diff --git a/src/charon/Makefile.am b/src/charon/Makefile.am index c8bd339fc..d7454f60f 100644 --- a/src/charon/Makefile.am +++ b/src/charon/Makefile.am @@ -17,6 +17,7 @@ sa/transactions/create_child_sa.h sa/transactions/create_child_sa.c \ sa/transactions/delete_child_sa.h sa/transactions/delete_child_sa.c \ sa/transactions/dead_peer_detection.h sa/transactions/dead_peer_detection.c \ sa/transactions/delete_ike_sa.h sa/transactions/delete_ike_sa.c \ +sa/transactions/rekey_ike_sa.h sa/transactions/rekey_ike_sa.c \ sa/child_sa.c sa/child_sa.h sa/ike_sa.c sa/ike_sa.h sa/ike_sa_manager.c sa/ike_sa_manager.h \ sa/ike_sa_id.c sa/ike_sa_id.h sa/authenticator.c sa/authenticator.h encoding/payloads/encryption_payload.c \ encoding/payloads/cert_payload.c encoding/payloads/payload.h encoding/payloads/traffic_selector_substructure.c \ @@ -43,11 +44,9 @@ queues/jobs/incoming_packet_job.c queues/jobs/delete_half_open_ike_sa_job.c \ queues/jobs/delete_established_ike_sa_job.h queues/jobs/delete_half_open_ike_sa_job.h \ queues/jobs/incoming_packet_job.h queues/jobs/retransmit_request_job.c queues/jobs/initiate_job.c \ queues/jobs/send_keepalive_job.c queues/jobs/send_keepalive_job.h \ -queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h \ -queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \ -queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h \ -queues/jobs/route_job.c queues/jobs/route_job.h \ -queues/jobs/acquire_job.c queues/jobs/acquire_job.h \ +queues/jobs/rekey_child_sa_job.c queues/jobs/rekey_child_sa_job.h queues/jobs/delete_child_sa_job.c queues/jobs/delete_child_sa_job.h \ +queues/jobs/send_dpd_job.c queues/jobs/send_dpd_job.h queues/jobs/route_job.c queues/jobs/route_job.h \ +queues/jobs/acquire_job.c queues/jobs/acquire_job.h queues/jobs/rekey_ike_sa_job.c queues/jobs/rekey_ike_sa_job.h \ queues/job_queue.c queues/event_queue.c queues/send_queue.h queues/job_queue.h queues/event_queue.h \ queues/send_queue.c threads/kernel_interface.c threads/thread_pool.c threads/scheduler.c threads/sender.c \ threads/sender.h threads/kernel_interface.h threads/scheduler.h threads/receiver.c threads/stroke_interface.c \ diff --git a/src/charon/config/connections/connection.c b/src/charon/config/connections/connection.c index e1ab0392d..3ecc08a16 100644 --- a/src/charon/config/connections/connection.c +++ b/src/charon/config/connections/connection.c @@ -109,6 +109,22 @@ struct private_connection_t { * Supported proposals */ linked_list_t *proposals; + + /** + * Time before an SA gets invalid + */ + u_int32_t soft_lifetime; + + /** + * Time before an SA gets rekeyed + */ + u_int32_t hard_lifetime; + + /** + * Time, which specifies the range of a random value + * substracted from soft_lifetime. + */ + u_int32_t jitter; }; /** @@ -164,7 +180,19 @@ static host_t *get_other_host (private_connection_t *this) */ static linked_list_t* get_proposals(private_connection_t *this) { - return this->proposals; + iterator_t *iterator; + proposal_t *current; + linked_list_t *proposals = linked_list_create(); + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + current = current->clone(current); + proposals->insert_last(proposals, (void*)current); + } + iterator->destroy(iterator); + + return proposals; } /** @@ -273,6 +301,25 @@ static bool check_dh_group(private_connection_t *this, diffie_hellman_group_t dh prop_iter->destroy(prop_iter); return FALSE; } +/** + * Implementation of connection_t.get_soft_lifetime + */ +static u_int32_t get_soft_lifetime(private_connection_t *this) +{ + if (this->jitter == 0) + { + return this->soft_lifetime ; + } + return this->soft_lifetime - (random() % this->jitter); +} + +/** + * Implementation of connection_t.get_hard_lifetime + */ +static u_int32_t get_hard_lifetime(private_connection_t *this) +{ + return this->hard_lifetime; +} /** * Implementation of connection_t.get_ref. @@ -310,8 +357,10 @@ static void destroy(private_connection_t *this) connection_t * connection_create(char *name, bool ikev2, cert_policy_t cert_policy, cert_policy_t certreq_policy, - host_t *my_host, host_t *other_host, - auth_method_t auth_method) + host_t *my_host, host_t *other_host, + auth_method_t auth_method, + u_int32_t hard_lifetime, + u_int32_t soft_lifetime, u_int32_t jitter) { private_connection_t *this = malloc_thing(private_connection_t); @@ -328,6 +377,8 @@ connection_t * connection_create(char *name, bool ikev2, this->public.get_auth_method = (auth_method_t(*)(connection_t*)) get_auth_method; this->public.get_dh_group = (diffie_hellman_group_t(*)(connection_t*)) get_dh_group; this->public.check_dh_group = (bool(*)(connection_t*,diffie_hellman_group_t)) check_dh_group; + this->public.get_soft_lifetime = (u_int32_t (*) (connection_t *))get_soft_lifetime; + this->public.get_hard_lifetime = (u_int32_t (*) (connection_t *))get_hard_lifetime; this->public.get_ref = (void(*)(connection_t*))get_ref; this->public.destroy = (void(*)(connection_t*))destroy; @@ -340,6 +391,9 @@ connection_t * connection_create(char *name, bool ikev2, this->my_host = my_host; this->other_host = other_host; this->auth_method = auth_method; + this->hard_lifetime = hard_lifetime; + this->soft_lifetime = soft_lifetime; + this->jitter = jitter; this->proposals = linked_list_create(); diff --git a/src/charon/config/connections/connection.h b/src/charon/config/connections/connection.h index 111acd5e1..068dd710b 100644 --- a/src/charon/config/connections/connection.h +++ b/src/charon/config/connections/connection.h @@ -134,8 +134,7 @@ struct connection_t { /** * @brief Returns a list of all supported proposals. * - * Returned list is still owned by connection and MUST NOT - * modified or destroyed. + * Returned list and its proposals must be destroyed after usage. * * @param this calling object * @return list containing all the proposals @@ -235,6 +234,25 @@ struct connection_t { * @return TRUE if group acceptable */ bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group); + + /** + * @brief Get the lifetime of a connection, before IKE_SA rekeying starts. + * + * A call to this function automatically adds a jitter to + * avoid simultanous rekeying. + * + * @param this calling object + * @return lifetime in seconds + */ + u_int32_t (*get_soft_lifetime) (connection_t *this); + + /** + * @brief Get the lifetime of a connection, before IKE_SA gets deleted. + * + * @param this calling object + * @return lifetime in seconds + */ + u_int32_t (*get_hard_lifetime) (connection_t *this); /** * @brief Get a new reference to this connection. @@ -271,6 +289,9 @@ struct connection_t { * @param my_host host_t representing local address * @param other_host host_t representing remote address * @param auth_method Authentication method to use for our(!) auth data + * @param hard_lifetime lifetime before deleting an IKE_SA + * @param soft_lifetime lifetime before rekeying an IKE_SA + * @param jitter range of randomization time * @return connection_t object. * * @ingroup config @@ -278,6 +299,7 @@ struct connection_t { connection_t * connection_create(char *name, bool ikev2, cert_policy_t cert_pol, cert_policy_t req_pol, host_t *my_host, host_t *other_host, - auth_method_t auth_method); + auth_method_t auth_method, u_int32_t hard_lifetime, + u_int32_t soft_lifetime, u_int32_t jitter); #endif /* CONNECTION_H_ */ diff --git a/src/charon/config/policies/policy.c b/src/charon/config/policies/policy.c index a64af3271..14fa93b4e 100644 --- a/src/charon/config/policies/policy.c +++ b/src/charon/config/policies/policy.c @@ -258,7 +258,19 @@ static linked_list_t *select_other_traffic_selectors(private_policy_t *this, */ static linked_list_t *get_proposals(private_policy_t *this) { - return this->proposals; + iterator_t *iterator; + proposal_t *current; + linked_list_t *proposals = linked_list_create(); + + iterator = this->proposals->create_iterator(this->proposals, TRUE); + while (iterator->iterate(iterator, (void**)¤t)) + { + current = current->clone(current); + proposals->insert_last(proposals, (void*)current); + } + iterator->destroy(iterator); + + return proposals; } /** @@ -349,7 +361,6 @@ static u_int32_t get_soft_lifetime(private_policy_t *this) { return this->soft_lifetime ; } - srandom(time(NULL)+getpid()); return this->soft_lifetime - (random() % this->jitter); } diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h index 1a539f5bc..1659a7070 100644 --- a/src/charon/config/policies/policy.h +++ b/src/charon/config/policies/policy.h @@ -136,8 +136,7 @@ struct policy_t { * * policy_t does store proposals for AH/ESP, IKE proposals are in * the connection_t. - * List and Items are still owned by policy and MUST NOT - * be manipulated or freed! + * Resulting list and all of its proposals must be freed after usage. * * @param this calling object * @return lists with proposals diff --git a/src/charon/daemon.c b/src/charon/daemon.c index e017165e0..5e4a67a20 100644 --- a/src/charon/daemon.c +++ b/src/charon/daemon.c @@ -28,6 +28,7 @@ #include #include #include +#include #include #include #include @@ -171,6 +172,9 @@ static void initialize(private_daemon_t *this, bool strict) { credential_store_t* credentials; + /* for uncritical pseudo random numbers */ + srandom(time(NULL) + getpid()); + this->public.configuration = configuration_create(); this->public.socket = socket_create(IKEV2_UDP_PORT, IKEV2_NATT_PORT); this->public.interfaces = interfaces_create(IKEV2_UDP_PORT); diff --git a/src/charon/doc/Todo-list.txt b/src/charon/doc/Todo-list.txt index b0835cda8..788a06c54 100644 --- a/src/charon/doc/Todo-list.txt +++ b/src/charon/doc/Todo-list.txt @@ -50,7 +50,7 @@ - implement 3DES to load encrypted pem files + ipsec.secrets parsing -/ trapping ++ trapping + proper delete messages - notifys on connection setup failure + create child sa message/rekeying @@ -59,7 +59,7 @@ when a blocked IKE_SA receives a lot of messages - add a crl fetch mechanism which synchronizes equal fetches -- replace state machine with something more transaction oriented -- find existing IKE_SA on CHILD_SA initiation ++ replace state machine with something more transaction oriented ++ find existing IKE_SA on CHILD_SA initiation - configure flag which allows to ommit vendor id in pluto diff --git a/src/charon/encoding/payloads/proposal_substructure.c b/src/charon/encoding/payloads/proposal_substructure.c index cf4e413ea..540e44587 100644 --- a/src/charon/encoding/payloads/proposal_substructure.c +++ b/src/charon/encoding/payloads/proposal_substructure.c @@ -105,31 +105,30 @@ struct private_proposal_substructure_t { /** * Encoding rules to parse or generate a Proposal substructure. - * + * * The defined offsets are the positions in a object of type * private_proposal_substructure_t. - * */ encoding_rule_t proposal_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, + { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, 0 }, /* Length of the whole proposal substructure payload*/ - { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, + { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, /* proposal number is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) }, + { U_INT_8, offsetof(private_proposal_substructure_t, proposal_number) }, /* protocol