projects / GitHub / MotorolaMobilityLLC / external-strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
configurable retransmit tries added
[GitHub/MotorolaMobilityLLC/external-strongswan.git] / src / libcharon / sa / ikev2 / task_manager_v2.c
1 /*
2 * Copyright (C) 2007-2018 Tobias Brunner
3 * Copyright (C) 2007-2010 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "task_manager_v2.h"
18
19 #include <math.h>
20
21 #include <collections/array.h>
22 #include <daemon.h>
23 #include <sa/ikev2/tasks/ike_init.h>
24 #include <sa/ikev2/tasks/ike_natd.h>
25 #include <sa/ikev2/tasks/ike_mobike.h>
26 #include <sa/ikev2/tasks/ike_auth.h>
27 #include <sa/ikev2/tasks/ike_auth_lifetime.h>
28 #include <sa/ikev2/tasks/ike_cert_pre.h>
29 #include <sa/ikev2/tasks/ike_cert_post.h>
30 #include <sa/ikev2/tasks/ike_rekey.h>
31 #include <sa/ikev2/tasks/ike_reauth.h>
32 #include <sa/ikev2/tasks/ike_reauth_complete.h>
33 #include <sa/ikev2/tasks/ike_redirect.h>
34 #include <sa/ikev2/tasks/ike_delete.h>
35 #include <sa/ikev2/tasks/ike_config.h>
36 #include <sa/ikev2/tasks/ike_dpd.h>
37 #include <sa/ikev2/tasks/ike_mid_sync.h>
38 #include <sa/ikev2/tasks/ike_vendor.h>
39 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
40 #include <sa/ikev2/tasks/child_create.h>
41 #include <sa/ikev2/tasks/child_rekey.h>
42 #include <sa/ikev2/tasks/child_delete.h>
43 #include <encoding/payloads/delete_payload.h>
44 #include <encoding/payloads/unknown_payload.h>
45 #include <processing/jobs/retransmit_job.h>
46 #include <processing/jobs/delete_ike_sa_job.h>
47 #include <processing/jobs/initiate_tasks_job.h>
48
49 #ifdef ME
50 #include <sa/ikev2/tasks/ike_me.h>
51 #endif
52
53 typedef struct private_task_manager_t private_task_manager_t;
54 typedef struct queued_task_t queued_task_t;
55
56 /**
57 * private data of the task manager
58 */
59 struct private_task_manager_t {
60
61 /**
62 * public functions
63 */
64 task_manager_v2_t public;
65
66 /**
67 * associated IKE_SA we are serving
68 */
69 ike_sa_t *ike_sa;
70
71 /**
72 * Exchange we are currently handling as responder
73 */
74 struct {
75 /**
76 * Message ID of the exchange
77 */
78 uint32_t mid;
79
80 /**
81 * packet(s) for retransmission
82 */
83 array_t *packets;
84
85 /**
86 * Helper to defragment the request
87 */
88 message_t *defrag;
89
90 } responding;
91
92 /**
93 * Exchange we are currently handling as initiator
94 */
95 struct {
96 /**
97 * Message ID of the exchange
98 */
99 uint32_t mid;
100
101 /**
102 * how many times we have retransmitted so far
103 */
104 u_int retransmitted;
105
106 /**
107 * packet(s) for retransmission
108 */
109 array_t *packets;
110
111 /**
112 * type of the initiated exchange
113 */
114 exchange_type_t type;
115
116 /**
117 * TRUE if exchange was deferred because no path was available
118 */
119 bool deferred;
120
121 /**
122 * Helper to defragment the response
123 */
124 message_t *defrag;
125
126 } initiating;
127
128 /**
129 * Array of queued tasks not yet in action
130 */
131 array_t *queued_tasks;
132
133 /**
134 * Array of active tasks, initiated by ourselves
135 */
136 array_t *active_tasks;
137
138 /**
139 * Array of tasks initiated by peer
140 */
141 array_t *passive_tasks;
142
143 /**
144 * the task manager has been reset
145 */
146 bool reset;
147
148 #ifndef VOWIFI_CFG
149 /**
150 * Number of times we retransmit messages before giving up
151 */
152 u_int retransmit_tries;
153
154 /**
155 * Retransmission timeout
156 */
157 double retransmit_timeout;
158
159 /**
160 * Base to calculate retransmission timeout
161 */
162 double retransmit_base;
163
164 /**
165 * Jitter to apply to calculated retransmit timeout (in percent)
166 */
167 u_int retransmit_jitter;
168
169 /**
170 * Limit retransmit timeout to this value
171 */
172 uint32_t retransmit_limit;
173 #endif
174
175 /**
176 * Use make-before-break instead of break-before-make reauth?
177 */
178 bool make_before_break;
179 };
180
181 /**
182 * Queued tasks
183 */
184 struct queued_task_t {
185
186 /**
187 * Queued task
188 */
189 task_t *task;
190
191 /**
192 * Time before which the task is not to be initiated
193 */
194 timeval_t time;
195 };
196
197 /**
198 * Reset retransmission packet list
199 */
200 static void clear_packets(array_t *array)
201 {
202 packet_t *packet;
203
204 while (array_remove(array, ARRAY_TAIL, &packet))
205 {
206 packet->destroy(packet);
207 }
208 }
209
210 METHOD(task_manager_t, flush_queue, void,
211 private_task_manager_t *this, task_queue_t queue)
212 {
213 array_t *array;
214 task_t *task;
215
216 switch (queue)
217 {
218 case TASK_QUEUE_ACTIVE:
219 array = this->active_tasks;
220 break;
221 case TASK_QUEUE_PASSIVE:
222 array = this->passive_tasks;
223 break;
224 case TASK_QUEUE_QUEUED:
225 array = this->queued_tasks;
226 break;
227 default:
228 return;
229 }
230 while (array_remove(array, ARRAY_TAIL, &task))
231 {
232 if (queue == TASK_QUEUE_QUEUED)
233 {
234 queued_task_t *queued = (queued_task_t*)task;
235 task = queued->task;
236 free(queued);
237 }
238 task->destroy(task);
239 }
240 }
241
242 METHOD(task_manager_t, flush, void,
243 private_task_manager_t *this)
244 {
245 flush_queue(this, TASK_QUEUE_QUEUED);
246 flush_queue(this, TASK_QUEUE_PASSIVE);
247 flush_queue(this, TASK_QUEUE_ACTIVE);
248 }
249
250 /**
251 * Move a task of a specific type from the queue to the active list, if it is
252 * not delayed.
253 */
254 static bool activate_task(private_task_manager_t *this, task_type_t type)
255 {
256 enumerator_t *enumerator;
257 queued_task_t *queued;
258 timeval_t now;
259 bool found = FALSE;
260
261 time_monotonic(&now);
262
263 enumerator = array_create_enumerator(this->queued_tasks);
264 while (enumerator->enumerate(enumerator, (void**)&queued))
265 {
266 if (queued->task->get_type(queued->task) == type &&
267 !timercmp(&now, &queued->time, <))
268 {
269 DBG2(DBG_IKE, " activating %N task", task_type_names, type);
270 array_remove_at(this->queued_tasks, enumerator);
271 array_insert(this->active_tasks, ARRAY_TAIL, queued->task);
272 free(queued);
273 found = TRUE;
274 break;
275 }
276 }
277 enumerator->destroy(enumerator);
278 return found;
279 }
280
281 /**
282 * Send packets in the given array (they get cloned). Optionally, the
283 * source and destination addresses are changed before sending it.
