2011-11-21 10:20:34 +00:00
|
|
|
/*
|
2019-02-12 10:59:38 +00:00
|
|
|
* Copyright (C) 2012-2019 Tobias Brunner
|
2018-05-23 14:04:50 +00:00
|
|
|
* HSR Hochschule fuer Technik Rapperswil
|
2012-05-24 12:00:44 +00:00
|
|
|
*
|
2011-11-21 10:20:34 +00:00
|
|
|
* Copyright (C) 2011 Martin Willi
|
|
|
|
|
* Copyright (C) 2011 revosec AG
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
|
* for more details.
|
|
|
|
|
*/
|
|
|
|
|
|
2012-12-15 13:11:26 +00:00
|
|
|
/*
|
|
|
|
|
* Copyright (C) 2012 Volker Rümelin
|
|
|
|
|
*
|
|
|
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
|
|
|
* in the Software without restriction, including without limitation the rights
|
|
|
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
|
|
|
* furnished to do so, subject to the following conditions:
|
|
|
|
|
*
|
|
|
|
|
* The above copyright notice and this permission notice shall be included in
|
|
|
|
|
* all copies or substantial portions of the Software.
|
|
|
|
|
*
|
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
|
|
|
* THE SOFTWARE.
|
|
|
|
|
*/
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
#include "quick_mode.h"
|
|
|
|
|
|
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
|
|
#include <daemon.h>
|
2011-12-19 12:10:29 +00:00
|
|
|
#include <sa/ikev1/keymat_v1.h>
|
2011-11-21 16:56:39 +00:00
|
|
|
#include <encoding/payloads/sa_payload.h>
|
|
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
2011-12-07 16:43:58 +00:00
|
|
|
#include <encoding/payloads/ke_payload.h>
|
2011-11-21 16:56:39 +00:00
|
|
|
#include <encoding/payloads/id_payload.h>
|
2011-12-02 15:22:42 +00:00
|
|
|
#include <encoding/payloads/payload.h>
|
2011-12-19 12:10:29 +00:00
|
|
|
#include <sa/ikev1/tasks/informational.h>
|
|
|
|
|
#include <sa/ikev1/tasks/quick_delete.h>
|
2012-01-23 12:49:56 +00:00
|
|
|
#include <processing/jobs/inactivity_job.h>
|
2011-11-21 10:20:34 +00:00
|
|
|
|
|
|
|
|
typedef struct private_quick_mode_t private_quick_mode_t;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Private members of a quick_mode_t task.
|
|
|
|
|
*/
|
|
|
|
|
struct private_quick_mode_t {
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Public methods and task_t interface.
|
|
|
|
|
*/
|
|
|
|
|
quick_mode_t public;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Assigned IKE_SA.
|
|
|
|
|
*/
|
|
|
|
|
ike_sa_t *ike_sa;
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
/**
|
|
|
|
|
* TRUE if we are initiating quick mode
|
|
|
|
|
*/
|
|
|
|
|
bool initiator;
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
/**
|
|
|
|
|
* Traffic selector of initiator
|
|
|
|
|
*/
|
|
|
|
|
traffic_selector_t *tsi;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Traffic selector of responder
|
|
|
|
|
*/
|
|
|
|
|
traffic_selector_t *tsr;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Initiators nonce
|
|
|
|
|
*/
|
|
|
|
|
chunk_t nonce_i;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Responder nonce
|
|
|
|
|
*/
|
|
|
|
|
chunk_t nonce_r;
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
/**
|
|
|
|
|
* Initiators ESP SPI
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t spi_i;
|
2011-11-22 14:24:24 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Responder ESP SPI
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t spi_r;
|
2011-11-22 14:24:24 +00:00
|
|
|
|
2012-05-24 12:00:44 +00:00
|
|
|
/**
|
|
|
|
|
* Initiators IPComp CPI
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint16_t cpi_i;
|
2012-05-24 12:00:44 +00:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Responders IPComp CPI
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint16_t cpi_r;
|
2012-05-24 12:00:44 +00:00
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
/**
|
|
|
|
|
* selected CHILD_SA proposal
|
|
|
|
|
*/
|
|
|
|
|
proposal_t *proposal;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Config of CHILD_SA to establish
|
|
|
|
|
*/
|
|
|
|
|
child_cfg_t *config;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* CHILD_SA we are about to establish
|
|
|
|
|
*/
|
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
/**
|
|
|
|
|
* IKEv1 keymat
|
|
|
|
|
*/
|
|
|
|
|
keymat_v1_t *keymat;
|
|
|
|
|
|
2011-12-07 16:43:58 +00:00
|
|
|
/**
|
|
|
|
|
* DH exchange, when PFS is in use
|
|
|
|
|
*/
|
|
|
|
|
diffie_hellman_t *dh;
|
|
|
|
|
|
2011-11-24 14:25:00 +00:00
|
|
|
/**
|
|
|
|
|
* Negotiated lifetime of new SA
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t lifetime;
|
2011-11-24 14:25:00 +00:00
|
|
|
|
|
|
|
|
/**
|
2016-06-15 15:43:55 +00:00
|
|
|
* Negotiated lifebytes of new SA
|
2011-11-24 14:25:00 +00:00
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint64_t lifebytes;
|
2011-11-24 14:25:00 +00:00
|
|
|
|
2012-01-02 12:36:10 +00:00
|
|
|
/**
|
2019-03-22 16:39:47 +00:00
|
|
|
* Data collected to create the CHILD_SA
|
2012-01-02 12:36:10 +00:00
|
|
|
*/
|
2019-03-22 16:39:47 +00:00
|
|
|
child_sa_create_t child;
|
2014-11-13 14:26:10 +00:00
|
|
|
|
2012-01-16 15:17:27 +00:00
|
|
|
/**
|
|
|
|
|
* SPI of SA we rekey
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t rekey;
|
2012-01-16 15:17:27 +00:00
|
|
|
|
2016-02-17 16:31:51 +00:00
|
|
|
/**
|
|
|
|
|
* Delete old child after successful rekey
|
|
|
|
|
*/
|
|
|
|
|
bool delete;
|
|
|
|
|
|
2012-01-05 14:02:40 +00:00
|
|
|
/**
|
|
|
|
|
* Negotiated mode, tunnel or transport
|
|
|
|
|
*/
|
|
|
|
|
ipsec_mode_t mode;
|
|
|
|
|
|
2013-06-20 14:12:58 +00:00
|
|
|
/*
|
|
|
|
|
* SA protocol (ESP|AH) negotiated
|
|
|
|
|
*/
|
|
|
|
|
protocol_id_t proto;
|
|
|
|
|
|
2015-08-19 13:28:02 +00:00
|
|
|
/**
|
|
|
|
|
* Message ID of handled quick mode exchange
|
|
|
|
|
*/
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t mid;
|
2015-08-19 13:28:02 +00:00
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
/** states of quick mode */
|
|
|
|
|
enum {
|
|
|
|
|
QM_INIT,
|
2011-11-21 16:56:39 +00:00
|
|
|
QM_NEGOTIATED,
|
2011-11-21 10:20:34 +00:00
|
|
|
} state;
|
|
|
|
|
};
|
|
|
|
|
|
2012-01-23 12:49:56 +00:00
|
|
|
/**
|
|
|
|
|
* Schedule inactivity timeout for CHILD_SA with reqid, if enabled
|
|
|
|
|
*/
|
|
|
|
|
static void schedule_inactivity_timeout(private_quick_mode_t *this)
|
|
|
|
|
{
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t timeout;
|
2012-01-23 12:49:56 +00:00
|
|
|
bool close_ike;
|
|
|
|
|
|
|
|
|
|
timeout = this->config->get_inactivity(this->config);
|
|
|
|
|
if (timeout)
|
|
|
|
|
{
|
|
|
|
|
close_ike = lib->settings->get_bool(lib->settings,
|
2014-01-22 14:18:58 +00:00
|
|
|
"%s.inactivity_close_ike", FALSE, lib->ns);
|
2012-01-23 12:49:56 +00:00
|
|
|
lib->scheduler->schedule_job(lib->scheduler, (job_t*)
|
2014-10-27 14:19:09 +00:00
|
|
|
inactivity_job_create(this->child_sa->get_unique_id(this->child_sa),
|
|
|
|
|
timeout, close_ike), timeout);
|
2012-01-23 12:49:56 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-09-11 10:56:29 +00:00
|
|
|
/**
|
|
|
|
|
* Check if we have a an address pool configured
|
|
|
|
|
*/
|
|
|
|
|
static bool have_pool(ike_sa_t *ike_sa)
|
|
|
|
|
{
|
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
peer_cfg_t *peer_cfg;
|
|
|
|
|
char *pool;
|
|
|
|
|
bool found = FALSE;
|
|
|
|
|
|
|
|
|
|
peer_cfg = ike_sa->get_peer_cfg(ike_sa);
|
|
|
|
|
if (peer_cfg)
|
|
|
|
|
{
|
|
|
|
|
enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
|
|
|
|
|
if (enumerator->enumerate(enumerator, &pool))
|
|
|
|
|
{
|
|
|
|
|
found = TRUE;
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
}
|
|
|
|
|
return found;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2012-09-18 10:46:36 +00:00
|
|
|
* Get hosts to use for dynamic traffic selectors
|
2012-09-11 10:56:29 +00:00
|
|
|
*/
|
2012-09-18 10:46:36 +00:00
|
|
|
static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
|
2012-09-11 10:56:29 +00:00
|
|
|
{
|
|
|
|
|
enumerator_t *enumerator;
|
2012-09-18 10:46:36 +00:00
|
|
|
linked_list_t *list;
|
2012-09-11 10:56:29 +00:00
|
|
|
host_t *host;
|
|
|
|
|
|
2012-09-18 10:46:36 +00:00
|
|
|
list = linked_list_create();
|
2012-09-11 10:56:29 +00:00
|
|
|
enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
|
2012-09-18 10:46:36 +00:00
|
|
|
while (enumerator->enumerate(enumerator, &host))
|
2012-09-11 10:56:29 +00:00
|
|
|
{
|
2012-09-18 10:46:36 +00:00
|
|
|
list->insert_last(list, host);
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
|
|
|
|
|
if (list->get_count(list) == 0)
|
|
|
|
|
{ /* no virtual IPs assigned */
|
2012-09-11 10:56:29 +00:00
|
|
|
if (local)
|
|
|
|
|
{
|
|
|
|
|
host = ike_sa->get_my_host(ike_sa);
|
2012-09-18 10:46:36 +00:00
|
|
|
list->insert_last(list, host);
|
2012-09-11 10:56:29 +00:00
|
|
|
}
|
2012-09-18 10:46:36 +00:00
|
|
|
else if (!have_pool(ike_sa))
|
|
|
|
|
{ /* use host only if we don't have a pool configured */
|
|
|
|
|
host = ike_sa->get_other_host(ike_sa);
|
|
|
|
|
list->insert_last(list, host);
|
2012-09-11 10:56:29 +00:00
|
|
|
}
|
|
|
|
|
}
|
2012-09-18 10:46:36 +00:00
|
|
|
return list;
|
2012-09-11 10:56:29 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
/**
|
|
|
|
|
* Install negotiated CHILD_SA
|
|
|
|
|
*/
|
|
|
|
|
