2005-11-08 13:33:28 +00:00
|
|
|
/**
|
|
|
|
* @file ike_sa.c
|
2005-11-09 09:11:06 +00:00
|
|
|
*
|
2005-11-29 08:08:03 +00:00
|
|
|
* @brief Implementation of ike_sa_t.
|
2005-11-09 09:11:06 +00:00
|
|
|
*
|
2005-11-08 13:33:28 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
/*
|
2006-06-22 06:36:28 +00:00
|
|
|
* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
|
2006-07-07 08:49:06 +00:00
|
|
|
* Copyright (C) 2005-2006 Martin Willi
|
|
|
|
* Copyright (C) 2005 Jan Hutter
|
2005-11-08 13:33:28 +00:00
|
|
|
* Hochschule fuer Technik Rapperswil
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
|
|
* under the terms of the GNU General Public License as published by the
|
|
|
|
* Free Software Foundation; either version 2 of the License, or (at your
|
|
|
|
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful, but
|
|
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
|
|
|
|
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
|
|
|
* for more details.
|
|
|
|
*/
|
2006-06-22 06:36:28 +00:00
|
|
|
|
|
|
|
#include <sys/time.h>
|
2006-04-10 08:07:38 +00:00
|
|
|
#include <string.h>
|
2006-10-18 11:46:13 +00:00
|
|
|
#include <printf.h>
|
2005-11-08 13:33:28 +00:00
|
|
|
|
2005-11-11 13:52:11 +00:00
|
|
|
#include "ike_sa.h"
|
|
|
|
|
2005-11-23 09:24:35 +00:00
|
|
|
#include <types.h>
|
2005-11-29 10:25:07 +00:00
|
|
|
#include <daemon.h>
|
2005-11-23 09:24:35 +00:00
|
|
|
#include <definitions.h>
|
|
|
|
#include <utils/linked_list.h>
|
2006-04-05 12:10:50 +00:00
|
|
|
#include <crypto/diffie_hellman.h>
|
|
|
|
#include <crypto/prf_plus.h>
|
|
|
|
#include <crypto/crypters/crypter.h>
|
2006-06-22 06:36:28 +00:00
|
|
|
#include <crypto/hashers/hasher.h>
|
2005-11-23 09:57:18 +00:00
|
|
|
#include <encoding/payloads/sa_payload.h>
|
|
|
|
#include <encoding/payloads/nonce_payload.h>
|
|
|
|
#include <encoding/payloads/ke_payload.h>
|
2005-12-12 14:14:52 +00:00
|
|
|
#include <encoding/payloads/delete_payload.h>
|
2005-11-23 09:57:18 +00:00
|
|
|
#include <encoding/payloads/transform_substructure.h>
|
|
|
|
#include <encoding/payloads/transform_attribute.h>
|
2006-06-07 13:26:23 +00:00
|
|
|
#include <encoding/payloads/ts_payload.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <sa/transactions/transaction.h>
|
|
|
|
#include <sa/transactions/ike_sa_init.h>
|
|
|
|
#include <sa/transactions/delete_ike_sa.h>
|
2006-07-07 07:04:07 +00:00
|
|
|
#include <sa/transactions/create_child_sa.h>
|
|
|
|
#include <sa/transactions/delete_child_sa.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <sa/transactions/dead_peer_detection.h>
|
2006-07-27 12:18:40 +00:00
|
|
|
#include <sa/transactions/rekey_ike_sa.h>
|
2005-12-02 14:07:36 +00:00
|
|
|
#include <queues/jobs/retransmit_request_job.h>
|
2006-09-05 14:07:25 +00:00
|
|
|
#include <queues/jobs/delete_ike_sa_job.h>
|
2006-07-05 10:53:20 +00:00
|
|
|
#include <queues/jobs/send_dpd_job.h>
|
|
|
|
#include <queues/jobs/send_keepalive_job.h>
|
2006-07-27 12:18:40 +00:00
|
|
|
#include <queues/jobs/rekey_ike_sa_job.h>
|
2006-09-08 06:12:02 +00:00
|
|
|
#include <queues/jobs/route_job.h>
|
|
|
|
#include <queues/jobs/initiate_job.h>
|
2005-11-08 13:33:28 +00:00
|
|
|
|
2006-10-18 11:46:13 +00:00
|
|
|
ENUM(ike_sa_state_names, IKE_CREATED, IKE_DELETING,
|
|
|
|
"CREATED",
|
|
|
|
"CONNECTING",
|
|
|
|
"ESTABLISHED",
|
|
|
|
"REKEYING",
|
|
|
|
"DELETING",
|
|
|
|
);
|
2005-11-08 13:33:28 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
typedef struct private_ike_sa_t private_ike_sa_t;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Private data of an ike_sa_t object.
|
|
|
|
*/
|
|
|
|
struct private_ike_sa_t {
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Public members
|
2006-06-23 14:02:30 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
ike_sa_t public;
|
2006-06-23 14:02:30 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2005-12-03 16:52:54 +00:00
|
|
|
* Identifier for the current IKE_SA.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
|
|
|
ike_sa_id_t *ike_sa_id;
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Current state of the IKE_SA
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
ike_sa_state_t state;
|
2005-12-01 17:16:10 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Name of the connection used by this IKE_SA
|
2005-12-01 17:16:10 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
char *name;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Address of local host
|
|
|
|
*/
|
|
|
|
host_t *my_host;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Address of remote host
|
|
|
|
*/
|
|
|
|
host_t *other_host;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Identification used for us
|
|
|
|
*/
|
|
|
|
identification_t *my_id;
|
2005-12-01 17:16:10 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Identification used for other
|
2005-12-01 17:16:10 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
identification_t *other_id;
|
2005-12-03 16:52:54 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Linked List containing the child sa's of the current IKE_SA.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
linked_list_t *child_sas;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* crypter for inbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_t *crypter_in;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* crypter for outbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_t *crypter_out;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Signer for inbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_t *signer_in;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Signer for outbound traffic
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_t *signer_out;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
|
|
|
/**
|
2006-02-14 14:52:00 +00:00
|
|
|
* Multi purpose prf, set key, use it, forget it
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
|
|
|
prf_t *prf;
|
|
|
|
|
2006-02-09 16:25:02 +00:00
|
|
|
/**
|
|
|
|
* Prf function for derivating keymat child SAs
|
|
|
|
*/
|
|
|
|
prf_t *child_prf;
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-10-30 14:07:05 +00:00
|
|
|
* PRF to build outging authentication data
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_t *auth_build;
|
2005-11-25 13:42:02 +00:00
|
|
|
|
2006-02-14 14:52:00 +00:00
|
|
|
/**
|
2006-10-30 14:07:05 +00:00
|
|
|
* PRF to verify incoming authentication data
|
2006-02-14 14:52:00 +00:00
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_t *auth_verify;
|
2005-12-02 14:07:36 +00:00
|
|
|
|
2006-06-22 06:36:28 +00:00
|
|
|
/**
|
|
|
|
* NAT hasher.
|
|
|
|
*/
|
|
|
|
hasher_t *nat_hasher;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NAT status of local host.
|
|
|
|
*/
|
|
|
|
bool nat_here;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* NAT status of remote host.
|
|
|
|
*/
|
|
|
|
bool nat_there;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* message ID for next outgoung request
|
|
|
|
*/
|
|
|
|
u_int32_t message_id_out;
|
2006-06-22 06:36:28 +00:00
|
|
|
|
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Timestamps for this IKE_SA
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-27 12:18:40 +00:00
|
|
|
struct {
|
|
|
|
/** last IKE message received */
|
|
|
|
u_int32_t inbound;
|
|
|
|
/** last IKE message sent */
|
|
|
|
u_int32_t outbound;
|
|
|
|
/** when IKE_SA became established */
|
|
|
|
u_int32_t established;
|
|
|
|
/** when IKE_SA gets rekeyed */
|
|
|
|
u_int32_t rekey;
|
|
|
|
/** when IKE_SA gets deleted */
|
|
|
|
u_int32_t delete;
|
|
|
|
} time;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2006-09-05 14:07:25 +00:00
|
|
|
/**
|
|
|
|
* interval to send DPD liveness check
|
|
|
|
*/
|
|
|
|
time_t dpd_delay;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* number of retransmit sequences to go through before giving up (keyingtries)
|
|
|
|
*/
|
|
|
|
u_int32_t retrans_sequences;
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
|
|
|
* List of queued transactions to process
|
|
|
|
*/
|
|
|
|
linked_list_t *transaction_queue;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Transaction currently initiated
|
|
|
|
* (only one supported yet, window size = 1)
|
|
|
|
*/
|
|
|
|
transaction_t *transaction_out;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* last transaction initiated by peer processed.
|
|
|
|
* (only one supported yet, window size = 1)
|
|
|
|
* Stored for retransmission.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
transaction_t *transaction_in;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Next incoming transaction expected. Used to
|
|
|
|
* do multi transaction operations.
|
|
|
|
*/
|
|
|
|
transaction_t *transaction_in_next;
|
2006-08-23 07:30:43 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Transaction which rekeys this IKE_SA, used do detect simultaneus rekeying
|
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
transaction_t *rekeying_transaction;
|
2005-11-25 13:42:02 +00:00
|
|
|
};
|
|
|
|
|
2005-11-21 10:59:45 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest traffic processed by the kernel
|
2005-11-21 10:59:45 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static time_t get_kernel_time(private_ike_sa_t* this, bool inbound)
|
2005-11-18 12:01:53 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
time_t latest = 0, use_time;
|
2006-03-16 15:25:06 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_use_time(child_sa, inbound, &use_time) == SUCCESS)
|
|
|
|
{
|
|
|
|
latest = max(latest, use_time);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2005-12-02 13:20:20 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
return latest;
|
2005-12-01 17:16:10 +00:00
|
|
|
}
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest received traffice
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static time_t get_time_inbound(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-27 12:18:40 +00:00
|
|
|
return max(this->time.inbound, get_kernel_time(this, TRUE));
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* get the time of the latest sent traffic
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static time_t get_time_outbound(private_ike_sa_t *this)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-27 12:18:40 +00:00
|
|
|
return max(this->time.outbound, get_kernel_time(this, FALSE));
|
2005-12-02 19:26:01 +00:00
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_name.
|
|
|
|
*/
|
|
|
|
static char *get_name(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->name;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_name.
|
|
|
|
*/
|
|
|
|
static void set_name(private_ike_sa_t *this, char* name)
|
|
|
|
{
|
|
|
|
free(this->name);
|
|
|
|
this->name = strdup(name);
|
|
|
|
}
|
|
|
|
|
2006-09-25 06:38:58 +00:00
|
|
|
/**
|
2006-09-25 07:24:08 +00:00
|
|
|
* Implementation of ike_sa_t.apply_connection.