284 */
285 static void send_packets(private_task_manager_t *this, array_t *packets,
286 host_t *src, host_t *dst)
287 {
288 packet_t *packet, *clone;
289 int i;
290
291 for (i = 0; i < array_count(packets); i++)
292 {
293 array_get(packets, i, &packet);
294 clone = packet->clone(packet);
295 if (src)
296 {
297 clone->set_source(clone, src->clone(src));
298 }
299 if (dst)
300 {
301 clone->set_destination(clone, dst->clone(dst));
302 }
303 charon->sender->send(charon->sender, clone);
304 }
305 }
306
307 /**
308 * Generates the given message and stores packet(s) in the given array
309 */
310 static bool generate_message(private_task_manager_t *this, message_t *message,
311 array_t **packets)
312 {
313 enumerator_t *fragments;
314 packet_t *fragment;
315
316 if (this->ike_sa->generate_message_fragmented(this->ike_sa, message,
317 &fragments) != SUCCESS)
318 {
319 return FALSE;
320 }
321 while (fragments->enumerate(fragments, &fragment))
322 {
323 array_insert_create(packets, ARRAY_TAIL, fragment);
324 }
325 fragments->destroy(fragments);
326 array_compress(*packets);
327 return TRUE;
328 }
329
330 METHOD(task_manager_t, retransmit, status_t,
331 private_task_manager_t *this, uint32_t message_id)
332 {
333 if (message_id == this->initiating.mid &&
334 array_count(this->initiating.packets))
335 {
336 uint32_t timeout, max_jitter;
337 job_t *job;
338 enumerator_t *enumerator;
339 packet_t *packet;
340 task_t *task;
341 ike_mobike_t *mobike = NULL;
342
343 array_get(this->initiating.packets, 0, &packet);
344
345 /* check if we are retransmitting a MOBIKE routability check */
346 if (this->initiating.type == INFORMATIONAL)
347 {
348 enumerator = array_create_enumerator(this->active_tasks);
349 while (enumerator->enumerate(enumerator, (void*)&task))
350 {
351 if (task->get_type(task) == TASK_IKE_MOBIKE)
352 {
353 mobike = (ike_mobike_t*)task;
354 break;
355 }
356 }
357 enumerator->destroy(enumerator);
358 }
359
360 if (!mobike || !mobike->is_probing(mobike))
361 {
362 #ifdef VOWIFI_CFG
363 double retransmit_timeout = RETRANSMIT_TIMEOUT;
364 double base = RETRANSMIT_BASE;
365 u_int max_tries = RETRANSMIT_TRIES;
366
367 peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
368 if (peer_cfg)
369 {
370 if (this->ike_sa->is_handover(this->ike_sa))
371 {
372 retransmit_timeout = peer_cfg->get_retransmit_timeout_handover(peer_cfg);
373 base = peer_cfg->get_retransmit_base_handover(peer_cfg);
374 max_tries = peer_cfg->get_retransmit_retries_handover(peer_cfg);
375 }
376 else
377 {
378 retransmit_timeout = peer_cfg->get_retransmit_timeout(peer_cfg);
379 base = peer_cfg->get_retransmit_base(peer_cfg);
380 max_tries = peer_cfg->get_retransmit_retries(peer_cfg);
381 }
382 }
383 DBG1(DBG_IKE, "Retries: %d, range: %d\n", this->initiating.retransmitted, max_tries);
384
385 if (this->initiating.retransmitted <= max_tries)
386 {
387 timeout = (u_int32_t)(retransmit_timeout * 1000.0 *
388 pow(base, this->initiating.retransmitted));
389 }
390 #else
391 if (this->initiating.retransmitted <= this->retransmit_tries)
392 {
393 timeout = (uint32_t)(this->retransmit_timeout * 1000.0 *
394 pow(this->retransmit_base, this->initiating.retransmitted));
395 if (this->retransmit_limit)
396 {
397 timeout = min(timeout, this->retransmit_limit);
398 }
399 if (this->retransmit_jitter)
400 {
401 max_jitter = (timeout / 100.0) * this->retransmit_jitter;
402 timeout -= max_jitter * (random() / (RAND_MAX + 1.0));
403 }
404 }
405 #endif
406 else
407 {
408 DBG1(DBG_IKE, "giving up after %d retransmits",
409 this->initiating.retransmitted - 1);
410 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
411 packet);
412 return DESTROY_ME;
413 }
414
415 if (this->initiating.retransmitted)
416 {
417 DBG1(DBG_IKE, "retransmit %d of request with message ID %d",
418 this->initiating.retransmitted, message_id);
419 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND, packet,
420 this->initiating.retransmitted);
421 }
422 if (!mobike)
423 {
424 send_packets(this, this->initiating.packets,
425 this->ike_sa->get_my_host(this->ike_sa),
426 this->ike_sa->get_other_host(this->ike_sa));
427 }
428 else
429 {
430 if (!mobike->transmit(mobike, packet))
431 {
432 DBG1(DBG_IKE, "no route found to reach peer, MOBIKE update "
433 "deferred");
434 #ifdef VOWIFI_CFG
435 /* do not try to wait next attempt if we are already done and all failed */
436 if (this->initiating.retransmitted >= max_tries)
437 {
438 DBG1(DBG_IKE, "giving up after %d retransmits",
439 this->initiating.retransmitted);
440 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_TIMEOUT,
441 packet);
442 return DESTROY_ME;
443 }
444 #endif
445 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
446 this->initiating.deferred = TRUE;
447 return SUCCESS;
448 }
449 else if (mobike->is_probing(mobike))
450 {
451 timeout = ROUTEABILITY_CHECK_INTERVAL;
452 }
453 }
454 }
455 else
456 { /* for routeability checks, we use a more aggressive behavior */
457 if (this->initiating.retransmitted <= ROUTEABILITY_CHECK_TRIES)
458 {
459 timeout = ROUTEABILITY_CHECK_INTERVAL;
460 }
461 else
462 {
463 DBG1(DBG_IKE, "giving up after %d path probings",
464 this->initiating.retransmitted - 1);
465 return DESTROY_ME;
466 }
467
468 if (this->initiating.retransmitted)
469 {
470 DBG1(DBG_IKE, "path probing attempt %d",
471 this->initiating.retransmitted);
472 }
473 /* TODO-FRAG: presumably these small packets are not fragmented,
474 * we should maybe ensure this is the case when generating them */
475 if (!mobike->transmit(mobike, packet))
476 {
477 DBG1(DBG_IKE, "no route found to reach peer, path probing "
478 "deferred");
479 this->ike_sa->set_condition(this->ike_sa, COND_STALE, TRUE);
480 this->initiating.deferred = TRUE;
481 return SUCCESS;
482 }
483 }
484
485 this->initiating.retransmitted++;
486 job = (job_t*)retransmit_job_create(this->initiating.mid,
487 this->ike_sa->get_id(this->ike_sa));
488 lib->scheduler->schedule_job_ms(lib->scheduler, job, timeout);
489 }
490 return SUCCESS;
491 }
492
493 METHOD(task_manager_t, initiate, status_t,
494 private_task_manager_t *this)
495 {
496 enumerator_t *enumerator;
497 task_t *task;
498 message_t *message;
499 host_t *me, *other;
500 exchange_type_t exchange = 0;
501
502 if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED)
503 {
504 DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress",
505 exchange_type_names, this->initiating.type);
506 /* do not initiate if we already have a message in the air */
507 if (this->initiating.deferred)
508 { /* re-initiate deferred exchange */
509 this->initiating.deferred = FALSE;
510 this->initiating.retransmitted = 0;
511 return retransmit(this, this->initiating.mid);
512 }
513 return SUCCESS;
514 }
515
516 if (array_count(this->active_tasks) == 0)
517 {
518 DBG2(DBG_IKE, "activating new tasks");
519 switch (this->ike_sa->get_state(this->ike_sa))
520 {
521 case IKE_CREATED:
522 activate_task(this, TASK_IKE_VENDOR);
523 if (activate_task(this, TASK_IKE_INIT))
524 {
525 this->initiating.mid = 0;
526 exchange = IKE_SA_INIT;
527 activate_task(this, TASK_IKE_NATD);
528 activate_task(this, TASK_IKE_CERT_PRE);
529 #ifdef ME
530 /* this task has to be activated before the TASK_IKE_AUTH
531 * task, because that task pregenerates the packet after
532 * which no payloads can be added to the message anymore.
533 */
534 activate_task(this, TASK_IKE_ME);
535 #endif /* ME */
536 activate_task(this, TASK_IKE_AUTH);
537 activate_task(this, TASK_IKE_CERT_POST);
538 activate_task(this, TASK_IKE_CONFIG);
539 activate_task(this, TASK_CHILD_CREATE);
540 activate_task(this, TASK_IKE_AUTH_LIFETIME);
541 activate_task(this, TASK_IKE_MOBIKE);
542 }
543 break;
544 case IKE_ESTABLISHED:
545 if (activate_task(this, TASK_IKE_MOBIKE))
546 {
547 exchange = INFORMATIONAL;
548 break;
549 }
550 if (activate_task(this, TASK_IKE_DELETE))
551 {
552 exchange = INFORMATIONAL;
553 break;
554 }
555 if (activate_task(this, TASK_IKE_REDIRECT))
556 {
557 exchange = INFORMATIONAL;
558 break;
559 }
560 if (activate_task(this, TASK_CHILD_DELETE))
561 {
562 exchange = INFORMATIONAL;
563 break;
564 }
565 if (activate_task(this, TASK_IKE_REAUTH))
566 {
567 exchange = INFORMATIONAL;
568 break;
569 }
570 if (activate_task(this, TASK_CHILD_CREATE))
571 {
572 exchange = CREATE_CHILD_SA;
573 break;
574 }
575 if (activate_task(this, TASK_CHILD_REKEY))
576 {
577 exchange = CREATE_CHILD_SA;
578 break;
579 }
580 if (activate_task(this, TASK_IKE_REKEY))
581 {
582 exchange = CREATE_CHILD_SA;
583 break;
584 }
585 if (activate_task(this, TASK_IKE_DPD))
586 {
587 exchange = INFORMATIONAL;
588 break;
589 }
590 if (activate_task(this, TASK_IKE_AUTH_LIFETIME))
591 {
592 exchange = INFORMATIONAL;
593 break;
594 }
595 #ifdef ME
596 if (activate_task(this, TASK_IKE_ME))
597 {
598 exchange = ME_CONNECT;
599 break;
600 }
601 #endif /* ME */
602 if (activate_task(this, TASK_IKE_REAUTH_COMPLETE))
603 {
604 exchange = INFORMATIONAL;
605 break;
606 }
607 if (activate_task(this, TASK_IKE_VERIFY_PEER_CERT))
608 {
609 exchange = INFORMATIONAL;
610 break;
611 }
612 case IKE_REKEYING:
613 case IKE_REKEYED:
614 if (activate_task(this, TASK_IKE_DELETE))
615 {
616 exchange = INFORMATIONAL;
617 break;
618 }
619 case IKE_DELETING:
620 default:
621 break;
622 }
623 }
624 else
625 {
626 DBG2(DBG_IKE, "reinitiating already active tasks");
627 enumerator = array_create_enumerator(this->active_tasks);
628 while (enumerator->enumerate(enumerator, &task))
629 {