ID is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) }, + { U_INT_8, offsetof(private_proposal_substructure_t, protocol_id) }, /* SPI Size has its own type */ - { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) }, + { SPI_SIZE, offsetof(private_proposal_substructure_t, spi_size) }, /* Number of transforms is a number of 8 bit */ - { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, + { U_INT_8, offsetof(private_proposal_substructure_t, transforms_count) }, /* SPI is a chunk of variable size*/ - { SPI, offsetof(private_proposal_substructure_t, spi) }, + { SPI, offsetof(private_proposal_substructure_t, spi) }, /* Transforms are stored in a transform substructure, offset points to a linked_list_t pointer */ - { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) } + { TRANSFORMS, offsetof(private_proposal_substructure_t, transforms) } }; /* @@ -169,6 +168,31 @@ static status_t verify(private_proposal_substructure_t *this) return FAILED; } + switch (this->protocol_id) + { + case PROTO_AH: + case PROTO_ESP: + if (this->spi.len != 4) + { + this->logger->log(this->logger, ERROR, + "invalid SPI length in %s proposal", + mapping_find(protocol_id_m, this->protocol_id)); + return FAILED; + } + break; + case PROTO_IKE: + if (this->spi.len != 0 && this->spi.len != 8) + { + this->logger->log(this->logger, ERROR, + "invalid SPI length in IKE proposal"); + return FAILED; + } + break; + default: + this->logger->log(this->logger, ERROR, + "invalid proposal protocol (%d)", this->protocol_id); + return FAILED; + } if ((this->protocol_id == 0) || (this->protocol_id >= 4)) { /* reserved are not supported */ @@ -177,12 +201,11 @@ static status_t verify(private_proposal_substructure_t *this) } iterator = this->transforms->create_iterator(this->transforms,TRUE); - while(iterator->has_next(iterator)) { payload_t *current_transform; iterator->current(iterator,(void **)¤t_transform); - + status = current_transform->verify(current_transform); if (status != SUCCESS) { @@ -190,10 +213,8 @@ static status_t verify(private_proposal_substructure_t *this) break; } } - iterator->destroy(iterator); - - + /* proposal number is checked in SA payload */ return status; } @@ -275,7 +296,6 @@ static void set_is_last_proposal (private_proposal_substructure_t *this, bool is this->next_payload = (is_last) ? 0: PROPOSAL_TYPE_VALUE; } - /** * Implementation of proposal_substructure_t.set_proposal_number. */ @@ -303,7 +323,7 @@ static void set_protocol_id(private_proposal_substructure_t *this,u_int8_t proto /** * Implementation of proposal_substructure_t.get_protocol_id. */ -static u_int8_t get_protocol_id (private_proposal_substructure_t *this) +static u_int8_t get_protocol_id(private_proposal_substructure_t *this) { return (this->protocol_id); } @@ -311,7 +331,7 @@ static u_int8_t get_protocol_id (private_proposal_substructure_t *this) /** * Implementation of proposal_substructure_t.set_spi. */ -static void set_spi (private_proposal_substructure_t *this, chunk_t spi) +static void set_spi(private_proposal_substructure_t *this, chunk_t spi) { /* first delete already set spi value */ if (this->spi.ptr != NULL) @@ -331,54 +351,19 @@ static void set_spi (private_proposal_substructure_t *this, chunk_t spi) /** * Implementation of proposal_substructure_t.get_spi. */ -static chunk_t get_spi (private_proposal_substructure_t *this) +static chunk_t get_spi(private_proposal_substructure_t *this) { chunk_t spi; spi.ptr = this->spi.ptr; - spi.len = this->spi.len; + spi.len = this->spi.len; return spi; } -/** - * Implementation of proposal_substructure_t.get_info_for_transform_type. - */ -static status_t get_info_for_transform_type (private_proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length) -{ - iterator_t *iterator; - status_t status; - u_int16_t found_transform_id; - u_int16_t found_key_length; - - iterator = this->transforms->create_iterator(this->transforms,TRUE); - - while (iterator->has_next(iterator)) - { - transform_substructure_t *current_transform; - status = iterator->current(iterator,(void **) ¤t_transform); - if (status != SUCCESS) - { - break; - } - if (current_transform->get_transform_type(current_transform) == type) - { - /* now get data for specific type */ - found_transform_id = current_transform->get_transform_id(current_transform); - status = current_transform->get_key_length(current_transform,&found_key_length); - *transform_id = found_transform_id; - *key_length = found_key_length; - iterator->destroy(iterator); - return status; - } - } - iterator->destroy(iterator); - return NOT_FOUND; -} - /** * Implementation of private_proposal_substructure_t.compute_length. */ -static void compute_length (private_proposal_substructure_t *this) +static void compute_length(private_proposal_substructure_t *this) { iterator_t *iterator; size_t transforms_count = 0; @@ -550,7 +535,6 @@ proposal_substructure_t *proposal_substructure_create() this->public.get_proposal_number = (u_int8_t (*) (proposal_substructure_t *)) get_proposal_number; this->public.set_protocol_id = (void (*) (proposal_substructure_t *,u_int8_t))set_protocol_id; this->public.get_protocol_id = (u_int8_t (*) (proposal_substructure_t *)) get_protocol_id; - this->public.get_info_for_transform_type = (status_t (*) (proposal_substructure_t *,transform_type_t,u_int16_t *, u_int16_t *))get_info_for_transform_type; this->public.set_is_last_proposal = (void (*) (proposal_substructure_t *,bool)) set_is_last_proposal; this->public.get_proposal = (proposal_t* (*) (proposal_substructure_t*))get_proposal; this->public.set_spi = (void (*) (proposal_substructure_t *,chunk_t))set_spi; @@ -643,16 +627,26 @@ proposal_substructure_t *proposal_substructure_create_from_proposal(proposal_t * } iterator->destroy(iterator); - /* take over general infos */ - this->spi_size = proposal->get_protocol(proposal) == PROTO_IKE ? 0 : 4; - this->spi.len = this->spi_size; - if (this->spi_size == 4) + /* add SPI, if necessary */ + switch (proposal->get_protocol(proposal)) { - this->spi.ptr = malloc(this->spi_size); - *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal); + case PROTO_AH: + case PROTO_ESP: + this->spi_size = this->spi.len = 4; + this->spi.ptr = malloc(this->spi_size); + *((u_int32_t*)this->spi.ptr) = proposal->get_spi(proposal); + break; + case PROTO_IKE: + if (proposal->get_spi(proposal)) + { /* IKE only uses SPIS when rekeying, but on initial setup */ + this->spi_size = this->spi.len = 8; + this->spi.ptr = malloc(this->spi_size); + *((u_int64_t*)this->spi.ptr) = proposal->get_spi(proposal); + } + break; } this->proposal_number = 0; this->protocol_id = proposal->get_protocol(proposal); - return &(this->public); + return &this->public; } diff --git a/src/charon/encoding/payloads/proposal_substructure.h b/src/charon/encoding/payloads/proposal_substructure.h index 67a83edc2..b9bd0a8b3 100644 --- a/src/charon/encoding/payloads/proposal_substructure.h +++ b/src/charon/encoding/payloads/proposal_substructure.h @@ -68,12 +68,12 @@ struct proposal_substructure_t { * @param forward iterator direction (TRUE: front to end) * @return created iterator_t object */ - iterator_t * (*create_transform_substructure_iterator) (proposal_substructure_t *this, bool forward); + iterator_t *(*create_transform_substructure_iterator) (proposal_substructure_t *this, bool forward); /** * @brief Adds a transform_substructure_t object to this object. * - * @warning The added transform_substructure_t object is + * @warning The added transform_substructure_t object is * getting destroyed in destroy function of proposal_substructure_t. * * @param this calling proposal_substructure_t object @@ -129,20 +129,6 @@ struct proposal_substructure_t { */ u_int8_t (*get_protocol_id) (proposal_substructure_t *this); - /** - * @brief Get informations for a specific transform type. - * - * @param this calling proposal_substructure_t object - * @param type type to get informations for - * @param transform_id transform id of the specific type - * @param key_length key length of the specific key length transform attribute - * @return - * - SUCCESS if transform type is part of this proposal and - * all data (incl. key length) could be fetched - * - NOT_FOUND if transform type is not part of this proposal - */ - status_t (*get_info_for_transform_type) (proposal_substructure_t *this,transform_type_t type, u_int16_t *transform_id, u_int16_t *key_length); - /** * @brief Sets the next_payload field of this substructure * @@ -153,7 +139,7 @@ struct proposal_substructure_t { * @param is_last When TRUE, next payload field is set to 0, otherwise to 2 */ void (*set_is_last_proposal) (proposal_substructure_t *this, bool is_last); - + /** * @brief Returns the currently set SPI of this proposal. * diff --git a/src/charon/queues/jobs/delete_established_ike_sa_job.c b/src/charon/queues/jobs/delete_established_ike_sa_job.c index 9e0e39b8e..e5230e532 100644 --- a/src/charon/queues/jobs/delete_established_ike_sa_job.c +++ b/src/charon/queues/jobs/delete_established_ike_sa_job.c @@ -62,12 +62,10 @@ static job_type_t get_type(private_delete_established_ike_sa_job_t *this) */ static status_t execute(private_delete_established_ike_sa_job_t *this) { - status_t status; - - status = charon->ike_sa_manager->delete(charon->ike_sa_manager, this->ike_sa_id); - if (status != SUCCESS) + if (charon->ike_sa_manager->delete(charon->ike_sa_manager, + this->ike_sa_id) != SUCCESS) { - this->logger->log(this->logger, CONTROL, "IKE SA didn't exist anymore"); + this->logger->log(this->logger, ERROR|LEVEL1, "IKE SA didn't exist anymore"); } return DESTROY_ME; } diff --git a/src/charon/queues/jobs/incoming_packet_job.c b/src/charon/queues/jobs/incoming_packet_job.c index d9661038e..69ef141ec 100644 --- a/src/charon/queues/jobs/incoming_packet_job.c +++ b/src/charon/queues/jobs/incoming_packet_job.c @@ -149,7 +149,10 @@ static status_t execute(private_incoming_packet_job_t *this) "received packet with SPIs %llx:%llx, but no such IKE_SA", ike_sa_id->get_initiator_spi(ike_sa_id), ike_sa_id->get_responder_spi(ike_sa_id)); - send_notify_response(this, message, INVALID_IKE_SPI); + if (message->get_request(message)) + { + send_notify_response(this, message, INVALID_IKE_SPI); + } ike_sa_id->destroy(ike_sa_id); message->destroy(message); return DESTROY_ME; diff --git a/src/charon/queues/jobs/initiate_job.c b/src/charon/queues/jobs/initiate_job.c index 43670485d..4b5b704ae 100644 --- a/src/charon/queues/jobs/initiate_job.c +++ b/src/charon/queues/jobs/initiate_job.c @@ -71,7 +71,6 @@ static status_t execute(private_initiate_job_t *this) { ike_sa_t *ike_sa; - this->logger->log(this->logger, CONTROL|LEVEL2, "getting an IKE SA"); ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager, this->policy->get_my_id(this->policy), this->policy->get_other_id(this->policy)); diff --git a/src/charon/queues/jobs/job.c b/src/charon/queues/jobs/job.c index 1808a3faa..f99ea14c1 100644 --- a/src/charon/queues/jobs/job.c +++ b/src/charon/queues/jobs/job.c @@ -29,8 +29,13 @@ mapping_t