7492dd06e865701f68268f07edd71e770f693f2f
[strongswan.git] / src / libcharon / plugins / ha / ha_ike.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_ike.h"
17
18 #include <sa/ikev2/keymat_v2.h>
19 #include <sa/ikev1/keymat_v1.h>
20
21 typedef struct private_ha_ike_t private_ha_ike_t;
22
23 /**
24 * Private data of an ha_ike_t object.
25 */
26 struct private_ha_ike_t {
27
28 /**
29 * Public ha_ike_t interface.
30 */
31 ha_ike_t public;
32
33 /**
34 * socket we use for syncing
35 */
36 ha_socket_t *socket;
37
38 /**
39 * tunnel securing sync messages
40 */
41 ha_tunnel_t *tunnel;
42
43 /**
44 * message cache
45 */
46 ha_cache_t *cache;
47 };
48
49 /**
50 * Return condition if it is set on ike_sa
51 */
52 static ike_condition_t copy_condition(ike_sa_t *ike_sa, ike_condition_t cond)
53 {
54 if (ike_sa->has_condition(ike_sa, cond))
55 {
56 return cond;
57 }
58 return 0;
59 }
60
61 /**
62 * Return extension if it is supported by peers IKE_SA
63 */
64 static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
65 {
66 if (ike_sa->supports_extension(ike_sa, ext))
67 {
68 return ext;
69 }
70 return 0;
71 }
72
73 METHOD(listener_t, ike_keys, bool,
74 private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
75 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
76 shared_key_t *shared)
77 {
78 ha_message_t *m;
79 chunk_t secret;
80 proposal_t *proposal;
81 u_int16_t alg, len;
82
83 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
84 { /* do not sync SA between nodes */
85 return TRUE;
86 }
87 if (!dh->get_shared_secret(dh, &secret))
88 {
89 return TRUE;
90 }
91
92 m = ha_message_create(HA_IKE_ADD);
93 m->add_attribute(m, HA_IKE_VERSION, ike_sa->get_version(ike_sa));
94 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
95
96 if (rekey && rekey->get_version(rekey) == IKEV2)
97 {
98 chunk_t skd;
99 keymat_v2_t *keymat;
100
101 keymat = (keymat_v2_t*)rekey->get_keymat(rekey);
102 m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
103 m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
104 m->add_attribute(m, HA_OLD_SKD, skd);
105 }
106
107 proposal = ike_sa->get_proposal(ike_sa);
108 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
109 {
110 m->add_attribute(m, HA_ALG_ENCR, alg);
111 if (len)
112 {
113 m->add_attribute(m, HA_ALG_ENCR_LEN, len);
114 }
115 }
116 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
117 {
118 m->add_attribute(m, HA_ALG_INTEG, alg);
119 }
120 if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
121 {
122 m->add_attribute(m, HA_ALG_PRF, alg);
123 }
124 m->add_attribute(m, HA_NONCE_I, nonce_i);
125 m->add_attribute(m, HA_NONCE_R, nonce_r);
126 m->add_attribute(m, HA_SECRET, secret);
127 chunk_clear(&secret);
128 if (ike_sa->get_version(ike_sa) == IKEV1)
129 {
130 if (dh->get_my_public_value(dh, &secret))
131 {
132 m->add_attribute(m, HA_LOCAL_DH, secret);
133 chunk_free(&secret);
134 }
135 m->add_attribute(m, HA_REMOTE_DH, dh_other);
136 if (shared)
137 {
138 m->add_attribute(m, HA_PSK, shared->get_key(shared));
139 }
140 }
141 m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
142
143 this->socket->push(this->socket, m);
144 this->cache->cache(this->cache, ike_sa, m);
145
146 return TRUE;
147 }
148
149 METHOD(listener_t, ike_updown, bool,
150 private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
151 {
152 ha_message_t *m;
153
154 if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
155 { /* only sync active IKE_SAs */
156 return TRUE;
157 }
158 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
159 { /* do not sync SA between nodes */
160 return TRUE;
161 }
162
163 if (up)
164 {
165 enumerator_t *enumerator;
166 peer_cfg_t *peer_cfg;
167 u_int32_t extension, condition;
168 host_t *addr;
169 ike_sa_id_t *id;
170 identification_t *eap_id;
171
172 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
173
174 condition = copy_condition(ike_sa, COND_NAT_ANY)
175 | copy_condition(ike_sa, COND_NAT_HERE)
176 | copy_condition(ike_sa, COND_NAT_THERE)
177 | copy_condition(ike_sa, COND_NAT_FAKE)
178 | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
179 | copy_condition(ike_sa, COND_CERTREQ_SEEN)
180 | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR)
181 | copy_condition(ike_sa, COND_STALE)
182 | copy_condition(ike_sa, COND_INIT_CONTACT_SEEN)
183 | copy_condition(ike_sa, COND_XAUTH_AUTHENTICATED);
184
185 extension = copy_extension(ike_sa, EXT_NATT)
186 | copy_extension(ike_sa, EXT_MOBIKE)
187 | copy_extension(ike_sa, EXT_HASH_AND_URL)
188 | copy_extension(ike_sa, EXT_MULTIPLE_AUTH)
189 | copy_extension(ike_sa, EXT_STRONGSWAN)
190 | copy_extension(ike_sa, EXT_EAP_ONLY_AUTHENTICATION)
191 | copy_extension(ike_sa, EXT_MS_WINDOWS)
192 | copy_extension(ike_sa, EXT_XAUTH)
193 | copy_extension(ike_sa, EXT_DPD);
194
195 id = ike_sa->get_id(ike_sa);
196
197 m = ha_message_create(HA_IKE_UPDATE);
198 m->add_attribute(m, HA_IKE_ID, id);
199 m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
200 m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
201 eap_id = ike_sa->get_other_eap_id(ike_sa);
202 if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa)))
203 {
204 m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id);
205 }
206 m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