static bool install(private_quick_mode_t *this)
|
|
|
|
|
{
|
|
|
|
|
status_t status, status_i, status_o;
|
|
|
|
|
chunk_t encr_i, encr_r, integ_i, integ_r;
|
2013-07-17 08:01:22 +00:00
|
|
|
linked_list_t *tsi, *tsr, *my_ts, *other_ts;
|
2012-01-16 15:17:27 +00:00
|
|
|
child_sa_t *old = NULL;
|
2011-11-22 14:24:24 +00:00
|
|
|
|
|
|
|
|
this->child_sa->set_proposal(this->child_sa, this->proposal);
|
|
|
|
|
this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
|
2012-01-05 14:02:40 +00:00
|
|
|
this->child_sa->set_mode(this->child_sa, this->mode);
|
2012-05-24 12:00:44 +00:00
|
|
|
|
|
|
|
|
if (this->cpi_i && this->cpi_r)
|
|
|
|
|
{ /* DEFLATE is the only transform we currently support */
|
|
|
|
|
this->child_sa->set_ipcomp(this->child_sa, IPCOMP_DEFLATE);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->cpi_i = this->cpi_r = 0;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
this->child_sa->set_protocol(this->child_sa,
|
|
|
|
|
this->proposal->get_protocol(this->proposal));
|
|
|
|
|
|
|
|
|
|
status_i = status_o = FAILED;
|
|
|
|
|
encr_i = encr_r = integ_i = integ_r = chunk_empty;
|
2012-09-18 10:44:59 +00:00
|
|
|
tsi = linked_list_create_with_items(this->tsi->clone(this->tsi), NULL);
|
|
|
|
|
tsr = linked_list_create_with_items(this->tsr->clone(this->tsr), NULL);
|
2012-01-18 12:28:15 +00:00
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
charon->bus->narrow(charon->bus, this->child_sa,
|
|
|
|
|
NARROW_INITIATOR_POST_AUTH, tsi, tsr);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
charon->bus->narrow(charon->bus, this->child_sa,
|
2012-07-24 10:40:45 +00:00
|
|
|
NARROW_RESPONDER_POST, tsr, tsi);
|
2012-01-18 12:28:15 +00:00
|
|
|
}
|
|
|
|
|
if (tsi->get_count(tsi) == 0 || tsr->get_count(tsr) == 0)
|
|
|
|
|
{
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
DBG1(DBG_IKE, "no acceptable traffic selectors found");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-01 13:40:15 +00:00
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
this->child_sa->set_policies(this->child_sa, tsi, tsr);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->child_sa->set_policies(this->child_sa, tsr, tsi);
|
|
|
|
|
}
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
|
2011-12-07 16:43:58 +00:00
|
|
|
if (this->keymat->derive_child_keys(this->keymat, this->proposal, this->dh,
|
2011-11-23 13:26:24 +00:00
|
|
|
this->spi_i, this->spi_r, this->nonce_i, this->nonce_r,
|
|
|
|
|
&encr_i, &integ_i, &encr_r, &integ_r))
|
2011-11-22 14:24:24 +00:00
|
|
|
{
|
|
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
kernel-interface: add an exchange initiator parameter to add_sa()
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-05-08 08:31:06 +00:00
|
|
|
status_i = this->child_sa->install(this->child_sa,
|
|
|
|
|
encr_r, integ_r, this->spi_i, this->cpi_i,
|
2017-03-01 13:40:15 +00:00
|
|
|
this->initiator, TRUE, FALSE);
|
kernel-interface: add an exchange initiator parameter to add_sa()
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-05-08 08:31:06 +00:00
|
|
|
status_o = this->child_sa->install(this->child_sa,
|
|
|
|
|
encr_i, integ_i, this->spi_r, this->cpi_r,
|
2017-03-01 13:40:15 +00:00
|
|
|
this->initiator, FALSE, FALSE);
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
kernel-interface: add an exchange initiator parameter to add_sa()
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-05-08 08:31:06 +00:00
|
|
|
status_i = this->child_sa->install(this->child_sa,
|
|
|
|
|
encr_i, integ_i, this->spi_r, this->cpi_r,
|
2017-03-01 13:40:15 +00:00
|
|
|
this->initiator, TRUE, FALSE);
|
kernel-interface: add an exchange initiator parameter to add_sa()
This new flag gives the kernel-interface a hint how it should priorize the
use of newly installed SAs during rekeying.
Consider the following rekey procedure in IKEv2:
Initiator --- Responder
I1 -------CREATE-------> R1
I2 <------CREATE--------
-------DELETE-------> R2
I3 <------DELETE--------
SAs are always handled as pairs, the following happens at the SA level:
* Initiator starts the exchange at I1
* Responder installs new SA pair at R1
* Initiator installs new SA pair at I2
* Responder removes old SA pair at R2
* Initiator removes old SA pair at I3
This makes sure SAs get installed/removed overlapping during rekeying. However,
to avoid any packet loss, it is crucial that the new outbound SA gets
activated at the correct position:
* as exchange initiator, in I2
* as exchange responder, in R2
This should guarantee that we don't use the new outbound SA before the peer
could install its corresponding inbound SA.
The new parameter allows the kernel backend to install the new SA with
appropriate priorities, i.e. it should:
* as exchange inititator, have the new outbound SA installed with higher
priority than the old SA
* as exchange responder, have the new outbound SA installed with lower
priority than the old SA
While we could split up the SA installation at the responder, this approach
has another advantage: it allows the kernel backend to switch SAs based on
other criteria, for example when receiving traffic on the new inbound SA.
2013-05-08 08:31:06 +00:00
|
|
|
status_o = this->child_sa->install(this->child_sa,
|
|
|
|
|
encr_r, integ_r, this->spi_i, this->cpi_i,
|
2017-03-01 13:40:15 +00:00
|
|
|
this->initiator, FALSE, FALSE);
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (status_i != SUCCESS || status_o != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
|
|
|
|
|
(status_i != SUCCESS) ? "inbound " : "",
|
|
|
|
|
(status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
|
|
|
|
|
(status_o != SUCCESS) ? "outbound " : "");
|
2016-09-14 13:57:21 +00:00
|
|
|
status = FAILED;
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2017-03-01 13:40:15 +00:00
|
|
|
status = this->child_sa->install_policies(this->child_sa);
|
|
|
|
|
|
2016-09-14 13:57:21 +00:00
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
charon->bus->child_derived_keys(charon->bus, this->child_sa,
|
|
|
|
|
this->initiator, encr_i, encr_r,
|
|
|
|
|
integ_i, integ_r);
|
|
|
|
|
}
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
2016-09-14 13:57:21 +00:00
|
|
|
chunk_clear(&integ_i);
|
|
|
|
|
chunk_clear(&integ_r);
|
|
|
|
|
chunk_clear(&encr_i);
|
|
|
|
|
chunk_clear(&encr_r);
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
if (status != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
|
2011-12-07 16:43:58 +00:00
|
|
|
this->dh, this->nonce_i, this->nonce_r);
|
2011-11-22 14:24:24 +00:00
|
|
|
|
2013-07-17 08:01:22 +00:00
|
|
|
my_ts = linked_list_create_from_enumerator(
|
|
|
|
|
this->child_sa->create_ts_enumerator(this->child_sa, TRUE));
|
|
|
|
|
other_ts = linked_list_create_from_enumerator(
|
|
|
|
|
this->child_sa->create_ts_enumerator(this->child_sa, FALSE));
|
|
|
|
|
|
2011-11-22 14:24:24 +00:00
|
|
|
DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
|
2015-10-07 14:25:05 +00:00
|
|
|
"with SPIs %.8x_i %.8x_o and TS %#R === %#R",
|
2011-11-22 14:24:24 +00:00
|
|
|
this->child_sa->get_name(this->child_sa),
|
2014-10-28 09:54:38 +00:00
|
|
|
this->child_sa->get_unique_id(this->child_sa),
|
2011-11-22 14:24:24 +00:00
|
|
|
ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
|
2013-07-17 08:01:22 +00:00
|
|
|
ntohl(this->child_sa->get_spi(this->child_sa, FALSE)), my_ts, other_ts);
|
|
|
|
|
|
|
|
|
|
my_ts->destroy(my_ts);
|
|
|
|
|
other_ts->destroy(other_ts);
|
2011-11-22 14:24:24 +00:00
|
|
|
|
2017-06-20 10:01:24 +00:00
|
|
|
this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
|
|
|
|
|
this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
|
|
|
|
|
|
2012-01-16 15:17:27 +00:00
|
|
|
if (this->rekey)
|
|
|
|
|
{
|
|
|
|
|
old = this->ike_sa->get_child_sa(this->ike_sa,
|
|
|
|
|
this->proposal->get_protocol(this->proposal),
|
|
|
|
|
this->rekey, TRUE);
|
|
|
|
|
}
|
|
|
|
|
if (old)
|
|
|
|
|
{
|
|
|
|
|
charon->bus->child_rekey(charon->bus, old, this->child_sa);
|
2016-02-17 16:31:51 +00:00
|
|
|
/* rekeyed CHILD_SAs stay installed until they expire or are deleted
|
|
|
|
|
* by the other peer */
|
2015-03-24 17:36:49 +00:00
|
|
|
old->set_state(old, CHILD_REKEYED);
|
2016-02-17 16:31:51 +00:00
|
|
|
/* as initiator we delete the CHILD_SA if configured to do so */
|
|
|
|
|
if (this->initiator && this->delete)
|
|
|
|
|
{
|
|
|
|
|
this->ike_sa->queue_task(this->ike_sa,
|
|
|
|
|
(task_t*)quick_delete_create(this->ike_sa,
|
|
|
|
|
this->proposal->get_protocol(this->proposal),
|
|
|
|
|
this->rekey, TRUE, FALSE));
|
|
|
|
|
}
|
2012-01-16 15:17:27 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
|
|
|
|
|
}
|
2014-10-27 14:19:09 +00:00
|
|
|
schedule_inactivity_timeout(this);
|
2011-11-22 14:24:24 +00:00
|
|
|
this->child_sa = NULL;
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-24 08:51:40 +00:00
|
|
|
/**
|
|
|
|
|
* Generate and add NONCE
|
|
|
|
|
*/
|
|
|
|
|
static bool add_nonce(private_quick_mode_t *this, chunk_t *nonce,
|
|
|
|
|
message_t *message)
|
|
|
|
|
{
|
|
|
|
|
nonce_payload_t *nonce_payload;
|
2012-05-02 15:49:41 +00:00
|
|
|
nonce_gen_t *nonceg;
|
2011-11-24 08:51:40 +00:00
|
|
|
|
