d523e89198c26f06e86f7a3b5e2068d468c6f726
[strongswan.git] / src / libcharon / plugins / ha / ha_ike.c
1 /*
2 * Copyright (C) 2008 Martin Willi
3 * Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "ha_ike.h"
17
18 #include <sa/ikev2/keymat_v2.h>
19 #include <sa/ikev1/keymat_v1.h>
20
21 typedef struct private_ha_ike_t private_ha_ike_t;
22
23 /**
24 * Private data of an ha_ike_t object.
25 */
26 struct private_ha_ike_t {
27
28 /**
29 * Public ha_ike_t interface.
30 */
31 ha_ike_t public;
32
33 /**
34 * socket we use for syncing
35 */
36 ha_socket_t *socket;
37
38 /**
39 * tunnel securing sync messages
40 */
41 ha_tunnel_t *tunnel;
42
43 /**
44 * message cache
45 */
46 ha_cache_t *cache;
47 };
48
49 /**
50 * Return condition if it is set on ike_sa
51 */
52 static ike_condition_t copy_condition(ike_sa_t *ike_sa, ike_condition_t cond)
53 {
54 if (ike_sa->has_condition(ike_sa, cond))
55 {
56 return cond;
57 }
58 return 0;
59 }
60
61 /**
62 * Return extension if it is supported by peers IKE_SA
63 */
64 static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext)
65 {
66 if (ike_sa->supports_extension(ike_sa, ext))
67 {
68 return ext;
69 }
70 return 0;
71 }
72
73 METHOD(listener_t, ike_keys, bool,
74 private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
75 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey,
76 shared_key_t *shared)
77 {
78 ha_message_t *m;
79 chunk_t secret;
80 proposal_t *proposal;
81 u_int16_t alg, len;
82
83 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
84 { /* do not sync SA between nodes */
85 return TRUE;
86 }
87 if (dh->get_shared_secret(dh, &secret) != SUCCESS)
88 {
89 return TRUE;
90 }
91
92 m = ha_message_create(HA_IKE_ADD);
93 m->add_attribute(m, HA_IKE_VERSION, ike_sa->get_version(ike_sa));
94 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
95
96 if (rekey && rekey->get_version(rekey) == IKEV2)
97 {
98 chunk_t skd;
99 keymat_v2_t *keymat;
100
101 keymat = (keymat_v2_t*)rekey->get_keymat(rekey);
102 m->add_attribute(m, HA_IKE_REKEY_ID, rekey->get_id(rekey));
103 m->add_attribute(m, HA_ALG_OLD_PRF, keymat->get_skd(keymat, &skd));
104 m->add_attribute(m, HA_OLD_SKD, skd);
105 }
106
107 proposal = ike_sa->get_proposal(ike_sa);
108 if (proposal->get_algorithm(proposal, ENCRYPTION_ALGORITHM, &alg, &len))
109 {
110 m->add_attribute(m, HA_ALG_ENCR, alg);
111 if (len)
112 {
113 m->add_attribute(m, HA_ALG_ENCR_LEN, len);
114 }
115 }
116 if (proposal->get_algorithm(proposal, INTEGRITY_ALGORITHM, &alg, NULL))
117 {
118 m->add_attribute(m, HA_ALG_INTEG, alg);
119 }
120 if (proposal->get_algorithm(proposal, PSEUDO_RANDOM_FUNCTION, &alg, NULL))
121 {
122 m->add_attribute(m, HA_ALG_PRF, alg);
123 }
124 m->add_attribute(m, HA_NONCE_I, nonce_i);
125 m->add_attribute(m, HA_NONCE_R, nonce_r);
126 m->add_attribute(m, HA_SECRET, secret);
127 chunk_clear(&secret);
128 if (ike_sa->get_version(ike_sa) == IKEV1)
129 {
130 dh->get_my_public_value(dh, &secret);
131 m->add_attribute(m, HA_LOCAL_DH, secret);
132 chunk_free(&secret);
133 m->add_attribute(m, HA_REMOTE_DH, dh_other);
134 if (shared)
135 {
136 m->add_attribute(m, HA_PSK, shared->get_key(shared));
137 }
138 }
139
140 this->socket->push(this->socket, m);
141 this->cache->cache(this->cache, ike_sa, m);
142
143 return TRUE;
144 }
145
146 METHOD(listener_t, ike_updown, bool,
147 private_ha_ike_t *this, ike_sa_t *ike_sa, bool up)
148 {
149 ha_message_t *m;
150
151 if (ike_sa->get_state(ike_sa) == IKE_PASSIVE)
152 { /* only sync active IKE_SAs */
153 return TRUE;
154 }
155 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
156 { /* do not sync SA between nodes */
157 return TRUE;
158 }
159
160 if (up)
161 {
162 enumerator_t *enumerator;
163 peer_cfg_t *peer_cfg;
164 u_int32_t extension, condition;
165 host_t *addr;
166 ike_sa_id_t *id;