|
2006-09-25 06:38:58 +00:00
|
|
|
*/
|
2006-09-25 07:24:08 +00:00
|
|
|
static void apply_connection(private_ike_sa_t *this, connection_t *connection)
|
2006-09-25 06:38:58 +00:00
|
|
|
{
|
2006-09-25 07:24:08 +00:00
|
|
|
this->dpd_delay = connection->get_dpd_delay(connection);
|
|
|
|
this->retrans_sequences = connection->get_retrans_seq(connection);
|
2006-09-25 06:38:58 +00:00
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_my_host.
|
|
|
|
*/
|
|
|
|
static host_t *get_my_host(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->my_host;
|
|
|
|
}
|
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_my_host.
|
|
|
|
*/
|
|
|
|
static void set_my_host(private_ike_sa_t *this, host_t *me)
|
|
|
|
{
|
|
|
|
DESTROY_IF(this->my_host);
|
|
|
|
this->my_host = me;
|
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_other_host.
|
|
|
|
*/
|
|
|
|
static host_t *get_other_host(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->other_host;
|
|
|
|
}
|
2006-02-09 16:25:02 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_other_host.
|
|
|
|
*/
|
|
|
|
static void set_other_host(private_ike_sa_t *this, host_t *other)
|
|
|
|
{
|
|
|
|
DESTROY_IF(this->other_host);
|
|
|
|
this->other_host = other;
|
|
|
|
}
|
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Update connection host, as addresses may change (NAT)
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/*
|
|
|
|
* Quoting RFC 4306:
|
|
|
|
*
|
|
|
|
* 2.11. Address and Port Agility
|
|
|
|
*
|
|
|
|
* IKE runs over UDP ports 500 and 4500, and implicitly sets up ESP and
|
|
|
|
* AH associations for the same IP addresses it runs over. The IP
|
|
|
|
* addresses and ports in the outer header are, however, not themselves
|
|
|
|
* cryptographically protected, and IKE is designed to work even through
|
|
|
|
* Network Address Translation (NAT) boxes. An implementation MUST
|
|
|
|
* accept incoming requests even if the source port is not 500 or 4500,
|
|
|
|
* and MUST respond to the address and port from which the request was
|
|
|
|
* received. It MUST specify the address and port at which the request
|
|
|
|
* was received as the source address and port in the response. IKE
|
|
|
|
* functions identically over IPv4 or IPv6.
|
|
|
|
*
|
|
|
|
* [...]
|
|
|
|
*
|
|
|
|
* There are cases where a NAT box decides to remove mappings that
|
|
|
|
* are still alive (for example, the keepalive interval is too long,
|
|
|
|
* or the NAT box is rebooted). To recover in these cases, hosts
|
|
|
|
* that are not behind a NAT SHOULD send all packets (including
|
|
|
|
* retransmission packets) to the IP address and port from the last
|
|
|
|
* valid authenticated packet from the other end (i.e., dynamically
|
|
|
|
* update the address). A host behind a NAT SHOULD NOT do this
|
|
|
|
* because it opens a DoS attack possibility. Any authenticated IKE
|
|
|
|
* packet or any authenticated UDP-encapsulated ESP packet can be
|
|
|
|
* used to detect that the IP address or the port has changed.
|
|
|
|
*/
|
|
|
|
iterator_t *iterator = NULL;
|
|
|
|
child_sa_t *child_sa = NULL;
|
2006-07-20 10:09:32 +00:00
|
|
|
host_diff_t my_diff, other_diff;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
if (this->my_host->is_anyaddr(this->my_host) ||
|
|
|
|
this->other_host->is_anyaddr(this->other_host))
|
2006-07-20 10:09:32 +00:00
|
|
|
{
|
|
|
|
/* on first received message */
|
2006-07-21 13:31:53 +00:00
|
|
|
this->my_host->destroy(this->my_host);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_host = me->clone(me);
|
2006-07-21 13:31:53 +00:00
|
|
|
this->other_host->destroy(this->other_host);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host = other->clone(other);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
my_diff = me->get_differences(me, this->my_host);
|
|
|
|
other_diff = other->get_differences(other, this->other_host);
|
|
|
|
|
|
|
|
if (!my_diff && !other_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
if (my_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_host->destroy(this->my_host);
|
|
|
|
this->my_host = me->clone(me);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!this->nat_here)
|
|
|
|
{
|
|
|
|
/* update without restrictions if we are not NATted */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (other_diff)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host->destroy(this->other_host);
|
|
|
|
this->other_host = other->clone(other);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* if we are natted, only port may change */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (other_diff & HOST_DIFF_ADDR)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
2006-07-20 10:09:32 +00:00
|
|
|
else if (other_diff & HOST_DIFF_PORT)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_host->set_port(this->other_host, other->get_port(other));
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
child_sa->update_hosts(child_sa, this->my_host, this->other_host,
|
|
|
|
my_diff, other_diff);
|
2006-07-05 10:53:20 +00:00
|
|
|
/* TODO: what to do if update fails? Delete CHILD_SA? */
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-09-08 06:12:02 +00:00
|
|
|
/**
|
|
|
|
* called when the peer is not responding anymore
|
|
|
|
*/
|
|
|
|
static void dpd_detected(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
connection_t *connection = NULL;
|
|
|
|
policy_t *policy;
|
|
|
|
linked_list_t *my_ts, *other_ts;
|
|
|
|
child_sa_t* child_sa;
|
|
|
|
dpd_action_t action;
|
|
|
|
job_t *job;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG2(DBG_IKE, "dead peer detected, handling CHILD_SAs dpd action");
|
2006-09-08 06:12:02 +00:00
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
/* check for childrens with dpdaction = hold */
|
2006-09-08 06:12:02 +00:00
|
|
|
while(this->child_sas->remove_first(this->child_sas,
|
2006-10-26 09:46:56 +00:00
|
|
|
(void**)&child_sa) == SUCCESS)
|
2006-09-08 06:12:02 +00:00
|
|
|
{
|
|
|
|
/* get the policy which belongs to this CHILD */
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
policy = charon->policies->get_policy(charon->policies,
|
|
|
|
this->my_id, this->other_id,
|
|
|
|
my_ts, other_ts,
|
|
|
|
this->my_host, this->other_host);
|
|
|
|
if (policy == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "no policy for CHILD to handle DPD");
|
2006-09-08 06:12:02 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
action = policy->get_dpd_action(policy);
|
|
|
|
/* get a connection for further actions */
|
2006-10-26 09:46:56 +00:00
|
|
|
if (connection == NULL &&
|
2006-09-08 06:12:02 +00:00
|
|
|
(action == DPD_ROUTE || action == DPD_RESTART))
|
|
|
|
{
|
|
|
|
connection = charon->connections->get_connection_by_hosts(
|
|
|
|
charon->connections,
|
|
|
|
this->my_host, this->other_host);
|
|
|
|
if (connection == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(IKE_UP_FAILED, "no connection found to handle DPD");
|
2006-09-08 06:12:02 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "dpd action for %s is %N",
|
2006-10-18 11:46:13 +00:00
|
|
|
policy->get_name(policy), dpd_action_names, action);
|
2006-09-08 06:12:02 +00:00
|
|
|
|
|
|
|
switch (action)
|
|
|
|
{
|
|
|
|
case DPD_ROUTE:
|
|
|
|
connection->get_ref(connection);
|
|
|
|
job = (job_t*)route_job_create(connection, policy, TRUE);
|
|
|
|
charon->job_queue->add(charon->job_queue, job);
|
|
|
|
break;
|
|
|
|
case DPD_RESTART:
|
|
|
|
connection->get_ref(connection);
|
|
|
|
job = (job_t*)initiate_job_create(connection, policy);
|
|
|
|
charon->job_queue->add(charon->job_queue, job);
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
policy->destroy(policy);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
child_sa->destroy(child_sa);
|
|
|
|
}
|
|
|
|
DESTROY_IF(connection);
|
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* send a request and schedule retransmission
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t transmit_request(private_ike_sa_t *this)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
message_t *request;
|
|
|
|
packet_t *packet;
|
|
|
|
status_t status;
|
|
|
|
retransmit_request_job_t *job;
|
|
|
|
u_int32_t transmitted;
|
|
|
|
u_int32_t timeout;
|
|
|
|
transaction_t *transaction = this->transaction_out;
|
2006-09-05 14:07:25 +00:00
|
|
|
u_int32_t message_id;
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
transmitted = transaction->requested(transaction);
|
|
|
|
timeout = charon->configuration->get_retransmit_timeout(charon->configuration,
|
2006-09-05 14:07:25 +00:00
|
|
|
transmitted,
|
|
|
|
this->retrans_sequences);
|
2006-07-05 10:53:20 +00:00
|
|
|
if (timeout == 0)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "giving up after %d retransmits, deleting IKE_SA",
|
|
|
|
transmitted - 1);
|
2006-09-08 06:12:02 +00:00
|
|
|
dpd_detected(this);
|
2006-07-05 10:53:20 +00:00
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
|
|
|
|
status = transaction->get_request(transaction, &request);
|
|
|
|
if (status != SUCCESS)
|
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
/* generating request failed */
|
2006-07-05 10:53:20 +00:00
|
|
|
return status;
|
|
|
|
}
|
2006-09-05 14:07:25 +00:00
|
|
|
message_id = transaction->get_message_id(transaction);
|
2006-07-05 10:53:20 +00:00
|
|
|
/* if we retransmit, the request is already generated */
|
|
|
|
if (transmitted == 0)
|
|
|
|
{
|
|
|
|
status = request->generate(request, this->crypter_out, this->signer_out, &packet);
|
|
|
|
if (status != SUCCESS)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "request generation failed. transaction discarded");
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "sending retransmit %d for %N request with messageID %d",
|
2006-10-18 11:46:13 +00:00
|
|
|
transmitted, exchange_type_names, request->get_exchange_type(request),
|
|
|
|
message_id);
|
2006-07-05 10:53:20 +00:00
|
|
|
packet = request->get_packet(request);
|
|
|
|
}
|
|
|
|
/* finally send */
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.outbound = time(NULL);
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
/* schedule retransmission job */
|
|
|
|
job = retransmit_request_job_create(message_id, this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job, timeout);
|
|
|
|
return SUCCESS;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa.retransmit_request.
