summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/ikev2/tasks
diff options
context:
space:
mode:
Diffstat (limited to 'src/libcharon/sa/ikev2/tasks')
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.c1426
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_create.h90
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.c410
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_delete.h61
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_rekey.c485
-rw-r--r--src/libcharon/sa/ikev2/tasks/child_rekey.h64
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.c1110
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth.h57
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c172
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h53
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_post.c261
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_post.h53
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.c529
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_cert_pre.h53
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.c510
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_config.h51
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_delete.c199
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_delete.h50
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_dpd.c94
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_dpd.h51
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.c600
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_init.h60
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_me.c845
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_me.h100
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.c670
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_mobike.h93
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_natd.c472
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_natd.h59
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth.c110
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_reauth.h51
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_rekey.c412
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_rekey.h61
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_vendor.c141
-rw-r--r--src/libcharon/sa/ikev2/tasks/ike_vendor.h49
34 files changed, 9502 insertions, 0 deletions
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.c b/src/libcharon/sa/ikev2/tasks/child_create.c
new file mode 100644
index 000000000..46a165546
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_create.c
@@ -0,0 +1,1426 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_create.h"
+
+#include <daemon.h>
+#include <sa/ikev2/keymat_v2.h>
+#include <crypto/diffie_hellman.h>
+#include <credentials/certificates/x509.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/ts_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/inactivity_job.h>
+
+
+typedef struct private_child_create_t private_child_create_t;
+
+/**
+ * Private members of a child_create_t task.
+ */
+struct private_child_create_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_create_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * nonce chosen by us
+ */
+ chunk_t my_nonce;
+
+ /**
+ * nonce chosen by peer
+ */
+ chunk_t other_nonce;
+
+ /**
+ * config to create the CHILD_SA from
+ */
+ child_cfg_t *config;
+
+ /**
+ * list of proposal candidates
+ */
+ linked_list_t *proposals;
+
+ /**
+ * selected proposal to use for CHILD_SA
+ */
+ proposal_t *proposal;
+
+ /**
+ * traffic selectors for initiators side
+ */
+ linked_list_t *tsi;
+
+ /**
+ * traffic selectors for responders side
+ */
+ linked_list_t *tsr;
+
+ /**
+ * source of triggering packet
+ */
+ traffic_selector_t *packet_tsi;
+
+ /**
+ * destination of triggering packet
+ */
+ traffic_selector_t *packet_tsr;
+
+ /**
+ * optional diffie hellman exchange
+ */
+ diffie_hellman_t *dh;
+
+ /**
+ * group used for DH exchange
+ */
+ diffie_hellman_group_t dh_group;
+
+ /**
+ * IKE_SAs keymat
+ */
+ keymat_v2_t *keymat;
+
+ /**
+ * mode the new CHILD_SA uses (transport/tunnel/beet)
+ */
+ ipsec_mode_t mode;
+
+ /**
+ * peer accepts TFC padding for this SA
+ */
+ bool tfcv3;
+
+ /**
+ * IPComp transform to use
+ */
+ ipcomp_transform_t ipcomp;
+
+ /**
+ * IPComp transform proposed or accepted by the other peer
+ */
+ ipcomp_transform_t ipcomp_received;
+
+ /**
+ * Own allocated SPI
+ */
+ u_int32_t my_spi;
+
+ /**
+ * SPI received in proposal
+ */
+ u_int32_t other_spi;
+
+ /**
+ * Own allocated Compression Parameter Index (CPI)
+ */
+ u_int16_t my_cpi;
+
+ /**
+ * Other Compression Parameter Index (CPI), received via IPCOMP_SUPPORTED
+ */
+ u_int16_t other_cpi;
+
+ /**
+ * reqid to use if we are rekeying
+ */
+ u_int32_t reqid;
+
+ /**
+ * CHILD_SA which gets established
+ */
+ child_sa_t *child_sa;
+
+ /**
+ * successfully established the CHILD?
+ */
+ bool established;
+
+ /**
+ * whether the CHILD_SA rekeys an existing one
+ */
+ bool rekey;
+
+ /**
+ * whether we are retrying with another DH group
+ */
+ bool retry;
+};
+
+/**
+ * get the nonce from a message
+ */
+static status_t get_nonce(message_t *message, chunk_t *nonce)
+{
+ nonce_payload_t *payload;
+
+ payload = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (payload == NULL)
+ {
+ return FAILED;
+ }
+ *nonce = payload->get_nonce(payload);
+ return NEED_MORE;
+}
+
+/**
+ * generate a new nonce to include in a CREATE_CHILD_SA message
+ */
+static status_t generate_nonce(private_child_create_t *this)
+{
+ nonce_gen_t *nonceg;
+
+ nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+ if (!nonceg)
+ {
+ DBG1(DBG_IKE, "no nonce generator found to create nonce");
+ return FAILED;
+ }
+ if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ {
+ DBG1(DBG_IKE, "nonce allocation failed");
+ nonceg->destroy(nonceg);
+ return FAILED;
+ }
+ nonceg->destroy(nonceg);
+
+ return SUCCESS;
+}
+
+/**
+ * Check a list of traffic selectors if any selector belongs to host
+ */
+static bool ts_list_is_host(linked_list_t *list, host_t *host)
+{
+ traffic_selector_t *ts;
+ bool is_host = TRUE;
+ enumerator_t *enumerator = list->create_enumerator(list);
+
+ while (is_host && enumerator->enumerate(enumerator, (void**)&ts))
+ {
+ is_host = is_host && ts->is_host(ts, host);
+ }
+ enumerator->destroy(enumerator);
+ return is_host;
+}
+
+/**
+ * Allocate SPIs and update proposals
+ */
+static bool allocate_spi(private_child_create_t *this)
+{
+ enumerator_t *enumerator;
+ proposal_t *proposal;
+
+ /* TODO: allocate additional SPI for AH if we have such proposals */
+ this->my_spi = this->child_sa->alloc_spi(this->child_sa, PROTO_ESP);
+ if (this->my_spi)
+ {
+ if (this->initiator)
+ {
+ enumerator = this->proposals->create_enumerator(this->proposals);
+ while (enumerator->enumerate(enumerator, &proposal))
+ {
+ proposal->set_spi(proposal, this->my_spi);
+ }
+ enumerator->destroy(enumerator);
+ }
+ else
+ {
+ this->proposal->set_spi(this->proposal, this->my_spi);
+ }
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * Schedule inactivity timeout for CHILD_SA with reqid, if enabled
+ */
+static void schedule_inactivity_timeout(private_child_create_t *this)
+{
+ u_int32_t timeout;
+ bool close_ike;
+
+ timeout = this->config->get_inactivity(this->config);
+ if (timeout)
+ {
+ close_ike = lib->settings->get_bool(lib->settings,
+ "%s.inactivity_close_ike", FALSE, charon->name);
+ lib->scheduler->schedule_job(lib->scheduler, (job_t*)
+ inactivity_job_create(this->child_sa->get_reqid(this->child_sa),
+ timeout, close_ike), timeout);
+ }
+}
+
+/**
+ * Check if we have a an address pool configured
+ */
+static bool have_pool(ike_sa_t *ike_sa)
+{
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ char *pool;
+ bool found = FALSE;
+
+ peer_cfg = ike_sa->get_peer_cfg(ike_sa);
+ if (peer_cfg)
+ {
+ enumerator = peer_cfg->create_pool_enumerator(peer_cfg);
+ if (enumerator->enumerate(enumerator, &pool))
+ {
+ found = TRUE;
+ }
+ enumerator->destroy(enumerator);
+ }
+ return found;
+}
+
+/**
+ * Get hosts to use for dynamic traffic selectors
+ */
+static linked_list_t *get_dynamic_hosts(ike_sa_t *ike_sa, bool local)
+{
+ enumerator_t *enumerator;
+ linked_list_t *list;
+ host_t *host;
+
+ list = linked_list_create();
+ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, local);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ list->insert_last(list, host);
+ }
+ enumerator->destroy(enumerator);
+
+ if (list->get_count(list) == 0)
+ { /* no virtual IPs assigned */
+ if (local)
+ {
+ host = ike_sa->get_my_host(ike_sa);
+ list->insert_last(list, host);
+ }
+ else if (!have_pool(ike_sa))
+ { /* use host only if we don't have a pool configured */
+ host = ike_sa->get_other_host(ike_sa);
+ list->insert_last(list, host);
+ }
+ }
+ return list;
+}
+
+/**
+ * Install a CHILD_SA for usage, return value:
+ * - FAILED: no acceptable proposal
+ * - INVALID_ARG: diffie hellman group inacceptable
+ * - NOT_FOUND: TS inacceptable
+ */
+static status_t select_and_install(private_child_create_t *this,
+ bool no_dh, bool ike_auth)
+{
+ status_t status, status_i, status_o;
+ chunk_t nonce_i, nonce_r;
+ chunk_t encr_i = chunk_empty, encr_r = chunk_empty;
+ chunk_t integ_i = chunk_empty, integ_r = chunk_empty;
+ linked_list_t *my_ts, *other_ts, *list;
+ host_t *me, *other;
+ bool private;
+
+ if (this->proposals == NULL)
+ {
+ DBG1(DBG_IKE, "SA payload missing in message");
+ return FAILED;
+ }
+ if (this->tsi == NULL || this->tsr == NULL)
+ {
+ DBG1(DBG_IKE, "TS payloads missing in message");
+ return NOT_FOUND;
+ }
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+
+ private = this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN);
+ this->proposal = this->config->select_proposal(this->config,
+ this->proposals, no_dh, private);
+ if (this->proposal == NULL)
+ {
+ DBG1(DBG_IKE, "no acceptable proposal found");
+ return FAILED;
+ }
+ this->other_spi = this->proposal->get_spi(this->proposal);
+
+ if (!this->initiator && !allocate_spi(this))
+ { /* responder has no SPI allocated yet */
+ DBG1(DBG_IKE, "allocating SPI failed");
+ return FAILED;
+ }
+ this->child_sa->set_proposal(this->child_sa, this->proposal);
+
+ if (!this->proposal->has_dh_group(this->proposal, this->dh_group))
+ {
+ u_int16_t group;
+
+ if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+ &group, NULL))
+ {
+ DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+ diffie_hellman_group_names, this->dh_group,
+ diffie_hellman_group_names, group);
+ this->dh_group = group;
+ return INVALID_ARG;
+ }
+ /* the selected proposal does not use a DH group */
+ DBG1(DBG_IKE, "ignoring KE exchange, agreed on a non-PFS proposal");
+ DESTROY_IF(this->dh);
+ this->dh = NULL;
+ this->dh_group = MODP_NONE;
+ }
+
+ if (this->initiator)
+ {
+ nonce_i = this->my_nonce;
+ nonce_r = this->other_nonce;
+ my_ts = this->tsi;
+ other_ts = this->tsr;
+ }
+ else
+ {
+ nonce_r = this->my_nonce;
+ nonce_i = this->other_nonce;
+ my_ts = this->tsr;
+ other_ts = this->tsi;
+ }
+ list = get_dynamic_hosts(this->ike_sa, TRUE);
+ my_ts = this->config->get_traffic_selectors(this->config,
+ TRUE, my_ts, list);
+ list->destroy(list);
+ list = get_dynamic_hosts(this->ike_sa, FALSE);
+ other_ts = this->config->get_traffic_selectors(this->config,
+ FALSE, other_ts, list);
+ list->destroy(list);
+
+ if (this->initiator)
+ {
+ if (ike_auth)
+ {
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts);
+ }
+ else
+ {
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_INITIATOR_POST_AUTH, my_ts, other_ts);
+ }
+ }
+ else
+ {
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_RESPONDER, my_ts, other_ts);
+ }
+
+ if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+ {
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ DBG1(DBG_IKE, "no acceptable traffic selectors found");
+ return NOT_FOUND;
+ }
+
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ if (this->initiator)
+ {
+ this->tsi = my_ts;
+ this->tsr = other_ts;
+ }
+ else
+ {
+ this->tsr = my_ts;
+ this->tsi = other_ts;
+ }
+
+ if (!this->initiator)
+ {
+ /* check if requested mode is acceptable, downgrade if required */
+ switch (this->mode)
+ {
+ case MODE_TRANSPORT:
+ if (!this->config->use_proxy_mode(this->config) &&
+ (!ts_list_is_host(this->tsi, other) ||
+ !ts_list_is_host(this->tsr, me))
+ )
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using transport mode, not host-to-host");
+ }
+ else if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using transport mode, connection NATed");
+ }
+ break;
+ case MODE_BEET:
+ if (!ts_list_is_host(this->tsi, NULL) ||
+ !ts_list_is_host(this->tsr, NULL))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using BEET mode, not host-to-host");
+ }
+ break;
+ default:
+ break;
+ }
+ }
+
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLING);
+ this->child_sa->set_ipcomp(this->child_sa, this->ipcomp);
+ this->child_sa->set_mode(this->child_sa, this->mode);
+ this->child_sa->set_protocol(this->child_sa,
+ this->proposal->get_protocol(this->proposal));
+
+ if (this->my_cpi == 0 || this->other_cpi == 0 || this->ipcomp == IPCOMP_NONE)
+ {
+ this->my_cpi = this->other_cpi = 0;
+ this->ipcomp = IPCOMP_NONE;
+ }
+ status_i = status_o = FAILED;
+ if (this->keymat->derive_child_keys(this->keymat, this->proposal,
+ this->dh, nonce_i, nonce_r, &encr_i, &integ_i, &encr_r, &integ_r))
+ {
+ if (this->initiator)
+ {
+ status_i = this->child_sa->install(this->child_sa,
+ encr_r, integ_r, this->my_spi, this->my_cpi,
+ TRUE, this->tfcv3, my_ts, other_ts);
+ status_o = this->child_sa->install(this->child_sa,
+ encr_i, integ_i, this->other_spi, this->other_cpi,
+ FALSE, this->tfcv3, my_ts, other_ts);
+ }
+ else
+ {
+ status_i = this->child_sa->install(this->child_sa,
+ encr_i, integ_i, this->my_spi, this->my_cpi,
+ TRUE, this->tfcv3, my_ts, other_ts);
+ status_o = this->child_sa->install(this->child_sa,
+ encr_r, integ_r, this->other_spi, this->other_cpi,
+ FALSE, this->tfcv3, my_ts, other_ts);
+ }
+ }
+ chunk_clear(&integ_i);
+ chunk_clear(&integ_r);
+ chunk_clear(&encr_i);
+ chunk_clear(&encr_r);
+
+ if (status_i != SUCCESS || status_o != SUCCESS)
+ {
+ DBG1(DBG_IKE, "unable to install %s%s%sIPsec SA (SAD) in kernel",
+ (status_i != SUCCESS) ? "inbound " : "",
+ (status_i != SUCCESS && status_o != SUCCESS) ? "and ": "",
+ (status_o != SUCCESS) ? "outbound " : "");
+ return FAILED;
+ }
+
+ if (this->initiator)
+ {
+ status = this->child_sa->add_policies(this->child_sa, my_ts, other_ts);
+ }
+ else
+ {
+ /* use a copy of the traffic selectors, as the POST hook should not
+ * change payloads */
+ my_ts = this->tsr->clone_offset(this->tsr,
+ offsetof(traffic_selector_t, clone));
+ other_ts = this->tsi->clone_offset(this->tsi,
+ offsetof(traffic_selector_t, clone));
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_RESPONDER_POST, my_ts, other_ts);
+ if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0)
+ {
+ status = FAILED;
+ }
+ else
+ {
+ status = this->child_sa->add_policies(this->child_sa,
+ my_ts, other_ts);
+ }
+ my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy));
+ other_ts->destroy_offset(other_ts, offsetof(traffic_selector_t, destroy));
+ }
+ if (status != SUCCESS)
+ {
+ DBG1(DBG_IKE, "unable to install IPsec policies (SPD) in kernel");
+ return NOT_FOUND;
+ }
+
+ charon->bus->child_keys(charon->bus, this->child_sa, this->initiator,
+ this->dh, nonce_i, nonce_r);
+
+ /* add to IKE_SA, and remove from task */
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ this->ike_sa->add_child_sa(this->ike_sa, this->child_sa);
+ this->established = TRUE;
+
+ if (!this->rekey)
+ { /* a rekeyed SA uses the same reqid, no need for a new job */
+ schedule_inactivity_timeout(this);
+ }
+ return SUCCESS;
+}
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_child_create_t *this, message_t *message)
+{
+ sa_payload_t *sa_payload;
+ nonce_payload_t *nonce_payload;
+ ke_payload_t *ke_payload;
+ ts_payload_t *ts_payload;
+
+ /* add SA payload */
+ if (this->initiator)
+ {
+ sa_payload = sa_payload_create_from_proposals_v2(this->proposals);
+ }
+ else
+ {
+ sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
+ }
+ message->add_payload(message, (payload_t*)sa_payload);
+
+ /* add nonce payload if not in IKE_AUTH */
+ if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+ {
+ nonce_payload = nonce_payload_create(NONCE);
+ nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+ message->add_payload(message, (payload_t*)nonce_payload);
+ }
+
+ /* diffie hellman exchange, if PFS enabled */
+ if (this->dh)
+ {
+ ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE,
+ this->dh);
+ message->add_payload(message, (payload_t*)ke_payload);
+ }
+
+ /* add TSi/TSr payloads */
+ ts_payload = ts_payload_create_from_traffic_selectors(TRUE, this->tsi);
+ message->add_payload(message, (payload_t*)ts_payload);
+ ts_payload = ts_payload_create_from_traffic_selectors(FALSE, this->tsr);
+ message->add_payload(message, (payload_t*)ts_payload);
+
+ /* add a notify if we are not in tunnel mode */
+ switch (this->mode)
+ {
+ case MODE_TRANSPORT:
+ message->add_notify(message, FALSE, USE_TRANSPORT_MODE, chunk_empty);
+ break;
+ case MODE_BEET:
+ message->add_notify(message, FALSE, USE_BEET_MODE, chunk_empty);
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Adds an IPCOMP_SUPPORTED notify to the message, allocating a CPI
+ */
+static void add_ipcomp_notify(private_child_create_t *this,
+ message_t *message, u_int8_t ipcomp)
+{
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+ {
+ DBG1(DBG_IKE, "IPComp is not supported if either peer is natted, "
+ "IPComp disabled");
+ return;
+ }
+
+ this->my_cpi = this->child_sa->alloc_cpi(this->child_sa);
+ if (this->my_cpi)
+ {
+ this->ipcomp = ipcomp;
+ message->add_notify(message, FALSE, IPCOMP_SUPPORTED,
+ chunk_cata("cc", chunk_from_thing(this->my_cpi),
+ chunk_from_thing(ipcomp)));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "unable to allocate a CPI from kernel, IPComp disabled");
+ }
+}
+
+/**
+ * handle a received notify payload
+ */
+static void handle_notify(private_child_create_t *this, notify_payload_t *notify)
+{
+ switch (notify->get_notify_type(notify))
+ {
+ case USE_TRANSPORT_MODE:
+ this->mode = MODE_TRANSPORT;
+ break;
+ case USE_BEET_MODE:
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_STRONGSWAN))
+ { /* handle private use notify only if we know its meaning */
+ this->mode = MODE_BEET;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received a notify strongSwan uses for BEET "
+ "mode, but peer implementation unknown, skipped");
+ }
+ break;
+ case IPCOMP_SUPPORTED:
+ {
+ ipcomp_transform_t ipcomp;
+ u_int16_t cpi;
+ chunk_t data;
+
+ data = notify->get_notification_data(notify);
+ cpi = *(u_int16_t*)data.ptr;
+ ipcomp = (ipcomp_transform_t)(*(data.ptr + 2));
+ switch (ipcomp)
+ {
+ case IPCOMP_DEFLATE:
+ this->other_cpi = cpi;
+ this->ipcomp_received = ipcomp;
+ break;
+ case IPCOMP_LZS:
+ case IPCOMP_LZJH:
+ default:
+ DBG1(DBG_IKE, "received IPCOMP_SUPPORTED notify with a "
+ "transform ID we don't support %N",
+ ipcomp_transform_names, ipcomp);
+ break;
+ }
+ break;
+ }
+ case ESP_TFC_PADDING_NOT_SUPPORTED:
+ DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding",
+ notify_type_names, notify->get_notify_type(notify));
+ this->tfcv3 = FALSE;
+ break;
+ default:
+ break;
+ }
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_child_create_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ sa_payload_t *sa_payload;
+ ke_payload_t *ke_payload;
+ ts_payload_t *ts_payload;
+
+ /* defaults to TUNNEL mode */
+ this->mode = MODE_TUNNEL;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case SECURITY_ASSOCIATION:
+ sa_payload = (sa_payload_t*)payload;
+ this->proposals = sa_payload->get_proposals(sa_payload);
+ break;
+ case KEY_EXCHANGE:
+ ke_payload = (ke_payload_t*)payload;
+ if (!this->initiator)
+ {
+ this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+ this->dh = this->keymat->keymat.create_dh(
+ &this->keymat->keymat, this->dh_group);
+ }
+ if (this->dh)
+ {
+ this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload));
+ }
+ break;
+ case TRAFFIC_SELECTOR_INITIATOR:
+ ts_payload = (ts_payload_t*)payload;
+ this->tsi = ts_payload->get_traffic_selectors(ts_payload);
+ break;
+ case TRAFFIC_SELECTOR_RESPONDER:
+ ts_payload = (ts_payload_t*)payload;
+ this->tsr = ts_payload->get_traffic_selectors(ts_payload);
+ break;
+ case NOTIFY:
+ handle_notify(this, (notify_payload_t*)payload);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_child_create_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ host_t *vip;
+ peer_cfg_t *peer_cfg;
+ linked_list_t *list;
+
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->my_nonce);
+ case CREATE_CHILD_SA:
+ if (generate_nonce(this) != SUCCESS)
+ {
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+ if (!this->retry)
+ {
+ this->dh_group = this->config->get_dh_group(this->config);
+ }
+ break;
+ case IKE_AUTH:
+ if (message->get_message_id(message) != 1)
+ {
+ /* send only in the first request, not in subsequent rounds */
+ return NEED_MORE;
+ }
+ break;
+ default:
+ break;
+ }
+
+ if (this->reqid)
+ {
+ DBG0(DBG_IKE, "establishing CHILD_SA %s{%d}",
+ this->config->get_name(this->config), this->reqid);
+ }
+ else
+ {
+ DBG0(DBG_IKE, "establishing CHILD_SA %s",
+ this->config->get_name(this->config));
+ }
+
+ /* check if we want a virtual IP, but don't have one */
+ list = linked_list_create();
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!this->reqid)
+ {
+ enumerator = peer_cfg->create_virtual_ip_enumerator(peer_cfg);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ /* propose a 0.0.0.0/0 or ::/0 subnet when we use virtual ip */
+ vip = host_create_any(vip->get_family(vip));
+ list->insert_last(list, vip);
+ }
+ enumerator->destroy(enumerator);
+ }
+ if (list->get_count(list))
+ {
+ this->tsi = this->config->get_traffic_selectors(this->config,
+ TRUE, NULL, list);
+ list->destroy_offset(list, offsetof(host_t, destroy));
+ }
+ else
+ { /* no virtual IPs configured */
+ list->destroy(list);
+ list = get_dynamic_hosts(this->ike_sa, TRUE);
+ this->tsi = this->config->get_traffic_selectors(this->config,
+ TRUE, NULL, list);
+ list->destroy(list);
+ }
+ list = get_dynamic_hosts(this->ike_sa, FALSE);
+ this->tsr = this->config->get_traffic_selectors(this->config,
+ FALSE, NULL, list);
+ list->destroy(list);
+
+ if (this->packet_tsi)
+ {
+ this->tsi->insert_first(this->tsi,
+ this->packet_tsi->clone(this->packet_tsi));
+ }
+ if (this->packet_tsr)
+ {
+ this->tsr->insert_first(this->tsr,
+ this->packet_tsr->clone(this->packet_tsr));
+ }
+ this->proposals = this->config->get_proposals(this->config,
+ this->dh_group == MODP_NONE);
+ this->mode = this->config->get_mode(this->config);
+ if (this->mode == MODE_TRANSPORT &&
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY))
+ {
+ this->mode = MODE_TUNNEL;
+ DBG1(DBG_IKE, "not using transport mode, connection NATed");
+ }
+
+ this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+ if (!allocate_spi(this))
+ {
+ DBG1(DBG_IKE, "unable to allocate SPIs from kernel");
+ return FAILED;
+ }
+
+ if (this->dh_group != MODP_NONE)
+ {
+ this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+ this->dh_group);
+ }
+
+ if (this->config->use_ipcomp(this->config))
+ {
+ /* IPCOMP_DEFLATE is the only transform we support at the moment */
+ add_ipcomp_notify(this, message, IPCOMP_DEFLATE);
+ }
+
+ if (message->get_exchange_type(message) == IKE_AUTH)
+ {
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr);
+ }
+ else
+ {
+ charon->bus->narrow(charon->bus, this->child_sa,
+ NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr);
+ }
+
+ build_payloads(this, message);
+
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ this->tsi = NULL;
+ this->tsr = NULL;
+ this->proposals = NULL;
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_child_create_t *this, message_t *message)
+{
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->other_nonce);
+ case CREATE_CHILD_SA:
+ get_nonce(message, &this->other_nonce);
+ break;
+ case IKE_AUTH:
+ if (message->get_message_id(message) != 1)
+ {
+ /* only handle first AUTH payload, not additional rounds */
+ return NEED_MORE;
+ }
+ default:
+ break;
+ }
+
+ process_payloads(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * handle CHILD_SA setup failure
+ */
+static void handle_child_sa_failure(private_child_create_t *this,
+ message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ lib->settings->get_bool(lib->settings,
+ "%s.close_ike_on_child_failure", FALSE, charon->name))
+ {
+ /* we delay the delete for 100ms, as the IKE_AUTH response must arrive