job_type_m[] = { {INCOMING_PACKET, "INCOMING_PACKET"}, {RETRANSMIT_REQUEST, "RETRANSMIT_REQUEST"}, {INITIATE, "INITIATE"}, - {DELETE_HALF_OPEN_IKE_SA, "DELETE_HALF_OPEN_IKE_SA"}, + {ROUTE, "ROUTE"}, + {ACQUIRE, "ACQUIRE"}, {DELETE_ESTABLISHED_IKE_SA, "DELETE_ESTABLISHED_IKE_SA"}, + {DELETE_HALF_OPEN_IKE_SA, "DELETE_HALF_OPEN_IKE_SA"}, + {DELETE_CHILD_SA, "DELETE_CHILD_SA"}, + {REKEY_CHILD_SA, "REKEY_CHILD_SA"}, + {REKEY_IKE_SA, "REKEY_IKE_SA"}, {SEND_KEEPALIVE, "SEND_KEEPALIVE"}, {SEND_DPD, "SEND_DPD"}, {MAPPING_END, NULL} diff --git a/src/charon/queues/jobs/job.h b/src/charon/queues/jobs/job.h index 86af1a318..d1b0a5c82 100644 --- a/src/charon/queues/jobs/job.h +++ b/src/charon/queues/jobs/job.h @@ -99,6 +99,13 @@ enum job_type_t { */ REKEY_CHILD_SA, + /** + * Rekey an IKE_SA + * + * Job is implemented in class rekey_ike_sa_job_t + */ + REKEY_IKE_SA, + /** * Send a keepalive packet. * diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.c b/src/charon/queues/jobs/rekey_ike_sa_job.c new file mode 100644 index 000000000..f163af50d --- /dev/null +++ b/src/charon/queues/jobs/rekey_ike_sa_job.c @@ -0,0 +1,105 @@ +/** + * @file rekey_ike_sa_job.c + * + * @brief Implementation of rekey_ike_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "rekey_ike_sa_job.h" + +#include + + +typedef struct private_rekey_ike_sa_job_t private_rekey_ike_sa_job_t; + +/** + * Private data of an rekey_ike_sa_job_t object. + */ +struct private_rekey_ike_sa_job_t { + /** + * Public rekey_ike_sa_job_t interface. + */ + rekey_ike_sa_job_t public; + + /** + * ID of the IKE_SA to rekey + */ + ike_sa_id_t *ike_sa_id; + + /** + * Logger ref + */ + logger_t *logger; +}; + +/** + * Implementation of job_t.get_type. + */ +static job_type_t get_type(private_rekey_ike_sa_job_t *this) +{ + return REKEY_IKE_SA; +} + +/** + * Implementation of job_t.execute. + */ +static status_t execute(private_rekey_ike_sa_job_t *this) +{ + ike_sa_t *ike_sa; + + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + this->ike_sa_id); + if (ike_sa == NULL) + { + this->logger->log(this->logger, ERROR, + "IKE_SA to rekey not found"); + return DESTROY_ME; + } + ike_sa->rekey(ike_sa); + + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return DESTROY_ME; +} + +/** + * Implementation of job_t.destroy. + */ +static void destroy(private_rekey_ike_sa_job_t *this) +{ + this->ike_sa_id->destroy(this->ike_sa_id); + free(this); +} + +/* + * Described in header + */ +rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id) +{ + private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t); + + /* interface functions */ + this->public.job_interface.get_type = (job_type_t (*) (job_t *)) get_type; + this->public.job_interface.execute = (status_t (*) (job_t *)) execute; + this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + + /* private variables */ + this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + this->logger = logger_manager->get_logger(logger_manager, WORKER); + + return &(this->public); +} diff --git a/src/charon/queues/jobs/rekey_ike_sa_job.h b/src/charon/queues/jobs/rekey_ike_sa_job.h new file mode 100644 index 000000000..1fb3fb691 --- /dev/null +++ b/src/charon/queues/jobs/rekey_ike_sa_job.h @@ -0,0 +1,60 @@ +/** + * @file rekey_ike_sa_job.h + * + * @brief Interface of rekey_ike_sa_job_t. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef REKEY_IKE_SA_JOB_H_ +#define REKEY_IKE_SA_JOB_H_ + +#include +#include +#include + + +typedef struct rekey_ike_sa_job_t rekey_ike_sa_job_t; + +/** + * @brief Class representing an REKEY_IKE_SA Job. + * + * This job initiates the rekeying of an IKE_SA. + * + * @b Constructors: + * - rekey_ike_sa_job_create() + * + * @ingroup jobs + */ +struct rekey_ike_sa_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * @brief Creates a job of type REKEY_IKE_SA. + * + * @param ike_sa_id ID of the IKE_SA to rekey + * @return rekey_ike_sa_job_t object + * + * @ingroup jobs + */ +rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id); + +#endif /* REKEY_IKE_SA_JOB_H_ */ diff --git a/src/charon/queues/jobs/route_job.c b/src/charon/queues/jobs/route_job.c index b6a862691..ae773afdf 100644 --- a/src/charon/queues/jobs/route_job.c +++ b/src/charon/queues/jobs/route_job.c @@ -74,11 +74,9 @@ static status_t execute(private_route_job_t *this) { ike_sa_t *ike_sa; - this->logger->log(this->logger, CONTROL|LEVEL2, "getting an IKE SA"); ike_sa = charon->ike_sa_manager->checkout_by_ids(charon->ike_sa_manager, this->policy->get_my_id(this->policy), this->policy->get_other_id(this->policy)); - if (this->route) { if (ike_sa->route(ike_sa, this->connection, this->policy) != SUCCESS) diff --git a/src/charon/sa/child_sa.c b/src/charon/sa/child_sa.c index d73542163..ae5601e49 100644 --- a/src/charon/sa/child_sa.c +++ b/src/charon/sa/child_sa.c @@ -552,7 +552,7 @@ static status_t get_use_time(private_child_sa_t *this, bool inbound, time_t *use { iterator_t *iterator; sa_policy_t *policy; - status_t status; + status_t status = FAILED; *use_time = UNDEFINED_TIME; diff --git a/src/charon/sa/ike_sa.c b/src/charon/sa/ike_sa.c index c3011ecba..fba94cce0 100644 --- a/src/charon/sa/ike_sa.c +++ b/src/charon/sa/ike_sa.c @@ -49,12 +49,13 @@ #include #include #include +#include #include #include #include #include #include - +#include /** * String mappings for ike_sa_state_t. @@ -186,14 +187,20 @@ struct private_ike_sa_t { u_int32_t message_id_out; /** - * Timestamp of last IKE message received on this SA + * Timestamps for this IKE_SA */ - time_t time_inbound; - - /** - * Timestamp of last IKE message sent on this SA - */ - time_t time_outbound; + struct { + /** last IKE message received */ + u_int32_t inbound; + /** last IKE message sent */ + u_int32_t outbound; + /** when IKE_SA became established */ + u_int32_t established; + /** when IKE_SA gets rekeyed */ + u_int32_t rekey; + /** when IKE_SA gets deleted */ + u_int32_t delete; + } time; /** * List of queued transactions to process @@ -247,7 +254,7 @@ static time_t get_kernel_time(private_ike_sa_t* this, bool inbound) */ static time_t get_time_inbound(private_ike_sa_t *this) { - return max(this->time_inbound, get_kernel_time(this, TRUE)); + return max(this->time.inbound, get_kernel_time(this, TRUE)); } /** @@ -255,7 +262,7 @@ static time_t get_time_inbound(private_ike_sa_t *this) */ static time_t get_time_outbound(private_ike_sa_t *this) { - return max(this->time_outbound, get_kernel_time(this, FALSE)); + return max(this->time.outbound, get_kernel_time(this, FALSE)); } /** @@ -283,6 +290,15 @@ static host_t *get_my_host(private_ike_sa_t *this) return this->my_host; } +/** + * Implementation of ike_sa_t.set_my_host. + */ +static void set_my_host(private_ike_sa_t *this, host_t *me) +{ + DESTROY_IF(this->my_host); + this->my_host = me; +} + /** * Implementation of ike_sa_t.get_other_host. */ @@ -291,6 +307,15 @@ static host_t *get_other_host(private_ike_sa_t *this) return this->other_host; } +/** + * Implementation of ike_sa_t.set_other_host. + */ +static void set_other_host(private_ike_sa_t *this, host_t *other) +{ + DESTROY_IF(this->other_host); + this->other_host = other; +} + /** * Update connection host, as addresses may change (NAT) */ @@ -437,7 +462,7 @@ static status_t transmit_request(private_ike_sa_t *this) } /* finally send */ charon->send_queue->add(charon->send_queue, packet); - this->time_outbound = time(NULL); + this->time.outbound = time(NULL); /* schedule retransmission job */ job = retransmit_request_job_create(message_id, this->ike_sa_id); @@ -548,7 +573,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) last->get_response(last, request, &response, &this->transaction_in_next); packet = response->get_packet(response); charon->send_queue->add(charon->send_queue, packet); - this->time_outbound = time(NULL); + this->time.outbound = time(NULL); return SUCCESS; } @@ -608,7 +633,7 @@ static status_t process_request(private_ike_sa_t *this, message_t *request) } charon->send_queue->add(charon->send_queue, packet); - this->time_outbound = time(NULL); + this->time.outbound = time(NULL); /* act depending on transaction result */ switch (status) { @@ -691,7 +716,7 @@ static void send_notify_response(private_ike_sa_t *this, return; } charon->send_queue->add(charon->send_queue, packet); - this->time_outbound = time(NULL); + this->time.outbound = time(NULL); response->destroy(response); return; } @@ -710,46 +735,49 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) status = message->parse_body(message, this->crypter_in, this->signer_in); if (status != SUCCESS) { - switch (status) + if (is_request) { - case NOT_SUPPORTED: - this->logger->log(this->logger, ERROR, - "ciritcal unknown payloads found"); - if (is_request) - { - send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); - } - break; - case PARSE_ERROR: - this->logger->log(this->logger, ERROR, - "message parsing failed"); - if (is_request) - { - send_notify_response(this, message, INVALID_SYNTAX); - } - break; - case VERIFY_ERROR: - this->logger->log(this->logger, ERROR, - "message verification failed"); - if (is_request) - { - send_notify_response(this, message, INVALID_SYNTAX); - } - break; - case FAILED: - this->logger->log(this->logger, ERROR, - "integrity check failed"); - /* ignored */ - break; - case INVALID_STATE: - this->logger->log(this->logger, ERROR, - "found encrypted message, but no keys available"); - if (is_request) - { - send_notify_response(this, message, INVALID_SYNTAX); - } - default: - break; + switch (status) + { + case NOT_SUPPORTED: + this->logger->log(this->logger, ERROR, + "ciritcal unknown payloads found"); + if (is_request) + { + send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); + } + break; + case PARSE_ERROR: + this->logger->log(this->logger, ERROR, + "message parsing failed"); + if (is_request) + { + send_notify_response(this, message, INVALID_SYNTAX); + } + break; + case VERIFY_ERROR: + this->logger->log(this->logger, ERROR, + "message verification failed"); + if (is_request) + { + send_notify_response(this, message, INVALID_SYNTAX); + } + break; + case FAILED: + this->logger->log(this->logger, ERROR, + "integrity check failed"); + /* ignored */ + break; + case INVALID_STATE: + this->logger->log(this->logger, ERROR, + "found encrypted message, but no keys available"); + if (is_request) + { + send_notify_response(this, message, INVALID_SYNTAX); + } + default: + break; + } } this->logger->log(this->logger, ERROR, "%s %s with message ID %d processing failed", @@ -765,7 +793,7 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) { update_hosts(this, message->get_destination(message), message->get_source(message)); - this->time_inbound = time(NULL); + this->time.inbound = time(NULL); } if (is_request) { @@ -1211,19 +1239,20 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) mapping_find(ike_sa_state_m, state)); if (state == IKE_ESTABLISHED) { + this->time.established = time(NULL); this->logger->log(this->logger, AUDIT, "IKE_SA established: %s[%s]...