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t retransmit_request(private_ike_sa_t *this, u_int32_t message_id)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (this->transaction_out == NULL ||
|
|
|
|
this->transaction_out->get_message_id(this->transaction_out) != message_id)
|
|
|
|
{
|
|
|
|
/* no retransmit necessary, transaction did already complete */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
return transmit_request(this);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-06-22 06:36:28 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Check for transactions in the queue and initiate the first transaction found.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t process_transaction_queue(private_ike_sa_t *this)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* already a transaction in progress */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (TRUE)
|
|
|
|
{
|
|
|
|
if (this->transaction_queue->remove_first(this->transaction_queue,
|
|
|
|
(void**)&this->transaction_out) != SUCCESS)
|
|
|
|
{
|
|
|
|
/* transaction queue empty */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
switch (transmit_request(this))
|
|
|
|
{
|
|
|
|
case SUCCESS:
|
|
|
|
return SUCCESS;
|
|
|
|
case DESTROY_ME:
|
|
|
|
/* critical, IKE_SA unusable, destroy immediately */
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* discard transaction, process next one */
|
|
|
|
this->transaction_out->destroy(this->transaction_out);
|
|
|
|
this->transaction_out = NULL;
|
|
|
|
/* handle next transaction */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Queue a new transaction and execute the next outstanding transaction
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t queue_transaction(private_ike_sa_t *this, transaction_t *transaction, bool prefer)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/* inject next transaction */
|
|
|
|
if (transaction)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (prefer)
|
|
|
|
{
|
|
|
|
this->transaction_queue->insert_first(this->transaction_queue, transaction);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->transaction_queue->insert_last(this->transaction_queue, transaction);
|
|
|
|
}
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
/* process a transaction */
|
|
|
|
return process_transaction_queue(this);
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2005-12-03 16:02:06 +00:00
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* process an incoming request.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t process_request(private_ike_sa_t *this, message_t *request)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
transaction_t *last, *current = NULL;
|
|
|
|
message_t *response;
|
|
|
|
packet_t *packet;
|
|
|
|
u_int32_t request_mid;
|
|
|
|
status_t status;
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
request_mid = request->get_message_id(request);
|
|
|
|
last = this->transaction_in;
|
|
|
|
|
|
|
|
/* check if message ID is correct */
|
|
|
|
if (last)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
u_int32_t last_mid = last->get_message_id(last);
|
|
|
|
|
|
|
|
if (last_mid == request_mid)
|
|
|
|
{
|
|
|
|
/* retransmit detected */
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "received retransmitted request for message "
|
2006-10-18 11:46:13 +00:00
|
|
|
"ID %d, retransmitting response", request_mid);
|
2006-07-05 10:53:20 +00:00
|
|
|
last->get_response(last, request, &response, &this->transaction_in_next);
|
|
|
|
packet = response->get_packet(response);
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.outbound = time(NULL);
|
2006-07-05 10:53:20 +00:00
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (last_mid > request_mid)
|
|
|
|
{
|
|
|
|
/* something seriously wrong here, message id may not decrease */
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "received request with message ID %d, "
|
2006-10-18 11:46:13 +00:00
|
|
|
"excepted %d, ingored", request_mid, last_mid + 1);
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
/* we allow jumps in message IDs, as long as they are incremental */
|
|
|
|
if (last_mid + 1 < request_mid)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "received request with message ID %d, excepted %d",
|
2006-10-18 11:46:13 +00:00
|
|
|
request_mid, last_mid + 1);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (request_mid != 0)
|
|
|
|
{
|
|
|
|
/* warn, but allow it */
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "first received request has message ID %d, "
|
2006-10-18 11:46:13 +00:00
|
|
|
"excepted 0", request_mid);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* check if we already have a pre-created transaction for this request */
|
|
|
|
if (this->transaction_in_next)
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-07-13 08:26:54 +00:00
|
|
|
current = this->transaction_in_next;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->transaction_in_next = NULL;
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
2006-07-13 08:26:54 +00:00
|
|
|
else
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
current = transaction_create(&this->public, request);
|
|
|
|
if (current == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "no idea how to handle received message (exchange"
|
2006-10-18 11:46:13 +00:00
|
|
|
" type %d), ignored", request->get_exchange_type(request));
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* send message. get_request() always gives a valid response */
|
|
|
|
status = current->get_response(current, request, &response, &this->transaction_in_next);
|
|
|
|
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "response generation failed, discarding transaction");
|
2006-07-05 10:53:20 +00:00
|
|
|
current->destroy(current);
|
2005-11-28 15:20:51 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.outbound = time(NULL);
|
2006-07-05 10:53:20 +00:00
|
|
|
/* act depending on transaction result */
|
|
|
|
switch (status)
|
|
|
|
{
|
|
|
|
case DESTROY_ME:
|
|
|
|
/* transactions says we should destroy the IKE_SA, so do it */
|
|
|
|
current->destroy(current);
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* store for retransmission, destroy old transaction */
|
|
|
|
this->transaction_in = current;
|
|
|
|
if (last)
|
|
|
|
{
|
|
|
|
last->destroy(last);
|
|
|
|
}
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
|
|
|
}
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
|
|
|
* process an incoming response
|
|
|
|
*/
|
|
|
|
static status_t process_response(private_ike_sa_t *this, message_t *response)
|
|
|
|
{
|
|
|
|
transaction_t *current, *new = NULL;
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
current = this->transaction_out;
|
|
|
|
/* check if message ID is that of our currently active transaction */
|
|
|
|
if (current == NULL ||
|
2006-09-05 14:07:25 +00:00
|
|
|
current->get_message_id(current) != response->get_message_id(response))
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "received response with message ID %d "
|
2006-10-18 11:46:13 +00:00
|
|
|
"not requested, ignored", response->get_message_id(response));
|
2006-02-14 14:52:00 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
switch (current->conclude(current, response, &new))
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
case DESTROY_ME:
|
|
|
|
/* state requested to destroy IKE_SA */
|
|
|
|
return DESTROY_ME;
|
|
|
|
default:
|
|
|
|
/* discard transaction, process next one */
|
|
|
|
break;
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
/* transaction comleted, remove */
|
|
|
|
current->destroy(current);
|
|
|
|
this->transaction_out = NULL;
|
2005-11-28 15:20:51 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* queue new transaction */
|
|
|
|
return queue_transaction(this, new, TRUE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* send a notify back to the sender
|
|
|
|
*/
|
|
|
|
static void send_notify_response(private_ike_sa_t *this,
|
|
|
|
message_t *request,
|
|
|
|
notify_type_t type)
|
|
|
|
{
|
|
|
|
notify_payload_t *notify;
|
|
|
|
message_t *response;
|
|
|
|
host_t *src, *dst;
|
|
|
|
packet_t *packet;
|
|
|
|
|
|
|
|
response = message_create();
|
|
|
|
dst = request->get_source(request);
|
|
|
|
src = request->get_destination(request);
|
|
|
|
response->set_source(response, src->clone(src));
|
|
|
|
response->set_destination(response, dst->clone(dst));
|
|
|
|
response->set_exchange_type(response, request->get_exchange_type(request));
|
|
|
|
response->set_request(response, FALSE);
|
|
|
|
response->set_message_id(response, request->get_message_id(request));
|
|
|
|
response->set_ike_sa_id(response, this->ike_sa_id);
|
|
|
|
notify = notify_payload_create_from_protocol_and_type(PROTO_NONE, type);
|
|
|
|
response->add_payload(response, (payload_t *)notify);
|
|
|
|
if (response->generate(response, this->crypter_out, this->signer_out, &packet) != SUCCESS)
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
response->destroy(response);
|
|
|
|
return;
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.outbound = time(NULL);
|
2006-07-05 10:53:20 +00:00
|
|
|
response->destroy(response);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.process_message.
|
|
|
|
*/
|
|
|
|
static status_t process_message(private_ike_sa_t *this, message_t *message)
|
|
|
|
{
|
|
|
|
status_t status;
|
|
|
|
bool is_request;
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
is_request = message->get_request(message);
|
2006-02-14 14:52:00 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
status = message->parse_body(message, this->crypter_in, this->signer_in);
|
|
|
|
if (status != SUCCESS)
|
2005-11-28 15:20:51 +00:00
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
if (is_request)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-27 12:18:40 +00:00
|
|
|
switch (status)
|
|
|
|
{
|
|
|
|
case NOT_SUPPORTED:
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "ciritcal unknown payloads found");
|
2006-07-27 12:18:40 +00:00
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case PARSE_ERROR:
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "message parsing failed");
|
2006-07-27 12:18:40 +00:00
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case VERIFY_ERROR:
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "message verification failed");
|
2006-07-27 12:18:40 +00:00
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case FAILED:
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "integrity check failed");
|
2006-07-27 12:18:40 +00:00
|
|
|
/* ignored */
|
|
|
|
break;
|
|
|
|
case INVALID_STATE:
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "found encrypted message, but no keys available");
|
2006-07-27 12:18:40 +00:00
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
send_notify_response(this, message, INVALID_SYNTAX);
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
|
2006-10-18 11:46:13 +00:00
|
|
|
exchange_type_names, message->get_exchange_type(message),
|
|
|
|
message->get_request(message) ? "request" : "response",
|
|
|
|
message->get_message_id(message));
|
2005-11-28 15:20:51 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
2006-02-14 14:52:00 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
/* check if message is trustworthy, and update connection information */
|
2006-07-20 10:09:32 +00:00
|
|
|
if (this->state == IKE_CREATED ||
|
2006-07-05 10:53:20 +00:00
|
|
|
message->get_exchange_type(message) != IKE_SA_INIT)
|
|
|
|
{
|
|
|
|
update_hosts(this, message->get_destination(message),
|
|
|
|
message->get_source(message));
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.inbound = time(NULL);
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
if (is_request)
|
|
|
|
{
|
|
|
|
status = process_request(this, message);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
status = process_response(this, message);
|
|
|
|
}
|
2006-02-14 14:52:00 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
return status;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.initiate.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static status_t initiate(private_ike_sa_t *this,
|
|
|
|
connection_t *connection, policy_t *policy)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
|
|
|
{
|
|
|
|
/* in state CREATED, we must do the ike_sa_init
|
|
|
|
* and ike_auth transactions. Along with these,
|
|
|
|
* a CHILD_SA with the supplied policy is set up.
