projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Added a job_threshold option to drop IKE_SA_INITs if a certain job load reached
[strongswan.git] / src / libcharon / network / receiver.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <stdlib.h>
19 #include <unistd.h>
20
21 #include "receiver.h"
22
23 #include <daemon.h>
24 #include <network/socket.h>
25 #include <network/packet.h>
26 #include <processing/jobs/job.h>
27 #include <processing/jobs/process_message_job.h>
28 #include <processing/jobs/callback_job.h>
29 #include <crypto/hashers/hasher.h>
30
31 /** lifetime of a cookie, in seconds */
32 #define COOKIE_LIFETIME 10
33 /** how many times to reuse the secret */
34 #define COOKIE_REUSE 10000
35 /** default value for private_receiver_t.cookie_threshold */
36 #define COOKIE_THRESHOLD_DEFAULT 10
37 /** default value for private_receiver_t.block_threshold */
38 #define BLOCK_THRESHOLD_DEFAULT 5
39 /** default value for private_receiver_t.job_threshold */
40 #define JOB_THRESHOLD_DEFAULT 0
41 /** length of the secret to use for cookie calculation */
42 #define SECRET_LENGTH 16
43
44 typedef struct private_receiver_t private_receiver_t;
45
46 /**
47 * Private data of a receiver_t object.
48 */
49 struct private_receiver_t {
50 /**
51 * Public part of a receiver_t object.
52 */
53 receiver_t public;
54
55 /**
56 * Threads job receiving packets
57 */
58 callback_job_t *job;
59
60 /**
61 * current secret to use for cookie calculation
62 */
63 char secret[SECRET_LENGTH];
64
65 /**
66 * previous secret used to verify older cookies
67 */
68 char secret_old[SECRET_LENGTH];
69
70 /**
71 * how many times we have used "secret" so far
72 */
73 u_int32_t secret_used;
74
75 /**
76 * time we did the cookie switch
77 */
78 u_int32_t secret_switch;
79
80 /**
81 * time offset to use, hides our system time
82 */
83 u_int32_t secret_offset;
84
85 /**
86 * the RNG to use for secret generation
87 */
88 rng_t *rng;
89
90 /**
91 * hasher to use for cookie calculation
92 */
93 hasher_t *hasher;
94
95 /**
96 * require cookies after this many half open IKE_SAs
97 */
98 u_int32_t cookie_threshold;
99
100 /**
101 * how many half open IKE_SAs per peer before blocking
102 */
103 u_int32_t block_threshold;
104
105 /**
106 * Drop IKE_SA_INIT requests if processor job load exceeds this limit
107 */
108 u_int32_t job_threshold;
109
110 /**
111 * Delay for receiving incoming packets, to simulate larger RTT
112 */
113 int receive_delay;
114
115 /**
116 * Specific message type to delay, 0 for any
117 */
118 int receive_delay_type;
119
120 /**
121 * Delay request messages?
122 */
123 bool receive_delay_request;
124
125 /**
126 * Delay response messages?
127 */
128 bool receive_delay_response;
129 };
130
131 /**
132 * send a notify back to the sender
133 */
134 static void send_notify(message_t *request, notify_type_t type, chunk_t data)
135 {
136 if (request->get_request(request) &&
137 request->get_exchange_type(request) == IKE_SA_INIT)
138 {
139 message_t *response;
140 host_t *src, *dst;
141 packet_t *packet;
142 ike_sa_id_t *ike_sa_id;
143
144 response = message_create();
145 dst = request->get_source(request);
146 src = request->get_destination(request);
147 response->set_source(response, src->clone(src));
148 response->set_destination(response, dst->clone(dst));
149 response->set_exchange_type(response, request->get_exchange_type(request));
150 response->set_request(response, FALSE);
151 response->set_message_id(response, 0);
152 ike_sa_id = request->get_ike_sa_id(request);
153 ike_sa_id->switch_initiator(ike_sa_id);
154 response->set_ike_sa_id(response, ike_sa_id);
155 response->add_notify(response, FALSE, type, data);
156 if (response->generate(response, NULL, &packet) == SUCCESS)
157 {
158 charon->sender->send(charon->sender, packet);
159 response->destroy(response);
160 }
161 }
162 }
163
164 /**
165 * build a cookie
166 */
167 static chunk_t cookie_build(private_receiver_t *this, message_t *message,
168 u_int32_t t, chunk_t secret)
169 {
170 u_int64_t spi = message->get_initiator_spi(message);
171 host_t *ip = message->get_source(message);
172 chunk_t input, hash;
173
174 /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
175 input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
176 chunk_from_thing(t), secret);
177 hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
178 this->hasher->get_hash(this->hasher, input, hash.ptr);
179 return chunk_cat("cc", chunk_from_thing(t), hash);
180 }
181
182 /**
183 * verify a received cookie
184 */
185 static bool cookie_verify(private_receiver_t *this, message_t *message,
186 chunk_t cookie)
187 {
188 u_int32_t t, now;
189 chunk_t reference;
190 chunk_t secret;
191
192 now = time_monotonic(NULL);
193 t = *(u_int32_t*)cookie.ptr;
194
195 if (cookie.len != sizeof(u_int32_t) +
196 this->hasher->get_hash_size(this->hasher) ||
197 t < now - this->secret_offset - COOKIE_LIFETIME)
198 {
199 DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
200 return FALSE;
201 }
202
203 /* check if cookie is derived from old_secret */
204 if (t + this->secret_offset > this->secret_switch)
205 {
206 secret = chunk_from_thing(this->secret);
207 }
208 else
209 {
210 secret = chunk_from_thing(this->secret_old);
211 }
212
213 /* compare own calculation against received */
214 reference = cookie_build(this, message, t, secret);
215 if (chunk_equals(reference, cookie))
216 {
217 chunk_free(&reference);
218 return TRUE;
219 }
220 chunk_free(&reference);
221 return FALSE;
222 }
223
224 /**
225 * check if cookies are required, and if so, a valid cookie is included
226 */
227 static bool cookie_required(private_receiver_t *this, message_t *message)
228 {
229 bool failed = FALSE;
230
231 if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
232 NULL) >= this->cookie_threshold)
233 {
234 /* check for a cookie. We don't use our parser here and do it
235 * quick and dirty for performance reasons.
236 * we assume the cookie is the first payload (which is a MUST), and
237 * the cookie's SPI length is zero. */
238 packet_t *packet = message->get_packet(message);
239 chunk_t data = packet->get_data(packet);
240 if (data.len <
241 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
242 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
243 *(data.ptr + 16) != NOTIFY ||
244 *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
245 {
246 /* no cookie found */
247 failed = TRUE;
248 }
249 else
250 {
251 data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
252 data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
253 if (!cookie_verify(this, message, data))
254 {
255 DBG2(DBG_NET, "found cookie, but content invalid");
256 failed = TRUE;
257 }
258 }
259 packet->destroy(packet);
260 }
261 return failed;
262 }
263
264 /**
265 * check if peer has to many half open IKE_SAs
266 */
267 static bool peer_too_aggressive(private_receiver_t *this, message_t *message)
268 {
269 if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
270 message->get_source(message)) >= this->block_threshold)
271 {
272 return TRUE;
273 }
274 return FALSE;
275 }
276
277 /**
278 * Job callback to receive packets
279 */
280 static job_requeue_t receive_packets(private_receiver_t *this)
281 {
282 packet_t *packet;
283 message_t *message;
284 status_t status;
285
286 /* read in a packet */
287 status = charon->socket->receive(charon->socket, &packet);
288 if (status == NOT_SUPPORTED)
289 {
290 /* the processor destroys this job */
291 this->job = NULL;
292 return JOB_REQUEUE_NONE;
293 }
294 else if (status != SUCCESS)
295 {
296 DBG2(DBG_NET, "receiving from socket failed!");
297 return JOB_REQUEUE_FAIR;
298 }
299
300 /* parse message header */
301 message = message_create_from_packet(packet);
302 if (message->parse_header(message) != SUCCESS)
303 {
304 DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
305 packet->get_source(packet));
306 message->destroy(message);
307 return JOB_REQUEUE_DIRECT;
308 }
309
310 /* check IKE major version */
311 if (message->get_major_version(message) != IKE_MAJOR_VERSION)
312 {
313 DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
314 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
315 message->get_minor_version(message), packet->get_source(packet));
316 send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
317 message->destroy(message);
318 return JOB_REQUEUE_DIRECT;
319 }
320
321 if (message->get_request(message) &&
322 message->get_exchange_type(message) == IKE_SA_INIT)
323 {
324 /* check for cookies */
325 if (this->cookie_threshold && cookie_required(this, message))
326 {
327 u_int32_t now = time_monotonic(NULL);
328 chunk_t cookie = cookie_build(this, message, now - this->secret_offset,
329 chunk_from_thing(this->secret));
330
