Support multiple virtual IPs on peer_cfg and ike_sa classes
[strongswan.git] / src / libcharon / plugins / ha / ha_ike.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_ike.h"
17
18 #include <sa/ikev2/keymat_v2.h>
19 #include <sa/ikev1/keymat_v1.h>
20
21 typedef struct private_ha_ike_t private_ha_ike_t;
22
23 /**
24 * Private data of an ha_ike_t object.
25 */
26 struct private_ha_ike_t {
27
28 /**
29 * Public ha_ike_t interface.
30 */
31 ha_ike_t public;
32
33 /**
34 * socket we use for syncing
35 */
36 ha_socket_t *socket;
37
38 /**
39 * tunnel securing sync messages
40 */
41 ha_tunnel_t *tunnel;
42
43 /**
44 * message cache
45 */
46 ha_cache_t *cache;
47 };
48
49 /**
50 * Return condition if it is set on ike_sa
51 */
52 static ike_condition_t copy_condition(ike_sa_t *ike_sa, ike_condition_t cond)
53 {
54 if (ike_sa->has_condition(ike_sa, cond))
55 {
56 return cond;
57 }
58 return 0;
59 }
60
61 /**
62 * Return extension if it is supported by peers IKE_SA
63 */
64 static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
65 {
66 if (ike_sa->supports_extension(ike_sa, ext))
67 {
68 return ext;
69 }
70 return 0;
71 }
72
73 METHOD(listener_t, ike_keys, bool,
74 private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
75 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
76 shared_key_t *shared)
77 {
78 ha_message_t *m;
79 chunk_t secret;
80 proposal_t *proposal;
81 u_int16_t alg, len;
82
83 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
84 { /* do not sync SA between nodes */
85 return TRUE;
86 }
87 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
88 {
89 return TRUE;
90 }
91
92 m = ha_message_create(HA_IKE_ADD);
93 m->add_attribute(m, HA_IKE_VERSION, ike_sa->get_version(ike_sa));
94 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
95
96 if (rekey && rekey->get_version(rekey) == IKEV2)
97 {
98 chunk_t skd;
99 keymat_v2_t *keymat;
100
101 keymat = (keymat_v2_t*)rekey->get_keymat(rekey);
102 m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
103 m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
104 m->add_attribute(m, HA_OLD_SKD, skd);
105 }
106
107 proposal = ike_sa->get_proposal(ike_sa);
108 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
109 {
110 m->add_attribute(m, HA_ALG_ENCR, alg);
111 if (len)
112 {
113 m->add_attribute(m, HA_ALG_ENCR_LEN, len);
114 }
115 }
116 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
117 {
118 m->add_attribute(m, HA_ALG_INTEG, alg);
119 }
120 if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
121 {
122 m->add_attribute(m, HA_ALG_PRF, alg);
123 }
124 m->add_attribute(m, HA_NONCE_I, nonce_i);
125 m->add_attribute(m, HA_NONCE_R, nonce_r);
126 m->add_attribute(m, HA_SECRET, secret);
127 chunk_clear(&secret);
128 if (ike_sa->get_version(ike_sa) == IKEV1)
129 {
130 dh->get_my_public_value(dh, &secret);
131 m->add_attribute(m, HA_LOCAL_DH, secret);
132 chunk_free(&secret);
133 m->add_attribute(m, HA_REMOTE_DH, dh_other);
134 if (shared)
135 {
136 m->add_attribute(m, HA_PSK, shared->get_key(shared));
137 }
138 }
139
140 this->socket->push(this->socket, m);
141 this->cache->cache(this->cache, ike_sa, m);
142
143 return TRUE;
144 }
145
146 METHOD(listener_t, ike_updown, bool,
147 private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
148 {
149 ha_message_t *m;
150
151 if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
152 { /* only sync active IKE_SAs */
153 return TRUE;
154 }
155 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
156 { /* do not sync SA between nodes */
157 return TRUE;
158 }
159
160 if (up)
161 {
162 enumerator_t *enumerator;
163 peer_cfg_t *peer_cfg;
164 u_int32_t extension, condition;
165 host_t *addr;
166 ike_sa_id_t *id;
167 identification_t *eap_id;
168
169 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
170
171 condition = copy_condition(ike_sa, COND_NAT_ANY)
172 | copy_condition(ike_sa, COND_NAT_HERE)
173 | copy_condition(ike_sa, COND_NAT_THERE)
174 | copy_condition(ike_sa, COND_NAT_FAKE)
175 | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
176 | copy_condition(ike_sa, COND_CERTREQ_SEEN)
177 | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR)
178 | copy_condition(ike_sa, COND_STALE)
179 | copy_condition(ike_sa, COND_INIT_CONTACT_SEEN)
180 | copy_condition(ike_sa, COND_XAUTH_AUTHENTICATED);
181
182 extension = copy_extension(ike_sa, EXT_NATT)
183 | copy_extension(ike_sa, EXT_MOBIKE)
184 | copy_extension(ike_sa, EXT_HASH_AND_URL)
185 | copy_extension(ike_sa, EXT_MULTIPLE_AUTH)
186 | copy_extension(ike_sa, EXT_STRONGSWAN)
187 | copy_extension(ike_sa, EXT_EAP_ONLY_AUTHENTICATION)
188 | copy_extension(ike_sa, EXT_MS_WINDOWS)
189 | copy_extension(ike_sa, EXT_XAUTH)
190 | copy_extension(ike_sa, EXT_DPD);
191
192 id = ike_sa->get_id(ike_sa);
193
194 m = ha_message_create(HA_IKE_UPDATE);
195 m->add_attribute(m, HA_IKE_ID, id);
196 m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
197 m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
198 eap_id = ike_sa->get_other_eap_id(ike_sa);
199 if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa)))
200 {
201 m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id);
202 }
203 m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