2012-05-02 15:49:41 +00:00
|
|
|
nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
|
|
|
|
|
if (!nonceg)
|
2011-11-24 08:51:40 +00:00
|
|
|
{
|
2012-05-02 15:49:41 +00:00
|
|
|
DBG1(DBG_IKE, "no nonce generator found to create nonce");
|
2011-11-24 08:51:40 +00:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
2012-06-12 08:54:02 +00:00
|
|
|
if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, nonce))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "nonce allocation failed");
|
|
|
|
|
nonceg->destroy(nonceg);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2012-05-02 15:49:41 +00:00
|
|
|
nonceg->destroy(nonceg);
|
2011-11-24 08:51:40 +00:00
|
|
|
|
2013-10-29 09:09:39 +00:00
|
|
|
nonce_payload = nonce_payload_create(PLV1_NONCE);
|
2011-11-24 08:51:40 +00:00
|
|
|
nonce_payload->set_nonce(nonce_payload, *nonce);
|
|
|
|
|
message->add_payload(message, &nonce_payload->payload_interface);
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Extract nonce from NONCE payload
|
|
|
|
|
*/
|
|
|
|
|
static bool get_nonce(private_quick_mode_t *this, chunk_t *nonce,
|
|
|
|
|
message_t *message)
|
|
|
|
|
{
|
|
|
|
|
nonce_payload_t *nonce_payload;
|
|
|
|
|
|
2013-10-29 09:09:39 +00:00
|
|
|
nonce_payload = (nonce_payload_t*)message->get_payload(message, PLV1_NONCE);
|
2011-11-24 08:51:40 +00:00
|
|
|
if (!nonce_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "NONCE payload missing in message");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
*nonce = nonce_payload->get_nonce(nonce_payload);
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-07 16:43:58 +00:00
|
|
|
/**
|
|
|
|
|
* Add KE payload to message
|
|
|
|
|
*/
|
2015-03-23 10:10:40 +00:00
|
|
|
static bool add_ke(private_quick_mode_t *this, message_t *message)
|
2011-12-07 16:43:58 +00:00
|
|
|
{
|
|
|
|
|
ke_payload_t *ke_payload;
|
|
|
|
|
|
2015-03-23 10:10:40 +00:00
|
|
|
ke_payload = ke_payload_create_from_diffie_hellman(PLV1_KEY_EXCHANGE,
|
|
|
|
|
this->dh);
|
|
|
|
|
if (!ke_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "creating KE payload failed");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
message->add_payload(message, &ke_payload->payload_interface);
|
2015-03-23 10:10:40 +00:00
|
|
|
return TRUE;
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get DH value from a KE payload
|
|
|
|
|
*/
|
|
|
|
|
static bool get_ke(private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
ke_payload_t *ke_payload;
|
|
|
|
|
|
2013-10-29 09:09:39 +00:00
|
|
|
ke_payload = (ke_payload_t*)message->get_payload(message, PLV1_KEY_EXCHANGE);
|
2011-12-07 16:43:58 +00:00
|
|
|
if (!ke_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "KE payload missing");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2015-03-24 08:37:38 +00:00
|
|
|
if (!this->dh->set_other_public_value(this->dh,
|
2015-03-23 12:09:32 +00:00
|
|
|
ke_payload->get_key_exchange_data(ke_payload)))
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "unable to apply received KE value");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-24 09:20:59 +00:00
|
|
|
/**
|
|
|
|
|
* Select a traffic selector from configuration
|
|
|
|
|
*/
|
2011-12-13 14:32:53 +00:00
|
|
|
static traffic_selector_t* select_ts(private_quick_mode_t *this, bool local,
|
|
|
|
|
linked_list_t *supplied)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
|
|
|
|
traffic_selector_t *ts;
|
2012-09-18 10:46:36 +00:00
|
|
|
linked_list_t *list, *hosts;
|
2011-11-24 09:20:59 +00:00
|
|
|
|
2012-09-18 10:46:36 +00:00
|
|
|
hosts = get_dynamic_hosts(this->ike_sa, local);
|
|
|
|
|
list = this->config->get_traffic_selectors(this->config,
|
2018-05-29 16:12:16 +00:00
|
|
|
local, supplied, hosts, TRUE);
|
2012-09-18 10:46:36 +00:00
|
|
|
hosts->destroy(hosts);
|
2011-11-24 09:20:59 +00:00
|
|
|
if (list->get_first(list, (void**)&ts) == SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
ts = ts->clone(ts);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "%s traffic selector missing in configuration",
|
2014-05-14 08:00:20 +00:00
|
|
|
local ? "local" : "remote");
|
2011-11-24 09:20:59 +00:00
|
|
|
ts = NULL;
|
|
|
|
|
}
|
|
|
|
|
list->destroy_offset(list, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
return ts;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Add selected traffic selectors to message
|
|
|
|
|
*/
|
2011-11-24 09:33:43 +00:00
|
|
|
static void add_ts(private_quick_mode_t *this, message_t *message)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
|
2013-07-25 15:08:17 +00:00
|
|
|
id_payload = id_payload_create_from_ts(this->tsi);
|
|
|
|
|
message->add_payload(message, &id_payload->payload_interface);
|
|
|
|
|
id_payload = id_payload_create_from_ts(this->tsr);
|
|
|
|
|
message->add_payload(message, &id_payload->payload_interface);
|
2011-11-24 09:20:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get traffic selectors from received message
|
|
|
|
|
*/
|
2011-11-24 09:33:43 +00:00
|
|
|
static bool get_ts(private_quick_mode_t *this, message_t *message)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
|
|
|
|
traffic_selector_t *tsi = NULL, *tsr = NULL;
|
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
id_payload_t *id_payload;
|
|
|
|
|
payload_t *payload;
|
|
|
|
|
host_t *hsi, *hsr;
|
|
|
|
|
bool first = TRUE;
|
|
|
|
|
|
|
|
|
|
enumerator = message->create_payload_enumerator(message);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &payload))
|
|
|
|
|
{
|
2013-10-29 09:09:39 +00:00
|
|
|
if (payload->get_type(payload) == PLV1_ID)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
|
|
|
|
id_payload = (id_payload_t*)payload;
|
|
|
|
|
|
|
|
|
|
if (first)
|
|
|
|
|
{
|
|
|
|
|
tsi = id_payload->get_ts(id_payload);
|
|
|
|
|
first = FALSE;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
tsr = id_payload->get_ts(id_payload);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
|
|
|
|
|
/* create host2host selectors if ID payloads missing */
|
2011-11-24 09:33:43 +00:00
|
|
|
if (this->initiator)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
|
|
|
|
hsi = this->ike_sa->get_my_host(this->ike_sa);
|
|
|
|
|
hsr = this->ike_sa->get_other_host(this->ike_sa);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
hsr = this->ike_sa->get_my_host(this->ike_sa);
|
|
|
|
|
hsi = this->ike_sa->get_other_host(this->ike_sa);
|
|
|
|
|
}
|
|
|
|
|
if (!tsi)
|
|
|
|
|
{
|
|
|
|
|
tsi = traffic_selector_create_from_subnet(hsi->clone(hsi),
|
2013-02-21 10:04:35 +00:00
|
|
|
hsi->get_family(hsi) == AF_INET ? 32 : 128, 0, 0, 65535);
|
2011-11-24 09:20:59 +00:00
|
|
|
}
|
|
|
|
|
if (!tsr)
|
|
|
|
|
{
|
|
|
|
|
tsr = traffic_selector_create_from_subnet(hsr->clone(hsr),
|
2013-02-21 10:04:35 +00:00
|
|
|
hsr->get_family(hsr) == AF_INET ? 32 : 128, 0, 0, 65535);
|
2011-11-24 09:20:59 +00:00
|
|
|
}
|
2019-03-22 16:39:47 +00:00
|
|
|
if (this->mode == MODE_TRANSPORT && this->child.encap &&
|
2012-09-14 07:07:21 +00:00
|
|
|
(!tsi->is_host(tsi, hsi) || !tsr->is_host(tsr, hsr)))
|
|
|
|
|
{ /* change TS in case of a NAT in transport mode */
|
|
|
|
|
DBG2(DBG_IKE, "changing received traffic selectors %R=== %R due to NAT",
|
|
|
|
|
tsi, tsr);
|
|
|
|
|
tsi->set_address(tsi, hsi);
|
|
|
|
|
tsr->set_address(tsr, hsr);
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-24 09:33:43 +00:00
|
|
|
if (this->initiator)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
2013-03-07 08:50:43 +00:00
|
|
|
traffic_selector_t *tsisub, *tsrsub;
|
|
|
|
|
|
2012-12-13 14:25:03 +00:00
|
|
|
/* check if peer selection is valid */
|
2013-03-07 08:50:43 +00:00
|
|
|
tsisub = this->tsi->get_subset(this->tsi, tsi);
|
|
|
|
|
tsrsub = this->tsr->get_subset(this->tsr, tsr);
|
|
|
|
|
if (!tsisub || !tsrsub)
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
2012-12-13 14:25:03 +00:00
|
|
|
DBG1(DBG_IKE, "peer selected invalid traffic selectors: "
|
2011-11-24 09:20:59 +00:00
|
|
|
"%R for %R, %R for %R", tsi, this->tsi, tsr, this->tsr);
|
2013-03-07 08:50:43 +00:00
|
|
|
DESTROY_IF(tsisub);
|
|
|
|
|
DESTROY_IF(tsrsub);
|
2011-11-24 09:20:59 +00:00
|
|
|
tsi->destroy(tsi);
|
|
|
|
|
tsr->destroy(tsr);
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
2013-03-07 08:50:43 +00:00
|
|
|
tsi->destroy(tsi);
|
|
|
|
|
tsr->destroy(tsr);
|
2011-11-24 09:20:59 +00:00
|
|
|
this->tsi->destroy(this->tsi);
|
|
|
|
|
this->tsr->destroy(this->tsr);
|
2013-03-07 08:50:43 +00:00
|
|
|
this->tsi = tsisub;
|
|
|
|
|
this->tsr = tsrsub;
|
2011-11-24 09:20:59 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->tsi = tsi;
|
|
|
|
|
this->tsr = tsr;
|
|
|
|
|
}
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
2012-12-15 13:11:26 +00:00
|
|
|
/**
|
|
|
|
|
* Get encap
|
|
|
|
|
*/
|
|
|
|
|
static encap_t get_encap(ike_sa_t* ike_sa, bool udp)
|
|
|
|
|
{
|
|
|
|
|
if (!udp)
|
|
|
|
|
{
|
|
|
|
|
return ENCAP_NONE;
|
|
|
|
|
}
|
|
|
|
|
if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
|
|
|
|
|
{
|
|
|
|
|
return ENCAP_UDP_DRAFT_00_03;
|
|
|
|
|
}
|
|
|
|
|
return ENCAP_UDP;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get NAT-OA payload type (RFC 3947 or RFC 3947 drafts).