167 identification_t *eap_id;
168
169 peer_cfg = ike_sa->get_peer_cfg(ike_sa);
170
171 condition = copy_condition(ike_sa, COND_NAT_ANY)
172 | copy_condition(ike_sa, COND_NAT_HERE)
173 | copy_condition(ike_sa, COND_NAT_THERE)
174 | copy_condition(ike_sa, COND_NAT_FAKE)
175 | copy_condition(ike_sa, COND_EAP_AUTHENTICATED)
176 | copy_condition(ike_sa, COND_CERTREQ_SEEN)
177 | copy_condition(ike_sa, COND_ORIGINAL_INITIATOR)
178 | copy_condition(ike_sa, COND_STALE)
179 | copy_condition(ike_sa, COND_INIT_CONTACT_SEEN)
180 | copy_condition(ike_sa, COND_XAUTH_AUTHENTICATED);
181
182 extension = copy_extension(ike_sa, EXT_NATT)
183 | copy_extension(ike_sa, EXT_MOBIKE)
184 | copy_extension(ike_sa, EXT_HASH_AND_URL)
185 | copy_extension(ike_sa, EXT_MULTIPLE_AUTH)
186 | copy_extension(ike_sa, EXT_STRONGSWAN)
187 | copy_extension(ike_sa, EXT_EAP_ONLY_AUTHENTICATION)
188 | copy_extension(ike_sa, EXT_MS_WINDOWS)
189 | copy_extension(ike_sa, EXT_XAUTH)
190 | copy_extension(ike_sa, EXT_DPD);
191
192 id = ike_sa->get_id(ike_sa);
193
194 m = ha_message_create(HA_IKE_UPDATE);
195 m->add_attribute(m, HA_IKE_ID, id);
196 m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa));
197 m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa));
198 eap_id = ike_sa->get_other_eap_id(ike_sa);
199 if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa)))
200 {
201 m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id);
202 }
203 m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa));
204 m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa));
205 m->add_attribute(m, HA_CONDITIONS, condition);
206 m->add_attribute(m, HA_EXTENSIONS, extension);
207 m->add_attribute(m, HA_CONFIG_NAME, peer_cfg->get_name(peer_cfg));
208 enumerator = ike_sa->create_peer_address_enumerator(ike_sa);
209 while (enumerator->enumerate(enumerator, (void**)&addr))
210 {
211 m->add_attribute(m, HA_PEER_ADDR, addr);
212 }
213 enumerator->destroy(enumerator);
214 }
215 else
216 {
217 m = ha_message_create(HA_IKE_DELETE);
218 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
219 }
220 this->socket->push(this->socket, m);
221 this->cache->cache(this->cache, ike_sa, m);
222 return TRUE;
223 }
224
225 METHOD(listener_t, ike_rekey, bool,
226 private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new)
227 {
228 ike_updown(this, old, FALSE);
229 ike_updown(this, new, TRUE);
230 return TRUE;
231 }
232
233 METHOD(listener_t, ike_state_change, bool,
234 private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
235 {
236 /* delete any remaining cache entry if IKE_SA gets destroyed */
237 if (new == IKE_DESTROYING)
238 {
239 this->cache->delete(this->cache, ike_sa);
240 }
241 return TRUE;
242 }
243
244 METHOD(listener_t, message_hook, bool,
245 private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message,
246 bool incoming, bool plain)
247 {
248 if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa))
249 { /* do not sync SA between nodes */
250 return TRUE;
251 }
252
253 if (plain && ike_sa->get_version(ike_sa) == IKEV2)
254 {
255 if (message->get_exchange_type(message) != IKE_SA_INIT &&
256 message->get_request(message))
257 { /* we sync on requests, but skip it on IKE_SA_INIT */
258 ha_message_t *m;
259
260 if (incoming)
261 {
262 m = ha_message_create(HA_IKE_MID_RESPONDER);
263 }
264 else
265 {
266 m = ha_message_create(HA_IKE_MID_INITIATOR);
267 }
268 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
269 m->add_attribute(m, HA_MID, message->get_message_id(message) + 1);
270 this->socket->push(this->socket, m);
271 this->cache->cache(this->cache, ike_sa, m);
272 }
273 if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
274 message->get_exchange_type(message) == IKE_AUTH &&
275 !message->get_request(message))
276 { /* After IKE_SA has been established, sync peers virtual IP.
