projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
fixed NAT detection with mobike
[strongswan.git] / src / charon / sa / tasks / ike_mobike.c
1 /**
2 * @file ike_mobike.c
3 *
4 * @brief Implementation of the ike_mobike task.
5 *
6 */
7
8 /*
9 * Copyright (C) 2007 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #include "ike_mobike.h"
24
25 #include <string.h>
26
27 #include <daemon.h>
28 #include <sa/tasks/ike_natd.h>
29 #include <encoding/payloads/notify_payload.h>
30
31
32 typedef struct private_ike_mobike_t private_ike_mobike_t;
33
34 /**
35 * Private members of a ike_mobike_t task.
36 */
37 struct private_ike_mobike_t {
38
39 /**
40 * Public methods and task_t interface.
41 */
42 ike_mobike_t public;
43
44 /**
45 * Assigned IKE_SA.
46 */
47 ike_sa_t *ike_sa;
48
49 /**
50 * Are we the initiator?
51 */
52 bool initiator;
53
54 /**
55 * cookie2 value to verify new addresses
56 */
57 chunk_t cookie2;
58
59 /**
60 * NAT discovery reusing the IKE_NATD task
61 */
62 ike_natd_t *natd;
63
64 /**
65 * use task to update addresses
66 */
67 bool update;
68
69 /**
70 * do routability check
71 */
72 bool check;
73
74 /**
75 * include address list update
76 */
77 bool address;
78 };
79
80 /**
81 * flush the IKE_SAs list of additional addresses
82 */
83 static void flush_additional_addresses(private_ike_mobike_t *this)
84 {
85 iterator_t *iterator;
86 host_t *host;
87
88 iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
89 while (iterator->iterate(iterator, (void**)&host))
90 {
91 iterator->remove(iterator);
92 host->destroy(host);
93 }
94 iterator->destroy(iterator);
95 }
96
97
98 /**
99 * read notifys from message and evaluate them
100 */
101 static void process_payloads(private_ike_mobike_t *this, message_t *message)
102 {
103 iterator_t *iterator;
104 payload_t *payload;
105 bool first = TRUE;
106
107 iterator = message->get_payload_iterator(message);
108 while (iterator->iterate(iterator, (void**)&payload))
109 {
110 int family = AF_INET;
111 notify_payload_t *notify;
112 chunk_t data;
113 host_t *host;
114
115 if (payload->get_type(payload) != NOTIFY)
116 {
117 continue;
118 }
119 notify = (notify_payload_t*)payload;
120 switch (notify->get_notify_type(notify))
121 {
122 case MOBIKE_SUPPORTED:
123 {
124 DBG1(DBG_IKE, "peer supports MOBIKE");
125 this->ike_sa->enable_extension(this->ike_sa, EXT_MOBIKE);
126 break;
127 }
128 case ADDITIONAL_IP6_ADDRESS:
129 {
130 family = AF_INET6;
131 /* fall through */
132 }
133 case ADDITIONAL_IP4_ADDRESS:
134 {
135 if (first)
136 { /* an ADDITIONAL_*_ADDRESS means replace, so flush once */
137 flush_additional_addresses(this);
138 first = FALSE;
139 }
140 data = notify->get_notification_data(notify);
141 host = host_create_from_chunk(family, data, 0);
142 DBG2(DBG_IKE, "got additional MOBIKE peer address: %H", host);
143 this->ike_sa->add_additional_address(this->ike_sa, host);
144 break;
145 }
146 case UPDATE_SA_ADDRESSES:
147 {
148 this->update = TRUE;
149 break;
150 }
151 case NO_ADDITIONAL_ADDRESSES:
152 {
153 flush_additional_addresses(this);
154 break;
155 }
156 case NAT_DETECTION_SOURCE_IP:
157 case NAT_DETECTION_DESTINATION_IP:
158 {
159 /* NAT check in this MOBIKE exchange, create subtask for it */
160 if (this->natd == NULL)
161 {
162 this->natd = ike_natd_create(this->ike_sa, this->initiator);
163 }
164 break;
165 }
166 default:
167 break;
168 }
169 }
170 iterator->destroy(iterator);
171 }
172
173 /**
174 * Add ADDITIONAL_*_ADDRESS notifys depending on our address list
175 */
176 static void build_address_list(private_ike_mobike_t *this, message_t *message)
177 {
178 iterator_t *iterator;
179 host_t *host, *me;
180 notify_type_t type;
181 bool additional = FALSE;
182
183 me = this->ike_sa->get_my_host(this->ike_sa);
184 iterator = charon->kernel_interface->create_address_iterator(
185 charon->kernel_interface);
186 while (iterator->iterate(iterator, (void**)&host))
187 {
188 if (me->ip_equals(me, host))
189 { /* "ADDITIONAL" means do not include IKE_SAs host */
190 continue;
191 }
192 switch (host->get_family(host))
193 {
194 case AF_INET:
195 type = ADDITIONAL_IP4_ADDRESS;
196 break;
197 case AF_INET6:
198 type = ADDITIONAL_IP6_ADDRESS;
199 break;
200 default:
201 continue;
202 }
203 message->add_notify(message, FALSE, type, host->get_address(host));
