get rid of unused iterator hook functions
[strongswan.git] / src / charon / network / receiver.c
1 /*
2 * Copyright (C) 2005-2006 Martin Willi
3 * Copyright (C) 2005 Jan Hutter
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 #include <stdlib.h>
20 #include <unistd.h>
21 #include <pthread.h>
22
23 #include "receiver.h"
24
25 #include <daemon.h>
26 #include <network/socket.h>
27 #include <network/packet.h>
28 #include <processing/jobs/job.h>
29 #include <processing/jobs/process_message_job.h>
30 #include <processing/jobs/callback_job.h>
31 #include <crypto/hashers/hasher.h>
32
33 /** lifetime of a cookie, in seconds */
34 #define COOKIE_LIFETIME 10
35 /** how many times to reuse the secret */
36 #define COOKIE_REUSE 10000
37 /** require cookies after half open IKE_SAs */
38 #define COOKIE_TRESHOLD 10
39 /** how many half open IKE_SAs per peer before blocking */
40 #define BLOCK_TRESHOLD 5
41 /** length of the secret to use for cookie calculation */
42 #define SECRET_LENGTH 16
43
44 typedef struct private_receiver_t private_receiver_t;
45
46 /**
47 * Private data of a receiver_t object.
48 */
49 struct private_receiver_t {
50 /**
51 * Public part of a receiver_t object.
52 */
53 receiver_t public;
54
55 /**
56 * Threads job receiving packets
57 */
58 callback_job_t *job;
59
60 /**
61 * Assigned thread.
62 */
63 pthread_t assigned_thread;
64
65 /**
66 * current secret to use for cookie calculation
67 */
68 char secret[SECRET_LENGTH];
69
70 /**
71 * previous secret used to verify older cookies
72 */
73 char secret_old[SECRET_LENGTH];
74
75 /**
76 * how many times we have used "secret" so far
77 */
78 u_int32_t secret_used;
79
80 /**
81 * time we did the cookie switch
82 */
83 u_int32_t secret_switch;
84
85 /**
86 * time offset to use, hides our system time
87 */
88 u_int32_t secret_offset;
89
90 /**
91 * the RNG to use for secret generation
92 */
93 rng_t *rng;
94
95 /**
96 * hasher to use for cookie calculation
97 */
98 hasher_t *hasher;
99
100 /**
101 * use denial of service protection mechanisms (cookies)
102 */
103 bool dos_protection;
104 };
105
106 /**
107 * send a notify back to the sender
108 */
109 static void send_notify(message_t *request, notify_type_t type, chunk_t data)
110 {
111 if (request->get_request(request) &&
112 request->get_exchange_type(request) == IKE_SA_INIT)
113 {
114 message_t *response;
115 host_t *src, *dst;
116 packet_t *packet;
117 ike_sa_id_t *ike_sa_id;
118
119 response = message_create();
120 dst = request->get_source(request);
121 src = request->get_destination(request);
122 response->set_source(response, src->clone(src));
123 response->set_destination(response, dst->clone(dst));
124 response->set_exchange_type(response, request->get_exchange_type(request));
125 response->set_request(response, FALSE);
126 response->set_message_id(response, 0);
127 ike_sa_id = request->get_ike_sa_id(request);
128 ike_sa_id->switch_initiator(ike_sa_id);
129 response->set_ike_sa_id(response, ike_sa_id);
130 response->add_notify(response, FALSE, type, data);
131 if (response->generate(response, NULL, NULL, &packet) == SUCCESS)
132 {
133 charon->sender->send(charon->sender, packet);
134 response->destroy(response);
135 }
136 }
137 }
138
139 /**
140 * build a cookie
141 */
142 static chunk_t cookie_build(private_receiver_t *this, message_t *message,
143 u_int32_t t, chunk_t secret)
144 {
145 u_int64_t spi = message->get_initiator_spi(message);
146 host_t *ip = message->get_source(message);
147 chunk_t input, hash;
148
149 /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
150 input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
151 chunk_from_thing(t), secret);
152 hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
153 this->hasher->get_hash(this->hasher, input, hash.ptr);
154 return chunk_cat("cc", chunk_from_thing(t), hash);
155 }
156
157 /**
158 * verify a received cookie
159 */
160 static bool cookie_verify(private_receiver_t *this, message_t *message,
161 chunk_t cookie)
162 {
163 u_int32_t t, now;
164 chunk_t reference;
165 chunk_t secret;
166
167 now = time(NULL);
168 t = *(u_int32_t*)cookie.ptr;
169
170 if (cookie.len != sizeof(u_int32_t) +
171 this->hasher->get_hash_size(this->hasher) ||
172 t < now - this->secret_offset - COOKIE_LIFETIME)
173 {
174 DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
175 return FALSE;
176 }
177
178 /* check if cookie is derived from old_secret */
179 if (t + this->secret_offset > this->secret_switch)
180 {
181 secret = chunk_from_thing(this->secret);
182 }
183 else
184 {
185 secret = chunk_from_thing(this->secret_old);
186 }
187
188 /* compare own calculation against received */
189 reference = cookie_build(this, message, t, secret);
190 if (chunk_equals(reference, cookie))
191 {
192 chunk_free(&reference);
193 return TRUE;
194 }
195 chunk_free(&reference);
196 return FALSE;
197 }
198
199 /**
200 * check if cookies are required, and if so, a valid cookie is included
201 */
202 static bool cookie_required(private_receiver_t *this, message_t *message)
203 {
204 bool failed = FALSE;
205
206 if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
207 NULL) >= COOKIE_TRESHOLD)
208 {
209 /* check for a cookie. We don't use our parser here and do it
210 * quick and dirty for performance reasons.