+ * first */
+ DBG1(DBG_IKE, "closing IKE_SA due CHILD_SA setup failure");
+ lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
+ delete_ike_sa_job_create(this->ike_sa->get_id(this->ike_sa), TRUE),
+ 100);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "failed to establish CHILD_SA, keeping IKE_SA");
+ }
+}
+
+METHOD(task_t, build_r, status_t,
+ private_child_create_t *this, message_t *message)
+{
+ peer_cfg_t *peer_cfg;
+ payload_t *payload;
+ enumerator_t *enumerator;
+ bool no_dh = TRUE, ike_auth = FALSE;
+
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->my_nonce);
+ case CREATE_CHILD_SA:
+ if (generate_nonce(this) != SUCCESS)
+ {
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN,
+ chunk_empty);
+ return SUCCESS;
+ }
+ no_dh = FALSE;
+ break;
+ case IKE_AUTH:
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* wait until all authentication round completed */
+ return NEED_MORE;
+ }
+ ike_auth = TRUE;
+ default:
+ break;
+ }
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+ {
+ DBG1(DBG_IKE, "unable to create CHILD_SA while rekeying IKE_SA");
+ message->add_notify(message, TRUE, NO_ADDITIONAL_SAS, chunk_empty);
+ return SUCCESS;
+ }
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!this->config && peer_cfg && this->tsi && this->tsr)
+ {
+ linked_list_t *listr, *listi;
+
+ listr = get_dynamic_hosts(this->ike_sa, TRUE);
+ listi = get_dynamic_hosts(this->ike_sa, FALSE);
+ this->config = peer_cfg->select_child_cfg(peer_cfg,
+ this->tsr, this->tsi, listr, listi);
+ listr->destroy(listr);
+ listi->destroy(listi);
+ }
+
+ if (this->config == NULL)
+ {
+ DBG1(DBG_IKE, "traffic selectors %#R=== %#R inacceptable",
+ this->tsr, this->tsi);
+ message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+
+ /* check if ike_config_t included non-critical error notifies */
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+
+ switch (notify->get_notify_type(notify))
+ {
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ {
+ DBG1(DBG_IKE,"configuration payload negotiation "
+ "failed, no CHILD_SA built");
+ enumerator->destroy(enumerator);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+ default:
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ this->child_sa = child_sa_create(this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa), this->config, this->reqid,
+ this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
+
+ if (this->ipcomp_received != IPCOMP_NONE)
+ {
+ if (this->config->use_ipcomp(this->config))
+ {
+ add_ipcomp_notify(this, message, this->ipcomp_received);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received %N notify but IPComp is disabled, ignoring",
+ notify_type_names, IPCOMP_SUPPORTED);
+ }
+ }
+
+ switch (select_and_install(this, no_dh, ike_auth))
+ {
+ case SUCCESS:
+ break;
+ case NOT_FOUND:
+ message->add_notify(message, FALSE, TS_UNACCEPTABLE, chunk_empty);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ case INVALID_ARG:
+ {
+ u_int16_t group = htons(this->dh_group);
+ message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+ chunk_from_thing(group));
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+ case FAILED:
+ default:
+ message->add_notify(message, FALSE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+
+ build_payloads(this, message);
+
+ DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ this->child_sa->get_name(this->child_sa),
+ this->child_sa->get_reqid(this->child_sa),
+ ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+ ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+ this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+ this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+
+ if (!this->rekey)
+ { /* invoke the child_up() hook if we are not rekeying */
+ charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_child_create_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ bool no_dh = TRUE, ike_auth = FALSE;
+
+ switch (message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ return get_nonce(message, &this->other_nonce);
+ case CREATE_CHILD_SA:
+ get_nonce(message, &this->other_nonce);
+ no_dh = FALSE;
+ break;
+ case IKE_AUTH:
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* wait until all authentication round completed */
+ return NEED_MORE;
+ }
+ ike_auth = TRUE;
+ default:
+ break;
+ }
+
+ /* check for erronous notifies */
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ /* handle notify errors related to CHILD_SA only */
+ case NO_PROPOSAL_CHOSEN:
+ case SINGLE_PAIR_REQUIRED:
+ case NO_ADDITIONAL_SAS:
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ case TS_UNACCEPTABLE:
+ case INVALID_SELECTORS:
+ {
+ DBG1(DBG_IKE, "received %N notify, no CHILD_SA built",
+ notify_type_names, type);
+ enumerator->destroy(enumerator);
+ handle_child_sa_failure(this, message);
+ /* an error in CHILD_SA creation is not critical */
+ return SUCCESS;
+ }
+ case INVALID_KE_PAYLOAD:
+ {
+ chunk_t data;
+ u_int16_t group = MODP_NONE;
+
+ data = notify->get_notification_data(notify);
+ if (data.len == sizeof(group))
+ {
+ memcpy(&group, data.ptr, data.len);
+ group = ntohs(group);
+ }
+ DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+ "it requested %N", diffie_hellman_group_names,
+ this->dh_group, diffie_hellman_group_names, group);
+ this->retry = TRUE;
+ this->dh_group = group;
+ this->public.task.migrate(&this->public.task, this->ike_sa);
+ enumerator->destroy(enumerator);
+ return NEED_MORE;
+ }
+ default:
+ {
+ if (message->get_exchange_type(message) == CREATE_CHILD_SA)
+ { /* handle notifies if not handled in IKE_AUTH */
+ if (type <= 16383)
+ {
+ DBG1(DBG_IKE, "received %N notify error",
+ notify_type_names, type);
+ enumerator->destroy(enumerator);
+ return SUCCESS;
+ }
+ DBG2(DBG_IKE, "received %N notify",
+ notify_type_names, type);
+ }
+ break;
+ }
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ process_payloads(this, message);
+
+ if (this->ipcomp == IPCOMP_NONE && this->ipcomp_received != IPCOMP_NONE)
+ {
+ DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify without requesting"
+ " one, no CHILD_SA built");
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+ else if (this->ipcomp != IPCOMP_NONE && this->ipcomp_received == IPCOMP_NONE)
+ {
+ DBG1(DBG_IKE, "peer didn't accept our proposed IPComp transforms, "
+ "IPComp is disabled");
+ this->ipcomp = IPCOMP_NONE;
+ }
+ else if (this->ipcomp != IPCOMP_NONE && this->ipcomp != this->ipcomp_received)
+ {
+ DBG1(DBG_IKE, "received an IPCOMP_SUPPORTED notify we didn't propose, "
+ "no CHILD_SA built");
+ handle_child_sa_failure(this, message);
+ return SUCCESS;
+ }
+
+ if (select_and_install(this, no_dh, ike_auth) == SUCCESS)
+ {
+ DBG0(DBG_IKE, "CHILD_SA %s{%d} established "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ this->child_sa->get_name(this->child_sa),
+ this->child_sa->get_reqid(this->child_sa),
+ ntohl(this->child_sa->get_spi(this->child_sa, TRUE)),
+ ntohl(this->child_sa->get_spi(this->child_sa, FALSE)),
+ this->child_sa->get_traffic_selectors(this->child_sa, TRUE),
+ this->child_sa->get_traffic_selectors(this->child_sa, FALSE));
+
+ if (!this->rekey)
+ { /* invoke the child_up() hook if we are not rekeying */
+ charon->bus->child_updown(charon->bus, this->child_sa, TRUE);
+ }
+ }
+ else
+ {
+ handle_child_sa_failure(this, message);
+ }
+ return SUCCESS;
+}
+
+METHOD(child_create_t, use_reqid, void,
+ private_child_create_t *this, u_int32_t reqid)
+{
+ this->reqid = reqid;
+}
+
+METHOD(child_create_t, get_child, child_sa_t*,
+ private_child_create_t *this)
+{
+ return this->child_sa;
+}
+
+METHOD(child_create_t, set_config, void,
+ private_child_create_t *this, child_cfg_t *cfg)
+{
+ DESTROY_IF(this->config);
+ this->config = cfg;
+}
+
+METHOD(child_create_t, get_lower_nonce, chunk_t,
+ private_child_create_t *this)
+{
+ if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+ min(this->my_nonce.len, this->other_nonce.len)) < 0)
+ {
+ return this->my_nonce;
+ }
+ else
+ {
+ return this->other_nonce;
+ }
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_child_create_t *this)
+{
+ return TASK_CHILD_CREATE;
+}
+
+METHOD(task_t, migrate, void,
+ private_child_create_t *this, ike_sa_t *ike_sa)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ if (this->tsr)
+ {
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ }
+ if (this->tsi)
+ {
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ }
+ DESTROY_IF(this->child_sa);
+ DESTROY_IF(this->proposal);
+ DESTROY_IF(this->dh);
+ if (this->proposals)
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ }
+
+ this->ike_sa = ike_sa;
+ this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+ this->proposal = NULL;
+ this->proposals = NULL;
+ this->tsi = NULL;
+ this->tsr = NULL;
+ this->dh = NULL;
+ this->child_sa = NULL;
+ this->mode = MODE_TUNNEL;
+ this->ipcomp = IPCOMP_NONE;
+ this->ipcomp_received = IPCOMP_NONE;
+ this->other_cpi = 0;
+ this->reqid = 0;
+ this->established = FALSE;
+}
+
+METHOD(task_t, destroy, void,
+ private_child_create_t *this)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ if (this->tsr)
+ {
+ this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy));
+ }
+ if (this->tsi)
+ {
+ this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy));
+ }
+ if (!this->established)
+ {
+ DESTROY_IF(this->child_sa);
+ }
+ DESTROY_IF(this->packet_tsi);
+ DESTROY_IF(this->packet_tsr);
+ DESTROY_IF(this->proposal);
+ DESTROY_IF(this->dh);
+ if (this->proposals)
+ {
+ this->proposals->destroy_offset(this->proposals, offsetof(proposal_t, destroy));
+ }
+
+ DESTROY_IF(this->config);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+ child_cfg_t *config, bool rekey,
+ traffic_selector_t *tsi, traffic_selector_t *tsr)
+{
+ private_child_create_t *this;
+
+ INIT(this,
+ .public = {
+ .get_child = _get_child,
+ .set_config = _set_config,
+ .get_lower_nonce = _get_lower_nonce,
+ .use_reqid = _use_reqid,
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .config = config,
+ .packet_tsi = tsi ? tsi->clone(tsi) : NULL,
+ .packet_tsr = tsr ? tsr->clone(tsr) : NULL,
+ .dh_group = MODP_NONE,
+ .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
+ .mode = MODE_TUNNEL,
+ .tfcv3 = TRUE,
+ .ipcomp = IPCOMP_NONE,
+ .ipcomp_received = IPCOMP_NONE,
+ .rekey = rekey,
+ .retry = FALSE,
+ );
+
+ if (config)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ this->initiator = TRUE;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ this->initiator = FALSE;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/child_create.h b/src/libcharon/sa/ikev2/tasks/child_create.h
new file mode 100644
index 000000000..d29ba3d98
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_create.h
@@ -0,0 +1,90 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_create child_create
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef CHILD_CREATE_H_
+#define CHILD_CREATE_H_
+
+typedef struct child_create_t child_create_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+#include <config/child_cfg.h>
+
+/**
+ * Task of type TASK_CHILD_CREATE, established a new CHILD_SA.
+ *
+ * This task may be included in the IKE_AUTH message or in a separate
+ * CREATE_CHILD_SA exchange.
+ */
+struct child_create_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Use a specific reqid for the CHILD_SA.
+ *
+ * When this task is used for rekeying, the same reqid is used
+ * for the new CHILD_SA.
+ *
+ * @param reqid reqid to use
+ */
+ void (*use_reqid) (child_create_t *this, u_int32_t reqid);
+
+ /**
+ * Get the lower of the two nonces, used for rekey collisions.
+ *
+ * @return lower nonce
+ */
+ chunk_t (*get_lower_nonce) (child_create_t *this);
+
+ /**
+ * Get the CHILD_SA established/establishing by this task.
+ *
+ * @return child_sa
+ */
+ child_sa_t* (*get_child) (child_create_t *this);
+
+ /**
+ * Enforce a specific CHILD_SA config as responder.
+ *
+ * @param cfg configuration to enforce, reference gets owned
+ */
+ void (*set_config)(child_create_t *this, child_cfg_t *cfg);
+};
+
+/**
+ * Create a new child_create task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param config child_cfg if task initiator, NULL if responder
+ * @param rekey whether we do a rekey or not
+ * @param tsi source of triggering packet, or NULL
+ * @param tsr destination of triggering packet, or NULL
+ * @return child_create task to handle by the task_manager
+ */
+child_create_t *child_create_create(ike_sa_t *ike_sa,
+ child_cfg_t *config, bool rekey,
+ traffic_selector_t *tsi, traffic_selector_t *tsr);
+
+#endif /** CHILD_CREATE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.c b/src/libcharon/sa/ikev2/tasks/child_delete.c
new file mode 100644
index 000000000..644af782c
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.c
@@ -0,0 +1,410 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_child_delete_t private_child_delete_t;
+
+/**
+ * Private members of a child_delete_t task.
+ */
+struct private_child_delete_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_delete_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Protocol of CHILD_SA to delete
+ */
+ protocol_id_t protocol;
+
+ /**
+ * Inbound SPI of CHILD_SA to delete
+ */
+ u_int32_t spi;
+
+ /**
+ * whether to enforce delete action policy
+ */
+ bool check_delete_action;
+
+ /**
+ * is this delete exchange following a rekey?
+ */
+ bool rekeyed;
+
+ /**
+ * CHILD_SA already expired?
+ */
+ bool expired;
+
+ /**
+ * CHILD_SAs which get deleted
+ */
+ linked_list_t *child_sas;
+};
+
+/**
+ * build the delete payloads from the listed child_sas
+ */
+static void build_payloads(private_child_delete_t *this, message_t *message)
+{
+ delete_payload_t *ah = NULL, *esp = NULL;
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+
+ enumerator = this->child_sas->create_enumerator(this->child_sas);
+ while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ {
+ protocol_id_t protocol = child_sa->get_protocol(child_sa);
+ u_int32_t spi = child_sa->get_spi(child_sa, TRUE);
+
+ switch (protocol)
+ {
+ case PROTO_ESP:
+ if (esp == NULL)
+ {
+ esp = delete_payload_create(DELETE, PROTO_ESP);
+ message->add_payload(message, (payload_t*)esp);
+ }
+ esp->add_spi(esp, spi);
+ DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+ protocol_id_names, protocol, ntohl(spi));
+ break;
+ case PROTO_AH:
+ if (ah == NULL)
+ {
+ ah = delete_payload_create(DELETE, PROTO_AH);
+ message->add_payload(message, (payload_t*)ah);
+ }
+ ah->add_spi(ah, spi);
+ DBG1(DBG_IKE, "sending DELETE for %N CHILD_SA with SPI %.8x",
+ protocol_id_names, protocol, ntohl(spi));
+ break;
+ default:
+ break;
+ }
+ child_sa->set_state(child_sa, CHILD_DELETING);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * read in payloads and find the children to delete
+ */
+static void process_payloads(private_child_delete_t *this, message_t *message)
+{
+ enumerator_t *payloads, *spis;
+ payload_t *payload;
+ delete_payload_t *delete_payload;
+ u_int32_t spi;
+ protocol_id_t protocol;
+ child_sa_t *child_sa;
+
+ payloads = message->create_payload_enumerator(message);
+ while (payloads->enumerate(payloads, &payload))
+ {
+ if (payload->get_type(payload) == DELETE)
+ {
+ delete_payload = (delete_payload_t*)payload;
+ protocol = delete_payload->get_protocol_id(delete_payload);
+ if (protocol != PROTO_ESP && protocol != PROTO_AH)
+ {
+ continue;
+ }
+ spis = delete_payload->create_spi_enumerator(delete_payload);
+ while (spis->enumerate(spis, &spi))
+ {
+ child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+ spi, FALSE);
+ if (child_sa == NULL)
+ {
+ DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x, "
+ "but no such SA", protocol_id_names, protocol, ntohl(spi));
+ continue;
+ }
+ DBG1(DBG_IKE, "received DELETE for %N CHILD_SA with SPI %.8x",
+ protocol_id_names, protocol, ntohl(spi));
+
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_REKEYING:
+ this->rekeyed = TRUE;
+ /* we reply as usual, rekeying will fail */
+ break;
+ case CHILD_DELETING:
+ /* we don't send back a delete if we initiated ourself */
+ if (!this->initiator)
+ {
+ this->ike_sa->destroy_child_sa(this->ike_sa,
+ protocol, spi);
+ continue;
+ }
+ /* fall through */
+ case CHILD_INSTALLED:
+ if (!this->initiator)
+ { /* reestablish installed children if required */
+ this->check_delete_action = TRUE;
+ }
+ default:
+ break;
+ }
+
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ }
+ spis->destroy(spis);
+ }
+ }
+ payloads->destroy(payloads);
+}
+
+/**
+ * destroy the children listed in this->child_sas, reestablish by policy
+ */
+static status_t destroy_and_reestablish(private_child_delete_t *this)
+{
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ child_cfg_t *child_cfg;
+ protocol_id_t protocol;
+ u_int32_t spi;
+ action_t action;
+ status_t status = SUCCESS;
+
+ enumerator = this->child_sas->create_enumerator(this->child_sas);
+ while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ {
+ /* signal child down event if we are not rekeying */
+ if (!this->rekeyed)
+ {
+ charon->bus->child_updown(charon->bus, child_sa, FALSE);
+ }
+ spi = child_sa->get_spi(child_sa, TRUE);
+ protocol = child_sa->get_protocol(child_sa);
+ child_cfg = child_sa->get_config(child_sa);
+ child_cfg->get_ref(child_cfg);
+ action = child_sa->get_close_action(child_sa);
+ this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi);
+ if (this->check_delete_action)
+ { /* enforce child_cfg policy if deleted passively */
+ switch (action)
+ {
+ case ACTION_RESTART:
+ child_cfg->get_ref(child_cfg);
+ status = this->ike_sa->initiate(this->ike_sa, child_cfg, 0,
+ NULL, NULL);
+ break;
+ case ACTION_ROUTE:
+ charon->traps->install(charon->traps,
+ this->ike_sa->get_peer_cfg(this->ike_sa), child_cfg);
+ break;
+ default:
+ break;
+ }
+ }
+ child_cfg->destroy(child_cfg);
+ if (status != SUCCESS)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return status;
+}
+
+/**
+ * send closing signals for all CHILD_SAs over the bus
+ */
+static void log_children(private_child_delete_t *this)
+{
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ u_int64_t bytes_in, bytes_out;
+
+ enumerator = this->child_sas->create_enumerator(this->child_sas);
+ while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ {
+ if (this->expired)
+ {
+ DBG0(DBG_IKE, "closing expired CHILD_SA %s{%d} "
+ "with SPIs %.8x_i %.8x_o and TS %#R=== %#R",
+ child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ ntohl(child_sa->get_spi(child_sa, TRUE)),
+ ntohl(child_sa->get_spi(child_sa, FALSE)),
+ child_sa->get_traffic_selectors(child_sa, TRUE),
+ child_sa->get_traffic_selectors(child_sa, FALSE));
+ }
+ else
+ {
+ child_sa->get_usestats(child_sa, TRUE, NULL, &bytes_in);
+ child_sa->get_usestats(child_sa, FALSE, NULL, &bytes_out);
+
+ DBG0(DBG_IKE, "closing CHILD_SA %s{%d} with SPIs %.8x_i "
+ "(%llu bytes) %.8x_o (%llu bytes) and TS %#R=== %#R",
+ child_sa->get_name(child_sa), child_sa->get_reqid(child_sa),
+ ntohl(child_sa->get_spi(child_sa, TRUE)), bytes_in,
+ ntohl(child_sa->get_spi(child_sa, FALSE)), bytes_out,
+ child_sa->get_traffic_selectors(child_sa, TRUE),
+ child_sa->get_traffic_selectors(child_sa, FALSE));
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_child_delete_t *this, message_t *message)
+{
+ child_sa_t *child_sa;
+
+ child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+ this->spi, TRUE);
+ if (!child_sa)
+ { /* check if it is an outbound sa */
+ child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+ this->spi, FALSE);
+ if (!child_sa)
+ { /* child does not exist anymore */
+ return SUCCESS;
+ }
+ /* we work only with the inbound SPI */
+ this->spi = child_sa->get_spi(child_sa, TRUE);
+ }
+ this->child_sas->insert_last(this->child_sas, child_sa);
+ if (child_sa->get_state(child_sa) == CHILD_REKEYING)
+ {
+ this->rekeyed = TRUE;
+ }
+ log_children(this);
+ build_payloads(this, message);
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_child_delete_t *this, message_t *message)
+{
+ /* flush the list before adding new SAs */
+ this->child_sas->destroy(this->child_sas);
+ this->child_sas = linked_list_create();
+
+ process_payloads(this, message);
+ DBG1(DBG_IKE, "CHILD_SA closed");
+ return destroy_and_reestablish(this);
+}
+
+METHOD(task_t, process_r, status_t,
+ private_child_delete_t *this, message_t *message)
+{
+ process_payloads(this, message);
+ log_children(this);
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_child_delete_t *this, message_t *message)
+{
+ /* if we are rekeying, we send an empty informational */
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_REKEYING)
+ {
+ build_payloads(this, message);
+ }
+ DBG1(DBG_IKE, "CHILD_SA closed");
+ return destroy_and_reestablish(this);
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_child_delete_t *this)
+{
+ return TASK_CHILD_DELETE;
+}
+
+METHOD(child_delete_t , get_child, child_sa_t*,
+ private_child_delete_t *this)
+{
+ child_sa_t *child_sa = NULL;
+ this->child_sas->get_first(this->child_sas, (void**)&child_sa);
+ return child_sa;
+}
+
+METHOD(task_t, migrate, void,
+ private_child_delete_t *this, ike_sa_t *ike_sa)
+{
+ this->check_delete_action = FALSE;
+ this->ike_sa = ike_sa;
+
+ this->child_sas->destroy(this->child_sas);
+ this->child_sas = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+ private_child_delete_t *this)
+{
+ this->child_sas->destroy(this->child_sas);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+ u_int32_t spi, bool expired)
+{
+ private_child_delete_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .get_child = _get_child,
+ },
+ .ike_sa = ike_sa,
+ .child_sas = linked_list_create(),
+ .protocol = protocol,
+ .spi = spi,
+ .expired = expired,
+ );
+
+ if (protocol != PROTO_NONE)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ this->initiator = TRUE;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ this->initiator = FALSE;
+ }
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/child_delete.h b/src/libcharon/sa/ikev2/tasks/child_delete.h
new file mode 100644
index 000000000..1ada0699e
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_delete.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_delete child_delete
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef CHILD_DELETE_H_
+#define CHILD_DELETE_H_
+
+typedef struct child_delete_t child_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+#include <sa/child_sa.h>
+
+/**
+ * Task of type child_delete, delete a CHILD_SA.
+ */
+struct child_delete_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Get the CHILD_SA to delete by this task.
+ *
+ * @return child_sa
+ */
+ child_sa_t* (*get_child) (child_delete_t *this);
+};
+
+/**
+ * Create a new child_delete task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param protocol protocol of CHILD_SA to delete, PROTO_NONE as responder
+ * @param spi inbound SPI of CHILD_SA to delete
+ * @param expired TRUE if CHILD_SA already expired
+ * @return child_delete task to handle by the task_manager
+ */
+child_delete_t *child_delete_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+ u_int32_t spi, bool expired);
+
+#endif /** CHILD_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.c b/src/libcharon/sa/ikev2/tasks/child_rekey.c
new file mode 100644
index 000000000..f8c2ed141
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.c
@@ -0,0 +1,485 @@
+/*
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "child_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/ikev2/tasks/child_create.h>
+#include <sa/ikev2/tasks/child_delete.h>
+#include <processing/jobs/rekey_child_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+
+typedef struct private_child_rekey_t private_child_rekey_t;
+
+/**
+ * Private members of a child_rekey_t task.
+ */
+struct private_child_rekey_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ child_rekey_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Protocol of CHILD_SA to rekey
+ */
+ protocol_id_t protocol;
+
+ /**
+ * Inbound SPI of CHILD_SA to rekey
+ */
+ u_int32_t spi;
+
+ /**
+ * the CHILD_CREATE task which is reused to simplify rekeying
+ */
+ child_create_t *child_create;
+
+ /**
+ * the CHILD_DELETE task to delete rekeyed CHILD_SA
+ */
+ child_delete_t *child_delete;
+
+ /**
+ * CHILD_SA which gets rekeyed
+ */
+ child_sa_t *child_sa;
+
+ /**
+ * colliding task, may be delete or rekey
+ */
+ task_t *collision;
+
+ /**
+ * Indicate that peer destroyed the redundant child from collision.
+ * This happens if a peer's delete notification for the redundant
+ * child gets processed before the rekey job. If so, we must not
+ * touch the child created in the collision since it points to
+ * memory already freed.
