Current snapshot of OpenSolaris port.
Checkpoint
Checkpoint
Merge from parent.
Merge with WIDE update.
Pull from WIDE.
Pull from WIDE.
Checkpoint
Re-update.
blah
WIDE update
Update from WIDE.
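--- a/iked/ike_sa.c
+++ b/iked/ike_sa.c
@@ -1,1020 +1,1021 @@
 /* $Id: ike_sa.c,v 1.79 2007/12/05 07:26:09 fukumoto Exp $ */
 
 /*
 * Copyright (C) 2004 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 * may be used to endorse or promote products derived from this software
 * without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
 #include <config.h>
 
 #include <assert.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <limits.h>
 #include <inttypes.h>
 
 #include "gcmalloc.h"
 #include "racoon.h"
 #include "isakmp_impl.h"
 #include "ikev2_impl.h"
 
 #include "ike_conf.h"
 #include "var.h"
 #include "crypto_impl.h"
 
 #include "debug.h"
 
 void ikev2_sa_start_nego_timer(struct ikev2_sa *sa);
 void ikev2_sa_start_grace_period(struct ikev2_sa *sa);
 
 IKEV2_SA_LIST_HEAD ikev2_sa_list;
 
 #define FOREACH_SA(v_) TAILQ_FOREACH(v_, &ikev2_sa_list, link)
 
 void
 ikev2_sa_init(void)
 {
 IKEV2_SA_LIST_INIT(&ikev2_sa_list);
 }
 
 void
 ikev2_sa_insert(struct ikev2_sa *sa)
 {
 IKEV2_SA_LIST_LINK(&ikev2_sa_list, sa);
 }
 
 static void
 ikev2_sa_remove(struct ikev2_sa *sa)
 {
 IKEV2_SA_LIST_REMOVE(&ikev2_sa_list, sa);
 }
 
 #ifdef DEBUG
 void
 ikev2_dump(void)
 {
 struct timeval tv;
 struct ikev2_sa *sa;
 struct ikev2_child_sa *child_sa;
 
 gettimeofday(&tv, 0);
 plog(PLOG_DEBUG, PLOGLOC, 0, "timeofday: %ld\n", (long)tv.tv_sec);
 FOREACH_SA(sa) {
 plog(PLOG_DEBUG, PLOGLOC, 0, "IKE_SA %p\n", sa);
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "index:%02x%02x%02x%02x%02x%02x%02x%02x %02x%02x%02x%02x%02x%02x%02x%02x "
 "serial_number:%d "
 "version:%d is_initiator:%d remote:%s local:%s rmconf:%p "
 "send_message_id:%d request_pending:%d recv_message_id:%d "
 "state:%d negotiated_sa:%p prf:%p (%s) dh_choice:%p "
 "encryptor:%p authenticator:%p "
 "due_time:%ld lifetime_byte:%d "
 "child_created:%d rekey_inprogress:%d new_sa:%p\n",
 sa->index.i_ck[0], sa->index.i_ck[1], sa->index.i_ck[2],
 sa->index.i_ck[3], sa->index.i_ck[4], sa->index.i_ck[5],
 sa->index.i_ck[6], sa->index.i_ck[7], sa->index.r_ck[0],
 sa->index.r_ck[1], sa->index.r_ck[2], sa->index.r_ck[3],
 sa->index.r_ck[4], sa->index.r_ck[5], sa->index.r_ck[6],
 sa->index.r_ck[7], sa->serial_number, sa->version,
 sa->is_initiator, rcs_sa2str(sa->remote),
 rcs_sa2str(sa->local), sa->rmconf, sa->send_message_id,
 sa->request_pending, sa->recv_message_id, sa->state,
 sa->negotiated_sa, sa->prf,
 (!sa->
 prf ? "(undef)" : (sa->prf && sa->prf->method
 && sa->prf->method->name) ? sa->prf->
 method->name : "(unknown)"), sa->dh_choice, sa->encryptor,
 sa->authenticator, (long)sa->due_time.tv_sec,
 sa->lifetime_byte, sa->child_created, sa->rekey_inprogress,
 sa->new_sa);
 
 if (!sa->expire_timer)
 plog(PLOG_DEBUG, PLOGLOC, 0, "expire_timer:none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "expire_timer: xtime %ld func %p param %p\n",
 (long)sa->expire_timer->xtime,
 sa->expire_timer->func, sa->expire_timer->param);
 
 if (!sa->soft_expire_timer)
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "soft_expire_timer:none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "soft_expire_timer: xtime %ld func %p param %p\n",
 (long)sa->soft_expire_timer->xtime,
 sa->soft_expire_timer->func,
 sa->soft_expire_timer->param);
 
 if (!sa->grace_timer)
 plog(PLOG_DEBUG, PLOGLOC, 0, "grace_timer:none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "grace_timer: xtime %ld func %p param %p\n",
 (long)sa->grace_timer->xtime,
 sa->grace_timer->func, sa->grace_timer->param);
 
 if (!sa->polling_timer)
 plog(PLOG_DEBUG, PLOGLOC, 0, "polling_timer:none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "polling_timer: xtime %ld func %p param %p\n",
 (long)sa->polling_timer->xtime,
 sa->polling_timer->func, sa->polling_timer->param);
 
 if (!sa->natk_timer)
 plog(PLOG_DEBUG, PLOGLOC, 0, "natk_timer:none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "natk_timer: xtime %ld func %p param %p\n",
 (long)sa->natk_timer->xtime,
 sa->natk_timer->func, sa->natk_timer->param);
 
 #define D(msg, x) do { plog(PLOG_DEBUG, PLOGLOC, 0, msg); if (!(x)) plog(PLOG_DEBUG, PLOGLOC, 0, "null\n"); else plogdump(PLOG_DEBUG, PLOGLOC, 0, (x)->v, (x)->l); } while(0)
 D("n_i:\n", sa->n_i);
 D("n_r:\n", sa->n_r);
 D("dhpriv:\n", sa->dhpriv);
 D("dhpub:\n", sa->dhpub);
 D("dhpub_p:\n", sa->dhpub_p);
 D("skeyseed:\n", sa->skeyseed);
 D("sk_d:\n", sa->sk_d);
 D("sk_a_i\n", sa->sk_a_i);
 D("sk_a_r:\n", sa->sk_a_r);
 D("sk_e_i:\n", sa->sk_e_i);
 D("sk_e_r:\n", sa->sk_e_r);
 D("sk_p_i:\n", sa->sk_p_i);
 D("sk_p_r:\n", sa->sk_p_r);
 D("id_i:\n", sa->id_i);
 D("id_r:\n", sa->id_r);
 D("my_first_message:\n", sa->my_first_message);
 D("peer_first_message:\n", sa->peer_first_message);
 
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "verified_info: packet %p result %d\n",
 sa->verified_info.packet, sa->verified_info.result);
 
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "transmit_info: packet %p sent_time %ld.%08d retry_count %d retry_limit %d interval_to_send %d times_per_send %d\n",
 sa->transmit_info.packet,
 (long)sa->transmit_info.sent_time.tv_sec,
 (int)sa->transmit_info.sent_time.tv_usec,
 sa->transmit_info.retry_count,
 sa->transmit_info.retry_limit,
 sa->transmit_info.interval_to_send,
 sa->transmit_info.times_per_send);
 if (!sa->transmit_info.timer)
 plog(PLOG_DEBUG, PLOGLOC, 0, "timer none\n");
 else
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "timer xtime %ld func %p param %p\n",
 (long)sa->transmit_info.timer->xtime,
 sa->transmit_info.timer->func,
 sa->transmit_info.timer->param);
 
 plog(PLOG_DEBUG, PLOGLOC, 0, "children:\n");
 for (child_sa = IKEV2_CHILD_LIST_FIRST(&sa->children);
 !IKEV2_CHILD_LIST_END(child_sa);
 child_sa = IKEV2_CHILD_LIST_NEXT(child_sa)) {
 plog(PLOG_DEBUG, PLOGLOC, 0,
 "child_sa %p child_id:%lx is_initiator:%d state:%d "
 "local:%s remote:%s message_id:0x%lx\n",
 child_sa,
 child_sa->child_id, child_sa->is_initiator,
 child_sa->state, rcs_sa2str(child_sa->local),
 rcs_sa2str(child_sa->remote),
 (unsigned long)child_sa->message_id);
 }
 }
 }
 #endif
 
 void
 ikev2_sa_periodic_task(void)
 {
 struct ikev2_sa *sa, *next_sa;
 
 for (sa = IKEV2_SA_LIST_FIRST(&ikev2_sa_list); sa; sa = next_sa) {
 struct ikev2_child_sa *child_sa;
 struct ikev2_child_sa *next;
 
 TRACE((PLOGLOC, "ike_sa: %p state %d\n", sa, sa->state));
 next_sa = IKEV2_SA_LIST_NEXT(sa);
 for (child_sa = IKEV2_CHILD_LIST_FIRST(&sa->children);
 !IKEV2_CHILD_LIST_END(child_sa); child_sa = next) {
 TRACE((PLOGLOC, "child_sa: %p state %d\n", child_sa,
 child_sa->state));
 next = IKEV2_CHILD_LIST_NEXT(child_sa);
 if (child_sa->state == IKEV2_CHILD_STATE_EXPIRED) {
 TRACE((PLOGLOC, "deallocating child_sa %p\n",
 child_sa));
 ikev2_remove_child(child_sa);
 ikev2_destroy_child_sa(child_sa);
 }
 }
 if ((sa->state == IKEV2_STATE_DYING
 || sa->state == IKEV2_STATE_DEAD)
 && IKEV2_CHILD_LIST_FIRST(&sa->children) == NULL) {
 TRACE((PLOGLOC, "deallocating ike_sa %p\n", sa));
 ikev2_sa_remove(sa);
 ikev2_dispose_sa(sa);
 } else if (sa->state == IKEV2_STATE_ESTABLISHED
 && IKEV2_CHILD_LIST_FIRST(&sa->children) == NULL
 && !sa->rekey_inprogress) {
 TRACE((PLOGLOC, "launching grace period %p\n", sa));
 ikev2_sa_start_grace_period(sa);
 }
 }
 }
 
 /*
 * abort negotiation of ike_sa
 * kills pending children, deletes established ipsec sa
 */
 void
 ikev2_abort(struct ikev2_sa *ike_sa, int err)
 {
 struct ikev2_child_sa *child_sa;
 
 TRACE((PLOGLOC, "ikev2_abort(%p, %d)\n", ike_sa, err));
 isakmp_log(ike_sa, 0, 0, 0, PLOG_INFO, PLOGLOC, "aborting ike_sa\n");
 ikev2_set_state(ike_sa, IKEV2_STATE_DYING);
 
 for (child_sa = IKEV2_CHILD_LIST_FIRST(&ike_sa->children);
 !IKEV2_CHILD_LIST_END(child_sa);
 child_sa = IKEV2_CHILD_LIST_NEXT(child_sa)) {
 TRACE((PLOGLOC, "child_sa %p state %d\n", child_sa,
 child_sa->state));
 switch (child_sa->state) {
 case IKEV2_CHILD_STATE_GETSPI:
 ikev2_child_abort(child_sa, err);
 break;
 case IKEV2_CHILD_STATE_MATURE:
 ikev2_child_delete_ipsecsa(child_sa);
 ikev2_child_state_set(child_sa,
 IKEV2_CHILD_STATE_EXPIRED);
 break;
 case IKEV2_CHILD_STATE_EXPIRED:
 break;
 case IKEV2_CHILD_STATE_REQUEST_PENDING:
 case IKEV2_CHILD_STATE_REQUEST_SENT:
 default:
 ikev2_child_state_set(child_sa,
 IKEV2_CHILD_STATE_EXPIRED);
 break;
 }
 }
 ikev2_set_state(ike_sa, IKEV2_STATE_DEAD);
 ++isakmpstat.abort;
 }
 
 void
 ikev2_child_abort(struct ikev2_child_sa *child_sa, int err)
 {
 struct rcpfk_msg param;
 
+(void) memset(¶m, 0, sizeof (param));
 param.satype = RCT_SATYPE_ESP; /* XXX */
 param.seq = child_sa->sadb_request.seqno;
 param.eno = err;
 child_sa->sadb_request.method->acquire_error(¶m);
 
 ikev2_child_state_set(child_sa, IKEV2_CHILD_STATE_EXPIRED);
 ++isakmpstat.child_abort;
 }
 
 /*
 * find ike_sa by ike message spi
 */
 struct ikev2_sa *
 ikev2_find_sa(rc_vchar_t *message)
 {
 struct ikev2_header *ikehdr;
 isakmp_cookie_t *spi_i;
 isakmp_cookie_t *spi_r;
 int is_response;
 int remote_is_initiator;
 struct ikev2_sa *sa;
 
 ikehdr = (struct ikev2_header *)message->v;
 
 spi_i = &ikehdr->initiator_spi;
 spi_r = &ikehdr->responder_spi;
 is_response = (ikehdr->flags & IKEV2FLAG_RESPONSE) != 0;
 remote_is_initiator = (ikehdr->flags & IKEV2FLAG_INITIATOR) != 0;
 
 FOREACH_SA(sa) {
 if (!remote_is_initiator && sa->is_initiator) {
 if (memcmp(spi_i, &sa->index.i_ck,
 sizeof(isakmp_cookie_t)) == 0)
 return sa;
 } else if (remote_is_initiator && !sa->is_initiator) {
 /* retransmission of IKE_SA_INIT requests? */
 if (ikehdr->exchange_type == IKEV2EXCH_IKE_SA_INIT &&
 !is_response) {
 if (memcmp(spi_i, &sa->index.i_ck,
 sizeof(isakmp_cookie_t)) == 0 &&
 sa->peer_first_message &&
 message->l == sa->peer_first_message->l &&
 memcmp(message->v,
 sa->peer_first_message->v,
 message->l) == 0)
 return sa;
 } else {
 if (memcmp(spi_i, &sa->index.i_ck,
 sizeof(isakmp_cookie_t)) == 0 &&
 memcmp(spi_r, &sa->index.r_ck,
 sizeof(isakmp_cookie_t)) == 0)
 return sa;
 }
 }
 }
 
 return 0;
 }
 
 /*
 * find ike_sa by addr
 */
 struct ikev2_sa *
 ikev2_find_sa_by_addr(struct sockaddr *addr)
 {
 struct ikev2_sa *sa;
 struct ikev2_sa *candidate = 0;
 
 FOREACH_SA(sa) {
 if (rcs_cmpsa_wop(sa->remote, addr) == 0) {
 switch (sa->state) {
 case IKEV2_STATE_ESTABLISHED:
 return sa;
 case IKEV2_STATE_DYING:
 case IKEV2_STATE_DEAD:
 break;
 default:
 candidate = sa;
 break;
 }
 }
 }
 return candidate;
 }
 
 struct ikev2_sa *
 ikev2_find_sa_by_serial(int num)
 {
 struct ikev2_sa *sa;
 
 FOREACH_SA(sa) {
 if (sa->serial_number == num)
 return sa;
 }
 return 0;
 }
 
 /*
 * creates a new IKE_SA
 * if initiator_spi is NULL, creates an initiator SA
 * if initiator_spi is non-NULL, creates a responder SA, remembers initiator_spi
 */
 struct ikev2_sa *
 ikev2_allocate_sa(isakmp_cookie_t *initiator_spi, struct sockaddr *local,
 struct sockaddr *remote, struct rcf_remote *conf)
 {
 struct ikev2_sa *sa;
 extern void ikev2_verified(struct verified_info *);
 extern void ikev2_timeout(struct transmit_info *);
 static int serial_number = 0;
 
 TRACE((PLOGLOC, "ikev2_create_sa(%p, %s, %s, %p)\n",
 initiator_spi, rcs_sa2str(local), rcs_sa2str(remote), conf));
 
 sa = racoon_calloc(1, sizeof(struct ikev2_sa));
 TRACE((PLOGLOC, "sa: %p\n", sa));
 if (!sa)
 goto fail;
 if (initiator_spi) {
 rc_vchar_t *r;
 memcpy(sa->index.i_ck, initiator_spi, sizeof(isakmp_cookie_t));
 r = random_bytes(sizeof(isakmp_cookie_t));
 if (!r)
 goto fail;
 memcpy(sa->index.r_ck, r->v, sizeof(isakmp_cookie_t));
 rc_vfree(r);
 } else {
 rc_vchar_t *r;
 sa->is_initiator = TRUE;
 r = random_bytes(sizeof(isakmp_cookie_t));
 if (!r)
 goto fail;
 memcpy(sa->index.i_ck, r->v, sizeof(isakmp_cookie_t));
 rc_vfree(r);
 }
 sa->serial_number = ++serial_number;
 sa->version = IKEV2_VERSION;
 sa->state = IKEV2_STATE_IDLING;
 if (local) {
 sa->local = rcs_sadup(local);
 if (!sa->local)
 goto fail;
 }
 if (remote) {
 sa->remote = rcs_sadup(remote);
 if (!sa->remote)
 goto fail;
 }
 
 IKEV2_CHILD_LIST_INIT(&sa->children);
 
 sa->verified_info.is_initiator = sa->is_initiator;
 sa->verified_info.verify = ikev2_verify;
 sa->verified_info.verified_callback = ikev2_verified;
 sa->verified_info.callback_param = (void *)sa;
 
 sa->transmit_info.timeout_callback = ikev2_timeout;
 sa->transmit_info.callback_param = (void *)sa;
 
 sa->response_info.timeout_callback = 0;
 sa->response_info.callback_param = (void *)0;
 sa->response_info.times_per_send = 1;
 
 sa->lifetime_byte = 0;
 
 SCHED_INIT(sa->expire_timer);
 SCHED_INIT(sa->soft_expire_timer);
 SCHED_INIT(sa->grace_timer);
 SCHED_INIT(sa->polling_timer);
 SCHED_INIT(sa->natk_timer);
 
 ikev2_set_rmconf(sa, conf);
 
 ikev2_sa_start_nego_timer(sa);
 
 /* if this is responder, increment half-open sa counter */
 if (initiator_spi)
 ++ikev2_half_open_sa;
 
 return sa;
 
 fail:
 if (sa)
 racoon_free(sa);
 return 0;
 }
 
 struct ikev2_sa *
 ikev2_create_sa(isakmp_cookie_t *initiator_spi, struct sockaddr *local,
 struct sockaddr *remote, struct rcf_remote *conf)
 {
 struct ikev2_sa *sa;
 
 sa = ikev2_allocate_sa(initiator_spi, local, remote, conf);
 if (!sa)
 return 0;
 ikev2_sa_insert(sa);
 
 return sa;
 }
 
 static void ikev2_negotiation_timeout_callback(void *);
 
 void
 ikev2_sa_start_nego_timer(struct ikev2_sa *sa)
 {
 int time_limit;
 
 time_limit = ikev2_kmp_sa_nego_time_limit(sa->rmconf);
 sa->expire_timer =
 sched_new(time_limit, ikev2_negotiation_timeout_callback, sa);
 }
 
 static void
 ikev2_negotiation_timeout_callback(void *param)
 {
 struct ikev2_sa *sa;
 
 sa = (struct ikev2_sa *)param;
 SCHED_KILL(sa->expire_timer);
 ikev2_abort(sa, ETIMEDOUT);
 }
 
 static void ikev2_sa_lifetime_callback(void *);
 static void ikev2_sa_lifetime_soft_callback(void *);
 
 void
 ikev2_sa_start_lifetime_timer(struct ikev2_sa *sa)
 {
 int time_limit;
 int lifetime_soft;
 
 time_limit = ikev2_kmp_sa_lifetime_time(sa->rmconf);
 if (sa->due_time.tv_sec > 0) {
 struct timeval now, diff;
 gettimeofday(&now, 0);
 if (sa->due_time.tv_sec <= now.tv_sec) {
 isakmp_log(sa, 0, 0, 0,
 PLOG_INTERR, PLOGLOC,
 "certificate expired already\n");
 ikev2_sa_expire(sa, TRUE);
 time_limit = 0;
 } else {
 timersub(&sa->due_time, &now, &diff);
 if (time_limit == 0 || diff.tv_sec < time_limit) {
 isakmp_log(sa, 0, 0, 0,
 PLOG_INTWARN, PLOGLOC,
 "certificate expiration is earlier than life time\n");
 time_limit = diff.tv_sec;
 }
 }
 }
 TRACE((PLOGLOC, "lifetime: %d\n", time_limit));
 if (time_limit > 0) {
 sa->expire_timer =
 sched_new(time_limit, ikev2_sa_lifetime_callback, sa);
 if (!sa->expire_timer)
 goto fail_nomem;
 lifetime_soft = time_limit * (ikev2_lifetime_soft_factor +
 ikev2_lifetime_soft_jitter *
 ((double)eay_random_uint32() /
 UINT32_MAX));
 TRACE((PLOGLOC, "lifetime_soft: %d\n", lifetime_soft));
 sa->soft_expire_timer =
 sched_new(lifetime_soft,
 ikev2_sa_lifetime_soft_callback, sa);
 if (!sa->soft_expire_timer)
 goto fail_nomem;
 }
 return;
 
 fail_nomem:
 return;
 }
 
 static void
 ikev2_sa_lifetime_callback(void *param)
 {
 struct ikev2_sa *ike_sa;
 struct ikev2_child_sa *child_sa;
 
 ike_sa = (struct ikev2_sa *)param;
 TRACE((PLOGLOC, "lifetime expired %p\n", ike_sa));
 SCHED_KILL(ike_sa->expire_timer);
 ikev2_sa_expire(ike_sa, TRUE);
 child_sa = ikev2_choose_pending_child(ike_sa, TRUE);
 if (child_sa)
 ikev2_wakeup_child_sa(child_sa);
 }
 
 static void
 ikev2_sa_lifetime_soft_callback(void *param)
 {
 struct ikev2_sa *ike_sa;
 struct ikev2_child_sa *child_sa;
 
 ike_sa = (struct ikev2_sa *)param;
 TRACE((PLOGLOC, "soft lifetime expired %p\n", ike_sa));
 SCHED_KILL(ike_sa->soft_expire_timer);
 ike_sa->soft_expired = TRUE;
 if (ike_sa->child_created > 0 && !ike_sa->rekey_inprogress)
 ikev2_rekey_ikesa_initiate(ike_sa);
 child_sa = ikev2_choose_pending_child(ike_sa, TRUE);
 if (child_sa)
 ikev2_wakeup_child_sa(child_sa);
 }
 
 static void ikev2_sa_grace_period_callback(void *);
 
 void
 ikev2_sa_start_grace_period(struct ikev2_sa *sa)
 {
 int grace_period;
 
 grace_period = ikev2_kmp_sa_grace_period(sa->rmconf);
 if (grace_period <= 0)
 return;
 sa->grace_timer =
 sched_new(grace_period, ikev2_sa_grace_period_callback, sa);
 }
 
 void
 ikev2_sa_stop_grace_timer(struct ikev2_sa *sa)
 {
 if (sa->grace_timer)
 SCHED_KILL(sa->grace_timer);
 }
 
 static void
 ikev2_sa_grace_period_callback(void *param)
 {
 struct ikev2_sa *ike_sa;
 struct ikev2_child_sa *child_sa;
 
 ike_sa = (struct ikev2_sa *)param;
 TRACE((PLOGLOC, "grace period expired %p\n", ike_sa));
 SCHED_KILL(ike_sa->grace_timer);
 ikev2_sa_expire(ike_sa, TRUE);
 child_sa = ikev2_choose_pending_child(ike_sa, TRUE);
 if (child_sa)
 ikev2_wakeup_child_sa(child_sa);
 }
 
 void
 ikev2_sa_expire(struct ikev2_sa *ike_sa, int send_delete)
 {
 struct ikev2_child_sa *child_sa;
 
 TRACE((PLOGLOC, "expire ikev2_sa %p\n", ike_sa));
 
 switch (ike_sa->state) {
 case IKEV2_STATE_INI_IKE_SA_INIT_SENT:
 case IKEV2_STATE_RES_IKE_SA_INIT_SENT:
 case IKEV2_STATE_INI_IKE_AUTH_SENT:
 case IKEV2_STATE_RES_IKE_AUTH_RCVD:
 case IKEV2_STATE_INI_IKE_AUTH_RCVD:
 isakmp_log(ike_sa, 0, 0, 0,
 PLOG_INTERR, PLOGLOC, "ike_sa expired\n");
 ikev2_abort(ike_sa, ETIMEDOUT);
 break;
 case IKEV2_STATE_ESTABLISHED:
 if (ike_sa->child_created > 0) {
 if (!ike_sa->rekey_inprogress)
 ikev2_rekey_ikesa_initiate(ike_sa);
 } else {
 /* (draft-17)
 * Closing the IKE_SA implicitly closes all associated CHILD_SAs.
 */
 for (child_sa =
 IKEV2_CHILD_LIST_FIRST(&ike_sa->children);
 !IKEV2_CHILD_LIST_END(child_sa);
 child_sa = IKEV2_CHILD_LIST_NEXT(child_sa)) {
 if (child_sa->state == IKEV2_CHILD_STATE_MATURE) {
 ikev2_child_delete_ipsecsa(child_sa);
 ikev2_child_state_set(child_sa,
 IKEV2_CHILD_STATE_EXPIRED);
 }
 }
 
 if (send_delete)
 ikev2_sa_delete(ike_sa);
 }
 ikev2_set_state(ike_sa, IKEV2_STATE_DYING);
 break;
 case IKEV2_STATE_DYING:
 ikev2_set_state(ike_sa, IKEV2_STATE_DEAD);
 break;
 case IKEV2_STATE_DEAD:
 break;
 default:
 TRACE((PLOGLOC, "state: %d\n", ike_sa->state));
 break;
 }
 }
 
 static void ikev2_sa_delete_callback(enum request_callback,
 struct ikev2_child_sa *, void *);
 
 void
 ikev2_sa_delete(struct ikev2_sa *sa)
 {
 struct ikev2_payloads *payl;
 
 TRACE((PLOGLOC, "initiating DELETE IKE_SA\n"));
 payl = racoon_malloc(sizeof(struct ikev2_payloads));
 ikev2_payloads_init(payl);
 ikev2_payloads_push(payl,
 IKEV2_PAYLOAD_DELETE,
 ikev2_delete_payload(IKEV2_DELETE_PROTO_IKE, 0, 0,
 0), TRUE);
 (void)ikev2_request_initiator_start(sa, ikev2_sa_delete_callback, payl);
 }
 
 static void
 ikev2_sa_delete_callback(enum request_callback action,
 struct ikev2_child_sa *child_sa, void *data)
 {
 TRACE((PLOGLOC,
 "ikev2_sa_delete_callback(%d, %p, %p)\n", action, child_sa,
 data));
 switch (action) {
 case REQUEST_CALLBACK_CONTINUE:
 ikev2_informational_initiator_transmit(child_sa->parent,
 child_sa,
 (struct ikev2_payloads *)
 data);
 break;
 case REQUEST_CALLBACK_TRANSMIT_ERROR:
 /* none here */
 break;
 case REQUEST_CALLBACK_RESPONSE:
 ikev2_info_init_delete_recv(child_sa, (rc_vchar_t *)data);
 ikev2_set_state(child_sa->parent, IKEV2_STATE_DEAD);
 break;
 default:
 isakmp_log(child_sa->parent, 0, 0, 0,
 PLOG_INTERR, PLOGLOC,
 "unknown action code %d\n", (int)action);
 break;
 }
 }
 
 void
 ikev2_sa_stop_timer(struct ikev2_sa *sa)
 {
 if (sa->expire_timer)
 SCHED_KILL(sa->expire_timer);
 if (sa->soft_expire_timer)
 SCHED_KILL(sa->soft_expire_timer);
 if (sa->grace_timer)
 SCHED_KILL(sa->grace_timer);
 }
 
 /* shut down all IKE_SA by sending DELETE */
 static void ikev2_shutdown_sa(struct ikev2_sa *ike_sa);
 
 void
 ikev2_shutdown(void)
 {
 struct ikev2_sa *ike_sa;
 
 FOREACH_SA(ike_sa) {
 ikev2_shutdown_sa(ike_sa);
 }
 }
 
 static void
 ikev2_shutdown_sa(struct ikev2_sa *ike_sa)
 {
 struct ikev2_child_sa *child_sa;
 
 TRACE((PLOGLOC, "shutdown ikev2_sa %p state %d\n",
 ike_sa, ike_sa->state));
 
 switch (ike_sa->state) {
 case IKEV2_STATE_INI_IKE_SA_INIT_SENT:
 case IKEV2_STATE_RES_IKE_SA_INIT_SENT:
 case IKEV2_STATE_INI_IKE_AUTH_SENT:
 case IKEV2_STATE_RES_IKE_AUTH_RCVD:
 case IKEV2_STATE_INI_IKE_AUTH_RCVD:
 ikev2_abort(ike_sa, ETIMEDOUT);
 break;
 case IKEV2_STATE_ESTABLISHED:
 ikev2_set_state(ike_sa, IKEV2_STATE_DYING);
 for (child_sa = IKEV2_CHILD_LIST_FIRST(&ike_sa->children);
 !IKEV2_CHILD_LIST_END(child_sa);
 child_sa = IKEV2_CHILD_LIST_NEXT(child_sa)) {
 if (child_sa->state == IKEV2_CHILD_STATE_MATURE) {
 ikev2_child_delete_ipsecsa(child_sa);
 ikev2_child_state_set(child_sa,
 IKEV2_CHILD_STATE_EXPIRED);
 }
 }
 ikev2_sa_delete(ike_sa);
 break;
 case IKEV2_STATE_DYING:
 ikev2_set_state(ike_sa, IKEV2_STATE_DEAD);
 break;
 case IKEV2_STATE_DEAD:
 break;
 default:
 TRACE((PLOGLOC, "state: %d\n", ike_sa->state));
 break;
 }
 }
 
 static void ikev2_poll_timer_callback(void *);
 
 void
 ikev2_sa_start_polling_timer(struct ikev2_sa *sa)
 {
 int interval;
 
 if (sa->polling_timer)
 SCHED_KILL(sa->polling_timer);
 
 interval = ikev2_dpd_interval(sa->rmconf);
 TRACE((PLOGLOC, "dpd polling interval %d\n", interval));
 if (interval > 0)
 sa->polling_timer =
 sched_new(interval, ikev2_poll_timer_callback, sa);
 }
 
 static void
 ikev2_poll_timer_callback(void *param)
 {
 struct ikev2_sa *sa;
 
 sa = (struct ikev2_sa *)param;
 SCHED_KILL(sa->polling_timer);
 if (sa->state == IKEV2_STATE_ESTABLISHED)
 ikev2_poll(sa);
 }
 
 void
 ikev2_dispose_sa(struct ikev2_sa *sa)
 {
 TRACE((PLOGLOC, "ikev2_dispose_sa(%p)\n", sa));
 
 /* remove from sa list in advance */
 /* ikev2_sa_remove(sa); */
 
 assert(IKEV2_CHILD_LIST_EMPTY(&sa->children));
 
 if (sa->new_sa)
 ikev2_dispose_sa(sa->new_sa);
 
 if (sa->expire_timer)
 SCHED_KILL(sa->expire_timer);
 if (sa->soft_expire_timer)
 SCHED_KILL(sa->soft_expire_timer);
 if (sa->grace_timer)
 SCHED_KILL(sa->grace_timer);
 if (sa->polling_timer)
 SCHED_KILL(sa->polling_timer);
 if (sa->natk_timer)
 SCHED_KILL(sa->natk_timer);
 
 if (sa->rmconf)
 rcf_free_remote(sa->rmconf);
 
 if (sa->negotiated_sa)
 racoon_free(sa->negotiated_sa);
 
 if (sa->prf)
 keyed_hash_dispose(sa->prf);
 
 if (sa->n_i)
 rc_vfree(sa->n_i);
 if (sa->n_r)
 rc_vfree(sa->n_r);
 if (sa->dhpriv)
 rc_vfreez(sa->dhpriv);
 if (sa->dhpub)
 rc_vfree(sa->dhpub);
 if (sa->dhpub_p)
 rc_vfree(sa->dhpub_p);
 if (sa->skeyseed)
 rc_vfreez(sa->skeyseed);
 if (sa->sk_d)
 rc_vfreez(sa->sk_d);
 if (sa->sk_a_i)
 rc_vfreez(sa->sk_a_i);
 if (sa->sk_a_r)
 rc_vfreez(sa->sk_a_r);
 if (sa->sk_e_i)
 rc_vfreez(sa->sk_e_i);
 if (sa->sk_e_r)
 rc_vfreez(sa->sk_e_r);
 if (sa->sk_p_i)
 rc_vfreez(sa->sk_p_i);
 if (sa->sk_p_r)
 rc_vfreez(sa->sk_p_r);
 if (sa->id_i)
 rc_vfree(sa->id_i);
 if (sa->id_r)
 rc_vfree(sa->id_r);
 if (sa->my_first_message)
 rc_vfree(sa->my_first_message);
 if (sa->peer_first_message)
 rc_vfree(sa->peer_first_message);
 if (sa->encryptor)
 encryptor_destroy(sa->encryptor);
 if (sa->authenticator)
 auth_destroy(sa->authenticator);
 
 if (sa->verified_info.packet)
 rc_vfree(sa->verified_info.packet);
 
 if (sa->transmit_info.packet)
 rc_vfree(sa->transmit_info.packet);
 if (sa->transmit_info.timer)
 SCHED_KILL(sa->transmit_info.timer);
 if (sa->response_info.packet)
 rc_vfree(sa->response_info.packet);
 if (sa->response_info.timer)
 SCHED_KILL(sa->response_info.timer);
 
 if (sa->local)
 rc_free(sa->local);
 if (sa->remote)
 rc_free(sa->remote);
 
 racoon_free(sa);
 }
 
 /*
 * set ike_sa->encryptor, authenticator, prf according to negotiated_sa
 * (negotiated_sa may be equal to ike_sa->negotiated_sa)
 * returns 0 if successful, non-0 otherwise
 */
 int
 ikev2_set_negotiated_sa(struct ikev2_sa *ike_sa,
 struct ikev2_isakmpsa *negotiated_sa)
 {
 struct encryptor *encryptor = 0;
 struct authenticator *authenticator = 0;
 struct keyed_hash *prf = 0;
 
 TRACE((PLOGLOC, "ikev2_set_negotiated_sa(%p, %p)\n", ike_sa,
 negotiated_sa));
 assert(!ike_sa->encryptor && !ike_sa->authenticator && !ike_sa->prf);
 
 encryptor = ikev2_encryptor_new(negotiated_sa->encr,
 negotiated_sa->encrklen);
 if (!encryptor) {
 isakmp_log(ike_sa, 0, 0, 0,
 PLOG_INTERR, PLOGLOC,
 "failed creating ike_sa encryptor\n");
 goto fail;
 }
 authenticator = ikev2_authenticator_new(negotiated_sa->integr);
 if (!authenticator) {
 isakmp_log(ike_sa, 0, 0, 0,
 PLOG_INTERR, PLOGLOC,
 "failed creating ike_sa authenticator\n");
 goto fail;
 }
 prf = ikev2_prf_new(negotiated_sa->prf);
 if (!prf)
 goto fail;
 
 ike_sa->negotiated_sa = negotiated_sa;
 ike_sa->encryptor = encryptor;
 ike_sa->authenticator = authenticator;
 ike_sa->prf = prf;
 return 0;
 
 fail:
 if (encryptor)
 encryptor_destroy(encryptor);
 if (authenticator)
 auth_destroy(authenticator);
 if (prf)
 keyed_hash_dispose(prf);
 return -1;
 }
 
 void
 ikev2_set_rmconf(struct ikev2_sa *sa, struct rcf_remote *conf)
 {
 if (sa->rmconf)
 rcf_free_remote(sa->rmconf);
 
 sa->rmconf = conf;
 
 sa->transmit_info.retry_limit = ikev2_max_retry_to_send(conf);
 sa->transmit_info.times_per_send = ikev2_times_per_send(conf);
 sa->transmit_info.interval_to_send = ikev2_interval_to_send(conf);
 if (sa->transmit_info.interval_to_send > 100000) /* XXX */
 sa->transmit_info.interval_to_send = 100000;
 }
 
 struct contact_list {
 rc_vchar_t *remote_index;
 struct contact_list *next;
 };
 
 struct contact_list *contacted_list = 0;
 
 int
 ikev2_send_initial_contact(struct ikev2_sa *ike_sa)
 {
 struct contact_list *peer;
 struct contact_list *c;
 
 for (peer = contacted_list; peer; peer = peer->next) {
 if (rc_vmemcmp(peer->remote_index, ike_sa->rmconf->rm_index) == 0)
 return FALSE;
 }
 
 c = racoon_malloc(sizeof(struct contact_list));
 if (!c)
 return FALSE;
 
 c->remote_index = rc_vdup(ike_sa->rmconf->rm_index);
 c->next = contacted_list;
 contacted_list = c;
 
 return TRUE;
 }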
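Review bot: The memset added at new line 300 of ikev2_child_abort() is the right call for a stack `struct rcpfk_msg` that reaches `acquire_error()` with only three members assigned, but a designated initializer at the declaration, `struct rcpfk_msg param = { .satype = RCT_SATYPE_ESP, .seq = child_sa->sadb_request.seqno, .eno = err };`, zero-fills the remaining members at the point of definition and leaves no window in which the object is uninitialized. As rendered here, `¶m` on the added line and on the `acquire_error` call reads as `&param` with the ampersand mangled by the page rather than as committed text, which is worth confirming against the repository before merge. The `/* XXX */` on the `satype` assignment still gives no reason for hard-coding ESP; a one-line comment stating the assumption behind it would help the next reader.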
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX