Keep COOKIEs enabled once threshold is hit, until we see no COOKIEs for a few secs
[strongswan.git] / src / libcharon / network / receiver.c
1 /*
2 * Copyright (C) 2008 Tobias Brunner
3 * Copyright (C) 2005-2006 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include <stdlib.h>
19 #include <unistd.h>
20
21 #include "receiver.h"
22
23 #include <daemon.h>
24 #include <network/socket.h>
25 #include <network/packet.h>
26 #include <processing/jobs/job.h>
27 #include <processing/jobs/process_message_job.h>
28 #include <processing/jobs/callback_job.h>
29 #include <crypto/hashers/hasher.h>
30
31 /** lifetime of a cookie, in seconds */
32 #define COOKIE_LIFETIME 10
33 /** time we wait before disabling cookies */
34 #define COOKIE_CALMDOWN_DELAY 10
35 /** how many times to reuse the secret */
36 #define COOKIE_REUSE 10000
37 /** default value for private_receiver_t.cookie_threshold */
38 #define COOKIE_THRESHOLD_DEFAULT 10
39 /** default value for private_receiver_t.block_threshold */
40 #define BLOCK_THRESHOLD_DEFAULT 5
41 /** length of the secret to use for cookie calculation */
42 #define SECRET_LENGTH 16
43
44 typedef struct private_receiver_t private_receiver_t;
45
46 /**
47 * Private data of a receiver_t object.
48 */
49 struct private_receiver_t {
50 /**
51 * Public part of a receiver_t object.
52 */
53 receiver_t public;
54
55 /**
56 * Threads job receiving packets
57 */
58 callback_job_t *job;
59
60 /**
61 * current secret to use for cookie calculation
62 */
63 char secret[SECRET_LENGTH];
64
65 /**
66 * previous secret used to verify older cookies
67 */
68 char secret_old[SECRET_LENGTH];
69
70 /**
71 * how many times we have used "secret" so far
72 */
73 u_int32_t secret_used;
74
75 /**
76 * time we did the cookie switch
77 */
78 u_int32_t secret_switch;
79
80 /**
81 * time offset to use, hides our system time
82 */
83 u_int32_t secret_offset;
84
85 /**
86 * the RNG to use for secret generation
87 */
88 rng_t *rng;
89
90 /**
91 * hasher to use for cookie calculation
92 */
93 hasher_t *hasher;
94
95 /**
96 * require cookies after this many half open IKE_SAs
97 */
98 u_int32_t cookie_threshold;
99
100 /**
101 * timestamp of last cookie requested
102 */
103 time_t last_cookie;
104
105 /**
106 * how many half open IKE_SAs per peer before blocking
107 */
108 u_int32_t block_threshold;
109
110 /**
111 * Drop IKE_SA_INIT requests if processor job load exceeds this limit
112 */
113 u_int init_limit_job_load;
114
115 /**
116 * Drop IKE_SA_INIT requests if half open IKE_SA count exceeds this limit
117 */
118 u_int init_limit_half_open;
119
120 /**
121 * Delay for receiving incoming packets, to simulate larger RTT
122 */
123 int receive_delay;
124
125 /**
126 * Specific message type to delay, 0 for any
127 */
128 int receive_delay_type;
129
130 /**
131 * Delay request messages?
132 */
133 bool receive_delay_request;
134
135 /**
136 * Delay response messages?