|
|
|
|
*/
|
|
|
|
ike_sa_init_t *ike_sa_init;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG2(DBG_IKE, "initiating new IKE_SA for CHILD_SA");
|
2006-07-21 13:31:53 +00:00
|
|
|
DESTROY_IF(this->my_host);
|
2006-07-20 14:57:49 +00:00
|
|
|
this->my_host = connection->get_my_host(connection);
|
|
|
|
this->my_host = this->my_host->clone(this->my_host);
|
2006-07-21 13:31:53 +00:00
|
|
|
DESTROY_IF(this->other_host);
|
2006-07-20 14:57:49 +00:00
|
|
|
this->other_host = connection->get_other_host(connection);
|
|
|
|
this->other_host = this->other_host->clone(this->other_host);
|
2006-09-05 14:07:25 +00:00
|
|
|
this->retrans_sequences = connection->get_retrans_seq(connection);
|
|
|
|
this->dpd_delay = connection->get_dpd_delay(connection);
|
2006-07-20 14:57:49 +00:00
|
|
|
|
2006-10-18 11:46:13 +00:00
|
|
|
if (this->other_host->is_anyaddr(this->other_host))
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(IKE_UP_START, "establishing new IKE_SA for CHILD_SA");
|
|
|
|
SIG(IKE_UP_FAILED, "can not initiate a connection to %%any, aborting");
|
2006-10-18 11:46:13 +00:00
|
|
|
policy->destroy(policy);
|
|
|
|
connection->destroy(connection);
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
|
2006-07-20 14:57:49 +00:00
|
|
|
this->message_id_out = 1;
|
|
|
|
ike_sa_init = ike_sa_init_create(&this->public);
|
|
|
|
ike_sa_init->set_config(ike_sa_init, connection, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)ike_sa_init, TRUE);
|
|
|
|
}
|
|
|
|
case IKE_DELETING:
|
2006-08-23 07:30:43 +00:00
|
|
|
case IKE_REKEYING:
|
2006-07-20 14:57:49 +00:00
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
/* if we are in DELETING/REKEYING, we deny set up of a policy.
|
|
|
|
* TODO: would it make sense to queue the transaction and adopt
|
2006-10-26 09:46:56 +00:00
|
|
|
* all transactions to the new IKE_SA? */
|
|
|
|
SIG(IKE_UP_START, "creating CHILD_SA in existing IKE_SA");
|
|
|
|
SIG(IKE_UP_FAILED, "creating CHILD_SA discarded, as IKE_SA is in state %N",
|
2006-10-18 11:46:13 +00:00
|
|
|
ike_sa_state_names, this->state);
|
2006-07-20 14:57:49 +00:00
|
|
|
policy->destroy(policy);
|
|
|
|
connection->destroy(connection);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
case IKE_CONNECTING:
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
/* if we are ESTABLISHED or CONNECTING, we queue the
|
2006-07-20 14:57:49 +00:00
|
|
|
* transaction to create the CHILD_SA. It gets processed
|
|
|
|
* when the IKE_SA is ready to do so. We don't need the
|
|
|
|
* connection, as the IKE_SA is already established/establishing.
|
|
|
|
*/
|
|
|
|
create_child_sa_t *create_child;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "creating CHILD_SA in existing IKE_SA");
|
2006-07-20 14:57:49 +00:00
|
|
|
connection->destroy(connection);
|
|
|
|
create_child = create_child_sa_create(&this->public);
|
|
|
|
create_child->set_policy(create_child, policy);
|
|
|
|
return queue_transaction(this, (transaction_t*)create_child, FALSE);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return FAILED;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.acquire.
|
|
|
|
*/
|
|
|
|
static status_t acquire(private_ike_sa_t *this, u_int32_t reqid)
|
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
connection_t *connection;
|
|
|
|
policy_t *policy;
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current, *child_sa = NULL;
|
|
|
|
linked_list_t *my_ts, *other_ts;
|
|
|
|
|
|
|
|
if (this->state == IKE_DELETING)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
|
|
|
|
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
|
2006-10-18 11:46:13 +00:00
|
|
|
"IKE_SA is deleting", reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* find CHILD_SA */
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)¤t))
|
|
|
|
{
|
|
|
|
if (current->get_reqid(current) == reqid)
|
|
|
|
{
|
|
|
|
child_sa = current;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
if (!child_sa)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UP_START, "acquiring CHILD_SA on kernel request");
|
|
|
|
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
|
2006-10-18 11:46:13 +00:00
|
|
|
"CHILD_SA not found", reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
policy = charon->policies->get_policy(charon->policies,
|
|
|
|
this->my_id, this->other_id,
|
|
|
|
my_ts, other_ts,
|
|
|
|
this->my_host, this->other_host);
|
|
|
|
if (policy == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
|
|
|
|
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
|
2006-10-18 11:46:13 +00:00
|
|
|
"no policy found", reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
2006-07-20 10:09:32 +00:00
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
2006-07-21 13:31:53 +00:00
|
|
|
{
|
|
|
|
ike_sa_init_t *ike_sa_init;
|
|
|
|
|
|
|
|
connection = charon->connections->get_connection_by_hosts(
|
|
|
|
charon->connections, this->my_host, this->other_host);
|
|
|
|
|
|
|
|
if (connection == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UP_START, "acquiring CHILD_SA with reqid %d", reqid);
|
|
|
|
SIG(CHILD_UP_FAILED, "acquiring CHILD_SA (reqid %d) failed: "
|
|
|
|
"no connection found to establsih IKE_SA", reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
policy->destroy(policy);
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "establishing IKE_SA to acquire CHILD_SA "
|
|
|
|
"with reqid %d", reqid);
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
this->message_id_out = 1;
|
|
|
|
ike_sa_init = ike_sa_init_create(&this->public);
|
|
|
|
ike_sa_init->set_config(ike_sa_init, connection, policy);
|
2006-09-05 14:07:25 +00:00
|
|
|
/* reuse existing reqid */
|
|
|
|
ike_sa_init->set_reqid(ike_sa_init, reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
return queue_transaction(this, (transaction_t*)ike_sa_init, TRUE);
|
|
|
|
}
|
|
|
|
case IKE_CONNECTING:
|
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
|
|
|
create_child_sa_t *create_child;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_CHD, "acquiring CHILD_SA with reqid %d", reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
|
|
|
|
create_child = create_child_sa_create(&this->public);
|
|
|
|
create_child->set_policy(create_child, policy);
|
2006-09-05 14:07:25 +00:00
|
|
|
/* reuse existing reqid */
|
|
|
|
create_child->set_reqid(create_child, reqid);
|
2006-07-21 13:31:53 +00:00
|
|
|
return queue_transaction(this, (transaction_t*)create_child, FALSE);
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* compare two lists of traffic selectors for equality
|
|
|
|
*/
|
|
|
|
static bool ts_list_equals(linked_list_t *l1, linked_list_t *l2)
|
|
|
|
{
|
|
|
|
bool equals = TRUE;
|
|
|
|
iterator_t *i1, *i2;
|
|
|
|
traffic_selector_t *t1, *t2;
|
|
|
|
|
2006-10-24 14:20:45 +00:00
|
|
|
if (l1->get_count(l1) != l2->get_count(l2))
|
|
|
|
{
|
|
|
|
return FALSE;
|
|
|
|
}
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
i1 = l1->create_iterator(l1, TRUE);
|
|
|
|
i2 = l2->create_iterator(l2, TRUE);
|
|
|
|
while (i1->iterate(i1, (void**)&t1) && i2->iterate(i2, (void**)&t2))
|
|
|
|
{
|
|
|
|
if (!t1->equals(t1, t2))
|
|
|
|
{
|
|
|
|
equals = FALSE;
|
2006-07-20 10:09:32 +00:00
|
|
|
break;
|
2006-07-21 13:31:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
i1->destroy(i1);
|
|
|
|
i2->destroy(i2);
|
|
|
|
return equals;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.route.
|
|
|
|
*/
|
|
|
|
static status_t route(private_ike_sa_t *this, connection_t *connection, policy_t *policy)
|
|
|
|
{
|
|
|
|
child_sa_t *child_sa = NULL;
|
|
|
|
iterator_t *iterator;
|
|
|
|
linked_list_t *my_ts, *other_ts;
|
|
|
|
status_t status;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_ROUTE_START, "routing CHILD_SA");
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
/* check if not already routed*/
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
2006-09-08 13:10:52 +00:00
|
|
|
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
|
2006-07-21 13:31:53 +00:00
|
|
|
{
|
2006-09-08 13:10:52 +00:00
|
|
|
linked_list_t *my_ts_conf, *other_ts_conf;
|
|
|
|
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
|
|
|
|
if (ts_list_equals(my_ts, my_ts_conf) &&
|
2006-10-24 08:46:17 +00:00
|
|
|
ts_list_equals(other_ts, other_ts_conf))
|
2006-09-08 13:10:52 +00:00
|
|
|
{
|
|
|
|
iterator->destroy(iterator);
|
2006-10-24 08:46:17 +00:00
|
|
|
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
|
|
|
|
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_ROUTE_FAILED, "CHILD_SA with such a policy already routed");
|
2006-09-08 13:10:52 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-10-24 08:46:17 +00:00
|
|
|
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
|
|
|
|
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
|
2006-07-21 13:31:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
|
|
|
|
switch (this->state)
|
|
|
|
{
|
|
|
|
case IKE_CREATED:
|
2006-07-20 10:09:32 +00:00
|
|
|
case IKE_CONNECTING:
|
2006-10-26 09:46:56 +00:00
|
|
|
/* we update IKE_SA information as good as possible,
|
2006-07-21 13:31:53 +00:00
|
|
|
* this allows us to set up the SA later when an acquire comes in. */
|
|
|
|
if (this->my_id->get_type(this->my_id) == ID_ANY)
|
|
|
|
{
|
|
|
|
this->my_id->destroy(this->my_id);
|
|
|
|
this->my_id = policy->get_my_id(policy);
|
|
|
|
this->my_id = this->my_id->clone(this->my_id);
|
|
|
|
}
|
|
|
|
if (this->other_id->get_type(this->other_id) == ID_ANY)
|
|
|
|
{
|
|
|
|
this->other_id->destroy(this->other_id);
|
|
|
|
this->other_id = policy->get_other_id(policy);
|
|
|
|
this->other_id = this->other_id->clone(this->other_id);
|
|
|
|
}
|
|
|
|
if (this->my_host->is_anyaddr(this->my_host))
|
|
|
|
{
|
|
|
|
this->my_host->destroy(this->my_host);
|
|
|
|
this->my_host = connection->get_my_host(connection);
|
|
|
|
this->my_host = this->my_host->clone(this->my_host);
|
|
|
|
}
|
|
|
|
if (this->other_host->is_anyaddr(this->other_host))
|
|
|
|
{
|
|
|
|
this->other_host->destroy(this->other_host);
|
|
|
|
this->other_host = connection->get_other_host(connection);
|
|
|
|
this->other_host = this->other_host->clone(this->other_host);
|
|
|
|
}
|
|
|
|
set_name(this, connection->get_name(connection));
|
2006-09-05 14:07:25 +00:00
|
|
|
this->retrans_sequences = connection->get_retrans_seq(connection);
|
|
|
|
this->dpd_delay = connection->get_dpd_delay(connection);
|
2006-07-21 13:31:53 +00:00
|
|
|
break;
|
2006-07-20 10:09:32 +00:00
|
|
|
case IKE_ESTABLISHED:
|
2006-08-23 07:30:43 +00:00
|
|
|
case IKE_REKEYING:
|
|
|
|
/* nothing to do. We allow it for rekeying, as it will be
|
|
|
|
* adopted by the new IKE_SA */
|
2006-07-20 10:09:32 +00:00
|
|
|
break;
|
|
|
|
case IKE_DELETING:
|
2006-10-26 09:46:56 +00:00
|
|
|
/* TODO: hanlde this case, create a new IKE_SA and route CHILD_SA */
|
|
|
|
SIG(CHILD_ROUTE_FAILED, "unable to route CHILD_SA, as its IKE_SA gets deleted");
|
2006-07-21 13:31:53 +00:00
|
|
|
return FAILED;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
2006-09-25 06:10:28 +00:00
|
|
|
|
2006-09-08 06:12:02 +00:00
|
|
|
child_sa = child_sa_create(0, this->my_host, this->other_host,
|
2006-09-12 13:50:14 +00:00
|
|
|
this->my_id, this->other_id,
|
2006-09-25 06:10:28 +00:00
|
|
|
0, 0,
|
|
|
|
NULL, policy->get_hostaccess(policy),
|
|
|
|
FALSE);
|
2006-09-05 14:07:25 +00:00
|
|
|
child_sa->set_name(child_sa, policy->get_name(policy));
|
2006-07-21 13:31:53 +00:00
|
|
|
my_ts = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
status = child_sa->add_policies(child_sa, my_ts, other_ts);
|
2006-10-24 08:46:17 +00:00
|
|
|
my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
|
|
|
|
other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
|
2006-07-21 13:31:53 +00:00
|
|
|
this->child_sas->insert_last(this->child_sas, child_sa);
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_ROUTE_SUCCESS, "CHILD_SA routed");
|
2006-07-21 13:31:53 +00:00
|
|
|
return status;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-21 13:31:53 +00:00
|
|
|
* Implementation of ike_sa_t.unroute.