630 DBG2(DBG_IKE, " %N task", task_type_names, task->get_type(task));
631 switch (task->get_type(task))
632 {
633 case TASK_IKE_INIT:
634 exchange = IKE_SA_INIT;
635 break;
636 case TASK_IKE_AUTH:
637 exchange = IKE_AUTH;
638 break;
639 case TASK_CHILD_CREATE:
640 case TASK_CHILD_REKEY:
641 case TASK_IKE_REKEY:
642 exchange = CREATE_CHILD_SA;
643 break;
644 case TASK_IKE_MOBIKE:
645 exchange = INFORMATIONAL;
646 break;
647 default:
648 continue;
649 }
650 break;
651 }
652 enumerator->destroy(enumerator);
653 }
654
655 if (exchange == 0)
656 {
657 DBG2(DBG_IKE, "nothing to initiate");
658 /* nothing to do yet... */
659 return SUCCESS;
660 }
661
662 me = this->ike_sa->get_my_host(this->ike_sa);
663 other = this->ike_sa->get_other_host(this->ike_sa);
664
665 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
666 message->set_message_id(message, this->initiating.mid);
667 message->set_source(message, me->clone(me));
668 message->set_destination(message, other->clone(other));
669 message->set_exchange_type(message, exchange);
670 this->initiating.type = exchange;
671 this->initiating.retransmitted = 0;
672 this->initiating.deferred = FALSE;
673
674 enumerator = array_create_enumerator(this->active_tasks);
675 while (enumerator->enumerate(enumerator, &task))
676 {
677 switch (task->build(task, message))
678 {
679 case SUCCESS:
680 /* task completed, remove it */
681 array_remove_at(this->active_tasks, enumerator);
682 task->destroy(task);
683 break;
684 case NEED_MORE:
685 /* processed, but task needs another exchange */
686 break;
687 case FAILED:
688 default:
689 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
690 if (this->ike_sa->get_state(this->ike_sa) != IKE_CONNECTING &&
691 this->ike_sa->get_state(this->ike_sa) != IKE_REKEYED)
692 {
693 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
694 }
695 /* FALL */
696 case DESTROY_ME:
697 /* critical failure, destroy IKE_SA */
698 enumerator->destroy(enumerator);
699 message->destroy(message);
700 flush(this);
701 return DESTROY_ME;
702 }
703 }
704 enumerator->destroy(enumerator);
705
706 /* update exchange type if a task changed it */
707 this->initiating.type = message->get_exchange_type(message);
708 if (this->initiating.type == EXCHANGE_TYPE_UNDEFINED)
709 {
710 message->destroy(message);
711 return initiate(this);
712 }
713
714 if (!generate_message(this, message, &this->initiating.packets))
715 {
716 /* message generation failed. There is nothing more to do than to
717 * close the SA */
718 message->destroy(message);
719 flush(this);
720 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
721 return DESTROY_ME;
722 }
723 message->destroy(message);
724
725 array_compress(this->active_tasks);
726 array_compress(this->queued_tasks);
727
728 return retransmit(this, this->initiating.mid);
729 }
730
731 /**
732 * handle an incoming response message
733 */
734 static status_t process_response(private_task_manager_t *this,
735 message_t *message)
736 {
737 enumerator_t *enumerator;
738 task_t *task;
739
740 if (message->get_exchange_type(message) != this->initiating.type)
741 {
742 DBG1(DBG_IKE, "received %N response, but expected %N",
743 exchange_type_names, message->get_exchange_type(message),
744 exchange_type_names, this->initiating.type);
745 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
746 return DESTROY_ME;
747 }
748
749 /* handle fatal INVALID_SYNTAX notifies */
750 switch (message->get_exchange_type(message))
751 {
752 case CREATE_CHILD_SA:
753 case INFORMATIONAL:
754 if (message->get_notify(message, INVALID_SYNTAX))
755 {
756 DBG1(DBG_IKE, "received %N notify error, destroying IKE_SA",
757 notify_type_names, INVALID_SYNTAX);
758 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
759 return DESTROY_ME;
760 }
761 break;
762 default:
763 break;
764 }
765
766 enumerator = array_create_enumerator(this->active_tasks);
767 while (enumerator->enumerate(enumerator, &task))
768 {
769 if (!task->pre_process)
770 {
771 continue;
772 }
773 switch (task->pre_process(task, message))
774 {
775 case SUCCESS:
776 break;
777 case FAILED:
778 default:
779 /* just ignore the message */
780 DBG1(DBG_IKE, "ignore invalid %N response",
781 exchange_type_names, message->get_exchange_type(message));
782 enumerator->destroy(enumerator);
783 return SUCCESS;
784 case DESTROY_ME:
785 /* critical failure, destroy IKE_SA */
786 enumerator->destroy(enumerator);
787 return DESTROY_ME;
788 }
789 }
790 enumerator->destroy(enumerator);
791
792 if (this->initiating.retransmitted > 1)
793 {
794 packet_t *packet = NULL;
795 array_get(this->initiating.packets, 0, &packet);
796 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_SEND_CLEARED, packet);
797 }
798
799 /* catch if we get reset while processing */
800 this->reset = FALSE;
801 enumerator = array_create_enumerator(this->active_tasks);
802 while (enumerator->enumerate(enumerator, &task))
803 {
804 switch (task->process(task, message))
805 {
806 case SUCCESS:
807 /* task completed, remove it */
808 array_remove_at(this->active_tasks, enumerator);
809 task->destroy(task);
810 break;
811 case NEED_MORE:
812 /* processed, but task needs another exchange */
813 break;
814 case FAILED:
815 default:
816 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
817 /* FALL */
818 case DESTROY_ME:
819 /* critical failure, destroy IKE_SA */
820 array_remove_at(this->active_tasks, enumerator);
821 enumerator->destroy(enumerator);
822 task->destroy(task);
823 return DESTROY_ME;
824 }
825 if (this->reset)
826 { /* start all over again if we were reset */
827 this->reset = FALSE;
828 enumerator->destroy(enumerator);
829 return initiate(this);
830 }
831 }
832 enumerator->destroy(enumerator);
833
834 this->initiating.mid++;
835 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
836 clear_packets(this->initiating.packets);
837
838 array_compress(this->active_tasks);
839
840 return initiate(this);
841 }
842
843 /**
844 * handle exchange collisions
845 */
846 static bool handle_collisions(private_task_manager_t *this, task_t *task)
847 {
848 enumerator_t *enumerator;
849 task_t *active;
850 task_type_t type;
851
852 type = task->get_type(task);
853
854 /* do we have to check */
855 if (type == TASK_IKE_REKEY || type == TASK_CHILD_REKEY ||
856 type == TASK_CHILD_DELETE || type == TASK_IKE_DELETE)
857 {
858 /* find an exchange collision, and notify these tasks */
859 enumerator = array_create_enumerator(this->active_tasks);
860 while (enumerator->enumerate(enumerator, &active))
861 {
862 switch (active->get_type(active))
863 {
864 case TASK_IKE_REKEY:
865 if (type == TASK_IKE_REKEY || type == TASK_IKE_DELETE)
866 {
867 ike_rekey_t *rekey = (ike_rekey_t*)active;
868 rekey->collide(rekey, task);
869 break;
870 }
871 continue;
872 case TASK_CHILD_REKEY:
873 if (type == TASK_CHILD_REKEY || type == TASK_CHILD_DELETE)
874 {
875 child_rekey_t *rekey = (child_rekey_t*)active;
876 rekey->collide(rekey, task);
877 break;
878 }
879 continue;
880 default:
881 continue;
882 }
883 enumerator->destroy(enumerator);
884 return TRUE;
885 }
886 enumerator->destroy(enumerator);
887 }
888 return FALSE;
889 }
890
891 /**
892 * build a response depending on the "passive" task list
893 */
894 static status_t build_response(private_task_manager_t *this, message_t *request)
895 {
896 enumerator_t *enumerator;
897 task_t *task;
898 message_t *message;
899 host_t *me, *other;
900 bool delete = FALSE, hook = FALSE, mid_sync = FALSE;
901 ike_sa_id_t *id = NULL;
902 uint64_t responder_spi = 0;
903 bool result;
904
905 me = request->get_destination(request);
906 other = request->get_source(request);
907
908 message = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
909 message->set_exchange_type(message, request->get_exchange_type(request));
910 /* send response along the path the request came in */
911 message->set_source(message, me->clone(me));
912 message->set_destination(message, other->clone(other));
913 message->set_message_id(message, this->responding.mid);
914 message->set_request(message, FALSE);
915
916 enumerator = array_create_enumerator(this->passive_tasks);
917 while (enumerator->enumerate(enumerator, (void*)&task))
918 {
919 if (task->get_type(task) == TASK_IKE_MID_SYNC)
920 {
921 mid_sync = TRUE;
922 }
923 switch (task->build(task, message))
924 {
925 case SUCCESS:
926 /* task completed, remove it */
927 array_remove_at(this->passive_tasks, enumerator);
928 if (!handle_collisions(this, task))
929 {
930 task->destroy(task);
931 }
932 break;
933 case NEED_MORE:
934 /* processed, but task needs another exchange */
935 if (handle_collisions(this, task))
936 {
937 array_remove_at(this->passive_tasks, enumerator);
938 }
939 break;
940 case FAILED:
941 default:
942 hook = TRUE;
943 /* FALL */
944 case DESTROY_ME:
945 /* destroy IKE_SA, but SEND response first */
946 if (handle_collisions(this, task))
947 {
948 array_remove_at(this->passive_tasks, enumerator);
949 }
950 delete = TRUE;
951 break;
952 }
953 if (delete)
954 {
955 break;
956 }
957 }
958 enumerator->destroy(enumerator);
959
960 /* RFC 5996, section 2.6 mentions that in the event of a failure during
961 * IKE_SA_INIT the responder's SPI will be 0 in the response, while it
962 * actually explicitly allows it to be non-zero. Since we use the responder
963 * SPI to create hashes in the IKE_SA manager we can only set the SPI to
964 * zero temporarily, otherwise checking the SA in would fail. */
965 if (delete && request->get_exchange_type(request) == IKE_SA_INIT)
966 {