137 */
138 bool receive_delay_response;
139 };
140
141 /**
142 * send a notify back to the sender
143 */
144 static void send_notify(message_t *request, notify_type_t type, chunk_t data)
145 {
146 if (request->get_request(request) &&
147 request->get_exchange_type(request) == IKE_SA_INIT)
148 {
149 message_t *response;
150 host_t *src, *dst;
151 packet_t *packet;
152 ike_sa_id_t *ike_sa_id;
153
154 response = message_create();
155 dst = request->get_source(request);
156 src = request->get_destination(request);
157 response->set_source(response, src->clone(src));
158 response->set_destination(response, dst->clone(dst));
159 response->set_exchange_type(response, request->get_exchange_type(request));
160 response->set_request(response, FALSE);
161 response->set_message_id(response, 0);
162 ike_sa_id = request->get_ike_sa_id(request);
163 ike_sa_id->switch_initiator(ike_sa_id);
164 response->set_ike_sa_id(response, ike_sa_id);
165 response->add_notify(response, FALSE, type, data);
166 if (response->generate(response, NULL, &packet) == SUCCESS)
167 {
168 charon->sender->send(charon->sender, packet);
169 response->destroy(response);
170 }
171 }
172 }
173
174 /**
175 * build a cookie
176 */
177 static chunk_t cookie_build(private_receiver_t *this, message_t *message,
178 u_int32_t t, chunk_t secret)
179 {
180 u_int64_t spi = message->get_initiator_spi(message);
181 host_t *ip = message->get_source(message);
182 chunk_t input, hash;
183
184 /* COOKIE = t | sha1( IPi | SPIi | t | secret ) */
185 input = chunk_cata("cccc", ip->get_address(ip), chunk_from_thing(spi),
186 chunk_from_thing(t), secret);
187 hash = chunk_alloca(this->hasher->get_hash_size(this->hasher));
188 this->hasher->get_hash(this->hasher, input, hash.ptr);
189 return chunk_cat("cc", chunk_from_thing(t), hash);
190 }
191
192 /**
193 * verify a received cookie
194 */
195 static bool cookie_verify(private_receiver_t *this, message_t *message,
196 chunk_t cookie)
197 {
198 u_int32_t t, now;
199 chunk_t reference;
200 chunk_t secret;
201
202 now = time_monotonic(NULL);
203 t = *(u_int32_t*)cookie.ptr;
204
205 if (cookie.len != sizeof(u_int32_t) +
206 this->hasher->get_hash_size(this->hasher) ||
207 t < now - this->secret_offset - COOKIE_LIFETIME)
208 {
209 DBG2(DBG_NET, "received cookie lifetime expired, rejecting");
210 return FALSE;
211 }
212
213 /* check if cookie is derived from old_secret */
214 if (t + this->secret_offset > this->secret_switch)
215 {
216 secret = chunk_from_thing(this->secret);
217 }
218 else
219 {
220 secret = chunk_from_thing(this->secret_old);
221 }
222
223 /* compare own calculation against received */
224 reference = cookie_build(this, message, t, secret);
225 if (chunk_equals(reference, cookie))
226 {
227 chunk_free(&reference);
228 return TRUE;
229 }
230 chunk_free(&reference);
231 return FALSE;
232 }
233
234 /**
235 * Check if a valid cookie found
236 */
237 static bool check_cookie(private_receiver_t *this, message_t *message)
238 {
239 packet_t *packet;
240 chunk_t data;
241
242 /* check for a cookie. We don't use our parser here and do it
243 * quick and dirty for performance reasons.
244 * we assume the cookie is the first payload (which is a MUST), and
245 * the cookie's SPI length is zero. */
246 packet = message->get_packet(message);
247 data = packet->get_data(packet);
248 if (data.len <
249 IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH +
250 sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher) ||
251 *(data.ptr + 16) != NOTIFY ||
252 *(u_int16_t*)(data.ptr + IKE_HEADER_LENGTH + 6) != htons(COOKIE))
253 {
254 /* no cookie found */
255 packet->destroy(packet);
256 return FALSE;
257 }
258 data.ptr += IKE_HEADER_LENGTH + NOTIFY_PAYLOAD_HEADER_LENGTH;
259 data.len = sizeof(u_int32_t) + this->hasher->get_hash_size(this->hasher);
260 if (!cookie_verify(this, message, data))
261 {
262 DBG2(DBG_NET, "found cookie, but content invalid");
263 packet->destroy(packet);
264 return FALSE;
265 }
266 return TRUE;
267 }
268
269 /**
270 * Check if we currently require cookies
271 */
272 static bool cookie_required(private_receiver_t *this,
273 u_int half_open, u_int32_t now)
274 {
275 if (this->cookie_threshold && half_open >= this->cookie_threshold)
276 {
277 this->last_cookie = now;
278 return TRUE;
279 }
280 if (now < this->last_cookie + COOKIE_CALMDOWN_DELAY)
281 {
282 /* We don't disable cookies unless we haven't seen IKE_SA_INITs
283 * for COOKIE_CALMDOWN_DELAY seconds. This avoids jittering between
284 * cookie on / cookie off states, which is problematic. Consider the
285 * following: A legitimiate initiator sends a IKE_SA_INIT while we
286 * are under a DoS attack. If we toggle our cookie behavior,
287 * multiple retransmits of this IKE_SA_INIT might get answered with
288 * and without cookies. The initiator goes on and retries with
289 * a cookie, but it can't know if the completing IKE_SA_INIT response
290 * is to its IKE_SA_INIT request with or without cookies. This is
291 * problematic, as the cookie is part of AUTH payload data.