204 additional = TRUE;
205 }
206 if (!additional)
207 {
208 message->add_notify(message, FALSE, NO_ADDITIONAL_ADDRESSES, chunk_empty);
209 }
210 iterator->destroy(iterator);
211 }
212
213 /**
214 * update addresses of associated CHILD_SAs
215 */
216 static void update_children(private_ike_mobike_t *this)
217 {
218 iterator_t *iterator;
219 child_sa_t *child_sa;
220
221 iterator = this->ike_sa->create_child_sa_iterator(this->ike_sa);
222 while (iterator->iterate(iterator, (void**)&child_sa))
223 {
224 child_sa->update_hosts(child_sa,
225 this->ike_sa->get_my_host(this->ike_sa),
226 this->ike_sa->get_other_host(this->ike_sa),
227 this->ike_sa->has_condition(this->ike_sa, COND_NAT_ANY));
228 }
229 iterator->destroy(iterator);
230 }
231
232 /**
233 * Implementation of ike_mobike_t.transmit
234 */
235 static void transmit(private_ike_mobike_t *this, packet_t *packet)
236 {
237 host_t *me, *other, *me_old, *other_old;
238 iterator_t *iterator;
239 packet_t *copy;
240
241 if (!this->check)
242 {
243 return;
244 }
245
246 me_old = this->ike_sa->get_my_host(this->ike_sa);
247 other_old = this->ike_sa->get_other_host(this->ike_sa);
248
249 me = charon->kernel_interface->get_source_addr(
250 charon->kernel_interface, other_old);
251 if (me)
252 {
253 me->set_port(me, me->ip_equals(me, me_old) ?
254 me_old->get_port(me_old) : IKEV2_NATT_PORT);
255 packet->set_source(packet, me);
256 }
257
258 iterator = this->ike_sa->create_additional_address_iterator(this->ike_sa);
259 while (iterator->iterate(iterator, (void**)&other))
260 {
261 me = charon->kernel_interface->get_source_addr(
262 charon->kernel_interface, other);
263 if (me)
264 {
265 /* reuse port for an active address, 4500 otherwise */
266 me->set_port(me, me->ip_equals(me, me_old) ?
267 me_old->get_port(me_old) : IKEV2_NATT_PORT);
268 other = other->clone(other);
269 other->set_port(other, other->ip_equals(other, other_old) ?
270 other_old->get_port(other_old) : IKEV2_NATT_PORT);
271 copy = packet->clone(packet);
272 copy->set_source(copy, me);
273 copy->set_destination(copy, other);
274 charon->sender->send(charon->sender, copy);
275 }
276 }
277 iterator->destroy(iterator);
278 }
279
280 /**
281 * Implementation of task_t.process for initiator
282 */
283 static status_t build_i(private_ike_mobike_t *this, message_t *message)
284 {
285 if (message->get_exchange_type(message) == IKE_AUTH &&
286 message->get_payload(message, SECURITY_ASSOCIATION))
287 {
288 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
289 build_address_list(this, message);
290 }
291 else if (message->get_exchange_type(message) == INFORMATIONAL)
292 {
293 if (this->update)
294 {
295 message->add_notify(message, FALSE, UPDATE_SA_ADDRESSES, chunk_empty);
296 update_children(this);
297 }
298 if (this->address)
299 {
300 build_address_list(this, message);
301 }
302 if (this->natd)
303 {
304 this->natd->task.build(&this->natd->task, message);
305 }
306 }
307 return NEED_MORE;
308 }
309
310 /**
311 * Implementation of task_t.process for responder
312 */
313 static status_t process_r(private_ike_mobike_t *this, message_t *message)
314 {
315 if (message->get_exchange_type(message) == IKE_AUTH &&
316 message->get_payload(message, SECURITY_ASSOCIATION))
317 {
318 process_payloads(this, message);
319 }
320 else if (message->get_exchange_type(message) == INFORMATIONAL)
321 {
322 process_payloads(this, message);
323 if (this->update)
324 {
325 host_t *me, *other;
326
327 me = message->get_destination(message);
328 other = message->get_source(message);
329 this->ike_sa->set_my_host(this->ike_sa, me->clone(me));
330 this->ike_sa->set_other_host(this->ike_sa, other->clone(other));
331 }
332
333 if (this->natd)
334 {
335 this->natd->task.process(&this->natd->task, message);
336 }
337 }
338 return NEED_MORE;
339 }
340
341 /**
342 * Implementation of task_t.build for responder
343 */
344 static status_t build_r(private_ike_mobike_t *this, message_t *message)
345 {
346 if (message->get_exchange_type(message) == IKE_AUTH &&
347 message->get_payload(message, SECURITY_ASSOCIATION))
348 {
349 if (this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE))
350 {
351 message->add_notify(message, FALSE, MOBIKE_SUPPORTED, chunk_empty);
352 build_address_list(this, message);
