6a39489b6a719ef002ad74715a25d5381523502e
[strongswan.git] / src / libcharon / network / receiver.c
1 /*
2 * Copyright (C) 2008-2012 Tobias Brunner
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <stdlib.h>
19 #include <unistd.h>
20
21 #include "receiver.h"
22
23 #include <daemon.h>
24 #include <network/socket.h>
25 #include <network/packet.h>
26 #include <processing/jobs/job.h>
27 #include <processing/jobs/process_message_job.h>
28 #include <processing/jobs/callback_job.h>
29 #include <crypto/hashers/hasher.h>
30
31 /** lifetime of a cookie, in seconds */
32 #define COOKIE_LIFETIME 10
33 /** time we wait before disabling cookies */
34 #define COOKIE_CALMDOWN_DELAY 10
35 /** how many times to reuse the secret */
36 #define COOKIE_REUSE 10000
37 /** default value for private_receiver_t.cookie_threshold */
38 #define COOKIE_THRESHOLD_DEFAULT 10
39 /** default value for private_receiver_t.block_threshold */
40 #define BLOCK_THRESHOLD_DEFAULT 5
41 /** length of the secret to use for cookie calculation */
42 #define SECRET_LENGTH 16
43 /** Length of a notify payload header */
44 #define NOTIFY_PAYLOAD_HEADER_LENGTH 8
45
46 typedef struct private_receiver_t private_receiver_t;
47
48 /**
49 * Private data of a receiver_t object.
50 */
51 struct private_receiver_t {
52 /**
53 * Public part of a receiver_t object.
54 */
55 receiver_t public;
56
57 /**
58 * current secret to use for cookie calculation
59 */
60 char secret[SECRET_LENGTH];
61
62 /**
63 * previous secret used to verify older cookies
64 */
65 char secret_old[SECRET_LENGTH];
66
67 /**
68 * how many times we have used "secret" so far
69 */
70 u_int32_t secret_used;
71
72 /**
73 * time we did the cookie switch
74 */
75 u_int32_t secret_switch;
76
77 /**
78 * time offset to use, hides our system time
79 */
80 u_int32_t secret_offset;
81
82 /**
83 * the RNG to use for secret generation
84 */
85 rng_t *rng;
86
87 /**
88 * hasher to use for cookie calculation
89 */
90 hasher_t *hasher;
91
92 /**
93 * require cookies after this many half open IKE_SAs
94 */
95 u_int32_t cookie_threshold;
96
97 /**
98 * timestamp of last cookie requested
99 */
100 time_t last_cookie;
101
102 /**
103 * how many half open IKE_SAs per peer before blocking
104 */
105 u_int32_t block_threshold;
106
107 /**
108 * Drop IKE_SA_INIT requests if processor job load exceeds this limit
109 */
110 u_int init_limit_job_load;
111
112 /**
113 * Drop IKE_SA_INIT requests if half open IKE_SA count exceeds this limit
114 */
115 u_int init_limit_half_open;
116
117 /**
118 * Delay for receiving incoming packets, to simulate larger RTT
119 */
120 int receive_delay;
121
122 /**
123 * Specific message type to delay, 0 for any
124 */
125 int receive_delay_type;
126
127 /**
128 * Delay request messages?
129 */
130 bool receive_delay_request;
131
132 /**
133 * Delay response messages?
134 */
135 bool receive_delay_response;
136 };
137
138 /**
139 * send a notify back to the sender
140 */
141 static void send_notify(message_t *request, int major, exchange_type_t exchange,
142 notify_type_t type, chunk_t data)
143 {
144 ike_sa_id_t *ike_sa_id;
145 message_t *response;
146 host_t *src, *dst;
147 packet_t *packet;
148
149 response = message_create(major, 0);
150 response->set_exchange_type(response, exchange);
151 response->add_notify(response, FALSE, type, data);
152 dst = request->get_source(request);
153 src = request->get_destination(request);
154 response->set_source(response, src->clone(src));
155 response->set_destination(response, dst->clone(dst));
156 if (major == IKEV2_MAJOR_VERSION)
157 {
158 response->set_request(response, FALSE);
159 }
160 response->set_message_id(response, 0);
161 ike_sa_id = request->get_ike_sa_id(request);
162 ike_sa_id->switch_initiator(ike_sa_id);
163 response->set_ike_sa_id(response, ike_sa_id);
164 if (response->generate(response, NULL, &packet) == SUCCESS)
165 {
166 charon->sender->send(charon->sender, packet);
167 }