292 */
293 this->last_cookie = now;
294 return TRUE;
295 }
296 return FALSE;
297 }
298
299 /**
300 * Check if we should drop IKE_SA_INIT because of cookie/overload checking
301 */
302 static bool drop_ike_sa_init(private_receiver_t *this, message_t *message)
303 {
304 u_int half_open;
305 u_int32_t now;
306
307 now = time_monotonic(NULL);
308 half_open = charon->ike_sa_manager->get_half_open_count(
309 charon->ike_sa_manager, NULL);
310
311 /* check for cookies */
312 if (cookie_required(this, half_open, now) && !check_cookie(this, message))
313 {
314 chunk_t cookie;
315
316 cookie = cookie_build(this, message, now - this->secret_offset,
317 chunk_from_thing(this->secret));
318 DBG2(DBG_NET, "received packet from: %#H to %#H",
319 message->get_source(message),
320 message->get_destination(message));
321 DBG2(DBG_NET, "sending COOKIE notify to %H",
322 message->get_source(message));
323 send_notify(message, COOKIE, cookie);
324 chunk_free(&cookie);
325 if (++this->secret_used > COOKIE_REUSE)
326 {
327 /* create new cookie */
328 DBG1(DBG_NET, "generating new cookie secret after %d uses",
329 this->secret_used);
330 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
331 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
332 this->secret_switch = now;
333 this->secret_used = 0;
334 }
335 return TRUE;
336 }
337
338 /* check if peer has too many IKE_SAs half open */
339 if (this->block_threshold &&
340 charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager,
341 message->get_source(message)) >= this->block_threshold)
342 {
343 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, "
344 "peer too aggressive", message->get_source(message));
345 return TRUE;
346 }
347
348 /* check if global half open IKE_SA limit reached */
349 if (this->init_limit_half_open &&
350 half_open >= this->init_limit_half_open)
351 {
352 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, half open IKE_SA "
353 "count of %d exceeds limit of %d", message->get_source(message),
354 half_open, this->init_limit_half_open);
355 return TRUE;
356 }
357
358 /* check if job load acceptable */
359 if (this->init_limit_job_load)
360 {
361 u_int jobs = 0, i;
362
363 for (i = 0; i < JOB_PRIO_MAX; i++)
364 {
365 jobs += lib->processor->get_job_load(lib->processor, i);
366 }
367 if (jobs > this->init_limit_job_load)
368 {
369 DBG1(DBG_NET, "ignoring IKE_SA setup from %H, job load of %d "
370 "exceeds limit of %d", message->get_source(message),
371 jobs, this->init_limit_job_load);
372 return TRUE;
373 }
374 }
375 return FALSE;
376 }
377
378 /**
379 * Job callback to receive packets
380 */
381 static job_requeue_t receive_packets(private_receiver_t *this)
382 {
383 packet_t *packet;
384 message_t *message;
385 status_t status;
386
387 /* read in a packet */
388 status = charon->socket->receive(charon->socket, &packet);
389 if (status == NOT_SUPPORTED)
390 {
391 /* the processor destroys this job */
392 this->job = NULL;
393 return JOB_REQUEUE_NONE;
394 }
395 else if (status != SUCCESS)
396 {
397 DBG2(DBG_NET, "receiving from socket failed!");
398 return JOB_REQUEUE_FAIR;
399 }
400
401 /* parse message header */
402 message = message_create_from_packet(packet);
403 if (message->parse_header(message) != SUCCESS)
404 {
405 DBG1(DBG_NET, "received invalid IKE header from %H - ignored",
406 packet->get_source(packet));
407 message->destroy(message);
408 return JOB_REQUEUE_DIRECT;
409 }
410
411 /* check IKE major version */
412 if (message->get_major_version(message) != IKE_MAJOR_VERSION)
413 {
414 DBG1(DBG_NET, "received unsupported IKE version %d.%d from %H, "