+ */
+ bool other_child_destroyed;
+};
+
+/**
+ * Implementation of task_t.build for initiator, after rekeying
+ */
+static status_t build_i_delete(private_child_rekey_t *this, message_t *message)
+{
+ /* update exchange type to INFORMATIONAL for the delete */
+ message->set_exchange_type(message, INFORMATIONAL);
+
+ return this->child_delete->task.build(&this->child_delete->task, message);
+}
+
+/**
+ * Implementation of task_t.process for initiator, after rekeying
+ */
+static status_t process_i_delete(private_child_rekey_t *this, message_t *message)
+{
+ return this->child_delete->task.process(&this->child_delete->task, message);
+}
+
+/**
+ * find a child using the REKEY_SA notify
+ */
+static void find_child(private_child_rekey_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ protocol_id_t protocol;
+ u_int32_t spi;
+
+ notify = message->get_notify(message, REKEY_SA);
+ if (notify)
+ {
+ protocol = notify->get_protocol_id(notify);
+ spi = notify->get_spi(notify);
+
+ if (protocol == PROTO_ESP || protocol == PROTO_AH)
+ {
+ this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, protocol,
+ spi, FALSE);
+ }
+ }
+}
+
+METHOD(task_t, build_i, status_t,
+ private_child_rekey_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ u_int32_t reqid;
+ child_cfg_t *config;
+
+ this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+ this->spi, TRUE);
+ if (!this->child_sa)
+ { /* check if it is an outbound CHILD_SA */
+ this->child_sa = this->ike_sa->get_child_sa(this->ike_sa, this->protocol,
+ this->spi, FALSE);
+ if (!this->child_sa)
+ { /* CHILD_SA is gone, unable to rekey. As an empty CREATE_CHILD_SA
+ * exchange is invalid, we fall back to an INFORMATIONAL exchange.*/
+ message->set_exchange_type(message, INFORMATIONAL);
+ return SUCCESS;
+ }
+ /* we work only with the inbound SPI */
+ this->spi = this->child_sa->get_spi(this->child_sa, TRUE);
+ }
+ config = this->child_sa->get_config(this->child_sa);
+
+ /* we just need the rekey notify ... */
+ notify = notify_payload_create_from_protocol_and_type(NOTIFY,
+ this->protocol, REKEY_SA);
+ notify->set_spi(notify, this->spi);
+ message->add_payload(message, (payload_t*)notify);
+
+ /* ... our CHILD_CREATE task does the hard work for us. */
+ if (!this->child_create)
+ {
+ this->child_create = child_create_create(this->ike_sa,
+ config->get_ref(config), TRUE, NULL, NULL);
+ }
+ reqid = this->child_sa->get_reqid(this->child_sa);
+ this->child_create->use_reqid(this->child_create, reqid);
+ this->child_create->task.build(&this->child_create->task, message);
+
+ this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_child_rekey_t *this, message_t *message)
+{
+ /* let the CHILD_CREATE task process the message */
+ this->child_create->task.process(&this->child_create->task, message);
+
+ find_child(this, message);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_child_rekey_t *this, message_t *message)
+{
+ child_cfg_t *config;
+ u_int32_t reqid;
+
+ if (this->child_sa == NULL ||
+ this->child_sa->get_state(this->child_sa) == CHILD_DELETING)
+ {
+ DBG1(DBG_IKE, "unable to rekey, CHILD_SA not found");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+
+ /* let the CHILD_CREATE task build the response */
+ reqid = this->child_sa->get_reqid(this->child_sa);
+ this->child_create->use_reqid(this->child_create, reqid);
+ config = this->child_sa->get_config(this->child_sa);
+ this->child_create->set_config(this->child_create, config->get_ref(config));
+ this->child_create->task.build(&this->child_create->task, message);
+
+ if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ /* rekeying failed, reuse old child */
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ return SUCCESS;
+ }
+
+ this->child_sa->set_state(this->child_sa, CHILD_REKEYING);
+
+ /* invoke rekey hook */
+ charon->bus->child_rekey(charon->bus, this->child_sa,
+ this->child_create->get_child(this->child_create));
+ return SUCCESS;
+}
+
+/**
+ * Handle a rekey collision
+ */
+static child_sa_t *handle_collision(private_child_rekey_t *this)
+{
+ child_sa_t *to_delete;
+
+ if (this->collision->get_type(this->collision) == TASK_CHILD_REKEY)
+ {
+ chunk_t this_nonce, other_nonce;
+ private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
+
+ this_nonce = this->child_create->get_lower_nonce(this->child_create);
+ other_nonce = other->child_create->get_lower_nonce(other->child_create);
+
+ /* if we have the lower nonce, delete rekeyed SA. If not, delete
+ * the redundant. */
+ if (memcmp(this_nonce.ptr, other_nonce.ptr,
+ min(this_nonce.len, other_nonce.len)) > 0)
+ {
+ child_sa_t *child_sa;
+
+ DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child");
+ to_delete = this->child_sa;
+ /* don't touch child other created, it has already been deleted */
+ if (!this->other_child_destroyed)
+ {
+ /* disable close action for the redundand child */
+ child_sa = other->child_create->get_child(other->child_create);
+ if (child_sa)
+ {
+ child_sa->set_close_action(child_sa, ACTION_NONE);
+ }
+ }
+ }
+ else
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey collision lost, "
+ "deleting rekeyed child");
+ to_delete = this->child_create->get_child(this->child_create);
+ }
+ }
+ else
+ { /* CHILD_DELETE */
+ child_delete_t *del = (child_delete_t*)this->collision;
+
+ /* we didn't had a chance to compare the nonces, so we delete
+ * the CHILD_SA the other is not deleting. */
+ if (del->get_child(del) != this->child_sa)
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+ "deleting rekeyed child");
+ to_delete = this->child_sa;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+ "deleting redundant child");
+ to_delete = this->child_create->get_child(this->child_create);
+ }
+ }
+ return to_delete;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_child_rekey_t *this, message_t *message)
+{
+ protocol_id_t protocol;
+ u_int32_t spi;
+ child_sa_t *to_delete;
+
+ if (message->get_notify(message, NO_ADDITIONAL_SAS))
+ {
+ DBG1(DBG_IKE, "peer seems to not support CHILD_SA rekeying, "
+ "starting reauthentication");
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)rekey_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), TRUE));
+ return SUCCESS;
+ }
+
+ if (this->child_create->task.process(&this->child_create->task,
+ message) == NEED_MORE)
+ {
+ /* bad DH group while rekeying, try again */
+ this->child_create->task.migrate(&this->child_create->task, this->ike_sa);
+ return NEED_MORE;
+ }
+ if (message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ /* establishing new child failed, reuse old. but not when we
+ * received a delete in the meantime */
+ if (!(this->collision &&
+ this->collision->get_type(this->collision) == TASK_CHILD_DELETE))
+ {
+ job_t *job;
+ u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+
+ job = (job_t*)rekey_child_sa_job_create(
+ this->child_sa->get_reqid(this->child_sa),
+ this->child_sa->get_protocol(this->child_sa),
+ this->child_sa->get_spi(this->child_sa, TRUE));
+ DBG1(DBG_IKE, "CHILD_SA rekeying failed, "
+ "trying again in %d seconds", retry);
+ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED);
+ lib->scheduler->schedule_job(lib->scheduler, job, retry);
+ }
+ return SUCCESS;
+ }
+
+ /* check for rekey collisions */
+ if (this->collision)
+ {
+ to_delete = handle_collision(this);
+ }
+ else
+ {
+ to_delete = this->child_sa;
+ }
+
+ if (to_delete != this->child_create->get_child(this->child_create))
+ { /* invoke rekey hook if rekeying successful */
+ charon->bus->child_rekey(charon->bus, this->child_sa,
+ this->child_create->get_child(this->child_create));
+ }
+
+ if (to_delete == NULL)
+ {
+ return SUCCESS;
+ }
+ spi = to_delete->get_spi(to_delete, TRUE);
+ protocol = to_delete->get_protocol(to_delete);
+
+ /* rekeying done, delete the obsolete CHILD_SA using a subtask */
+ this->child_delete = child_delete_create(this->ike_sa, protocol, spi, FALSE);
+ this->public.task.build = (status_t(*)(task_t*,message_t*))build_i_delete;
+ this->public.task.process = (status_t(*)(task_t*,message_t*))process_i_delete;
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_child_rekey_t *this)
+{
+ return TASK_CHILD_REKEY;
+}
+
+METHOD(child_rekey_t, collide, void,
+ private_child_rekey_t *this, task_t *other)
+{
+ /* the task manager only detects exchange collision, but not if
+ * the collision is for the same child. we check it here. */
+ if (other->get_type(other) == TASK_CHILD_REKEY)
+ {
+ private_child_rekey_t *rekey = (private_child_rekey_t*)other;
+ if (rekey->child_sa != this->child_sa)
+ {
+ /* not the same child => no collision */
+ other->destroy(other);
+ return;
+ }
+ }
+ else if (other->get_type(other) == TASK_CHILD_DELETE)
+ {
+ child_delete_t *del = (child_delete_t*)other;
+ if (del->get_child(del) == this->child_create->get_child(this->child_create))
+ {
+ /* peer deletes redundant child created in collision */
+ this->other_child_destroyed = TRUE;
+ other->destroy(other);
+ return;
+ }
+ if (del->get_child(del) != this->child_sa)
+ {
+ /* not the same child => no collision */
+ other->destroy(other);
+ return;
+ }
+ }
+ else
+ {
+ /* any other task is not critical for collisisions, ignore */
+ other->destroy(other);
+ return;
+ }
+ DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
+ TASK_CHILD_REKEY, task_type_names, other->get_type(other));
+ DESTROY_IF(this->collision);
+ this->collision = other;
+}
+
+METHOD(task_t, migrate, void,
+ private_child_rekey_t *this, ike_sa_t *ike_sa)
+{
+ if (this->child_create)
+ {
+ this->child_create->task.migrate(&this->child_create->task, ike_sa);
+ }
+ if (this->child_delete)
+ {
+ this->child_delete->task.migrate(&this->child_delete->task, ike_sa);
+ }
+ DESTROY_IF(this->collision);
+
+ this->ike_sa = ike_sa;
+ this->collision = NULL;
+}
+
+METHOD(task_t, destroy, void,
+ private_child_rekey_t *this)
+{
+ if (this->child_create)
+ {
+ this->child_create->task.destroy(&this->child_create->task);
+ }
+ if (this->child_delete)
+ {
+ this->child_delete->task.destroy(&this->child_delete->task);
+ }
+ DESTROY_IF(this->collision);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+ u_int32_t spi)
+{
+ private_child_rekey_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .collide = _collide,
+ },
+ .ike_sa = ike_sa,
+ .protocol = protocol,
+ .spi = spi,
+ );
+
+ if (protocol != PROTO_NONE)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ this->initiator = TRUE;
+ this->child_create = NULL;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ this->initiator = FALSE;
+ this->child_create = child_create_create(ike_sa, NULL, TRUE, NULL, NULL);
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/child_rekey.h b/src/libcharon/sa/ikev2/tasks/child_rekey.h
new file mode 100644
index 000000000..23384653d
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/child_rekey.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup child_rekey child_rekey
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef CHILD_REKEY_H_
+#define CHILD_REKEY_H_
+
+typedef struct child_rekey_t child_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/child_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_CHILD_REKEY, rekey an established CHILD_SA.
+ */
+struct child_rekey_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Register a rekeying task which collides with this one
+ *
+ * If two peers initiate rekeying at the same time, the collision must
+ * be handled gracefully. The task manager is aware of what exchanges
+ * are going on and notifies the outgoing task by passing the incoming.
+ *
+ * @param other incoming task
+ */
+ void (*collide)(child_rekey_t* this, task_t *other);
+};
+
+/**
+ * Create a new TASK_CHILD_REKEY task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param protocol protocol of CHILD_SA to rekey, PROTO_NONE as responder
+ * @param spi inbound SPI of CHILD_SA to rekey
+ * @return child_rekey task to handle by the task_manager
+ */
+child_rekey_t *child_rekey_create(ike_sa_t *ike_sa, protocol_id_t protocol,
+ u_int32_t spi);
+
+#endif /** CHILD_REKEY_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
new file mode 100644
index 000000000..cd94ccd9e
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -0,0 +1,1110 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2005-2009 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details
+ */
+
+#include "ike_auth.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <encoding/payloads/eap_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+#include <sa/ikev2/authenticators/eap_authenticator.h>
+
+typedef struct private_ike_auth_t private_ike_auth_t;
+
+/**
+ * Private members of a ike_auth_t task.
+ */
+struct private_ike_auth_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_auth_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Nonce chosen by us in ike_init
+ */
+ chunk_t my_nonce;
+
+ /**
+ * Nonce chosen by peer in ike_init
+ */
+ chunk_t other_nonce;
+
+ /**
+ * IKE_SA_INIT message sent by us
+ */
+ packet_t *my_packet;
+
+ /**
+ * IKE_SA_INIT message sent by peer
+ */
+ packet_t *other_packet;
+
+ /**
+ * Reserved bytes of ID payload
+ */
+ char reserved[3];
+
+ /**
+ * currently active authenticator, to authenticate us
+ */
+ authenticator_t *my_auth;
+
+ /**
+ * currently active authenticator, to authenticate peer
+ */
+ authenticator_t *other_auth;
+
+ /**
+ * peer_cfg candidates, ordered by priority
+ */
+ linked_list_t *candidates;
+
+ /**
+ * selected peer config (might change when using multiple authentications)
+ */
+ peer_cfg_t *peer_cfg;
+
+ /**
+ * have we planned an(other) authentication exchange?
+ */
+ bool do_another_auth;
+
+ /**
+ * has the peer announced another authentication exchange?
+ */
+ bool expect_another_auth;
+
+ /**
+ * should we send a AUTHENTICATION_FAILED notify?
+ */
+ bool authentication_failed;
+
+ /**
+ * received an INITIAL_CONTACT?
+ */
+ bool initial_contact;
+};
+
+/**
+ * check if multiple authentication extension is enabled, configuration-wise
+ */
+static bool multiple_auth_enabled()
+{
+ return lib->settings->get_bool(lib->settings,
+ "%s.multiple_authentication", TRUE, charon->name);
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from our message
+ */
+static status_t collect_my_init_data(private_ike_auth_t *this,
+ message_t *message)
+{
+ nonce_payload_t *nonce;
+
+ /* get the nonce that was generated in ike_init */
+ nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (nonce == NULL)
+ {
+ return FAILED;
+ }
+ this->my_nonce = nonce->get_nonce(nonce);
+
+ /* pre-generate the message, keep a copy */
+ if (this->ike_sa->generate_message(this->ike_sa, message,
+ &this->my_packet) != SUCCESS)
+ {
+ return FAILED;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * collect the needed information in the IKE_SA_INIT exchange from others message
+ */
+static status_t collect_other_init_data(private_ike_auth_t *this,
+ message_t *message)
+{
+ /* we collect the needed information in the IKE_SA_INIT exchange */
+ nonce_payload_t *nonce;
+
+ /* get the nonce that was generated in ike_init */
+ nonce = (nonce_payload_t*)message->get_payload(message, NONCE);
+ if (nonce == NULL)
+ {
+ return FAILED;
+ }
+ this->other_nonce = nonce->get_nonce(nonce);
+
+ /* keep a copy of the received packet */
+ this->other_packet = message->get_packet(message);
+ return NEED_MORE;
+}
+
+/**
+ * Get and store reserved bytes of id_payload, required for AUTH payload
+ */
+static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id)
+{
+ u_int8_t *byte;
+ int i;
+
+ for (i = 0; i < countof(this->reserved); i++)
+ {
+ byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i);
+ if (byte)
+ {
+ this->reserved[i] = *byte;
+ }
+ }
+}
+
+/**
+ * Get the next authentication configuration
+ */
+static auth_cfg_t *get_auth_cfg(private_ike_auth_t *this, bool local)
+{
+ enumerator_t *e1, *e2;
+ auth_cfg_t *c1, *c2, *next = NULL;
+
+ /* find an available config not already done */
+ e1 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, local);
+ while (e1->enumerate(e1, &c1))
+ {
+ bool found = FALSE;
+
+ e2 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, local);
+ while (e2->enumerate(e2, &c2))
+ {
+ if (c2->complies(c2, c1, FALSE))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ e2->destroy(e2);
+ if (!found)
+ {
+ next = c1;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ return next;
+}
+
+/**
+ * Check if we have should initiate another authentication round
+ */
+static bool do_another_auth(private_ike_auth_t *this)
+{
+ bool do_another = FALSE;
+ enumerator_t *done, *todo;
+ auth_cfg_t *done_cfg, *todo_cfg;
+
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+ {
+ return FALSE;
+ }
+
+ done = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, TRUE);
+ todo = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, TRUE);
+ while (todo->enumerate(todo, &todo_cfg))
+ {
+ if (!done->enumerate(done, &done_cfg))
+ {
+ done_cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ }
+ if (!done_cfg->complies(done_cfg, todo_cfg, FALSE))
+ {
+ do_another = TRUE;
+ break;
+ }
+ }
+ done->destroy(done);
+ todo->destroy(todo);
+ return do_another;
+}
+
+/**
+ * Get peer configuration candidates from backends
+ */
+static bool load_cfg_candidates(private_ike_auth_t *this)
+{
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ host_t *me, *other;
+ identification_t *my_id, *other_id;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ other = this->ike_sa->get_other_host(this->ike_sa);
+ my_id = this->ike_sa->get_my_id(this->ike_sa);
+ other_id = this->ike_sa->get_other_id(this->ike_sa);
+
+ DBG1(DBG_CFG, "looking for peer configs matching %H[%Y]...%H[%Y]",
+ me, my_id, other, other_id);
+ enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
+ me, other, my_id, other_id, IKEV2);
+ while (enumerator->enumerate(enumerator, &peer_cfg))
+ {
+ peer_cfg->get_ref(peer_cfg);
+ if (this->peer_cfg == NULL)
+ { /* best match */
+ this->peer_cfg = peer_cfg;
+ this->ike_sa->set_peer_cfg(this->ike_sa, peer_cfg);
+ }
+ else
+ {
+ this->candidates->insert_last(this->candidates, peer_cfg);
+ }
+ }
+ enumerator->destroy(enumerator);
+ if (this->peer_cfg)
+ {
+ DBG1(DBG_CFG, "selected peer config '%s'",
+ this->peer_cfg->get_name(this->peer_cfg));
+ return TRUE;
+ }
+ DBG1(DBG_CFG, "no matching peer config found");
+ return FALSE;
+}
+
+/**
+ * update the current peer candidate if necessary, using candidates
+ */
+static bool update_cfg_candidates(private_ike_auth_t *this, bool strict)
+{
+ do
+ {
+ if (this->peer_cfg)
+ {
+ bool complies = TRUE;
+ enumerator_t *e1, *e2, *tmp;
+ auth_cfg_t *c1, *c2;
+
+ e1 = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE);
+ e2 = this->peer_cfg->create_auth_cfg_enumerator(this->peer_cfg, FALSE);
+
+ if (strict)
+ { /* swap lists in strict mode: all configured rounds must be
+ * fulfilled. If !strict, we check only the rounds done so far. */
+ tmp = e1;
+ e1 = e2;
+ e2 = tmp;
+ }
+ while (e1->enumerate(e1, &c1))
+ {
+ /* check if done authentications comply to configured ones */
+ if ((!e2->enumerate(e2, &c2)) ||
+ (!strict && !c1->complies(c1, c2, TRUE)) ||
+ (strict && !c2->complies(c2, c1, TRUE)))
+ {
+ complies = FALSE;
+ break;
+ }
+ }
+ e1->destroy(e1);
+ e2->destroy(e2);
+ if (complies)
+ {
+ break;
+ }
+ DBG1(DBG_CFG, "selected peer config '%s' inacceptable",
+ this->peer_cfg->get_name(this->peer_cfg));
+ this->peer_cfg->destroy(this->peer_cfg);
+ }
+ if (this->candidates->remove_first(this->candidates,
+ (void**)&this->peer_cfg) != SUCCESS)
+ {
+ DBG1(DBG_CFG, "no alternative config found");
+ this->peer_cfg = NULL;
+ }
+ else
+ {
+ DBG1(DBG_CFG, "switching to peer config '%s'",
+ this->peer_cfg->get_name(this->peer_cfg));
+ this->ike_sa->set_peer_cfg(this->ike_sa, this->peer_cfg);
+ }
+ }
+ while (this->peer_cfg);
+
+ return this->peer_cfg != NULL;
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_auth_t *this, message_t *message)
+{
+ auth_cfg_t *cfg;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_my_init_data(this, message);
+ }
+
+ if (this->peer_cfg == NULL)
+ {
+ this->peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->peer_cfg->get_ref(this->peer_cfg);
+ }
+
+ if (message->get_message_id(message) == 1)
+ { /* in the first IKE_AUTH ... */
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_MULTIPLE_AUTH))
+ { /* indicate support for multiple authentication */
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+ chunk_empty);
+ }
+ /* indicate support for EAP-only authentication */
+ message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
+ chunk_empty);
+ }
+
+ if (!this->do_another_auth && !this->my_auth)
+ { /* we have done our rounds */
+ return NEED_MORE;
+ }
+
+ /* check if an authenticator is in progress */
+ if (this->my_auth == NULL)
+ {
+ identification_t *idi, *idr = NULL;
+ id_payload_t *id_payload;
+
+ /* clean up authentication config from a previous round */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->purge(cfg, TRUE);
+
+ /* add (optional) IDr */
+ cfg = get_auth_cfg(this, FALSE);
+ if (cfg)
+ {
+ idr = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ if (!cfg->get(cfg, AUTH_RULE_IDENTITY_LOOSE) && idr &&
+ !idr->contains_wildcards(idr))
+ {
+ this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr));
+ id_payload = id_payload_create_from_identification(
+ ID_RESPONDER, idr);
+ message->add_payload(message, (payload_t*)id_payload);
+ }
+ }
+ /* add IDi */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+ idi = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ if (!idi || idi->get_type(idi) == ID_ANY)
+ { /* ID_ANY is invalid as IDi, use local IP address instead */
+ host_t *me;
+
+ DBG1(DBG_CFG, "no IDi configured, fall back on IP address");
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ idi = identification_create_from_sockaddr(me->get_sockaddr(me));
+ cfg->add(cfg, AUTH_RULE_IDENTITY, idi);
+ }
+ this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi));
+ id_payload = id_payload_create_from_identification(ID_INITIATOR, idi);
+ get_reserved_id_bytes(this, id_payload);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ if (idr && message->get_message_id(message) == 1 &&
+ this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
+ this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
+ {
+ host_t *host;
+
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager,
+ idi, idr, host->get_family(host)))
+ {
+ message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty);
+ }
+ }
+
+ /* build authentication data */
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
+ if (!this->my_auth)
+ {
+ return FAILED;
+ }
+ }
+ switch (this->my_auth->build(this->my_auth, message))
+ {
+ case SUCCESS:
+ /* authentication step complete, reset authenticator */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE), TRUE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ return FAILED;
+ }
+
+ /* check for additional authentication rounds */
+ if (do_another_auth(this))
+ {
+ if (message->get_payload(message, AUTHENTICATION))
+ {
+ message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+ }
+ }
+ else
+ {
+ this->do_another_auth = FALSE;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_auth_t *this, message_t *message)
+{
+ auth_cfg_t *cfg, *cand;
+ id_payload_t *id_payload;
+ identification_t *id;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ return collect_other_init_data(this, message);
+ }
+
+ if (this->my_auth == NULL && this->do_another_auth)
+ {
+ /* handle (optional) IDr payload, apply proposed identity */
+ id_payload = (id_payload_t*)message->get_payload(message, ID_RESPONDER);
+ if (id_payload)
+ {
+ id = id_payload->get_identification(id_payload);
+ }
+ else
+ {
+ id = identification_create_from_encoding(ID_ANY, chunk_empty);
+ }
+ this->ike_sa->set_my_id(this->ike_sa, id);
+ }
+
+ if (!this->expect_another_auth)
+ {
+ return NEED_MORE;
+ }
+
+ if (message->get_message_id(message) == 1)
+ { /* check for extensions in the first IKE_AUTH */
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED))
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
+ if (message->get_notify(message, EAP_ONLY_AUTHENTICATION))
+ {
+ this->ike_sa->enable_extension(this->ike_sa,
+ EXT_EAP_ONLY_AUTHENTICATION);
+ }
+ }
+
+ if (this->other_auth == NULL)
+ {
+ /* handle IDi payload */
+ id_payload = (id_payload_t*)message->get_payload(message, ID_INITIATOR);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "IDi payload missing");
+ return FAILED;
+ }
+ id = id_payload->get_identification(id_payload);
+ get_reserved_id_bytes(this, id_payload);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+ if (this->peer_cfg == NULL)
+ {
+ if (!load_cfg_candidates(this))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ }
+ if (message->get_payload(message, AUTHENTICATION) == NULL)
+ { /* before authenticating with EAP, we need a EAP config */
+ cand = get_auth_cfg(this, FALSE);
+ while (!cand || (
+ (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK &&
+ (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0))
+ { /* peer requested EAP, but current config does not match */
+ DBG1(DBG_IKE, "peer requested EAP, config inacceptable");
+ this->peer_cfg->destroy(this->peer_cfg);
+ this->peer_cfg = NULL;
+ if (!update_cfg_candidates(this, FALSE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ cand = get_auth_cfg(this, FALSE);
+ }
+ /* copy over the EAP specific rules for authentication */
+ cfg->add(cfg, AUTH_RULE_EAP_TYPE,
+ cand->get(cand, AUTH_RULE_EAP_TYPE));
+ cfg->add(cfg, AUTH_RULE_EAP_VENDOR,
+ cand->get(cand, AUTH_RULE_EAP_VENDOR));
+ id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY);
+ if (id)
+ {
+ cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id));
+ }
+ id = (identification_t*)cand->get(cand, AUTH_RULE_AAA_IDENTITY);
+ if (id)
+ {
+ cfg->add(cfg, AUTH_RULE_AAA_IDENTITY, id->clone(id));
+ }
+ }
+
+ /* verify authentication data */
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
+ if (!this->other_auth)
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ }
+ switch (this->other_auth->process(this->other_auth, message))
+ {
+ case SUCCESS:
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
+ break;
+ case NEED_MORE:
+ if (message->get_payload(message, AUTHENTICATION))
+ { /* AUTH verification successful, but another build() needed */
+ break;
+ }
+ return NEED_MORE;
+ default:
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+
+ /* If authenticated (with non-EAP) and received INITIAL_CONTACT,
+ * delete any existing IKE_SAs with that peer. */
+ if (message->get_message_id(message) == 1 &&
+ message->get_notify(message, INITIAL_CONTACT))
+ {
+ this->initial_contact = TRUE;
+ }
+
+ /* another auth round done, invoke authorize hook */
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "authorization hook forbids IKE_SA, cancelling");
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+
+ /* store authentication information */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+
+ if (!update_cfg_candidates(this, FALSE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+
+ if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+ {
+ this->expect_another_auth = FALSE;
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ this->authentication_failed = TRUE;
+ return NEED_MORE;
+ }
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_auth_t *this, message_t *message)
+{
+ auth_cfg_t *cfg;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ if (multiple_auth_enabled())
+ {
+ message->add_notify(message, FALSE, MULTIPLE_AUTH_SUPPORTED,
+ chunk_empty);
+ }
+ return collect_my_init_data(this, message);
+ }
+
+ if (this->authentication_failed || this->peer_cfg == NULL)
+ {
+ goto peer_auth_failed;
+ }
+
+ if (this->my_auth == NULL && this->do_another_auth)
+ {
+ identification_t *id, *id_cfg;
+ id_payload_t *id_payload;
+
+ /* add IDr */
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+ cfg->purge(cfg, TRUE);
+ cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE);
+
+ id_cfg = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ id = this->ike_sa->get_my_id(this->ike_sa);
+ if (id->get_type(id) == ID_ANY)
+ { /* no IDr received, apply configured ID */
+ if (!id_cfg || id_cfg->contains_wildcards(id_cfg))
+ { /* no ID configured, use local IP address */
+ host_t *me;
+
+ DBG1(DBG_CFG, "no IDr configured, fall back on IP address");
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ id_cfg = identification_create_from_sockaddr(
+ me->get_sockaddr(me));
+ cfg->add(cfg, AUTH_RULE_IDENTITY, id_cfg);
+ }
+ this->ike_sa->set_my_id(this->ike_sa, id_cfg->clone(id_cfg));
+ id = id_cfg;
+ }
+ else
+ { /* IDr received, check if it matches configuration */
+ if (id_cfg && !id->matches(id, id_cfg))
+ {
+ DBG1(DBG_CFG, "received IDr %Y, but require %Y", id, id_cfg);