207 m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
208 m->add_attribute(m, HA_CONDITIONS, condition);
209 m->add_attribute(m, HA_EXTENSIONS, extension);
210 m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
211 enumerator = ike_sa->create_peer_address_enumerator(ike_sa);
212 while (enumerator->enumerate(enumerator, (void**)&addr))
213 {
214 m->add_attribute(m, HA_PEER_ADDR, addr);
215 }
216 enumerator->destroy(enumerator);
217 }
218 else
219 {
220 m = ha_message_create(HA_IKE_DELETE);
221 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
222 }
223 this->socket->push(this->socket, m);
224 this->cache->cache(this->cache, ike_sa, m);
225 return TRUE;
226 }
227
228 METHOD(listener_t, ike_rekey, bool,
229 private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
230 {
231 ike_updown(this, old, FALSE);
232 ike_updown(this, new, TRUE);
233 return TRUE;
234 }
235
236 METHOD(listener_t, ike_state_change, bool,
237 private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
238 {
239 /* delete any remaining cache entry if IKE_SA gets destroyed */
240 if (new == IKE_DESTROYING)
241 {
242 this->cache->delete(this->cache, ike_sa);
243 }
244 return TRUE;
245 }
246
247 /**
248 * Send a virtual IP sync message for remote VIPs
249 */
250 static void sync_vips(private_ha_ike_t *this, ike_sa_t *ike_sa)
251 {
252 ha_message_t *m = NULL;
253 enumerator_t *enumerator;
254 host_t *vip;
255
256 enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
257 while (enumerator->enumerate(enumerator, &vip))
258 {
259 if (!m)
260 {
261 m = ha_message_create(HA_IKE_UPDATE);
262 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
263 }
264 m->add_attribute(m, HA_REMOTE_VIP, vip);
265 }
266 enumerator->destroy(enumerator);
267
268 if (m)
269 {
270 this->socket->push(this->socket, m);
271 this->cache->cache(this->cache, ike_sa, m);
272 }
273 }
274
275 METHOD(listener_t, message_hook, bool,
276 private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message,
277 bool incoming, bool plain)
278 {
279 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
280 { /* do not sync SA between nodes */
281 return TRUE;
282 }
283
284 if (plain && ike_sa->get_version(ike_sa) == IKEV2)
285 {
286 if (message->get_exchange_type(message) != IKE_SA_INIT &&
287 message->get_request(message))
288 { /* we sync on requests, but skip it on IKE_SA_INIT */
289 ha_message_t *m;
290
291 if (incoming)
292 {
293 m = ha_message_create(HA_IKE_MID_RESPONDER);
294 }
295 else
296 {
297 m = ha_message_create(HA_IKE_MID_INITIATOR);
298 }
299 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
300 m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
301 this->socket->push(this->socket, m);
302 this->cache->cache(this->cache, ike_sa, m);
303 }
304 if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
305 message->get_exchange_type(message) == IKE_AUTH &&
306 !message->get_request(message))
307 { /* After IKE_SA has been established, sync peers virtual IP.
308 * We cannot sync it in the state_change hook, it is installed later.
309 * TODO: where to sync local VIP? */
310 sync_vips(this, ike_sa);
311 }
312 }
313 if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
314 {
315 ha_message_t *m;
316 keymat_v1_t *keymat;
317 u_int32_t mid;
318 chunk_t iv;
319
320 mid = message->get_message_id(message);
321 if (mid == 0)
322 {
323 keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
324 if (keymat->get_iv(keymat, mid, &iv))
325 {
326 m = ha_message_create(HA_IKE_IV);
327 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
328 m->add_attribute(m, HA_IV, iv);
329 this->socket->push(this->socket, m);
330 this->cache->cache(this->cache, ike_sa, m);
331 }
332 }
333 if (!incoming && message->get_exchange_type(message) == TRANSACTION)
334 {
335 sync_vips(this, ike_sa);
336 }
337 }
338 if (plain && ike_sa->get_version(ike_sa) == IKEV1 &&
339 message->get_exchange_type(message) == INFORMATIONAL_V1)
340 {
341 ha_message_t *m;
342 notify_payload_t *notify;
343 chunk_t data;
344 u_int32_t seq;
345
346 notify = message->get_notify(message, DPD_R_U_THERE);
347 if (notify)
348 {
349 data = notify->get_notification_data(notify);
350 if (data.len == 4)
351 {
352 seq = untoh32(data.ptr);
353 if (incoming)
354 {
355 m = ha_message_create(HA_IKE_MID_RESPONDER);
356 }
357 else
358 {
359 m = ha_message_create(HA_IKE_MID_INITIATOR);
360 }
361 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
362 m->add_attribute(m, HA_MID, seq + 1);
363 this->socket->push(this->socket, m);
364 this->cache->cache(this->cache, ike_sa, m);
365 }
366 }
367 }
368 return TRUE;
369 }
370
371 METHOD(ha_ike_t, destroy, void,
372 private_ha_ike_t *this)
373 {
374 free(this);
375 }
376
377 /**
378 * See header
379 */
380 ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
381 ha_cache_t *cache)
382 {
383 private_ha_ike_t *this;
384
385 INIT(this,
386 .public = {
387 .listener = {
388 .ike_keys = _ike_keys,
389 .ike_updown = _ike_updown,
390 .ike_rekey = _ike_rekey,
391 .ike_state_change = _ike_state_change,
392 .message = _message_hook,
393 },
394 .destroy = _destroy,
395 },
396 .socket = socket,
397 .tunnel = tunnel,
398 .cache = cache,
399 );
400
401 return &this->public;
402 }
403