967 id = this->ike_sa->get_id(this->ike_sa);
968 responder_spi = id->get_responder_spi(id);
969 id->set_responder_spi(id, 0);
970 }
971
972 /* message complete, send it */
973 clear_packets(this->responding.packets);
974 result = generate_message(this, message, &this->responding.packets);
975 message->destroy(message);
976 if (id)
977 {
978 id->set_responder_spi(id, responder_spi);
979 }
980 if (!result)
981 {
982 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
983 return DESTROY_ME;
984 }
985
986 send_packets(this, this->responding.packets, NULL, NULL);
987 if (delete)
988 {
989 if (hook)
990 {
991 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
992 }
993 return DESTROY_ME;
994 }
995 else if (mid_sync)
996 {
997 /* we don't want to resend messages to sync MIDs if requests with the
998 * previous MID arrive */
999 clear_packets(this->responding.packets);
1000 /* avoid increasing the expected message ID after handling a message
1001 * to sync MIDs with MID 0 */
1002 return NEED_MORE;
1003 }
1004
1005 array_compress(this->passive_tasks);
1006
1007 return SUCCESS;
1008 }
1009
1010 /**
1011 * handle an incoming request message
1012 */
1013 static status_t process_request(private_task_manager_t *this,
1014 message_t *message)
1015 {
1016 enumerator_t *enumerator;
1017 task_t *task = NULL;
1018 payload_t *payload;
1019 notify_payload_t *notify;
1020 delete_payload_t *delete;
1021 ike_sa_state_t state;
1022
1023 if (array_count(this->passive_tasks) == 0)
1024 { /* create tasks depending on request type, if not already some queued */
1025 state = this->ike_sa->get_state(this->ike_sa);
1026 switch (message->get_exchange_type(message))
1027 {
1028 case IKE_SA_INIT:
1029 {
1030 task = (task_t*)ike_vendor_create(this->ike_sa, FALSE);
1031 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1032 task = (task_t*)ike_init_create(this->ike_sa, FALSE, NULL);
1033 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1034 task = (task_t*)ike_natd_create(this->ike_sa, FALSE);
1035 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1036 task = (task_t*)ike_cert_pre_create(this->ike_sa, FALSE);
1037 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1038 #ifdef ME
1039 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1040 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1041 #endif /* ME */
1042 task = (task_t*)ike_auth_create(this->ike_sa, FALSE);
1043 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1044 task = (task_t*)ike_cert_post_create(this->ike_sa, FALSE);
1045 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1046 task = (task_t*)ike_config_create(this->ike_sa, FALSE);
1047 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1048 task = (task_t*)child_create_create(this->ike_sa, NULL, FALSE,
1049 NULL, NULL);
1050 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1051 task = (task_t*)ike_auth_lifetime_create(this->ike_sa, FALSE);
1052 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1053 task = (task_t*)ike_mobike_create(this->ike_sa, FALSE);
1054 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1055 break;
1056 }
1057 case CREATE_CHILD_SA:
1058 { /* FIXME: we should prevent this on mediation connections */
1059 bool notify_found = FALSE, ts_found = FALSE;
1060
1061 if (state == IKE_CREATED ||
1062 state == IKE_CONNECTING)
1063 {
1064 DBG1(DBG_IKE, "received CREATE_CHILD_SA request for "
1065 "unestablished IKE_SA, rejected");
1066 return FAILED;
1067 }
1068
1069 enumerator = message->create_payload_enumerator(message);
1070 while (enumerator->enumerate(enumerator, &payload))
1071 {
1072 switch (payload->get_type(payload))
1073 {
1074 case PLV2_NOTIFY:
1075 { /* if we find a rekey notify, its CHILD_SA rekeying */
1076 notify = (notify_payload_t*)payload;
1077 if (notify->get_notify_type(notify) == REKEY_SA &&
1078 (notify->get_protocol_id(notify) == PROTO_AH ||
1079 notify->get_protocol_id(notify) == PROTO_ESP))
1080 {
1081 notify_found = TRUE;
1082 }
1083 break;
1084 }
1085 case PLV2_TS_INITIATOR:
1086 case PLV2_TS_RESPONDER:
1087 { /* if we don't find a TS, its IKE rekeying */
1088 ts_found = TRUE;
1089 break;
1090 }
1091 default:
1092 break;
1093 }
1094 }
1095 enumerator->destroy(enumerator);
1096
1097 if (ts_found)
1098 {
1099 if (notify_found)
1100 {
1101 task = (task_t*)child_rekey_create(this->ike_sa,
1102 PROTO_NONE, 0);
1103 }
1104 else
1105 {
1106 task = (task_t*)child_create_create(this->ike_sa, NULL,
1107 FALSE, NULL, NULL);
1108 }
1109 }
1110 else
1111 {
1112 task = (task_t*)ike_rekey_create(this->ike_sa, FALSE);
1113 }
1114 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1115 break;
1116 }
1117 case INFORMATIONAL:
1118 {
1119 enumerator = message->create_payload_enumerator(message);
1120 while (enumerator->enumerate(enumerator, &payload))
1121 {
1122 switch (payload->get_type(payload))
1123 {
1124 case PLV2_NOTIFY:
1125 {
1126 notify = (notify_payload_t*)payload;
1127 if (state == IKE_REKEYED)
1128 {
1129 DBG1(DBG_IKE, "received unexpected notify %N "
1130 "for rekeyed IKE_SA, ignored",
1131 notify_type_names,
1132 notify->get_notify_type(notify));
1133 break;
1134 }
1135 switch (notify->get_notify_type(notify))
1136 {
1137 case ADDITIONAL_IP4_ADDRESS:
1138 case ADDITIONAL_IP6_ADDRESS:
1139 case NO_ADDITIONAL_ADDRESSES:
1140 case UPDATE_SA_ADDRESSES:
1141 case NO_NATS_ALLOWED:
1142 case UNACCEPTABLE_ADDRESSES:
1143 case UNEXPECTED_NAT_DETECTED:
1144 case COOKIE2:
1145 case NAT_DETECTION_SOURCE_IP:
1146 case NAT_DETECTION_DESTINATION_IP:
1147 task = (task_t*)ike_mobike_create(
1148 this->ike_sa, FALSE);
1149 break;
1150 case AUTH_LIFETIME:
1151 task = (task_t*)ike_auth_lifetime_create(
1152 this->ike_sa, FALSE);
1153 break;
1154 case AUTHENTICATION_FAILED:
1155 /* initiator failed to authenticate us.
1156 * We use ike_delete to handle this, which
1157 * invokes all the required hooks. */
1158 task = (task_t*)ike_delete_create(
1159 this->ike_sa, FALSE);
1160 break;
1161 case REDIRECT:
1162 task = (task_t*)ike_redirect_create(
1163 this->ike_sa, NULL);
1164 break;
1165 case IKEV2_MESSAGE_ID_SYNC:
1166 task = (task_t*)ike_mid_sync_create(
1167 this->ike_sa);
1168 break;
1169 default:
1170 break;
1171 }
1172 break;
1173 }
1174 case PLV2_DELETE:
1175 {
1176 delete = (delete_payload_t*)payload;
1177 if (delete->get_protocol_id(delete) == PROTO_IKE)
1178 {
1179 task = (task_t*)ike_delete_create(this->ike_sa,
1180 FALSE);
1181 }
1182 else
1183 {
1184 task = (task_t*)child_delete_create(this->ike_sa,
1185 PROTO_NONE, 0, FALSE);
1186 }
1187 break;
1188 }
1189 default:
1190 break;
1191 }
1192 if (task)
1193 {
1194 break;
1195 }
1196 }
1197 enumerator->destroy(enumerator);
1198
1199 if (task == NULL)
1200 {
1201 task = (task_t*)ike_dpd_create(FALSE);
1202 }
1203 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1204 break;
1205 }
1206 #ifdef ME
1207 case ME_CONNECT:
1208 {
1209 task = (task_t*)ike_me_create(this->ike_sa, FALSE);
1210 array_insert(this->passive_tasks, ARRAY_TAIL, task);
1211 }
1212 #endif /* ME */
1213 default:
1214 break;
1215 }
1216 }
1217
1218 enumerator = array_create_enumerator(this->passive_tasks);
1219 while (enumerator->enumerate(enumerator, &task))
1220 {
1221 if (!task->pre_process)
1222 {
1223 continue;
1224 }
1225 switch (task->pre_process(task, message))
1226 {
1227 case SUCCESS:
1228 break;
1229 case FAILED:
1230 default:
1231 /* just ignore the message */
1232 DBG1(DBG_IKE, "ignore invalid %N request",
1233 exchange_type_names, message->get_exchange_type(message));
1234 enumerator->destroy(enumerator);
1235 switch (message->get_exchange_type(message))
1236 {
1237 case IKE_SA_INIT:
1238 /* no point in keeping the SA when it was created with
1239 * an invalid IKE_SA_INIT message */
1240 return DESTROY_ME;
1241 default:
1242 /* remove tasks we queued for this request */
1243 flush_queue(this, TASK_QUEUE_PASSIVE);
1244 /* fall-through */
1245 case IKE_AUTH:
1246 return NEED_MORE;
1247 }
1248 case DESTROY_ME:
1249 /* critical failure, destroy IKE_SA */
1250 enumerator->destroy(enumerator);
1251 return DESTROY_ME;
1252 }
1253 }
1254 enumerator->destroy(enumerator);
1255
1256 /* let the tasks process the message */
1257 enumerator = array_create_enumerator(this->passive_tasks);
1258 while (enumerator->enumerate(enumerator, (void*)&task))
1259 {
1260 switch (task->process(task, message))
1261 {
1262 case SUCCESS:
1263 /* task completed, remove it */
1264 array_remove_at(this->passive_tasks, enumerator);
1265 task->destroy(task);
1266 break;
1267 case NEED_MORE:
1268 /* processed, but task needs at least another call to build() */
1269 break;
1270 case FAILED:
1271 default:
1272 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1273 /* FALL */
1274 case DESTROY_ME:
1275 /* critical failure, destroy IKE_SA */
1276 array_remove_at(this->passive_tasks, enumerator);
1277 enumerator->destroy(enumerator);
1278 task->destroy(task);
1279 return DESTROY_ME;
1280 }
1281 }
1282 enumerator->destroy(enumerator);
1283
1284 return build_response(this, message);
1285 }
1286
1287 METHOD(task_manager_t, incr_mid, void,
1288 private_task_manager_t *this, bool initiate)
1289 {
1290 if (initiate)
1291 {
1292 this->initiating.mid++;
1293 }
1294 else
1295 {
1296 this->responding.mid++;
1297 }
1298 }
1299
1300 METHOD(task_manager_t, get_mid, uint32_t,
1301 private_task_manager_t *this, bool initiate)
1302 {
1303 return initiate ? this->initiating.mid : this->responding.mid;
1304 }
1305
1306 /**
1307 * Handle the given IKE fragment, if it is one.