|
2006-07-20 10:09:32 +00:00
|
|
|
*/
|
2006-07-21 13:31:53 +00:00
|
|
|
static status_t unroute(private_ike_sa_t *this, policy_t *policy)
|
2006-07-20 10:09:32 +00:00
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa = NULL;
|
2006-10-26 09:46:56 +00:00
|
|
|
bool found = FALSE;
|
2006-07-21 13:31:53 +00:00
|
|
|
linked_list_t *my_ts, *other_ts, *my_ts_conf, *other_ts_conf;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UNROUTE_START, "unrouting CHILD_SA");
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
/* find CHILD_SA in ROUTED state */
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_state(child_sa) == CHILD_ROUTED)
|
|
|
|
{
|
|
|
|
my_ts = child_sa->get_my_traffic_selectors(child_sa);
|
|
|
|
other_ts = child_sa->get_other_traffic_selectors(child_sa);
|
|
|
|
|
|
|
|
my_ts_conf = policy->get_my_traffic_selectors(policy, this->my_host);
|
|
|
|
other_ts_conf = policy->get_other_traffic_selectors(policy, this->other_host);
|
|
|
|
|
|
|
|
if (ts_list_equals(my_ts, my_ts_conf) &&
|
|
|
|
ts_list_equals(other_ts, other_ts_conf))
|
|
|
|
{
|
|
|
|
iterator->remove(iterator);
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(CHILD_UNROUTE_SUCCESS, "CHILD_SA unrouted");
|
2006-07-21 13:31:53 +00:00
|
|
|
child_sa->destroy(child_sa);
|
2006-10-24 08:46:17 +00:00
|
|
|
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
|
|
|
|
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
|
2006-10-26 09:46:56 +00:00
|
|
|
found = TRUE;
|
2006-07-21 13:31:53 +00:00
|
|
|
break;
|
|
|
|
}
|
2006-10-24 08:46:17 +00:00
|
|
|
my_ts_conf->destroy_offset(my_ts_conf, offsetof(traffic_selector_t, destroy));
|
|
|
|
other_ts_conf->destroy_offset(other_ts_conf, offsetof(traffic_selector_t, destroy));
|
2006-07-21 13:31:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
2006-10-26 09:46:56 +00:00
|
|
|
|
|
|
|
if (!found)
|
|
|
|
{
|
|
|
|
SIG(CHILD_UNROUTE_FAILED, "CHILD_SA to unroute not found");
|
|
|
|
return FAILED;
|
|
|
|
}
|
2006-07-21 13:31:53 +00:00
|
|
|
/* if we are not established, and we have no more routed childs, remove whole SA */
|
|
|
|
if (this->state == IKE_CREATED &&
|
|
|
|
this->child_sas->get_count(this->child_sas) == 0)
|
|
|
|
{
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
|
|
|
return SUCCESS;
|
2006-07-20 10:09:32 +00:00
|
|
|
}
|
|
|
|
|
2005-11-29 17:19:59 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.send_dpd
|
2005-11-29 17:19:59 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static status_t send_dpd(private_ike_sa_t *this)
|
2005-11-29 17:19:59 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
send_dpd_job_t *job;
|
2006-09-05 14:07:25 +00:00
|
|
|
time_t diff;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2006-09-05 14:07:25 +00:00
|
|
|
if (this->dpd_delay == 0)
|
|
|
|
{
|
|
|
|
/* DPD disabled */
|
|
|
|
return SUCCESS;
|
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* there is a transaction in progress. Come back later */
|
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
/* check if there was any inbound traffic */
|
|
|
|
time_t last_in, now;
|
|
|
|
last_in = get_time_inbound(this);
|
|
|
|
now = time(NULL);
|
|
|
|
diff = now - last_in;
|
2006-09-05 14:07:25 +00:00
|
|
|
if (diff >= this->dpd_delay)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
|
|
|
/* to long ago, initiate dead peer detection */
|
|
|
|
dead_peer_detection_t *dpd;
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "sending DPD request");
|
2006-07-13 08:26:54 +00:00
|
|
|
dpd = dead_peer_detection_create(&this->public);
|
2006-09-05 14:07:25 +00:00
|
|
|
queue_transaction(this, (transaction_t*)dpd, FALSE);
|
2006-07-05 10:53:20 +00:00
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/* recheck in "interval" seconds */
|
|
|
|
job = send_dpd_job_create(this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
|
2006-09-05 14:07:25 +00:00
|
|
|
(this->dpd_delay - diff) * 1000);
|
2006-07-05 10:53:20 +00:00
|
|
|
return SUCCESS;
|
2005-11-29 17:19:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.send_keepalive
|
2005-11-29 17:19:59 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void send_keepalive(private_ike_sa_t *this)
|
2005-11-29 17:19:59 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
send_keepalive_job_t *job;
|
|
|
|
time_t last_out, now, diff, interval;
|
|
|
|
|
|
|
|
last_out = get_time_outbound(this);
|
|
|
|
now = time(NULL);
|
|
|
|
|
|
|
|
diff = now - last_out;
|
|
|
|
interval = charon->configuration->get_keepalive_interval(charon->configuration);
|
|
|
|
|
|
|
|
if (diff >= interval)
|
|
|
|
{
|
|
|
|
packet_t *packet;
|
|
|
|
chunk_t data;
|
|
|
|
|
|
|
|
packet = packet_create();
|
2006-07-20 10:09:32 +00:00
|
|
|
packet->set_source(packet, this->my_host->clone(this->my_host));
|
|
|
|
packet->set_destination(packet, this->other_host->clone(this->other_host));
|
2006-07-05 10:53:20 +00:00
|
|
|
data.ptr = malloc(1);
|
|
|
|
data.ptr[0] = 0xFF;
|
|
|
|
data.len = 1;
|
|
|
|
packet->set_data(packet, data);
|
|
|
|
charon->send_queue->add(charon->send_queue, packet);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "sending keep alive");
|
2006-07-05 10:53:20 +00:00
|
|
|
diff = 0;
|
|
|
|
}
|
|
|
|
job = send_keepalive_job_create(this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, (job_t*)job,
|
|
|
|
(interval - diff) * 1000);
|
2005-11-29 17:19:59 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 12:38:55 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.get_state.
|
2005-12-02 12:38:55 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static ike_sa_state_t get_state(private_ike_sa_t *this)
|
2005-12-02 12:38:55 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
return this->state;
|
2005-12-02 12:38:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.set_state.
|
2005-12-02 12:38:55 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
|
2005-12-02 12:38:55 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "IKE_SA state change: %N => %N",
|
2006-10-18 11:46:13 +00:00
|
|
|
ike_sa_state_names, this->state,
|
|
|
|
ike_sa_state_names, state);
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
if (state == IKE_ESTABLISHED)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.established = time(NULL);
|
|
|
|
/* start DPD checks */
|
2006-07-05 10:53:20 +00:00
|
|
|
send_dpd(this);
|
|
|
|
}
|
2006-10-18 11:46:13 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
this->state = state;
|
2005-12-02 12:38:55 +00:00
|
|
|
}
|
|
|
|
|
2006-06-23 14:02:30 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.get_prf.
|
2006-06-23 14:02:30 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_prf(private_ike_sa_t *this)
|
2006-06-23 14:02:30 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->prf;
|
2006-06-23 14:02:30 +00:00
|
|
|
}
|
|
|
|
|
2005-11-25 13:42:02 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.get_prf.
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static prf_t *get_child_prf(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->child_prf;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-10-30 14:07:05 +00:00
|
|
|
* Implementation of ike_sa_t.get_auth_bild
|
2005-11-25 13:42:02 +00:00
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
static prf_t *get_auth_build(private_ike_sa_t *this)
|
2005-11-25 13:42:02 +00:00
|
|
|
{
|
2006-10-30 14:07:05 +00:00
|
|
|
return this->auth_build;
|
2005-11-25 13:42:02 +00:00
|
|
|
}
|
|
|
|
|
2005-12-07 09:53:33 +00:00
|
|
|
/**
|
2006-10-30 14:07:05 +00:00
|
|
|
* Implementation of ike_sa_t.get_auth_verify
|
2005-12-07 09:53:33 +00:00
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
static prf_t *get_auth_verify(private_ike_sa_t *this)
|
2005-12-07 09:53:33 +00:00
|
|
|
{
|
2006-10-30 14:07:05 +00:00
|
|
|
return this->auth_verify;
|
2005-12-07 09:53:33 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 11:38:56 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_id.
|
2005-12-02 14:07:36 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static ike_sa_id_t* get_id(private_ike_sa_t *this)
|
2005-12-02 14:07:36 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->ike_sa_id;
|
2005-12-02 14:07:36 +00:00
|
|
|
}
|
|
|
|
|
2005-12-02 19:26:01 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_my_id.
|
2005-12-02 19:26:01 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static identification_t* get_my_id(private_ike_sa_t *this)
|
2005-12-02 19:26:01 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->my_id;
|
2005-12-03 14:47:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.set_my_id.