|
|
|
|
|
*/
|
|
|
|
|
static payload_type_t get_nat_oa_payload_type(ike_sa_t *ike_sa)
|
|
|
|
|
{
|
|
|
|
|
if (ike_sa->supports_extension(ike_sa, EXT_NATT_DRAFT_02_03))
|
|
|
|
|
{
|
2013-10-29 09:09:39 +00:00
|
|
|
return PLV1_NAT_OA_DRAFT_00_03;
|
2012-12-15 13:11:26 +00:00
|
|
|
}
|
2013-10-29 09:09:39 +00:00
|
|
|
return PLV1_NAT_OA;
|
2012-12-15 13:11:26 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-30 17:03:06 +00:00
|
|
|
/**
|
|
|
|
|
* Add NAT-OA payloads
|
|
|
|
|
*/
|
|
|
|
|
static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
|
|
|
|
identification_t *id;
|
|
|
|
|
id_payload_t *nat_oa;
|
2017-03-03 16:11:04 +00:00
|
|
|
host_t *init, *resp;
|
2012-12-15 13:11:26 +00:00
|
|
|
payload_type_t nat_oa_payload_type;
|
2011-11-30 17:03:06 +00:00
|
|
|
|
2017-03-03 16:11:04 +00:00
|
|
|
if (this->initiator)
|
|
|
|
|
{
|
|
|
|
|
init = message->get_source(message);
|
|
|
|
|
resp = message->get_destination(message);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
init = message->get_destination(message);
|
|
|
|
|
resp = message->get_source(message);
|
|
|
|
|
}
|
2011-11-30 17:03:06 +00:00
|
|
|
|
2012-12-15 13:11:26 +00:00
|
|
|
nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
|
|
|
|
|
|
2011-11-30 17:03:06 +00:00
|
|
|
/* first NAT-OA is the initiator's address */
|
2017-03-03 16:11:04 +00:00
|
|
|
id = identification_create_from_sockaddr(init->get_sockaddr(init));
|
2012-12-15 13:11:26 +00:00
|
|
|
nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
|
2011-11-30 17:03:06 +00:00
|
|
|
message->add_payload(message, (payload_t*)nat_oa);
|
|
|
|
|
id->destroy(id);
|
|
|
|
|
|
|
|
|
|
/* second NAT-OA is that of the responder */
|
2017-03-03 16:11:04 +00:00
|
|
|
id = identification_create_from_sockaddr(resp->get_sockaddr(resp));
|
2012-12-15 13:11:26 +00:00
|
|
|
nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
|
2011-11-30 17:03:06 +00:00
|
|
|
message->add_payload(message, (payload_t*)nat_oa);
|
|
|
|
|
id->destroy(id);
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-24 14:25:00 +00:00
|
|
|
/**
|
|
|
|
|
* Look up lifetimes
|
|
|
|
|
*/
|
|
|
|
|
static void get_lifetimes(private_quick_mode_t *this)
|
|
|
|
|
{
|
|
|
|
|
lifetime_cfg_t *lft;
|
|
|
|
|
|
2016-05-03 15:33:43 +00:00
|
|
|
lft = this->config->get_lifetime(this->config, TRUE);
|
2011-11-24 14:25:00 +00:00
|
|
|
if (lft->time.life)
|
|
|
|
|
{
|
|
|
|
|
this->lifetime = lft->time.life;
|
|
|
|
|
}
|
2016-06-15 15:43:55 +00:00
|
|
|
if (lft->bytes.life)
|
2011-11-24 14:25:00 +00:00
|
|
|
{
|
|
|
|
|
this->lifebytes = lft->bytes.life;
|
|
|
|
|
}
|
|
|
|
|
free(lft);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check and apply lifetimes
|
|
|
|
|
*/
|
|
|
|
|
static void apply_lifetimes(private_quick_mode_t *this, sa_payload_t *sa_payload)
|
|
|
|
|
{
|
2016-03-22 12:22:01 +00:00
|
|
|
uint32_t lifetime;
|
|
|
|
|
uint64_t lifebytes;
|
2011-11-24 14:25:00 +00:00
|
|
|
|
2020-02-06 14:52:06 +00:00
|
|
|
lifetime = sa_payload->get_lifetime(sa_payload, this->proposal);
|
|
|
|
|
lifebytes = sa_payload->get_lifebytes(sa_payload, this->proposal);
|
2011-11-24 14:25:00 +00:00
|
|
|
if (this->lifetime != lifetime)
|
|
|
|
|
{
|
2012-01-02 14:49:20 +00:00
|
|
|
DBG1(DBG_IKE, "received %us lifetime, configured %us",
|
2011-11-24 14:25:00 +00:00
|
|
|
lifetime, this->lifetime);
|
2012-01-02 14:49:20 +00:00
|
|
|
this->lifetime = lifetime;
|
2011-11-24 14:25:00 +00:00
|
|
|
}
|
|
|
|
|
if (this->lifebytes != lifebytes)
|
|
|
|
|
{
|
2012-01-02 14:49:20 +00:00
|
|
|
DBG1(DBG_IKE, "received %llu lifebytes, configured %llu",
|
2011-11-24 14:25:00 +00:00
|
|
|
lifebytes, this->lifebytes);
|
2012-01-02 14:49:20 +00:00
|
|
|
this->lifebytes = lifebytes;
|
2011-11-24 14:25:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2011-12-12 17:13:10 +00:00
|
|
|
/**
|
|
|
|
|
* Set the task ready to build notify error message
|
|
|
|
|
*/
|
|
|
|
|
static status_t send_notify(private_quick_mode_t *this, notify_type_t type)
|
2011-12-12 14:54:27 +00:00
|
|
|
{
|
|
|
|
|
notify_payload_t *notify;
|
|
|
|
|
|
2013-10-29 09:09:39 +00:00
|
|
|
notify = notify_payload_create_from_protocol_and_type(PLV1_NOTIFY,
|
2013-06-20 14:12:58 +00:00
|
|
|
this->proto, type);
|
2011-12-12 14:54:27 +00:00
|
|
|
notify->set_spi(notify, this->spi_i);
|
|
|
|
|
|
2011-12-12 17:13:10 +00:00
|
|
|
this->ike_sa->queue_task(this->ike_sa,
|
2012-01-10 16:21:52 +00:00
|
|
|
(task_t*)informational_create(this->ike_sa, notify));
|
2021-06-25 09:32:29 +00:00
|
|
|
/* cancel all active/passive tasks in favor of informational */
|
2012-05-21 12:17:09 +00:00
|
|
|
this->ike_sa->flush_queue(this->ike_sa,
|
|
|
|
|
this->initiator ? TASK_QUEUE_ACTIVE : TASK_QUEUE_PASSIVE);
|
2011-12-12 17:13:10 +00:00
|
|
|
return ALREADY_DONE;
|
2011-12-12 14:54:27 +00:00
|
|
|
}
|
|
|
|
|
|
2013-08-23 12:15:44 +00:00
|
|
|
/**
|
|
|
|
|
* Prepare a list of proposals from child_config containing only the specified
|
|
|
|
|
* DH group, unless it is set to MODP_NONE.