1308 *
1309 * Returns SUCCESS if the message is not a fragment, and NEED_MORE if it was
1310 * handled properly. Error states are returned if the fragment was invalid or
1311 * the reassembled message could not have been processed properly.
1312 */
1313 static status_t handle_fragment(private_task_manager_t *this,
1314 message_t **defrag, message_t *msg)
1315 {
1316 message_t *reassembled;
1317 status_t status;
1318
1319 if (!msg->get_payload(msg, PLV2_FRAGMENT))
1320 {
1321 return SUCCESS;
1322 }
1323 if (!*defrag)
1324 {
1325 *defrag = message_create_defrag(msg);
1326 if (!*defrag)
1327 {
1328 return FAILED;
1329 }
1330 }
1331 status = (*defrag)->add_fragment(*defrag, msg);
1332 if (status == SUCCESS)
1333 {
1334 /* reinject the reassembled message */
1335 reassembled = *defrag;
1336 *defrag = NULL;
1337 status = this->ike_sa->process_message(this->ike_sa, reassembled);
1338 if (status == SUCCESS)
1339 {
1340 /* avoid processing the last fragment */
1341 status = NEED_MORE;
1342 }
1343 reassembled->destroy(reassembled);
1344 }
1345 return status;
1346 }
1347
1348 /**
1349 * Send a notify back to the sender
1350 */
1351 static void send_notify_response(private_task_manager_t *this,
1352 message_t *request, notify_type_t type,
1353 chunk_t data)
1354 {
1355 message_t *response;
1356 packet_t *packet;
1357 host_t *me, *other;
1358
1359 response = message_create(IKEV2_MAJOR_VERSION, IKEV2_MINOR_VERSION);
1360 response->set_exchange_type(response, request->get_exchange_type(request));
1361 response->set_request(response, FALSE);
1362 response->set_message_id(response, request->get_message_id(request));
1363 response->add_notify(response, FALSE, type, data);
1364 me = this->ike_sa->get_my_host(this->ike_sa);
1365 if (me->is_anyaddr(me))
1366 {
1367 me = request->get_destination(request);
1368 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
1369 }
1370 other = this->ike_sa->get_other_host(this->ike_sa);
1371 if (other->is_anyaddr(other))
1372 {
1373 other = request->get_source(request);
1374 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
1375 }
1376 response->set_source(response, me->clone(me));
1377 response->set_destination(response, other->clone(other));
1378 if (this->ike_sa->generate_message(this->ike_sa, response,
1379 &packet) == SUCCESS)
1380 {
1381 charon->sender->send(charon->sender, packet);
1382 }
1383 response->destroy(response);
1384 }
1385
1386 /**
1387 * Check if a given task has been queued already
1388 */
1389 static bool has_queued(private_task_manager_t *this, task_type_t type)
1390 {
1391 enumerator_t *enumerator;
1392 bool found = FALSE;
1393 queued_task_t *queued;
1394
1395 enumerator = array_create_enumerator(this->queued_tasks);
1396 while (enumerator->enumerate(enumerator, &queued))
1397 {
1398 if (queued->task->get_type(queued->task) == type)
1399 {
1400 found = TRUE;
1401 break;
1402 }
1403 }
1404 enumerator->destroy(enumerator);
1405 return found;
1406 }
1407
1408 /**
1409 * Send an INVALID_SYNTAX notify and destroy the IKE_SA for authenticated
1410 * messages.
1411 */
1412 static status_t send_invalid_syntax(private_task_manager_t *this,
1413 message_t *msg)
1414 {
1415 send_notify_response(this, msg, INVALID_SYNTAX, chunk_empty);
1416 incr_mid(this, FALSE);
1417
1418 /* IKE_SA_INIT is currently the only type the parser accepts unprotected,
1419 * don't destroy the IKE_SA if such a message is invalid */
1420 if (msg->get_exchange_type(msg) == IKE_SA_INIT)
1421 {
1422 return FAILED;
1423 }
1424 return DESTROY_ME;
1425 }
1426
1427 /**
1428 * Parse the given message and verify that it is valid.
1429 */
1430 static status_t parse_message(private_task_manager_t *this, message_t *msg)
1431 {
1432 status_t parse_status, status;
1433 uint8_t type = 0;
1434
1435 parse_status = msg->parse_body(msg, this->ike_sa->get_keymat(this->ike_sa));
1436
1437 if (parse_status == SUCCESS)
1438 { /* check for unsupported critical payloads */
1439 enumerator_t *enumerator;
1440 unknown_payload_t *unknown;
1441 payload_t *payload;
1442
1443 enumerator = msg->create_payload_enumerator(msg);
1444 while (enumerator->enumerate(enumerator, &payload))
1445 {
1446 if (payload->get_type(payload) == PL_UNKNOWN)
1447 {
1448 unknown = (unknown_payload_t*)payload;
1449 if (unknown->is_critical(unknown))
1450 {
1451 type = unknown->get_type(unknown);
1452 DBG1(DBG_ENC, "payload type %N is not supported, "
1453 "but payload is critical!", payload_type_names, type);
1454 parse_status = NOT_SUPPORTED;
1455 break;
1456 }
1457 }
1458 }
1459 enumerator->destroy(enumerator);
1460 }
1461
1462 status = parse_status;
1463
1464 if (parse_status != SUCCESS)
1465 {
1466 bool is_request = msg->get_request(msg);
1467
1468 switch (parse_status)
1469 {
1470 case NOT_SUPPORTED:
1471 DBG1(DBG_IKE, "critical unknown payloads found");
1472 if (is_request)
1473 {
1474 send_notify_response(this, msg,
1475 UNSUPPORTED_CRITICAL_PAYLOAD,
1476 chunk_from_thing(type));
1477 incr_mid(this, FALSE);
1478 }
1479 break;
1480 case PARSE_ERROR:
1481 DBG1(DBG_IKE, "message parsing failed");
1482 if (is_request)
1483 {
1484 status = send_invalid_syntax(this, msg);
1485 }
1486 break;
1487 case VERIFY_ERROR:
1488 DBG1(DBG_IKE, "message verification failed");
1489 if (is_request)
1490 {
1491 status = send_invalid_syntax(this, msg);
1492 }
1493 break;
1494 case FAILED:
1495 DBG1(DBG_IKE, "integrity check failed");
1496 /* ignored */
1497 #ifdef VOWIFI_CFG
1498 if (has_queued(this, TASK_IKE_MOBIKE))
1499 {
1500 DBG1(DBG_IKE, "MOBIKE task was queued");
1501 /* ignore error response for MOBIKE */
1502 notify_payload_t* notify = msg->get_notify(msg, INVALID_IKE_SPI);
1503 if (notify)
1504 {
1505 DBG1(DBG_IKE, "Ignore path probing attempt error. Server is alive and reachable");
1506 return SUCCESS;
1507 }
1508 }
1509 #endif
1510 break;
1511 case INVALID_STATE:
1512 DBG1(DBG_IKE, "found encrypted message, but no keys available");
1513 default:
1514 break;
1515 }
1516 DBG1(DBG_IKE, "%N %s with message ID %d processing failed",
1517 exchange_type_names, msg->get_exchange_type(msg),
1518 is_request ? "request" : "response",
1519 msg->get_message_id(msg));
1520
1521 charon->bus->alert(charon->bus, ALERT_PARSE_ERROR_BODY, msg,
1522 parse_status);
1523
1524 switch (this->ike_sa->get_state(this->ike_sa))
1525 {
1526 case IKE_CREATED:
1527 /* invalid initiation attempt, close SA */
1528 status = DESTROY_ME;
1529 break;
1530 case IKE_CONNECTING:
1531 case IKE_REKEYED:
1532 /* don't trigger updown event in these states */
1533 break;
1534 default:
1535 if (status == DESTROY_ME)
1536 {
1537 charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
1538 }
1539 break;
1540 }
1541 }
1542 return status;
1543 }
1544
1545 /**
1546 * Check if a message with message ID 0 looks like it is used to synchronize
1547 * the message IDs.