|
2005-12-03 14:47:58 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static void set_my_id(private_ike_sa_t *this, identification_t *me)
|
2005-12-03 14:47:58 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
DESTROY_IF(this->my_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->my_id = me;
|
2005-12-02 19:26:01 +00:00
|
|
|
}
|
|
|
|
|
2006-02-16 09:55:07 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.get_other_id.
|
2006-02-16 09:55:07 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static identification_t* get_other_id(private_ike_sa_t *this)
|
2006-02-16 09:55:07 +00:00
|
|
|
{
|
2006-07-20 10:09:32 +00:00
|
|
|
return this->other_id;
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
2006-07-20 10:09:32 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/**
|
2006-07-20 10:09:32 +00:00
|
|
|
* Implementation of ike_sa_t.set_other_id.
|
2006-07-05 10:53:20 +00:00
|
|
|
*/
|
2006-07-20 10:09:32 +00:00
|
|
|
static void set_other_id(private_ike_sa_t *this, identification_t *other)
|
2006-07-05 10:53:20 +00:00
|
|
|
{
|
2006-07-20 14:57:49 +00:00
|
|
|
DESTROY_IF(this->other_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->other_id = other;
|
2006-02-16 09:55:07 +00:00
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.derive_keys.
|
2006-06-07 13:26:23 +00:00
|
|
|
*/
|
2006-07-27 12:18:40 +00:00
|
|
|
static status_t derive_keys(private_ike_sa_t *this,
|
|
|
|
proposal_t *proposal, diffie_hellman_t *dh,
|
|
|
|
chunk_t nonce_i, chunk_t nonce_r,
|
2006-08-23 07:30:43 +00:00
|
|
|
bool initiator, prf_t *child_prf, prf_t *old_prf)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus_t *prf_plus;
|
2006-07-27 12:18:40 +00:00
|
|
|
chunk_t skeyseed, secret, key, nonces, prf_plus_seed;
|
2006-07-05 10:53:20 +00:00
|
|
|
algorithm_t *algo;
|
|
|
|
size_t key_size;
|
|
|
|
crypter_t *crypter_i, *crypter_r;
|
|
|
|
signer_t *signer_i, *signer_r;
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_t *prf_i, *prf_r;
|
2006-07-27 12:18:40 +00:00
|
|
|
u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)];
|
|
|
|
chunk_t spi_i = chunk_from_buf(spi_i_buf);
|
|
|
|
chunk_t spi_r = chunk_from_buf(spi_r_buf);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* Create SAs general purpose PRF first, we may use it here */
|
2006-07-05 10:53:20 +00:00
|
|
|
if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo))
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: no PSEUDO_RANDOM_FUNCTION");;
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
this->prf = prf_create(algo->algorithm);
|
|
|
|
if (this->prf == NULL)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: PSEUDO_RANDOM_FUNCTION "
|
2006-10-18 11:46:13 +00:00
|
|
|
"%N not supported!", pseudo_random_function_names, algo->algorithm);
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
dh->get_shared_secret(dh, &secret);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "shared Diffie Hellman secret %B", &secret);
|
2006-07-27 12:18:40 +00:00
|
|
|
nonces = chunk_cat("cc", nonce_i, nonce_r);
|
|
|
|
*((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id);
|
|
|
|
*((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id);
|
|
|
|
prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr)
|
|
|
|
*
|
2006-10-26 09:46:56 +00:00
|
|
|
* if we are rekeying, SKEYSEED is built on another way
|
2006-07-27 12:18:40 +00:00
|
|
|
*/
|
2006-08-23 07:30:43 +00:00
|
|
|
if (child_prf == NULL) /* not rekeying */
|
2006-10-18 11:46:13 +00:00
|
|
|
{
|
2006-07-27 12:18:40 +00:00
|
|
|
/* SKEYSEED = prf(Ni | Nr, g^ir) */
|
|
|
|
this->prf->set_key(this->prf, nonces);
|
|
|
|
this->prf->allocate_bytes(this->prf, secret, &skeyseed);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
|
2006-07-27 12:18:40 +00:00
|
|
|
this->prf->set_key(this->prf, skeyseed);
|
|
|
|
chunk_free(&skeyseed);
|
|
|
|
chunk_free(&secret);
|
|
|
|
prf_plus = prf_plus_create(this->prf, prf_plus_seed);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-08-23 07:30:43 +00:00
|
|
|
/* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr)
|
|
|
|
* use OLD SAs PRF functions for both prf_plus and prf */
|
2006-07-27 12:18:40 +00:00
|
|
|
secret = chunk_cat("mc", secret, nonces);
|
2006-08-23 07:30:43 +00:00
|
|
|
child_prf->allocate_bytes(child_prf, secret, &skeyseed);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "SKEYSEED %B", &skeyseed);
|
2006-08-23 07:30:43 +00:00
|
|
|
old_prf->set_key(old_prf, skeyseed);
|
2006-07-27 12:18:40 +00:00
|
|
|
chunk_free(&skeyseed);
|
|
|
|
chunk_free(&secret);
|
2006-08-23 07:30:43 +00:00
|
|
|
prf_plus = prf_plus_create(old_prf, prf_plus_seed);
|
2006-07-27 12:18:40 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
chunk_free(&nonces);
|
2006-07-27 12:18:40 +00:00
|
|
|
chunk_free(&prf_plus_seed);
|
|
|
|
|
|
|
|
/* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* SK_d is used for generating CHILD_SA key mat => child_prf */
|
|
|
|
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
2006-07-05 10:53:20 +00:00
|
|
|
this->child_prf = prf_create(algo->algorithm);
|
|
|
|
key_size = this->child_prf->get_key_size(this->child_prf);
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_d secret %B", &key);
|
2006-07-05 10:53:20 +00:00
|
|
|
this->child_prf->set_key(this->child_prf, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */
|
2006-07-05 10:53:20 +00:00
|
|
|
if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo))
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: no INTEGRITY_ALGORITHM");
|
2006-06-07 13:26:23 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_i = signer_create(algo->algorithm);
|
|
|
|
signer_r = signer_create(algo->algorithm);
|
|
|
|
if (signer_i == NULL || signer_r == NULL)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: INTEGRITY_ALGORITHM "
|
2006-10-18 11:46:13 +00:00
|
|
|
"%N not supported!", integrity_algorithm_names ,algo->algorithm);
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
key_size = signer_i->get_key_size(signer_i);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_ai secret %B", &key);
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_i->set_key(signer_i, key);
|
|
|
|
chunk_free(&key);
|
2006-07-27 12:18:40 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_ar secret %B", &key);
|
2006-07-05 10:53:20 +00:00
|
|
|
signer_r->set_key(signer_r, key);
|
|
|
|
chunk_free(&key);
|
2006-06-22 06:36:28 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
if (initiator)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->signer_in = signer_r;
|
|
|
|
this->signer_out = signer_i;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->signer_in = signer_i;
|
|
|
|
this->signer_out = signer_r;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* SK_ei/SK_er used for encryption => crypter_in/crypter_out */
|
2006-07-05 10:53:20 +00:00
|
|
|
if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo))
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: no ENCRYPTION_ALGORITHM");
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
2006-07-27 12:18:40 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_i = crypter_create(algo->algorithm, algo->key_size / 8);
|
|
|
|
crypter_r = crypter_create(algo->algorithm, algo->key_size / 8);
|
|
|
|
if (crypter_i == NULL || crypter_r == NULL)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "key derivation failed: ENCRYPTION_ALGORITHM "
|
2006-10-18 11:46:13 +00:00
|
|
|
"%N (key size %d) not supported!",
|
|
|
|
encryption_algorithm_names, algo->algorithm, algo->key_size);
|
2006-07-05 10:53:20 +00:00
|
|
|
return FAILED;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
key_size = crypter_i->get_key_size(crypter_i);
|
2006-06-22 06:36:28 +00:00
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_ei secret %B", &key);
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_i->set_key(crypter_i, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_er secret %B", &key);
|
2006-07-05 10:53:20 +00:00
|
|
|
crypter_r->set_key(crypter_r, key);
|
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
if (initiator)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->crypter_in = crypter_r;
|
|
|
|
this->crypter_out = crypter_i;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
2006-07-05 10:53:20 +00:00
|
|
|
else
|
|
|
|
{
|
2006-07-12 14:08:13 +00:00
|
|
|
this->crypter_in = crypter_i;
|
|
|
|
this->crypter_out = crypter_r;
|
2006-07-05 10:53:20 +00:00
|
|
|
}
|
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */
|
2006-07-05 10:53:20 +00:00
|
|
|
proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo);
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_i = prf_create(algo->algorithm);
|
|
|
|
prf_r = prf_create(algo->algorithm);
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2006-10-30 14:07:05 +00:00
|
|
|
key_size = prf_i->get_key_size(prf_i);
|
2006-07-05 10:53:20 +00:00
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_pi secret %B", &key);
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_i->set_key(prf_i, key);
|
2006-07-05 10:53:20 +00:00
|
|
|
chunk_free(&key);
|
|
|
|
|
|
|
|
prf_plus->allocate_bytes(prf_plus, key_size, &key);
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG4(DBG_IKE, "Sk_pr secret %B", &key);
|
2006-10-30 14:07:05 +00:00
|
|
|
prf_r->set_key(prf_r, key);
|
2006-07-05 10:53:20 +00:00
|
|
|
chunk_free(&key);
|
|
|
|
|
2006-10-30 14:07:05 +00:00
|
|
|
if (initiator)
|
|
|
|
{
|
|
|
|
this->auth_verify = prf_r;
|
|
|
|
this->auth_build = prf_i;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
this->auth_verify = prf_i;
|
|
|
|
this->auth_build = prf_r;
|
|
|
|
}
|
|
|
|
|
2006-07-05 10:53:20 +00:00
|
|
|
/* all done, prf_plus not needed anymore */
|
|
|
|
prf_plus->destroy(prf_plus);
|
|
|
|
|
|
|
|
return SUCCESS;
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-05-31 14:23:15 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.add_child_sa.
|
2006-05-31 14:23:15 +00:00
|
|
|
*/
|
2006-07-05 10:53:20 +00:00
|
|
|
static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
|
2006-05-31 14:23:15 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
this->child_sas->insert_last(this->child_sas, child_sa);
|
2006-05-31 14:23:15 +00:00
|
|
|
}
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.has_child_sa.
|
2006-07-21 13:31:53 +00:00
|
|
|
*/
|
|
|
|
static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid)
|
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current;
|
|
|
|
bool found = FALSE;
|
|
|
|
|
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)¤t))
|
|
|
|
{
|
|
|
|
if (current->get_reqid(current) == reqid)
|
|
|
|
{
|
|
|
|
found = TRUE;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
return found;
|
|
|
|
}
|
|
|
|
|
2006-06-09 15:12:43 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.get_child_sa.
