| 1 | /*
| 2 | * Copyright (C) 2006-2008 Tobias Brunner |
| 3 | * Copyright (C) 2006 Daniel Roethlisberger |
| 4 | * Copyright (C) 2005-2009 Martin Willi |
| 5 | * Copyright (C) 2005 Jan Hutter |
| 6 | * Hochschule fuer Technik Rapperswil |
| 7 | * |
| 8 | * This program is free software; you can redistribute it and/or modify it |
| 9 | * under the terms of the GNU General Public License as published by the |
| 10 | * Free Software Foundation; either version 2 of the License, or (at your |
| 11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. |
| 12 | * |
| 13 | * This program is distributed in the hope that it will be useful, but |
| 14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
| 15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 16 | * for more details. |
| 17 | */ |
| 18 | |
| 19 | #include <string.h> |
| 20 | #include <sys/stat.h> |
| 21 | #include <errno.h> |
| 22 | #include <time.h> |
| 23 | |
| 24 | #include "ike_sa.h" |
| 25 | |
| 26 | #include <library.h> |
| 27 | #include <daemon.h> |
| 28 | #include <utils/linked_list.h> |
| 29 | #include <utils/lexparser.h> |
| 30 | #include <sa/task_manager.h> |
| 31 | #include <sa/tasks/ike_init.h> |
| 32 | #include <sa/tasks/ike_natd.h> |
| 33 | #include <sa/tasks/ike_mobike.h> |
| 34 | #include <sa/tasks/ike_auth.h> |
| 35 | #include <sa/tasks/ike_auth_lifetime.h> |
| 36 | #include <sa/tasks/ike_config.h> |
| 37 | #include <sa/tasks/ike_cert_pre.h> |
| 38 | #include <sa/tasks/ike_cert_post.h> |
| 39 | #include <sa/tasks/ike_rekey.h> |
| 40 | #include <sa/tasks/ike_reauth.h> |
| 41 | #include <sa/tasks/ike_delete.h> |
| 42 | #include <sa/tasks/ike_dpd.h> |
| 43 | #include <sa/tasks/child_create.h> |
| 44 | #include <sa/tasks/child_delete.h> |
| 45 | #include <sa/tasks/child_rekey.h> |
| 46 | #include <processing/jobs/retransmit_job.h> |
| 47 | #include <processing/jobs/delete_ike_sa_job.h> |
| 48 | #include <processing/jobs/send_dpd_job.h> |
| 49 | #include <processing/jobs/send_keepalive_job.h> |
| 50 | #include <processing/jobs/rekey_ike_sa_job.h> |
| 51 | |
| 52 | #ifdef ME
|
| 53 | #include <sa/tasks/ike_me.h> |
| 54 | #include <processing/jobs/initiate_mediation_job.h> |
| 55 | #endif
|
| 56 | |
/**
 * Printable names for ike_sa_state_t, covering IKE_CREATED through
 * IKE_DESTROYING in enum order. Rendered via the %N formatter, e.g. in the
 * state-change log line emitted by set_state().
 */
ENUM(ike_sa_state_names, IKE_CREATED, IKE_DESTROYING,
	"CREATED",
	"CONNECTING",
	"ESTABLISHED",
	"PASSIVE",
	"REKEYING",
	"DELETING",
	"DESTROYING",
);
| 66 | |
/* Forward typedefs for the two file-private structures defined below. */
typedef struct private_ike_sa_t private_ike_sa_t;
typedef struct attribute_entry_t attribute_entry_t;
| 69 | |
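/**
 * Private data of an ike_sa_t object.
 *
 * The public ike_sa_t interface is the first member so that the object can
 * be cast between ike_sa_t* and private_ike_sa_t*. All remaining members
 * are owned by the IKE_SA and released when it is destroyed.
 */
struct private_ike_sa_t {

	/**
	 * Public members
	 */
	ike_sa_t public;

	/**
	 * Identifier (SPIs) of the current IKE_SA.
	 */
	ike_sa_id_t *ike_sa_id;

	/**
	 * Unique numerical ID for this IKE_SA.
	 */
	u_int32_t unique_id;

	/**
	 * Current state of the IKE_SA (see ike_sa_state_names)
	 */
	ike_sa_state_t state;

	/**
	 * IKE configuration used to set up this IKE_SA (reference counted)
	 */
	ike_cfg_t *ike_cfg;

	/**
	 * Peer and authentication information to establish IKE_SA
	 * (reference counted)
	 */
	peer_cfg_t *peer_cfg;

	/**
	 * Currently used authentication ruleset, local (as auth_cfg_t)
	 */
	auth_cfg_t *my_auth;

	/**
	 * Currently used authentication constraints, remote (as auth_cfg_t)
	 */
	auth_cfg_t *other_auth;

	/**
	 * Selected IKE proposal (owned copy, see set_proposal)
	 */
	proposal_t *proposal;

	/**
	 * Juggles tasks to process messages
	 */
	task_manager_t *task_manager;

	/**
	 * Address of local host (owned)
	 */
	host_t *my_host;

	/**
	 * Address of remote host (owned)
	 */
	host_t *other_host;

#ifdef ME
	/**
	 * Are we mediation server
	 */
	bool is_mediation_server;

	/**
	 * Server reflexive host (owned)
	 */
	host_t *server_reflexive_host;

	/**
	 * Connect ID
	 */
	chunk_t connect_id;
#endif /* ME */

	/**
	 * Identification used for us
	 */
	identification_t *my_id;

	/**
	 * Identification used for other
	 */
	identification_t *other_id;

	/**
	 * EAP Identity exchanged in EAP-Identity method
	 */
	identification_t *eap_identity;

	/**
	 * Set of extensions the peer supports (ike_extension_t flags)
	 */
	ike_extension_t extensions;

	/**
	 * Set of condition flags currently enabled for this IKE_SA
	 * (ike_condition_t flags, maintained by set_condition)
	 */
	ike_condition_t conditions;

	/**
	 * Linked list containing the CHILD_SAs of the current IKE_SA.
	 */
	linked_list_t *child_sas;

	/**
	 * Keying material of this IKE_SA
	 */
	keymat_t *keymat;

	/**
	 * Virtual IP on local host, if any
	 */
	host_t *my_virtual_ip;

	/**
	 * Virtual IP on remote host, if any
	 */
	host_t *other_virtual_ip;

	/**
	 * List of configuration attributes (attribute_entry_t)
	 */
	linked_list_t *attributes;

	/**
	 * List of the peer's additional addresses, transmitted via MOBIKE
	 */
	linked_list_t *additional_addresses;

	/**
	 * Previously received NAT detection destination hash; compared by
	 * has_mapping_changed() to detect a changed NAT mapping
	 */
	chunk_t nat_detection_dest;

	/**
	 * Number of pending UPDATE_SA_ADDRESS exchanges (MOBIKE)
	 */
	u_int32_t pending_updates;

	/**
	 * NAT keep alive interval in seconds (0 disables keep alives)
	 */
	u_int32_t keepalive_interval;

	/**
	 * Timestamps for this IKE_SA, indexed by statistic_t (STAT_*).
	 * Values are time_monotonic() seconds truncated to u_int32_t.
	 */
	u_int32_t stats[STAT_MAX];

	/**
	 * How many times we have retried so far (keyingtries)
	 */
	u_int32_t keyingtry;

	/**
	 * Local host address to be used for IKE, set via MIGRATE kernel message
	 */
	host_t *local_host;

	/**
	 * Remote host address to be used for IKE, set via MIGRATE kernel message
	 */
	host_t *remote_host;
};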
| 242 | |
/**
 * Entry to maintain installed configuration attributes during IKE_SA lifetime
 * (elements of private_ike_sa_t.attributes).
 */
struct attribute_entry_t {
	/** handler used to install this attribute */
	attribute_handler_t *handler;
	/** attribute type */
	configuration_attribute_type_t type;
	/** attribute data */
	chunk_t data;
};
| 254 | |
/**
 * Get the time of the latest traffic processed by the kernel in one
 * direction.
 *
 * Starts from the IKE_SA's own STAT_INBOUND/STAT_OUTBOUND timestamp and
 * raises it to the most recent use time reported by any CHILD_SA.
 *
 * @param inbound	TRUE for inbound traffic, FALSE for outbound
 * @return			latest use time (monotonic seconds)
 */
static time_t get_use_time(private_ike_sa_t* this, bool inbound)
{
	enumerator_t *children;
	child_sa_t *child;
	time_t latest = this->stats[inbound ? STAT_INBOUND : STAT_OUTBOUND];

	children = this->child_sas->create_enumerator(this->child_sas);
	while (children->enumerate(children, &child))
	{
		time_t child_use;

		/* only the requested direction is queried, the other is skipped */
		child->get_usestats(child, inbound, &child_use, NULL);
		latest = max(latest, child_use);
	}
	children->destroy(children);

	return latest;
}
| 282 | |
/**
 * Implementation of ike_sa_t.get_unique_id: the numerical ID assigned to
 * this IKE_SA.
 */
static u_int32_t get_unique_id(private_ike_sa_t *this)
{
	u_int32_t id = this->unique_id;

	return id;
}
| 290 | |
/**
 * Implementation of ike_sa_t.get_name.
 *
 * @return	name of the peer configuration, or "(unnamed)" while none is set
 */
static char *get_name(private_ike_sa_t *this)
{
	peer_cfg_t *cfg = this->peer_cfg;

	return cfg ? cfg->get_name(cfg) : "(unnamed)";
}
| 302 | |
/**
 * Implementation of ike_sa_t.get_statistic.
 *
 * @param kind	which STAT_* timestamp to read
 * @return		the timestamp, or 0 for a kind outside the stats[] array
 */
static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind)
{
	/* NOTE(review): relies on statistic_t never being negative; a negative
	 * enum value would pass this check - confirm the enum's range */
	return kind < STAT_MAX ? this->stats[kind] : 0;
}
| 314 | |
/**
 * Implementation of ike_sa_t.get_my_host: the local address, still owned
 * by the IKE_SA.
 */
static host_t *get_my_host(private_ike_sa_t *this)
{
	host_t *me = this->my_host;

	return me;
}
| 322 | |
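/**
 * Implementation of ike_sa_t.set_my_host.
 *
 * Takes ownership of @p me and destroys the previously held address.
 * Handing back the object that is already stored leaves it intact instead
 * of destroying it and keeping a dangling pointer.
 *
 * @param me	new local address, owned by the IKE_SA afterwards
 */
static void set_my_host(private_ike_sa_t *this, host_t *me)
{
	if (this->my_host != me)
	{
		DESTROY_IF(this->my_host);
	}
	this->my_host = me;
}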
| 331 | |
/**
 * Implementation of ike_sa_t.get_other_host: the peer's address, still
 * owned by the IKE_SA.
 */
static host_t *get_other_host(private_ike_sa_t *this)
{
	host_t *other = this->other_host;

	return other;
}
| 339 | |
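/**
 * Implementation of ike_sa_t.set_other_host.
 *
 * Takes ownership of @p other and destroys the previously held address.
 * Handing back the object that is already stored leaves it intact instead
 * of destroying it and keeping a dangling pointer.
 *
 * @param other	new remote address, owned by the IKE_SA afterwards
 */
static void set_other_host(private_ike_sa_t *this, host_t *other)
{
	if (this->other_host != other)
	{
		DESTROY_IF(this->other_host);
	}
	this->other_host = other;
}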
| 348 | |
/**
 * Implementation of ike_sa_t.get_peer_cfg: the peer configuration without
 * taking an additional reference.
 */
static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this)
{
	peer_cfg_t *cfg = this->peer_cfg;

	return cfg;
}
| 356 | |
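/**
 * Implementation of ike_sa_t.set_peer_cfg.
 *
 * Stores a reference to @p peer_cfg, releasing the previous one. If no
 * IKE configuration has been set yet, the peer configuration's ike_cfg is
 * adopted as well (with its own reference).
 *
 * @param peer_cfg	peer configuration to use, must not be NULL
 */
static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg)
{
	/* acquire the new reference before dropping the old one: if both point
	 * to the same object, the reverse order could release its last
	 * reference before it is re-acquired */
	peer_cfg->get_ref(peer_cfg);
	DESTROY_IF(this->peer_cfg);
	this->peer_cfg = peer_cfg;

	if (this->ike_cfg == NULL)
	{
		this->ike_cfg = peer_cfg->get_ike_cfg(peer_cfg);
		this->ike_cfg->get_ref(this->ike_cfg);
	}
}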
| 372 | |
/**
 * Implementation of ike_sa_t.get_auth_cfg.
 *
 * @param local	TRUE for our own ruleset, FALSE for the constraints on the peer
 */
static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local)
{
	return local ? this->my_auth : this->other_auth;
}
| 384 | |
/**
 * Implementation of ike_sa_t.get_proposal: the selected IKE proposal,
 * still owned by the IKE_SA.
 */
static proposal_t* get_proposal(private_ike_sa_t *this)
{
	proposal_t *selected = this->proposal;

	return selected;
}
| 392 | |
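/**
 * Implementation of ike_sa_t.set_proposal.
 *
 * Stores a clone of @p proposal; the caller keeps ownership of its object.
 *
 * @param proposal	selected IKE proposal, must not be NULL
 */
static void set_proposal(private_ike_sa_t *this, proposal_t *proposal)
{
	/* clone before destroying the old one, so passing the currently stored
	 * proposal back in does not clone a freed object */
	proposal_t *copy = proposal->clone(proposal);

	DESTROY_IF(this->proposal);
	this->proposal = copy;
}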
| 401 | |
/**
 * Implementation of ike_sa_t.set_message_id.
 *
 * Resets one of the two message ID counters of the task manager.
 * UINT_MAX is passed for the counter that is not being set (presumably the
 * task manager treats it as "leave unchanged" - see task_manager_t.reset).
 *
 * @param initiate	TRUE to set the ID for exchanges we initiate,
 *					FALSE for exchanges we respond to
 * @param mid		the message ID to set
 */
static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid)
{
	u_int32_t initiate_mid = initiate ? mid : UINT_MAX;
	u_int32_t respond_mid = initiate ? UINT_MAX : mid;

	this->task_manager->reset(this->task_manager, initiate_mid, respond_mid);
}
| 416 | |
/**
 * Implementation of ike_sa_t.send_keepalive.
 *
 * If we are behind a NAT and nothing has been sent for at least
 * keepalive_interval seconds, sends a NAT keepalive (a single 0xFF octet,
 * the format of RFC 3948) to the peer. In any case re-schedules itself so
 * that the next check happens when the interval since the last outbound
 * traffic expires. Does nothing once we are no longer NATed or the
 * interval is 0.
 */
static void send_keepalive(private_ike_sa_t *this)
{
	send_keepalive_job_t *job;
	time_t last_out, now, idle;

	if (!(this->conditions & COND_NAT_HERE) || this->keepalive_interval == 0)
	{	/* keep alives are only needed while a NAT mapping has to be kept open */
		return;
	}

	last_out = get_use_time(this, FALSE);
	now = time_monotonic(NULL);
	idle = now - last_out;

	if (idle >= this->keepalive_interval)
	{
		packet_t *packet = packet_create();
		chunk_t marker;

		/* packet takes ownership of the malloc'd marker byte */
		marker.ptr = malloc(1);
		marker.ptr[0] = 0xFF;
		marker.len = 1;
		packet->set_source(packet, this->my_host->clone(this->my_host));
		packet->set_destination(packet, this->other_host->clone(this->other_host));
		packet->set_data(packet, marker);
		DBG1(DBG_IKE, "sending keep alive");
		charon->sender->send(charon->sender, packet);
		idle = 0;
	}
	/* next check when the interval expires relative to the last send */
	job = send_keepalive_job_create(this->ike_sa_id);
	charon->scheduler->schedule_job(charon->scheduler, (job_t*)job,
									this->keepalive_interval - idle);
}
| 455 | |
/**
 * Implementation of ike_sa_t.get_ike_cfg: the IKE configuration without
 * taking an additional reference.
 */
static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this)
{
	ike_cfg_t *cfg = this->ike_cfg;

	return cfg;
}
| 463 | |
/**
 * Implementation of ike_sa_t.set_ike_cfg.
 *
 * Stores @p ike_cfg and takes a reference on it. NOTE(review): a reference
 * already held in this->ike_cfg is not released here, so calling this
 * twice on the same IKE_SA would leak the first one - confirm that callers
 * set it only once.
 *
 * @param ike_cfg	IKE configuration, must not be NULL
 */
static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg)
{
	ike_cfg_t *ref = ike_cfg;

	ref->get_ref(ref);
	this->ike_cfg = ref;
}
| 472 | |
/**
 * Implementation of ike_sa_t.enable_extension: records that the peer
 * supports @p extension (bit flag OR-ed into extensions).
 */
static void enable_extension(private_ike_sa_t *this, ike_extension_t extension)
{
	this->extensions = this->extensions | extension;
}
| 480 | |
/**
 * Implementation of ike_sa_t.supports_extension.
 *
 * @return	TRUE if any bit of @p extension is set in the peer's extensions
 */
static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension)
{
	return (this->extensions & extension) ? TRUE : FALSE;
}
| 488 | |
/**
 * Implementation of ike_sa_t.has_condition.
 *
 * @return	TRUE if any bit of @p condition is currently set
 */
static bool has_condition(private_ike_sa_t *this, ike_condition_t condition)
{
	return (this->conditions & condition) ? TRUE : FALSE;
}
| 496 | |
/**
 * Implementation of ike_sa_t.set_condition.
 *
 * Enables or disables a condition flag. The NAT flags are coupled:
 * enabling COND_NAT_HERE, COND_NAT_THERE or COND_NAT_FAKE also sets
 * COND_NAT_ANY (and COND_NAT_HERE starts sending keep alives); disabling
 * one of them recomputes COND_NAT_ANY from the remaining NAT flags.
 * A no-op if the flag already has the requested value.
 *
 * @param condition	flag to change
 * @param enable	TRUE to set, FALSE to clear
 */
static void set_condition(private_ike_sa_t *this, ike_condition_t condition,
						  bool enable)
{
	if (has_condition(this, condition) == enable)
	{	/* already in the requested state, nothing to do */
		return;
	}

	if (!enable)
	{
		this->conditions &= ~condition;
		if (condition == COND_NAT_HERE || condition == COND_NAT_FAKE ||
			condition == COND_NAT_THERE)
		{
			/* COND_NAT_ANY stays set while at least one specific NAT flag is */
			set_condition(this, COND_NAT_ANY,
						  has_condition(this, COND_NAT_HERE) ||
						  has_condition(this, COND_NAT_THERE) ||
						  has_condition(this, COND_NAT_FAKE));
		}
		return;
	}

	this->conditions |= condition;
	switch (condition)
	{
		case COND_NAT_HERE:
			DBG1(DBG_IKE, "local host is behind NAT, sending keep alives");
			this->conditions |= COND_NAT_ANY;
			send_keepalive(this);
			break;
		case COND_NAT_THERE:
			DBG1(DBG_IKE, "remote host is behind NAT");
			this->conditions |= COND_NAT_ANY;
			break;
		case COND_NAT_FAKE:
			DBG1(DBG_IKE, "faking NAT situation to enforce UDP encapsulation");
			this->conditions |= COND_NAT_ANY;
			break;
		default:
			break;
	}
}
| 546 | |
/**
 * Implementation of ike_sa_t.send_dpd.
 *
 * Performs one dead peer detection check: if DPD is enabled in the peer
 * config, no exchange is currently outstanding, and nothing has been
 * received for at least the DPD interval, queues and initiates a DPD
 * exchange (MOBIKE-aware when MOBIKE is supported and we are behind a NAT).
 * Always re-schedules the next check so that it fires when the interval
 * since the last inbound traffic expires.
 *
 * @return	SUCCESS in all cases
 */
static status_t send_dpd(private_ike_sa_t *this)
{
	job_t *job;
	time_t interval, elapsed = 0;

	interval = this->peer_cfg->get_dpd(this->peer_cfg);
	if (interval == 0)
	{	/* DPD disabled */
		return SUCCESS;
	}

	/* an exchange in flight already proves (or disproves) liveness;
	 * only an idle SA needs an explicit check */
	if (!this->task_manager->busy(this->task_manager))
	{
		time_t last_in, now;

		last_in = get_use_time(this, TRUE);
		now = time_monotonic(NULL);
		elapsed = now - last_in;
		if (elapsed >= interval)
		{
			task_t *task;

			if (supports_extension(this, EXT_MOBIKE) &&
				has_condition(this, COND_NAT_HERE))
			{
				/* MOBIKE enabled DPD additionally detects NAT mapping changes */
				ike_mobike_t *mobike = ike_mobike_create(&this->public, TRUE);

				mobike->dpd(mobike);
				task = &mobike->task;
			}
			else
			{
				task = (task_t*)ike_dpd_create(TRUE);
			}
			DBG1(DBG_IKE, "sending DPD request");
			this->task_manager->queue_task(this->task_manager, task);
			this->task_manager->initiate(this->task_manager);
			elapsed = 0;
		}
	}
	/* recheck in "interval" seconds, counted from the last inbound traffic */
	job = (job_t*)send_dpd_job_create(this->ike_sa_id);
	charon->scheduler->schedule_job(charon->scheduler, job, interval - elapsed);
	return SUCCESS;
}
| 605 | |
/**
 * Implementation of ike_sa_t.get_state: the current ike_sa_state_t.
 */
static ike_sa_state_t get_state(private_ike_sa_t *this)
{
	ike_sa_state_t current = this->state;

	return current;
}
| 613 | |
/**
 * Set up the timers of a freshly established IKE_SA.
 *
 * Records STAT_ESTABLISHED, then schedules rekeying and reauthentication
 * (each only if configured and not already scheduled earlier), the hard
 * lifetime deletion (earliest of the two plus the configured overtime),
 * and starts the DPD checks.
 */
static void schedule_established_events(private_ike_sa_t *this)
{
	job_t *job;
	u_int32_t delay, established;

	this->stats[STAT_ESTABLISHED] = time_monotonic(NULL);
	established = this->stats[STAT_ESTABLISHED];

	/* schedule rekeying if we have a time which is smaller than
	 * an already scheduled rekeying */
	delay = this->peer_cfg->get_rekey_time(this->peer_cfg);
	if (delay && (this->stats[STAT_REKEY] == 0 ||
				  this->stats[STAT_REKEY] > delay + established))
	{
		this->stats[STAT_REKEY] = delay + established;
		job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, FALSE);
		charon->scheduler->schedule_job(charon->scheduler, job, delay);
		DBG1(DBG_IKE, "scheduling rekeying in %ds", delay);
	}
	delay = this->peer_cfg->get_reauth_time(this->peer_cfg);
	if (delay && (this->stats[STAT_REAUTH] == 0 ||
				  this->stats[STAT_REAUTH] > delay + established))
	{
		this->stats[STAT_REAUTH] = delay + established;
		job = (job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE);
		charon->scheduler->schedule_job(charon->scheduler, job, delay);
		DBG1(DBG_IKE, "scheduling reauthentication in %ds", delay);
	}

	/* hard lifetime: the earlier of rekey/reauth plus the overtime margin */
	delay = this->peer_cfg->get_over_time(this->peer_cfg);
	if (this->stats[STAT_REKEY] || this->stats[STAT_REAUTH])
	{
		u_int32_t rekey = this->stats[STAT_REKEY];
		u_int32_t reauth = this->stats[STAT_REAUTH];

		if (reauth == 0)
		{
			this->stats[STAT_DELETE] = rekey;
		}
		else if (rekey == 0)
		{
			this->stats[STAT_DELETE] = reauth;
		}
		else
		{
			this->stats[STAT_DELETE] = min(rekey, reauth);
		}
		this->stats[STAT_DELETE] += delay;
		delay = this->stats[STAT_DELETE] - established;
		job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);
		charon->scheduler->schedule_job(charon->scheduler, job, delay);
		DBG1(DBG_IKE, "maximum IKE_SA lifetime %ds", delay);
	}

	/* start DPD checks */
	send_dpd(this);
}

/**
 * Implementation of ike_sa_t.set_state.
 *
 * Logs the transition, performs the side effects tied to entering the new
 * state (lifetime timers on CONNECTING/PASSIVE -> ESTABLISHED, a deletion
 * timeout on DELETING), notifies the bus and finally stores the state.
 *
 * @param state	state to switch to
 */
static void set_state(private_ike_sa_t *this, ike_sa_state_t state)
{
	DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N",
		 get_name(this), this->unique_id,
		 ike_sa_state_names, this->state,
		 ike_sa_state_names, state);

	if (state == IKE_ESTABLISHED)
	{
		/* timers are set up only when leaving CONNECTING or PASSIVE; other
		 * transitions into ESTABLISHED keep the existing schedule */
		if (this->state == IKE_CONNECTING || this->state == IKE_PASSIVE)
		{
			schedule_established_events(this);
		}
	}
	else if (state == IKE_DELETING)
	{
		/* delete may fail if a packet gets lost, so set a timeout */
		job_t *job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE);

		charon->scheduler->schedule_job(charon->scheduler, job,
										HALF_OPEN_IKE_SA_TIMEOUT);
	}
	charon->bus->ike_state_change(charon->bus, &this->public, state);
	this->state = state;
}
| 699 | |
/**
 * Implementation of ike_sa_t.reset.
 *
 * Returns the IKE_SA to IKE_CREATED for a new connection attempt: as
 * initiator the responder SPI is cleared (the peer may pick another one),
 * the state is set and the task manager's message IDs are reset to 0/0.
 */
static void reset(private_ike_sa_t *this)
{
	ike_sa_id_t *id = this->ike_sa_id;

	/* the responder ID is reset, as peer may choose another one */
	if (id->is_initiator(id))
	{
		id->set_responder_spi(id, 0);
	}
	set_state(this, IKE_CREATED);
	this->task_manager->reset(this->task_manager, 0, 0);
}
| 715 | |
/**
 * Implementation of ike_sa_t.get_keymat: the keying material of this
 * IKE_SA, still owned by it.
 */
static keymat_t* get_keymat(private_ike_sa_t *this)
{
	keymat_t *keymat = this->keymat;

	return keymat;
}
| 723 | |
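/**
 * Implementation of ike_sa_t.set_virtual_ip.
 *
 * For the local side the address is first installed through the kernel
 * interface; only on success does it replace any previously installed
 * virtual IP, which is removed from the kernel again. For the remote side
 * the address is simply recorded.
 *
 * @param local	TRUE for our own virtual IP, FALSE for the peer's
 * @param ip	address to record; cloned, the caller keeps ownership
 */
static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip)
{
	if (!local)
	{
		DESTROY_IF(this->other_virtual_ip);
		this->other_virtual_ip = ip->clone(ip);
		return;
	}

	DBG1(DBG_IKE, "installing new virtual IP %H", ip);
	if (charon->kernel_interface->add_ip(charon->kernel_interface, ip,
										 this->my_host) != SUCCESS)
	{
		DBG1(DBG_IKE, "installing virtual IP %H failed", ip);
		/* release the previously held object rather than just dropping the
		 * pointer, which leaked it. NOTE(review): an address that was
		 * already installed in the kernel is not removed on this path -
		 * confirm whether that is intended. */
		DESTROY_IF(this->my_virtual_ip);
		this->my_virtual_ip = NULL;
		return;
	}
	if (this->my_virtual_ip)
	{
		DBG1(DBG_IKE, "removing old virtual IP %H", this->my_virtual_ip);
		charon->kernel_interface->del_ip(charon->kernel_interface,
										 this->my_virtual_ip);
	}
	DESTROY_IF(this->my_virtual_ip);
	this->my_virtual_ip = ip->clone(ip);
}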
| 756 | |
/**
 * Implementation of ike_sa_t.get_virtual_ip.
 *
 * @param local	TRUE for our own virtual IP, FALSE for the peer's
 * @return		the address (owned by the IKE_SA), or NULL if none is set
 */
static host_t* get_virtual_ip(private_ike_sa_t *this, bool local)
{
	return local ? this->my_virtual_ip : this->other_virtual_ip;
}
| 771 | |
/**
 * Implementation of ike_sa_t.add_additional_address: appends a peer
 * address (as announced via MOBIKE) to additional_addresses, which takes
 * ownership of it.
 */
static void add_additional_address(private_ike_sa_t *this, host_t *host)
{
	linked_list_t *addresses = this->additional_addresses;

	addresses->insert_last(addresses, host);
}
| 779 | |
/**
 * Implementation of ike_sa_t.create_additional_address_iterator.
 *
 * @return	iterator over the peer's additional addresses; the TRUE flag
 *			matches the other create_iterator() calls in this file
 */
static iterator_t* create_additional_address_iterator(private_ike_sa_t *this)
{
	linked_list_t *addresses = this->additional_addresses;

	return addresses->create_iterator(addresses, TRUE);
}
| 788 | |
/**
 * Implementation of ike_sa_t.has_mapping_changed.
 *
 * Compares the received NAT detection destination hash with the one seen
 * previously and remembers the new value. The very first hash is only
 * stored, never reported as a change.
 *
 * @param hash	hash from the received NAT detection payload; cloned
 * @return		TRUE if the hash differs from the previously stored one
 */
static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash)
{
	bool changed;

	if (this->nat_detection_dest.ptr == NULL)
	{	/* first observation: nothing to compare against yet */
		this->nat_detection_dest = chunk_clone(hash);
		return FALSE;
	}
	changed = !chunk_equals(hash, this->nat_detection_dest);
	if (changed)
	{
		free(this->nat_detection_dest.ptr);
		this->nat_detection_dest = chunk_clone(hash);
	}
	return changed;
}
| 807 | |
/**
 * Implementation of ike_sa_t.set_pending_updates: stores the number of
 * pending MOBIKE address updates.
 */
static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates)
{
	u_int32_t pending = updates;

	this->pending_updates = pending;
}
| 815 | |
/**
 * Implementation of ike_sa_t.get_pending_updates: the number of pending
 * MOBIKE address updates.
 */
static u_int32_t get_pending_updates(private_ike_sa_t *this)
{
	u_int32_t pending = this->pending_updates;

	return pending;
}
| 823 | |
/**
 * Update hosts, as addresses may change (NAT).
 *
 * Either argument may be NULL to keep the currently stored address. While
 * our own or the peer's address is still %any (first received message)
 * both are adopted unconditionally. Afterwards our own address always
 * follows the given one; the peer's address is only followed if we are not
 * behind a NAT ourselves, or if only its port changed. Whenever something
 * changed, all CHILD_SAs are updated; a CHILD_SA whose update is
 * NOT_SUPPORTED is rekeyed instead.
 *
 * @param me	new local address, or NULL; cloned, caller keeps ownership
 * @param other	new remote address, or NULL; cloned, caller keeps ownership
 */
static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other)
{
	bool changed = FALSE;

	/* NULL means "keep what we have" for either side */
	me = me ? me : this->my_host;
	other = other ? other : this->other_host;

	if (this->my_host->is_anyaddr(this->my_host) ||
		this->other_host->is_anyaddr(this->other_host))
	{
		/* apply hosts on first received message */
		set_my_host(this, me->clone(me));
		set_other_host(this, other->clone(other));
		changed = TRUE;
	}
	else
	{
		/* update our address in any case */
		if (!me->equals(me, this->my_host))
		{
			set_my_host(this, me->clone(me));
			changed = TRUE;
		}
		/* update the peer's address only if we are NOT NATed ourselves;
		 * when we are, allow a port change but not an address change */
		if (!other->equals(other, this->other_host) &&
			(!has_condition(this, COND_NAT_HERE) ||
			 other->ip_equals(other, this->other_host)))
		{
			set_other_host(this, other->clone(other));
			changed = TRUE;
		}
	}

	if (changed)
	{
		iterator_t *children;
		child_sa_t *child;

		/* propagate the new endpoints to all CHILD_SAs */
		children = this->child_sas->create_iterator(this->child_sas, TRUE);
		while (children->iterate(children, (void**)&child))
		{
			if (child->update(child, this->my_host, this->other_host,
							  this->my_virtual_ip,
							  has_condition(this, COND_NAT_ANY)) == NOT_SUPPORTED)
			{
				/* in-place update not possible for this CHILD_SA, rekey it */
				this->public.rekey_child_sa(&this->public,
											child->get_protocol(child),
											child->get_spi(child, TRUE));
			}
		}
		children->destroy(children);
	}
}
| 891 | |
/**
 * Implementation of ike_sa_t.generate_message.
 *
 * Stamps STAT_OUTBOUND (the basis for keepalive timing in get_use_time),
 * attaches our IKE_SA ID to the message and lets it generate the packet
 * using the outbound crypter and signer of the keymat.
 *
 * @param message	message to generate
 * @param packet	receives the generated packet on success
 * @return			result of message_t.generate
 */
static status_t generate_message(private_ike_sa_t *this, message_t *message,
								 packet_t **packet)
{
	keymat_t *keymat = this->keymat;

	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
	message->set_ike_sa_id(message, this->ike_sa_id);
	return message->generate(message, keymat->get_crypter(keymat, FALSE),
							 keymat->get_signer(keymat, FALSE), packet);
}
| 904 | |
/**
 * Send a notify back to the sender of a request.
 *
 * Builds a response with the request's exchange type and message ID that
 * carries a single notify of the given type. If our own or the peer's
 * address is still %any, it is taken from the request first so that the
 * response can be routed. The response is only sent if generation
 * succeeds; the message object is destroyed in any case.
 *
 * @param request	request to respond to
 * @param type		notify type to send
 */
static void send_notify_response(private_ike_sa_t *this, message_t *request,
								 notify_type_t type)
{
	message_t *response = message_create();
	packet_t *packet;

	response->set_exchange_type(response, request->get_exchange_type(request));
	response->set_request(response, FALSE);
	response->set_message_id(response, request->get_message_id(request));
	response->add_notify(response, FALSE, type, chunk_empty);

	if (this->my_host->is_anyaddr(this->my_host))
	{
		host_t *dst = request->get_destination(request);

		this->my_host->destroy(this->my_host);
		this->my_host = dst->clone(dst);
	}
	if (this->other_host->is_anyaddr(this->other_host))
	{
		host_t *src = request->get_source(request);

		this->other_host->destroy(this->other_host);
		this->other_host = src->clone(src);
	}
	response->set_source(response, this->my_host->clone(this->my_host));
	response->set_destination(response, this->other_host->clone(this->other_host));

	if (generate_message(this, response, &packet) == SUCCESS)
	{
		charon->sender->send(charon->sender, packet);
	}
	response->destroy(response);
}
| 939 | |
/**
 * Implementation of ike_sa_t.set_kmaddress.
 *
 * Records the addresses handed over by a MIGRATE kernel message; both are
 * cloned, the caller keeps ownership.
 *
 * @param local		local address to use for IKE, must not be NULL
 * @param remote	remote address to use for IKE, must not be NULL
 */
static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote)
{
	host_t *new_local = local->clone(local);
	host_t *new_remote = remote->clone(remote);

	DESTROY_IF(this->local_host);
	DESTROY_IF(this->remote_host);
	this->local_host = new_local;
	this->remote_host = new_remote;
}
| 950 | |
| 951 | #ifdef ME
|
/**
 * Implementation of ike_sa_t.act_as_mediation_server.
 *
 * Registers this IKE_SA with the mediation manager under the peer's
 * identity and marks it as acting as mediation server.
 */
static void act_as_mediation_server(private_ike_sa_t *this)
{
	this->is_mediation_server = TRUE;
	charon->mediation_manager->update_sa_id(charon->mediation_manager,
											this->other_id, this->ike_sa_id);
}
| 961 | |
/**
 * Implementation of ike_sa_t.get_server_reflexive_host: the address the
 * mediation server sees us at, still owned by the IKE_SA.
 */
static host_t *get_server_reflexive_host(private_ike_sa_t *this)
{
	host_t *reflexive = this->server_reflexive_host;

	return reflexive;
}
| 969 | |
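/**
 * Implementation of ike_sa_t.set_server_reflexive_host.
 *
 * Takes ownership of @p host and destroys the previously held address.
 * Handing back the object that is already stored leaves it intact instead
 * of destroying it and keeping a dangling pointer.
 *
 * @param host	new server reflexive address, owned by the IKE_SA afterwards
 */
static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host)
{
	if (this->server_reflexive_host != host)
	{
		DESTROY_IF(this->server_reflexive_host);
	}
	this->server_reflexive_host = host;
}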
| 978 | |
/**
 * Implementation of ike_sa_t.get_connect_id: the connect ID chunk, returned
 * by value without cloning its data (still owned by the IKE_SA).
 */
static chunk_t get_connect_id(private_ike_sa_t *this)
{
	chunk_t id = this->connect_id;

	return id;
}
| 986 | |
/**
 * Implementation of ike_sa_t.respond.
 *
 * Queues an IKE_ME task that answers a mediation request for @p peer_id
 * and lets the task manager initiate the exchange.
 *
 * @return	result of task_manager_t.initiate
 */
static status_t respond(private_ike_sa_t *this, identification_t *peer_id,
						chunk_t connect_id)
{
	task_manager_t *manager = this->task_manager;
	ike_me_t *me_task;

	/* TRUE matches the flag passed to the other task constructors here */
	me_task = ike_me_create(&this->public, TRUE);
	me_task->respond(me_task, peer_id, connect_id);
	manager->queue_task(manager, (task_t*)me_task);
	return manager->initiate(manager);
}
| 998 | |
/**
 * Implementation of ike_sa_t.callback.
 *
 * Queues an IKE_ME callback task for @p peer_id and lets the task manager
 * initiate the exchange.
 *
 * @return	result of task_manager_t.initiate
 */
static status_t callback(private_ike_sa_t *this, identification_t *peer_id)
{
	task_manager_t *manager = this->task_manager;
	ike_me_t *me_task;

	me_task = ike_me_create(&this->public, TRUE);
	me_task->callback(me_task, peer_id);
	manager->queue_task(manager, (task_t*)me_task);
	return manager->initiate(manager);
}
| 1009 | |
/**
 * Implementation of ike_sa_t.relay.
 *
 * Queues an IKE_ME task relaying connect information between mediated
 * peers and lets the task manager initiate the exchange.
 *
 * @param requester		identity of the requesting peer
 * @param connect_id	connect ID to relay
 * @param connect_key	connect key to relay
 * @param endpoints		list of endpoints to relay
 * @param response		TRUE if this relays a response
 * @return				result of task_manager_t.initiate
 */
static status_t relay(private_ike_sa_t *this, identification_t *requester,
					  chunk_t connect_id, chunk_t connect_key,
					  linked_list_t *endpoints, bool response)
{
	task_manager_t *manager = this->task_manager;
	ike_me_t *me_task;

	me_task = ike_me_create(&this->public, TRUE);
	me_task->relay(me_task, requester, connect_id, connect_key, endpoints,
				   response);
	manager->queue_task(manager, (task_t*)me_task);
	return manager->initiate(manager);
}
| 1022 | |
/**
 * Implementation of ike_sa_t.initiate_mediation
 *
 * Queues an ME connect task for the peer of mediated_cfg and lets the task
 * manager start it.
 *
 * @param mediated_cfg	peer config of the connection to mediate
 * @return				status of task_manager_t.initiate
 */
static status_t initiate_mediation(private_ike_sa_t *this,
								   peer_cfg_t *mediated_cfg)
{
	task_manager_t *manager = this->task_manager;
	identification_t *peer = mediated_cfg->get_peer_id(mediated_cfg);
	ike_me_t *me_task = ike_me_create(&this->public, TRUE);

	me_task->connect(me_task, peer);
	manager->queue_task(manager, (task_t*)me_task);
	return manager->initiate(manager);
}
| 1034 | |
/**
 * Implementation of ike_sa_t.initiate_mediated
 *
 * Installs the endpoints learned through mediation and starts the pending
 * tasks. me/other are cloned, connect_id is copied; the caller keeps
 * ownership of all three.
 *
 * @param me			local endpoint to use
 * @param other			remote endpoint to use
 * @param connect_id	connect ID of the mediated connection
 * @return				status of task_manager_t.initiate
 */
static status_t initiate_mediated(private_ike_sa_t *this, host_t *me,
								  host_t *other, chunk_t connect_id)
{
	host_t *my_copy = me->clone(me);
	host_t *other_copy = other->clone(other);

	set_my_host(this, my_copy);
	set_other_host(this, other_copy);
	/* replace any previous connect ID with a private copy */
	chunk_free(&this->connect_id);
	this->connect_id = chunk_clone(connect_id);
	return this->task_manager->initiate(this->task_manager);
}
| 1047 | #endif /* ME */ |
| 1048 | |
/**
 * Pick the remote address: an explicitly set remote_host wins over the
 * address/DNS name in ike_cfg. Returns a new host with the port forced to
 * IKEV2_UDP_PORT, or NULL if resolution failed.
 */
static host_t *resolve_other_host(private_ike_sa_t *this)
{
	host_t *host;

	if (this->remote_host)
	{
		host = this->remote_host->clone(this->remote_host);
		host->set_port(host, IKEV2_UDP_PORT);
		return host;
	}
	return host_create_from_dns(this->ike_cfg->get_other_addr(this->ike_cfg),
								0, IKEV2_UDP_PORT);
}

/**
 * Pick the local address. Must run after the remote address is installed:
 * it resolves in the address family of this->other_host and, if the
 * configured local address is %any while the peer is known, asks the kernel
 * for the source address routing towards the peer. Returns a new host with
 * the port forced to IKEV2_UDP_PORT, or NULL if nothing could be resolved.
 */
static host_t *resolve_my_host(private_ike_sa_t *this)
{
	host_t *other = this->other_host, *host;
	int family = 0;

	if (this->local_host)
	{
		host = this->local_host->clone(this->local_host);
		host->set_port(host, IKEV2_UDP_PORT);
		return host;
	}
	/* use same address family as for other */
	if (!other->is_anyaddr(other))
	{
		family = other->get_family(other);
	}
	host = host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
								family, IKEV2_UDP_PORT);
	if (!host || !host->is_anyaddr(host) || other->is_anyaddr(other))
	{
		return host;
	}
	/* local address is %any but the peer is known: let the kernel pick the
	 * source address that routes towards the peer */
	host->destroy(host);
	host = charon->kernel_interface->get_source_addr(
									charon->kernel_interface, other, NULL);
	if (host)
	{
		host->set_port(host, IKEV2_UDP_PORT);
		return host;
	}
	/* fallback to address family specific %any(6), if configured */
	return host_create_from_dns(this->ike_cfg->get_my_addr(this->ike_cfg),
								0, IKEV2_UDP_PORT);
}

/**
 * Resolve DNS host in configuration
 *
 * Installs the remote address first, then the local one (which depends on
 * the remote). An address that cannot be resolved leaves the current value
 * in place.
 */
static void resolve_hosts(private_ike_sa_t *this)
{
	host_t *host;

	host = resolve_other_host(this);
	if (host)
	{
		set_other_host(this, host);
	}
	host = resolve_my_host(this);
	if (host)
	{
		set_my_host(this, host);
	}
}
| 1111 | |
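/**
 * Implementation of ike_sa_t.initiate
 *
 * Starts this IKE_SA as original initiator. On the first call (state
 * IKE_CREATED) the peer addresses are resolved and the tasks for the
 * IKE_SA_INIT/IKE_AUTH exchanges are queued; every call then queues a
 * CHILD_SA creation for child_cfg, unless this is a mediation connection
 * (ME), which carries no CHILD_SA.
 *
 * child_cfg is consumed on every path. It may be NULL for mediation
 * connections, which is why it must never be dereferenced unconditionally.
 *
 * @param child_cfg		CHILD_SA config to establish (ownership taken), or
 *						NULL for a mediation connection
 * @param reqid			reqid to reuse for the CHILD_SA, 0 to get a fresh one
 * @param tsi			initiator traffic selector to narrow to, or NULL
 * @param tsr			responder traffic selector to narrow to, or NULL
 * @return				DESTROY_ME if the peer address is %any, SUCCESS if the
 *						mediation process was kicked off asynchronously,
 *						otherwise the status of task_manager_t.initiate
 */
static status_t initiate(private_ike_sa_t *this,
						 child_cfg_t *child_cfg, u_int32_t reqid,
						 traffic_selector_t *tsi, traffic_selector_t *tsr)
{
	task_t *task;

	if (this->state == IKE_CREATED)
	{
		resolve_hosts(this);

		if (this->other_host->is_anyaddr(this->other_host)
#ifdef ME
			&& !this->peer_cfg->get_mediated_by(this->peer_cfg)
#endif /* ME */
			)
		{
			/* child_cfg is NULL for mediation connections; the unconditional
			 * child_cfg->destroy() here would dereference NULL */
			DESTROY_IF(child_cfg);
			DBG1(DBG_IKE, "unable to initiate to %%any");
			return DESTROY_ME;
		}

		set_condition(this, COND_ORIGINAL_INITIATOR, TRUE);

		/* queue the exchange tasks in the order they are processed: IKE_SA_INIT,
		 * NAT detection, certificate requests, authentication, certificates,
		 * configuration payloads and AUTH_LIFETIME, then the optional ones */
		task = (task_t*)ike_init_create(&this->public, TRUE, NULL);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_natd_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_cert_pre_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_auth_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_cert_post_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_config_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		task = (task_t*)ike_auth_lifetime_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
		if (this->peer_cfg->use_mobike(this->peer_cfg))
		{
			task = (task_t*)ike_mobike_create(&this->public, TRUE);
			this->task_manager->queue_task(this->task_manager, task);
		}
#ifdef ME
		task = (task_t*)ike_me_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, task);
#endif /* ME */
	}

#ifdef ME
	if (this->peer_cfg->is_mediation(this->peer_cfg))
	{
		if (this->state == IKE_ESTABLISHED)
		{
			/* mediation connection is already established, retrigger state
			 * change to notify bus listeners */
			DBG1(DBG_IKE, "mediation connection is already up");
			set_state(this, IKE_ESTABLISHED);
		}
		DESTROY_IF(child_cfg);
	}
	else
#endif /* ME */
	{
		/* normal IKE_SA with CHILD_SA */
		task = (task_t*)child_create_create(&this->public, child_cfg, FALSE,
											tsi, tsr);
		child_cfg->destroy(child_cfg);
		if (reqid)
		{
			child_create_t *child_create = (child_create_t*)task;
			child_create->use_reqid(child_create, reqid);
		}
		this->task_manager->queue_task(this->task_manager, task);

#ifdef ME
		if (this->peer_cfg->get_mediated_by(this->peer_cfg))
		{
			/* mediated connection, initiate mediation process; the queued
			 * tasks run once the mediation job resolves the peer */
			job_t *job = (job_t*)initiate_mediation_job_create(this->ike_sa_id);
			charon->processor->queue_job(charon->processor, job);
			return SUCCESS;
		}
#endif /* ME */
	}

	return this->task_manager->initiate(this->task_manager);
}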
| 1202 | |
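/**
 * Implementation of ike_sa_t.process_message.
 *
 * Parses message with the crypter/signer of this IKE_SA and hands it to the
 * task manager. If parsing fails, a notify is sent back for requests only
 * (responses are dropped); a failed integrity check (FAILED) is logged and
 * ignored without any notify, so an unauthenticated sender gets no feedback.
 * An IKE_SA still in IKE_CREATED that receives an unparseable message is
 * torn down (DESTROY_ME).
 *
 * For the first message a responder sees (no ike_cfg yet), an IKE config is
 * looked up for the address pair; if none exists NO_PROPOSAL_CHOSEN is sent
 * and the SA is destroyed. Otherwise a delete job is scheduled after
 * HALF_OPEN_IKE_SA_TIMEOUT so that half-open SAs from peers which never
 * finish the handshake are cleaned up.
 *
 * @param message	message to process
 * @return			FAILED in passive state, DESTROY_ME, the parse status, or
 *					the status of task_manager_t.process_message
 */
static status_t process_message(private_ike_sa_t *this, message_t *message)
{
	status_t status;
	bool is_request;
	host_t *me, *other;

	if (this->state == IKE_PASSIVE)
	{	/* do not handle messages in passive state */
		return FAILED;
	}

	is_request = message->get_request(message);

	status = message->parse_body(message,
								 this->keymat->get_crypter(this->keymat, TRUE),
								 this->keymat->get_signer(this->keymat, TRUE));
	if (status != SUCCESS)
	{
		if (is_request)
		{
			/* only requests are answered with a notify; the per-case
			 * is_request checks the original had here were redundant */
			switch (status)
			{
				case NOT_SUPPORTED:
					DBG1(DBG_IKE, "critical unknown payloads found");
					send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD);
					break;
				case PARSE_ERROR:
					DBG1(DBG_IKE, "message parsing failed");
					send_notify_response(this, message, INVALID_SYNTAX);
					break;
				case VERIFY_ERROR:
					DBG1(DBG_IKE, "message verification failed");
					send_notify_response(this, message, INVALID_SYNTAX);
					break;
				case FAILED:
					DBG1(DBG_IKE, "integrity check failed");
					/* ignored: deliberately no notify for a message that
					 * failed integrity protection */
					break;
				case INVALID_STATE:
					DBG1(DBG_IKE, "found encrypted message, but no keys available");
					send_notify_response(this, message, INVALID_SYNTAX);
					break;
				default:
					break;
			}
		}
		DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
			 exchange_type_names, message->get_exchange_type(message),
			 message->get_request(message) ? "request" : "response",
			 message->get_message_id(message));

		if (this->state == IKE_CREATED)
		{	/* invalid initiation attempt, close SA */
			return DESTROY_ME;
		}
		return status;
	}

	me = message->get_destination(message);
	other = message->get_source(message);

	/* if this IKE_SA is virgin, we check for a config */
	if (this->ike_cfg == NULL)
	{
		job_t *job;
		this->ike_cfg = charon->backends->get_ike_cfg(charon->backends,
													  me, other);
		if (this->ike_cfg == NULL)
		{
			/* no config found for these hosts, destroy */
			DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
				 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
			send_notify_response(this, message, NO_PROPOSAL_CHOSEN);
			return DESTROY_ME;
		}
		/* add a timeout if peer does not establish it completely */
		job = (job_t*)delete_ike_sa_job_create(this->ike_sa_id, FALSE);
		charon->scheduler->schedule_job(charon->scheduler, job,
										HALF_OPEN_IKE_SA_TIMEOUT);
	}
	this->stats[STAT_INBOUND] = time_monotonic(NULL);
	/* check if message is trustworthy, and update host information */
	if (this->state == IKE_CREATED || this->state == IKE_CONNECTING ||
		message->get_exchange_type(message) != IKE_SA_INIT)
	{
		if (!supports_extension(this, EXT_MOBIKE))
		{	/* with MOBIKE, we do no implicit updates */
			update_hosts(this, me, other);
		}
	}
	return this->task_manager->process_message(this->task_manager, message);
}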
| 1313 | |
/**
 * Implementation of ike_sa_t.get_id.
 *
 * Returns the ike_sa_id_t of this IKE_SA; ownership stays with the IKE_SA.
 */
static ike_sa_id_t* get_id(private_ike_sa_t *this)
{
	ike_sa_id_t *id = this->ike_sa_id;

	return id;
}
| 1321 | |
/**
 * Implementation of ike_sa_t.get_my_id.
 *
 * Returns our own identity; ownership stays with the IKE_SA.
 */
static identification_t* get_my_id(private_ike_sa_t *this)
{
	identification_t *mine = this->my_id;

	return mine;
}
| 1329 | |
/**
 * Implementation of ike_sa_t.set_my_id.
 *
 * Replaces our own identity with me, taking ownership; the previous identity
 * (if any) is destroyed.
 */
static void set_my_id(private_ike_sa_t *this, identification_t *me)
{
	identification_t *previous = this->my_id;

	this->my_id = me;
	DESTROY_IF(previous);
}
| 1338 | |
/**
 * Implementation of ike_sa_t.get_other_id.
 *
 * Returns the peer's identity; ownership stays with the IKE_SA.
 */
static identification_t* get_other_id(private_ike_sa_t *this)
{
	identification_t *peer = this->other_id;

	return peer;
}
| 1346 | |
/**
 * Implementation of ike_sa_t.set_other_id.
 *
 * Replaces the peer's identity with other, taking ownership; the previous
 * identity (if any) is destroyed.
 */
static void set_other_id(private_ike_sa_t *this, identification_t *other)
{
	identification_t *previous = this->other_id;

	this->other_id = other;
	DESTROY_IF(previous);
}
| 1355 | |
/**
 * Implementation of ike_sa_t.get_eap_identity.
 *
 * Returns the EAP identity, or NULL if none was set; ownership stays with
 * the IKE_SA.
 */
static identification_t* get_eap_identity(private_ike_sa_t *this)
{
	identification_t *eap_id = this->eap_identity;

	return eap_id;
}
| 1363 | |
/**
 * Implementation of ike_sa_t.set_eap_identity.
 *
 * Replaces the EAP identity with id, taking ownership; the previous identity
 * (if any) is destroyed.
 */
static void set_eap_identity(private_ike_sa_t *this, identification_t *id)
{
	identification_t *previous = this->eap_identity;

	this->eap_identity = id;
	DESTROY_IF(previous);
}
| 1372 | |
/**
 * Implementation of ike_sa_t.add_child_sa.
 *
 * Appends child_sa to the list of CHILD_SAs; the IKE_SA takes ownership.
 */
static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa)
{
	linked_list_t *children = this->child_sas;

	children->insert_last(children, child_sa);
}
| 1380 | |
/**
 * Implementation of ike_sa_t.get_child_sa.
 *
 * Looks up a CHILD_SA by protocol and SPI.
 *
 * @param protocol	protocol of the CHILD_SA (AH/ESP)
 * @param spi		SPI to look for
 * @param inbound	TRUE to match the inbound SPI, FALSE for the outbound one
 * @return			matching CHILD_SA, or NULL if none found
 */
static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
								u_int32_t spi, bool inbound)
{
	iterator_t *it;
	child_sa_t *candidate, *match = NULL;

	it = this->child_sas->create_iterator(this->child_sas, TRUE);
	/* the list is walked to its end; should several entries match, the
	 * last one is returned */
	while (it->iterate(it, (void**)&candidate))
	{
		if (candidate->get_spi(candidate, inbound) != spi)
		{
			continue;
		}
		if (candidate->get_protocol(candidate) == protocol)
		{
			match = candidate;
		}
	}
	it->destroy(it);
	return match;
}
| 1402 | |
/**
 * Implementation of ike_sa_t.create_child_sa_iterator.
 *
 * Returns a forward iterator over the CHILD_SAs; the caller must destroy it.
 */
static iterator_t* create_child_sa_iterator(private_ike_sa_t *this)
{
	linked_list_t *children = this->child_sas;

	return children->create_iterator(children, TRUE);
}
| 1410 | |
/**
 * Implementation of ike_sa_t.rekey_child_sa.
 *
 * Queues a rekeying task for the CHILD_SA identified by protocol/spi and
 * lets the task manager start it.
 *
 * @param protocol	protocol of the CHILD_SA to rekey
 * @param spi		SPI of the CHILD_SA to rekey
 * @return			status of task_manager_t.initiate
 */
static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
							   u_int32_t spi)
{
	task_manager_t *manager = this->task_manager;
	child_rekey_t *rekey_task = child_rekey_create(&this->public, protocol, spi);

	manager->queue_task(manager, &rekey_task->task);
	return manager->initiate(manager);
}
| 1423 | |
/**
 * Implementation of ike_sa_t.delete_child_sa.
 *
 * Queues a delete task for the CHILD_SA identified by protocol/spi and lets
 * the task manager start it.
 *
 * @param protocol	protocol of the CHILD_SA to delete
 * @param spi		SPI of the CHILD_SA to delete
 * @return			status of task_manager_t.initiate
 */
static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
								u_int32_t spi)
{
	task_manager_t *manager = this->task_manager;
	child_delete_t *delete_task = child_delete_create(&this->public, protocol,
													  spi);

	manager->queue_task(manager, &delete_task->task);
	return manager->initiate(manager);
}
| 1436 | |
/**
 * Implementation of ike_sa_t.destroy_child_sa.
 *
 * Destroys the first CHILD_SA whose protocol and inbound SPI match and
 * removes it from the list, without any exchange with the peer.
 *
 * @param protocol	protocol of the CHILD_SA
 * @param spi		inbound SPI of the CHILD_SA
 * @return			SUCCESS if a CHILD_SA was destroyed, NOT_FOUND otherwise
 */
static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi)
{
	iterator_t *it = this->child_sas->create_iterator(this->child_sas, TRUE);
	child_sa_t *candidate;
	bool removed = FALSE;

	while (!removed && it->iterate(it, (void**)&candidate))
	{
		if (candidate->get_protocol(candidate) != protocol ||
			candidate->get_spi(candidate, TRUE) != spi)
		{
			continue;
		}
		candidate->destroy(candidate);
		it->remove(it);
		removed = TRUE;
	}
	it->destroy(it);
	return removed ? SUCCESS : NOT_FOUND;
}
| 1462 | |
/**
 * Implementation of public_ike_sa_t.delete.
 *
 * Established or rekeying SAs are deleted properly through an IKE delete
 * exchange; any other state is torn down locally without notifying the
 * peer.
 *
 * @return	status of task_manager_t.initiate for an established/rekeying
 *			SA, DESTROY_ME otherwise
 */
static status_t delete_(private_ike_sa_t *this)
{
	ike_delete_t *delete_task;

	if (this->state == IKE_ESTABLISHED || this->state == IKE_REKEYING)
	{
		delete_task = ike_delete_create(&this->public, TRUE);
		this->task_manager->queue_task(this->task_manager, &delete_task->task);
		return this->task_manager->initiate(this->task_manager);
	}
	if (this->state == IKE_CREATED)
	{
		DBG1(DBG_IKE, "deleting unestablished IKE_SA");
	}
	else if (this->state != IKE_PASSIVE)
	{
		DBG1(DBG_IKE, "destroying IKE_SA in state %N "
			 "without notification", ike_sa_state_names, this->state);
	}
	return DESTROY_ME;
}
| 1489 | |
/**
 * Implementation of ike_sa_t.rekey.
 *
 * Queues an IKE_SA rekeying task and lets the task manager start it.
 *
 * @return	status of task_manager_t.initiate
 */
static status_t rekey(private_ike_sa_t *this)
{
	task_manager_t *manager = this->task_manager;
	ike_rekey_t *rekey_task = ike_rekey_create(&this->public, TRUE);

	manager->queue_task(manager, &rekey_task->task);
	return manager->initiate(manager);
}
| 1502 | |
/**
 * Implementation of ike_sa_t.reauth
 *
 * Reauthenticates the IKE_SA by queueing a reauth task. As responder this
 * is only possible in a symmetric setup: with EAP, a virtual IP assigned to
 * the peer or (ME) as mediation server, the responder cannot reauthenticate
 * and the SA is left to expire at stats[STAT_DELETE].
 *
 * @return	FAILED if we are responder in an asymmetric setup, otherwise the
 *			status of task_manager_t.initiate
 */
static status_t reauth(private_ike_sa_t *this)
{
	task_t *task;
	bool asymmetric;

	/* we can't reauthenticate as responder when we use EAP or virtual IPs.
	 * If the peer does not support RFC4478, there is no way to keep the
	 * IKE_SA up. */
	if (!has_condition(this, COND_ORIGINAL_INITIATOR))
	{
		DBG1(DBG_IKE, "initiator did not reauthenticate as requested");
		asymmetric = this->other_virtual_ip != NULL ||
					 has_condition(this, COND_EAP_AUTHENTICATED);
#ifdef ME
		/* as mediation server we too cannot reauth the IKE_SA */
		asymmetric = asymmetric || this->is_mediation_server;
#endif /* ME */
		if (asymmetric)
		{
			time_t now = time_monotonic(NULL);

			DBG1(DBG_IKE, "IKE_SA will timeout in %V",
				 &now, &this->stats[STAT_DELETE]);
			return FAILED;
		}
		DBG1(DBG_IKE, "reauthenticating actively");
	}
	task = (task_t*)ike_reauth_create(&this->public);
	this->task_manager->queue_task(this->task_manager, task);

	return this->task_manager->initiate(this->task_manager);
}
| 1540 | |
/**
 * Implementation of ike_sa_t.reestablish
 *
 * Replaces this IKE_SA (which is being deleted or whose peer stopped
 * responding) by a fresh one, if at least one CHILD_SA asks for it: the
 * close action (state IKE_DELETING) or DPD action of each child decides
 * between restarting it on the new IKE_SA, installing a trap policy, or
 * nothing. Mediation connections (ME) are always kept up. As responder in
 * an asymmetric setup (EAP, peer virtual IP, mediation server) the SA
 * cannot be reestablished.
 *
 * @return	SUCCESS if the new IKE_SA was checked in, FAILED if nothing is to
 *			be restarted, the setup is asymmetric, or initiating the new SA
 *			returned DESTROY_ME
 */
static status_t reestablish(private_ike_sa_t *this)
{
	ike_sa_t *new;
	host_t *host;
	action_t action;
	iterator_t *iterator;
	child_sa_t *child_sa;
	child_cfg_t *child_cfg;
	bool restart = FALSE;
	status_t status = FAILED;

	/* check if we have children to keep up at all */
	iterator = create_child_sa_iterator(this);
	while (iterator->iterate(iterator, (void**)&child_sa))
	{
		child_cfg = child_sa->get_config(child_sa);
		/* the action depends on why we are here: closed by the peer vs. DPD */
		if (this->state == IKE_DELETING)
		{
			action = child_cfg->get_close_action(child_cfg);
		}
		else
		{
			action = child_cfg->get_dpd_action(child_cfg);
		}
		switch (action)
		{
			case ACTION_RESTART:
				restart = TRUE;
				break;
			case ACTION_ROUTE:
				/* trap policy: the child is re-created on traffic, no IKE_SA
				 * needed for that */
				charon->traps->install(charon->traps, this->peer_cfg, child_cfg);
				break;
			default:
				break;
		}
	}
	iterator->destroy(iterator);
#ifdef ME
	/* mediation connections have no children, keep them up anyway */
	if (this->peer_cfg->is_mediation(this->peer_cfg))
	{
		restart = TRUE;
	}
#endif /* ME */
	if (!restart)
	{
		return FAILED;
	}

	/* check if we are able to reestablish this IKE_SA */
	if (!has_condition(this, COND_ORIGINAL_INITIATOR) &&
		(this->other_virtual_ip != NULL ||
		 has_condition(this, COND_EAP_AUTHENTICATED)
#ifdef ME
		 || this->is_mediation_server
#endif /* ME */
		))
	{
		DBG1(DBG_IKE, "unable to reestablish IKE_SA due asymetric setup");
		return FAILED;
	}

	/* the new SA inherits config and addresses; hosts are cloned, the peer
	 * config is shared */
	new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager, TRUE);
	new->set_peer_cfg(new, this->peer_cfg);
	host = this->other_host;
	new->set_other_host(new, host->clone(host));
	host = this->my_host;
	new->set_my_host(new, host->clone(host));
	/* if we already have a virtual IP, we reuse it */
	host = this->my_virtual_ip;
	if (host)
	{
		/* NOTE(review): handed over without a clone, unlike the hosts above;
		 * assumes set_virtual_ip copies it - confirm */
		new->set_virtual_ip(new, TRUE, host);
	}

#ifdef ME
	if (this->peer_cfg->is_mediation(this->peer_cfg))
	{
		/* no CHILD_SA on a mediation connection, hence child_cfg NULL */
		status = new->initiate(new, NULL, 0, NULL, NULL);
	}
	else
#endif /* ME */
	{
		iterator = create_child_sa_iterator(this);
		while (iterator->iterate(iterator, (void**)&child_sa))
		{
			child_cfg = child_sa->get_config(child_sa);
			if (this->state == IKE_DELETING)
			{
				action = child_cfg->get_close_action(child_cfg);
			}
			else
			{
				action = child_cfg->get_dpd_action(child_cfg);
			}
			switch (action)
			{
				case ACTION_RESTART:
					DBG1(DBG_IKE, "restarting CHILD_SA %s",
						 child_cfg->get_name(child_cfg));
					/* initiate() consumes its child_cfg, keep ours alive */
					child_cfg->get_ref(child_cfg);
					status = new->initiate(new, child_cfg, 0, NULL, NULL);
					break;
				default:
					/* skips the DESTROY_ME check below for this child */
					continue;
			}
			if (status == DESTROY_ME)
			{
				break;
			}
		}
		iterator->destroy(iterator);
	}

	if (status == DESTROY_ME)
	{
		charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
		status = FAILED;
	}
	else
	{
		charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
		status = SUCCESS;
	}
	/* checking out the new SA switched the bus SA, switch it back to us */
	charon->bus->set_sa(charon->bus, &this->public);
	return status;
}
| 1671 | |
/**
 * Implementation of ike_sa_t.retransmit.
 *
 * Retransmits the request with message_id through the task manager. If the
 * task manager has given up on the peer, the outcome depends on the state:
 * while connecting, IKE_SA_INIT is retried as long as the configured
 * keyingtries (0 = unlimited) are not exhausted; while deleting or rekeying
 * the failure is logged; in any other state a replacement IKE_SA is
 * attempted through reestablish().
 *
 * @param message_id	message ID of the request to retransmit
 * @return				SUCCESS if retransmitted or retried, DESTROY_ME if the
 *						IKE_SA is to be closed
 */
static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id)
{
	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
	if (this->task_manager->retransmit(this->task_manager, message_id) == SUCCESS)
	{
		return SUCCESS;
	}
	/* send a proper signal to brief interested bus listeners */
	if (this->state == IKE_CONNECTING)
	{
		/* retry IKE_SA_INIT if we have multiple keyingtries */
		u_int32_t tries = this->peer_cfg->get_keyingtries(this->peer_cfg);

		this->keyingtry++;
		if (tries == 0 || tries > this->keyingtry)
		{
			DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)",
				 this->keyingtry + 1, tries);
			reset(this);
			return this->task_manager->initiate(this->task_manager);
		}
		DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding");
	}
	else if (this->state == IKE_DELETING)
	{
		DBG1(DBG_IKE, "proper IKE_SA delete failed, peer not responding");
	}
	else
	{
		if (this->state == IKE_REKEYING)
		{
			DBG1(DBG_IKE, "rekeying IKE_SA failed, peer not responding");
		}
		/* rekeying and all remaining states try to reestablish */
		reestablish(this);
	}
	return DESTROY_ME;
}
| 1712 | |
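/**
 * Implementation of ike_sa_t.set_auth_lifetime.
 *
 * Applies an AUTH_LIFETIME announced by the peer (RFC4478): reauthentication
 * is scheduled lifetime seconds from now minus the configured over_time
 * margin, so the replacement IKE_SA is up before the old one expires. If
 * lifetime is shorter than the margin, reauthentication starts immediately.
 * A reauthentication already scheduled for an earlier time is kept.
 *
 * @param lifetime	lifetime in seconds announced by the peer
 */
static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime)
{
	u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg);
	time_t now = time_monotonic(NULL);
	time_t reauth_time;

	if (lifetime < reduction)
	{
		/* no room for the over_time margin: reauthenticate right away */
		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, starting reauthentication",
			 lifetime);
		charon->processor->queue_job(charon->processor,
					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE));
		return;
	}
	/* computed only after the check above, so lifetime - reduction can't wrap */
	reauth_time = now + lifetime - reduction;
	if (this->stats[STAT_REAUTH] == 0 || this->stats[STAT_REAUTH] > reauth_time)
	{
		this->stats[STAT_REAUTH] = reauth_time;
		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, scheduling reauthentication"
			 " in %ds", lifetime, lifetime - reduction);
		charon->scheduler->schedule_job(charon->scheduler,
					(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE),
					lifetime - reduction);
	}
	else
	{
		DBG1(DBG_IKE, "received AUTH_LIFETIME of %ds, "
			 "reauthentication already scheduled in %ds", lifetime,
			 this->stats[STAT_REAUTH] - now);
	}
}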
| 1745 | |
/**
 * Implementation of ike_sa_t.roam.
 *
 * Reacts to a local address/routing change. Nothing is done for SAs that
 * are not (yet or any more) established. A responder only pushes its
 * address list to the peer via MOBIKE (when supported and address is TRUE).
 * An initiator checks whether the current path is still routable: if the
 * kernel's preferred source address is unchanged the path is kept; if no
 * route exists at all (also via the additional addresses) the update is
 * deferred and COND_STALE set; otherwise the address change is signalled
 * with MOBIKE, or the IKE_SA is reauthenticated if the peer lacks MOBIKE.
 *
 * @param address	TRUE if the local address set changed (not only routing)
 * @return			SUCCESS if nothing to do or the update was deferred,
 *					otherwise the status of the queued MOBIKE task or of
 *					reauth()
 */
static status_t roam(private_ike_sa_t *this, bool address)
{
	host_t *src;
	ike_mobike_t *mobike;

	switch (this->state)
	{
		case IKE_CREATED:
		case IKE_DELETING:
		case IKE_DESTROYING:
		case IKE_PASSIVE:
			return SUCCESS;
		default:
			break;
	}
	/* responder just updates the peer about changed address config */
	if (!this->ike_sa_id->is_initiator(this->ike_sa_id))
	{
		if (supports_extension(this, EXT_MOBIKE) && address)
		{
			DBG1(DBG_IKE, "sending address list update using MOBIKE");
			mobike = ike_mobike_create(&this->public, TRUE);
			this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
			return this->task_manager->initiate(this->task_manager);
		}
		return SUCCESS;
	}

	/* keep existing path if possible */
	src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
												this->other_host, this->my_host);
	if (src)
	{
		if (src->ip_equals(src, this->my_host))
		{
			DBG2(DBG_IKE, "keeping connection path %H - %H",
				 src, this->other_host);
			src->destroy(src);
			set_condition(this, COND_STALE, FALSE);
			return SUCCESS;
		}
		/* the kernel prefers another source address now: fall through to
		 * the MOBIKE update / reauthentication below */
		src->destroy(src);

	}
	else
	{
		/* check if we find a route at all */
		enumerator_t *enumerator;
		host_t *addr;

		src = charon->kernel_interface->get_source_addr(charon->kernel_interface,
														this->other_host, NULL);
		if (!src)
		{
			/* no route to the peer's current address, try its additional
			 * (MOBIKE) addresses */
			enumerator = this->additional_addresses->create_enumerator(
												this->additional_addresses);
			while (enumerator->enumerate(enumerator, &addr))
			{
				DBG1(DBG_IKE, "looking for a route to %H ...", addr);
				src = charon->kernel_interface->get_source_addr(
									charon->kernel_interface, addr, NULL);
				if (src)
				{
					break;
				}
			}
			enumerator->destroy(enumerator);
		}
		if (!src)
		{
			DBG1(DBG_IKE, "no route found to reach %H, MOBIKE update deferred",
				 this->other_host);
			set_condition(this, COND_STALE, TRUE);
			return SUCCESS;
		}
		/* only the existence of a route matters here; the address itself is
		 * picked again by the MOBIKE task or during reauthentication */
		src->destroy(src);
	}
	set_condition(this, COND_STALE, FALSE);

	/* update addresses with mobike, if supported ... */
	if (supports_extension(this, EXT_MOBIKE))
	{
		DBG1(DBG_IKE, "requesting address change using MOBIKE");
		mobike = ike_mobike_create(&this->public, TRUE);
		mobike->roam(mobike, address);
		this->task_manager->queue_task(this->task_manager, (task_t*)mobike);
		return this->task_manager->initiate(this->task_manager);
	}
	DBG1(DBG_IKE, "reauthenticating IKE_SA due to address change");
	/* ... reauth if not */
	return reauth(this);
}
| 1841 | |
/**
 * Implementation of ike_sa_t.add_configuration_attribute
 *
 * Records a configuration attribute received for this IKE_SA together with
 * the handler that provided it, so it can be released again on destroy().
 * data is copied; the caller keeps ownership of the original.
 *
 * @param handler	attribute handler that provided the attribute
 * @param type		type of the configuration attribute
 * @param data		attribute data, cloned
 */
static void add_configuration_attribute(private_ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data)
{
	linked_list_t *attributes = this->attributes;
	attribute_entry_t *record = malloc_thing(attribute_entry_t);

	record->type = type;
	record->handler = handler;
	record->data = chunk_clone(data);
	attributes->insert_last(attributes, record);
}
| 1857 | |
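/**
 * Implementation of ike_sa_t.inherit.
 *
 * Takes over the state of other after a rekeying: hosts and identities are
 * cloned, virtual IPs, configuration attributes, CHILD_SAs and pending
 * tasks are moved (other loses them), conditions are copied, and a pending
 * reauthentication deadline is rescheduled on this IKE_SA.
 *
 * @param other		the IKE_SA being replaced; left without children,
 *					attributes, virtual IPs and tasks
 * @return			status of task_manager_t.initiate, as adopted tasks may
 *					need to be started
 */
static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other)
{
	child_sa_t *child_sa;
	attribute_entry_t *entry;

	/* apply hosts and ids */
	this->my_host->destroy(this->my_host);
	this->other_host->destroy(this->other_host);
	this->my_id->destroy(this->my_id);
	this->other_id->destroy(this->other_id);
	this->my_host = other->my_host->clone(other->my_host);
	this->other_host = other->other_host->clone(other->other_host);
	this->my_id = other->my_id->clone(other->my_id);
	this->other_id = other->other_id->clone(other->other_id);

	/* apply virtual assigned IPs... (moved, not cloned, so other must not
	 * release them on destroy) */
	if (other->my_virtual_ip)
	{
		this->my_virtual_ip = other->my_virtual_ip;
		other->my_virtual_ip = NULL;
	}
	if (other->other_virtual_ip)
	{
		this->other_virtual_ip = other->other_virtual_ip;
		other->other_virtual_ip = NULL;
	}

	/* ... and configuration attributes, keeping their order */
	while (other->attributes->remove_last(other->attributes,
										  (void**)&entry) == SUCCESS)
	{
		this->attributes->insert_first(this->attributes, entry);
	}

	/* inherit all conditions */
	this->conditions = other->conditions;
	if (this->conditions & COND_NAT_HERE)
	{
		/* keep the NAT mapping alive for the new SA right away */
		send_keepalive(this);
	}

#ifdef ME
	if (other->is_mediation_server)
	{
		act_as_mediation_server(this);
	}
	else if (other->server_reflexive_host)
	{
		this->server_reflexive_host = other->server_reflexive_host->clone(
											other->server_reflexive_host);
	}
#endif /* ME */

	/* adopt all children */
	while (other->child_sas->remove_last(other->child_sas,
										 (void**)&child_sa) == SUCCESS)
	{
		this->child_sas->insert_first(this->child_sas, (void*)child_sa);
	}

	/* move pending tasks to the new IKE_SA */
	this->task_manager->adopt_tasks(this->task_manager, other->task_manager);

	/* reauthentication timeout survives a rekeying */
	if (other->stats[STAT_REAUTH])
	{
		time_t reauth, delete, now = time_monotonic(NULL);

		this->stats[STAT_REAUTH] = other->stats[STAT_REAUTH];
		/* both are relative to now: reauth is the time until reauthentication,
		 * delete adds the over_time margin */
		reauth = this->stats[STAT_REAUTH] - now;
		delete = reauth + this->peer_cfg->get_over_time(this->peer_cfg);
		/* absolute deadline matching the delete job scheduled below; the
		 * previous STAT_REAUTH + delete added the reauth offset twice */
		this->stats[STAT_DELETE] = now + delete;
		DBG1(DBG_IKE, "rescheduling reauthentication in %ds after rekeying, "
			 "lifetime reduced to %ds", reauth, delete);
		charon->scheduler->schedule_job(charon->scheduler,
				(job_t*)rekey_ike_sa_job_create(this->ike_sa_id, TRUE), reauth);
		charon->scheduler->schedule_job(charon->scheduler,
				(job_t*)delete_ike_sa_job_create(this->ike_sa_id, TRUE), delete);
	}
	/* we have to initiate here, there may be new tasks to handle */
	return this->task_manager->initiate(this->task_manager);
}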
| 1943 | |
/**
 * Release every configuration attribute still attached to this IKE_SA.
 *
 * Runs while the IKE_SA is still the current SA on the bus, because the
 * attribute handler receives the IKE_SA's identity while releasing.
 */
static void destroy_release_attributes(private_ike_sa_t *this)
{
	attribute_entry_t *entry;

	for (;;)
	{
		if (this->attributes->remove_last(this->attributes,
										  (void**)&entry) != SUCCESS)
		{
			break;
		}
		lib->attributes->release(lib->attributes, entry->handler,
								 this->other_id, entry->type, entry->data);
		/* the entry and its data buffer are owned by this list */
		free(entry->data.ptr);
		free(entry);
	}
	this->attributes->destroy(this->attributes);
}

/**
 * Remove the locally installed virtual IP from the kernel, give the
 * remote virtual IP back to its pool (if it came from one), free both.
 */
static void destroy_release_virtual_ips(private_ike_sa_t *this)
{
	host_t *vip;

	vip = this->my_virtual_ip;
	if (vip)
	{
		charon->kernel_interface->del_ip(charon->kernel_interface, vip);
		vip->destroy(vip);
	}
	vip = this->other_virtual_ip;
	if (vip)
	{
		/* only an address handed out from a pool is returned to it */
		if (this->peer_cfg && this->peer_cfg->get_pool(this->peer_cfg))
		{
			lib->attributes->release_address(lib->attributes,
										this->peer_cfg->get_pool(this->peer_cfg),
										vip, this->other_id);
		}
		vip->destroy(vip);
	}
}

/**
 * Implementation of ike_sa_t.destroy.
 *
 * Tears the IKE_SA down in dependency order: attributes and CHILD_SAs go
 * while the SA is still registered on the bus, the bus registration is
 * cleared before the remaining members are destroyed, and the object
 * itself is freed last. After this call the pointer must not be used.
 */
static void destroy(private_ike_sa_t *this)
{
	charon->bus->set_sa(charon->bus, &this->public);
	set_state(this, IKE_DESTROYING);

	/* attributes first: their handlers see this IKE_SA via the bus */
	destroy_release_attributes(this);
	this->child_sas->destroy_offset(this->child_sas,
									offsetof(child_sa_t, destroy));

	/* from here on listeners must not get at this SA anymore */
	charon->bus->set_sa(charon->bus, NULL);

	this->task_manager->destroy(this->task_manager);
	this->keymat->destroy(this->keymat);

	destroy_release_virtual_ips(this);
	this->additional_addresses->destroy_offset(this->additional_addresses,
											   offsetof(host_t, destroy));
#ifdef ME
	if (this->is_mediation_server)
	{
		charon->mediation_manager->remove(charon->mediation_manager,
										  this->ike_sa_id);
	}
	DESTROY_IF(this->server_reflexive_host);
	chunk_free(&this->connect_id);
#endif /* ME */
	free(this->nat_detection_dest.ptr);

	/* endpoints and identities */
	DESTROY_IF(this->my_host);
	DESTROY_IF(this->other_host);
	DESTROY_IF(this->my_id);
	DESTROY_IF(this->other_id);
	DESTROY_IF(this->local_host);
	DESTROY_IF(this->remote_host);
	DESTROY_IF(this->eap_identity);

	/* configuration objects */
	DESTROY_IF(this->ike_cfg);
	DESTROY_IF(this->peer_cfg);
	DESTROY_IF(this->proposal);
	this->my_auth->destroy(this->my_auth);
	this->other_auth->destroy(this->other_auth);

	this->ike_sa_id->destroy(this->ike_sa_id);
	free(this);
}
| 2020 | |
/*
 * Described in header.
 *
 * Allocates a new IKE_SA in state IKE_CREATED, wires up its public
 * interface and initializes every private member. The caller owns the
 * returned object and releases it through ike_sa_t.destroy; ike_sa_id is
 * cloned, the caller keeps ownership of the one passed in.
 */
ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id)
{
	/* process-wide counter the unique_id member is taken from.
	 * NOTE(review): incremented without a lock or atomic operation; if
	 * IKE_SAs can be created from several threads this is a data race on
	 * a non-atomic static — confirm against the callers. */
	static u_int32_t unique_id = 0;
	/* NOTE(review): the allocation result is not checked, presumably the
	 * project treats out-of-memory as fatal elsewhere — confirm. */
	private_ike_sa_t *this = malloc_thing(private_ike_sa_t);

	/* public interface: state, naming and statistics */
	this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*))get_state;
	this->public.set_state = (void (*)(ike_sa_t*, ike_sa_state_t))set_state;
	this->public.get_name = (char* (*)(ike_sa_t*))get_name;
	this->public.get_statistic = (u_int32_t (*)(ike_sa_t*, statistic_t))get_statistic;
	this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id;
	this->public.reset = (void (*)(ike_sa_t*))reset;

	/* public interface: configuration */
	this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg;
	this->public.set_ike_cfg = (void (*)(ike_sa_t*, ike_cfg_t*))set_ike_cfg;
	this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg;
	this->public.set_peer_cfg = (void (*)(ike_sa_t*, peer_cfg_t*))set_peer_cfg;
	this->public.get_auth_cfg = (auth_cfg_t* (*)(ike_sa_t*, bool))get_auth_cfg;
	this->public.get_proposal = (proposal_t* (*)(ike_sa_t*))get_proposal;
	this->public.set_proposal = (void (*)(ike_sa_t*, proposal_t*))set_proposal;
	this->public.set_auth_lifetime = (void (*)(ike_sa_t*, u_int32_t))set_auth_lifetime;

	/* public interface: endpoints, identities and addresses */
	this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*))get_id;
	this->public.get_my_host = (host_t* (*)(ike_sa_t*))get_my_host;
	this->public.set_my_host = (void (*)(ike_sa_t*, host_t*))set_my_host;
	this->public.get_other_host = (host_t* (*)(ike_sa_t*))get_other_host;
	this->public.set_other_host = (void (*)(ike_sa_t*, host_t*))set_other_host;
	this->public.update_hosts = (void (*)(ike_sa_t*, host_t*, host_t*))update_hosts;
	this->public.get_my_id = (identification_t* (*)(ike_sa_t*))get_my_id;
	this->public.set_my_id = (void (*)(ike_sa_t*, identification_t*))set_my_id;
	this->public.get_other_id = (identification_t* (*)(ike_sa_t*))get_other_id;
	this->public.set_other_id = (void (*)(ike_sa_t*, identification_t*))set_other_id;
	this->public.get_eap_identity = (identification_t* (*)(ike_sa_t*))get_eap_identity;
	this->public.set_eap_identity = (void (*)(ike_sa_t*, identification_t*))set_eap_identity;
	this->public.set_virtual_ip = (void (*)(ike_sa_t*, bool, host_t*))set_virtual_ip;
	this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*, bool))get_virtual_ip;
	this->public.set_kmaddress = (void (*)(ike_sa_t*, host_t*, host_t*))set_kmaddress;
	this->public.create_additional_address_iterator = (iterator_t* (*)(ike_sa_t*))create_additional_address_iterator;
	this->public.add_additional_address = (void (*)(ike_sa_t*, host_t*))add_additional_address;
	this->public.has_mapping_changed = (bool (*)(ike_sa_t*, chunk_t))has_mapping_changed;

	/* public interface: extensions, conditions and attributes */
	this->public.enable_extension = (void (*)(ike_sa_t*, ike_extension_t))enable_extension;
	this->public.supports_extension = (bool (*)(ike_sa_t*, ike_extension_t))supports_extension;
	this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t, bool))set_condition;
	this->public.has_condition = (bool (*)(ike_sa_t*, ike_condition_t))has_condition;
	this->public.set_pending_updates = (void (*)(ike_sa_t*, u_int32_t))set_pending_updates;
	this->public.get_pending_updates = (u_int32_t (*)(ike_sa_t*))get_pending_updates;
	this->public.add_configuration_attribute = (void (*)(ike_sa_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))add_configuration_attribute;

	/* public interface: message handling and key material */
	this->public.process_message = (status_t (*)(ike_sa_t*, message_t*))process_message;
	this->public.generate_message = (status_t (*)(ike_sa_t*, message_t*, packet_t**))generate_message;
	this->public.set_message_id = (void (*)(ike_sa_t*, bool, u_int32_t))set_message_id;
	this->public.retransmit = (status_t (*)(ike_sa_t*, u_int32_t))retransmit;
	this->public.get_keymat = (keymat_t* (*)(ike_sa_t*))get_keymat;

	/* public interface: CHILD_SA management */
	this->public.add_child_sa = (void (*)(ike_sa_t*, child_sa_t*))add_child_sa;
	this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*, protocol_id_t, u_int32_t, bool))get_child_sa;
	this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*))create_child_sa_iterator;
	this->public.rekey_child_sa = (status_t (*)(ike_sa_t*, protocol_id_t, u_int32_t))rekey_child_sa;
	this->public.delete_child_sa = (status_t (*)(ike_sa_t*, protocol_id_t, u_int32_t))delete_child_sa;
	this->public.destroy_child_sa = (status_t (*)(ike_sa_t*, protocol_id_t, u_int32_t))destroy_child_sa;

	/* public interface: IKE_SA lifecycle */
	this->public.initiate = (status_t (*)(ike_sa_t*, child_cfg_t*, u_int32_t, traffic_selector_t*, traffic_selector_t*))initiate;
	this->public.rekey = (status_t (*)(ike_sa_t*))rekey;
	this->public.reauth = (status_t (*)(ike_sa_t*))reauth;
	this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish;
	this->public.roam = (status_t (*)(ike_sa_t*, bool))roam;
	this->public.inherit = (status_t (*)(ike_sa_t*, ike_sa_t*))inherit;
	this->public.send_dpd = (status_t (*)(ike_sa_t*))send_dpd;
	this->public.send_keepalive = (void (*)(ike_sa_t*))send_keepalive;
	this->public.delete = (status_t (*)(ike_sa_t*))delete_;
	this->public.destroy = (void (*)(ike_sa_t*))destroy;
#ifdef ME
	/* public interface: mediation extension */
	this->public.act_as_mediation_server = (void (*)(ike_sa_t*))act_as_mediation_server;
	this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*))get_server_reflexive_host;
	this->public.set_server_reflexive_host = (void (*)(ike_sa_t*, host_t*))set_server_reflexive_host;
	this->public.get_connect_id = (chunk_t (*)(ike_sa_t*))get_connect_id;
	this->public.initiate_mediation = (status_t (*)(ike_sa_t*, peer_cfg_t*))initiate_mediation;
	this->public.initiate_mediated = (status_t (*)(ike_sa_t*, host_t*, host_t*, chunk_t))initiate_mediated;
	this->public.relay = (status_t (*)(ike_sa_t*, identification_t*, chunk_t, chunk_t, linked_list_t*, bool))relay;
	this->public.callback = (status_t (*)(ike_sa_t*, identification_t*))callback;
	this->public.respond = (status_t (*)(ike_sa_t*, identification_t*, chunk_t))respond;
#endif /* ME */

	/* private members: plain values and empty slots first */
	this->state = IKE_CREATED;
	this->extensions = 0;
	this->conditions = 0;
	this->pending_updates = 0;
	this->keyingtry = 0;
	this->eap_identity = NULL;
	this->ike_cfg = NULL;
	this->peer_cfg = NULL;
	this->proposal = NULL;
	this->my_virtual_ip = NULL;
	this->other_virtual_ip = NULL;
	this->local_host = NULL;
	this->remote_host = NULL;
	this->nat_detection_dest = chunk_empty;
	this->unique_id = ++unique_id;
#ifdef ME
	this->is_mediation_server = FALSE;
	this->server_reflexive_host = NULL;
	this->connect_id = chunk_empty;
#endif /* ME */

	/* all statistics start at zero, except the inbound/outbound
	 * timestamps which start at the current monotonic time */
	memset(this->stats, 0, sizeof(this->stats));
	this->stats[STAT_OUTBOUND] = time_monotonic(NULL);
	this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND];

	/* private members: owned objects (released again in destroy) */
	this->ike_sa_id = ike_sa_id->clone(ike_sa_id);
	this->child_sas = linked_list_create();
	this->additional_addresses = linked_list_create();
	this->attributes = linked_list_create();
	this->my_host = host_create_any(AF_INET);
	this->my_host->set_port(this->my_host, IKEV2_UDP_PORT);
	this->other_host = host_create_any(AF_INET);
	this->my_id = identification_create_from_encoding(ID_ANY, chunk_empty);
	this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty);
	this->my_auth = auth_cfg_create();
	this->other_auth = auth_cfg_create();
	this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id));
	this->keepalive_interval = lib->settings->get_time(lib->settings,
										"charon.keep_alive", KEEPALIVE_INTERVAL);
	/* the task manager is handed the public interface, so it is created
	 * once that interface is completely wired up */
	this->task_manager = task_manager_create(&this->public);

	return &this->public;
}