%s[%s]", - this->my_host->get_string(this->my_host), - this->my_id->get_string(this->my_id), - this->other_host->get_string(this->other_host), - this->other_id->get_string(this->other_id)); - + this->my_host->get_string(this->my_host), + this->my_id->get_string(this->my_id), + this->other_host->get_string(this->other_host), + this->other_id->get_string(this->other_id)); + /* start DPD checks */ send_dpd(this); } this->state = state; } /** - * Implementation of protected_ike_sa_t.get_prf. + * Implementation of ike_sa_t.get_prf. */ static prf_t *get_prf(private_ike_sa_t *this) { @@ -1231,7 +1260,7 @@ static prf_t *get_prf(private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.get_prf. + * Implementation of ike_sa_t.get_prf. */ static prf_t *get_child_prf(private_ike_sa_t *this) { @@ -1239,7 +1268,7 @@ static prf_t *get_child_prf(private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.get_prf_auth_i. + * Implementation of ike_sa_t.get_prf_auth_i. */ static prf_t *get_prf_auth_i(private_ike_sa_t *this) { @@ -1247,7 +1276,7 @@ static prf_t *get_prf_auth_i(private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.get_prf_auth_r. + * Implementation of ike_sa_t.get_prf_auth_r. */ static prf_t *get_prf_auth_r(private_ike_sa_t *this) { @@ -1297,21 +1326,24 @@ static void set_other_id(private_ike_sa_t *this, identification_t *other) } /** - * Implementation of protected_ike_sa_t.build_transforms. + * Implementation of ike_sa_t.derive_keys. */ -static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, - bool initiator) +static status_t derive_keys(private_ike_sa_t *this, + proposal_t *proposal, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, + bool initiator, prf_t *rekey_prf) { - chunk_t nonces, nonces_spis, skeyseed, key, secret; - u_int64_t spi_i, spi_r; prf_plus_t *prf_plus; + chunk_t skeyseed, secret, key, nonces, prf_plus_seed; algorithm_t *algo; size_t key_size; crypter_t *crypter_i, *crypter_r; signer_t *signer_i, *signer_r; + u_int8_t spi_i_buf[sizeof(u_int64_t)], spi_r_buf[sizeof(u_int64_t)]; + chunk_t spi_i = chunk_from_buf(spi_i_buf); + chunk_t spi_r = chunk_from_buf(spi_r_buf); - /* Build the PRF+ instance for deriving keys */ + /* Create SAs general purpose PRF first, we may use it here */ if (!proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo)) { this->logger->log(this->logger, ERROR, "no PSEUDO_RANDOM_FUNCTION selected!"); @@ -1325,39 +1357,46 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, return FAILED; } - /* nonces = nonce_i | nonce_r */ - nonces = chunk_alloc(nonce_i.len + nonce_r.len); - memcpy(nonces.ptr, nonce_i.ptr, nonce_i.len); - memcpy(nonces.ptr + nonce_i.len, nonce_r.ptr, nonce_r.len); - - /* prf_seed = nonce_i | nonce_r | spi_i | spi_r */ - nonces_spis = chunk_alloc(nonces.len + 16); - memcpy(nonces_spis.ptr, nonces.ptr, nonces.len); - spi_i = this->ike_sa_id->get_initiator_spi(this->ike_sa_id); - spi_r = this->ike_sa_id->get_responder_spi(this->ike_sa_id); - memcpy(nonces_spis.ptr + nonces.len, &spi_i, 8); - memcpy(nonces_spis.ptr + nonces.len + 8, &spi_r, 8); - - /* SKEYSEED = prf(Ni | Nr, g^ir) */ dh->get_shared_secret(dh, &secret); this->logger->log_chunk(this->logger, PRIVATE, "shared Diffie Hellman secret", secret); - this->prf->set_key(this->prf, nonces); - this->prf->allocate_bytes(this->prf, secret, &skeyseed); - this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed); - chunk_free(&secret); - - /* prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr ) - * = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr + nonces = chunk_cat("cc", nonce_i, nonce_r); + *((u_int64_t*)spi_i.ptr) = this->ike_sa_id->get_initiator_spi(this->ike_sa_id); + *((u_int64_t*)spi_r.ptr) = this->ike_sa_id->get_responder_spi(this->ike_sa_id); + prf_plus_seed = chunk_cat("ccc", nonces, spi_i, spi_r); + + /* KEYMAT = prf+ (SKEYSEED, Ni | Nr | SPIi | SPIr) + * + * if we are rekeying, SKEYSEED built on another way */ - this->prf->set_key(this->prf, skeyseed); - prf_plus = prf_plus_create(this->prf, nonces_spis); - - /* clean up unused stuff */ + if (rekey_prf == NULL) /* not rekeying */ + { + /* SKEYSEED = prf(Ni | Nr, g^ir) */ + this->prf->set_key(this->prf, nonces); + this->prf->allocate_bytes(this->prf, secret, &skeyseed); + this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed); + this->prf->set_key(this->prf, skeyseed); + chunk_free(&skeyseed); + chunk_free(&secret); + prf_plus = prf_plus_create(this->prf, prf_plus_seed); + } + else + { + /* SKEYSEED = prf(SK_d (old), [g^ir (new)] | Ni | Nr) */ + secret = chunk_cat("mc", secret, nonces); + rekey_prf->allocate_bytes(rekey_prf, secret, &skeyseed); + this->logger->log_chunk(this->logger, PRIVATE|LEVEL1, "SKEYSEED", skeyseed); + rekey_prf->set_key(rekey_prf, skeyseed); /* abuse of rekeyed SAs child_prf */ + chunk_free(&skeyseed); + chunk_free(&secret); + prf_plus = prf_plus_create(rekey_prf, prf_plus_seed); + } chunk_free(&nonces); - chunk_free(&nonces_spis); - chunk_free(&skeyseed); + chunk_free(&prf_plus_seed); - /* SK_d used for prf+ to derive keys for child SAs */ + /* KEYMAT = SK_d | SK_ai | SK_ar | SK_ei | SK_er | SK_pi | SK_pr */ + + /* SK_d is used for generating CHILD_SA key mat => child_prf */ + proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); this->child_prf = prf_create(algo->algorithm); key_size = this->child_prf->get_key_size(this->child_prf); prf_plus->allocate_bytes(prf_plus, key_size, &key); @@ -1365,13 +1404,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, this->child_prf->set_key(this->child_prf, key); chunk_free(&key); - /* SK_ai/SK_ar used for integrity protection */ + /* SK_ai/SK_ar used for integrity protection => signer_in/signer_out */ if (!proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &algo)) { this->logger->log(this->logger, ERROR, "no INTEGRITY_ALGORITHM selected?!"); return FAILED; } - signer_i = signer_create(algo->algorithm); signer_r = signer_create(algo->algorithm); if (signer_i == NULL || signer_r == NULL) @@ -1386,7 +1424,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ai secret", key); signer_i->set_key(signer_i, key); chunk_free(&key); - + prf_plus->allocate_bytes(prf_plus, key_size, &key); this->logger->log_chunk(this->logger, CONTROL|LEVEL1, "Sk_ar secret", key); signer_r->set_key(signer_r, key); @@ -1403,12 +1441,12 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, this->signer_out = signer_r; } - /* SK_ei/SK_er used for encryption */ + /* SK_ei/SK_er used for encryption => crypter_in/crypter_out */ if (!proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &algo)) { this->logger->log(this->logger, ERROR, "no ENCRYPTION_ALGORITHM selected!"); return FAILED; - } + } crypter_i = crypter_create(algo->algorithm, algo->key_size / 8); crypter_r = crypter_create(algo->algorithm, algo->key_size / 8); if (crypter_i == NULL || crypter_r == NULL) @@ -1442,7 +1480,7 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, this->crypter_out = crypter_r; } - /* SK_pi/SK_pr used for authentication */ + /* SK_pi/SK_pr used for authentication => prf_auth_i, prf_auth_r */ proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &algo); this->prf_auth_i = prf_create(algo->algorithm); this->prf_auth_r = prf_create(algo->algorithm); @@ -1462,10 +1500,11 @@ static status_t build_transforms(private_ike_sa_t *this, proposal_t *proposal, prf_plus->destroy(prf_plus); return SUCCESS; + } /** - * Implementation of protected_ike_sa_t.add_child_sa. + * Implementation of ike_sa_t.add_child_sa. */ static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa) { @@ -1473,7 +1512,7 @@ static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa) } /** - * Implementation of protected_ike_sa_t.has_child_sa. + * Implementation of ike_sa_t.has_child_sa. */ static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid) { @@ -1495,7 +1534,7 @@ static bool has_child_sa(private_ike_sa_t *this, u_int32_t reqid) } /** - * Implementation of protected_ike_sa_t.get_child_sa. + * Implementation of ike_sa_t.get_child_sa. */ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound) @@ -1556,7 +1595,7 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, } /** - * Implementation of protected_ike_sa_t.destroy_child_sa. + * Implementation of ike_sa_t.destroy_child_sa. */ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { @@ -1580,32 +1619,85 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return status; } +/** + * Implementation of ike_sa_t.set_lifetimes. + */ +static void set_lifetimes(private_ike_sa_t *this, + u_int32_t soft_lifetime, u_int32_t hard_lifetime) +{ + job_t *job; + + if (soft_lifetime) + { + this->time.rekey = this->time.established + soft_lifetime; + job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id); + charon->event_queue->add_relative(charon->event_queue, job, + soft_lifetime * 1000); + } + + if (hard_lifetime) + { + this->time.delete = this->time.established + hard_lifetime; + job = (job_t*)delete_established_ike_sa_job_create(this->ike_sa_id); + charon->event_queue->add_relative(charon->event_queue, job, + hard_lifetime * 1000); + } +} /** - * Implementation of protected_ike_sa_t.log_status. + * Implementation of ike_sa_t.rekey. + */ +static status_t rekey(private_ike_sa_t *this) +{ + rekey_ike_sa_t *rekey_ike_sa; + + this->logger->log(this->logger, CONTROL, + "rekeying IKE_SA between %s[%s]..%s[%s]", + this->my_host->get_string(this->my_host), + this->my_id->get_string(this->my_id), + this->other_host->get_string(this->other_host), + this->other_id->get_string(this->other_id)); + + if (this->state != IKE_ESTABLISHED) + { + this->logger->log(this->logger, ERROR, + "unable to rekey IKE_SA in state %s", + mapping_find(ike_sa_state_m, this->state)); + return FAILED; + } + + rekey_ike_sa = rekey_ike_sa_create(&this->public); + return queue_transaction(this, (transaction_t*)rekey_ike_sa, FALSE); +} + +/** + * Implementation of ike_sa_t.adopt_children. + */ +static void adopt_children(private_ike_sa_t *this, private_ike_sa_t *other) +{ + child_sa_t *child_sa; + + while (other->child_sas->remove_last(other->child_sas, + (void**)&child_sa) == SUCCESS) + { + this->child_sas->insert_first(this->child_sas, (void*)child_sa); + } +} + +/** + * Implementation of ike_sa_t.log_status. */ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name) { iterator_t *iterator; child_sa_t *child_sa; - char *my_host, *other_host, *my_id, *other_id; if (name == NULL || streq(name, this->name)) { if (logger == NULL) { logger = this->logger; - } - - my_host = this->my_host ? - this->my_host->get_string(this->my_host) : "(unknown)"; - other_host = this->other_host ? - this->other_host->get_string(this->other_host) : "(unknown)"; - my_id = this->my_id ? - this->my_id->get_string(this->my_id) : "(unknown)"; - other_id = this->other_id ? - this->other_id->get_string(this->other_id) : "(unknown)"; - + } logger->log(logger, CONTROL|LEVEL1, " \"%s\": IKE_SA in state %s, SPIs: 0x%.16llx 0x%.16llx", this->name, @@ -1613,7 +1705,11 @@ static void log_status(private_ike_sa_t *this, logger_t *logger, char *name) this->ike_sa_id->get_initiator_spi(this->ike_sa_id), this->ike_sa_id->get_responder_spi(this->ike_sa_id)); logger->log(logger, CONTROL, " \"%s\": %s[%s]...