+ goto peer_auth_failed;
+ }
+ }
+
+ id_payload = id_payload_create_from_identification(ID_RESPONDER, id);
+ get_reserved_id_bytes(this, id_payload);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ if (this->initial_contact)
+ {
+ charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+ this->ike_sa, TRUE);
+ this->initial_contact = FALSE;
+ }
+
+ if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP)
+ { /* EAP-only authentication */
+ if (!this->ike_sa->supports_extension(this->ike_sa,
+ EXT_EAP_ONLY_AUTHENTICATION))
+ {
+ DBG1(DBG_IKE, "configured EAP-only authentication, but peer "
+ "does not support it");
+ goto peer_auth_failed;
+ }
+ }
+ else
+ {
+ /* build authentication data */
+ this->my_auth = authenticator_create_builder(this->ike_sa, cfg,
+ this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
+ if (!this->my_auth)
+ {
+ goto peer_auth_failed;
+ }
+ }
+ }
+
+ if (this->other_auth)
+ {
+ switch (this->other_auth->build(this->other_auth, message))
+ {
+ case SUCCESS:
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ if (message->get_payload(message, EXTENSIBLE_AUTHENTICATION))
+ { /* skip AUTHENTICATION_FAILED if we have EAP_FAILURE */
+ goto peer_auth_failed_no_notify;
+ }
+ goto peer_auth_failed;
+ }
+ }
+ if (this->my_auth)
+ {
+ switch (this->my_auth->build(this->my_auth, message))
+ {
+ case SUCCESS:
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+ TRUE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
+ }
+
+ /* check for additional authentication rounds */
+ if (do_another_auth(this))
+ {
+ message->add_notify(message, FALSE, ANOTHER_AUTH_FOLLOWS, chunk_empty);
+ }
+ else
+ {
+ this->do_another_auth = FALSE;
+ }
+ if (!this->do_another_auth && !this->expect_another_auth)
+ {
+ if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager,
+ this->ike_sa, FALSE))
+ {
+ DBG1(DBG_IKE, "cancelling IKE_SA setup due to uniqueness policy");
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+ return FAILED;
+ }
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, cancelling");
+ goto peer_auth_failed;
+ }
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+
+peer_auth_failed:
+ message->add_notify(message, TRUE, AUTHENTICATION_FAILED,
+ chunk_empty);
+peer_auth_failed_no_notify:
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+ return FAILED;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_auth_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ auth_cfg_t *cfg;
+ bool mutual_eap = FALSE;
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ if (message->get_notify(message, MULTIPLE_AUTH_SUPPORTED) &&
+ multiple_auth_enabled())
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MULTIPLE_AUTH);
+ }
+ return collect_other_init_data(this, message);
+ }
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ case NO_PROPOSAL_CHOSEN:
+ case SINGLE_PAIR_REQUIRED:
+ case NO_ADDITIONAL_SAS:
+ case INTERNAL_ADDRESS_FAILURE:
+ case FAILED_CP_REQUIRED:
+ case TS_UNACCEPTABLE:
+ case INVALID_SELECTORS:
+ /* these are errors, but are not critical as only the
+ * CHILD_SA won't get build, but IKE_SA establishes anyway */
+ break;
+ case MOBIKE_SUPPORTED:
+ case ADDITIONAL_IP4_ADDRESS:
+ case ADDITIONAL_IP6_ADDRESS:
+ /* handled in ike_mobike task */
+ break;
+ case AUTH_LIFETIME:
+ /* handled in ike_auth_lifetime task */
+ break;
+ case ME_ENDPOINT:
+ /* handled in ike_me task */
+ break;
+ default:
+ {
+ if (type <= 16383)
+ {
+ DBG1(DBG_IKE, "received %N notify error",
+ notify_type_names, type);
+ enumerator->destroy(enumerator);
+ return FAILED;
+ }
+ DBG2(DBG_IKE, "received %N notify",
+ notify_type_names, type);
+ break;
+ }
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (this->expect_another_auth)
+ {
+ if (this->other_auth == NULL)
+ {
+ id_payload_t *id_payload;
+ identification_t *id;
+
+ /* handle IDr payload */
+ id_payload = (id_payload_t*)message->get_payload(message,
+ ID_RESPONDER);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "IDr payload missing");
+ goto peer_auth_failed;
+ }
+ id = id_payload->get_identification(id_payload);
+ get_reserved_id_bytes(this, id_payload);
+ this->ike_sa->set_other_id(this->ike_sa, id);
+ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+ cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id));
+
+ if (message->get_payload(message, AUTHENTICATION))
+ {
+ /* verify authentication data */
+ this->other_auth = authenticator_create_verifier(this->ike_sa,
+ message, this->other_nonce, this->my_nonce,
+ this->other_packet->get_data(this->other_packet),
+ this->my_packet->get_data(this->my_packet),
+ this->reserved);
+ if (!this->other_auth)
+ {
+ goto peer_auth_failed;
+ }
+ }
+ else
+ {
+ /* responder omitted AUTH payload, indicating EAP-only */
+ mutual_eap = TRUE;
+ }
+ }
+ if (this->other_auth)
+ {
+ switch (this->other_auth->process(this->other_auth, message))
+ {
+ case SUCCESS:
+ break;
+ case NEED_MORE:
+ return NEED_MORE;
+ default:
+ goto peer_auth_failed;
+ }
+ this->other_auth->destroy(this->other_auth);
+ this->other_auth = NULL;
+ }
+ /* another auth round done, invoke authorize hook */
+ if (!charon->bus->authorize(charon->bus, FALSE))
+ {
+ DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling");
+ goto peer_auth_failed;
+ }
+
+ /* store authentication information, reset authenticator */
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg);
+ }
+
+ if (this->my_auth)
+ {
+ switch (this->my_auth->process(this->my_auth, message))
+ {
+ case SUCCESS:
+ cfg = auth_cfg_create();
+ cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, TRUE),
+ TRUE);
+ this->ike_sa->add_auth_cfg(this->ike_sa, TRUE, cfg);
+ this->my_auth->destroy(this->my_auth);
+ this->my_auth = NULL;
+ this->do_another_auth = do_another_auth(this);
+ break;
+ case NEED_MORE:
+ break;
+ default:
+ return FAILED;
+ }
+ }
+ if (mutual_eap)
+ {
+ if (!this->my_auth || !this->my_auth->is_mutual(this->my_auth))
+ {
+ DBG1(DBG_IKE, "do not allow non-mutual EAP-only authentication");
+ goto peer_auth_failed;
+ }
+ DBG1(DBG_IKE, "allow mutual EAP-only authentication");
+ }
+
+ if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS) == NULL)
+ {
+ this->expect_another_auth = FALSE;
+ }
+ if (!this->expect_another_auth && !this->do_another_auth && !this->my_auth)
+ {
+ if (!update_cfg_candidates(this, TRUE))
+ {
+ goto peer_auth_failed;
+ }
+ if (!charon->bus->authorize(charon->bus, TRUE))
+ {
+ DBG1(DBG_IKE, "final authorization hook forbids IKE_SA, "
+ "cancelling");
+ goto peer_auth_failed;
+ }
+ DBG0(DBG_IKE, "IKE_SA %s[%d] established between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ charon->bus->ike_updown(charon->bus, this->ike_sa, TRUE);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+
+peer_auth_failed:
+ charon->bus->alert(charon->bus, ALERT_PEER_AUTH_FAILED);
+ return FAILED;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_auth_t *this)
+{
+ return TASK_IKE_AUTH;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_auth_t *this, ike_sa_t *ike_sa)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ DESTROY_IF(this->my_packet);
+ DESTROY_IF(this->other_packet);
+ DESTROY_IF(this->peer_cfg);
+ DESTROY_IF(this->my_auth);
+ DESTROY_IF(this->other_auth);
+ this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
+
+ this->my_packet = NULL;
+ this->other_packet = NULL;
+ this->ike_sa = ike_sa;
+ this->peer_cfg = NULL;
+ this->my_auth = NULL;
+ this->other_auth = NULL;
+ this->do_another_auth = TRUE;
+ this->expect_another_auth = TRUE;
+ this->authentication_failed = FALSE;
+ this->candidates = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_auth_t *this)
+{
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ DESTROY_IF(this->my_packet);
+ DESTROY_IF(this->other_packet);
+ DESTROY_IF(this->my_auth);
+ DESTROY_IF(this->other_auth);
+ DESTROY_IF(this->peer_cfg);
+ this->candidates->destroy_offset(this->candidates, offsetof(peer_cfg_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_auth_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .build = _build_r,
+ .process = _process_r,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ .candidates = linked_list_create(),
+ .do_another_auth = TRUE,
+ .expect_another_auth = TRUE,
+ );
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.h b/src/libcharon/sa/ikev2/tasks/ike_auth.h
new file mode 100644
index 000000000..ca864a710
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.h
@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_auth ike_auth
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_AUTH_H_
+#define IKE_AUTH_H_
+
+typedef struct ike_auth_t ike_auth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_auth, authenticates an IKE_SA using authenticators.
+ *
+ * The ike_auth task authenticates the IKE_SA using the IKE_AUTH
+ * exchange. It processes and build IDi and IDr payloads and also
+ * handles AUTH payloads. The AUTH payloads are passed to authenticator_t's,
+ * which do the actual authentication process. If the ike_auth task is used
+ * with EAP authentication, it stays alive over multiple exchanges until
+ * EAP has completed.
+ */
+struct ike_auth_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new task of type TASK_IKE_AUTH.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is the initiator of an exchange
+ * @return ike_auth task to handle by the task_manager
+ */
+ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_AUTH_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
new file mode 100644
index 000000000..a7d162e68
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.c
@@ -0,0 +1,172 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_auth_lifetime.h"
+
+#include <time.h>
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_auth_lifetime_t private_ike_auth_lifetime_t;
+
+/**
+ * Private members of a ike_auth_lifetime_t task.
+ */
+struct private_ike_auth_lifetime_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_auth_lifetime_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+};
+
+/**
+ * add the AUTH_LIFETIME notify to the message
+ */
+static void add_auth_lifetime(private_ike_auth_lifetime_t *this, message_t *message)
+{
+ chunk_t chunk;
+ u_int32_t lifetime;
+
+ lifetime = this->ike_sa->get_statistic(this->ike_sa, STAT_REAUTH);
+ if (lifetime)
+ {
+ lifetime -= time_monotonic(NULL);
+ chunk = chunk_from_thing(lifetime);
+ *(u_int32_t*)chunk.ptr = htonl(lifetime);
+ message->add_notify(message, FALSE, AUTH_LIFETIME, chunk);
+ }
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_auth_lifetime_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ chunk_t data;
+ u_int32_t lifetime;
+
+ notify = message->get_notify(message, AUTH_LIFETIME);
+ if (notify)
+ {
+ data = notify->get_notification_data(notify);
+ lifetime = ntohl(*(u_int32_t*)data.ptr);
+ this->ike_sa->set_auth_lifetime(this->ike_sa, lifetime);
+ }
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_auth_lifetime_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ add_auth_lifetime(this, message);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_auth_lifetime_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ process_payloads(this, message);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_auth_lifetime_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ {
+ add_auth_lifetime(this, message);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_auth_lifetime_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ {
+ process_payloads(this, message);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_auth_lifetime_t *this)
+{
+ return TASK_IKE_AUTH_LIFETIME;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_auth_lifetime_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_auth_lifetime_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_auth_lifetime_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
new file mode 100644
index 000000000..4d5087ff5
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth_lifetime.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_auth_lifetime ike_auth_lifetime
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_AUTH_LIFETIME_H_
+#define IKE_AUTH_LIFETIME_H_
+
+typedef struct ike_auth_lifetime_t ike_auth_lifetime_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_AUTH_LIFETIME, implements RFC4478.
+ *
+ * This task exchanges lifetimes for IKE_AUTH to force a client to
+ * reauthenticate before the responders lifetime reaches the limit.
+ */
+struct ike_auth_lifetime_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new TASK_IKE_AUTH_LIFETIME task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if taks is initiated by us
+ * @return ike_auth_lifetime task to handle by the task_manager
+ */
+ike_auth_lifetime_t *ike_auth_lifetime_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_AUTH_LIFETIME_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.c b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
new file mode 100644
index 000000000..a93e5137e
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.c
@@ -0,0 +1,261 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert_post.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <encoding/payloads/auth_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_ike_cert_post_t private_ike_cert_post_t;
+
+/**
+ * Private members of a ike_cert_post_t task.
+ */
+struct private_ike_cert_post_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_cert_post_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+};
+
+/**
+ * Generates the cert payload, if possible with "Hash and URL"
+ */
+static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
+ certificate_t *cert)
+{
+ hasher_t *hasher;
+ identification_t *id;
+ chunk_t hash, encoded ;
+ enumerator_t *enumerator;
+ char *url;
+ cert_payload_t *payload = NULL;
+
+ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
+ {
+ return cert_payload_create_from_cert(CERTIFICATE, cert);
+ }
+
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ if (!hasher)
+ {
+ DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
+ return cert_payload_create_from_cert(CERTIFICATE, cert);
+ }
+
+ if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+ {
+ DBG1(DBG_IKE, "encoding certificate for cert payload failed");
+ hasher->destroy(hasher);
+ return NULL;
+ }
+ if (!hasher->allocate_hash(hasher, encoded, &hash))
+ {
+ hasher->destroy(hasher);
+ chunk_free(&encoded);
+ return cert_payload_create_from_cert(CERTIFICATE, cert);
+ }
+ chunk_free(&encoded);
+ hasher->destroy(hasher);
+ id = identification_create_from_encoding(ID_KEY_ID, hash);
+
+ enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509, id);
+ if (enumerator->enumerate(enumerator, &url))
+ {
+ payload = cert_payload_create_from_hash_and_url(hash, url);
+ DBG1(DBG_IKE, "sending hash-and-url \"%s\"", url);
+ }
+ else
+ {
+ payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ }
+ enumerator->destroy(enumerator);
+ chunk_free(&hash);
+ id->destroy(id);
+ return payload;
+}
+
+/**
+ * add certificates to message
+ */
+static void build_certs(private_ike_cert_post_t *this, message_t *message)
+{
+ peer_cfg_t *peer_cfg;
+ auth_payload_t *payload;
+
+ payload = (auth_payload_t*)message->get_payload(message, AUTHENTICATION);
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!peer_cfg || !payload || payload->get_auth_method(payload) == AUTH_PSK)
+ { /* no CERT payload for EAP/PSK */
+ return;
+ }
+
+ switch (peer_cfg->get_cert_policy(peer_cfg))
+ {
+ case CERT_NEVER_SEND:
+ break;
+ case CERT_SEND_IF_ASKED:
+ if (!this->ike_sa->has_condition(this->ike_sa, COND_CERTREQ_SEEN))
+ {
+ break;
+ }
+ /* FALL */
+ case CERT_ALWAYS_SEND:
+ {
+ cert_payload_t *payload;
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ auth_rule_t type;
+ auth_cfg_t *auth;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+ /* get subject cert first, then issuing certificates */
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (!cert)
+ {
+ break;
+ }
+ payload = build_cert_payload(this, cert);
+ if (!payload)
+ {
+ break;
+ }
+ DBG1(DBG_IKE, "sending end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &cert))
+ {
+ if (type == AUTH_RULE_IM_CERT)
+ {
+ payload = cert_payload_create_from_cert(CERTIFICATE, cert);
+ if (payload)
+ {
+ DBG1(DBG_IKE, "sending issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ message->add_payload(message, (payload_t*)payload);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_cert_post_t *this, message_t *message)
+{
+ build_certs(this, message);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_cert_post_t *this, message_t *message)
+{
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_cert_post_t *this, message_t *message)
+{
+ build_certs(this, message);
+
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* stay alive, we might have additional rounds with certs */
+ return NEED_MORE;
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_cert_post_t *this, message_t *message)
+{
+ if (this->ike_sa->get_state(this->ike_sa) != IKE_ESTABLISHED)
+ { /* stay alive, we might have additional rounds with CERTS */
+ return NEED_MORE;
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_cert_post_t *this)
+{
+ return TASK_IKE_CERT_POST;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_cert_post_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_cert_post_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_cert_post_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_post.h b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
new file mode 100644
index 000000000..34606b1e8
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_post.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_cert_post ike_cert_post
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_CERT_POST_H_
+#define IKE_CERT_POST_H_
+
+typedef struct ike_cert_post_t ike_cert_post_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_cert_post, certificate processing after authentication.
+ */
+struct ike_cert_post_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_cert_post task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is the original initiator
+ * @return ike_cert_post task to handle by the task_manager
+ */
+ike_cert_post_t *ike_cert_post_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CERT_POST_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
new file mode 100644
index 000000000..60e878777
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.c
@@ -0,0 +1,529 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2006-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_cert_pre.h"
+
+#include <daemon.h>
+#include <sa/ike_sa.h>
+#include <encoding/payloads/cert_payload.h>
+#include <encoding/payloads/certreq_payload.h>
+#include <credentials/certificates/x509.h>
+
+
+typedef struct private_ike_cert_pre_t private_ike_cert_pre_t;
+
+/**
+ * Private members of a ike_cert_pre_t task.
+ */
+struct private_ike_cert_pre_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_cert_pre_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Do we accept HTTP certificate lookup requests
+ */
+ bool do_http_lookup;
+
+ /**
+ * whether this is the final authentication round
+ */
+ bool final;
+};
+
+/**
+ * read certificate requests
+ */
+static void process_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ auth_cfg_t *auth;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE);
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case CERTIFICATE_REQUEST:
+ {
+ certreq_payload_t *certreq = (certreq_payload_t*)payload;
+ enumerator_t *enumerator;
+ u_int unknown = 0;
+ chunk_t keyid;
+
+ this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE);
+
+ if (certreq->get_cert_type(certreq) != CERT_X509)
+ {
+ DBG1(DBG_IKE, "cert payload %N not supported - ignored",
+ certificate_type_names, certreq->get_cert_type(certreq));
+ break;
+ }
+ enumerator = certreq->create_keyid_enumerator(certreq);
+ while (enumerator->enumerate(enumerator, &keyid))
+ {
+ identification_t *id;
+ certificate_t *cert;
+
+ id = identification_create_from_encoding(ID_KEY_ID, keyid);
+ cert = lib->credmgr->get_cert(lib->credmgr,
+ CERT_X509, KEY_ANY, id, TRUE);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received cert request for \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_RULE_CA_CERT, cert);
+ }
+ else
+ {
+ DBG2(DBG_IKE, "received cert request for unknown ca "
+ "with keyid %Y", id);
+ unknown++;
+ }
+ id->destroy(id);
+ }
+ enumerator->destroy(enumerator);
+ if (unknown)
+ {
+ DBG1(DBG_IKE, "received %u cert requests for an unknown ca",
+ unknown);
+ }
+ break;
+ }
+ case NOTIFY:
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+
+ /* we only handle one type of notify here */
+ if (notify->get_notify_type(notify) == HTTP_CERT_LOOKUP_SUPPORTED)
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_HASH_AND_URL);
+ }
+ break;
+ }
+ default:
+ /* ignore other payloads here, these are handled elsewhere */
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * tries to extract a certificate from the cert payload or the credential
+ * manager (based on the hash of a "Hash and URL" encoded cert).
+ * Note: the returned certificate (if any) has to be destroyed
+ */
+static certificate_t *try_get_cert(cert_payload_t *cert_payload)
+{
+ certificate_t *cert = NULL;
+
+ switch (cert_payload->get_cert_encoding(cert_payload))
+ {
+ case ENC_X509_SIGNATURE:
+ {
+ cert = cert_payload->get_cert(cert_payload);
+ break;
+ }
+ case ENC_X509_HASH_AND_URL:
+ {
+ identification_t *id;
+ chunk_t hash = cert_payload->get_hash(cert_payload);
+ if (!hash.ptr)
+ {
+ /* invalid "Hash and URL" data (logged elsewhere) */
+ break;
+ }
+ id = identification_create_from_encoding(ID_KEY_ID, hash);
+ cert = lib->credmgr->get_cert(lib->credmgr,
+ CERT_X509, KEY_ANY, id, FALSE);
+ id->destroy(id);
+ break;
+ }
+ default:
+ {
+ break;
+ }
+ }
+ return cert;
+}
+
+/**
+ * import certificates
+ */
+static void process_certs(private_ike_cert_pre_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ auth_cfg_t *auth;
+ bool first = TRUE;
+
+ auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == CERTIFICATE)
+ {
+ cert_payload_t *cert_payload;
+ cert_encoding_t encoding;
+ certificate_t *cert;
+ char *url;
+
+ cert_payload = (cert_payload_t*)payload;
+ encoding = cert_payload->get_cert_encoding(cert_payload);
+
+ switch (encoding)
+ {
+ case ENC_X509_HASH_AND_URL:
+ {
+ if (!this->do_http_lookup)
+ {
+ DBG1(DBG_IKE, "received hash-and-url encoded cert, but"
+ " we don't accept them, ignore");
+ break;
+ }
+ /* FALL */
+ }
+ case ENC_X509_SIGNATURE:
+ {
+ cert = try_get_cert(cert_payload);
+ if (cert)
+ {
+ if (first)
+ { /* the first is an end entity certificate */
+ DBG1(DBG_IKE, "received end entity cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_SUBJECT_CERT, cert);
+ first = FALSE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received issuer cert \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_IM_CERT, cert);
+ }
+ }
+ else if (encoding == ENC_X509_HASH_AND_URL)
+ {
+ /* we fetch the certificate not yet, but only if
+ * it is really needed during authentication */
+ url = cert_payload->get_url(cert_payload);
+ if (!url)
+ {
+ DBG1(DBG_IKE, "received invalid hash-and-url "
+ "encoded cert, ignore");
+ break;
+ }
+ url = strdup(url);
+ if (first)
+ { /* first URL is for an end entity certificate */
+ DBG1(DBG_IKE, "received hash-and-url for end"
+ " entity cert \"%s\"", url);
+ auth->add(auth, AUTH_HELPER_SUBJECT_HASH_URL, url);
+ first = FALSE;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "received hash-and-url for issuer"
+ " cert \"%s\"", url);
+ auth->add(auth, AUTH_HELPER_IM_HASH_URL, url);
+ }
+ }
+ break;
+ }
+ case ENC_CRL:
+ cert = cert_payload->get_cert(cert_payload);
+ if (cert)
+ {
+ DBG1(DBG_IKE, "received CRL \"%Y\"",
+ cert->get_subject(cert));
+ auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert);
+ }
+ break;
+ case ENC_PKCS7_WRAPPED_X509:
+ case ENC_PGP:
+ case ENC_DNS_SIGNED_KEY:
+ case ENC_KERBEROS_TOKEN:
+ case ENC_ARL:
+ case ENC_SPKI:
+ case ENC_X509_ATTRIBUTE:
+ case ENC_RAW_RSA_KEY:
+ case ENC_X509_HASH_AND_URL_BUNDLE:
+ case ENC_OCSP_CONTENT:
+ default:
+ DBG1(DBG_ENC, "certificate encoding %N not supported",
+ cert_encoding_names, encoding);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * add the keyid of a certificate to the certificate request payload
+ */
+static void add_certreq(certreq_payload_t **req, certificate_t *cert)
+{
+ switch (cert->get_type(cert))
+ {
+ case CERT_X509:
+ {
+ public_key_t *public;
+ chunk_t keyid;
+ x509_t *x509 = (x509_t*)cert;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ { /* no CA cert, skip */
+ break;
+ }
+ public = cert->get_public_key(cert);
+ if (!public)
+ {
+ break;
+ }
+ if (*req == NULL)
+ {
+ *req = certreq_payload_create_type(CERT_X509);
+ }
+ if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid))
+ {
+ (*req)->add_keyid(*req, keyid);
+ DBG1(DBG_IKE, "sending cert request for \"%Y\"",
+ cert->get_subject(cert));
+ }
+ public->destroy(public);
+ break;
+ }
+ default:
+ break;
+ }
+}
+
+/**
+ * add a auth_cfg's CA certificates to the certificate request
+ */
+static void add_certreqs(certreq_payload_t **req, auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ auth_rule_t type;
+ void *value;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ switch (type)
+ {
+ case AUTH_RULE_CA_CERT:
+ add_certreq(req, (certificate_t*)value);
+ break;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * build certificate requests
+ */
+static void build_certreqs(private_ike_cert_pre_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ ike_cfg_t *ike_cfg;
+ peer_cfg_t *peer_cfg;
+ certificate_t *cert;
+ auth_cfg_t *auth;
+ certreq_payload_t *req = NULL;
+
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+ if (!ike_cfg->send_certreq(ike_cfg))
+ {
+ return;
+ }
+
+ /* check if we require a specific CA for that peer */
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg)
+ {
+ enumerator = peer_cfg->create_auth_cfg_enumerator(peer_cfg, FALSE);
+ while (enumerator->enumerate(enumerator, &auth))
+ {
+ add_certreqs(&req, auth);
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ if (!req)
+ {
+ /* otherwise add all trusted CA certificates */
+ enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr,
+ CERT_ANY, KEY_ANY, NULL, TRUE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ add_certreq(&req, cert);
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ if (req)
+ {
+ message->add_payload(message, (payload_t*)req);
+
+ if (lib->settings->get_bool(lib->settings,
+ "%s.hash_and_url", FALSE, charon->name))
+ {
+ message->add_notify(message, FALSE, HTTP_CERT_LOOKUP_SUPPORTED,
+ chunk_empty);
+ this->do_http_lookup = TRUE;
+ }
+ }
+}
+
+/**
+ * Check if this is the final authentication round
+ */
+static bool final_auth(message_t *message)
+{
+ /* we check for an AUTH payload without a ANOTHER_AUTH_FOLLOWS notify */
+ if (message->get_payload(message, AUTHENTICATION) == NULL)
+ {
+ return FALSE;
+ }
+ if (message->get_notify(message, ANOTHER_AUTH_FOLLOWS))
+ {
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_cert_pre_t *this, message_t *message)
+{
+ if (message->get_message_id(message) == 1)
+ { /* initiator sends CERTREQs in first IKE_AUTH */
+ build_certreqs(this, message);
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_cert_pre_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) != IKE_SA_INIT)
+ { /* handle certreqs/certs in any IKE_AUTH, just in case */
+ process_certreqs(this, message);
+ process_certs(this, message);
+ }
+ this->final = final_auth(message);
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_cert_pre_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ build_certreqs(this, message);
+ }
+ if (this->final)
+ {
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_cert_pre_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ process_certreqs(this, message);
+ }
+ process_certs(this, message);
+
+ if (final_auth(message))
+ {
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_cert_pre_t *this)
+{
+ return TASK_IKE_CERT_PRE;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_cert_pre_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_cert_pre_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_cert_pre_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
new file mode 100644
index 000000000..ac1a85c29
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_cert_pre.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2007-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_cert_pre ike_cert_pre
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_CERT_PRE_H_
+#define IKE_CERT_PRE_H_
+
+typedef struct ike_cert_pre_t ike_cert_pre_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_cert_post, certificate processing before authentication.