|
2006-06-09 15:12:43 +00:00
|
|
|
*/
|
2006-07-07 07:04:07 +00:00
|
|
|
static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
|
|
|
|
u_int32_t spi, bool inbound)
|
2006-06-09 15:12:43 +00:00
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *current, *found = NULL;
|
|
|
|
|
2006-07-21 13:31:53 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
2006-10-24 14:20:45 +00:00
|
|
|
while (iterator->iterate(iterator, (void**)¤t))
|
|
|
|
{;
|
2006-07-07 07:04:07 +00:00
|
|
|
if (current->get_spi(current, inbound) == spi &&
|
2006-10-24 14:20:45 +00:00
|
|
|
current->get_protocol(current) == protocol)
|
2006-06-09 15:12:43 +00:00
|
|
|
{
|
|
|
|
found = current;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
iterator->destroy(iterator);
|
|
|
|
return found;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-08-23 07:30:43 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.create_child_sa_iterator.
|
|
|
|
*/
|
|
|
|
static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
}
|
|
|
|
|
2006-06-07 13:26:23 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.rekey_child_sa.
|
|
|
|
*/
|
2006-07-07 07:04:07 +00:00
|
|
|
static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
create_child_sa_t *rekey;
|
2006-06-07 13:26:23 +00:00
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
2006-07-07 07:04:07 +00:00
|
|
|
child_sa = get_child_sa(this, protocol, spi, TRUE);
|
|
|
|
if (child_sa == NULL)
|
2006-06-07 13:26:23 +00:00
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
return NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
rekey = create_child_sa_create(&this->public);
|
2006-07-07 07:04:07 +00:00
|
|
|
rekey->rekeys_child(rekey, child_sa);
|
|
|
|
return queue_transaction(this, (transaction_t*)rekey, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.delete_child_sa.
|
|
|
|
*/
|
|
|
|
static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
|
|
|
{
|
|
|
|
delete_child_sa_t *del;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
|
|
|
child_sa = get_child_sa(this, protocol, spi, TRUE);
|
2006-06-07 13:26:23 +00:00
|
|
|
if (child_sa == NULL)
|
|
|
|
{
|
2006-07-07 07:04:07 +00:00
|
|
|
return NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
del = delete_child_sa_create(&this->public);
|
2006-07-07 07:04:07 +00:00
|
|
|
del->set_child_sa(del, child_sa);
|
|
|
|
return queue_transaction(this, (transaction_t*)del, FALSE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.destroy_child_sa.
|
2006-07-07 07:04:07 +00:00
|
|
|
*/
|
|
|
|
static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi)
|
|
|
|
{
|
|
|
|
iterator_t *iterator;
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
status_t status = NOT_FOUND;
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2006-07-07 07:04:07 +00:00
|
|
|
iterator = this->child_sas->create_iterator(this->child_sas, TRUE);
|
|
|
|
while (iterator->iterate(iterator, (void**)&child_sa))
|
|
|
|
{
|
|
|
|
if (child_sa->get_protocol(child_sa) == protocol &&
|
|
|
|
child_sa->get_spi(child_sa, TRUE) == spi)
|
|
|
|
{
|
|
|
|
child_sa->destroy(child_sa);
|
|
|
|
iterator->remove(iterator);
|
|
|
|
status = SUCCESS;
|
|
|
|
break;
|
|
|
|
}
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
2006-07-07 07:04:07 +00:00
|
|
|
iterator->destroy(iterator);
|
|
|
|
return status;
|
2006-06-07 13:26:23 +00:00
|
|
|
}
|
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_lifetimes.
|
|
|
|
*/
|
|
|
|
static void set_lifetimes(private_ike_sa_t *this,
|
|
|
|
u_int32_t soft_lifetime, u_int32_t hard_lifetime)
|
|
|
|
{
|
|
|
|
job_t *job;
|
|
|
|
|
|
|
|
if (soft_lifetime)
|
|
|
|
{
|
|
|
|
this->time.rekey = this->time.established + soft_lifetime;
|
|
|
|
job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id);
|
|
|
|
charon->event_queue->add_relative(charon->event_queue, job,
|
|
|
|
soft_lifetime * 1000);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (hard_lifetime)
|
|
|
|
{
|
|
|
|
this->time.delete = this->time.established + hard_lifetime;
|
2006-09-05 14:07:25 +00:00
|
|
|
job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
|
2006-07-27 12:18:40 +00:00
|
|
|
charon->event_queue->add_relative(charon->event_queue, job,
|
|
|
|
hard_lifetime * 1000);
|
|
|
|
}
|
|
|
|
}
|
2005-11-25 13:42:02 +00:00
|
|
|
|
2006-04-26 12:28:02 +00:00
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.rekey.
|
|
|
|
*/
|
|
|
|
static status_t rekey(private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
rekey_ike_sa_t *rekey_ike_sa;
|
|
|
|
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "rekeying IKE_SA between %H[%D]..%H[%D]",
|
|
|
|
this->my_host, this->my_id, this->other_host, this->other_id);
|
2006-07-27 12:18:40 +00:00
|
|
|
|
|
|
|
if (this->state != IKE_ESTABLISHED)
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(IKE_REKEY_START, "rekeying IKE_SA");
|
|
|
|
SIG(IKE_REKEY_FAILED, "unable to rekey IKE_SA in state %N",
|
2006-10-18 11:46:13 +00:00
|
|
|
ike_sa_state_names, this->state);
|
2006-07-27 12:18:40 +00:00
|
|
|
return FAILED;
|
|
|
|
}
|
|
|
|
|
|
|
|
rekey_ike_sa = rekey_ike_sa_create(&this->public);
|
|
|
|
return queue_transaction(this, (transaction_t*)rekey_ike_sa, FALSE);
|
|
|
|
}
|
|
|
|
|
2006-08-23 07:30:43 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_rekeying_transaction.
|
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
static transaction_t* get_rekeying_transaction(private_ike_sa_t *this)
|
2006-08-23 07:30:43 +00:00
|
|
|
{
|
|
|
|
return this->rekeying_transaction;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.set_rekeying_transaction.
|
|
|
|
*/
|
2006-10-30 14:07:05 +00:00
|
|
|
static void set_rekeying_transaction(private_ike_sa_t *this, transaction_t *rekey)
|
2006-08-23 07:30:43 +00:00
|
|
|
{
|
|
|
|
this->rekeying_transaction = rekey;
|
|
|
|
}
|
|
|
|
|
2006-07-27 12:18:40 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.adopt_children.
|
|
|
|
*/
|
|
|
|
static void adopt_children(private_ike_sa_t *this, private_ike_sa_t *other)
|
|
|
|
{
|
|
|
|
child_sa_t *child_sa;
|
|
|
|
|
|
|
|
while (other->child_sas->remove_last(other->child_sas,
|
|
|
|
(void**)&child_sa) == SUCCESS)
|
|
|
|
{
|
|
|
|
this->child_sas->insert_first(this->child_sas, (void*)child_sa);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2006-05-23 08:01:49 +00:00
|
|
|
/**
|
|
|
|
* Implementation of public_ike_sa_t.delete.
|
|
|
|
*/
|
|
|
|
static status_t delete_(private_ike_sa_t *this)
|
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
switch (this->state)
|
2006-07-13 12:49:35 +00:00
|
|
|
{
|
2006-07-21 13:31:53 +00:00
|
|
|
case IKE_CONNECTING:
|
2006-10-26 09:46:56 +00:00
|
|
|
{
|
|
|
|
/* this may happen if a half open IKE_SA gets closed after a
|
|
|
|
* timeout. We signal here UP_FAILED to complete the SIG schema */
|
|
|
|
SIG(IKE_UP_FAILED, "half open IKE_SA deleted after timeout");
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
2006-07-21 13:31:53 +00:00
|
|
|
case IKE_ESTABLISHED:
|
|
|
|
{
|
|
|
|
delete_ike_sa_t *delete_ike_sa;
|
|
|
|
if (this->transaction_out)
|
|
|
|
{
|
|
|
|
/* already a transaction in progress. As this may hang
|
|
|
|
* around a while, we don't inform the other peer. */
|
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
2006-08-30 17:12:56 +00:00
|
|
|
delete_ike_sa = delete_ike_sa_create(&this->public);
|
2006-07-21 13:31:53 +00:00
|
|
|
return queue_transaction(this, (transaction_t*)delete_ike_sa, FALSE);
|
|
|
|
}
|
|
|
|
case IKE_CREATED:
|
|
|
|
case IKE_DELETING:
|
|
|
|
default:
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
SIG(IKE_DOWN_START, "closing IKE_SA");
|
|
|
|
SIG(IKE_DOWN_SUCCESS, "IKE_SA closed between %H[%D]...%H[%D]",
|
|
|
|
this->my_host, this->my_id, this->other_host, this->other_id);
|
2006-07-21 13:31:53 +00:00
|
|
|
return DESTROY_ME;
|
|
|
|
}
|
2006-07-13 12:49:35 +00:00
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2006-07-13 08:26:54 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.get_next_message_id.
|
|
|
|
*/
|
|
|
|
static u_int32_t get_next_message_id (private_ike_sa_t *this)
|
|
|
|
{
|
|
|
|
return this->message_id_out++;
|
|
|
|
}
|
|
|
|
|
2006-06-22 06:36:28 +00:00
|
|
|
/**
|
2006-07-05 10:53:20 +00:00
|
|
|
* Implementation of ike_sa_t.is_natt_enabled.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-10-26 09:46:56 +00:00
|
|
|
static bool is_natt_enabled(private_ike_sa_t *this)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
|
|
|
return this->nat_here || this->nat_there;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2006-07-27 12:18:40 +00:00
|
|
|
* Implementation of ike_sa_t.enable_natt.