%s[%s]", - this->name, my_host, my_id, other_host, other_id); + this->name, + this->my_host->get_string(this->my_host), + this->my_id->get_string(this->my_id), + this->other_host->get_string(this->other_host), + this->other_id->get_string(this->other_id)); iterator = this->child_sas->create_iterator(this->child_sas, TRUE); while (iterator->has_next(iterator)) @@ -1671,7 +1767,7 @@ static bool is_natt_enabled (private_ike_sa_t *this) } /** - * Implementation of protected_ike_sa_t.enable_natt. + * Implementation of ike_sa_t.enable_natt. */ static void enable_natt (private_ike_sa_t *this, bool local) { @@ -1691,13 +1787,12 @@ static void enable_natt (private_ike_sa_t *this, bool local) } /** - * Implementation of protected_ike_sa_t.destroy. + * Implementation of ike_sa_t.destroy. */ static void destroy(private_ike_sa_t *this) { child_sa_t *child_sa; transaction_t *transaction; - char *my_host, *other_host, *my_id, *other_id; this->logger->log(this->logger, CONTROL|LEVEL2, "going to destroy IKE SA %llu:%llu, role %s", this->ike_sa_id->get_initiator_spi(this->ike_sa_id), @@ -1733,19 +1828,13 @@ static void destroy(private_ike_sa_t *this) DESTROY_IF(this->child_prf); DESTROY_IF(this->prf_auth_i); DESTROY_IF(this->prf_auth_r); - - my_host = this->my_host ? - this->my_host->get_string(this->my_host) : "(unknown)"; - other_host = this->other_host ? - this->other_host->get_string(this->other_host) : "(unknown)"; - my_id = this->my_id ? - this->my_id->get_string(this->my_id) : "(unknown)"; - other_id = this->other_id ? - this->other_id->get_string(this->other_id) : "(unknown)"; this->logger->log(this->logger, AUDIT, - "IKE_SA deleted between %s[%s]...%s[%s]", - my_host, my_id, other_host, other_id); + "IKE_SA deleted between %s[%s]...%s[%s]", + this->my_host->get_string(this->my_host), + this->my_id->get_string(this->my_id), + this->other_host->get_string(this->other_host), + this->other_id->get_string(this->other_id)); DESTROY_IF(this->my_host); DESTROY_IF(this->other_host); @@ -1776,7 +1865,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.acquire = (status_t(*)(ike_sa_t*,u_int32_t)) acquire; this->public.get_id = (ike_sa_id_t*(*)(ike_sa_t*)) get_id; this->public.get_my_host = (host_t*(*)(ike_sa_t*)) get_my_host; + this->public.set_my_host = (void(*)(ike_sa_t*,host_t*)) set_my_host; this->public.get_other_host = (host_t*(*)(ike_sa_t*)) get_other_host; + this->public.set_other_host = (void(*)(ike_sa_t*,host_t*)) set_other_host; this->public.get_my_id = (identification_t*(*)(ike_sa_t*)) get_my_id; this->public.set_my_id = (void(*)(ike_sa_t*,identification_t*)) set_my_id; this->public.get_other_id = (identification_t*(*)(ike_sa_t*)) get_other_id; @@ -1792,7 +1883,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.get_child_prf = (prf_t *(*) (ike_sa_t *)) get_child_prf; this->public.get_prf_auth_i = (prf_t *(*) (ike_sa_t *)) get_prf_auth_i; this->public.get_prf_auth_r = (prf_t *(*) (ike_sa_t *)) get_prf_auth_r; - this->public.build_transforms = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool)) build_transforms; + this->public.derive_keys = (status_t (*) (ike_sa_t *,proposal_t*,diffie_hellman_t*,chunk_t,chunk_t,bool,prf_t*)) derive_keys; this->public.add_child_sa = (void (*) (ike_sa_t*,child_sa_t*)) add_child_sa; this->public.has_child_sa = (bool(*)(ike_sa_t*,u_int32_t)) has_child_sa; this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa; @@ -1801,6 +1892,9 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa; this->public.enable_natt = (void(*)(ike_sa_t*, bool)) enable_natt; this->public.is_natt_enabled = (bool(*)(ike_sa_t*)) is_natt_enabled; + this->public.set_lifetimes = (void(*)(ike_sa_t*,u_int32_t,u_int32_t))set_lifetimes; + this->public.rekey = (status_t(*)(ike_sa_t*))rekey; + this->public.adopt_children = (void(*)(ike_sa_t*,ike_sa_t*))adopt_children; /* initialize private fields */ this->logger = logger_manager->get_logger(logger_manager, IKE_SA); @@ -1826,10 +1920,12 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) this->transaction_in_next = NULL; this->transaction_out = NULL; this->state = IKE_CREATED; - /* we start with message ID out, as ike_sa_init does not use this counter */ this->message_id_out = 0; - this->time_inbound = 0; - this->time_outbound = 0; + /* set to NOW, as when we rekey an existing IKE_SA no message is exchanged */ + this->time.inbound = this->time.outbound = time(NULL); + this->time.established = 0; + this->time.rekey = 0; + this->time.delete = 0; return &this->public; } diff --git a/src/charon/sa/ike_sa.h b/src/charon/sa/ike_sa.h index dfd24b049..b1b9a8fcd 100644 --- a/src/charon/sa/ike_sa.h +++ b/src/charon/sa/ike_sa.h @@ -177,6 +177,14 @@ struct ike_sa_t { */ host_t* (*get_my_host) (ike_sa_t *this); + /** + * @brief Set the own host address. + * + * @param this calling object + * @param me host address + */ + void (*set_my_host) (ike_sa_t *this, host_t *me); + /** * @brief Get the other peers host address. * @@ -185,6 +193,14 @@ struct ike_sa_t { */ host_t* (*get_other_host) (ike_sa_t *this); + /** + * @brief Set the others host address. + * + * @param this calling object + * @param other host address + */ + void (*set_other_host) (ike_sa_t *this, host_t *other); + /** * @brief Get the own identification. * @@ -389,22 +405,25 @@ struct ike_sa_t { /** * @brief Derive all keys and create the transforms for IKE communication. - * + * * Keys are derived using the diffie hellman secret, nonces and internal * stored SPIs. - * Already existing objects get destroyed. - * + * Key derivation differs when an IKE_SA is set up to replace an + * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA + * is included in the derivation process. + * * @param this calling object * @param proposal proposal which contains algorithms to use * @param dh diffie hellman object with shared secret * @param nonce_i initiators nonce * @param nonce_r responders nonce - * @param initiator role of this IKE SA (TRUE = originial initiator) + * @param initiator TRUE if initiator, FALSE otherwise + * @param rekey_prf PRF with SK_d key when rekeying, NULL otherwise */ - status_t (*build_transforms) (ike_sa_t *this, proposal_t* proposal, - diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r, - bool initiator); + status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, + diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, + bool initiator, prf_t *rekey_prf); /** * @brief Get the multi purpose prf. @@ -510,6 +529,42 @@ struct ike_sa_t { * - SUCCESS */ status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); + + /** + * @brief Set lifetimes of an IKE_SA. + * + * Two lifetimes are specified. The soft_lifetime says, when rekeying should + * be initiated. The hard_lifetime says, when the IKE_SA has been expired + * and must be deleted. Normally, hard_lifetime > soft_lifetime, and + * hard_lifetime is only reached when rekeying at soft_lifetime fails. + * + * @param this calling object + * @param soft_lifetime soft_lifetime + * @param hard_lifetime hard_lifetime + */ + void (*set_lifetimes) (ike_sa_t *this, + u_int32_t soft_lifetime, u_int32_t hard_lifetime); + + /** + * @brief Rekey the IKE_SA. + * + * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. + * + * @param this calling object + * @return - SUCCESS, if IKE_SA rekeying initiated + */ + status_t (*rekey) (ike_sa_t *this); + + /** + * @brief Move all children from other IKE_SA to this IKE_SA. + * + * After rekeying completes, all children are switched over to the + * newly created IKE_SA. + * + * @param this stepfather + * @param other deceased (rekeyed) IKE_SA + */ + void (*adopt_children) (ike_sa_t *this, ike_sa_t *other); /** * @brief Destroys a ike_sa_t object. diff --git a/src/charon/sa/ike_sa_manager.c b/src/charon/sa/ike_sa_manager.c index abb9c0fef..7e9ce1f57 100644 --- a/src/charon/sa/ike_sa_manager.c +++ b/src/charon/sa/ike_sa_manager.c @@ -402,7 +402,8 @@ static ike_sa_t* checkout_by_ids(private_ike_sa_manager_t *this, found_my_id = entry->ike_sa->get_my_id(entry->ike_sa); found_other_id = entry->ike_sa->get_other_id(entry->ike_sa); - if (!found_my_id || !found_other_id) + if (found_my_id->get_type(found_my_id) == ID_ANY && + found_other_id->get_type(found_other_id) == ID_ANY) { /* IKE_SA has no IDs yet, so we can't use it */ continue; @@ -447,7 +448,7 @@ static ike_sa_t* checkout_by_ids(private_ike_sa_manager_t *this, "new IKE_SA created for IDs %s - %s", my_id->get_string(my_id), other_id->get_string(other_id)); new_ike_sa_entry->checked_out = TRUE; - ike_sa = new_ike_sa_entry->ike_sa; + ike_sa = new_ike_sa_entry->ike_sa; } pthread_mutex_unlock(&(this->mutex)); @@ -476,8 +477,8 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id /* each access is locked */ pthread_mutex_lock(&(this->mutex)); - responder_spi_set = (FALSE != ike_sa_id->get_responder_spi(ike_sa_id)); - initiator_spi_set = (FALSE != ike_sa_id->get_initiator_spi(ike_sa_id)); + responder_spi_set = ike_sa_id->get_responder_spi(ike_sa_id); + initiator_spi_set = ike_sa_id->get_initiator_spi(ike_sa_id); original_initiator = ike_sa_id->is_initiator(ike_sa_id); if ((initiator_spi_set && responder_spi_set) || @@ -523,7 +524,6 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id u_int64_t responder_spi; ike_sa_entry_t *new_ike_sa_entry; - /* set SPIs, we are the responder */ responder_spi = this->get_next_spi(this); @@ -541,6 +541,26 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id new_ike_sa_entry->checked_out = TRUE; ike_sa = new_ike_sa_entry->ike_sa; } + else if (!initiator_spi_set && !responder_spi_set && original_initiator) + { + /* checkout of a new and unused IKE_SA, used for rekeying */ + ike_sa_entry_t *new_ike_sa_entry; + + ike_sa_id->set_initiator_spi(ike_sa_id, this->get_next_spi(this)); + /* create entry */ + new_ike_sa_entry = ike_sa_entry_create(ike_sa_id); + this->logger->log(this->logger, CONTROL|LEVEL2, + "created IKE_SA %llx:%llx, role %s", + ike_sa_id->get_initiator_spi(ike_sa_id), + ike_sa_id->get_responder_spi(ike_sa_id), + ike_sa_id->is_initiator(ike_sa_id) ? "initiator" : "responder"); + + this->ike_sa_list->insert_last(this->ike_sa_list, new_ike_sa_entry); + + /* check ike_sa out */ + new_ike_sa_entry->checked_out = TRUE; + ike_sa = new_ike_sa_entry->ike_sa; + } else { /* responder set, initiator not: here is something seriously wrong! */ @@ -829,7 +849,7 @@ static status_t delete_(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) } else { - this->logger->log(this->logger,ERROR, + this->logger->log(this->logger,ERROR|LEVEL1, "tried to delete nonexisting IKE_SA"); retval = NOT_FOUND; } diff --git a/src/charon/sa/transactions/create_child_sa.c b/src/charon/sa/transactions/create_child_sa.c index 4c29cabd1..7e34be0ba 100644 --- a/src/charon/sa/transactions/create_child_sa.c +++ b/src/charon/sa/transactions/create_child_sa.c @@ -187,6 +187,20 @@ static void destroy_ts_list(linked_list_t *list) } } +/** + * destroy a list of proposals + */ +static void destroy_proposal_list(linked_list_t *list) +{ + proposal_t *proposal; + + while (list->remove_last(list, (void**)&proposal) == SUCCESS) + { + proposal->destroy(proposal); + } + list->destroy(list); +} + /** * Implementation of transaction_t.get_request. */ @@ -280,6 +294,7 @@ static status_t get_request(private_create_child_sa_t *this, message_t **result) return FAILED; } sa_payload = sa_payload_create_from_proposal_list(proposals); + destroy_proposal_list(proposals); request->add_payload(request, (payload_t*)sa_payload); } @@ -628,7 +643,6 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request } { /* process SA payload */ - proposal_t *proposal; linked_list_t *proposal_list; sa_payload_t *sa_response; ts_payload_t *ts_response; @@ -640,13 +654,8 @@ static status_t get_response(private_create_child_sa_t *this, message_t *request proposal_list = sa_request->get_proposals(sa_request); this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:"); this->proposal = this->policy->select_proposal(this->policy, proposal_list); - /* list is not needed anymore */ - while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); - + destroy_proposal_list(proposal_list); + /* do we have a proposal? */ if (this->proposal == NULL) { @@ -814,18 +823,12 @@ static status_t conclude(private_create_child_sa_t *this, message_t *response, } { /* process sa payload */ - proposal_t *proposal; linked_list_t *proposal_list; proposal_list = sa_payload->get_proposals(sa_payload); /* we have to re-check here if other's selection is valid */ this->proposal = this->policy->select_proposal(this->policy, proposal_list); - /* list not needed anymore */ - while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); + destroy_proposal_list(proposal_list); /* everything fine to create CHILD? */ if (this->proposal == NULL || diff --git a/src/charon/sa/transactions/ike_auth.c b/src/charon/sa/transactions/ike_auth.c index f423665cf..8f9eeb835 100644 --- a/src/charon/sa/transactions/ike_auth.c +++ b/src/charon/sa/transactions/ike_auth.c @@ -191,6 +191,20 @@ static void destroy_ts_list(linked_list_t *list) } } +/** + * destroy a list of proposals + */ +static void destroy_proposal_list(linked_list_t *list) +{ + proposal_t *proposal; + + while (list->remove_last(list, (void**)&proposal) == SUCCESS) + { + proposal->destroy(proposal); + } + list->destroy(list); +} + /** * Implementation of transaction_t.get_request. */ @@ -298,6 +312,7 @@ static status_t get_request(private_ike_auth_t *this, message_t **result) return DESTROY_ME; } sa_payload = sa_payload_create_from_proposal_list(proposal_list); + destroy_proposal_list(proposal_list); request->add_payload(request, (payload_t*)sa_payload); } @@ -717,7 +732,6 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, } { /* process SA payload */ - proposal_t *proposal; linked_list_t *proposal_list; sa_payload_t *sa_response; ts_payload_t *ts_response; @@ -731,12 +745,7 @@ static status_t get_response(private_ike_auth_t *this, message_t *request, proposal_list = sa_request->get_proposals(sa_request); this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:"); this->proposal = this->policy->select_proposal(this->policy, proposal_list); - /* list is not needed anymore */ - while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); + destroy_proposal_list(proposal_list); /* do we have a proposal? */ if (this->proposal == NULL) @@ -929,18 +938,12 @@ static status_t conclude(private_ike_auth_t *this, message_t *response, } { /* process sa payload */ - proposal_t *proposal; linked_list_t *proposal_list; proposal_list = sa_payload->get_proposals(sa_payload); /* we have to re-check here if other's selection is valid */ this->proposal = this->policy->select_proposal(this->policy, proposal_list); - /* list not needed anymore */ - while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); + destroy_proposal_list(proposal_list); /* everything fine to create CHILD? */ if (this->proposal == NULL || diff --git a/src/charon/sa/transactions/ike_sa_init.c b/src/charon/sa/transactions/ike_sa_init.c index d69e6aa19..b86420cac 100644 --- a/src/charon/sa/transactions/ike_sa_init.c +++ b/src/charon/sa/transactions/ike_sa_init.c @@ -34,6 +34,8 @@ #include #include #include +#include +#include typedef struct private_ike_sa_init_t private_ike_sa_init_t; @@ -262,6 +264,20 @@ static notify_payload_t *build_natd_payload(private_ike_sa_init_t *this, return notify; } +/** + * destroy a list of proposals + */ +static void destroy_proposal_list(linked_list_t *list) +{ + proposal_t *proposal; + + while (list->remove_last(list, (void**)&proposal) == SUCCESS) + { + proposal->destroy(proposal); + } + list->destroy(list); +} + /** * Implementation of transaction_t.get_request. */ @@ -323,6 +339,7 @@ static status_t get_request(private_ike_sa_init_t *this, message_t **result) proposal_list = this->connection->get_proposals(this->connection); sa_payload = sa_payload_create_from_proposal_list(proposal_list); + destroy_proposal_list(proposal_list); request->add_payload(request, (payload_t*)sa_payload); } @@ -619,15 +636,10 @@ static status_t get_response(private_ike_sa_init_t *this, */ sa_payload_t* sa_response; linked_list_t *proposal_list; - proposal_t *proposal; proposal_list = sa_request->get_proposals(sa_request); this->proposal = this->connection->select_proposal(this->connection, proposal_list); - while(proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); + destroy_proposal_list(proposal_list); if (this->proposal == NULL) { notify_payload_t *notify = notify_payload_create(); @@ -760,10 +772,10 @@ static status_t get_response(private_ike_sa_init_t *this, } /* derive all the keys used in the IKE_SA */ - if (this->ike_sa->build_transforms(this->ike_sa, this->proposal, - this->diffie_hellman, - this->nonce_i, this->nonce_r, - FALSE) != SUCCESS) + if (this->ike_sa->derive_keys(this->ike_sa, this->proposal, + this->diffie_hellman, + this->nonce_i, this->nonce_r, + FALSE, NULL) != SUCCESS) { notify_payload_t *notify = notify_payload_create(); notify->set_notify_type(notify, NO_PROPOSAL_CHOSEN); @@ -773,6 +785,10 @@ static status_t get_response(private_ike_sa_init_t *this, return DESTROY_ME; } + this->ike_sa->set_lifetimes(this->ike_sa, + this->connection->get_soft_lifetime(this->connection), + this->connection->get_hard_lifetime(this->connection)); + { /* create ike_auth transaction, which will store informations for us */ packet_t *response_packet; chunk_t request_chunk, response_chunk; @@ -812,6 +828,7 @@ static status_t get_response(private_ike_sa_init_t *this, } /* set new state */ this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING); + return SUCCESS; } @@ -941,11 +958,7 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, /* we have to re-check if the others selection is valid */ this->proposal = this->connection->select_proposal(this->connection, proposal_list); - while (proposal_list->remove_last(proposal_list, (void**)&proposal) == SUCCESS) - { - proposal->destroy(proposal); - } - proposal_list->destroy(proposal_list); + destroy_proposal_list(proposal_list); if (this->proposal == NULL) { @@ -1003,16 +1016,20 @@ static status_t conclude(private_ike_sa_init_t *this, message_t *response, ike_sa_id->set_responder_spi(ike_sa_id, responder_spi); /* derive all the keys used in the IKE_SA */ - if (this->ike_sa->build_transforms(this->ike_sa, this->proposal, - this->diffie_hellman, - this->nonce_i, this->nonce_r, - TRUE) != SUCCESS) + if (this->ike_sa->derive_keys(this->ike_sa, this->proposal, + this->diffie_hellman, + this->nonce_i, this->nonce_r, + TRUE, NULL) != SUCCESS) { this->logger->log(this->logger, AUDIT, "transform objects could not be created from selected proposal, deleting IKE_SA"); return DESTROY_ME; } + this->ike_sa->set_lifetimes(this->ike_sa, + this->connection->get_soft_lifetime(this->connection), + this->connection->get_hard_lifetime(this->connection)); + { /* create ike_auth transaction, which will continue IKE_SA setup */ chunk_t request_chunk, response_chunk; ike_auth_t *ike_auth; diff --git a/src/charon/sa/transactions/rekey_ike_sa.c b/src/charon/sa/transactions/rekey_ike_sa.c new file mode 100644 index 000000000..f546540a5 --- /dev/null +++ b/src/charon/sa/transactions/rekey_ike_sa.c @@ -0,0 +1,800 @@ +/** + * @file rekey_ike_sa.c + * + * @brief Implementation of rekey_ike_sa_t transaction. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "rekey_ike_sa.h" + +#include + +#include +#include +#include +#include +#include +#include + + +typedef struct private_rekey_ike_sa_t private_rekey_ike_sa_t; + +/** + * Private members of a rekey_ike_sa_t object.. + */ +struct private_rekey_ike_sa_t { + + /** + * Public methods and transaction_t interface. + */ + rekey_ike_sa_t public; + + /** + * Assigned IKE_SA. + */ + ike_sa_t *ike_sa; + + /** + * Message sent by our peer, if already generated + */ + message_t *message; + + /** + * Message ID this transaction uses + */ + u_int32_t message_id; + + /** + * Times we did send the request + */ + u_int32_t requested; + + /** + * IKE_SA we set up, replaces ike_sa + */ + ike_sa_t *new_sa; + + /** + * Connection used to replace IKE_SA + */ + connection_t *connection; + + /** + * initiator chosen nonce + */ + chunk_t nonce_i; + + /** + * responder chosen nonce + */ + chunk_t nonce_r; + + /** + * lower of the nonces of a simultaneus rekeying request + */ + chunk_t nonce_s; + + /** + * Diffie hellman to generate new shared secret + */ + diffie_hellman_t *diffie_hellman; + + /** + * negotiated proposal to use + */ + proposal_t *proposal; + + /** + * Have we lost the simultaneous rekeying nonce compare? + */ + bool lost; + + /** + * source of randomness for nonces + */ + randomizer_t *randomizer; + + /** + * next transaction processed by the IKE_SA + */ + transaction_t **next; + + /** + * Assigned logger. + */ + logger_t *logger; +}; + +/** + * Implementation of transaction_t.get_message_id. + */ +static u_int32_t get_message_id(private_rekey_ike_sa_t *this) +{ + return this->message_id; +} + +/** + * Implementation of transaction_t.requested. + */ +static u_int32_t requested(private_rekey_ike_sa_t *this) +{ + return this->requested++; +} + + +/** + * Implementation of rekey_ike_sa_t.use_dh_group. + */ +static bool use_dh_group(private_rekey_ike_sa_t *this, diffie_hellman_group_t dh_group) +{ + if (this->connection->check_dh_group(this->connection, dh_group)) + { + this->diffie_hellman = diffie_hellman_create(dh_group); + if (this->diffie_hellman) + { + return TRUE; + } + } + return FALSE; +} + +/** + * Implementation of rekey_ike_sa_t.cancel. + */ +static void cancel(private_rekey_ike_sa_t *this) +{ + this->lost = TRUE; +} + +/** + * destroy a list of proposals + */ +static void destroy_proposal_list(linked_list_t *list) +{ + proposal_t *proposal; + + while (list->remove_last(list, (void**)&proposal) == SUCCESS) + { + proposal->destroy(proposal); + } + list->destroy(list); +} + +/** + * Implementation of transaction_t.get_request. + */ +static status_t get_request(private_rekey_ike_sa_t *this, message_t **result) +{ + message_t *request; + host_t *me, *other; + + /* check if we already have built a message (retransmission) */ + if (this->message) + { + *result = this->message; + return SUCCESS; + } + + me = this->ike_sa->get_my_host(this->ike_sa); + other = this->ike_sa->get_other_host(this->ike_sa); + + /* build the request */ + request = message_create(); + request->set_source(request, me->clone(me)); + request->set_destination(request, other->clone(other)); + request->set_exchange_type(request, CREATE_CHILD_SA); + request->set_request(request, TRUE); + request->set_ike_sa_id(request, this->ike_sa->get_id(this->ike_sa)); + *result = request; + this->message = request; + + { /* build SA payload */ + sa_payload_t *sa_payload; + linked_list_t *proposals; + ike_sa_id_t *ike_sa_id; + iterator_t *iterator; + proposal_t *proposal; + u_int64_t spi; + + /* get a connection to replace current IKE_SA */ + this->connection = charon->connections->get_connection_by_name( + charon->connections, + this->ike_sa->get_name(this->ike_sa)); + /* if connection lookup by name fails, try it with the hosts */ + if (this->connection == NULL) + { + this->connection = charon->connections->get_connection_by_hosts( + charon->connections, + me, other); + if (this->connection == NULL) + { + this->logger->log(this->logger, ERROR, + "no connection found to rekey IKE_SA"); + return FAILED; + } + } + + /* create a new SA */ + ike_sa_id = ike_sa_id_create(0, 0, TRUE); + this->new_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + ike_sa_id); + spi = ike_sa_id->get_initiator_spi(ike_sa_id); + ike_sa_id->destroy(ike_sa_id); + + proposals = this->connection->get_proposals(this->connection); + iterator = proposals->create_iterator(proposals, TRUE); + while (iterator->iterate(iterator, (void**)&proposal)) + { + proposal->set_spi(proposal, spi); + } + iterator->destroy(iterator); + + sa_payload = sa_payload_create_from_proposal_list(proposals); + destroy_proposal_list(proposals); + request->add_payload(request, (payload_t*)sa_payload); + } + + { /* build the NONCE payload for us (initiator) */ + nonce_payload_t *nonce_payload; + + if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer, + NONCE_SIZE, &this->nonce_i) != SUCCESS) + { + return FAILED; + } + nonce_payload = nonce_payload_create(); + nonce_payload->set_nonce(nonce_payload, this->nonce_i); + request->add_payload(request, (payload_t*)nonce_payload); + } + + /* if the DH group is set via use_dh_group(), we already have a DH object */ + if (!this->diffie_hellman) + { + diffie_hellman_group_t dh_group; + + dh_group = this->connection->get_dh_group(this->connection); + this->diffie_hellman = diffie_hellman_create(dh_group); + if (this->diffie_hellman == NULL) + { + this->logger->log(this->logger, AUDIT, + "DH group %s (%d) not supported, aborting", + mapping_find(diffie_hellman_group_m, dh_group), dh_group); + return DESTROY_ME; + } + } + + { /* build the KE payload from the DH object */ + ke_payload_t *ke_payload; + + ke_payload = ke_payload_create_from_diffie_hellman(this->diffie_hellman); + request->add_payload(request, (payload_t*)ke_payload); + } + + this->message_id = this->ike_sa->get_next_message_id(this->ike_sa); + request->set_message_id(request, this->message_id); + + return SUCCESS; +} + +/** + * Handle all kind of notifys + */ +static status_t process_notifys(private_rekey_ike_sa_t *this, notify_payload_t *notify_payload) +{ + notify_type_t notify_type = notify_payload->get_notify_type(notify_payload); + + this->logger->log(this->logger, CONTROL|LEVEL1, "process notify type %s", + mapping_find(notify_type_m, notify_type)); + + switch (notify_type) + { + case NO_PROPOSAL_CHOSEN: + { + this->logger->log(this->logger, AUDIT, + "received a NO_PROPOSAL_CHOSEN notify, IKE_SA rekeying failed"); + return FAILED; + } + case INVALID_KE_PAYLOAD: + { + chunk_t notify_data; + diffie_hellman_group_t dh_group, old_dh_group; + rekey_ike_sa_t *retry; + + old_dh_group = this->connection->get_dh_group(this->connection); + notify_data = notify_payload->get_notification_data(notify_payload); + dh_group = ntohs(*((u_int16_t*)notify_data.ptr)); + + this->logger->log(this->logger, AUDIT, + "peer didn't accept DH group %s, it requested %s", + mapping_find(diffie_hellman_group_m, old_dh_group), + mapping_find(diffie_hellman_group_m, dh_group)); + if (!this->connection->check_dh_group(this->connection, dh_group)) + { + this->logger->log(this->logger, AUDIT, + "requested DH group not acceptable, IKE_SA rekeying failed"); + return FAILED; + } + retry = rekey_ike_sa_create(this->ike_sa); + retry->use_dh_group(retry, dh_group); + *this->next = (transaction_t*)retry; + return FAILED; + } + default: + { + if (notify_type < 16383) + { + this->logger->log(this->logger, AUDIT, + "received %s notify error (%d, IKE_SA rekeying failed", + mapping_find(notify_type_m, notify_type), + notify_type); + return FAILED; + } + else + { + this->logger->log(this->logger, CONTROL, + "received %s notify (%d), ignored", + mapping_find(notify_type_m, notify_type), + notify_type); + return SUCCESS; + } + } + } +} + +/** + * Switch to the new created IKE_SA + */ +static status_t switchto_new_sa(private_rekey_ike_sa_t* this, bool initiator) +{ + identification_t *my_id, *other_id; + host_t *my_host, *other_host; + char *name; + + my_id = this->ike_sa->get_my_id(this->ike_sa); + other_id = this->ike_sa->get_other_id(this->ike_sa); + my_host = this->ike_sa->get_my_host(this->ike_sa); + other_host = this->ike_sa->get_other_host(this->ike_sa); + name = this->connection->get_name(this->connection); + + this->new_sa->set_my_id(this->new_sa, my_id->clone(my_id)); + this->new_sa->set_other_id(this->new_sa, other_id->clone(other_id)); + this->new_sa->set_my_host(this->new_sa, my_host->clone(my_host)); + this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host)); + this->new_sa->set_name(this->new_sa, name); + + if (this->new_sa->derive_keys(this->new_sa, this->proposal, + this->diffie_hellman, + this->nonce_i, this->nonce_r, initiator, + this->ike_sa->get_child_prf(this->ike_sa) + ) != SUCCESS) + { + return FAILED; + } + + this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED); + + this->new_sa->adopt_children(this->new_sa, this->ike_sa); + + this->new_sa->set_lifetimes(this->new_sa, + this->connection->get_soft_lifetime(this->connection), + this->connection->get_hard_lifetime(this->connection)); + + charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa); + this->new_sa = NULL; + return SUCCESS; +} + +/** + * Build a notify message. + */ +static void build_notify(notify_type_t type, chunk_t data, message_t *message, bool flush_message) +{ + notify_payload_t *notify; + + if (flush_message) + { + payload_t *payload; + iterator_t *iterator = message->get_payload_iterator(message); + while (iterator->iterate(iterator, (void**)&payload)) + { + payload->destroy(payload); + iterator->remove(iterator); + } + iterator->destroy(iterator); + } + + notify = notify_payload_create(); + notify->set_notify_type(notify, type); + notify->set_notification_data(notify, data); + message->add_payload(message, (payload_t*)notify); +} + +/** + * Implementation of transaction_t.get_response. + */ +static status_t get_response(private_rekey_ike_sa_t *this, message_t *request, + message_t **result, transaction_t **next) +{ + host_t *me, *other; + message_t *response; + status_t status; + iterator_t *payloads; + sa_payload_t *sa_request = NULL; + nonce_payload_t *nonce_request = NULL; + ke_payload_t *ke_request = NULL; + nonce_payload_t *nonce_response; + + /* check if we already have built a response (retransmission) */ + if (this->message) + { + *result = this->message; + return SUCCESS; + } + + me = this->ike_sa->get_my_host(this->ike_sa); + other = this->ike_sa->get_other_host(this->ike_sa); + this->message_id = request->get_message_id(request); + + /* set up response */ + response = message_create(); + response->set_source(response, me->clone(me)); + response->set_destination(response, other->clone(other)); + response->set_exchange_type(response, CREATE_CHILD_SA); + response->set_request(response, FALSE); + response->set_message_id(response, this->message_id); + response->set_ike_sa_id(response, this->ike_sa->get_id(this->ike_sa)); + this->message = response; + *result = response; + + /* check message type */ + if (request->get_exchange_type(request) != CREATE_CHILD_SA) + { + this->logger->log(this->logger, ERROR, + "CREATE_CHILD_SA response of invalid type, aborted"); + return FAILED; + } + + /* apply for notify processing */ + this->next = next; + + /* Iterate over all payloads. */ + payloads = request->get_payload_iterator(request); + while (payloads->has_next(payloads)) + { + payload_t *payload; + payloads->current(payloads, (void**)&payload); + switch (payload->get_type(payload)) + { + case SECURITY_ASSOCIATION: + sa_request = (sa_payload_t*)payload; + break; + case NONCE: + nonce_request = (nonce_payload_t*)payload; + break; + case KEY_EXCHANGE: + { + ke_request = (ke_payload_t*)payload; + break; + } + case NOTIFY: + { + status = process_notifys(this, (notify_payload_t*)payload); + if (status != SUCCESS) + { + payloads->destroy(payloads); + return status; + } + break; + } + default: + { + this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)", + mapping_find(payload_type_m, payload->get_type(payload)), + payload->get_type(payload)); + break; + } + } + } + payloads->destroy(payloads); + + /* check if we have all payloads */ + if (!(sa_request && nonce_request && ke_request)) + { + build_notify(INVALID_SYNTAX, CHUNK_INITIALIZER, response, TRUE); + this->logger->log(this->logger, AUDIT, + "request message incomplete, IKE_SA rekeying failed"); + return FAILED; + } + + { /* process nonce payload */ + this->nonce_i = nonce_request->get_nonce(nonce_request); + if (this->randomizer->allocate_pseudo_random_bytes(this->randomizer, + NONCE_SIZE, &this->nonce_r) != SUCCESS) + { + build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); + return FAILED; + } + nonce_response = nonce_payload_create(); + nonce_response->set_nonce(nonce_response, this->nonce_r); + } + + { /* get a connection to replace current IKE_SA */ + this->connection = charon->connections->get_connection_by_name( + charon->connections, + this->ike_sa->get_name(this->ike_sa)); + /* if connection lookup by name fails, try it with the hosts */ + if (this->connection == NULL) + { + this->connection = charon->connections->get_connection_by_hosts( + charon->connections, + me, other); + if (this->connection == NULL) + { + this->logger->log(this->logger, ERROR, + "no connection found to rekey IKE_SA, sending NO_RROPOSAL_CHOSEN"); + build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); + return FAILED; + } + } + } + + { /* process SA payload */ + linked_list_t *proposal_list; + sa_payload_t *sa_response; + u_int64_t spi; + ike_sa_id_t *ike_sa_id; + + sa_response = sa_payload_create(); + /* get proposals from request, and select one with ours */ + proposal_list = sa_request->get_proposals(sa_request); + this->logger->log(this->logger, CONTROL|LEVEL1, "selecting proposals:"); + this->proposal = this->connection->select_proposal(this->connection, proposal_list); + destroy_proposal_list(proposal_list); + + /* do we have a proposal? */ + if (this->proposal == NULL) + { + this->logger->log(this->logger, AUDIT, + "no proposals acceptable to rekey IKE_SA, sending NO_PROPOSAL_CHOSEN"); + build_notify(NO_PROPOSAL_CHOSEN, CHUNK_INITIALIZER, response, TRUE); + return FAILED; + } + + /* create IKE_SA with new SPIs */ + spi = this->proposal->get_spi(this->proposal); + ike_sa_id = ike_sa_id_create(spi, 0, FALSE); + this->new_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + ike_sa_id); + spi = ike_sa_id->get_responder_spi(ike_sa_id); + ike_sa_id->destroy(ike_sa_id); + this->proposal->set_spi(this->proposal, spi); + + sa_response->add_proposal(sa_response, this->proposal); + response->add_payload(response, (payload_t*)sa_response); + /* add nonce after sa payload */ + response->add_payload(response, (payload_t *)nonce_response); + } + + { /* process KE payload */ + diffie_hellman_group_t used_group; + ke_payload_t *ke_response; + + used_group = ke_request->get_dh_group_number(ke_request); + + if (!this->connection->check_dh_group(this->connection, used_group) || + (this->diffie_hellman = diffie_hellman_create(used_group)) == NULL) + { + u_int16_t notify_group; + chunk_t notify_chunk; + + notify_group = this->connection->get_dh_group(this->connection); + this->logger->log(this->logger, AUDIT, + "request used inacceptable DH group %s, sending INVALID_KE_PAYLOAD with %s", + mapping_find(diffie_hellman_group_m, used_group), + mapping_find(diffie_hellman_group_m, notify_group)); + + notify_group = htons(notify_group); + notify_chunk.ptr = (u_int8_t*)¬ify_group; + notify_chunk.len = sizeof(notify_group); + build_notify(INVALID_KE_PAYLOAD, notify_chunk, response, TRUE); + return DESTROY_ME; + } + this->diffie_hellman->set_other_public_value(this->diffie_hellman, + ke_request->get_key_exchange_data(ke_request)); + + /* build response */ + ke_response = ke_payload_create_from_diffie_hellman(this->diffie_hellman); + response->add_payload(response, (payload_t*)ke_response); + } + + return switchto_new_sa(this, FALSE); +} + +/** + * Implementation of transaction_t.conclude + */ +static status_t conclude(private_rekey_ike_sa_t *this, message_t *response, + transaction_t **next) +{ + iterator_t *payloads; + host_t *me, *other; + sa_payload_t *sa_payload = NULL; + nonce_payload_t *nonce_payload = NULL; + ke_payload_t *ke_payload = NULL; + status_t status; + + /* check message type */ + if (response->get_exchange_type(response) != CREATE_CHILD_SA) + { + this->logger->log(this->logger, ERROR, + "CREATE_CHILD_SA response of invalid type, aborting"); + return FAILED; + } + + me = this->ike_sa->get_my_host(this->ike_sa); + other = this->ike_sa->get_other_host(this->ike_sa); + + /* apply for notify processing */ + this->next = next; + + /* Iterate over all payloads to collect them */ + payloads = response->get_payload_iterator(response); + while (payloads->has_next(payloads)) + { + payload_t *payload; + payloads->current(payloads, (void**)&payload); + switch (payload->get_type(payload)) + { + case SECURITY_ASSOCIATION: + sa_payload = (sa_payload_t*)payload; + break; + case NONCE: + nonce_payload = (nonce_payload_t*)payload; + break; + case KEY_EXCHANGE: + ke_payload = (ke_payload_t*)payload; + break; + case NOTIFY: + { + status = process_notifys(this, (notify_payload_t*)payload); + if (status != SUCCESS) + { + payloads->destroy(payloads); + return status; + } + break; + } + default: + { + this->logger->log(this->logger, ERROR, "ignoring %s payload (%d)", + mapping_find(payload_type_m, payload->get_type(payload)), + payload->get_type(payload)); + break; + } + } + } + payloads->destroy(payloads); + + if (!(sa_payload && nonce_payload && ke_payload)) + { + this->logger->log(this->logger, AUDIT, "response message incomplete, rekeying IKE_SA failed"); + return FAILED; + } + + { /* process NONCE payload */ + this->nonce_r = nonce_payload->get_nonce(nonce_payload); + } + + { /* process SA payload */ + linked_list_t *proposal_list; + ike_sa_id_t *ike_sa_id; + u_int64_t spi; + + proposal_list = sa_payload->get_proposals(sa_payload); + /* we have to re-check here if other's selection is valid */ + this->proposal = this->connection->select_proposal(this->connection, proposal_list); + destroy_proposal_list(proposal_list); + + if (this->proposal == NULL) + { + this->logger->log(this->logger, AUDIT, + "no proposal selected, rekeying IKE_SA failed"); + return FAILED; + } + spi = this->proposal->get_spi(this->proposal); + ike_sa_id = this->new_sa->get_id(this->new_sa); + ike_sa_id->set_responder_spi(ike_sa_id, spi); + } + + { /* process KE payload */ + this->diffie_hellman->set_other_public_value(this->diffie_hellman, + ke_payload->get_key_exchange_data(ke_payload)); + } + + if (switchto_new_sa(this, TRUE) == SUCCESS) + { + /* new IKE_SA is in use now, delete old */ + *next = (transaction_t*)delete_ike_sa_create(this->ike_sa); + return SUCCESS; + } + else + { + /* this should not happen. But if, we destroy both SAs */ + *next = (transaction_t*)delete_ike_sa_create(this->new_sa); + return DESTROY_ME; + } +} + +/** + * implements transaction_t.destroy + */ +static void destroy(private_rekey_ike_sa_t *this) +{ + if (this->new_sa) + { + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + this->new_sa); + } + DESTROY_IF(this->message); + DESTROY_IF(this->connection); + DESTROY_IF(this->diffie_hellman); + DESTROY_IF(this->proposal); + chunk_free(&this->nonce_i); + chunk_free(&this->nonce_r); + chunk_free(&this->nonce_s); + this->randomizer->destroy(this->randomizer); + free(this); +} + +/* + * Described in header. + */ +rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa) +{ + private_rekey_ike_sa_t *this = malloc_thing(private_rekey_ike_sa_t); + + /* transaction interface functions */ + this->public.transaction.get_request = (status_t(*)(transaction_t*,message_t**))get_request; + this->public.transaction.get_response = (status_t(*)(transaction_t*,message_t*,message_t**,transaction_t**))get_response; + this->public.transaction.conclude = (status_t(*)(transaction_t*,message_t*,transaction_t**))conclude; + this->public.transaction.get_message_id = (u_int32_t(*)(transaction_t*))get_message_id; + this->public.transaction.requested = (u_int32_t(*)(transaction_t*))requested; + this->public.transaction.destroy = (void(*)(transaction_t*))destroy; + + /* public functions */ + this->public.use_dh_group = (bool(*)(rekey_ike_sa_t*,diffie_hellman_group_t))use_dh_group; + this->public.cancel = (void(*)(rekey_ike_sa_t*))cancel; + + /* private data */ + this->ike_sa = ike_sa; + this->message_id = 0; + this->message = NULL; + this->requested = 0; + this->nonce_i = CHUNK_INITIALIZER; + this->nonce_r = CHUNK_INITIALIZER; + this->nonce_s = CHUNK_INITIALIZER; + this->new_sa = NULL; + this->lost = FALSE; + this->connection = NULL; + this->randomizer = randomizer_create(); + this->diffie_hellman = NULL; + this->proposal = NULL; + this->logger = logger_manager->get_logger(logger_manager, IKE_SA); + + return &this->public; +} diff --git a/src/charon/sa/transactions/rekey_ike_sa.h b/src/charon/sa/transactions/rekey_ike_sa.h new file mode 100644 index 000000000..f5e9d07da --- /dev/null +++ b/src/charon/sa/transactions/rekey_ike_sa.h @@ -0,0 +1,82 @@ +/** + * @file rekey_ike_sa.h + * + * @brief Interface of transaction rekey_ike_sa. + * + */ + +/* + * Copyright (C) 2006 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef REKEY_IKE_SA_H +#define REKEY_IKE_SA_H + +#include +#include +#include + + +typedef struct rekey_ike_sa_t rekey_ike_sa_t; + +/** + * @brief A transaction to rekey an established IKE_SA + * + * @b Constructors: + * - rekey_ike_sa_create() + * - transaction_create() with the appropriate message + * + * @ingroup transactions + */ +struct rekey_ike_sa_t { + + /** + * The transaction_t interface. + */ + transaction_t transaction; + + /** + * @brief Set the Diffie Hellman group to use for initiating. + * + * If a first exchange fails with a INVALID_KE_PAYLOAD, the second + * try uses the DH group proposed by the responder. + * + * @param this calling object + * @param dh_group diffie hellman group to use + * @return FALSE, if DH group not allowed/supported + */ + bool (*use_dh_group) (rekey_ike_sa_t* this, diffie_hellman_group_t dh_group); + + /** + * @brief Cancel the request. + * + * Cancelling the request will set a flag in the transaction. + * + * @param this calling object + * @param child_sa CHILD_SA to rekey + */ + void (*cancel) (rekey_ike_sa_t* this); +}; + +/** + * @brief Create a new transaction to rekey an existing IKE_SA. + * + * @param ike_sa existing IKE_SA + * @return created rekey_ike_sa transaction + * + * @ingroup transactions + */ +rekey_ike_sa_t *rekey_ike_sa_create(ike_sa_t *ike_sa); + +#endif /* REKEY_IKE_SA_H */ diff --git a/src/charon/sa/transactions/transaction.c b/src/charon/sa/transactions/transaction.c index 603d1c2f1..b42b2c84f 100644 --- a/src/charon/sa/transactions/transaction.c +++ b/src/charon/sa/transactions/transaction.c @@ -29,6 +29,7 @@ #include #include #include +#include #include #include #include @@ -89,8 +90,8 @@ transaction_t *transaction_create(ike_sa_t *ike_sa, message_t *request) switch (prop_struct->get_protocol_id(prop_struct)) { case PROTO_IKE: - /* TODO: transaction = (transaction_t*) - rekey_ike_sa_create(ike_sa); */ + transaction = (transaction_t*) + rekey_ike_sa_create(ike_sa); break; case PROTO_AH: case PROTO_ESP: diff --git a/src/charon/threads/stroke_interface.c b/src/charon/threads/stroke_interface.c index 7188a532d..47b38ea57 100755 --- a/src/charon/threads/stroke_interface.c +++ b/src/charon/threads/stroke_interface.c @@ -339,8 +339,10 @@ static void stroke_add_conn(private_stroke_t *this, stroke_msg_t *msg) msg->add_conn.me.sendcert, msg->add_conn.other.sendcert, my_host, other_host, - RSA_DIGITAL_SIGNATURE - ); + RSA_DIGITAL_SIGNATURE, + msg->add_conn.rekey.ike_lifetime, + msg->add_conn.rekey.ike_lifetime - msg->add_conn.rekey.margin, + msg->add_conn.rekey.margin * msg->add_conn.rekey.fuzz / 100); if (msg->add_conn.algorithms.ike) { diff --git a/src/libstrongswan/types.c b/src/libstrongswan/types.c index c0b1a9d30..b60a604b8 100644 --- a/src/libstrongswan/types.c +++ b/src/libstrongswan/types.c @@ -24,6 +24,7 @@ #include #include #include +#include #include "types.h" @@ -68,6 +69,54 @@ chunk_t chunk_clone(chunk_t chunk) return clone; } +/** + * Decribed in header. + */ +chunk_t chunk_cat(const char* mode, ...) +{ + chunk_t construct; + va_list chunks; + u_char *pos; + int i; + int count = strlen(mode); + + /* sum up lengths of individual chunks */ + va_start(chunks, mode); + construct.len = 0; + for (i = 0; i < count; i++) + { + chunk_t ch = va_arg(chunks, chunk_t); + construct.len += ch.len; + } + va_end(chunks); + + /* allocate needed memory for construct */ + construct.ptr = malloc(construct.len); + pos = construct.ptr; + + /* copy or move the chunks */ + va_start(chunks, mode); + for (i = 0; i < count; i++) + { + chunk_t ch = va_arg(chunks, chunk_t); + switch (*mode++) + { + case 'm': + memcpy(pos, ch.ptr, ch.len); + pos += ch.len; + free(ch.ptr); + break; + case 'c': + default: + memcpy(pos, ch.ptr, ch.len); + pos += ch.len; + } + } + va_end(chunks); + + return construct; +} + /** * Described in header. */ diff --git a/src/libstrongswan/types.h b/src/libstrongswan/types.h index d859d8402..631e5025b 100644 --- a/src/libstrongswan/types.h +++ b/src/libstrongswan/types.h @@ -160,6 +160,13 @@ extern chunk_t CHUNK_INITIALIZER; */ chunk_t chunk_clone(chunk_t chunk); +/** + * Allocate a chunk from concatenation of other chunks. + * mode is a string 'm' and 'c, 'm' means move chunk, + * 'c' means copy chunk. + */ +chunk_t chunk_cat(const char* mode, ...); + /** * Free contents of a chunk */