204 m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
205 m->add_attribute(m, HA_CONDITIONS, condition);
206 m->add_attribute(m, HA_EXTENSIONS, extension);
207 m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
208 enumerator = ike_sa->create_peer_address_enumerator(ike_sa);
209 while (enumerator->enumerate(enumerator, (void**)&addr))
210 {
211 m->add_attribute(m, HA_PEER_ADDR, addr);
212 }
213 enumerator->destroy(enumerator);
214 }
215 else
216 {
217 m = ha_message_create(HA_IKE_DELETE);
218 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
219 }
220 this->socket->push(this->socket, m);
221 this->cache->cache(this->cache, ike_sa, m);
222 return TRUE;
223 }
224
225 METHOD(listener_t, ike_rekey, bool,
226 private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
227 {
228 ike_updown(this, old, FALSE);
229 ike_updown(this, new, TRUE);
230 return TRUE;
231 }
232
233 METHOD(listener_t, ike_state_change, bool,
234 private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
235 {
236 /* delete any remaining cache entry if IKE_SA gets destroyed */
237 if (new == IKE_DESTROYING)
238 {
239 this->cache->delete(this->cache, ike_sa);
240 }
241 return TRUE;
242 }
243
244 /**
245 * Send a virtual IP sync message for remote VIPs
246 */
247 static void sync_vips(private_ha_ike_t *this, ike_sa_t *ike_sa)
248 {
249 ha_message_t *m = NULL;
250 enumerator_t *enumerator;
251 host_t *vip;
252
253 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
254 while (enumerator->enumerate(enumerator, &vip))
255 {
256 if (!m)
257 {
258 m = ha_message_create(HA_IKE_UPDATE);
259 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
260 }
261 m->add_attribute(m, HA_REMOTE_VIP, vip);
262 }
263 enumerator->destroy(enumerator);
264
265 if (m)
266 {
267 this->socket->push(this->socket, m);
268 this->cache->cache(this->cache, ike_sa, m);
269 }
270 }
271
272 METHOD(listener_t, message_hook, bool,
273 private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message,
274 bool incoming, bool plain)
275 {
276 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
277 { /* do not sync SA between nodes */
278 return TRUE;
279 }
280
281 if (plain && ike_sa->get_version(ike_sa) == IKEV2)
282 {
283 if (message->get_exchange_type(message) != IKE_SA_INIT &&
284 message->get_request(message))
285 { /* we sync on requests, but skip it on IKE_SA_INIT */
286 ha_message_t *m;
287
288 if (incoming)
289 {
290 m = ha_message_create(HA_IKE_MID_RESPONDER);
291 }
292 else
293 {
294 m = ha_message_create(HA_IKE_MID_INITIATOR);
295 }
296 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
297 m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
298 this->socket->push(this->socket, m);
299 this->cache->cache(this->cache, ike_sa, m);
300 }
301 if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
302 message->get_exchange_type(message) == IKE_AUTH &&
303 !message->get_request(message))
304 { /* After IKE_SA has been established, sync peers virtual IP.
305 * We cannot sync it in the state_change hook, it is installed later.
306 * TODO: where to sync local VIP? */
307 sync_vips(this, ike_sa);
308 }
309 }
310 if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
311 {
312 ha_message_t *m;
313 keymat_v1_t *keymat;
314 u_int32_t mid;
315 chunk_t iv;
316
317 mid = message->get_message_id(message);
318 if (mid == 0)
319 {
320 keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
321 if (keymat->get_iv(keymat, mid, &iv))
322 {
323 m = ha_message_create(HA_IKE_IV);
324 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
325 m->add_attribute(m, HA_IV, iv);
326 this->socket->push(this->socket, m);
327 this->cache->cache(this->cache, ike_sa, m);
328 }
329 }
330 if (!incoming && message->get_exchange_type(message) == TRANSACTION)
331 {
332 sync_vips(this, ike_sa);
333 }
334 }
335 if (plain && ike_sa->get_version(ike_sa) == IKEV1 &&
336 message->get_exchange_type(message) == INFORMATIONAL_V1)
337 {
338 ha_message_t *m;
339 notify_payload_t *notify;
340 chunk_t data;
341 u_int32_t seq;
342
343 notify = message->get_notify(message, DPD_R_U_THERE);
344 if (notify)
345 {
346 data = notify->get_notification_data(notify);
347 if (data.len == 4)
348 {
349 seq = untoh32(data.ptr);
350 if (incoming)
351 {
352 m = ha_message_create(HA_IKE_MID_RESPONDER);
353 }
354 else
355 {
356 m = ha_message_create(HA_IKE_MID_INITIATOR);
357 }
358 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
359 m->add_attribute(m, HA_MID, seq + 1);
360 this->socket->push(this->socket, m);
361 this->cache->cache(this->cache, ike_sa, m);
362 }
363 }
364 }
365 return TRUE;
366 }
367
368 METHOD(ha_ike_t, destroy, void,
369 private_ha_ike_t *this)
370 {
371 free(this);
372 }
373
374 /**
375 * See header
376 */
377 ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
378 ha_cache_t *cache)
379 {
380 private_ha_ike_t *this;
381
382 INIT(this,
383 .public = {
384 .listener = {
385 .ike_keys = _ike_keys,
386 .ike_updown = _ike_updown,
387 .ike_rekey = _ike_rekey,
388 .ike_state_change = _ike_state_change,
389 .message = _message_hook,
390 },
391 .destroy = _destroy,
392 },
393 .socket = socket,
394 .tunnel = tunnel,
395 .cache = cache,
396 );
397
398 return &this->public;
399 }
400