+ */
+struct ike_cert_pre_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_cert_pre task.
+ *
+ * The initiator parameter means the original initiator, not the initiator
+ * of the certificate request.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is the original initiator
+ * @return ike_cert_pre task to handle by the task_manager
+ */
+ike_cert_pre_t *ike_cert_pre_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CERT_PRE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.c b/src/libcharon/sa/ikev2/tasks/ike_config.c
new file mode 100644
index 000000000..c44f0452c
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.c
@@ -0,0 +1,510 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_config.h"
+
+#include <daemon.h>
+#include <hydra.h>
+#include <encoding/payloads/cp_payload.h>
+
+typedef struct private_ike_config_t private_ike_config_t;
+
+/**
+ * Private members of a ike_config_t task.
+ */
+struct private_ike_config_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_config_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Received list of virtual IPs, host_t*
+ */
+ linked_list_t *vips;
+
+ /**
+ * list of attributes requested and its handler, entry_t
+ */
+ linked_list_t *requested;
+};
+
+/**
+ * Entry for a requested attribute and the requesting handler
+ */
+typedef struct {
+ /** attribute requested */
+ configuration_attribute_type_t type;
+ /** handler requesting this attribute */
+ attribute_handler_t *handler;
+} entry_t;
+
+/**
+ * build INTERNAL_IPV4/6_ADDRESS attribute from virtual ip
+ */
+static configuration_attribute_t *build_vip(host_t *vip)
+{
+ configuration_attribute_type_t type;
+ chunk_t chunk, prefix;
+
+ if (vip->get_family(vip) == AF_INET)
+ {
+ type = INTERNAL_IP4_ADDRESS;
+ if (vip->is_anyaddr(vip))
+ {
+ chunk = chunk_empty;
+ }
+ else
+ {
+ chunk = vip->get_address(vip);
+ }
+ }
+ else
+ {
+ type = INTERNAL_IP6_ADDRESS;
+ if (vip->is_anyaddr(vip))
+ {
+ chunk = chunk_empty;
+ }
+ else
+ {
+ prefix = chunk_alloca(1);
+ *prefix.ptr = 64;
+ chunk = vip->get_address(vip);
+ chunk = chunk_cata("cc", chunk, prefix);
+ }
+ }
+ return configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ type, chunk);
+}
+
+/**
+ * Handle a received attribute as initiator
+ */
+static void handle_attribute(private_ike_config_t *this,
+ configuration_attribute_t *ca)
+{
+ attribute_handler_t *handler = NULL;
+ enumerator_t *enumerator;
+ entry_t *entry;
+
+ /* find the handler which requested this attribute */
+ enumerator = this->requested->create_enumerator(this->requested);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->type == ca->get_type(ca))
+ {
+ handler = entry->handler;
+ this->requested->remove_at(this->requested, enumerator);
+ free(entry);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* and pass it to the handle function */
+ handler = hydra->attributes->handle(hydra->attributes,
+ this->ike_sa->get_other_id(this->ike_sa), handler,
+ ca->get_type(ca), ca->get_chunk(ca));
+ if (handler)
+ {
+ this->ike_sa->add_configuration_attribute(this->ike_sa,
+ handler, ca->get_type(ca), ca->get_chunk(ca));
+ }
+}
+
+/**
+ * process a single configuration attribute
+ */
+static void process_attribute(private_ike_config_t *this,
+ configuration_attribute_t *ca)
+{
+ host_t *ip;
+ chunk_t addr;
+ int family = AF_INET6;
+
+ switch (ca->get_type(ca))
+ {
+ case INTERNAL_IP4_ADDRESS:
+ family = AF_INET;
+ /* fall */
+ case INTERNAL_IP6_ADDRESS:
+ {
+ addr = ca->get_chunk(ca);
+ if (addr.len == 0)
+ {
+ ip = host_create_any(family);
+ }
+ else
+ {
+ /* skip prefix byte in IPv6 payload*/
+ if (family == AF_INET6)
+ {
+ addr.len--;
+ }
+ ip = host_create_from_chunk(family, addr, 0);
+ }
+ if (ip)
+ {
+ this->vips->insert_last(this->vips, ip);
+ }
+ break;
+ }
+ case INTERNAL_IP4_SERVER:
+ case INTERNAL_IP6_SERVER:
+ /* assume it's a Windows client if we see proprietary attributes */
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MS_WINDOWS);
+ /* fall */
+ default:
+ {
+ if (this->initiator)
+ {
+ handle_attribute(this, ca);
+ }
+ }
+ }
+}
+
+/**
+ * Scan for configuration payloads and attributes
+ */
+static void process_payloads(private_ike_config_t *this, message_t *message)
+{
+ enumerator_t *enumerator, *attributes;
+ payload_t *payload;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == CONFIGURATION)
+ {
+ cp_payload_t *cp = (cp_payload_t*)payload;
+ configuration_attribute_t *ca;
+
+ switch (cp->get_type(cp))
+ {
+ case CFG_REQUEST:
+ case CFG_REPLY:
+ {
+ attributes = cp->create_attribute_enumerator(cp);
+ while (attributes->enumerate(attributes, &ca))
+ {
+ DBG2(DBG_IKE, "processing %N attribute",
+ configuration_attribute_type_names, ca->get_type(ca));
+ process_attribute(this, ca);
+ }
+ attributes->destroy(attributes);
+ break;
+ }
+ default:
+ DBG1(DBG_IKE, "ignoring %N config payload",
+ config_type_names, cp->get_type(cp));
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_config_t *this, message_t *message)
+{
+ if (message->get_message_id(message) == 1)
+ { /* in first IKE_AUTH only */
+ cp_payload_t *cp = NULL;
+ enumerator_t *enumerator;
+ attribute_handler_t *handler;
+ peer_cfg_t *config;
+ configuration_attribute_type_t type;
+ chunk_t data;
+ linked_list_t *vips;
+ host_t *host;
+
+ vips = linked_list_create();
+
+ /* reuse virtual IP if we already have one */
+ enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa,
+ TRUE);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ vips->insert_last(vips, host);
+ }
+ enumerator->destroy(enumerator);
+
+ if (vips->get_count(vips) == 0)
+ {
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ enumerator = config->create_virtual_ip_enumerator(config);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ vips->insert_last(vips, host);
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ if (vips->get_count(vips))
+ {
+ cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+ enumerator = vips->create_enumerator(vips);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ cp->add_attribute(cp, build_vip(host));
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ enumerator = hydra->attributes->create_initiator_enumerator(
+ hydra->attributes,
+ this->ike_sa->get_other_id(this->ike_sa), vips);
+ while (enumerator->enumerate(enumerator, &handler, &type, &data))
+ {
+ configuration_attribute_t *ca;
+ entry_t *entry;
+
+ /* create configuration attribute */
+ DBG2(DBG_IKE, "building %N attribute",
+ configuration_attribute_type_names, type);
+ ca = configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ type, data);
+ if (!cp)
+ {
+ cp = cp_payload_create_type(CONFIGURATION, CFG_REQUEST);
+ }
+ cp->add_attribute(cp, ca);
+
+ /* save handler along with requested type */
+ entry = malloc_thing(entry_t);
+ entry->type = type;
+ entry->handler = handler;
+
+ this->requested->insert_last(this->requested, entry);
+ }
+ enumerator->destroy(enumerator);
+
+ vips->destroy(vips);
+
+ if (cp)
+ {
+ message->add_payload(message, (payload_t*)cp);
+ }
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_config_t *this, message_t *message)
+{
+ if (message->get_message_id(message) == 1)
+ { /* in first IKE_AUTH only */
+ process_payloads(this, message);
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_config_t *this, message_t *message)
+{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ { /* in last IKE_AUTH exchange */
+ enumerator_t *enumerator;
+ configuration_attribute_type_t type;
+ chunk_t value;
+ cp_payload_t *cp = NULL;
+ peer_cfg_t *config;
+ identification_t *id;
+ linked_list_t *vips, *pools;
+ host_t *requested;
+
+ id = this->ike_sa->get_other_eap_id(this->ike_sa);
+ config = this->ike_sa->get_peer_cfg(this->ike_sa);
+ vips = linked_list_create();
+ pools = linked_list_create_from_enumerator(
+ config->create_pool_enumerator(config));
+
+ this->ike_sa->clear_virtual_ips(this->ike_sa, FALSE);
+
+ enumerator = this->vips->create_enumerator(this->vips);
+ while (enumerator->enumerate(enumerator, &requested))
+ {
+ host_t *found = NULL;
+
+ /* query all pools until we get an address */
+ DBG1(DBG_IKE, "peer requested virtual IP %H", requested);
+
+ found = hydra->attributes->acquire_address(hydra->attributes,
+ pools, id, requested);
+ if (found)
+ {
+ DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", found, id);
+ this->ike_sa->add_virtual_ip(this->ike_sa, FALSE, found);
+ if (!cp)
+ {
+ cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+ }
+ cp->add_attribute(cp, build_vip(found));
+ vips->insert_last(vips, found);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "no virtual IP found for %H requested by '%Y'",
+ requested, id);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (this->vips->get_count(this->vips) && !vips->get_count(vips))
+ {
+ DBG1(DBG_IKE, "no virtual IP found, sending %N",
+ notify_type_names, INTERNAL_ADDRESS_FAILURE);
+ message->add_notify(message, FALSE, INTERNAL_ADDRESS_FAILURE,
+ chunk_empty);
+ vips->destroy_offset(vips, offsetof(host_t, destroy));
+ pools->destroy(pools);
+ return SUCCESS;
+ }
+ if (pools->get_count(pools) && !this->vips->get_count(this->vips))
+ {
+ DBG1(DBG_IKE, "expected a virtual IP request, sending %N",
+ notify_type_names, FAILED_CP_REQUIRED);
+ message->add_notify(message, FALSE, FAILED_CP_REQUIRED, chunk_empty);
+ vips->destroy_offset(vips, offsetof(host_t, destroy));
+ pools->destroy(pools);
+ return SUCCESS;
+ }
+
+ /* query registered providers for additional attributes to include */
+ enumerator = hydra->attributes->create_responder_enumerator(
+ hydra->attributes, pools, id, vips);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ if (!cp)
+ {
+ cp = cp_payload_create_type(CONFIGURATION, CFG_REPLY);
+ }
+ DBG2(DBG_IKE, "building %N attribute",
+ configuration_attribute_type_names, type);
+ cp->add_attribute(cp,
+ configuration_attribute_create_chunk(CONFIGURATION_ATTRIBUTE,
+ type, value));
+ }
+ enumerator->destroy(enumerator);
+ vips->destroy_offset(vips, offsetof(host_t, destroy));
+ pools->destroy(pools);
+
+ if (cp)
+ {
+ message->add_payload(message, (payload_t*)cp);
+ }
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_config_t *this, message_t *message)
+{
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ { /* in last IKE_AUTH exchange */
+ enumerator_t *enumerator;
+ host_t *host;
+
+ process_payloads(this, message);
+
+ this->ike_sa->clear_virtual_ips(this->ike_sa, TRUE);
+
+ enumerator = this->vips->create_enumerator(this->vips);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ if (!host->is_anyaddr(host))
+ {
+ this->ike_sa->add_virtual_ip(this->ike_sa, TRUE, host);
+ }
+ }
+ enumerator->destroy(enumerator);
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_config_t *this)
+{
+ return TASK_IKE_CONFIG;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_config_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+ this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+ this->vips = linked_list_create();
+ this->requested->destroy_function(this->requested, free);
+ this->requested = linked_list_create();
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_config_t *this)
+{
+ this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
+ this->requested->destroy_function(this->requested, free);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_config_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .initiator = initiator,
+ .ike_sa = ike_sa,
+ .vips = linked_list_create(),
+ .requested = linked_list_create(),
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_config.h b/src/libcharon/sa/ikev2/tasks/ike_config.h
new file mode 100644
index 000000000..e35457645
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_config.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_config ike_config
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_CONFIG_H_
+#define IKE_CONFIG_H_
+
+typedef struct ike_config_t ike_config_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_CONFIG, sets up a virtual IP and other
+ * configurations for an IKE_SA.
+ */
+struct ike_config_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_config task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE for initiator
+ * @return ike_config task to handle by the task_manager
+ */
+ike_config_t *ike_config_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_CONFIG_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.c b/src/libcharon/sa/ikev2/tasks/ike_delete.c
new file mode 100644
index 000000000..f127b0c15
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.c
@@ -0,0 +1,199 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_delete.h"
+
+#include <daemon.h>
+#include <encoding/payloads/delete_payload.h>
+
+
+typedef struct private_ike_delete_t private_ike_delete_t;
+
+/**
+ * Private members of a ike_delete_t task.
+ */
+struct private_ike_delete_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_delete_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * are we deleting a rekeyed SA?
+ */
+ bool rekeyed;
+
+ /**
+ * are we responding to a delete, but have initated our own?
+ */
+ bool simultaneous;
+};
+
+METHOD(task_t, build_i, status_t,
+ private_ike_delete_t *this, message_t *message)
+{
+ delete_payload_t *delete_payload;
+
+ DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ delete_payload = delete_payload_create(DELETE, PROTO_IKE);
+ message->add_payload(message, (payload_t*)delete_payload);
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_REKEYING)
+ {
+ this->rekeyed = TRUE;
+ }
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+
+ DBG1(DBG_IKE, "sending DELETE for IKE_SA %s[%d]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa));
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_delete_t *this, message_t *message)
+{
+ DBG0(DBG_IKE, "IKE_SA deleted");
+ if (!this->rekeyed)
+ { /* invoke ike_down() hook if SA has not been rekeyed */
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
+ /* completed, delete IKE_SA by returning DESTROY_ME */
+ return DESTROY_ME;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_delete_t *this, message_t *message)
+{
+ /* we don't even scan the payloads, as the message wouldn't have
+ * come so far without being correct */
+ DBG1(DBG_IKE, "received DELETE for IKE_SA %s[%d]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa));
+ DBG0(DBG_IKE, "deleting IKE_SA %s[%d] between %H[%Y]...%H[%Y]",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ switch (this->ike_sa->get_state(this->ike_sa))
+ {
+ case IKE_ESTABLISHED:
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+ this->ike_sa->reestablish(this->ike_sa);
+ return NEED_MORE;
+ case IKE_REKEYING:
+ this->rekeyed = TRUE;
+ break;
+ case IKE_DELETING:
+ this->simultaneous = TRUE;
+ break;
+ default:
+ break;
+ }
+ this->ike_sa->set_state(this->ike_sa, IKE_DELETING);
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_delete_t *this, message_t *message)
+{
+ DBG0(DBG_IKE, "IKE_SA deleted");
+
+ if (this->simultaneous)
+ {
+ /* wait for peer's response for our delete request */
+ return SUCCESS;
+ }
+ if (!this->rekeyed)
+ { /* invoke ike_down() hook if SA has not been rekeyed */
+ charon->bus->ike_updown(charon->bus, this->ike_sa, FALSE);
+ }
+ /* completed, delete IKE_SA by returning DESTROY_ME */
+ return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_delete_t *this)
+{
+ return TASK_IKE_DELETE;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_delete_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+ this->simultaneous = FALSE;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_delete_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_delete_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_delete.h b/src/libcharon/sa/ikev2/tasks/ike_delete.h
new file mode 100644
index 000000000..2d5d7cb3a
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_delete.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_delete ike_delete
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_DELETE_H_
+#define IKE_DELETE_H_
+
+typedef struct ike_delete_t ike_delete_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_delete, delete an IKE_SA.
+ */
+struct ike_delete_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_delete task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if we initiate the delete
+ * @return ike_delete task to handle by the task_manager
+ */
+ike_delete_t *ike_delete_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_DELETE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.c b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
new file mode 100644
index 000000000..28ccc2efe
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_dpd.h"
+
+#include <daemon.h>
+
+
+typedef struct private_ike_dpd_t private_ike_dpd_t;
+
+/**
+ * Private members of a ike_dpd_t task.
+ */
+struct private_ike_dpd_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_dpd_t public;
+};
+
+METHOD(task_t, return_need_more, status_t,
+ private_ike_dpd_t *this, message_t *message)
+{
+ return NEED_MORE;
+}
+
+METHOD(task_t, return_success, status_t,
+ private_ike_dpd_t *this, message_t *message)
+{
+ return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_dpd_t *this)
+{
+ return TASK_IKE_DPD;
+}
+
+
+METHOD(task_t, migrate, void,
+ private_ike_dpd_t *this, ike_sa_t *ike_sa)
+{
+
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_dpd_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_dpd_t *ike_dpd_create(bool initiator)
+{
+ private_ike_dpd_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _return_need_more;
+ this->public.task.process = _return_success;
+ }
+ else
+ {
+ this->public.task.build = _return_success;
+ this->public.task.process = _return_need_more;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_dpd.h b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
new file mode 100644
index 000000000..026871610
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_dpd.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_dpd ike_dpd
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_DPD_H_
+#define IKE_DPD_H_
+
+typedef struct ike_dpd_t ike_dpd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_dpd, detects dead peers.
+ *
+ * The DPD task actually does nothing, as a DPD has no associated payloads.
+ */
+struct ike_dpd_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_dpd task.
+ *
+ * @param initiator TRUE if task is the original initiator
+ * @return ike_dpd task to handle by the task_manager
+ */
+ike_dpd_t *ike_dpd_create(bool initiator);
+
+#endif /** IKE_DPD_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
new file mode 100644
index 000000000..f2a06735e
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -0,0 +1,600 @@
+/*
+ * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_init.h"
+
+#include <string.h>
+
+#include <daemon.h>
+#include <sa/ikev2/keymat_v2.h>
+#include <crypto/diffie_hellman.h>
+#include <encoding/payloads/sa_payload.h>
+#include <encoding/payloads/ke_payload.h>
+#include <encoding/payloads/nonce_payload.h>
+
+/** maximum retries to do with cookies/other dh groups */
+#define MAX_RETRIES 5
+
+typedef struct private_ike_init_t private_ike_init_t;
+
+/**
+ * Private members of a ike_init_t task.