415 "sending INVALID_MAJOR_VERSION", message->get_major_version(message),
416 message->get_minor_version(message), packet->get_source(packet));
417 send_notify(message, INVALID_MAJOR_VERSION, chunk_empty);
418 message->destroy(message);
419 return JOB_REQUEUE_DIRECT;
420 }
421
422 if (message->get_request(message) &&
423 message->get_exchange_type(message) == IKE_SA_INIT)
424 {
425 if (drop_ike_sa_init(this, message))
426 {
427 message->destroy(message);
428 return JOB_REQUEUE_DIRECT;
429 }
430 }
431 if (this->receive_delay)
432 {
433 if (this->receive_delay_type == 0 ||
434 this->receive_delay_type == message->get_exchange_type(message))
435 {
436 if ((message->get_request(message) && this->receive_delay_request) ||
437 (!message->get_request(message) && this->receive_delay_response))
438 {
439 DBG1(DBG_NET, "using receive delay: %dms",
440 this->receive_delay);
441 lib->scheduler->schedule_job_ms(lib->scheduler,
442 (job_t*)process_message_job_create(message),
443 this->receive_delay);
444 return JOB_REQUEUE_DIRECT;
445 }
446 }
447 }
448 lib->processor->queue_job(lib->processor,
449 (job_t*)process_message_job_create(message));
450 return JOB_REQUEUE_DIRECT;
451 }
452
453 METHOD(receiver_t, destroy, void,
454 private_receiver_t *this)
455 {
456 if (this->job)
457 {
458 this->job->cancel(this->job);
459 }
460 this->rng->destroy(this->rng);
461 this->hasher->destroy(this->hasher);
462 free(this);
463 }
464
465 /*
466 * Described in header.
467 */
468 receiver_t *receiver_create()
469 {
470 private_receiver_t *this;
471 u_int32_t now = time_monotonic(NULL);
472
473 INIT(this,
474 .public = {
475 .destroy = _destroy,
476 },
477 .secret_switch = now,
478 .secret_offset = random() % now,
479 );
480
481 if (lib->settings->get_bool(lib->settings, "charon.dos_protection", TRUE))
482 {
483 this->cookie_threshold = lib->settings->get_int(lib->settings,
484 "charon.cookie_threshold", COOKIE_THRESHOLD_DEFAULT);
485 this->block_threshold = lib->settings->get_int(lib->settings,
486 "charon.block_threshold", BLOCK_THRESHOLD_DEFAULT);
487 }
488 this->init_limit_job_load = lib->settings->get_int(lib->settings,
489 "charon.init_limit_job_load", 0);
490 this->init_limit_half_open = lib->settings->get_int(lib->settings,
491 "charon.init_limit_half_open", 0);
492 this->receive_delay = lib->settings->get_int(lib->settings,
493 "charon.receive_delay", 0);
494 this->receive_delay_type = lib->settings->get_int(lib->settings,
495 "charon.receive_delay_type", 0),
496 this->receive_delay_request = lib->settings->get_bool(lib->settings,
497 "charon.receive_delay_request", TRUE),
498 this->receive_delay_response = lib->settings->get_int(lib->settings,
499 "charon.receive_delay_response", TRUE),
500
501 this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
502 if (this->hasher == NULL)
503 {
504 DBG1(DBG_NET, "creating cookie hasher failed, no hashers supported");
505 free(this);
506 return NULL;
507 }
508 this->rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
509 if (this->rng == NULL)
510 {
511 DBG1(DBG_NET, "creating cookie RNG failed, no RNG supported");
512 this->hasher->destroy(this->hasher);
513 free(this);
514 return NULL;
515 }
516 this->rng->get_bytes(this->rng, SECRET_LENGTH, this->secret);
517 memcpy(this->secret_old, this->secret, SECRET_LENGTH);
518
519 this->job = callback_job_create_with_prio((callback_job_cb_t)receive_packets,
520 this, NULL, NULL, JOB_PRIO_CRITICAL);
521 lib->processor->queue_job(lib->processor, (job_t*)this->job);
522
523 return &this->public;
524 }
525