|
|
|
|
|
*/
|
|
|
|
|
static linked_list_t *get_proposals(private_quick_mode_t *this,
|
|
|
|
|
diffie_hellman_group_t group)
|
|
|
|
|
{
|
|
|
|
|
linked_list_t *list;
|
|
|
|
|
proposal_t *proposal;
|
|
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
|
|
|
|
|
list = this->config->get_proposals(this->config, FALSE);
|
|
|
|
|
enumerator = list->create_enumerator(list);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &proposal))
|
|
|
|
|
{
|
|
|
|
|
if (group != MODP_NONE)
|
|
|
|
|
{
|
|
|
|
|
if (!proposal->has_dh_group(proposal, group))
|
|
|
|
|
{
|
|
|
|
|
list->remove_at(list, enumerator);
|
|
|
|
|
proposal->destroy(proposal);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2019-09-05 15:23:57 +00:00
|
|
|
proposal->promote_dh_group(proposal, group);
|
2013-08-23 12:15:44 +00:00
|
|
|
}
|
|
|
|
|
proposal->set_spi(proposal, this->spi_i);
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
|
|
|
|
|
return list;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
METHOD(task_t, build_i, status_t,
|
|
|
|
|
private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
2011-11-21 16:56:39 +00:00
|
|
|
switch (this->state)
|
|
|
|
|
{
|
|
|
|
|
case QM_INIT:
|
|
|
|
|
{
|
|
|
|
|
sa_payload_t *sa_payload;
|
2012-01-18 12:28:15 +00:00
|
|
|
linked_list_t *list, *tsi, *tsr;
|
2013-06-20 14:12:58 +00:00
|
|
|
proposal_t *proposal;
|
2011-12-07 16:43:58 +00:00
|
|
|
diffie_hellman_group_t group;
|
2012-12-15 13:11:26 +00:00
|
|
|
encap_t encap;
|
2011-11-21 16:56:39 +00:00
|
|
|
|
2012-05-24 12:00:44 +00:00
|
|
|
this->mode = this->config->get_mode(this->config);
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa,
|
|
|
|
|
TRUE);
|
|
|
|
|
this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa,
|
|
|
|
|
FALSE);
|
|
|
|
|
this->child.encap = this->ike_sa->has_condition(this->ike_sa,
|
|
|
|
|
COND_NAT_ANY);
|
2011-11-22 14:24:24 +00:00
|
|
|
this->child_sa = child_sa_create(
|
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
2019-03-22 16:39:47 +00:00
|
|
|
this->config, &this->child);
|
2011-11-22 14:24:24 +00:00
|
|
|
|
2019-03-22 16:39:47 +00:00
|
|
|
if (this->child.encap && this->mode == MODE_TRANSPORT)
|
2012-05-23 16:09:21 +00:00
|
|
|
{
|
|
|
|
|
/* TODO-IKEv1: disable NAT-T for TRANSPORT mode by default? */
|
|
|
|
|
add_nat_oa_payloads(this, message);
|
|
|
|
|
}
|
2011-11-22 14:24:24 +00:00
|
|
|
|
2017-05-10 17:04:25 +00:00
|
|
|
if (this->config->has_option(this->config, OPT_IPCOMP))
|
2012-05-24 12:00:44 +00:00
|
|
|
{
|
2013-05-16 11:32:48 +00:00
|
|
|
this->cpi_i = this->child_sa->alloc_cpi(this->child_sa);
|
|
|
|
|
if (!this->cpi_i)
|
2012-05-24 12:00:44 +00:00
|
|
|
{
|
2013-05-16 11:32:48 +00:00
|
|
|
DBG1(DBG_IKE, "unable to allocate a CPI from kernel, "
|
|
|
|
|
"IPComp disabled");
|
2012-05-24 12:00:44 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-03 11:24:08 +00:00
|
|
|
list = this->config->get_proposals(this->config, FALSE);
|
2013-06-20 14:12:58 +00:00
|
|
|
if (list->get_first(list, (void**)&proposal) == SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
this->proto = proposal->get_protocol(proposal);
|
|
|
|
|
}
|
|
|
|
|
list->destroy_offset(list, offsetof(proposal_t, destroy));
|
|
|
|
|
this->spi_i = this->child_sa->alloc_spi(this->child_sa, this->proto);
|
2011-11-22 14:24:24 +00:00
|
|
|
if (!this->spi_i)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "allocating SPI from kernel failed");
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2013-06-20 14:12:58 +00:00
|
|
|
|
2012-10-18 16:09:16 +00:00
|
|
|
group = this->config->get_dh_group(this->config);
|
|
|
|
|
if (group != MODP_NONE)
|
|
|
|
|
{
|
2013-08-23 12:15:44 +00:00
|
|
|
proposal_t *proposal;
|
2016-03-22 12:22:01 +00:00
|
|
|
uint16_t preferred_group;
|
2013-08-23 12:15:44 +00:00
|
|
|
|
|
|
|
|
proposal = this->ike_sa->get_proposal(this->ike_sa);
|
|
|
|
|
proposal->get_algorithm(proposal, DIFFIE_HELLMAN_GROUP,
|
|
|
|
|
&preferred_group, NULL);
|
|
|
|
|
/* try the negotiated DH group from IKE_SA */
|
|
|
|
|
list = get_proposals(this, preferred_group);
|
|
|
|
|
if (list->get_count(list))
|
|
|
|
|
{
|
|
|
|
|
group = preferred_group;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
/* fall back to the first configured DH group */
|
|
|
|
|
list->destroy(list);
|
|
|
|
|
list = get_proposals(this, group);
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-18 16:09:16 +00:00
|
|
|
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
|
|
|
|
|
group);
|
|
|
|
|
if (!this->dh)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "configured DH group %N not supported",
|
|
|
|
|
diffie_hellman_group_names, group);
|
2013-08-23 12:15:44 +00:00
|
|
|
list->destroy_offset(list, offsetof(proposal_t, destroy));
|
2012-10-18 16:09:16 +00:00
|
|
|
return FAILED;
|
|
|
|
|
}
|
|
|
|
|
}
|
2013-08-23 12:15:44 +00:00
|
|
|
else
|
2011-11-22 14:24:24 +00:00
|
|
|
{
|
2013-08-23 12:15:44 +00:00
|
|
|
list = get_proposals(this, MODP_NONE);
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-24 14:25:00 +00:00
|
|
|
get_lifetimes(this);
|
2019-03-22 16:39:47 +00:00
|
|
|
encap = get_encap(this->ike_sa, this->child.encap);
|
2011-11-24 10:39:31 +00:00
|
|
|
sa_payload = sa_payload_create_from_proposals_v1(list,
|
2011-11-24 14:25:00 +00:00
|
|
|
this->lifetime, this->lifebytes, AUTH_NONE,
|
2012-12-15 13:11:26 +00:00
|
|
|
this->mode, encap, this->cpi_i);
|
2011-11-21 16:56:39 +00:00
|
|
|
list->destroy_offset(list, offsetof(proposal_t, destroy));
|
|
|
|
|
message->add_payload(message, &sa_payload->payload_interface);
|
|
|
|
|
|
2011-11-24 08:51:40 +00:00
|
|
|
if (!add_nonce(this, &this->nonce_i, message))
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
if (group != MODP_NONE)
|
|
|
|
|
{
|
2015-03-23 10:10:40 +00:00
|
|
|
if (!add_ke(this, message))
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
2012-06-05 13:27:34 +00:00
|
|
|
if (!this->tsi)
|
|
|
|
|
{
|
|
|
|
|
this->tsi = select_ts(this, TRUE, NULL);
|
|
|
|
|
}
|
|
|
|
|
if (!this->tsr)
|
|
|
|
|
{
|
|
|
|
|
this->tsr = select_ts(this, FALSE, NULL);
|
|
|
|
|
}
|
2012-09-18 10:44:59 +00:00
|
|
|
tsi = linked_list_create_with_items(this->tsi, NULL);
|
|
|
|
|
tsr = linked_list_create_with_items(this->tsr, NULL);
|
2012-01-18 12:28:15 +00:00
|
|
|
this->tsi = this->tsr = NULL;
|
|
|
|
|
charon->bus->narrow(charon->bus, this->child_sa,
|
|
|
|
|
NARROW_INITIATOR_PRE_AUTH, tsi, tsr);
|
|
|
|
|
tsi->remove_first(tsi, (void**)&this->tsi);
|
|
|
|
|
tsr->remove_first(tsr, (void**)&this->tsr);
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
2011-11-24 09:20:59 +00:00
|
|
|
if (!this->tsi || !this->tsr)
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-11-24 09:33:43 +00:00
|
|
|
add_ts(this, message);
|
2011-11-21 16:56:39 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
case QM_NEGOTIATED:
|
|
|
|
|
{
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-11-21 10:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
2011-12-07 16:51:35 +00:00
|
|
|
/**
|
|
|
|
|
* Check for notify errors, return TRUE if error found
|
|
|
|
|
*/
|
|
|
|
|
static bool has_notify_errors(private_quick_mode_t *this, message_t *message)
|
2011-12-02 15:22:42 +00:00
|
|
|
{
|
2011-12-07 16:51:35 +00:00
|
|
|
enumerator_t *enumerator;
|
|
|
|
|
payload_t *payload;
|
|
|
|
|
bool err = FALSE;
|
|
|
|
|
|
|
|
|
|
enumerator = message->create_payload_enumerator(message);
|
|
|
|
|
while (enumerator->enumerate(enumerator, &payload))
|
2011-12-02 15:22:42 +00:00
|
|
|
{
|
2013-10-29 09:09:39 +00:00
|
|
|
if (payload->get_type(payload) == PLV1_NOTIFY)
|
2011-12-07 16:51:35 +00:00
|
|
|
{
|
|
|
|
|
notify_payload_t *notify;
|
|
|
|
|
notify_type_t type;
|
|
|
|
|
|
|
|
|
|
notify = (notify_payload_t*)payload;
|
|
|
|
|
type = notify->get_notify_type(notify);
|
|
|
|
|
if (type < 16384)
|
|
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
|
2011-12-07 16:51:35 +00:00
|
|
|
DBG1(DBG_IKE, "received %N error notify",
|
|
|
|
|
notify_type_names, type);
|
|
|
|
|
err = TRUE;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "received %N notify", notify_type_names, type);
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-12-02 15:22:42 +00:00
|
|
|
}
|
2011-12-07 16:51:35 +00:00
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
|
|
|
|
|
return err;
|
2011-12-02 15:22:42 +00:00
|
|
|
}
|
|
|
|
|
|
2012-01-02 15:36:39 +00:00
|
|
|
/**
|
|
|
|
|
* Check if this is a rekey for an existing CHILD_SA, reuse reqid if so
|
|
|
|
|
*/
|
2018-03-27 14:55:59 +00:00
|
|
|
static void check_for_rekeyed_child(private_quick_mode_t *this, bool responder)
|
2012-01-02 15:36:39 +00:00
|
|
|
{
|
|
|
|
|
enumerator_t *enumerator, *policies;
|
2018-03-27 14:55:59 +00:00
|
|
|
traffic_selector_t *local, *remote, *my_ts, *other_ts;
|
2012-01-02 15:36:39 +00:00
|
|
|
child_sa_t *child_sa;
|
2013-04-03 15:08:00 +00:00
|
|
|
proposal_t *proposal;
|
|
|
|
|
char *name;
|
2012-01-02 15:36:39 +00:00
|
|
|
|
2018-03-27 14:55:59 +00:00
|
|
|
if (responder)
|
|
|
|
|
{
|
|
|
|
|
my_ts = this->tsr;
|
|
|
|
|
other_ts = this->tsi;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
my_ts = this->tsi;
|
|
|
|
|
other_ts = this->tsr;
|
|
|
|
|
}
|
|
|
|
|
|
2013-04-03 15:08:00 +00:00
|
|
|
name = this->config->get_name(this->config);
|
2012-01-02 15:36:39 +00:00
|
|
|
enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
|
2019-03-22 16:39:47 +00:00
|
|
|
while (!this->child.reqid && enumerator->enumerate(enumerator, &child_sa))
|
2012-01-02 15:36:39 +00:00
|
|
|
{
|
2013-04-03 15:08:00 +00:00
|
|
|
if (streq(child_sa->get_name(child_sa), name))
|
2012-01-02 15:36:39 +00:00
|
|
|
{
|
2013-04-03 15:08:00 +00:00
|
|
|
proposal = child_sa->get_proposal(child_sa);
|
|
|
|
|
switch (child_sa->get_state(child_sa))
|
2012-01-02 15:36:39 +00:00
|
|
|
{
|
2013-04-03 15:08:00 +00:00
|
|
|
case CHILD_INSTALLED:
|
|
|
|
|
case CHILD_REKEYING:
|
|
|
|
|
policies = child_sa->create_policy_enumerator(child_sa);
|
|
|
|
|
if (policies->enumerate(policies, &local, &remote) &&
|
2018-03-27 14:55:59 +00:00
|
|
|
local->equals(local, my_ts) &&
|
|
|
|
|
remote->equals(remote, other_ts) &&
|
2013-04-03 15:08:00 +00:00
|
|
|
this->proposal->equals(this->proposal, proposal))
|
|
|
|
|
{
|
|
|
|
|
this->rekey = child_sa->get_spi(child_sa, TRUE);
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.reqid = child_sa->get_reqid(child_sa);
|
|
|
|
|
this->child.mark_in = child_sa->get_mark(child_sa,
|
|
|
|
|
TRUE).value;
|
|
|
|
|
this->child.mark_out = child_sa->get_mark(child_sa,
|
|
|
|
|
FALSE).value;
|
|
|
|
|
this->child.if_id_in = child_sa->get_if_id(child_sa,
|
|
|
|
|
TRUE);
|
|
|
|
|
this->child.if_id_out = child_sa->get_if_id(child_sa,
|
|
|
|
|
FALSE);
|
2013-04-03 15:08:00 +00:00
|
|
|
child_sa->set_state(child_sa, CHILD_REKEYING);
|
|
|
|
|
DBG1(DBG_IKE, "detected rekeying of CHILD_SA %s{%u}",
|
2014-10-28 09:54:38 +00:00
|
|
|
child_sa->get_name(child_sa),
|
|
|
|
|
child_sa->get_unique_id(child_sa));
|
2013-04-03 15:08:00 +00:00
|
|
|
}
|
|
|
|
|
policies->destroy(policies);
|
2016-04-20 11:56:55 +00:00
|
|
|
break;
|
|
|
|
|
case CHILD_REKEYED:
|
|
|
|
|
default:
|
|
|
|
|
break;
|
2012-01-02 15:36:39 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
enumerator->destroy(enumerator);
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
METHOD(task_t, process_r, status_t,
|
|
|
|
|
private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
2015-08-19 13:28:02 +00:00
|
|
|
if (this->mid && this->mid != message->get_message_id(message))
|
|
|
|
|
{ /* not responsible for this quick mode exchange */
|
2015-10-07 14:08:22 +00:00
|
|
|
return INVALID_ARG;
|
2015-08-19 13:28:02 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-21 16:56:39 +00:00
|
|
|
switch (this->state)
|
|
|
|
|
{
|
|
|
|
|
case QM_INIT:
|
|
|
|
|
{
|
|
|
|
|
sa_payload_t *sa_payload;
|
2012-09-18 10:46:36 +00:00
|
|
|
linked_list_t *tsi, *tsr, *hostsi, *hostsr, *list = NULL;
|
2011-11-21 16:56:39 +00:00
|
|
|
peer_cfg_t *peer_cfg;
|
2016-03-22 12:22:01 +00:00
|
|
|
uint16_t group;
|
2019-09-03 11:24:08 +00:00
|
|
|
proposal_selection_flag_t flags = 0;
|
2011-11-21 16:56:39 +00:00
|
|
|
|
2012-09-14 07:07:21 +00:00
|
|
|
sa_payload = (sa_payload_t*)message->get_payload(message,
|
2013-10-29 09:09:39 +00:00
|
|
|
PLV1_SECURITY_ASSOCIATION);
|
2012-09-14 07:07:21 +00:00
|
|
|
if (!sa_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "sa payload missing");
|
|
|
|
|
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-22 16:39:47 +00:00
|
|
|
this->mode = sa_payload->get_encap_mode(sa_payload,
|
|
|
|
|
&this->child.encap);
|
2012-09-14 07:07:21 +00:00
|
|
|
|
2011-11-24 09:33:43 +00:00
|
|
|
if (!get_ts(this, message))
|
2011-11-23 14:55:00 +00:00
|
|
|
{
|
2011-11-24 09:20:59 +00:00
|
|
|
return FAILED;
|
2011-11-23 14:55:00 +00:00
|
|
|
}
|
2011-11-21 16:56:39 +00:00
|
|
|
peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
|
2012-09-18 10:44:59 +00:00
|
|
|
tsi = linked_list_create_with_items(this->tsi, NULL);
|
|
|
|
|
tsr = linked_list_create_with_items(this->tsr, NULL);
|
2011-12-13 14:32:53 +00:00
|
|
|
this->tsi = this->tsr = NULL;
|
2012-09-18 10:46:36 +00:00
|
|
|
hostsi = get_dynamic_hosts(this->ike_sa, FALSE);
|
|
|
|
|
hostsr = get_dynamic_hosts(this->ike_sa, TRUE);
|
2011-11-21 16:56:39 +00:00
|
|
|
this->config = peer_cfg->select_child_cfg(peer_cfg, tsr, tsi,
|
2012-09-18 10:46:36 +00:00
|
|
|
hostsr, hostsi);
|
|
|
|
|
hostsi->destroy(hostsi);
|
|
|
|
|
hostsr->destroy(hostsr);
|
2011-12-20 10:15:15 +00:00
|
|
|
if (this->config)
|
|
|
|
|
{
|
|
|
|
|
this->tsi = select_ts(this, FALSE, tsi);
|
|
|
|
|
this->tsr = select_ts(this, TRUE, tsr);
|
|
|
|
|
}
|
2014-08-12 13:15:02 +00:00
|
|
|
if (!this->config || !this->tsi || !this->tsr ||
|
|
|
|
|
this->mode != this->config->get_mode(this->config))
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
2018-10-02 13:11:16 +00:00
|
|
|
DBG1(DBG_IKE, "no matching CHILD_SA config found for "
|
|
|
|
|
"%#R === %#R", tsi, tsr);
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
2011-12-22 12:26:38 +00:00
|
|
|
return send_notify(this, INVALID_ID_INFORMATION);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2018-10-02 13:11:16 +00:00
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
2011-11-21 16:56:39 +00:00
|
|
|
|
2017-05-10 17:04:25 +00:00
|
|
|
if (this->config->has_option(this->config, OPT_IPCOMP))
|
2012-05-24 12:00:44 +00:00
|
|
|
{
|
2013-05-16 11:32:48 +00:00
|
|
|
list = sa_payload->get_ipcomp_proposals(sa_payload,
|
|
|
|
|
&this->cpi_i);
|
|
|
|
|
if (!list->get_count(list))
|
2012-05-24 12:00:44 +00:00
|
|
|
{
|
2013-05-16 11:32:48 +00:00
|
|
|
DBG1(DBG_IKE, "expected IPComp proposal but peer did "
|
|
|
|
|
"not send one, IPComp disabled");
|
|
|
|
|
this->cpi_i = 0;
|
2012-05-24 12:00:44 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!list || !list->get_count(list))
|
|
|
|
|
{
|
|
|
|
|
DESTROY_IF(list);
|
|
|
|
|
list = sa_payload->get_proposals(sa_payload);
|
|
|
|
|
}
|
2019-09-12 14:58:46 +00:00
|
|
|
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
|
|
|
|
|
&& !lib->settings->get_bool(lib->settings,
|
|
|
|
|
"%s.accept_private_algs", FALSE, lib->ns))
|
2019-09-03 11:24:08 +00:00
|
|
|
{
|
2019-09-05 15:29:00 +00:00
|
|
|
flags |= PROPOSAL_SKIP_PRIVATE;
|
2019-09-03 11:24:08 +00:00
|
|
|
}
|
2019-09-04 14:25:18 +00:00
|
|
|
if (!lib->settings->get_bool(lib->settings,
|
2019-09-03 11:24:08 +00:00
|
|
|
"%s.prefer_configured_proposals", TRUE, lib->ns))
|
|
|
|
|
{
|
2019-09-04 14:25:18 +00:00
|
|
|
flags |= PROPOSAL_PREFER_SUPPLIED;
|
2019-09-03 11:24:08 +00:00
|
|
|
}
|
2016-06-01 10:03:21 +00:00
|
|
|
this->proposal = this->config->select_proposal(this->config, list,
|
2019-09-03 11:24:08 +00:00
|
|
|
flags);
|
2011-11-21 16:56:39 +00:00
|
|
|
list->destroy_offset(list, offsetof(proposal_t, destroy));
|
2011-11-24 14:25:00 +00:00
|
|
|
|
2011-11-21 16:56:39 +00:00
|
|
|
if (!this->proposal)
|
|
|
|
|
{
|
2011-12-12 17:13:10 +00:00
|
|
|
DBG1(DBG_IKE, "no matching proposal found, sending %N",
|
|
|
|
|
notify_type_names, NO_PROPOSAL_CHOSEN);
|