+ */
+struct private_ike_init_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_init_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * IKE config to establish
+ */
+ ike_cfg_t *config;
+
+ /**
+ * diffie hellman group to use
+ */
+ diffie_hellman_group_t dh_group;
+
+ /**
+ * diffie hellman key exchange
+ */
+ diffie_hellman_t *dh;
+
+ /**
+ * Keymat derivation (from IKE_SA)
+ */
+ keymat_v2_t *keymat;
+
+ /**
+ * nonce chosen by us
+ */
+ chunk_t my_nonce;
+
+ /**
+ * nonce chosen by peer
+ */
+ chunk_t other_nonce;
+
+ /**
+ * Negotiated proposal used for IKE_SA
+ */
+ proposal_t *proposal;
+
+ /**
+ * Old IKE_SA which gets rekeyed
+ */
+ ike_sa_t *old_sa;
+
+ /**
+ * cookie received from responder
+ */
+ chunk_t cookie;
+
+ /**
+ * retries done so far after failure (cookie or bad dh group)
+ */
+ u_int retry;
+};
+
+/**
+ * build the payloads for the message
+ */
+static void build_payloads(private_ike_init_t *this, message_t *message)
+{
+ sa_payload_t *sa_payload;
+ ke_payload_t *ke_payload;
+ nonce_payload_t *nonce_payload;
+ linked_list_t *proposal_list;
+ ike_sa_id_t *id;
+ proposal_t *proposal;
+ enumerator_t *enumerator;
+
+ id = this->ike_sa->get_id(this->ike_sa);
+
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+ if (this->initiator)
+ {
+ proposal_list = this->config->get_proposals(this->config);
+ if (this->old_sa)
+ {
+ /* include SPI of new IKE_SA when we are rekeying */
+ enumerator = proposal_list->create_enumerator(proposal_list);
+ while (enumerator->enumerate(enumerator, (void**)&proposal))
+ {
+ proposal->set_spi(proposal, id->get_initiator_spi(id));
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ sa_payload = sa_payload_create_from_proposals_v2(proposal_list);
+ proposal_list->destroy_offset(proposal_list, offsetof(proposal_t, destroy));
+ }
+ else
+ {
+ if (this->old_sa)
+ {
+ /* include SPI of new IKE_SA when we are rekeying */
+ this->proposal->set_spi(this->proposal, id->get_responder_spi(id));
+ }
+ sa_payload = sa_payload_create_from_proposal_v2(this->proposal);
+ }
+ message->add_payload(message, (payload_t*)sa_payload);
+
+ nonce_payload = nonce_payload_create(NONCE);
+ nonce_payload->set_nonce(nonce_payload, this->my_nonce);
+ ke_payload = ke_payload_create_from_diffie_hellman(KEY_EXCHANGE, this->dh);
+
+ if (this->old_sa)
+ { /* payload order differs if we are rekeying */
+ message->add_payload(message, (payload_t*)nonce_payload);
+ message->add_payload(message, (payload_t*)ke_payload);
+ }
+ else
+ {
+ message->add_payload(message, (payload_t*)ke_payload);
+ message->add_payload(message, (payload_t*)nonce_payload);
+ }
+}
+
+/**
+ * Read payloads from message
+ */
+static void process_payloads(private_ike_init_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ switch (payload->get_type(payload))
+ {
+ case SECURITY_ASSOCIATION:
+ {
+ sa_payload_t *sa_payload = (sa_payload_t*)payload;
+ linked_list_t *proposal_list;
+ bool private;
+
+ proposal_list = sa_payload->get_proposals(sa_payload);
+ private = this->ike_sa->supports_extension(this->ike_sa,
+ EXT_STRONGSWAN);
+ this->proposal = this->config->select_proposal(this->config,
+ proposal_list, private);
+ proposal_list->destroy_offset(proposal_list,
+ offsetof(proposal_t, destroy));
+ break;
+ }
+ case KEY_EXCHANGE:
+ {
+ ke_payload_t *ke_payload = (ke_payload_t*)payload;
+
+ this->dh_group = ke_payload->get_dh_group_number(ke_payload);
+ if (!this->initiator)
+ {
+ this->dh = this->keymat->keymat.create_dh(
+ &this->keymat->keymat, this->dh_group);
+ }
+ if (this->dh)
+ {
+ this->dh->set_other_public_value(this->dh,
+ ke_payload->get_key_exchange_data(ke_payload));
+ }
+ break;
+ }
+ case NONCE:
+ {
+ nonce_payload_t *nonce_payload = (nonce_payload_t*)payload;
+
+ this->other_nonce = nonce_payload->get_nonce(nonce_payload);
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_init_t *this, message_t *message)
+{
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+ DBG0(DBG_IKE, "initiating IKE_SA %s[%d] to %H",
+ this->ike_sa->get_name(this->ike_sa),
+ this->ike_sa->get_unique_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa));
+ this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+ if (this->retry >= MAX_RETRIES)
+ {
+ DBG1(DBG_IKE, "giving up after %d retries", MAX_RETRIES);
+ return FAILED;
+ }
+
+ /* if the DH group is set via use_dh_group(), we already have a DH object */
+ if (!this->dh)
+ {
+ this->dh_group = this->config->get_dh_group(this->config);
+ this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+ this->dh_group);
+ if (!this->dh)
+ {
+ DBG1(DBG_IKE, "configured DH group %N not supported",
+ diffie_hellman_group_names, this->dh_group);
+ return FAILED;
+ }
+ }
+
+ /* generate nonce only when we are trying the first time */
+ if (this->my_nonce.ptr == NULL)
+ {
+ nonce_gen_t *nonceg;
+
+ nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+ if (!nonceg)
+ {
+ DBG1(DBG_IKE, "no nonce generator found to create nonce");
+ return FAILED;
+ }
+ if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ {
+ DBG1(DBG_IKE, "nonce allocation failed");
+ nonceg->destroy(nonceg);
+ return FAILED;
+ }
+ nonceg->destroy(nonceg);
+ }
+
+ if (this->cookie.ptr)
+ {
+ message->add_notify(message, FALSE, COOKIE, this->cookie);
+ }
+
+ build_payloads(this, message);
+
+#ifdef ME
+ {
+ chunk_t connect_id = this->ike_sa->get_connect_id(this->ike_sa);
+ if (connect_id.ptr)
+ {
+ message->add_notify(message, FALSE, ME_CONNECTID, connect_id);
+ }
+ }
+#endif /* ME */
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_init_t *this, message_t *message)
+{
+ nonce_gen_t *nonceg;
+
+ this->config = this->ike_sa->get_ike_cfg(this->ike_sa);
+ DBG0(DBG_IKE, "%H is initiating an IKE_SA", message->get_source(message));
+ this->ike_sa->set_state(this->ike_sa, IKE_CONNECTING);
+
+ nonceg = this->keymat->keymat.create_nonce_gen(&this->keymat->keymat);
+ if (!nonceg)
+ {
+ DBG1(DBG_IKE, "no nonce generator found to create nonce");
+ return FAILED;
+ }
+ if (!nonceg->allocate_nonce(nonceg, NONCE_SIZE, &this->my_nonce))
+ {
+ DBG1(DBG_IKE, "nonce allocation failed");
+ nonceg->destroy(nonceg);
+ return FAILED;
+ }
+ nonceg->destroy(nonceg);
+
+#ifdef ME
+ {
+ notify_payload_t *notify = message->get_notify(message, ME_CONNECTID);
+ if (notify)
+ {
+ chunk_t connect_id = notify->get_notification_data(notify);
+ DBG2(DBG_IKE, "received ME_CONNECTID %#B", &connect_id);
+ charon->connect_manager->stop_checks(charon->connect_manager,
+ connect_id);
+ }
+ }
+#endif /* ME */
+
+ process_payloads(this, message);
+
+ return NEED_MORE;
+}
+
+/**
+ * Derive the keymat for the IKE_SA
+ */
+static bool derive_keys(private_ike_init_t *this,
+ chunk_t nonce_i, chunk_t nonce_r)
+{
+ keymat_v2_t *old_keymat;
+ pseudo_random_function_t prf_alg = PRF_UNDEFINED;
+ chunk_t skd = chunk_empty;
+ ike_sa_id_t *id;
+
+ id = this->ike_sa->get_id(this->ike_sa);
+ if (this->old_sa)
+ {
+ /* rekeying: Include old SKd, use old PRF, apply SPI */
+ old_keymat = (keymat_v2_t*)this->old_sa->get_keymat(this->old_sa);
+ prf_alg = old_keymat->get_skd(old_keymat, &skd);
+ if (this->initiator)
+ {
+ id->set_responder_spi(id, this->proposal->get_spi(this->proposal));
+ }
+ else
+ {
+ id->set_initiator_spi(id, this->proposal->get_spi(this->proposal));
+ }
+ }
+ if (!this->keymat->derive_ike_keys(this->keymat, this->proposal, this->dh,
+ nonce_i, nonce_r, id, prf_alg, skd))
+ {
+ return FALSE;
+ }
+ charon->bus->ike_keys(charon->bus, this->ike_sa, this->dh, chunk_empty,
+ nonce_i, nonce_r, this->old_sa, NULL);
+ return TRUE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_init_t *this, message_t *message)
+{
+ /* check if we have everything we need */
+ if (this->proposal == NULL ||
+ this->other_nonce.len == 0 || this->my_nonce.len == 0)
+ {
+ DBG1(DBG_IKE, "received proposals inacceptable");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+ if (this->dh == NULL ||
+ !this->proposal->has_dh_group(this->proposal, this->dh_group))
+ {
+ u_int16_t group;
+
+ if (this->proposal->get_algorithm(this->proposal, DIFFIE_HELLMAN_GROUP,
+ &group, NULL))
+ {
+ DBG1(DBG_IKE, "DH group %N inacceptable, requesting %N",
+ diffie_hellman_group_names, this->dh_group,
+ diffie_hellman_group_names, group);
+ this->dh_group = group;
+ group = htons(group);
+ message->add_notify(message, FALSE, INVALID_KE_PAYLOAD,
+ chunk_from_thing(group));
+ }
+ else
+ {
+ DBG1(DBG_IKE, "no acceptable proposal found");
+ }
+ return FAILED;
+ }
+
+ if (!derive_keys(this, this->other_nonce, this->my_nonce))
+ {
+ DBG1(DBG_IKE, "key derivation failed");
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return FAILED;
+ }
+ build_payloads(this, message);
+ return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_init_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+
+ /* check for erronous notifies */
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == NOTIFY)
+ {
+ notify_payload_t *notify = (notify_payload_t*)payload;
+ notify_type_t type = notify->get_notify_type(notify);
+
+ switch (type)
+ {
+ case INVALID_KE_PAYLOAD:
+ {
+ chunk_t data;
+ diffie_hellman_group_t bad_group;
+
+ bad_group = this->dh_group;
+ data = notify->get_notification_data(notify);
+ this->dh_group = ntohs(*((u_int16_t*)data.ptr));
+ DBG1(DBG_IKE, "peer didn't accept DH group %N, "
+ "it requested %N", diffie_hellman_group_names,
+ bad_group, diffie_hellman_group_names, this->dh_group);
+
+ if (this->old_sa == NULL)
+ { /* reset the IKE_SA if we are not rekeying */
+ this->ike_sa->reset(this->ike_sa);
+ }
+
+ enumerator->destroy(enumerator);
+ this->retry++;
+ return NEED_MORE;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ case NAT_DETECTION_DESTINATION_IP:
+ /* skip, handled in ike_natd_t */
+ break;
+ case MULTIPLE_AUTH_SUPPORTED:
+ /* handled in ike_auth_t */
+ break;
+ case COOKIE:
+ {
+ chunk_free(&this->cookie);
+ this->cookie = chunk_clone(notify->get_notification_data(notify));
+ this->ike_sa->reset(this->ike_sa);
+ enumerator->destroy(enumerator);
+ DBG2(DBG_IKE, "received %N notify", notify_type_names, type);
+ this->retry++;
+ return NEED_MORE;
+ }
+ default:
+ {
+ if (type <= 16383)
+ {
+ DBG1(DBG_IKE, "received %N notify error",
+ notify_type_names, type);
+ enumerator->destroy(enumerator);
+ return FAILED;
+ }
+ DBG2(DBG_IKE, "received %N notify",
+ notify_type_names, type);
+ break;
+ }
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ process_payloads(this, message);
+
+ /* check if we have everything */
+ if (this->proposal == NULL ||
+ this->other_nonce.len == 0 || this->my_nonce.len == 0)
+ {
+ DBG1(DBG_IKE, "peers proposal selection invalid");
+ return FAILED;
+ }
+ this->ike_sa->set_proposal(this->ike_sa, this->proposal);
+
+ if (this->dh == NULL ||
+ !this->proposal->has_dh_group(this->proposal, this->dh_group))
+ {
+ DBG1(DBG_IKE, "peer DH group selection invalid");
+ return FAILED;
+ }
+
+ if (!derive_keys(this, this->my_nonce, this->other_nonce))
+ {
+ DBG1(DBG_IKE, "key derivation failed");
+ return FAILED;
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_init_t *this)
+{
+ return TASK_IKE_INIT;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_init_t *this, ike_sa_t *ike_sa)
+{
+ DESTROY_IF(this->proposal);
+ chunk_free(&this->other_nonce);
+
+ this->ike_sa = ike_sa;
+ this->keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
+ this->proposal = NULL;
+ if (this->dh && this->dh->get_dh_group(this->dh) != this->dh_group)
+ { /* reset DH value only if group changed (INVALID_KE_PAYLOAD) */
+ this->dh->destroy(this->dh);
+ this->dh = this->keymat->keymat.create_dh(&this->keymat->keymat,
+ this->dh_group);
+ }
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_init_t *this)
+{
+ DESTROY_IF(this->dh);
+ DESTROY_IF(this->proposal);
+ chunk_free(&this->my_nonce);
+ chunk_free(&this->other_nonce);
+ chunk_free(&this->cookie);
+ free(this);
+}
+
+METHOD(ike_init_t, get_lower_nonce, chunk_t,
+ private_ike_init_t *this)
+{
+ if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr,
+ min(this->my_nonce.len, this->other_nonce.len)) < 0)
+ {
+ return this->my_nonce;
+ }
+ else
+ {
+ return this->other_nonce;
+ }
+}
+
+/*
+ * Described in header.
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa)
+{
+ private_ike_init_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .get_lower_nonce = _get_lower_nonce,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ .dh_group = MODP_NONE,
+ .keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa),
+ .old_sa = old_sa,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.h b/src/libcharon/sa/ikev2/tasks/ike_init.h
new file mode 100644
index 000000000..ab169954d
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_init ike_init
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_INIT_H_
+#define IKE_INIT_H_
+
+typedef struct ike_init_t ike_init_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_INIT, creates an IKE_SA without authentication.
+ *
+ * The authentication of is handle in the ike_auth task.
+ */
+struct ike_init_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Get the lower of the two nonces, used for rekey collisions.
+ *
+ * @return lower nonce
+ */
+ chunk_t (*get_lower_nonce) (ike_init_t *this);
+};
+
+/**
+ * Create a new TASK_IKE_INIT task.
+ *
+ * @param ike_sa IKE_SA this task works for (new one when rekeying)
+ * @param initiator TRUE if task is the original initiator
+ * @param old_sa old IKE_SA when we are rekeying
+ * @return ike_init task to handle by the task_manager
+ */
+ike_init_t *ike_init_create(ike_sa_t *ike_sa, bool initiator, ike_sa_t *old_sa);
+
+#endif /** IKE_INIT_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.c b/src/libcharon/sa/ikev2/tasks/ike_me.c
new file mode 100644
index 000000000..135c06d19
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.c
@@ -0,0 +1,845 @@
+/*
+ * Copyright (C) 2007-2008 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_me.h"
+
+#include <string.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <config/peer_cfg.h>
+#include <encoding/payloads/id_payload.h>
+#include <encoding/payloads/notify_payload.h>
+#include <encoding/payloads/endpoint_notify.h>
+#include <processing/jobs/mediation_job.h>
+
+#define ME_CONNECTID_LEN 4
+#define ME_CONNECTKEY_LEN 16
+
+typedef struct private_ike_me_t private_ike_me_t;
+
+/**
+ * Private members of a ike_me_t task.
+ */
+struct private_ike_me_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_me_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Is this a mediation connection?
+ */
+ bool mediation;
+
+ /**
+ * Is this the response from another peer?
+ */
+ bool response;
+
+ /**
+ * Gathered endpoints
+ */
+ linked_list_t *local_endpoints;
+
+ /**
+ * Parsed endpoints
+ */
+ linked_list_t *remote_endpoints;
+
+ /**
+ * Did the peer request a callback?
+ */
+ bool callback;
+
+ /**
+ * Did the connect fail?
+ */
+ bool failed;
+
+ /**
+ * Was there anything wrong with the payloads?
+ */
+ bool invalid_syntax;
+
+ /**
+ * The requested peer
+ */
+ identification_t *peer_id;
+ /**
+ * Received ID used for connectivity checks
+ */
+ chunk_t connect_id;
+
+ /**
+ * Received key used for connectivity checks
+ */
+ chunk_t connect_key;
+
+ /**
+ * Peer config of the mediated connection
+ */
+ peer_cfg_t *mediated_cfg;
+
+};
+
+/**
+ * Adds a list of endpoints as notifies to a given message
+ */
+static void add_endpoints_to_message(message_t *message, linked_list_t *endpoints)
+{
+ enumerator_t *enumerator;
+ endpoint_notify_t *endpoint;
+
+ enumerator = endpoints->create_enumerator(endpoints);
+ while (enumerator->enumerate(enumerator, (void**)&endpoint))
+ {
+ message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Gathers endpoints and adds them to the current message
+ */
+static void gather_and_add_endpoints(private_ike_me_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ host_t *addr, *host;
+ u_int16_t port;
+
+ /* get the port that is used to communicate with the ms */
+ host = this->ike_sa->get_my_host(this->ike_sa);
+ port = host->get_port(host);
+
+ enumerator = hydra->kernel_interface->create_address_enumerator(
+ hydra->kernel_interface, ADDR_TYPE_REGULAR);
+ while (enumerator->enumerate(enumerator, (void**)&addr))
+ {
+ host = addr->clone(addr);
+ host->set_port(host, port);
+
+ this->local_endpoints->insert_last(this->local_endpoints,
+ endpoint_notify_create_from_host(HOST, host, NULL));
+
+ host->destroy(host);
+ }
+ enumerator->destroy(enumerator);
+
+ host = this->ike_sa->get_server_reflexive_host(this->ike_sa);
+ if (host)
+ {
+ this->local_endpoints->insert_last(this->local_endpoints,
+ endpoint_notify_create_from_host(SERVER_REFLEXIVE, host,
+ this->ike_sa->get_my_host(this->ike_sa)));
+ }
+
+ add_endpoints_to_message(message, this->local_endpoints);
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_me_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) != NOTIFY)
+ {
+ continue;
+ }
+
+ notify_payload_t *notify = (notify_payload_t*)payload;
+
+ switch (notify->get_notify_type(notify))
+ {
+ case ME_CONNECT_FAILED:
+ {
+ DBG2(DBG_IKE, "received ME_CONNECT_FAILED notify");
+ this->failed = TRUE;
+ break;
+ }
+ case ME_MEDIATION:
+ {
+ DBG2(DBG_IKE, "received ME_MEDIATION notify");
+ this->mediation = TRUE;
+ break;
+ }
+ case ME_ENDPOINT:
+ {
+ endpoint_notify_t *endpoint;
+ endpoint = endpoint_notify_create_from_payload(notify);
+ if (!endpoint)
+ {
+ DBG1(DBG_IKE, "received invalid ME_ENDPOINT notify");
+ break;
+ }
+ DBG1(DBG_IKE, "received %N ME_ENDPOINT %#H",
+ me_endpoint_type_names, endpoint->get_type(endpoint),
+ endpoint->get_host(endpoint));
+
+ this->remote_endpoints->insert_last(this->remote_endpoints,
+ endpoint);
+ break;
+ }
+ case ME_CALLBACK:
+ {
+ DBG2(DBG_IKE, "received ME_CALLBACK notify");
+ this->callback = TRUE;
+ break;
+ }
+ case ME_CONNECTID:
+ {
+ chunk_free(&this->connect_id);
+ this->connect_id = chunk_clone(notify->get_notification_data(notify));
+ DBG2(DBG_IKE, "received ME_CONNECTID %#B", &this->connect_id);
+ break;
+ }
+ case ME_CONNECTKEY:
+ {
+ chunk_free(&this->connect_key);
+ this->connect_key = chunk_clone(notify->get_notification_data(notify));
+ DBG4(DBG_IKE, "received ME_CONNECTKEY %#B", &this->connect_key);
+ break;
+ }
+ case ME_RESPONSE:
+ {
+ DBG2(DBG_IKE, "received ME_RESPONSE notify");
+ this->response = TRUE;
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ {
+ peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (peer_cfg->is_mediation(peer_cfg))
+ {
+ DBG2(DBG_IKE, "adding ME_MEDIATION");
+ message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
+ }
+ else
+ {
+ return SUCCESS;
+ }
+ break;
+ }
+ case IKE_AUTH:
+ {
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_HERE))
+ {
+ endpoint_notify_t *endpoint;
+ endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+ NULL, NULL);
+ message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+ endpoint->destroy(endpoint);
+ }
+ break;
+ }
+ case ME_CONNECT:
+ {
+ rng_t *rng;
+ id_payload_t *id_payload;
+ id_payload = id_payload_create_from_identification(ID_PEER,
+ this->peer_id);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (!rng)
+ {
+ DBG1(DBG_IKE, "unable to generate connect ID for ME_CONNECT");
+ return FAILED;
+ }
+ if (!this->response)
+ {
+ /* only the initiator creates a connect ID. the responder
+ * returns the connect ID that it received from the initiator */
+ if (!rng->allocate_bytes(rng, ME_CONNECTID_LEN,
+ &this->connect_id))
+ {
+ DBG1(DBG_IKE, "unable to generate ID for ME_CONNECT");
+ rng->destroy(rng);
+ return FAILED;
+ }
+ }
+ if (!rng->allocate_bytes(rng, ME_CONNECTKEY_LEN,
+ &this->connect_key))
+ {
+ DBG1(DBG_IKE, "unable to generate connect key for ME_CONNECT");
+ rng->destroy(rng);
+ return FAILED;
+ }
+ rng->destroy(rng);
+
+ message->add_notify(message, FALSE, ME_CONNECTID, this->connect_id);
+ message->add_notify(message, FALSE, ME_CONNECTKEY, this->connect_key);
+
+ if (this->response)
+ {
+ message->add_notify(message, FALSE, ME_RESPONSE, chunk_empty);
+ }
+ else
+ {
+ /* FIXME: should we make this configurable? */
+ message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
+ }
+
+ gather_and_add_endpoints(this, message);
+
+ break;
+ }
+ default:
+ break;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case ME_CONNECT:
+ {
+ id_payload_t *id_payload;
+ id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+ ", aborting");
+ break;
+ }
+ this->peer_id = id_payload->get_identification(id_payload);
+
+ process_payloads(this, message);
+
+ if (this->callback)
+ {
+ DBG1(DBG_IKE, "received ME_CALLBACK for '%Y'", this->peer_id);
+ break;
+ }
+
+ if (!this->connect_id.ptr)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+ ", aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+
+ if (!this->connect_key.ptr)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY "
+ "notify, aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+
+ if (!this->remote_endpoints->get_count(this->remote_endpoints))
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+ "payloads, aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+
+ DBG1(DBG_IKE, "received ME_CONNECT");
+ break;
+ }
+ default:
+ break;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case ME_CONNECT:
+ {
+ if (this->invalid_syntax)
+ {
+ message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
+ break;
+ }
+
+ if (this->callback)
+ {
+ /* we got a callback from the mediation server, initiate the
+ * queued mediated connecction */
+ charon->connect_manager->check_and_initiate(
+ charon->connect_manager,
+ this->ike_sa->get_id(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa), this->peer_id);
+ return SUCCESS;
+ }
+
+ if (this->response)
+ {
+ /* FIXME: handle result of set_responder_data
+ * as initiator, upon receiving a response from another peer,
+ * update the checklist and start sending checks */
+ charon->connect_manager->set_responder_data(
+ charon->connect_manager,
+ this->connect_id, this->connect_key,
+ this->remote_endpoints);
+ }
+ else
+ {
+ /* FIXME: handle result of set_initiator_data
+ * as responder, create a checklist with the initiator's data */
+ charon->connect_manager->set_initiator_data(
+ charon->connect_manager,
+ this->peer_id, this->ike_sa->get_my_id(this->ike_sa),
+ this->connect_id, this->connect_key,
+ this->remote_endpoints, FALSE);
+ if (this->ike_sa->respond(this->ike_sa, this->peer_id,
+ this->connect_id) != SUCCESS)
+ {
+ return FAILED;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ {
+ process_payloads(this, message);
+ if (!this->mediation)
+ {
+ DBG1(DBG_IKE, "server did not return a ME_MEDIATION, aborting");
+ return FAILED;
+ }
+ /* if we are on a mediation connection we switch to port 4500 even
+ * if no NAT is detected. */
+ this->ike_sa->float_ports(this->ike_sa);
+ return NEED_MORE;
+ }
+ case IKE_AUTH:
+ {
+ process_payloads(this, message);
+ /* FIXME: we should update the server reflexive endpoint somehow,
+ * if mobike notices a change */
+ endpoint_notify_t *reflexive;
+ if (this->remote_endpoints->get_first(this->remote_endpoints,
+ (void**)&reflexive) == SUCCESS &&
+ reflexive->get_type(reflexive) == SERVER_REFLEXIVE)
+ { /* FIXME: should we accept this endpoint even if we did not send
+ * a request? */
+ host_t *endpoint = reflexive->get_host(reflexive);
+ endpoint = endpoint->clone(endpoint);
+ this->ike_sa->set_server_reflexive_host(this->ike_sa, endpoint);
+ }
+ break;
+ }
+ case ME_CONNECT:
+ {
+ process_payloads(this, message);
+
+ if (this->failed)
+ {
+ DBG1(DBG_IKE, "peer '%Y' is not online", this->peer_id);
+ /* FIXME: notify the mediated connection (job?) */
+ }
+ else
+ {
+ if (this->response)
+ {
+ /* FIXME: handle result of set_responder_data. */
+ /* as responder, we update the checklist and start sending
+ * checks */
+ charon->connect_manager->set_responder_data(
+ charon->connect_manager, this->connect_id,
+ this->connect_key, this->local_endpoints);
+ }
+ else
+ {
+ /* FIXME: handle result of set_initiator_data */
+ /* as initiator, we create a checklist and set the
+ * initiator's data */
+ charon->connect_manager->set_initiator_data(
+ charon->connect_manager,
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->peer_id, this->connect_id, this->connect_key,
+ this->local_endpoints, TRUE);
+ /* FIXME: also start a timer for the whole transaction
+ * (maybe within the connect_manager?) */
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ return SUCCESS;
+}
+
+/**
+ * For mediation server
+ */
+METHOD(task_t, build_i_ms, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case ME_CONNECT:
+ {
+ id_payload_t *id_payload;
+ id_payload = id_payload_create_from_identification(ID_PEER,
+ this->peer_id);
+ message->add_payload(message, (payload_t*)id_payload);
+
+ if (this->callback)
+ {
+ message->add_notify(message, FALSE, ME_CALLBACK, chunk_empty);
+ }
+ else
+ {
+ if (this->response)
+ {
+ message->add_notify(message, FALSE, ME_RESPONSE,
+ chunk_empty);
+ }
+ message->add_notify(message, FALSE, ME_CONNECTID,
+ this->connect_id);
+ message->add_notify(message, FALSE, ME_CONNECTKEY,
+ this->connect_key);
+ add_endpoints_to_message(message, this->remote_endpoints);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * For mediation server
+ */
+METHOD(task_t, process_r_ms, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ {
+ /* FIXME: we should check for SA* and TS* payloads. if there are
+ * any, send NO_ADDITIONAL_SAS back and delete this SA */
+ process_payloads(this, message);
+ return this->mediation ? NEED_MORE : SUCCESS;
+ }
+ case IKE_AUTH:
+ {
+ /* FIXME: we should check whether the current peer_config is
+ * configured as mediation connection */
+ process_payloads(this, message);
+ break;
+ }
+ case CREATE_CHILD_SA:
+ {
+ /* FIXME: if this is not to rekey the IKE SA we have to return a
+ * NO_ADDITIONAL_SAS and then delete the SA */
+ break;
+ }
+ case ME_CONNECT:
+ {
+ id_payload_t *id_payload;
+ id_payload = (id_payload_t*)message->get_payload(message, ID_PEER);
+ if (!id_payload)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ID_PEER payload"
+ ", aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+ this->peer_id = id_payload->get_identification(id_payload);
+
+ process_payloads(this, message);
+
+ if (!this->connect_id.ptr)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTID notify"
+ ", aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+
+ if (!this->connect_key.ptr)
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without ME_CONNECTKEY notify"
+ ", aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+
+ if (!this->remote_endpoints->get_count(this->remote_endpoints))
+ {
+ DBG1(DBG_IKE, "received ME_CONNECT without any ME_ENDPOINT "
+ "payloads, aborting");
+ this->invalid_syntax = TRUE;
+ break;
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ return NEED_MORE;
+}
+
+/**
+ * For mediation server
+ */
+METHOD(task_t, build_r_ms, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ switch(message->get_exchange_type(message))
+ {
+ case IKE_SA_INIT:
+ {
+ message->add_notify(message, FALSE, ME_MEDIATION, chunk_empty);
+ return NEED_MORE;
+ }
+ case IKE_AUTH:
+ {
+ endpoint_notify_t *endpoint;
+ if (this->remote_endpoints->get_first(this->remote_endpoints,
+ (void**)&endpoint) == SUCCESS &&
+ endpoint->get_type(endpoint) == SERVER_REFLEXIVE)
+ {
+ host_t *host = this->ike_sa->get_other_host(this->ike_sa);
+ DBG2(DBG_IKE, "received request for a server reflexive "
+ "endpoint sending: %#H", host);
+ endpoint = endpoint_notify_create_from_host(SERVER_REFLEXIVE,
+ host, NULL);
+ message->add_payload(message, (payload_t*)endpoint->build_notify(endpoint));
+ endpoint->destroy(endpoint);
+ }
+ this->ike_sa->act_as_mediation_server(this->ike_sa);
+ break;
+ }
+ case ME_CONNECT:
+ {
+ if (this->invalid_syntax)
+ {
+ message->add_notify(message, TRUE, INVALID_SYNTAX, chunk_empty);
+ break;
+ }
+
+ ike_sa_id_t *peer_sa;
+ if (this->callback)
+ {
+ peer_sa = charon->mediation_manager->check_and_register(
+ charon->mediation_manager, this->peer_id,
+ this->ike_sa->get_other_id(this->ike_sa));
+ }
+ else
+ {
+ peer_sa = charon->mediation_manager->check(
+ charon->mediation_manager, this->peer_id);
+ }
+
+ if (!peer_sa)
+ {
+ /* the peer is not online */
+ message->add_notify(message, TRUE, ME_CONNECT_FAILED,
+ chunk_empty);
+ break;
+ }
+
+ job_t *job = (job_t*)mediation_job_create(this->peer_id,
+ this->ike_sa->get_other_id(this->ike_sa), this->connect_id,
+ this->connect_key, this->remote_endpoints, this->response);
+ lib->processor->queue_job(lib->processor, job);
+ break;
+ }
+ default:
+ break;
+ }
+ return SUCCESS;
+}
+
+/**
+ * For mediation server
+ */
+METHOD(task_t, process_i_ms, status_t,
+ private_ike_me_t *this, message_t *message)
+{
+ /* FIXME: theoretically we should be prepared to receive a ME_CONNECT_FAILED
+ * here if the responding peer is not able to proceed. in this case we shall
+ * notify the initiating peer with a ME_CONNECT request containing only a
+ * ME_CONNECT_FAILED */
+ return SUCCESS;
+}
+
+METHOD(ike_me_t, me_connect, void,
+ private_ike_me_t *this, identification_t *peer_id)
+{
+ this->peer_id = peer_id->clone(peer_id);
+}
+
+METHOD(ike_me_t, me_respond, void,
+ private_ike_me_t *this, identification_t *peer_id, chunk_t connect_id)
+{
+ this->peer_id = peer_id->clone(peer_id);
+ this->connect_id = chunk_clone(connect_id);
+ this->response = TRUE;
+}
+
+METHOD(ike_me_t, me_callback, void,
+ private_ike_me_t *this, identification_t *peer_id)
+{
+ this->peer_id = peer_id->clone(peer_id);
+ this->callback = TRUE;
+}
+
+METHOD(ike_me_t, relay, void,
+ private_ike_me_t *this, identification_t *requester, chunk_t connect_id,
+ chunk_t connect_key, linked_list_t *endpoints, bool response)
+{
+ this->peer_id = requester->clone(requester);
+ this->connect_id = chunk_clone(connect_id);
+ this->connect_key = chunk_clone(connect_key);
+
+ this->remote_endpoints->destroy_offset(this->remote_endpoints,
+ offsetof(endpoint_notify_t, destroy));
+ this->remote_endpoints = endpoints->clone_offset(endpoints,
+ offsetof(endpoint_notify_t, clone));
+
+ this->response = response;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_me_t *this)
+{
+ return TASK_IKE_ME;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_me_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_me_t *this)
+{
+ DESTROY_IF(this->peer_id);
+
+ chunk_free(&this->connect_id);
+ chunk_free(&this->connect_key);
+
+ this->local_endpoints->destroy_offset(this->local_endpoints,
+ offsetof(endpoint_notify_t, destroy));
+ this->remote_endpoints->destroy_offset(this->remote_endpoints,
+ offsetof(endpoint_notify_t, destroy));
+
+ DESTROY_IF(this->mediated_cfg);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_me_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .connect = _me_connect,
+ .respond = _me_respond,
+ .callback = _me_callback,
+ .relay = _relay,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ .local_endpoints = linked_list_create(),
+ .remote_endpoints = linked_list_create(),
+ );
+
+ if (ike_sa->has_condition(ike_sa, COND_ORIGINAL_INITIATOR))
+ {
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+ }
+ else
+ {
+ /* mediation server */
+ if (initiator)
+ {
+ this->public.task.build = _build_i_ms;
+ this->public.task.process = _process_i_ms;
+ }
+ else
+ {
+ this->public.task.build = _build_r_ms;
+ this->public.task.process = _process_r_ms;
+ }
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_me.h b/src/libcharon/sa/ikev2/tasks/ike_me.h
new file mode 100644
index 000000000..44a4ce69c
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_me.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2007 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_me ike_me
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_ME_H_
+#define IKE_ME_H_
+
+typedef struct ike_me_t ike_me_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_ME, detects and handles IKE-ME extensions.
