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
|
|
|
|
this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
|
|
|
|
this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
|
|
|
|
this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
|
|
|
|
this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
|
|
|
|
|
2005-11-08 13:33:28 +00:00
|
|
|
/* initialize private fields */
|
2006-04-10 08:07:38 +00:00
|
|
|
this->logger = logger_manager->get_logger(logger_manager, IKE_SA);
|
2005-11-28 20:29:47 +00:00
|
|
|
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->name = strdup("(uninitialized)");
|
2005-11-08 13:33:28 +00:00
|
|
|
this->child_sas = linked_list_create();
|
2006-07-21 13:31:53 +00:00
|
|
|
this->my_host = host_create(AF_INET, "0.0.0.0", 0);
|
|
|
|
this->other_host = host_create(AF_INET, "0.0.0.0", 0);
|
|
|
|
this->my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
|
|
|
|
this->other_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
|
2006-07-05 10:53:20 +00:00
|
|
|
this->crypter_in = NULL;
|
|
|
|
this->crypter_out = NULL;
|
|
|
|
this->signer_in = NULL;
|
|
|
|
this->signer_out = NULL;
|
2005-11-22 15:38:41 +00:00
|
|
|
this->prf = NULL;
|
2006-02-14 14:52:00 +00:00
|
|
|
this->prf_auth_i = NULL;
|
|
|
|
this->prf_auth_r = NULL;
|
2006-07-03 06:27:45 +00:00
|
|
|
this->child_prf = NULL;
|
2006-06-22 06:36:28 +00:00
|
|
|
this->nat_here = FALSE;
|
|
|
|
this->nat_there = FALSE;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->transaction_queue = linked_list_create();
|
|
|
|
this->transaction_in = NULL;
|
|
|
|
this->transaction_in_next = NULL;
|
|
|
|
this->transaction_out = NULL;
|
2006-07-13 08:26:54 +00:00
|
|
|
this->state = IKE_CREATED;
|
|
|
|
/* we start with message ID out, as ike_sa_init does not use this counter */
|
2006-07-05 10:53:20 +00:00
|
|
|
this->message_id_out = 0;
|
|
|
|
this->time_inbound = 0;
|
|
|
|
this->time_outbound = 0;
|
|
|
|
|
|
|
|
return &this->public;
|
2005-11-08 13:33:28 +00:00
|
|
|
}
|