277 * We cannot sync it in the state_change hook, it is installed later.
278 * TODO: where to sync local VIP? */
279 ha_message_t *m;
280 host_t *vip;
281
282 vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
283 if (vip)
284 {
285 m = ha_message_create(HA_IKE_UPDATE);
286 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
287 m->add_attribute(m, HA_REMOTE_VIP, vip);
288 this->socket->push(this->socket, m);
289 this->cache->cache(this->cache, ike_sa, m);
290 }
291 }
292 }
293 if (!plain && ike_sa->get_version(ike_sa) == IKEV1)
294 {
295 ha_message_t *m;
296 keymat_v1_t *keymat;
297 u_int32_t mid;
298 chunk_t iv;
299 host_t *vip;
300
301 mid = message->get_message_id(message);
302 if (mid == 0)
303 {
304 keymat = (keymat_v1_t*)ike_sa->get_keymat(ike_sa);
305 if (keymat->get_iv(keymat, mid, &iv))
306 {
307 m = ha_message_create(HA_IKE_IV);
308 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
309 m->add_attribute(m, HA_IV, iv);
310 this->socket->push(this->socket, m);
311 this->cache->cache(this->cache, ike_sa, m);
312 }
313 }
314 if (!incoming && message->get_exchange_type(message) == TRANSACTION)
315 {
316 vip = ike_sa->get_virtual_ip(ike_sa, FALSE);
317 if (vip)
318 {
319 m = ha_message_create(HA_IKE_UPDATE);
320 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
321 m->add_attribute(m, HA_REMOTE_VIP, vip);
322 this->socket->push(this->socket, m);
323 this->cache->cache(this->cache, ike_sa, m);
324 }
325 }
326 }
327 if (plain && ike_sa->get_version(ike_sa) == IKEV1 &&
328 message->get_exchange_type(message) == INFORMATIONAL_V1)
329 {
330 ha_message_t *m;
331 notify_payload_t *notify;
332 chunk_t data;
333 u_int32_t seq;
334
335 notify = message->get_notify(message, DPD_R_U_THERE);
336 if (notify)
337 {
338 data = notify->get_notification_data(notify);
339 if (data.len == 4)
340 {
341 seq = untoh32(data.ptr);
342 if (incoming)
343 {
344 m = ha_message_create(HA_IKE_MID_RESPONDER);
345 }
346 else
347 {
348 m = ha_message_create(HA_IKE_MID_INITIATOR);
349 }
350 m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa));
351 m->add_attribute(m, HA_MID, seq + 1);
352 this->socket->push(this->socket, m);
353 this->cache->cache(this->cache, ike_sa, m);
354 }
355 }
356 }
357 return TRUE;
358 }
359
360 METHOD(ha_ike_t, destroy, void,
361 private_ha_ike_t *this)
362 {
363 free(this);
364 }
365
366 /**
367 * See header
368 */
369 ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
370 ha_cache_t *cache)
371 {
372 private_ha_ike_t *this;
373
374 INIT(this,
375 .public = {
376 .listener = {
377 .ike_keys = _ike_keys,
378 .ike_updown = _ike_updown,
379 .ike_rekey = _ike_rekey,
380 .ike_state_change = _ike_state_change,
381 .message = _message_hook,
382 },
383 .destroy = _destroy,
384 },
385 .socket = socket,
386 .tunnel = tunnel,
387 .cache = cache,
388 );
389
390 return &this->public;
391 }
392