168 response->destroy(response);
169 }
170
171 /**
172 * build a cookie
173 */
174 static bool cookie_build(private_receiver_t *this, message_t *message,
175 u_int32_t t, chunk_t secret, chunk_t *cookie)
176 {
177 u_int64_t spi = message->get_initiator_spi(message);
178 host_t *ip = message->get_source(message);
179 chunk_t input, hash;
180
181 /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
182 input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
183 chunk_from_thing(t), secret);
184 hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
185 if (!this->hasher->get_hash(this->hasher, input, hash.ptr))
186 {
187 return FALSE;
188 }
189 *cookie = chunk_cat("cc", chunk_from_thing(t), hash);
190 return TRUE;
191 }
192
193 /**
194 * verify a received cookie
195 */
196 static bool cookie_verify(private_receiver_t *this, message_t *message,
197 chunk_t cookie)
198 {
199 u_int32_t t, now;
200 chunk_t reference;
201 chunk_t secret;
202
203 now = time_monotonic(NULL);
204 t = *(u_int32_t*)cookie.ptr;
205
206 if (cookie.len != sizeof(u_int32_t) +
207 this->hasher->get_hash_size(this->hasher) ||
208 t < now - this->secret_offset - COOKIE_LIFETIME)
209 {
210 DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
211 return FALSE;
212 }
213
214 /* check if cookie is derived from old_secret */
215 if (t + this->secret_offset > this->secret_switch)
216 {
217 secret = chunk_from_thing(this->secret);
218 }
219 else
220 {
221 secret = chunk_from_thing(this->secret_old);
222 }
223
224 /* compare own calculation against received */
225 if (!cookie_build(this, message, t, secret, &reference))
226 {
227 return FALSE;
228 }
229 if (chunk_equals(reference, cookie))
230 {
231 chunk_free(&reference);
232 return TRUE;
233 }
234 chunk_free(&reference);
235 return FALSE;
236 }
237
238 /**
239 * Check if a valid cookie found
240 */
241 static bool check_cookie(private_receiver_t *this, message_t *message)
242 {
243 packet_t *packet;
244 chunk_t data;
245
246 /* check for a cookie. We don't use our parser here and do it
247 * quick and dirty for performance reasons.
248 * we assume the cookie is the first payload (which is a MUST), and
249 * the cookie's SPI length is zero. */
250 packet = message->get_packet(message);
251 data = packet->get_data(packet);
252 if (data.len <
253 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
254 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
255 *(data.ptr + 16) != NOTIFY ||
256 *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
257 {
258 /* no cookie found */
259 packet->destroy(packet);
260 return FALSE;
261 }
262 data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
263 data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
264 if (!cookie_verify(this, message, data))
265 {
266 DBG2(DBG_NET, "found cookie, but content invalid");
267 packet->destroy(packet);
268 return FALSE;
269 }
270 return TRUE;
271 }
272
273 /**
274 * Check if we currently require cookies
275 */
276 static bool cookie_required(private_receiver_t *this,
277 u_int half_open, u_int32_t now)
278 {
279 if (this->cookie_threshold && half_open >= this->cookie_threshold)
280 {
281 this->last_cookie = now;
282 return TRUE;
283 }
284 if (now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
285 {
286 /* We don't disable cookies unless we haven't seen IKE_SA_INITs
287 * for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
288 * cookie on / cookie off states, which is problematic. Consider the
289 * following: A legitimiate initiator sends a IKE_SA_INIT while we
290 * are under a DoS attack. If we toggle our cookie behavior,
291 * multiple retransmits of this IKE_SA_INIT might get answered with
292 * and without cookies. The initiator goes on and retries with
293 * a cookie, but it can't know if the completing IKE_SA_INIT response
294 * is to its IKE_SA_INIT request with or without cookies. This is
295 * problematic, as the cookie is part of AUTH payload data.