+ *
+ * This tasks handles the ME_MEDIATION Notify exchange to setup a mediation
+ * connection, allows to initiate mediated connections using ME_CONNECT
+ * exchanges and to request reflexive addresses from the mediation server using
+ * ME_ENDPOINT notifies.
+ *
+ * @note This task has to be activated before the IKE_AUTH task, because that
+ * task generates the IKE_SA_INIT message so that no more payloads can be added
+ * to it afterwards.
+ */
+struct ike_me_t {
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Initiates a connection with another peer (i.e. sends a ME_CONNECT
+ * to the mediation server)
+ *
+ * @param peer_id ID of the other peer (gets cloned)
+ */
+ void (*connect)(ike_me_t *this, identification_t *peer_id);
+
+ /**
+ * Responds to a ME_CONNECT from another peer (i.e. sends a ME_CONNECT
+ * to the mediation server)
+ *
+ * Data gets cloned.
+ *
+ * @param peer_id ID of the other peer
+ * @param connect_id the connect ID as provided by the initiator
+ */
+ void (*respond)(ike_me_t *this, identification_t *peer_id,
+ chunk_t connect_id);
+
+ /**
+ * Sends a ME_CALLBACK to a peer that previously requested some other peer.
+ *
+ * @param peer_id ID of the other peer (gets cloned)
+ */
+ void (*callback)(ike_me_t *this, identification_t *peer_id);
+
+ /**
+ * Relays data to another peer (i.e. sends a ME_CONNECT to the peer)
+ *
+ * Data gets cloned.
+ *
+ * @param requester ID of the requesting peer
+ * @param connect_id content of the ME_CONNECTID notify
+ * @param connect_key content of the ME_CONNECTKEY notify
+ * @param endpoints endpoints
+ * @param response TRUE if this is a response
+ */
+ void (*relay)(ike_me_t *this, identification_t *requester,
+ chunk_t connect_id, chunk_t connect_key,
+ linked_list_t *endpoints, bool response);
+};
+
+/**
+ * Create a new ike_me task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is initiated by us
+ * @return ike_me task to be handled by the task_manager
+ */
+ike_me_t *ike_me_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_ME_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.c b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
new file mode 100644
index 000000000..ae3526f42
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.c
@@ -0,0 +1,670 @@
+/*
+ * Copyright (C) 2010-2012 Tobias Brunner
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_mobike.h"
+
+#include <string.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <sa/ikev2/tasks/ike_natd.h>
+#include <encoding/payloads/notify_payload.h>
+
+#define COOKIE2_SIZE 16
+#define MAX_ADDITIONAL_ADDRS 8
+
+typedef struct private_ike_mobike_t private_ike_mobike_t;
+
+/**
+ * Private members of a ike_mobike_t task.
+ */
+struct private_ike_mobike_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_mobike_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * cookie2 value to verify new addresses
+ */
+ chunk_t cookie2;
+
+ /**
+ * NAT discovery reusing the TASK_IKE_NATD task
+ */
+ ike_natd_t *natd;
+
+ /**
+ * use task to update addresses
+ */
+ bool update;
+
+ /**
+ * do routability check
+ */
+ bool check;
+
+ /**
+ * include address list update
+ */
+ bool address;
+
+ /**
+ * additional addresses got updated
+ */
+ bool addresses_updated;
+};
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_mobike_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ bool first = TRUE;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ int family = AF_INET;
+ notify_payload_t *notify;
+ chunk_t data;
+ host_t *host;
+
+ if (payload->get_type(payload) != NOTIFY)
+ {
+ continue;
+ }
+ notify = (notify_payload_t*)payload;
+ switch (notify->get_notify_type(notify))
+ {
+ case MOBIKE_SUPPORTED:
+ {
+ peer_cfg_t *peer_cfg;
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (!this->initiator &&
+ peer_cfg && !peer_cfg->use_mobike(peer_cfg))
+ {
+ DBG1(DBG_IKE, "peer supports MOBIKE, but disabled in config");
+ }
+ else
+ {
+ DBG1(DBG_IKE, "peer supports MOBIKE");
+ this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
+ }
+ break;
+ }
+ case COOKIE2:
+ {
+ chunk_free(&this->cookie2);
+ this->cookie2 = chunk_clone(notify->get_notification_data(notify));
+ break;
+ }
+ case ADDITIONAL_IP6_ADDRESS:
+ {
+ family = AF_INET6;
+ /* fall through */
+ }
+ case ADDITIONAL_IP4_ADDRESS:
+ {
+ if (first)
+ { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
+ this->ike_sa->clear_peer_addresses(this->ike_sa);
+ first = FALSE;
+ /* add the peer's current address to the list */
+ host = message->get_source(message);
+ this->ike_sa->add_peer_address(this->ike_sa,
+ host->clone(host));
+ }
+ data = notify->get_notification_data(notify);
+ host = host_create_from_chunk(family, data, 0);
+ DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
+ this->ike_sa->add_peer_address(this->ike_sa, host);
+ this->addresses_updated = TRUE;
+ break;
+ }
+ case UPDATE_SA_ADDRESSES:
+ {
+ this->update = TRUE;
+ break;
+ }
+ case NO_ADDITIONAL_ADDRESSES:
+ {
+ this->ike_sa->clear_peer_addresses(this->ike_sa);
+ /* add the peer's current address to the list */
+ host = message->get_source(message);
+ this->ike_sa->add_peer_address(this->ike_sa, host->clone(host));
+ this->addresses_updated = TRUE;
+ break;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ case NAT_DETECTION_DESTINATION_IP:
+ {
+ /* NAT check in this MOBIKE exchange, create subtask for it */
+ if (this->natd == NULL)
+ {
+ this->natd = ike_natd_create(this->ike_sa, this->initiator);
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
+ */
+static void build_address_list(private_ike_mobike_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ host_t *host, *me;
+ notify_type_t type;
+ int added = 0;
+
+ me = this->ike_sa->get_my_host(this->ike_sa);
+ enumerator = hydra->kernel_interface->create_address_enumerator(
+ hydra->kernel_interface, ADDR_TYPE_REGULAR);
+ while (enumerator->enumerate(enumerator, (void**)&host))
+ {
+ if (me->ip_equals(me, host))
+ { /* "ADDITIONAL" means do not include IKE_SAs host */
+ continue;
+ }
+ switch (host->get_family(host))
+ {
+ case AF_INET:
+ type = ADDITIONAL_IP4_ADDRESS;
+ break;
+ case AF_INET6:
+ type = ADDITIONAL_IP6_ADDRESS;
+ break;
+ default:
+ continue;
+ }
+ message->add_notify(message, FALSE, type, host->get_address(host));
+ if (++added >= MAX_ADDITIONAL_ADDRS)
+ { /* limit number of notifys, some implementations do not like too
+ * many of them (f.e. strongSwan ;-) */
+ break;
+ }
+ }
+ if (!added)
+ {
+ message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
+ }
+ enumerator->destroy(enumerator);
+}
+
+/**
+ * build a cookie and add it to the message
+ */
+static bool build_cookie(private_ike_mobike_t *this, message_t *message)
+{
+ rng_t *rng;
+
+ chunk_free(&this->cookie2);
+ rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+ if (!rng || !rng->allocate_bytes(rng, COOKIE2_SIZE, &this->cookie2))
+ {
+ DESTROY_IF(rng);
+ return FALSE;
+ }
+ message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+ rng->destroy(rng);
+ return TRUE;
+}
+
+/**
+ * update addresses of associated CHILD_SAs
+ */
+static void update_children(private_ike_mobike_t *this)
+{
+ enumerator_t *enumerator;
+ child_sa_t *child_sa;
+ linked_list_t *vips;
+ host_t *host;
+
+ vips = linked_list_create();
+
+ enumerator = this->ike_sa->create_virtual_ip_enumerator(this->ike_sa, TRUE);
+ while (enumerator->enumerate(enumerator, &host))
+ {
+ vips->insert_last(vips, host);
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+ while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ {
+ if (child_sa->update(child_sa,
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa), vips,
+ this->ike_sa->has_condition(this->ike_sa,
+ COND_NAT_ANY)) == NOT_SUPPORTED)
+ {
+ this->ike_sa->rekey_child_sa(this->ike_sa,
+ child_sa->get_protocol(child_sa),
+ child_sa->get_spi(child_sa, TRUE));
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ vips->destroy(vips);
+}
+
+/**
+ * Apply the port of the old host, if its ip equals the new, use port otherwise.
+ */
+static void apply_port(host_t *host, host_t *old, u_int16_t port, bool local)
+{
+ if (host->ip_equals(host, old))
+ {
+ port = old->get_port(old);
+ }
+ else if (local && port == charon->socket->get_port(charon->socket, FALSE))
+ {
+ port = charon->socket->get_port(charon->socket, TRUE);
+ }
+ else if (!local && port == IKEV2_UDP_PORT)
+ {
+ port = IKEV2_NATT_PORT;
+ }
+ host->set_port(host, port);
+}
+
+METHOD(ike_mobike_t, transmit, void,
+ private_ike_mobike_t *this, packet_t *packet)
+{
+ host_t *me, *other, *me_old, *other_old;
+ enumerator_t *enumerator;
+ ike_cfg_t *ike_cfg;
+ packet_t *copy;
+
+ if (!this->check)
+ {
+ return;
+ }
+
+ me_old = this->ike_sa->get_my_host(this->ike_sa);
+ other_old = this->ike_sa->get_other_host(this->ike_sa);
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+ enumerator = this->ike_sa->create_peer_address_enumerator(this->ike_sa);
+ while (enumerator->enumerate(enumerator, (void**)&other))
+ {
+ me = hydra->kernel_interface->get_source_addr(
+ hydra->kernel_interface, other, NULL);
+ if (me)
+ {
+ if (me->get_family(me) != other->get_family(other))
+ {
+ me->destroy(me);
+ continue;
+ }
+ /* reuse port for an active address, 4500 otherwise */
+ apply_port(me, me_old, ike_cfg->get_my_port(ike_cfg), TRUE);
+ other = other->clone(other);
+ apply_port(other, other_old, ike_cfg->get_other_port(ike_cfg), FALSE);
+ DBG1(DBG_IKE, "checking path %#H - %#H", me, other);
+ copy = packet->clone(packet);
+ copy->set_source(copy, me);
+ copy->set_destination(copy, other);
+ charon->sender->send(charon->sender, copy);
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_mobike_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ message->get_message_id(message) == 1)
+ { /* only in first IKE_AUTH */
+ message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+ build_address_list(this, message);
+ }
+ else if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ host_t *old, *new;
+
+ /* we check if the existing address is still valid */
+ old = message->get_source(message);
+ new = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+ message->get_destination(message), old);
+ if (new)
+ {
+ if (!new->ip_equals(new, old))
+ {
+ new->set_port(new, old->get_port(old));
+ message->set_source(message, new);
+ }
+ else
+ {
+ new->destroy(new);
+ }
+ }
+ if (this->update)
+ {
+ message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES,
+ chunk_empty);
+ if (!build_cookie(this, message))
+ {
+ return FAILED;
+ }
+ update_children(this);
+ }
+ if (this->address && !this->check)
+ {
+ build_address_list(this, message);
+ }
+ if (this->natd)
+ {
+ this->natd->task.build(&this->natd->task, message);
+ }
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_mobike_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ message->get_message_id(message) == 1)
+ { /* only first IKE_AUTH */
+ process_payloads(this, message);
+ }
+ else if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ process_payloads(this, message);
+ if (this->update)
+ {
+ host_t *me, *other;
+
+ me = message->get_destination(message);
+ other = message->get_source(message);
+ this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
+ this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+ }
+
+ if (this->natd)
+ {
+ this->natd->task.process(&this->natd->task, message);
+ }
+ if (this->addresses_updated && this->ike_sa->has_condition(this->ike_sa,
+ COND_ORIGINAL_INITIATOR))
+ {
+ host_t *other = message->get_source(message);
+ host_t *other_old = this->ike_sa->get_other_host(this->ike_sa);
+ if (!other->equals(other, other_old))
+ {
+ DBG1(DBG_IKE, "remote address changed from %H to %H", other_old,
+ other);
+ this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
+ this->update = TRUE;
+ }
+ }
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_mobike_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ {
+ if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
+ {
+ message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
+ build_address_list(this, message);
+ }
+ return SUCCESS;
+ }
+ else if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ if (this->natd)
+ {
+ this->natd->task.build(&this->natd->task, message);
+ }
+ if (this->cookie2.ptr)
+ {
+ message->add_notify(message, FALSE, COOKIE2, this->cookie2);
+ chunk_free(&this->cookie2);
+ }
+ if (this->update)
+ {
+ update_children(this);
+ }
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_mobike_t *this, message_t *message)
+{
+ if (message->get_exchange_type(message) == IKE_AUTH &&
+ this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED)
+ {
+ process_payloads(this, message);
+ return SUCCESS;
+ }
+ else if (message->get_exchange_type(message) == INFORMATIONAL)
+ {
+ u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
+ this->ike_sa->set_pending_updates(this->ike_sa, updates);
+ if (updates > 0)
+ {
+ /* newer update queued, ignore this one */
+ return SUCCESS;
+ }
+ if (this->cookie2.ptr)
+ { /* check cookie if we included one */
+ chunk_t cookie2;
+
+ cookie2 = this->cookie2;
+ this->cookie2 = chunk_empty;
+ process_payloads(this, message);
+ if (!chunk_equals(cookie2, this->cookie2))
+ {
+ chunk_free(&cookie2);
+ DBG1(DBG_IKE, "COOKIE2 mismatch, closing IKE_SA");
+ return FAILED;
+ }
+ chunk_free(&cookie2);
+ }
+ else
+ {
+ process_payloads(this, message);
+ }
+ if (this->natd)
+ {
+ this->natd->task.process(&this->natd->task, message);
+ if (this->natd->has_mapping_changed(this->natd))
+ {
+ /* force an update if mappings have changed */
+ this->update = this->check = TRUE;
+ DBG1(DBG_IKE, "detected changes in NAT mappings, "
+ "initiating MOBIKE update");
+ }
+ }
+ if (this->update)
+ {
+ /* update again, as NAT state may have changed */
+ update_children(this);
+ }
+ if (this->check)
+ {
+ host_t *me_new, *me_old, *other_new, *other_old;
+
+ me_new = message->get_destination(message);
+ other_new = message->get_source(message);
+ me_old = this->ike_sa->get_my_host(this->ike_sa);
+ other_old = this->ike_sa->get_other_host(this->ike_sa);
+
+ if (!me_new->equals(me_new, me_old))
+ {
+ this->update = TRUE;
+ this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
+ }
+ if (!other_new->equals(other_new, other_old))
+ {
+ this->update = TRUE;
+ this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
+ }
+ if (this->update)
+ {
+ /* use the same task to ... */
+ if (!this->ike_sa->has_condition(this->ike_sa,
+ COND_ORIGINAL_INITIATOR))
+ { /*... send an updated list of addresses as responder */
+ update_children(this);
+ this->update = FALSE;
+ }
+ else
+ { /* ... send the update as original initiator */
+ if (this->natd)
+ {
+ this->natd->task.destroy(&this->natd->task);
+ }
+ this->natd = ike_natd_create(this->ike_sa, this->initiator);
+ }
+ this->check = FALSE;
+ this->ike_sa->set_pending_updates(this->ike_sa, 1);
+ return NEED_MORE;
+ }
+ }
+ return SUCCESS;
+ }
+ return NEED_MORE;
+}
+
+METHOD(ike_mobike_t, addresses, void,
+ private_ike_mobike_t *this)
+{
+ this->address = TRUE;
+ this->ike_sa->set_pending_updates(this->ike_sa,
+ this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+METHOD(ike_mobike_t, roam, void,
+ private_ike_mobike_t *this, bool address)
+{
+ this->check = TRUE;
+ this->address = address;
+ this->ike_sa->set_pending_updates(this->ike_sa,
+ this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+METHOD(ike_mobike_t, dpd, void,
+ private_ike_mobike_t *this)
+{
+ if (!this->natd)
+ {
+ this->natd = ike_natd_create(this->ike_sa, this->initiator);
+ }
+ this->ike_sa->set_pending_updates(this->ike_sa,
+ this->ike_sa->get_pending_updates(this->ike_sa) + 1);
+}
+
+METHOD(ike_mobike_t, is_probing, bool,
+ private_ike_mobike_t *this)
+{
+ return this->check;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_mobike_t *this)
+{
+ return TASK_IKE_MOBIKE;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_mobike_t *this, ike_sa_t *ike_sa)
+{
+ chunk_free(&this->cookie2);
+ this->ike_sa = ike_sa;
+ if (this->natd)
+ {
+ this->natd->task.migrate(&this->natd->task, ike_sa);
+ }
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_mobike_t *this)
+{
+ chunk_free(&this->cookie2);
+ if (this->natd)
+ {
+ this->natd->task.destroy(&this->natd->task);
+ }
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_mobike_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .addresses = _addresses,
+ .roam = _roam,
+ .dpd = _dpd,
+ .transmit = _transmit,
+ .is_probing = _is_probing,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mobike.h b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
new file mode 100644
index 000000000..3b447af51
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mobike.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_mobike ike_mobike
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_MOBIKE_H_
+#define IKE_MOBIKE_H_
+
+typedef struct ike_mobike_t ike_mobike_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+#include <utils/packet.h>
+
+/**
+ * Task of type ike_mobike, detects and handles MOBIKE extension.
+ *
+ * The MOBIKE extension is defined in RFC4555. It allows to update IKE
+ * and IPsec tunnel addresses.
+ * This tasks handles the MOBIKE_SUPPORTED notify exchange to detect MOBIKE
+ * support, allows the exchange of ADDITIONAL_*_ADDRESS to exchange additional
+ * endpoints and handles the UPDATE_SA_ADDRESS notify to finally update
+ * endpoints.
+ */
+struct ike_mobike_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Use the task to update the list of additional addresses.
+ */
+ void (*addresses)(ike_mobike_t *this);
+
+ /**
+ * Use the task to roam to other addresses.
+ *
+ * @param address TRUE to include address list update
+ */
+ void (*roam)(ike_mobike_t *this, bool address);
+
+ /**
+ * Use the task for a DPD check which detects changes in NAT mappings.
+ */
+ void (*dpd)(ike_mobike_t *this);
+
+ /**
+ * Transmision hook, called by task manager.
+ *
+ * The task manager calls this hook whenever it transmits a packet. It
+ * allows the mobike task to send the packet on multiple paths to do path
+ * probing.
+ *
+ * @param packet the packet to transmit
+ */
+ void (*transmit)(ike_mobike_t *this, packet_t *packet);
+
+ /**
+ * Check if this task is probing for routability.
+ *
+ * @return TRUE if task is probing
+ */
+ bool (*is_probing)(ike_mobike_t *this);
+};
+
+/**
+ * Create a new ike_mobike task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if taks is initiated by us
+ * @return ike_mobike task to handle by the task_manager
+ */
+ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_MOBIKE_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.c b/src/libcharon/sa/ikev2/tasks/ike_natd.c
new file mode 100644
index 000000000..0a93db9ed
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.c
@@ -0,0 +1,472 @@
+/*
+ * Copyright (C) 2006-2007 Martin Willi
+ * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_natd.h"
+
+#include <string.h>
+
+#include <hydra.h>
+#include <daemon.h>
+#include <config/peer_cfg.h>
+#include <crypto/hashers/hasher.h>
+#include <encoding/payloads/notify_payload.h>
+
+
+typedef struct private_ike_natd_t private_ike_natd_t;
+
+/**
+ * Private members of a ike_natd_t task.
+ */
+struct private_ike_natd_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_natd_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * Hasher used to build NAT detection hashes
+ */
+ hasher_t *hasher;
+
+ /**
+ * Did we process any NAT detection notifys for a source address?
+ */
+ bool src_seen;
+
+ /**
+ * Did we process any NAT detection notifys for a destination address?
+ */
+ bool dst_seen;
+
+ /**
+ * Have we found a matching source address NAT hash?
+ */
+ bool src_matched;
+
+ /**
+ * Have we found a matching destination address NAT hash?
+ */
+ bool dst_matched;
+
+ /**
+ * whether NAT mappings for our NATed address has changed
+ */
+ bool mapping_changed;
+};
+
+
+/**
+ * Build NAT detection hash for a host
+ */
+static chunk_t generate_natd_hash(private_ike_natd_t *this,
+ ike_sa_id_t *ike_sa_id, host_t *host)
+{
+ chunk_t natd_chunk, spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk;
+ chunk_t natd_hash;
+ u_int64_t spi_i, spi_r;
+ u_int16_t port;
+
+ /* prepare all required chunks */
+ spi_i = ike_sa_id->get_initiator_spi(ike_sa_id);
+ spi_r = ike_sa_id->get_responder_spi(ike_sa_id);
+ spi_i_chunk.ptr = (void*)&spi_i;
+ spi_i_chunk.len = sizeof(spi_i);
+ spi_r_chunk.ptr = (void*)&spi_r;
+ spi_r_chunk.len = sizeof(spi_r);
+ port = htons(host->get_port(host));
+ port_chunk.ptr = (void*)&port;
+ port_chunk.len = sizeof(port);
+ addr_chunk = host->get_address(host);
+
+ /* natd_hash = SHA1( spi_i | spi_r | address | port ) */
+ natd_chunk = chunk_cat("cccc", spi_i_chunk, spi_r_chunk, addr_chunk, port_chunk);
+ if (!this->hasher->allocate_hash(this->hasher, natd_chunk, &natd_hash))
+ {
+ natd_hash = chunk_empty;
+ }
+ DBG3(DBG_IKE, "natd_chunk %B", &natd_chunk);
+ DBG3(DBG_IKE, "natd_hash %B", &natd_hash);
+
+ chunk_free(&natd_chunk);
+ return natd_hash;
+}
+
+/**
+ * build a faked NATD payload to enforce UDP encap
+ */
+static chunk_t generate_natd_hash_faked(private_ike_natd_t *this)
+{
+ rng_t *rng;
+ chunk_t chunk;
+
+ rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+ if (!rng || !rng->allocate_bytes(rng, HASH_SIZE_SHA1, &chunk))
+ {
+ DBG1(DBG_IKE, "unable to get random bytes for NATD fake");
+ DESTROY_IF(rng);
+ return chunk_empty;
+ }
+ rng->destroy(rng);
+ return chunk;
+}
+
+/**
+ * Build a NAT detection notify payload.