1548 */
1549 static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
1550 bool strict)
1551 {
1552 enumerator_t *enumerator;
1553 notify_payload_t *notify;
1554 payload_t *payload;
1555 bool found = FALSE, other = FALSE;
1556
1557 if (msg->get_exchange_type(msg) == INFORMATIONAL)
1558 {
1559 enumerator = msg->create_payload_enumerator(msg);
1560 while (enumerator->enumerate(enumerator, &payload))
1561 {
1562 if (payload->get_type(payload) == PLV2_NOTIFY)
1563 {
1564 notify = (notify_payload_t*)payload;
1565 switch (notify->get_notify_type(notify))
1566 {
1567 case IKEV2_MESSAGE_ID_SYNC:
1568 case IPSEC_REPLAY_COUNTER_SYNC:
1569 found = TRUE;
1570 continue;
1571 default:
1572 break;
1573 }
1574 }
1575 if (strict)
1576 {
1577 other = TRUE;
1578 break;
1579 }
1580 }
1581 enumerator->destroy(enumerator);
1582 }
1583 return found && !other;
1584 }
1585
1586 /**
1587 * Check whether we should reject the given request message
1588 */
1589 static inline bool reject_request(private_task_manager_t *this,
1590 message_t *msg)
1591 {
1592 ike_sa_state_t state;
1593 exchange_type_t type;
1594 ike_sa_id_t *ike_sa_id;
1595 bool reject = FALSE;
1596
1597 state = this->ike_sa->get_state(this->ike_sa);
1598 type = msg->get_exchange_type(msg);
1599
1600 /* reject initial messages if not received in specific states */
1601 switch (type)
1602 {
1603 case IKE_SA_INIT:
1604 reject = state != IKE_CREATED;
1605 break;
1606 case IKE_AUTH:
1607 reject = state != IKE_CONNECTING;
1608 break;
1609 default:
1610 break;
1611 }
1612
1613 if (!reject)
1614 {
1615 switch (state)
1616 {
1617 /* after rekeying we only expect a DELETE in an INFORMATIONAL */
1618 case IKE_REKEYED:
1619 reject = type != INFORMATIONAL;
1620 break;
1621 /* also reject requests for half-open IKE_SAs as initiator */
1622 case IKE_CREATED:
1623 case IKE_CONNECTING:
1624 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1625 reject = ike_sa_id->is_initiator(ike_sa_id);
1626 break;
1627 default:
1628 break;
1629 }
1630 }
1631
1632 if (reject)
1633 {
1634 DBG1(DBG_IKE, "ignoring %N in IKE_SA state %N", exchange_type_names,
1635 type, ike_sa_state_names, state);
1636 }
1637 return reject;
1638 }
1639 /**
1640 * Check if a message with message ID 0 looks like it is used to synchronize
1641 * the message IDs and we are prepared to process it.
1642 *
1643 * Note: This is not called if the responder never sent a message before (i.e.
1644 * we expect MID 0).
1645 */
1646 static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
1647 {
1648 if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
1649 this->ike_sa->supports_extension(this->ike_sa,
1650 EXT_IKE_MESSAGE_ID_SYNC))
1651 {
1652 return looks_like_mid_sync(this, msg, TRUE);
1653 }
1654 return FALSE;
1655 }
1656
1657 METHOD(task_manager_t, process_message, status_t,
1658 private_task_manager_t *this, message_t *msg)
1659 {
1660 host_t *me, *other;
1661 status_t status;
1662 uint32_t mid;
1663 bool schedule_delete_job = FALSE;
1664
1665 charon->bus->message(charon->bus, msg, TRUE, FALSE);
1666 status = parse_message(this, msg);
1667 if (status != SUCCESS)
1668 {
1669 return status;
1670 }
1671
1672 me = msg->get_destination(msg);
1673 other = msg->get_source(msg);
1674
1675 /* if this IKE_SA is virgin, we check for a config */
1676 if (this->ike_sa->get_ike_cfg(this->ike_sa) == NULL)
1677 {
1678 ike_cfg_t *ike_cfg;
1679
1680 ike_cfg = charon->backends->get_ike_cfg(charon->backends,
1681 me, other, IKEV2);
1682 if (ike_cfg == NULL)
1683 {
1684 /* no config found for these hosts, destroy */
1685 DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N",
1686 me, other, notify_type_names, NO_PROPOSAL_CHOSEN);
1687 send_notify_response(this, msg,
1688 NO_PROPOSAL_CHOSEN, chunk_empty);
1689 #ifndef VOWIFI_CFG
1690 return DESTROY_ME;
1691 #else
1692 /* deleting IKE_SA without config can cause crash, return success */
1693 return SUCCESS;
1694 #endif
1695 }
1696 this->ike_sa->set_ike_cfg(this->ike_sa, ike_cfg);
1697 ike_cfg->destroy(ike_cfg);
1698 /* add a timeout if peer does not establish it completely */
1699 schedule_delete_job = TRUE;
1700 }
1701
1702 mid = msg->get_message_id(msg);
1703 if (msg->get_request(msg))
1704 {
1705 if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
1706 {
1707 if (reject_request(this, msg))
1708 {
1709 return FAILED;
1710 }
1711 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1712 { /* with MOBIKE, we do no implicit updates */
1713 this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1);
1714 }
1715 status = handle_fragment(this, &this->responding.defrag, msg);
1716 if (status != SUCCESS)
1717 {
1718 if (status == NEED_MORE)
1719 {
1720 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1721 time_monotonic(NULL));
1722 }
1723 return status;
1724 }
1725 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1726 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1727 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1728 return SUCCESS;
1729 }
1730 switch (process_request(this, msg))
1731 {
1732 case SUCCESS:
1733 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1734 time_monotonic(NULL));
1735 this->responding.mid++;
1736 break;
1737 case NEED_MORE:
1738 break;
1739 default:
1740 flush(this);
1741 return DESTROY_ME;
1742 }
1743 }
1744 else if ((mid == this->responding.mid - 1) &&
1745 array_count(this->responding.packets) &&
1746 !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
1747 {
1748 status = handle_fragment(this, &this->responding.defrag, msg);
1749 if (status != SUCCESS)
1750 {
1751 if (status == NEED_MORE)
1752 {
1753 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1754 time_monotonic(NULL));
1755 }
1756 return status;
1757 }
1758 DBG1(DBG_IKE, "received retransmit of request with ID %d, "
1759 "retransmitting response", mid);
1760 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1761 time_monotonic(NULL));
1762 charon->bus->alert(charon->bus, ALERT_RETRANSMIT_RECEIVE, msg);
1763 send_packets(this, this->responding.packets,
1764 msg->get_destination(msg), msg->get_source(msg));
1765 }
1766 else
1767 {
1768 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1769 mid, this->responding.mid);
1770 }
1771 }
1772 else
1773 {
1774 if (mid == this->initiating.mid)
1775 {
1776 if (this->ike_sa->get_state(this->ike_sa) == IKE_CREATED ||
1777 this->ike_sa->get_state(this->ike_sa) == IKE_CONNECTING ||
1778 msg->get_exchange_type(msg) != IKE_SA_INIT)
1779 { /* only do updates based on verified messages (or initial ones) */
1780 if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
1781 { /* with MOBIKE, we do no implicit updates. we force an
1782 * update of the local address on IKE_SA_INIT, but never
1783 * for the remote address */
1784 this->ike_sa->update_hosts(this->ike_sa, me, NULL, mid == 0);
1785 this->ike_sa->update_hosts(this->ike_sa, NULL, other, FALSE);
1786 }
1787 }
1788 status = handle_fragment(this, &this->initiating.defrag, msg);
1789 if (status != SUCCESS)
1790 {
1791 if (status == NEED_MORE)
1792 {
1793 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1794 time_monotonic(NULL));
1795 }
1796 return status;
1797 }
1798 charon->bus->message(charon->bus, msg, TRUE, TRUE);
1799 if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED)
1800 { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */
1801 return SUCCESS;
1802 }
1803 if (process_response(this, msg) != SUCCESS)
1804 {
1805 flush(this);
1806 return DESTROY_ME;
1807 }
1808 this->ike_sa->set_statistic(this->ike_sa, STAT_INBOUND,
1809 time_monotonic(NULL));
1810 }
1811 else
1812 {
1813 DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
1814 mid, this->initiating.mid);
1815 return SUCCESS;
1816 }
1817 }
1818
1819 if (schedule_delete_job)
1820 {
1821 ike_sa_id_t *ike_sa_id;
1822 job_t *job;
1823
1824 ike_sa_id = this->ike_sa->get_id(this->ike_sa);
1825 job = (job_t*)delete_ike_sa_job_create(ike_sa_id, FALSE);
1826 lib->scheduler->schedule_job(lib->scheduler, job,
1827 lib->settings->get_int(lib->settings,
1828 "%s.half_open_timeout", HALF_OPEN_IKE_SA_TIMEOUT,
1829 lib->ns));
1830 }
1831 return SUCCESS;
1832 }
1833
1834 METHOD(task_manager_t, queue_task_delayed, void,
1835 private_task_manager_t *this, task_t *task, uint32_t delay)
1836 {
1837 queued_task_t *queued;
1838 timeval_t time;
1839
1840 time_monotonic(&time);
1841 if (delay)
1842 {
1843 job_t *job;
1844
1845 DBG2(DBG_IKE, "queueing %N task (delayed by %us)", task_type_names,
1846 task->get_type(task), delay);
1847 time.tv_sec += delay;