353 }
354 return SUCCESS;
355 }
356 else if (message->get_exchange_type(message) == INFORMATIONAL)
357 {
358 if (this->natd)
359 {
360 this->natd->task.build(&this->natd->task, message);
361 }
362 if (this->update)
363 {
364 update_children(this);
365 }
366 return SUCCESS;
367 }
368 return NEED_MORE;
369 }
370
371 /**
372 * Implementation of task_t.process for initiator
373 */
374 static status_t process_i(private_ike_mobike_t *this, message_t *message)
375 {
376 if (message->get_exchange_type(message) == IKE_AUTH &&
377 message->get_payload(message, SECURITY_ASSOCIATION))
378 {
379 process_payloads(this, message);
380 return SUCCESS;
381 }
382 else if (message->get_exchange_type(message) == INFORMATIONAL)
383 {
384 u_int32_t updates = this->ike_sa->get_pending_updates(this->ike_sa) - 1;
385 this->ike_sa->set_pending_updates(this->ike_sa, updates);
386 if (updates > 0)
387 {
388 /* newer update queued, ignore this one */
389 return SUCCESS;
390 }
391 process_payloads(this, message);
392 if (this->natd)
393 {
394 this->natd->task.process(&this->natd->task, message);
395 }
396 if (this->update)
397 {
398 /* update again, as NAT state may have changed */
399 update_children(this);
400 }
401 if (this->check)
402 {
403 host_t *me_new, *me_old, *other_new, *other_old;
404
405 me_new = message->get_destination(message);
406 other_new = message->get_source(message);
407 me_old = this->ike_sa->get_my_host(this->ike_sa);
408 other_old = this->ike_sa->get_other_host(this->ike_sa);
409
410 if (!me_new->equals(me_new, me_old))
411 {
412 this->update = TRUE;
413 this->ike_sa->set_my_host(this->ike_sa, me_new->clone(me_new));
414 }
415 if (!other_new->equals(other_new, other_old))
416 {
417 this->update = TRUE;
418 this->ike_sa->set_other_host(this->ike_sa, other_new->clone(other_new));
419 }
420 if (this->update)
421 {
422 /* start the update with the same task */
423 this->check = FALSE;
424 this->address = FALSE;
425 this->natd = ike_natd_create(this->ike_sa, this->initiator);
426 this->ike_sa->set_pending_updates(this->ike_sa, 1);
427 return NEED_MORE;
428 }
429 }
430 return SUCCESS;
431 }
432 return NEED_MORE;
433 }
434
435 /**
436 * Implementation of ike_mobike_t.roam.
437 */
438 static void roam(private_ike_mobike_t *this, bool address)
439 {
440 this->check = TRUE;
441 this->address = address;
442 this->ike_sa->set_pending_updates(this->ike_sa,
443 this->ike_sa->get_pending_updates(this->ike_sa) + 1);
444 }
445
446 /**
447 * Implementation of task_t.get_type
448 */
449 static task_type_t get_type(private_ike_mobike_t *this)
450 {
451 return IKE_MOBIKE;
452 }
453
454 /**
455 * Implementation of task_t.migrate
456 */
457 static void migrate(private_ike_mobike_t *this, ike_sa_t *ike_sa)
458 {
459 chunk_free(&this->cookie2);
460 this->ike_sa = ike_sa;
461 if (this->natd)
462 {
463 this->natd->task.migrate(&this->natd->task, ike_sa);
464 }
465 }
466
467 /**
468 * Implementation of task_t.destroy
469 */
470 static void destroy(private_ike_mobike_t *this)
471 {
472 chunk_free(&this->cookie2);
473 if (this->natd)
474 {
475 this->natd->task.destroy(&this->natd->task);
476 }
477 free(this);
478 }
479
480 /*
481 * Described in header.
482 */
483 ike_mobike_t *ike_mobike_create(ike_sa_t *ike_sa, bool initiator)
484 {
485 private_ike_mobike_t *this = malloc_thing(private_ike_mobike_t);
486
487 this->public.roam = (void(*)(ike_mobike_t*,bool))roam;
488 this->public.transmit = (void(*)(ike_mobike_t*,packet_t*))transmit;
489 this->public.task.get_type = (task_type_t(*)(task_t*))get_type;
490 this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate;
491 this->public.task.destroy = (void(*)(task_t*))destroy;
492
493 if (initiator)
494 {
495 this->public.task.build = (status_t(*)(task_t*,message_t*))build_i;
496 this->public.task.process = (status_t(*)(task_t*,message_t*))process_i;
497 }
498 else
499 {
500 this->public.task.build = (status_t(*)(task_t*,message_t*))build_r;
501 this->public.task.process = (status_t(*)(task_t*,message_t*))process_r;
502 }
503
504 this->ike_sa = ike_sa;
505 this->initiator = initiator;
506 this->update = FALSE;
507 this->check = FALSE;
508 this->address = TRUE;
509 this->cookie2 = chunk_empty;
510 this->natd = NULL;
511
512 return &this->public;
513 }
514
strongSwan - IPsec VPN