+ */
+static notify_payload_t *build_natd_payload(private_ike_natd_t *this,
+ notify_type_t type, host_t *host)
+{
+ chunk_t hash;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+ ike_cfg_t *config;
+
+ ike_sa_id = this->ike_sa->get_id(this->ike_sa);
+ config = this->ike_sa->get_ike_cfg(this->ike_sa);
+ if (config->force_encap(config) && type == NAT_DETECTION_SOURCE_IP)
+ {
+ hash = generate_natd_hash_faked(this);
+ }
+ else
+ {
+ hash = generate_natd_hash(this, ike_sa_id, host);
+ }
+ if (!hash.len)
+ {
+ return NULL;
+ }
+ notify = notify_payload_create(NOTIFY);
+ notify->set_notify_type(notify, type);
+ notify->set_notification_data(notify, hash);
+ chunk_free(&hash);
+
+ return notify;
+}
+
+/**
+ * read notifys from message and evaluate them
+ */
+static void process_payloads(private_ike_natd_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ notify_payload_t *notify;
+ chunk_t hash, src_hash, dst_hash;
+ ike_sa_id_t *ike_sa_id;
+ host_t *me, *other;
+ ike_cfg_t *config;
+
+ /* Precompute NAT-D hashes for incoming NAT notify comparison */
+ ike_sa_id = message->get_ike_sa_id(message);
+ me = message->get_destination(message);
+ other = message->get_source(message);
+ dst_hash = generate_natd_hash(this, ike_sa_id, me);
+ src_hash = generate_natd_hash(this, ike_sa_id, other);
+
+ DBG3(DBG_IKE, "precalculated src_hash %B", &src_hash);
+ DBG3(DBG_IKE, "precalculated dst_hash %B", &dst_hash);
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) != NOTIFY)
+ {
+ continue;
+ }
+ notify = (notify_payload_t*)payload;
+ switch (notify->get_notify_type(notify))
+ {
+ case NAT_DETECTION_DESTINATION_IP:
+ {
+ this->dst_seen = TRUE;
+ hash = notify->get_notification_data(notify);
+ if (!this->dst_matched)
+ {
+ DBG3(DBG_IKE, "received dst_hash %B", &hash);
+ if (chunk_equals(hash, dst_hash))
+ {
+ this->dst_matched = TRUE;
+ }
+ }
+ /* RFC4555 says we should also compare against IKE_SA_INIT
+ * NATD payloads, but this does not work: We are running
+ * there at port 500, but use 4500 afterwards... */
+ if (message->get_exchange_type(message) == INFORMATIONAL &&
+ this->initiator && !this->dst_matched)
+ {
+ this->mapping_changed = this->ike_sa->has_mapping_changed(
+ this->ike_sa, hash);
+ }
+ break;
+ }
+ case NAT_DETECTION_SOURCE_IP:
+ {
+ this->src_seen = TRUE;
+ if (!this->src_matched)
+ {
+ hash = notify->get_notification_data(notify);
+ DBG3(DBG_IKE, "received src_hash %B", &hash);
+ if (chunk_equals(hash, src_hash))
+ {
+ this->src_matched = TRUE;
+ }
+ }
+ break;
+ }
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ chunk_free(&src_hash);
+ chunk_free(&dst_hash);
+
+ if (this->src_seen && this->dst_seen)
+ {
+ this->ike_sa->enable_extension(this->ike_sa, EXT_NATT);
+
+ this->ike_sa->set_condition(this->ike_sa, COND_NAT_HERE,
+ !this->dst_matched);
+ this->ike_sa->set_condition(this->ike_sa, COND_NAT_THERE,
+ !this->src_matched);
+ config = this->ike_sa->get_ike_cfg(this->ike_sa);
+ if (this->dst_matched && this->src_matched &&
+ config->force_encap(config))
+ {
+ this->ike_sa->set_condition(this->ike_sa, COND_NAT_FAKE, TRUE);
+ }
+ }
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_natd_t *this, message_t *message)
+{
+ process_payloads(this, message);
+
+ if (message->get_exchange_type(message) == IKE_SA_INIT)
+ {
+ peer_cfg_t *peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ if (this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY) ||
+ /* if peer supports NAT-T, we switch to port 4500 even
+ * if no NAT is detected. can't be done later (when we would know
+ * whether the peer supports MOBIKE) because there would be no
+ * exchange to actually do the switch (other than a forced DPD). */
+ (peer_cfg->use_mobike(peer_cfg) &&
+ this->ike_sa->supports_extension(this->ike_sa, EXT_NATT)))
+ {
+ this->ike_sa->float_ports(this->ike_sa);
+ }
+ }
+
+ return SUCCESS;
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_natd_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ enumerator_t *enumerator;
+ ike_cfg_t *ike_cfg;
+ host_t *host;
+
+ if (this->hasher == NULL)
+ {
+ DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
+ return NEED_MORE;
+ }
+
+ ike_cfg = this->ike_sa->get_ike_cfg(this->ike_sa);
+
+ /* destination is always set */
+ host = message->get_destination(message);
+ notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, host);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+
+ /* source may be any, we have 3 possibilities to get our source address:
+ * 1. It is defined in the config => use the one of the IKE_SA
+ * 2. We do a routing lookup in the kernel interface
+ * 3. Include all possbile addresses
+ */
+ host = message->get_source(message);
+ if (!host->is_anyaddr(host) || ike_cfg->force_encap(ike_cfg))
+ { /* 1. or if we force UDP encap, as it doesn't matter if it's %any */
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+ }
+ else
+ {
+ host = hydra->kernel_interface->get_source_addr(hydra->kernel_interface,
+ this->ike_sa->get_other_host(this->ike_sa), NULL);
+ if (host)
+ { /* 2. */
+ host->set_port(host, ike_cfg->get_my_port(ike_cfg));
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+ host->destroy(host);
+ }
+ else
+ { /* 3. */
+ enumerator = hydra->kernel_interface->create_address_enumerator(
+ hydra->kernel_interface, ADDR_TYPE_REGULAR);
+ while (enumerator->enumerate(enumerator, (void**)&host))
+ {
+ /* apply port 500 to host, but work on a copy */
+ host = host->clone(host);
+ host->set_port(host, ike_cfg->get_my_port(ike_cfg));
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, host);
+ host->destroy(host);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_natd_t *this, message_t *message)
+{
+ notify_payload_t *notify;
+ host_t *me, *other;
+
+ /* only add notifies on successful responses. */
+ if (message->get_exchange_type(message) == IKE_SA_INIT &&
+ message->get_payload(message, SECURITY_ASSOCIATION) == NULL)
+ {
+ return SUCCESS;
+ }
+
+ if (this->src_seen && this->dst_seen)
+ {
+ if (this->hasher == NULL)
+ {
+ DBG1(DBG_IKE, "unable to build NATD payloads, SHA1 not supported");
+ return SUCCESS;
+ }
+
+ /* initiator seems to support NAT detection, add response */
+ me = message->get_source(message);
+ notify = build_natd_payload(this, NAT_DETECTION_SOURCE_IP, me);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+ other = message->get_destination(message);
+ notify = build_natd_payload(this, NAT_DETECTION_DESTINATION_IP, other);
+ if (notify)
+ {
+ message->add_payload(message, (payload_t*)notify);
+ }
+ }
+ return SUCCESS;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_natd_t *this, message_t *message)
+{
+ process_payloads(this, message);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_natd_t *this)
+{
+ return TASK_IKE_NATD;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_natd_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+ this->src_seen = FALSE;
+ this->dst_seen = FALSE;
+ this->src_matched = FALSE;
+ this->dst_matched = FALSE;
+ this->mapping_changed = FALSE;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_natd_t *this)
+{
+ DESTROY_IF(this->hasher);
+ free(this);
+}
+
+METHOD(ike_natd_t, has_mapping_changed, bool,
+ private_ike_natd_t *this)
+{
+ return this->mapping_changed;
+}
+
+/*
+ * Described in header.
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_natd_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .has_mapping_changed = _has_mapping_changed,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
+ );
+
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+ else
+ {
+ this->public.task.build = _build_r;
+ this->public.task.process = _process_r;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_natd.h b/src/libcharon/sa/ikev2/tasks/ike_natd.h
new file mode 100644
index 000000000..9c571b8e6
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_natd.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_natd ike_natd
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_NATD_H_
+#define IKE_NATD_H_
+
+typedef struct ike_natd_t ike_natd_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_natd, detects NAT situation in IKE_SA_INIT exchange.
+ */
+struct ike_natd_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Check if the NAT mapping has changed for our address.
+ *
+ * MOBIKE uses NAT payloads in DPD to detect changes in the NAT mappings.
+ *
+ * @return TRUE if mappings have changed
+ */
+ bool (*has_mapping_changed)(ike_natd_t *this);
+};
+
+/**
+ * Create a new ike_natd task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is the original initiator
+ * @return ike_natd task to handle by the task_manager
+ */
+ike_natd_t *ike_natd_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_NATD_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.c b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
new file mode 100644
index 000000000..6f90339ea
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.c
@@ -0,0 +1,110 @@
+/*
+ * Copyright (C) 2006-2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_reauth.h"
+
+#include <daemon.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+
+
+typedef struct private_ike_reauth_t private_ike_reauth_t;
+
+/**
+ * Private members of a ike_reauth_t task.
+ */
+struct private_ike_reauth_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_reauth_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * reused ike_delete task
+ */
+ ike_delete_t *ike_delete;
+};
+
+METHOD(task_t, build_i, status_t,
+ private_ike_reauth_t *this, message_t *message)
+{
+ return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_reauth_t *this, message_t *message)
+{
+ /* process delete response first */
+ this->ike_delete->task.process(&this->ike_delete->task, message);
+
+ /* reestablish the IKE_SA with all children */
+ if (this->ike_sa->reestablish(this->ike_sa) != SUCCESS)
+ {
+ DBG1(DBG_IKE, "reauthenticating IKE_SA failed");
+ return FAILED;
+ }
+
+ /* we always destroy the obsolete IKE_SA */
+ return DESTROY_ME;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_reauth_t *this)
+{
+ return TASK_IKE_REAUTH;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_reauth_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_delete->task.migrate(&this->ike_delete->task, ike_sa);
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_reauth_t *this)
+{
+ this->ike_delete->task.destroy(&this->ike_delete->task);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa)
+{
+ private_ike_reauth_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .migrate = _migrate,
+ .build = _build_i,
+ .process = _process_i,
+ .destroy = _destroy,
+ },
+ },
+ .ike_sa = ike_sa,
+ .ike_delete = ike_delete_create(ike_sa, TRUE),
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_reauth.h b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
new file mode 100644
index 000000000..781b463a7
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_reauth.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_reauth ike_reauth
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REAUTH_H_
+#define IKE_REAUTH_H_
+
+typedef struct ike_reauth_t ike_reauth_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type ike_reauth, reestablishes an IKE_SA.
+ */
+struct ike_reauth_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+};
+
+/**
+ * Create a new ike_reauth task.
+ *
+ * This task is initiator only.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @return ike_reauth task to handle by the task_manager
+ */
+ike_reauth_t *ike_reauth_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_REAUTH_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.c b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
new file mode 100644
index 000000000..c3c6cf00e
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.c
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) 2005-2008 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_rekey.h"
+
+#include <daemon.h>
+#include <encoding/payloads/notify_payload.h>
+#include <sa/ikev2/tasks/ike_init.h>
+#include <sa/ikev2/tasks/ike_delete.h>
+#include <processing/jobs/delete_ike_sa_job.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+
+
+typedef struct private_ike_rekey_t private_ike_rekey_t;
+
+/**
+ * Private members of a ike_rekey_t task.
+ */
+struct private_ike_rekey_t {
+
+ /**
+ * Public methods and task_t interface.
+ */
+ ike_rekey_t public;
+
+ /**
+ * Assigned IKE_SA.
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * New IKE_SA which replaces the current one
+ */
+ ike_sa_t *new_sa;
+
+ /**
+ * Are we the initiator?
+ */
+ bool initiator;
+
+ /**
+ * the TASK_IKE_INIT task which is reused to simplify rekeying
+ */
+ ike_init_t *ike_init;
+
+ /**
+ * IKE_DELETE task to delete the old IKE_SA after rekeying was successful
+ */
+ ike_delete_t *ike_delete;
+
+ /**
+ * colliding task detected by the task manager
+ */
+ task_t *collision;
+};
+
+/**
+ * Establish the new replacement IKE_SA
+ */
+static void establish_new(private_ike_rekey_t *this)
+{
+ if (this->new_sa)
+ {
+ this->new_sa->set_state(this->new_sa, IKE_ESTABLISHED);
+ DBG0(DBG_IKE, "IKE_SA %s[%d] rekeyed between %H[%Y]...%H[%Y]",
+ this->new_sa->get_name(this->new_sa),
+ this->new_sa->get_unique_id(this->new_sa),
+ this->ike_sa->get_my_host(this->ike_sa),
+ this->ike_sa->get_my_id(this->ike_sa),
+ this->ike_sa->get_other_host(this->ike_sa),
+ this->ike_sa->get_other_id(this->ike_sa));
+
+ this->new_sa->inherit(this->new_sa, this->ike_sa);
+ charon->bus->ike_rekey(charon->bus, this->ike_sa, this->new_sa);
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, this->new_sa);
+ this->new_sa = NULL;
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+}
+
+METHOD(task_t, process_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ establish_new(this);
+ return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_r_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ /* update exchange type to INFORMATIONAL for the delete */
+ message->set_exchange_type(message, INFORMATIONAL);
+
+ return this->ike_delete->task.build(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, process_i_delete, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ return this->ike_delete->task.process(&this->ike_delete->task, message);
+}
+
+METHOD(task_t, build_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ ike_version_t version;
+ peer_cfg_t *peer_cfg;
+ host_t *other_host;
+
+ /* create new SA only on first try */
+ if (this->new_sa == NULL)
+ {
+ version = this->ike_sa->get_version(this->ike_sa);
+ this->new_sa = charon->ike_sa_manager->checkout_new(
+ charon->ike_sa_manager, version, TRUE);
+ if (!this->new_sa)
+ { /* shouldn't happen */
+ return FAILED;
+ }
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ other_host = this->ike_sa->get_other_host(this->ike_sa);
+ this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+ this->new_sa->set_other_host(this->new_sa, other_host->clone(other_host));
+ this->ike_init = ike_init_create(this->new_sa, TRUE, this->ike_sa);
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+ }
+ this->ike_init->task.build(&this->ike_init->task, message);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ peer_cfg_t *peer_cfg;
+ child_sa_t *child_sa;
+
+ if (this->ike_sa->get_state(this->ike_sa) == IKE_DELETING)
+ {
+ DBG1(DBG_IKE, "peer initiated rekeying, but we are deleting");
+ return NEED_MORE;
+ }
+
+ enumerator = this->ike_sa->create_child_sa_enumerator(this->ike_sa);
+ while (enumerator->enumerate(enumerator, (void**)&child_sa))
+ {
+ switch (child_sa->get_state(child_sa))
+ {
+ case CHILD_CREATED:
+ case CHILD_REKEYING:
+ case CHILD_DELETING:
+ /* we do not allow rekeying while we have children in-progress */
+ DBG1(DBG_IKE, "peer initiated rekeying, but a child is half-open");
+ enumerator->destroy(enumerator);
+ return NEED_MORE;
+ default:
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ this->new_sa = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+ this->ike_sa->get_version(this->ike_sa), FALSE);
+ if (!this->new_sa)
+ { /* shouldn't happen */
+ return FAILED;
+ }
+
+ peer_cfg = this->ike_sa->get_peer_cfg(this->ike_sa);
+ this->new_sa->set_peer_cfg(this->new_sa, peer_cfg);
+ this->ike_init = ike_init_create(this->new_sa, FALSE, this->ike_sa);
+ this->ike_init->task.process(&this->ike_init->task, message);
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, build_r, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ if (this->new_sa == NULL)
+ {
+ /* IKE_SA/a CHILD_SA is in an inacceptable state, deny rekeying */
+ message->add_notify(message, TRUE, NO_PROPOSAL_CHOSEN, chunk_empty);
+ return SUCCESS;
+ }
+
+ if (this->ike_init->task.build(&this->ike_init->task, message) == FAILED)
+ {
+ return SUCCESS;
+ }
+
+ this->ike_sa->set_state(this->ike_sa, IKE_REKEYING);
+
+ /* rekeying successful, delete the IKE_SA using a subtask */
+ this->ike_delete = ike_delete_create(this->ike_sa, FALSE);
+ this->public.task.build = _build_r_delete;
+ this->public.task.process = _process_r_delete;
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, process_i, status_t,
+ private_ike_rekey_t *this, message_t *message)
+{
+ if (message->get_notify(message, NO_ADDITIONAL_SAS))
+ {
+ DBG1(DBG_IKE, "peer seems to not support IKE rekeying, "
+ "starting reauthentication");
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ lib->processor->queue_job(lib->processor,
+ (job_t*)rekey_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), TRUE));
+ return SUCCESS;
+ }
+
+ switch (this->ike_init->task.process(&this->ike_init->task, message))
+ {
+ case FAILED:
+ /* rekeying failed, fallback to old SA */
+ if (!(this->collision && (
+ this->collision->get_type(this->collision) == TASK_IKE_DELETE ||
+ this->collision->get_type(this->collision) == TASK_IKE_REAUTH)))
+ {
+ job_t *job;
+ u_int32_t retry = RETRY_INTERVAL - (random() % RETRY_JITTER);
+ job = (job_t*)rekey_ike_sa_job_create(
+ this->ike_sa->get_id(this->ike_sa), FALSE);
+ DBG1(DBG_IKE, "IKE_SA rekeying failed, "
+ "trying again in %d seconds", retry);
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ lib->scheduler->schedule_job(lib->scheduler, job, retry);
+ }
+ return SUCCESS;
+ case NEED_MORE:
+ /* bad dh group, try again */
+ this->ike_init->task.migrate(&this->ike_init->task, this->new_sa);
+ return NEED_MORE;
+ default:
+ break;
+ }
+
+ /* check for collisions */
+ if (this->collision &&
+ this->collision->get_type(this->collision) == TASK_IKE_REKEY)
+ {
+ private_ike_rekey_t *other = (private_ike_rekey_t*)this->collision;
+
+ /* ike_init can be NULL, if child_sa is half-open */
+ if (other->ike_init)
+ {
+ host_t *host;
+ chunk_t this_nonce, other_nonce;
+
+ this_nonce = this->ike_init->get_lower_nonce(this->ike_init);
+ other_nonce = other->ike_init->get_lower_nonce(other->ike_init);
+
+ /* if we have the lower nonce, delete rekeyed SA. If not, delete
+ * the redundant. */
+ if (memcmp(this_nonce.ptr, other_nonce.ptr,
+ min(this_nonce.len, other_nonce.len)) > 0)
+ {
+ /* peer should delete this SA. Add a timeout just in case. */
+ job_t *job = (job_t*)delete_ike_sa_job_create(
+ other->new_sa->get_id(other->new_sa), TRUE);
+ lib->scheduler->schedule_job(lib->scheduler, job, 10);
+ DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete");
+ charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa);
+ other->new_sa = NULL;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "IKE_SA rekey collision lost, "
+ "deleting redundant IKE_SA");
+ /* apply host for a proper delete */
+ host = this->ike_sa->get_my_host(this->ike_sa);
+ this->new_sa->set_my_host(this->new_sa, host->clone(host));
+ host = this->ike_sa->get_other_host(this->ike_sa);
+ this->new_sa->set_other_host(this->new_sa, host->clone(host));
+ this->ike_sa->set_state(this->ike_sa, IKE_ESTABLISHED);
+ this->new_sa->set_state(this->new_sa, IKE_REKEYING);
+ if (this->new_sa->delete(this->new_sa) == DESTROY_ME)
+ {
+ this->new_sa->destroy(this->new_sa);
+ }
+ else
+ {
+ charon->ike_sa_manager->checkin(
+ charon->ike_sa_manager, this->new_sa);
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+ this->new_sa = NULL;
+ establish_new(other);
+ return SUCCESS;
+ }
+ }
+ /* set threads active IKE_SA after checkin */
+ charon->bus->set_sa(charon->bus, this->ike_sa);
+ }
+
+ establish_new(this);
+
+ /* rekeying successful, delete the IKE_SA using a subtask */
+ this->ike_delete = ike_delete_create(this->ike_sa, TRUE);
+ this->public.task.build = _build_i_delete;
+ this->public.task.process = _process_i_delete;
+
+ return NEED_MORE;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_rekey_t *this)
+{
+ return TASK_IKE_REKEY;
+}
+
+METHOD(ike_rekey_t, collide, void,
+ private_ike_rekey_t* this, task_t *other)
+{
+ DBG1(DBG_IKE, "detected %N collision with %N", task_type_names,
+ TASK_IKE_REKEY, task_type_names, other->get_type(other));
+ DESTROY_IF(this->collision);
+ this->collision = other;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_rekey_t *this, ike_sa_t *ike_sa)
+{
+ if (this->ike_init)
+ {
+ this->ike_init->task.destroy(&this->ike_init->task);
+ }
+ if (this->ike_delete)
+ {
+ this->ike_delete->task.destroy(&this->ike_delete->task);
+ }
+ DESTROY_IF(this->new_sa);
+ DESTROY_IF(this->collision);
+
+ this->collision = NULL;
+ this->ike_sa = ike_sa;
+ this->new_sa = NULL;
+ this->ike_init = NULL;
+ this->ike_delete = NULL;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_rekey_t *this)
+{
+ if (this->ike_init)
+ {
+ this->ike_init->task.destroy(&this->ike_init->task);
+ }
+ if (this->ike_delete)
+ {
+ this->ike_delete->task.destroy(&this->ike_delete->task);
+ }
+ DESTROY_IF(this->new_sa);
+ DESTROY_IF(this->collision);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_rekey_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .get_type = _get_type,
+ .build = _build_r,
+ .process = _process_r,
+ .migrate = _migrate,
+ .destroy = _destroy,
+ },
+ .collide = _collide,
+ },
+ .ike_sa = ike_sa,
+ .initiator = initiator,
+ );
+ if (initiator)
+ {
+ this->public.task.build = _build_i;
+ this->public.task.process = _process_i;
+ }
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_rekey.h b/src/libcharon/sa/ikev2/tasks/ike_rekey.h
new file mode 100644
index 000000000..6a12e9034
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_rekey.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_rekey ike_rekey
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_REKEY_H_
+#define IKE_REKEY_H_
+
+typedef struct ike_rekey_t ike_rekey_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_REKEY, rekey an established IKE_SA.
+ */
+struct ike_rekey_t {
+
+ /**
+ * Implements the task_t interface
+ */
+ task_t task;
+
+ /**
+ * Register a rekeying task which collides with this one.
+ *
+ * If two peers initiate rekeying at the same time, the collision must
+ * be handled gracefully. The task manager is aware of what exchanges
+ * are going on and notifies the outgoing task by passing the incoming.
+ *
+ * @param other incoming task
+ */
+ void (*collide)(ike_rekey_t* this, task_t *other);
+};
+
+/**
+ * Create a new TASK_IKE_REKEY task.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE for initiator, FALSE for responder
+ * @return TASK_IKE_REKEY task to handle by the task_manager
+ */
+ike_rekey_t *ike_rekey_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_REKEY_H_ @}*/
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.c b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
new file mode 100644
index 000000000..2730f5876
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.c
@@ -0,0 +1,141 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ike_vendor.h"
+
+#include <daemon.h>
+#include <encoding/payloads/vendor_id_payload.h>
+
+typedef struct private_ike_vendor_t private_ike_vendor_t;
+
+/**
+ * Private data of an ike_vendor_t object.
+ */
+struct private_ike_vendor_t {
+
+ /**
+ * Public ike_vendor_t interface.
+ */
+ ike_vendor_t public;
+
+ /**
+ * Associated IKE_SA
+ */
+ ike_sa_t *ike_sa;
+
+ /**
+ * Are we the inititator of this task
+ */
+ bool initiator;
+};
+
+/**
+ * strongSwan specific vendor ID without version, MD5("strongSwan")
+ */
+static chunk_t strongswan_vid = chunk_from_chars(
+ 0x88,0x2f,0xe5,0x6d,0x6f,0xd2,0x0d,0xbc,
+ 0x22,0x51,0x61,0x3b,0x2e,0xbe,0x5b,0xeb
+);
+
+METHOD(task_t, build, status_t,
+ private_ike_vendor_t *this, message_t *message)
+{
+ if (lib->settings->get_bool(lib->settings,
+ "%s.send_vendor_id", FALSE, charon->name))
+ {
+ vendor_id_payload_t *vid;
+
+ vid = vendor_id_payload_create_data(VENDOR_ID,
+ chunk_clone(strongswan_vid));
+ message->add_payload(message, &vid->payload_interface);
+ }
+
+ return this->initiator ? NEED_MORE : SUCCESS;
+}
+
+METHOD(task_t, process, status_t,
+ private_ike_vendor_t *this, message_t *message)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == VENDOR_ID)
+ {
+ vendor_id_payload_t *vid;
+ chunk_t data;
+
+ vid = (vendor_id_payload_t*)payload;
+ data = vid->get_data(vid);
+
+ if (chunk_equals(data, strongswan_vid))
+ {
+ DBG1(DBG_IKE, "received strongSwan vendor ID");
+ this->ike_sa->enable_extension(this->ike_sa, EXT_STRONGSWAN);
+ }
+ else
+ {
+ DBG1(DBG_ENC, "received unknown vendor ID: %#B", &data);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return this->initiator ? SUCCESS : NEED_MORE;
+}
+
+METHOD(task_t, migrate, void,
+ private_ike_vendor_t *this, ike_sa_t *ike_sa)
+{
+ this->ike_sa = ike_sa;
+}
+
+METHOD(task_t, get_type, task_type_t,
+ private_ike_vendor_t *this)
+{
+ return TASK_IKE_VENDOR;
+}
+
+METHOD(task_t, destroy, void,
+ private_ike_vendor_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator)
+{
+ private_ike_vendor_t *this;
+
+ INIT(this,
+ .public = {
+ .task = {
+ .build = _build,
+ .process = _process,
+ .migrate = _migrate,
+ .get_type = _get_type,
+ .destroy = _destroy,
+ },
+ },
+ .initiator = initiator,
+ .ike_sa = ike_sa,
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/sa/ikev2/tasks/ike_vendor.h b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
new file mode 100644
index 000000000..86c711636
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_vendor.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ike_vendor ike_vendor
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_VENDOR_H_
+#define IKE_VENDOR_H_
+
+typedef struct ike_vendor_t ike_vendor_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Vendor ID processing task.
+ */
+struct ike_vendor_t {
+
+ /**
+ * Implements task interface.
+ */
+ task_t task;
+};
+
+/**
+ * Create a ike_vendor instance.
+ *
+ * @param ike_sa IKE_SA this task works for
+ * @param initiator TRUE if task is the original initiator
+ */
+ike_vendor_t *ike_vendor_create(ike_sa_t *ike_sa, bool initiator);
+
+#endif /** IKE_VENDOR_H_ @}*/