1848
1849 job = (job_t*)initiate_tasks_job_create(
1850 this->ike_sa->get_id(this->ike_sa));
1851 lib->scheduler->schedule_job_tv(lib->scheduler, job, time);
1852 }
1853 else
1854 {
1855 DBG2(DBG_IKE, "queueing %N task", task_type_names,
1856 task->get_type(task));
1857 }
1858 INIT(queued,
1859 .task = task,
1860 .time = time,
1861 );
1862 array_insert(this->queued_tasks, ARRAY_TAIL, queued);
1863 }
1864
1865 METHOD(task_manager_t, queue_task, void,
1866 private_task_manager_t *this, task_t *task)
1867 {
1868 queue_task_delayed(this, task, 0);
1869 }
1870
1871 METHOD(task_manager_t, queue_ike, void,
1872 private_task_manager_t *this)
1873 {
1874 if (!has_queued(this, TASK_IKE_VENDOR))
1875 {
1876 queue_task(this, (task_t*)ike_vendor_create(this->ike_sa, TRUE));
1877 }
1878 if (!has_queued(this, TASK_IKE_INIT))
1879 {
1880 queue_task(this, (task_t*)ike_init_create(this->ike_sa, TRUE, NULL));
1881 }
1882 if (!has_queued(this, TASK_IKE_NATD))
1883 {
1884 queue_task(this, (task_t*)ike_natd_create(this->ike_sa, TRUE));
1885 }
1886 if (!has_queued(this, TASK_IKE_CERT_PRE))
1887 {
1888 queue_task(this, (task_t*)ike_cert_pre_create(this->ike_sa, TRUE));
1889 }
1890 if (!has_queued(this, TASK_IKE_AUTH))
1891 {
1892 queue_task(this, (task_t*)ike_auth_create(this->ike_sa, TRUE));
1893 }
1894 if (!has_queued(this, TASK_IKE_CERT_POST))
1895 {
1896 queue_task(this, (task_t*)ike_cert_post_create(this->ike_sa, TRUE));
1897 }
1898 if (!has_queued(this, TASK_IKE_CONFIG))
1899 {
1900 queue_task(this, (task_t*)ike_config_create(this->ike_sa, TRUE));
1901 }
1902 if (!has_queued(this, TASK_IKE_AUTH_LIFETIME))
1903 {
1904 queue_task(this, (task_t*)ike_auth_lifetime_create(this->ike_sa, TRUE));
1905 }
1906 if (!has_queued(this, TASK_IKE_MOBIKE))
1907 {
1908 peer_cfg_t *peer_cfg;
1909
1910 peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
1911 if (peer_cfg->use_mobike(peer_cfg))
1912 {
1913 queue_task(this, (task_t*)ike_mobike_create(this->ike_sa, TRUE));
1914 }
1915 }
1916 #ifdef ME
1917 if (!has_queued(this, TASK_IKE_ME))
1918 {
1919 queue_task(this, (task_t*)ike_me_create(this->ike_sa, TRUE));
1920 }
1921 #endif /* ME */
1922 }
1923
1924 METHOD(task_manager_t, queue_ike_rekey, void,
1925 private_task_manager_t *this)
1926 {
1927 queue_task(this, (task_t*)ike_rekey_create(this->ike_sa, TRUE));
1928 }
1929
1930 /**
1931 * Start reauthentication using make-before-break
1932 */
1933 static void trigger_mbb_reauth(private_task_manager_t *this)
1934 {
1935 enumerator_t *enumerator;
1936 child_sa_t *child_sa;
1937 child_cfg_t *cfg;
1938 peer_cfg_t *peer;
1939 ike_sa_t *new;
1940 host_t *host;
1941 queued_task_t *queued;
1942 bool children = FALSE;
1943
1944 new = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
1945 this->ike_sa->get_version(this->ike_sa), TRUE);
1946 if (!new)
1947 { /* shouldn't happen */
1948 return;
1949 }
1950
1951 peer = this->ike_sa->get_peer_cfg(this->ike_sa);
1952 new->set_peer_cfg(new, peer);
1953 host = this->ike_sa->get_other_host(this->ike_sa);
1954 new->set_other_host(new, host->clone(host));
1955 host = this->ike_sa->get_my_host(this->ike_sa);
1956 new->set_my_host(new, host->clone(host));
1957 enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
1958 while (enumerator->enumerate(enumerator, &host))
1959 {
1960 new->add_virtual_ip(new, TRUE, host);
1961 }
1962 enumerator->destroy(enumerator);
1963
1964 enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
1965 while (enumerator->enumerate(enumerator, &child_sa))
1966 {
1967 child_create_t *child_create;
1968
1969 switch (child_sa->get_state(child_sa))
1970 {
1971 case CHILD_REKEYED:
1972 case CHILD_DELETED:
1973 /* ignore CHILD_SAs in these states */
1974 continue;
1975 default:
1976 break;
1977 }
1978 cfg = child_sa->get_config(child_sa);
1979 child_create = child_create_create(new, cfg->get_ref(cfg),
1980 FALSE, NULL, NULL);
1981 child_create->use_reqid(child_create, child_sa->get_reqid(child_sa));
1982 child_create->use_marks(child_create,
1983 child_sa->get_mark(child_sa, TRUE).value,
1984 child_sa->get_mark(child_sa, FALSE).value);
1985 /* interface IDs are not migrated as the new CHILD_SAs on old and new
1986 * IKE_SA go though regular updown events */
1987 new->queue_task(new, &child_create->task);
1988 children = TRUE;
1989 }
1990 enumerator->destroy(enumerator);
1991
1992 enumerator = array_create_enumerator(this->queued_tasks);
1993 while (enumerator->enumerate(enumerator, &queued))
1994 {
1995 if (queued->task->get_type(queued->task) == TASK_CHILD_CREATE)
1996 {
1997 queued->task->migrate(queued->task, new);
1998 new->queue_task(new, queued->task);
1999 array_remove_at(this->queued_tasks, enumerator);
2000 free(queued);
2001 children = TRUE;
2002 }
2003 }
2004 enumerator->destroy(enumerator);
2005
2006 if (!children
2007 #ifdef ME
2008 /* allow reauth of mediation connections without CHILD_SAs */
2009 && !peer->is_mediation(peer)
2010 #endif /* ME */
2011 )
2012 {
2013 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2014 DBG1(DBG_IKE, "unable to reauthenticate IKE_SA, no CHILD_SA "
2015 "to recreate");
2016 return;
2017 }
2018
2019 /* suspend online revocation checking until the SA is established */
2020 new->set_condition(new, COND_ONLINE_VALIDATION_SUSPENDED, TRUE);
2021
2022 if (new->initiate(new, NULL, 0, NULL, NULL) != DESTROY_ME)
2023 {
2024 new->queue_task(new, (task_t*)ike_verify_peer_cert_create(new));
2025 new->queue_task(new, (task_t*)ike_reauth_complete_create(new,
2026 this->ike_sa->get_id(this->ike_sa)));
2027 charon->ike_sa_manager->checkin(charon->ike_sa_manager, new);
2028 }
2029 else
2030 {
2031 charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, new);
2032 DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
2033 }
2034 charon->bus->set_sa(charon->bus, this->ike_sa);
2035 }
2036
2037 METHOD(task_manager_t, queue_ike_reauth, void,
2038 private_task_manager_t *this)
2039 {
2040 if (this->make_before_break)
2041 {
2042 return trigger_mbb_reauth(this);
2043 }
2044 queue_task(this, (task_t*)ike_reauth_create(this->ike_sa));
2045 }
2046
2047 METHOD(task_manager_t, queue_ike_delete, void,
2048 private_task_manager_t *this)
2049 {
2050 queue_task(this, (task_t*)ike_delete_create(this->ike_sa, TRUE));
2051 }
2052
2053 /**
2054 * There is no need to queue more than one mobike task, so this either returns
2055 * an already queued task or queues one if there is none yet.
2056 */
2057 static ike_mobike_t *queue_mobike_task(private_task_manager_t *this)
2058 {
2059 enumerator_t *enumerator;
2060 queued_task_t *queued;
2061 ike_mobike_t *mobike = NULL;
2062
2063 enumerator = array_create_enumerator(this->queued_tasks);
2064 while (enumerator->enumerate(enumerator, &queued))
2065 {
2066 if (queued->task->get_type(queued->task) == TASK_IKE_MOBIKE)
2067 {
2068 mobike = (ike_mobike_t*)queued->task;
2069 break;
2070 }
2071 }
2072 enumerator->destroy(enumerator);
2073
2074 if (!mobike)
2075 {
2076 mobike = ike_mobike_create(this->ike_sa, TRUE);
2077 queue_task(this, &mobike->task);
2078 }
2079 return mobike;
2080 }
2081
2082 METHOD(task_manager_t, queue_mobike, void,
2083 private_task_manager_t *this, bool roam, bool address)
2084 {
2085 ike_mobike_t *mobike;
2086
2087 mobike = queue_mobike_task(this);
2088 if (roam)
2089 {
2090 enumerator_t *enumerator;
2091 task_t *current;
2092
2093 mobike->roam(mobike, address);
2094
2095 /* enable path probing for a currently active MOBIKE task. This might
2096 * not be the case if an address appeared on a new interface while the
2097 * current address is not working but has not yet disappeared. */
2098 enumerator = array_create_enumerator(this->active_tasks);
2099 while (enumerator->enumerate(enumerator, &current))
2100 {
2101 if (current->get_type(current) == TASK_IKE_MOBIKE)
2102 {
2103 ike_mobike_t *active = (ike_mobike_t*)current;
2104 active->enable_probing(active);
2105 break;
2106 }
2107 }
2108 enumerator->destroy(enumerator);
2109 }
2110 else
2111 {
2112 mobike->addresses(mobike);
2113 }
2114 }
2115
2116 METHOD(task_manager_t, queue_dpd, void,
2117 private_task_manager_t *this)
2118 {
2119 ike_mobike_t *mobike;
2120
2121 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
2122 {
2123 #ifdef ME
2124 peer_cfg_t *cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
2125 if (cfg->get_peer_id(cfg) ||
2126 this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
2127 #else
2128 if (this->ike_sa->has_condition(this->ike_sa, COND_ORIGINAL_INITIATOR))
2129 #endif
2130 {