|
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2011-11-22 14:24:24 +00:00
|
|
|
this->spi_i = this->proposal->get_spi(this->proposal);
|
2011-11-21 16:56:39 +00:00
|
|
|
|
2020-03-26 07:41:00 +00:00
|
|
|
get_lifetimes(this);
|
|
|
|
|
apply_lifetimes(this, sa_payload);
|
|
|
|
|
|
2011-11-24 08:51:40 +00:00
|
|
|
if (!get_nonce(this, &this->nonce_i, message))
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2011-11-24 14:25:00 +00:00
|
|
|
|
2011-12-07 16:43:58 +00:00
|
|
|
if (this->proposal->get_algorithm(this->proposal,
|
|
|
|
|
DIFFIE_HELLMAN_GROUP, &group, NULL))
|
|
|
|
|
{
|
|
|
|
|
this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
|
|
|
|
|
group);
|
|
|
|
|
if (!this->dh)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "negotiated DH group %N not supported",
|
|
|
|
|
diffie_hellman_group_names, group);
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_KEY_INFORMATION);
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
|
|
|
|
if (!get_ke(this, message))
|
|
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
|
|
|
|
}
|
2011-11-24 14:25:00 +00:00
|
|
|
|
2018-03-27 14:55:59 +00:00
|
|
|
check_for_rekeyed_child(this, TRUE);
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.if_id_in_def = this->ike_sa->get_if_id(this->ike_sa,
|
|
|
|
|
TRUE);
|
|
|
|
|
this->child.if_id_out_def = this->ike_sa->get_if_id(this->ike_sa,
|
|
|
|
|
FALSE);
|
2011-11-22 14:24:24 +00:00
|
|
|
this->child_sa = child_sa_create(
|
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
2019-03-22 16:39:47 +00:00
|
|
|
this->config, &this->child);
|
2012-07-24 10:40:45 +00:00
|
|
|
|
2012-09-18 10:44:59 +00:00
|
|
|
tsi = linked_list_create_with_items(this->tsi, NULL);
|
|
|
|
|
tsr = linked_list_create_with_items(this->tsr, NULL);
|
2012-07-24 10:40:45 +00:00
|
|
|
this->tsi = this->tsr = NULL;
|
|
|
|
|
charon->bus->narrow(charon->bus, this->child_sa,
|
|
|
|
|
NARROW_RESPONDER, tsr, tsi);
|
|
|
|
|
if (tsi->remove_first(tsi, (void**)&this->tsi) != SUCCESS ||
|
|
|
|
|
tsr->remove_first(tsr, (void**)&this->tsr) != SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
return send_notify(this, INVALID_ID_INFORMATION);
|
|
|
|
|
}
|
|
|
|
|
tsi->destroy_offset(tsi, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
tsr->destroy_offset(tsr, offsetof(traffic_selector_t, destroy));
|
|
|
|
|
|
2011-11-21 16:56:39 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
case QM_NEGOTIATED:
|
|
|
|
|
{
|
2014-07-11 09:59:01 +00:00
|
|
|
if (has_notify_errors(this, message))
|
2011-12-02 15:22:42 +00:00
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return SUCCESS;
|
2011-12-02 15:22:42 +00:00
|
|
|
}
|
2014-07-11 09:59:01 +00:00
|
|
|
if (message->get_exchange_type(message) == INFORMATIONAL_V1)
|
|
|
|
|
{
|
|
|
|
|
if (message->get_payload(message, PLV1_DELETE))
|
|
|
|
|
{
|
|
|
|
|
/* If the DELETE for a Quick Mode follows immediately
|
|
|
|
|
* after rekeying, we might receive it before the
|
|
|
|
|
* third completing Quick Mode message. Ignore it, as
|
|
|
|
|
* it gets handled by a separately queued delete task. */
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
2019-05-16 08:19:15 +00:00
|
|
|
if (!this->rekey)
|
|
|
|
|
{
|
|
|
|
|
/* do another check in case SAs were created since we handled
|
|
|
|
|
* the QM request, this is consistent with the rekey check
|
|
|
|
|
* before installation on the initiator */
|
|
|
|
|
check_for_rekeyed_child(this, TRUE);
|
|
|
|
|
if (this->rekey)
|
|
|
|
|
{
|
|
|
|
|
this->child_sa->destroy(this->child_sa);
|
|
|
|
|
this->child_sa = child_sa_create(
|
|
|
|
|
this->ike_sa->get_my_host(this->ike_sa),
|
|
|
|
|
this->ike_sa->get_other_host(this->ike_sa),
|
|
|
|
|
this->config, &this->child);
|
|
|
|
|
}
|
|
|
|
|
}
|
2011-11-22 14:24:24 +00:00
|
|
|
if (!install(this))
|
|
|
|
|
{
|
2012-06-07 12:59:20 +00:00
|
|
|
ike_sa_t *ike_sa = this->ike_sa;
|
|
|
|
|
task_t *task;
|
|
|
|
|
|
|
|
|
|
task = (task_t*)quick_delete_create(this->ike_sa,
|
2011-12-15 17:04:39 +00:00
|
|
|
this->proposal->get_protocol(this->proposal),
|
2012-06-07 12:59:20 +00:00
|
|
|
this->spi_i, TRUE, TRUE);
|
|
|
|
|
/* flush_queue() destroys the current task */
|
|
|
|
|
ike_sa->flush_queue(ike_sa, TASK_QUEUE_PASSIVE);
|
|
|
|
|
ike_sa->queue_task(ike_sa, task);
|
2011-12-15 17:04:39 +00:00
|
|
|
return ALREADY_DONE;
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
2011-11-21 16:56:39 +00:00
|
|
|
return SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-11-21 10:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(task_t, build_r, status_t,
|
|
|
|
|
private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
2015-08-19 13:28:02 +00:00
|
|
|
if (this->mid && this->mid != message->get_message_id(message))
|
|
|
|
|
{ /* not responsible for this quick mode exchange */
|
2015-10-07 14:08:22 +00:00
|
|
|
return INVALID_ARG;
|
2015-08-19 13:28:02 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-21 16:56:39 +00:00
|
|
|
switch (this->state)
|
|
|
|
|
{
|
|
|
|
|
case QM_INIT:
|
|
|
|
|
{
|
|
|
|
|
sa_payload_t *sa_payload;
|
2012-12-15 13:11:26 +00:00
|
|
|
encap_t encap;
|
2011-11-21 16:56:39 +00:00
|
|
|
|
2013-06-20 14:12:58 +00:00
|
|
|
this->proto = this->proposal->get_protocol(this->proposal);
|
|
|
|
|
this->spi_r = this->child_sa->alloc_spi(this->child_sa, this->proto);
|
2011-11-22 14:24:24 +00:00
|
|
|
if (!this->spi_r)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "allocating SPI from kernel failed");
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
|
|
|
|
this->proposal->set_spi(this->proposal, this->spi_r);
|
|
|
|
|
|
2012-05-24 12:00:44 +00:00
|
|
|
if (this->cpi_i)
|
|
|
|
|
{
|
|
|
|
|
this->cpi_r = this->child_sa->alloc_cpi(this->child_sa);
|
|
|
|
|
if (!this->cpi_r)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "unable to allocate a CPI from "
|
|
|
|
|
"kernel, IPComp disabled");
|
|
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-22 16:39:47 +00:00
|
|
|
if (this->child.encap && this->mode == MODE_TRANSPORT)
|
2011-11-30 16:52:14 +00:00
|
|
|
{
|
2011-11-30 17:03:06 +00:00
|
|
|
/* TODO-IKEv1: disable NAT-T for TRANSPORT mode by default? */
|
2011-12-06 09:33:10 +00:00
|
|
|
add_nat_oa_payloads(this, message);
|
2011-11-30 16:52:14 +00:00
|
|
|
}
|
|
|
|
|
|
2019-03-22 16:39:47 +00:00
|
|
|
encap = get_encap(this->ike_sa, this->child.encap);
|
2011-11-24 10:39:31 +00:00
|
|
|
sa_payload = sa_payload_create_from_proposal_v1(this->proposal,
|
2011-11-24 14:25:00 +00:00
|
|
|
this->lifetime, this->lifebytes, AUTH_NONE,
|
2012-12-15 13:11:26 +00:00
|
|
|
this->mode, encap, this->cpi_r);
|
2011-11-21 16:56:39 +00:00
|
|
|
message->add_payload(message, &sa_payload->payload_interface);
|
|
|
|
|
|
2011-11-24 08:51:40 +00:00
|
|
|
if (!add_nonce(this, &this->nonce_r, message))
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
if (this->dh)
|
|
|
|
|
{
|
2015-03-23 10:10:40 +00:00
|
|
|
if (!add_ke(this, message))
|
|
|
|
|
{
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
|
|
|
|
|
2011-11-24 09:33:43 +00:00
|
|
|
add_ts(this, message);
|
2011-11-21 16:56:39 +00:00
|
|
|
|
|
|
|
|
this->state = QM_NEGOTIATED;
|
2015-08-19 13:28:02 +00:00
|
|
|
this->mid = message->get_message_id(message);
|
2011-11-21 16:56:39 +00:00
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
2014-07-11 09:59:01 +00:00
|
|
|
case QM_NEGOTIATED:
|
|
|
|
|
if (message->get_exchange_type(message) == INFORMATIONAL_V1)
|
|
|
|
|
{
|
|
|
|
|
/* skip INFORMATIONAL response if we received a INFORMATIONAL
|
|
|
|
|
* delete, see process_r() */
|
|
|
|
|
return ALREADY_DONE;
|
|
|
|
|
}
|
|
|
|
|
/* fall */
|
2011-11-21 16:56:39 +00:00
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-11-21 10:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(task_t, process_i, status_t,
|
|
|
|
|
private_quick_mode_t *this, message_t *message)
|
|
|
|
|
{
|
2011-11-21 16:56:39 +00:00
|
|
|
switch (this->state)
|
|
|
|
|
{
|
|
|
|
|
case QM_INIT:
|
|
|
|
|
{
|
|
|
|
|
sa_payload_t *sa_payload;
|
2012-05-24 12:00:44 +00:00
|
|
|