296 */
297 this->last_cookie = now;
298 return TRUE;
299 }
300 return FALSE;
301 }
302
303 /**
304 * Check if we should drop IKE_SA_INIT because of cookie/overload checking
305 */
306 static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
307 {
308 u_int half_open;
309 u_int32_t now;
310
311 now = time_monotonic(NULL);
312 half_open = charon->ike_sa_manager->get_half_open_count(
313 charon->ike_sa_manager, NULL);
314
315 /* check for cookies in IKEv2 */
316 if (message->get_major_version(message) == IKEV2_MAJOR_VERSION &&
317 cookie_required(this, half_open, now) && !check_cookie(this, message))
318 {
319 chunk_t cookie;
320
321 DBG2(DBG_NET, "received packet from: %#H to %#H",
322 message->get_source(message),
323 message->get_destination(message));
324 if (!cookie_build(this, message, now - this->secret_offset,
325 chunk_from_thing(this->secret), &cookie))
326 {
327 return TRUE;
328 }
329 DBG2(DBG_NET, "sending COOKIE notify to %H",
330 message->get_source(message));
331 send_notify(message, IKEV2_MAJOR_VERSION, IKE_SA_INIT, COOKIE, cookie);
332 chunk_free(&cookie);
333 if (++this->secret_used > COOKIE_REUSE)
334 {
335 char secret[SECRET_LENGTH];
336
337 DBG1(DBG_NET, "generating new cookie secret after %d uses",
338 this->secret_used);
339 if (this->rng->get_bytes(this->rng, SECRET_LENGTH, secret))
340 {
341 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
342 memcpy(this->secret, secret, SECRET_LENGTH);
343 memwipe(secret, SECRET_LENGTH);
344 this->secret_switch = now;
345 this->secret_used = 0;
346 }
347 else
348 {
349 DBG1(DBG_NET, "failed to allocated cookie secret, keeping old");
350 }
351 }
352 return TRUE;
353 }
354
355 /* check if peer has too many IKE_SAs half open */
356 if (this->block_threshold &&
357 charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
358 message->get_source(message)) >= this->block_threshold)
359 {
360 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
361 "peer too aggressive", message->get_source(message));
362 return TRUE;
363 }
364
365 /* check if global half open IKE_SA limit reached */
366 if (this->init_limit_half_open &&
367 half_open >= this->init_limit_half_open)
368 {
369 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, half open IKE_SA "
370 "count of %d exceeds limit of %d", message->get_source(message),
371 half_open, this->init_limit_half_open);
372 return TRUE;
373 }
374
375 /* check if job load acceptable */
376 if (this->init_limit_job_load)
377 {
378 u_int jobs = 0, i;
379
380 for (i = 0; i < JOB_PRIO_MAX; i++)
381 {
382 jobs += lib->processor->get_job_load(lib->processor, i);
383 }
384 if (jobs > this->init_limit_job_load)
385 {
386 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, job load of %d "
387 "exceeds limit of %d", message->get_source(message),
388 jobs, this->init_limit_job_load);
389 return TRUE;
390 }
391 }
392 return FALSE;
393 }
394
395 /**
396 * Job callback to receive packets
397 */
398 static job_requeue_t receive_packets(private_receiver_t *this)
399 {
400 ike_sa_id_t *id;
401 packet_t *packet;
402 message_t *message;
403 host_t *src, *dst;
404 status_t status;
405 bool supported = TRUE;
406
407 /* read in a packet */
408 status = charon->socket->receive(charon->socket, &packet);
409 if (status == NOT_SUPPORTED)
410 {
411 return JOB_REQUEUE_NONE;
412 }
413 else if (status != SUCCESS)
414 {
415 DBG2(DBG_NET, "receiving from socket failed!");
416 return JOB_REQUEUE_FAIR;
417 }
418
419 /* if neither source nor destination port is 500 we assume an IKE packet
420 * with Non-ESP marker or an ESP packet */
421 dst = packet->get_destination(packet);
422 src = packet->get_source(packet);
423 if (dst->get_port(dst) != IKEV2_UDP_PORT &&
424 src->get_port(src) != IKEV2_UDP_PORT)
425 {
426 chunk_t marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00), data;
427
428 data = packet->get_data(packet);
429 if (memeq(data.ptr, marker.ptr, marker.len))
430 { /* remove Non-ESP marker */
431 data = chunk_skip(data, marker.len);
432 packet->set_data(packet, chunk_clone(data));
433 }
434 else
435 { /* this seems to be an ESP packet */
436 packet->destroy(packet);
437 return JOB_REQUEUE_DIRECT;
438 }
439 }
440
441 /* parse message header */
442 message = message_create_from_packet(packet);
443 if (message->parse_header(message) != SUCCESS)
444 {
445 DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
446 packet->get_source(packet));
447 message->destroy(message);
448 return JOB_REQUEUE_DIRECT;
449 }
450
451 /* check IKE major version */
452 switch (message->get_major_version(message))
453 {
454 case IKEV2_MAJOR_VERSION:
455 #ifndef USE_IKEV2
456 if (message->get_exchange_type(message) == IKE_SA_INIT &&
457 message->get_request(message))
458 {
459 send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