2131 /* use mobike enabled DPD to detect NAT mapping changes */
2132 mobike = queue_mobike_task(this);
2133 mobike->dpd(mobike);
2134 return;
2135 }
2136 }
2137 queue_task(this, (task_t*)ike_dpd_create(TRUE));
2138 }
2139
2140 METHOD(task_manager_t, queue_child, void,
2141 private_task_manager_t *this, child_cfg_t *cfg, uint32_t reqid,
2142 traffic_selector_t *tsi, traffic_selector_t *tsr)
2143 {
2144 child_create_t *task;
2145
2146 task = child_create_create(this->ike_sa, cfg, FALSE, tsi, tsr);
2147 if (reqid)
2148 {
2149 task->use_reqid(task, reqid);
2150 }
2151 queue_task(this, &task->task);
2152 }
2153
2154 METHOD(task_manager_t, queue_child_rekey, void,
2155 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi)
2156 {
2157 queue_task(this, (task_t*)child_rekey_create(this->ike_sa, protocol, spi));
2158 }
2159
2160 METHOD(task_manager_t, queue_child_delete, void,
2161 private_task_manager_t *this, protocol_id_t protocol, uint32_t spi,
2162 bool expired)
2163 {
2164 queue_task(this, (task_t*)child_delete_create(this->ike_sa,
2165 protocol, spi, expired));
2166 }
2167
2168 METHOD(task_manager_t, adopt_tasks, void,
2169 private_task_manager_t *this, task_manager_t *other_public)
2170 {
2171 private_task_manager_t *other = (private_task_manager_t*)other_public;
2172 queued_task_t *queued;
2173 timeval_t now;
2174
2175 time_monotonic(&now);
2176
2177 /* move queued tasks from other to this */
2178 while (array_remove(other->queued_tasks, ARRAY_TAIL, &queued))
2179 {
2180 DBG2(DBG_IKE, "migrating %N task", task_type_names,
2181 queued->task->get_type(queued->task));
2182 #ifdef VOWIFI_CFG
2183 if (queued->task->get_type(queued->task) == TASK_IKE_DELETE)
2184 {
2185 DBG1(DBG_IKE, "do not migrate TASK_IKE_DELETE");
2186 continue;
2187 }
2188 #endif
2189 queued->task->migrate(queued->task, this->ike_sa);
2190 /* don't delay tasks on the new IKE_SA */
2191 queued->time = now;
2192 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2193 }
2194 }
2195
2196 METHOD(task_manager_t, busy, bool,
2197 private_task_manager_t *this)
2198 {
2199 return array_count(this->active_tasks) > 0;
2200 }
2201
2202 METHOD(task_manager_t, reset, void,
2203 private_task_manager_t *this, uint32_t initiate, uint32_t respond)
2204 {
2205 enumerator_t *enumerator;
2206 queued_task_t *queued;
2207 task_t *task;
2208 timeval_t now;
2209
2210 /* reset message counters and retransmit packets */
2211 clear_packets(this->responding.packets);
2212 clear_packets(this->initiating.packets);
2213 DESTROY_IF(this->responding.defrag);
2214 DESTROY_IF(this->initiating.defrag);
2215 this->responding.defrag = NULL;
2216 this->initiating.defrag = NULL;
2217 if (initiate != UINT_MAX)
2218 {
2219 this->initiating.mid = initiate;
2220 }
2221 if (respond != UINT_MAX)
2222 {
2223 this->responding.mid = respond;
2224 }
2225 this->initiating.type = EXCHANGE_TYPE_UNDEFINED;
2226
2227 time_monotonic(&now);
2228 /* reset queued tasks */
2229 enumerator = array_create_enumerator(this->queued_tasks);
2230 while (enumerator->enumerate(enumerator, &queued))
2231 {
2232 queued->time = now;
2233 queued->task->migrate(queued->task, this->ike_sa);
2234 }
2235 enumerator->destroy(enumerator);
2236
2237 /* reset active tasks */
2238 while (array_remove(this->active_tasks, ARRAY_TAIL, &task))
2239 {
2240 task->migrate(task, this->ike_sa);
2241 INIT(queued,
2242 .task = task,
2243 .time = now,
2244 );
2245 array_insert(this->queued_tasks, ARRAY_HEAD, queued);
2246 }
2247
2248 this->reset = TRUE;
2249 }
2250
2251 /**
2252 * Data for a task queue enumerator
2253 */
2254 typedef struct {
2255 enumerator_t public;
2256 task_queue_t queue;
2257 enumerator_t *inner;
2258 queued_task_t *queued;
2259 } task_enumerator_t;
2260
2261 METHOD(enumerator_t, task_enumerator_destroy, void,
2262 task_enumerator_t *this)
2263 {
2264 this->inner->destroy(this->inner);
2265 free(this);
2266 }
2267
2268 METHOD(enumerator_t, task_enumerator_enumerate, bool,
2269 task_enumerator_t *this, va_list args)
2270 {
2271 task_t **task;
2272
2273 VA_ARGS_VGET(args, task);
2274 if (this->queue == TASK_QUEUE_QUEUED)
2275 {
2276 if (this->inner->enumerate(this->inner, &this->queued))
2277 {
2278 *task = this->queued->task;
2279 return TRUE;
2280 }
2281 }
2282 else if (this->inner->enumerate(this->inner, task))
2283 {
2284 return TRUE;
2285 }
2286 return FALSE;
2287 }
2288
2289 METHOD(task_manager_t, create_task_enumerator, enumerator_t*,
2290 private_task_manager_t *this, task_queue_t queue)
2291 {
2292 task_enumerator_t *enumerator;
2293
2294 INIT(enumerator,
2295 .public = {
2296 .enumerate = enumerator_enumerate_default,
2297 .venumerate = _task_enumerator_enumerate,
2298 .destroy = _task_enumerator_destroy,
2299 },
2300 .queue = queue,
2301 );
2302 switch (queue)
2303 {
2304 case TASK_QUEUE_ACTIVE:
2305 enumerator->inner = array_create_enumerator(this->active_tasks);
2306 break;
2307 case TASK_QUEUE_PASSIVE:
2308 enumerator->inner = array_create_enumerator(this->passive_tasks);
2309 break;
2310 case TASK_QUEUE_QUEUED:
2311 enumerator->inner = array_create_enumerator(this->queued_tasks);
2312 break;
2313 default:
2314 enumerator->inner = enumerator_create_empty();
2315 break;
2316 }
2317 return &enumerator->public;
2318 }
2319
2320 METHOD(task_manager_t, remove_task, void,
2321 private_task_manager_t *this, enumerator_t *enumerator_public)
2322 {
2323 task_enumerator_t *enumerator = (task_enumerator_t*)enumerator_public;
2324
2325 switch (enumerator->queue)
2326 {
2327 case TASK_QUEUE_ACTIVE:
2328 array_remove_at(this->active_tasks, enumerator->inner);
2329 break;
2330 case TASK_QUEUE_PASSIVE:
2331 array_remove_at(this->passive_tasks, enumerator->inner);
2332 break;
2333 case TASK_QUEUE_QUEUED:
2334 array_remove_at(this->queued_tasks, enumerator->inner);
2335 free(enumerator->queued);
2336 enumerator->queued = NULL;
2337 break;
2338 default:
2339 break;
2340 }
2341 }
2342
2343 METHOD(task_manager_t, destroy, void,
2344 private_task_manager_t *this)
2345 {
2346 flush(this);
2347
2348 array_destroy(this->active_tasks);
2349 array_destroy(this->queued_tasks);
2350 array_destroy(this->passive_tasks);
2351
2352 clear_packets(this->responding.packets);
2353 array_destroy(this->responding.packets);
2354 clear_packets(this->initiating.packets);
2355 array_destroy(this->initiating.packets);
2356 DESTROY_IF(this->responding.defrag);
2357 DESTROY_IF(this->initiating.defrag);
2358 free(this);
2359 }
2360
2361 /*
2362 * see header file
2363 */
2364 task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
2365 {
2366 private_task_manager_t *this;
2367
2368 INIT(this,
2369 .public = {
2370 .task_manager = {
2371 .process_message = _process_message,
2372 .queue_task = _queue_task,
2373 .queue_task_delayed = _queue_task_delayed,
2374 .queue_ike = _queue_ike,
2375 .queue_ike_rekey = _queue_ike_rekey,
2376 .queue_ike_reauth = _queue_ike_reauth,
2377 .queue_ike_delete = _queue_ike_delete,
2378 .queue_mobike = _queue_mobike,
2379 .queue_child = _queue_child,
2380 .queue_child_rekey = _queue_child_rekey,
2381 .queue_child_delete = _queue_child_delete,
2382 .queue_dpd = _queue_dpd,
2383 .initiate = _initiate,
2384 .retransmit = _retransmit,
2385 .incr_mid = _incr_mid,
2386 .get_mid = _get_mid,
2387 .reset = _reset,
2388 .adopt_tasks = _adopt_tasks,
2389 .busy = _busy,
2390 .create_task_enumerator = _create_task_enumerator,
2391 .remove_task = _remove_task,
2392 .flush = _flush,
2393 .flush_queue = _flush_queue,
2394 .destroy = _destroy,
2395 },
2396 },
2397 .ike_sa = ike_sa,
2398 .initiating.type = EXCHANGE_TYPE_UNDEFINED,
2399 .queued_tasks = array_create(0, 0),
2400 .active_tasks = array_create(0, 0),
2401 .passive_tasks = array_create(0, 0),
2402 #ifndef VOWIFI_CFG
2403 .retransmit_tries = lib->settings->get_int(lib->settings,
2404 "%s.retransmit_tries", RETRANSMIT_TRIES, lib->ns),
2405 .retransmit_timeout = lib->settings->get_double(lib->settings,
2406 "%s.retransmit_timeout", RETRANSMIT_TIMEOUT, lib->ns),
2407 .retransmit_base = lib->settings->get_double(lib->settings,
2408 "%s.retransmit_base", RETRANSMIT_BASE, lib->ns),
2409 .retransmit_jitter = min(lib->settings->get_int(lib->settings,
2410 "%s.retransmit_jitter", 0, lib->ns), RETRANSMIT_JITTER_MAX),
2411 .retransmit_limit = lib->settings->get_int(lib->settings,
2412 "%s.retransmit_limit", 0, lib->ns) * 1000,
2413 #endif
2414 .make_before_break = lib->settings->get_bool(lib->settings,
2415 "%s.make_before_break", FALSE, lib->ns),
2416 );
2417
2418 return &this->public;
2419 }