|
2006-06-22 06:36:28 +00:00
|
|
|
*/
|
2006-10-26 09:46:56 +00:00
|
|
|
static void enable_natt(private_ike_sa_t *this, bool local)
|
2006-06-22 06:36:28 +00:00
|
|
|
{
|
2006-07-05 10:53:20 +00:00
|
|
|
if (local)
|
2006-06-23 14:02:30 +00:00
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "local host is behind NAT, using NAT-T, "
|
2006-10-18 11:46:13 +00:00
|
|
|
"scheduled keep alives");
|
2006-07-05 10:53:20 +00:00
|
|
|
this->nat_here = TRUE;
|
|
|
|
send_keepalive(this);
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
2006-10-26 09:46:56 +00:00
|
|
|
DBG1(DBG_IKE, "remote host is behind NAT, using NAT-T");
|
2006-07-05 10:53:20 +00:00
|
|
|
this->nat_there = TRUE;
|
2006-06-23 14:02:30 +00:00
|
|
|
}
|
2006-06-22 06:36:28 +00:00
|
|
|
}
|
|
|
|
|
2005-11-16 16:05:46 +00:00
|
|
|
/**
|
2006-10-18 11:46:13 +00:00
|
|
|
* output handler in printf()
|
2005-11-16 16:05:46 +00:00
|
|
|
*/
|
2006-10-18 11:46:13 +00:00
|
|
|
static int print(FILE *stream, const struct printf_info *info,
|
|
|
|
const void *const *args)
|
2005-11-16 16:05:46 +00:00
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
private_ike_sa_t *this = *((private_ike_sa_t**)(args[0]));
|
2006-02-16 09:55:07 +00:00
|
|
|
|
2006-10-18 11:46:13 +00:00
|
|
|
if (this == NULL)
|
|
|
|
{
|
|
|
|
return fprintf(stream, "(null)");
|
|
|
|
}
|
2006-05-23 08:01:49 +00:00
|
|
|
|
2006-10-18 11:46:13 +00:00
|
|
|
return fprintf(stream, "%10s: %N, %H[%D]...%H[%D] (%J)",
|
|
|
|
this->name, ike_sa_state_names, this->state,
|
|
|
|
this->my_host, this->my_id, this->other_host, this->other_id,
|
|
|
|
this->ike_sa_id);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* arginfo handler in printf()
|
|
|
|
*/
|
|
|
|
static int print_arginfo(const struct printf_info *info, size_t n, int *argtypes)
|
|
|
|
{
|
|
|
|
if (n > 0)
|
2006-05-23 08:01:49 +00:00
|
|
|
{
|
2006-10-18 11:46:13 +00:00
|
|
|
argtypes[0] = PA_POINTER;
|
2006-05-23 08:01:49 +00:00
|
|
|
}
|
2006-10-18 11:46:13 +00:00
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* register printf() handlers
|
|
|
|
*/
|
|
|
|
static void __attribute__ ((constructor))print_register()
|
|
|
|
{
|
|
|
|
register_printf_function(IKE_SA_PRINTF_SPEC, print, print_arginfo);
|
|
|
|
}
|
2005-11-21 16:41:24 +00:00
|
|
|
|
2006-10-18 11:46:13 +00:00
|
|
|
/**
|
|
|
|
* Implementation of ike_sa_t.destroy.
|
|
|
|
*/
|
|
|
|
static void destroy(private_ike_sa_t *this)
|
|
|
|
{
|
2006-10-24 08:46:17 +00:00
|
|
|
this->child_sas->destroy_offset(this->child_sas, offsetof(child_sa_t, destroy));
|
|
|
|
this->transaction_queue->destroy_offset(this->transaction_queue, offsetof(transaction_t, destroy));
|
2006-07-20 10:09:32 +00:00
|
|
|
|
|
|
|
DESTROY_IF(this->transaction_in);
|
|
|
|
DESTROY_IF(this->transaction_in_next);
|
|
|
|
DESTROY_IF(this->transaction_out);
|
|
|
|
DESTROY_IF(this->crypter_in);
|
|
|
|
DESTROY_IF(this->crypter_out);
|
|
|
|
DESTROY_IF(this->signer_in);
|
|
|
|
DESTROY_IF(this->signer_out);
|
|
|
|
DESTROY_IF(this->prf);
|
|
|
|
DESTROY_IF(this->child_prf);
|
2006-10-30 14:07:05 +00:00
|
|
|
DESTROY_IF(this->auth_verify);
|
|
|
|
DESTROY_IF(this->auth_build);
|
2006-07-20 10:09:32 +00:00
|
|
|
|
|
|
|
DESTROY_IF(this->my_host);
|
|
|
|
DESTROY_IF(this->other_host);
|
|
|
|
DESTROY_IF(this->my_id);
|
|
|
|
DESTROY_IF(this->other_id);
|
|
|
|
|
|
|
|
free(this->name);
|
2006-03-20 15:43:26 +00:00
|
|
|
this->ike_sa_id->destroy(this->ike_sa_id);
|
2006-04-10 08:07:38 +00:00
|
|
|
free(this);
|
2005-11-08 13:33:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2005-12-07 09:03:34 +00:00
|
|
|
* Described in header.
|
2005-11-08 13:33:28 +00:00
|
|
|
*/
|
|
|
|
ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
|
|
|
|
{
|
2006-04-10 08:07:38 +00:00
|
|
|
private_ike_sa_t *this = malloc_thing(private_ike_sa_t);
|
2006-06-07 13:26:23 +00:00
|
|
|
|
2005-11-08 13:33:28 +00:00
|
|
|
/* Public functions */
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.get_state = (ike_sa_state_t(*)(ike_sa_t*)) get_state;
|
|
|
|
this->public.set_state = (void(*)(ike_sa_t*,ike_sa_state_t)) set_state;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_name = (char*(*)(ike_sa_t*))get_name;
|
|
|
|
this->public.set_name = (void(*)(ike_sa_t*,char*))set_name;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.process_message = (status_t(*)(ike_sa_t*, message_t*)) process_message;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.initiate = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) initiate;
|
2006-07-21 13:31:53 +00:00
|
|
|
this->public.route = (status_t(*)(ike_sa_t*,connection_t*,policy_t*)) route;
|
|
|
|
this->public.unroute = (status_t(*)(ike_sa_t*,policy_t*)) unroute;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host;
|
2006-07-27 12:18:40 +00:00
|
|
|
this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host;
|
2006-07-27 12:18:40 +00:00
|
|
|
this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host;
|
2006-07-20 10:09:32 +00:00
|
|
|
this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id;
|
|
|
|
this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id;
|
|
|
|
this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id;
|
|
|
|
this->public.set_other_id = (void(*)(ike_sa_t*,identification_t*)) set_other_id;
|
2006-07-13 08:26:54 +00:00
|
|
|
this->public.get_next_message_id = (u_int32_t(*)(ike_sa_t*)) get_next_message_id;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.retransmit_request = (status_t (*) (ike_sa_t *, u_int32_t)) retransmit_request;
|
|
|
|
this->public.delete = (status_t(*)(ike_sa_t*))delete_;
|
|
|
|
this->public.destroy = (void(*)(ike_sa_t*))destroy;
|
|
|
|
this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd;
|
|
|
|
this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive;
|
|
|
|
this->public.get_prf = (prf_t *(*) (ike_sa_t *)) get_prf;
|
|
|
|
this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf;
|
2006-10-30 14:07:05 +00:00
|
|
|
this->public.get_auth_verify = (prf_t *(*) (ike_sa_t *)) get_auth_verify;
|
|
|
|
this->public.get_auth_build = (prf_t *(*) (ike_sa_t *)) get_auth_build;
|
2006-08-23 07:30:43 +00:00
|
|
|
this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool,prf_t*,prf_t*)) derive_keys;
|
2006-07-07 07:04:07 +00:00
|
|
|
this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa;
|
2006-07-21 13:31:53 +00:00
|
|
|
this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa;
|
2006-07-07 07:04:07 +00:00
|
|
|
this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa;
|
2006-08-23 07:30:43 +00:00
|
|
|
this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator;
|
2006-07-07 07:04:07 +00:00
|
|
|
this->public.rekey_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa;
|
|
|
|
this->public.delete_child_sa = (status_t(*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa;
|
|
|
|
this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt;
|
|
|
|
this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled;
|
2006-07-27 12:18:40 +00:00
|
|
|
this->public.set_lifetimes = (void(*)(ike_sa_t*,u_int32_t,u_int32_t))set_lifetimes;
|
2006-09-25 07:24:08 +00:00
|
|
|
this->public.apply_connection = (void(*)(ike_sa_t*,connection_t*))apply_connection;
|
2006-07-27 12:18:40 +00:00
|
|
|
this->public.rekey = (status_t(*)(ike_sa_t*))rekey;
|
2006-10-30 14:07:05 +00:00
|
|
|
this->public.get_rekeying_transaction = (transaction_t*(*)(ike_sa_t*))get_rekeying_transaction;
|
|
|
|
this->public.set_rekeying_transaction = (void(*)(ike_sa_t*,transaction_t*))set_rekeying_transaction;
|
2006-07-27 12:18:40 +00:00
|
|
|
this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
2005-11-08 13:33:28 +00:00
|
|
|
/* initialize private fields */
|
2005-11-28 20:29:47 +00:00
|
|
|
this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
|
2006-07-20 10:09:32 +00:00
|
|
|
this->name = strdup("(uninitialized)");
|
2005-11-08 13:33:28 +00:00
|
|
|
this->child_sas = linked_list_create();
|
2006-08-30 17:12:56 +00:00
|
|
|
this->my_host = host_create_from_string("0.0.0.0", 0);
|
|
|
|
this->other_host = host_create_from_string("0.0.0.0", 0);
|
2006-07-21 13:31:53 +00:00
|
|
|
this->my_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
|
|
|
|
this->other_id = identification_create_from_encoding(ID_ANY, CHUNK_INITIALIZER);
|
2006-07-05 10:53:20 +00:00
|
|
|
this->crypter_in = NULL;
|
|
|
|
this->crypter_out = NULL;
|
|
|
|
this->signer_in = NULL;
|
|
|
|
this->signer_out = NULL;
|
2005-11-22 15:38:41 +00:00
|
|
|
this->prf = NULL;
|
2006-10-30 14:07:05 +00:00
|
|
|
this->auth_verify = NULL;
|
|
|
|
this->auth_build = NULL;
|
2006-07-03 06:27:45 +00:00
|
|
|
this->child_prf = NULL;
|
2006-06-22 06:36:28 +00:00
|
|
|
this->nat_here = FALSE;
|
|
|
|
this->nat_there = FALSE;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->transaction_queue = linked_list_create();
|
|
|
|
this->transaction_in = NULL;
|
|
|
|
this->transaction_in_next = NULL;
|
|
|
|
this->transaction_out = NULL;
|
2006-08-23 07:30:43 +00:00
|
|
|
this->rekeying_transaction = NULL;
|
2006-07-13 08:26:54 +00:00
|
|
|
this->state = IKE_CREATED;
|
2006-07-05 10:53:20 +00:00
|
|
|
this->message_id_out = 0;
|
2006-10-26 09:46:56 +00:00
|
|
|
/* set to NOW, as when we rekey an existing IKE_SA no message is exchanged
|
|
|
|
* and inbound therefore uninitialized */
|
2006-07-27 12:18:40 +00:00
|
|
|
this->time.inbound = this->time.outbound = time(NULL);
|
|
|
|
this->time.established = 0;
|
|
|
|
this->time.rekey = 0;
|
|
|
|
this->time.delete = 0;
|
2006-09-05 14:07:25 +00:00
|
|
|
this->dpd_delay = 0;
|
|
|
|
this->retrans_sequences = 0;
|
2006-07-05 10:53:20 +00:00
|
|
|
|
|
|
|
return &this->public;
|
2005-11-08 13:33:28 +00:00
|
|
|
}
|