460 INVALID_MAJOR_VERSION, chunk_empty);
461 supported = FALSE;
462 }
463 #endif /* USE_IKEV2 */
464 break;
465 case IKEV1_MAJOR_VERSION:
466 #ifndef USE_IKEV1
467 if (message->get_exchange_type(message) == ID_PROT ||
468 message->get_exchange_type(message) == AGGRESSIVE)
469 {
470 send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
471 INVALID_MAJOR_VERSION, chunk_empty);
472 supported = FALSE;
473 }
474 #endif /* USE_IKEV1 */
475 break;
476 default:
477 #ifdef USE_IKEV2
478 send_notify(message, IKEV2_MAJOR_VERSION, INFORMATIONAL,
479 INVALID_MAJOR_VERSION, chunk_empty);
480 #endif /* USE_IKEV2 */
481 #ifdef USE_IKEV1
482 send_notify(message, IKEV1_MAJOR_VERSION, INFORMATIONAL_V1,
483 INVALID_MAJOR_VERSION, chunk_empty);
484 #endif /* USE_IKEV1 */
485 supported = FALSE;
486 break;
487 }
488 if (!supported)
489 {
490 DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, sending "
491 "INVALID_MAJOR_VERSION", message->get_major_version(message),
492 message->get_minor_version(message), packet->get_source(packet));
493 message->destroy(message);
494 return JOB_REQUEUE_DIRECT;
495 }
496 if (message->get_request(message) &&
497 message->get_exchange_type(message) == IKE_SA_INIT)
498 {
499 if (drop_ike_sa_init(this, message))
500 {
501 message->destroy(message);
502 return JOB_REQUEUE_DIRECT;
503 }
504 }
505 if (message->get_exchange_type(message) == ID_PROT ||
506 message->get_exchange_type(message) == AGGRESSIVE)
507 {
508 id = message->get_ike_sa_id(message);
509 if (id->get_responder_spi(id) == 0 &&
510 drop_ike_sa_init(this, message))
511 {
512 message->destroy(message);
513 return JOB_REQUEUE_DIRECT;
514 }
515 }
516
517 if (this->receive_delay)
518 {
519 if (this->receive_delay_type == 0 ||
520 this->receive_delay_type == message->get_exchange_type(message))
521 {
522 if ((message->get_request(message) && this->receive_delay_request) ||
523 (!message->get_request(message) && this->receive_delay_response))
524 {
525 DBG1(DBG_NET, "using receive delay: %dms",
526 this->receive_delay);
527 lib->scheduler->schedule_job_ms(lib->scheduler,
528 (job_t*)process_message_job_create(message),
529 this->receive_delay);
530 return JOB_REQUEUE_DIRECT;
531 }
532 }
533 }
534 lib->processor->queue_job(lib->processor,
535 (job_t*)process_message_job_create(message));
536 return JOB_REQUEUE_DIRECT;
537 }
538
539 METHOD(receiver_t, destroy, void,
540 private_receiver_t *this)
541 {
542 this->rng->destroy(this->rng);
543 this->hasher->destroy(this->hasher);
544 free(this);
545 }
546
547 /*
548 * Described in header.
549 */
550 receiver_t *receiver_create()
551 {
552 private_receiver_t *this;
553 u_int32_t now = time_monotonic(NULL);
554
555 INIT(this,
556 .public = {
557 .destroy = _destroy,
558 },
559 .secret_switch = now,
560 .secret_offset = random() % now,
561 );
562
563 if (lib->settings->get_bool(lib->settings,
564 "%s.dos_protection", TRUE, charon->name))
565 {
566 this->cookie_threshold = lib->settings->get_int(lib->settings,
567 "%s.cookie_threshold", COOKIE_THRESHOLD_DEFAULT, charon->name);
568 this->block_threshold = lib->settings->get_int(lib->settings,
569 "%s.block_threshold", BLOCK_THRESHOLD_DEFAULT, charon->name);
570 }
571 this->init_limit_job_load = lib->settings->get_int(lib->settings,
572 "%s.init_limit_job_load", 0, charon->name);
573 this->init_limit_half_open = lib->settings->get_int(lib->settings,
574 "%s.init_limit_half_open", 0, charon->name);
575 this->receive_delay = lib->settings->get_int(lib->settings,
576 "%s.receive_delay", 0, charon->name);
577 this->receive_delay_type = lib->settings->get_int(lib->settings,
578 "%s.receive_delay_type", 0, charon->name),
579 this->receive_delay_request = lib->settings->get_bool(lib->settings,
580 "%s.receive_delay_request", TRUE, charon->name),
581 this->receive_delay_response = lib->settings->get_bool(lib->settings,
582 "%s.receive_delay_response", TRUE, charon->name),
583
584 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
585 if (!this->hasher)
586 {
587 DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
588 free(this);
589 return NULL;
590 }
591 this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
592 if (!this->rng)
593 {
594 DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
595 this->hasher->destroy(this->hasher);
596 free(this);
597 return NULL;
598 }
599 if (!this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret))
600 {
601 DBG1(DBG_NET, "creating cookie secret failed");
602 destroy(this);
603 return NULL;
604 }
605 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
606
607 lib->processor->queue_job(lib->processor,
608 (job_t*)callback_job_create_with_prio((callback_job_cb_t)receive_packets,
609 this, NULL, (callback_job_cancel_t)return_false, JOB_PRIO_CRITICAL));
610
611 return &this->public;
612 }
613