331 DBG2(DBG_NET, "received packet from: %#H to %#H",
332 message->get_source(message),
333 message->get_destination(message));
334 DBG2(DBG_NET, "sending COOKIE notify to %H",
335 message->get_source(message));
336 send_notify(message, COOKIE, cookie);
337 chunk_free(&cookie);
338 if (++this->secret_used > COOKIE_REUSE)
339 {
340 /* create new cookie */
341 DBG1(DBG_NET, "generating new cookie secret after %d uses",
342 this->secret_used);
343 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
344 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
345 this->secret_switch = now;
346 this->secret_used = 0;
347 }
348 message->destroy(message);
349 return JOB_REQUEUE_DIRECT;
350 }
351
352 /* check if peer has not too many IKE_SAs half open */
353 if (this->block_threshold && peer_too_aggressive(this, message))
354 {
355 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
356 "peer too aggressive", message->get_source(message));
357 message->destroy(message);
358 return JOB_REQUEUE_DIRECT;
359 }
360
361 /* check if job load acceptable */
362 if (this->job_threshold)
363 {
364 u_int jobs = 0, i;
365
366 for (i = 0; i < JOB_PRIO_MAX; i++)
367 {
368 jobs += lib->processor->get_job_load(lib->processor, i);
369 }
370 if (jobs > this->job_threshold)
371 {
372 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, job load of %d "
373 "exceeds limit of %d", message->get_source(message),
374 jobs, this->job_threshold);
375 message->destroy(message);
376 return JOB_REQUEUE_DIRECT;
377 }
378 }
379 }
380 if (this->receive_delay)
381 {
382 if (this->receive_delay_type == 0 ||
383 this->receive_delay_type == message->get_exchange_type(message))
384 {
385 if ((message->get_request(message) && this->receive_delay_request) ||
386 (!message->get_request(message) && this->receive_delay_response))
387 {
388 DBG1(DBG_NET, "using receive delay: %dms",
389 this->receive_delay);
390 lib->scheduler->schedule_job_ms(lib->scheduler,
391 (job_t*)process_message_job_create(message),
392 this->receive_delay);
393 return JOB_REQUEUE_DIRECT;
394 }
395 }
396 }
397 lib->processor->queue_job(lib->processor,
398 (job_t*)process_message_job_create(message));
399 return JOB_REQUEUE_DIRECT;
400 }
401
402 METHOD(receiver_t, destroy, void,
403 private_receiver_t *this)
404 {
405 if (this->job)
406 {
407 this->job->cancel(this->job);
408 }
409 this->rng->destroy(this->rng);
410 this->hasher->destroy(this->hasher);
411 free(this);
412 }
413
414 /*
415 * Described in header.
416 */
417 receiver_t *receiver_create()
418 {
419 private_receiver_t *this;
420 u_int32_t now = time_monotonic(NULL);
421
422 INIT(this,
423 .public = {
424 .destroy = _destroy,
425 },
426 .secret_switch = now,
427 .secret_offset = random() % now,
428 );
429
430 if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
431 {
432 this->cookie_threshold = lib->settings->get_int(lib->settings,
433 "charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
434 this->block_threshold = lib->settings->get_int(lib->settings,
435 "charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
436 }
437 this->job_threshold = lib->settings->get_int(lib->settings,
438 "charon.job_threshold", JOB_THRESHOLD_DEFAULT);
439 this->receive_delay = lib->settings->get_int(lib->settings,
440 "charon.receive_delay", 0);
441 this->receive_delay_type = lib->settings->get_int(lib->settings,
442 "charon.receive_delay_type", 0),
443 this->receive_delay_request = lib->settings->get_bool(lib->settings,
444 "charon.receive_delay_request", TRUE),
445 this->receive_delay_response = lib->settings->get_int(lib->settings,
446 "charon.receive_delay_response", TRUE),
447
448 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
449 if (this->hasher == NULL)
450 {
451 DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
452 free(this);
453 return NULL;
454 }
455 this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
456 if (this->rng == NULL)
457 {
458 DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
459 this->hasher->destroy(this->hasher);
460 free(this);
461 return NULL;
462 }
463 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
464 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
465
466 this->job = callback_job_create((callback_job_cb_t)receive_packets,
467 this, NULL, NULL);
468 lib->processor->queue_job(lib->processor, (job_t*)this->job);
469
470 return &this->public;
471 }
472
strongSwan - IPsec VPN