linked_list_t *list = NULL;
|
2019-09-04 14:25:18 +00:00
|
|
|
proposal_selection_flag_t flags = 0;
|
2011-11-21 16:56:39 +00:00
|
|
|
|
|
|
|
|
sa_payload = (sa_payload_t*)message->get_payload(message,
|
2013-10-29 09:09:39 +00:00
|
|
|
PLV1_SECURITY_ASSOCIATION);
|
2011-11-21 16:56:39 +00:00
|
|
|
if (!sa_payload)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "sa payload missing");
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2012-05-24 12:00:44 +00:00
|
|
|
if (this->cpi_i)
|
|
|
|
|
{
|
|
|
|
|
list = sa_payload->get_ipcomp_proposals(sa_payload,
|
|
|
|
|
&this->cpi_r);
|
2012-05-24 12:36:57 +00:00
|
|
|
if (!list->get_count(list))
|
|
|
|
|
{
|
2018-02-13 11:04:12 +00:00
|
|
|
DBG1(DBG_IKE, "peer did not accept our IPComp proposal, "
|
2012-05-24 12:36:57 +00:00
|
|
|
"IPComp disabled");
|
|
|
|
|
this->cpi_i = 0;
|
|
|
|
|
}
|
2012-05-24 12:00:44 +00:00
|
|
|
}
|
|
|
|
|
if (!list || !list->get_count(list))
|
|
|
|
|
{
|
|
|
|
|
DESTROY_IF(list);
|
|
|
|
|
list = sa_payload->get_proposals(sa_payload);
|
|
|
|
|
}
|
2019-09-12 14:58:46 +00:00
|
|
|
if (!this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN)
|
|
|
|
|
&& !lib->settings->get_bool(lib->settings,
|
|
|
|
|
"%s.accept_private_algs", FALSE, lib->ns))
|
2019-09-03 11:24:08 +00:00
|
|
|
{
|
2019-09-05 15:29:00 +00:00
|
|
|
flags |= PROPOSAL_SKIP_PRIVATE;
|
2019-09-03 11:24:08 +00:00
|
|
|
}
|
2016-06-01 10:03:21 +00:00
|
|
|
this->proposal = this->config->select_proposal(this->config, list,
|
2019-09-03 11:24:08 +00:00
|
|
|
flags);
|
2011-11-21 16:56:39 +00:00
|
|
|
list->destroy_offset(list, offsetof(proposal_t, destroy));
|
|
|
|
|
if (!this->proposal)
|
|
|
|
|
{
|
|
|
|
|
DBG1(DBG_IKE, "no matching proposal found");
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2011-11-22 14:24:24 +00:00
|
|
|
this->spi_r = this->proposal->get_spi(this->proposal);
|
|
|
|
|
|
2011-11-24 14:25:00 +00:00
|
|
|
apply_lifetimes(this, sa_payload);
|
|
|
|
|
|
2011-11-24 08:51:40 +00:00
|
|
|
if (!get_nonce(this, &this->nonce_r, message))
|
2011-11-21 16:56:39 +00:00
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
2011-11-21 16:56:39 +00:00
|
|
|
}
|
2011-12-07 16:43:58 +00:00
|
|
|
if (this->dh && !get_ke(this, message))
|
|
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_KEY_INFORMATION);
|
2011-12-07 16:43:58 +00:00
|
|
|
}
|
2011-11-24 09:33:43 +00:00
|
|
|
if (!get_ts(this, message))
|
2011-11-24 09:20:59 +00:00
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, INVALID_PAYLOAD_TYPE);
|
2011-11-24 09:20:59 +00:00
|
|
|
}
|
2018-03-27 14:55:59 +00:00
|
|
|
check_for_rekeyed_child(this, FALSE);
|
2011-11-22 14:24:24 +00:00
|
|
|
if (!install(this))
|
|
|
|
|
{
|
2011-12-15 17:35:55 +00:00
|
|
|
return send_notify(this, NO_PROPOSAL_CHOSEN);
|
2011-11-22 14:24:24 +00:00
|
|
|
}
|
2011-11-21 16:56:39 +00:00
|
|
|
this->state = QM_NEGOTIATED;
|
|
|
|
|
return NEED_MORE;
|
|
|
|
|
}
|
|
|
|
|
default:
|
|
|
|
|
return FAILED;
|
|
|
|
|
}
|
2011-11-21 10:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(task_t, get_type, task_type_t,
|
|
|
|
|
private_quick_mode_t *this)
|
|
|
|
|
{
|
|
|
|
|
return TASK_QUICK_MODE;
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-22 12:22:01 +00:00
|
|
|
METHOD(quick_mode_t, get_mid, uint32_t,
|
2015-08-19 13:28:02 +00:00
|
|
|
private_quick_mode_t *this)
|
|
|
|
|
{
|
|
|
|
|
return this->mid;
|
|
|
|
|
}
|
|
|
|
|
|
2012-01-02 12:36:10 +00:00
|
|
|
METHOD(quick_mode_t, use_reqid, void,
|
2016-03-22 12:22:01 +00:00
|
|
|
private_quick_mode_t *this, uint32_t reqid)
|
2012-01-02 12:36:10 +00:00
|
|
|
{
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.reqid = reqid;
|
2012-01-02 12:36:10 +00:00
|
|
|
}
|
|
|
|
|
|
2014-11-13 14:26:10 +00:00
|
|
|
METHOD(quick_mode_t, use_marks, void,
|
2019-02-12 10:59:38 +00:00
|
|
|
private_quick_mode_t *this, uint32_t in, uint32_t out)
|
2014-11-13 14:26:10 +00:00
|
|
|
{
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.mark_in = in;
|
|
|
|
|
this->child.mark_out = out;
|
2014-11-13 14:26:10 +00:00
|
|
|
}
|
|
|
|
|
|
2019-02-12 10:59:38 +00:00
|
|
|
METHOD(quick_mode_t, use_if_ids, void,
|
|
|
|
|
private_quick_mode_t *this, uint32_t in, uint32_t out)
|
|
|
|
|
{
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child.if_id_in = in;
|
|
|
|
|
this->child.if_id_out = out;
|
2019-02-12 10:59:38 +00:00
|
|
|
}
|
|
|
|
|
|
2012-01-16 15:17:27 +00:00
|
|
|
METHOD(quick_mode_t, rekey, void,
|
2016-03-22 12:22:01 +00:00
|
|
|
private_quick_mode_t *this, uint32_t spi)
|
2012-01-16 15:17:27 +00:00
|
|
|
{
|
|
|
|
|
this->rekey = spi;
|
|
|
|
|
}
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
METHOD(task_t, migrate, void,
|
|
|
|
|
private_quick_mode_t *this, ike_sa_t *ike_sa)
|
|
|
|
|
{
|
2011-12-20 17:01:12 +00:00
|
|
|
chunk_free(&this->nonce_i);
|
|
|
|
|
chunk_free(&this->nonce_r);
|
|
|
|
|
DESTROY_IF(this->tsi);
|
|
|
|
|
DESTROY_IF(this->tsr);
|
|
|
|
|
DESTROY_IF(this->proposal);
|
|
|
|
|
DESTROY_IF(this->child_sa);
|
|
|
|
|
DESTROY_IF(this->dh);
|
|
|
|
|
|
2011-11-21 10:20:34 +00:00
|
|
|
this->ike_sa = ike_sa;
|
2011-12-20 17:01:12 +00:00
|
|
|
this->keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
|
|
|
|
|
this->state = QM_INIT;
|
2015-08-19 13:28:02 +00:00
|
|
|
this->mid = 0;
|
2011-12-20 17:01:12 +00:00
|
|
|
this->tsi = NULL;
|
|
|
|
|
this->tsr = NULL;
|
|
|
|
|
this->proposal = NULL;
|
|
|
|
|
this->child_sa = NULL;
|
|
|
|
|
this->dh = NULL;
|
|
|
|
|
this->spi_i = 0;
|
|
|
|
|
this->spi_r = 0;
|
2019-03-22 16:39:47 +00:00
|
|
|
this->child = (child_sa_create_t){};
|
2011-12-20 17:01:12 +00:00
|
|
|
|
|
|
|
|
if (!this->initiator)
|
|
|
|
|
{
|
|
|
|
|
DESTROY_IF(this->config);
|
|
|
|
|
this->config = NULL;
|
|
|
|
|
}
|
2011-11-21 10:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
METHOD(task_t, destroy, void,
|
|
|
|
|
private_quick_mode_t *this)
|
|
|
|
|
{
|
|
|
|
|
chunk_free(&this->nonce_i);
|
|
|
|
|
chunk_free(&this->nonce_r);
|
|
|
|
|
DESTROY_IF(this->tsi);
|
|
|
|
|
DESTROY_IF(this->tsr);
|
|
|
|
|
DESTROY_IF(this->proposal);
|
|
|
|
|
DESTROY_IF(this->child_sa);
|
|
|
|
|
DESTROY_IF(this->config);
|
2011-12-07 16:43:58 +00:00
|
|
|
DESTROY_IF(this->dh);
|
2011-11-21 10:20:34 +00:00
|
|
|
free(this);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Described in header.
|
|
|
|
|
*/
|
|
|
|
|
quick_mode_t *quick_mode_create(ike_sa_t *ike_sa, child_cfg_t *config,
|
|
|
|
|
traffic_selector_t *tsi, traffic_selector_t *tsr)
|
|
|
|
|
{
|
|
|
|
|
private_quick_mode_t *this;
|
|
|
|
|
|
|
|
|
|
INIT(this,
|
|
|
|
|
.public = {
|
|
|
|
|
.task = {
|
|
|
|
|
.get_type = _get_type,
|
|
|
|
|
.migrate = _migrate,
|
|
|
|
|
.destroy = _destroy,
|
|
|
|
|
},
|
2015-08-19 13:28:02 +00:00
|
|
|
.get_mid = _get_mid,
|
2012-01-02 12:36:10 +00:00
|
|
|
.use_reqid = _use_reqid,
|
2014-11-13 14:26:10 +00:00
|
|
|
.use_marks = _use_marks,
|
2019-02-12 10:59:38 +00:00
|
|
|
.use_if_ids = _use_if_ids,
|
2012-01-16 15:17:27 +00:00
|
|
|
.rekey = _rekey,
|
2011-11-21 10:20:34 +00:00
|
|
|
},
|
|
|
|
|
.ike_sa = ike_sa,
|
2011-11-22 14:24:24 +00:00
|
|
|
.initiator = config != NULL,
|
2011-11-21 10:20:34 +00:00
|
|
|
.config = config,
|
2011-11-22 14:24:24 +00:00
|
|
|
.keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa),
|
2011-11-21 10:20:34 +00:00
|
|
|
.state = QM_INIT,
|
2012-06-05 13:27:34 +00:00
|
|
|
.tsi = tsi ? tsi->clone(tsi) : NULL,
|
|
|
|
|
.tsr = tsr ? tsr->clone(tsr) : NULL,
|
2013-06-20 14:12:58 +00:00
|
|
|
.proto = PROTO_ESP,
|
2016-02-17 16:31:51 +00:00
|
|
|
.delete = lib->settings->get_bool(lib->settings,
|
|
|
|
|
"%s.delete_rekeyed", FALSE, lib->ns),
|
2011-11-21 10:20:34 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
|
|
if (config)
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = _build_i;
|
|
|
|
|
this->public.task.process = _process_i;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
this->public.task.build = _build_r;
|
|
|
|
|
this->public.task.process = _process_r;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &this->public;
|
|
|
|
|
}
|