211 * we assume to cookie is the first payload (which is a MUST), and
212 * the cookies SPI length is zero. */
213 packet_t *packet = message->get_packet(message);
214 chunk_t data = packet->get_data(packet);
215 if (data.len <
216 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
217 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
218 *(data.ptr + 16) != NOTIFY ||
219 *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
220 {
221 /* no cookie found */
222 failed = TRUE;
223 }
224 else
225 {
226 data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
227 data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
228 if (!cookie_verify(this, message, data))
229 {
230 DBG2(DBG_NET, "found cookie, but content invalid");
231 failed = TRUE;
232 }
233 }
234 packet->destroy(packet);
235 }
236 return failed;
237 }
238
239 /**
240 * check if peer has to many half open IKE_SAs
241 */
242 static bool peer_to_aggressive(private_receiver_t *this, message_t *message)
243 {
244 if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
245 message->get_source(message)) >= BLOCK_TRESHOLD)
246 {
247 return TRUE;
248 }
249 return FALSE;
250 }
251
252 /**
253 * Implementation of receiver_t.receive_packets.
254 */
255 static job_requeue_t receive_packets(private_receiver_t *this)
256 {
257 packet_t *packet;
258 message_t *message;
259 job_t *job;
260
261 /* read in a packet */
262 if (charon->socket->receive(charon->socket, &packet) != SUCCESS)
263 {
264 DBG2(DBG_NET, "receiving from socket failed!");
265 return JOB_REQUEUE_FAIR;
266 }
267
268 /* parse message header */
269 message = message_create_from_packet(packet);
270 if (message->parse_header(message) != SUCCESS)
271 {
272 DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
273 packet->get_source(packet));
274 message->destroy(message);
275 return JOB_REQUEUE_DIRECT;
276 }
277
278 /* check IKE major version */
279 if (message->get_major_version(message) != IKE_MAJOR_VERSION)
280 {
281 DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
282 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
283 message->get_minor_version(message), packet->get_source(packet));
284 send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
285 message->destroy(message);
286 return JOB_REQUEUE_DIRECT;
287 }
288
289 if (message->get_request(message) &&
290 message->get_exchange_type(message) == IKE_SA_INIT &&
291 this->dos_protection)
292 {
293 /* check for cookies */
294 if (cookie_required(this, message))
295 {
296 u_int32_t now = time(NULL);
297 chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
298 chunk_from_thing(this->secret));
299
300 DBG2(DBG_NET, "received packet from: %#H to %#H",
301 message->get_source(message),
302 message->get_destination(message));
303 DBG2(DBG_NET, "sending COOKIE notify to %H",
304 message->get_source(message));
305 send_notify(message, COOKIE, cookie);
306 chunk_free(&cookie);
307 if (++this->secret_used > COOKIE_REUSE)
308 {
309 /* create new cookie */
310 DBG1(DBG_NET, "generating new cookie secret after %d uses",
311 this->secret_used);
312 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
313 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
314 this->secret_switch = now;
315 this->secret_used = 0;
316 }
317 message->destroy(message);
318 return JOB_REQUEUE_DIRECT;
319 }
320
321 /* check if peer has not too many IKE_SAs half open */
322 if (peer_to_aggressive(this, message))
323 {
324 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
325 "peer too aggressive", message->get_source(message));
326 message->destroy(message);
327 return JOB_REQUEUE_DIRECT;
328 }
329 }
330 job = (job_t*)process_message_job_create(message);
331 charon->processor->queue_job(charon->processor, job);
332 return JOB_REQUEUE_DIRECT;
333 }
334
335 /**
336 * Implementation of receiver_t.destroy.
337 */
338 static void destroy(private_receiver_t *this)
339 {
340 this->job->cancel(this->job);
341 this->rng->destroy(this->rng);
342 this->hasher->destroy(this->hasher);
343 free(this);
344 }
345
346 /*
347 * Described in header.
348 */
349 receiver_t *receiver_create()
350 {
351 private_receiver_t *this = malloc_thing(private_receiver_t);
352 u_int32_t now = time(NULL);
353
354 this->public.destroy = (void(*)(receiver_t*)) destroy;
355
356 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
357 if (this->hasher == NULL)
358 {
359 DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
360 free(this);
361 return NULL;
362 }
363 this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
364 if (this->rng == NULL)
365 {
366 DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
367 this->hasher->destroy(this->hasher);
368 free(this);
369 return NULL;
370 }
371 this->secret_switch = now;
372 this->secret_offset = random() % now;
373 this->secret_used = 0;
374 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
375 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
376 this->dos_protection = lib->settings->get_bool(lib->settings,
377 "charon.dos_protection", TRUE);
378
379 this->job = callback_job_create((callback_job_cb_t)receive_packets,
380 this, NULL, NULL);
381 charon->processor->queue_job(charon->processor, (job_t*)this->job);
382
383 return &this->public;
384 }
385